Firepower: How to block traffic from PCs running Windows XP

cisco
Level 1

Hi,

I have an ASA 5525-X with Firepower. We still have some computers in our networks running Windows XP and I would like to block Internet traffic from these computers. Of course I can maintain the IP addresses in an access-list and block the traffic that way, but is it possible to do this more dynamically by using Firepower?

Best regards,

Thor-Egil Ekeli

2 Replies

Hello,

Sure it is. Follow these steps:

1- Configure URL objects/group under Object > Object Management
2- Create a rule under the Access Control policy calling the URL object created
3- Deploy the policy on the target device.

Marvin Rhoads
Hall of Fame

@Flavio Miranda,

I don't see how a URL rule can block traffic based on initiator operating system.

@cisco,

I haven't done this and Firepower doesn't make it easy but I believe you can use a Correlation Policy. You have to build a traffic profile and then a rule and finally a correlation policy that uses those building blocks and assign an action (i.e. Blacklist). However, Firepower has to be in a location to see the traffic with enough detail to authoritatively identify the OS. That can be problematic.

This sort of thing can be done better and more easily with Cisco ISE as its built-in profiling (a Plus license feature) is much more precise. It can then assign a downloadable ACL (DACL) dynamically to prevent Internet access while allowing all other internal access at the switchport (or Wireless client) level.
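As an added illustration of the ISE approach described above (a constructed example, not from this thread or from Cisco's documentation), here is the kind of downloadable ACL ISE could push for endpoints profiled as Windows XP. It assumes the internal address space is the RFC 1918 ranges and that an ISE authorization policy matches the Windows XP endpoint profile; both are assumptions to adjust to the real environment.

```text
remark Hypothetical ISE dACL for endpoints profiled as Windows XP (constructed example)
remark dACL source is always "any"; the switch applies it to the authenticated session's IP
remark Assumption: internal address space is RFC 1918; adjust to the real addressing plan
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
deny ip any any log
```

The logged deny entry makes blocked Internet attempts from XP hosts visible in the switch logs, which also confirms that the profile and the DACL actually matched the endpoint.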
