09-15-2017 03:22 AM - edited 02-21-2020 06:18 AM
Hi,
I have an ASA 5525-X with Firepower. We still have some computers in our networks running Windows XP and I would like to block Internet traffic from these computers. Of course I can maintain the IP addresses in an access-list and block the traffic that way, but is it possible to do this more dynamically by using Firepower?
Best regards,
Thor-Egil Ekeli
09-15-2017 07:20 AM
Hello,
Sure it is. Follow these steps:
1. Configure URL objects/group under Object > Object Management
2. Create a rule under Access Control policy calling the URL object created
3. Deploy the policy on the target device.
09-16-2017 08:10 AM
I don't see how a URL rule can block traffic based on initiator operating system.
I haven't done this and Firepower doesn't make it easy but I believe you can use a Correlation Policy. You have to build a traffic profile and then a rule and finally a correlation policy that uses those building blocks and assign an action (i.e. Blacklist). However, Firepower has to be in a location to see the traffic with enough detail to authoritatively identify the OS. That can be problematic.
This sort of thing can be done better and more easily with Cisco ISE as its built-in profiling (a Plus license feature) is much more precise. It can then assign a downloadable ACL (DACL) dynamically to prevent Internet access while allowing all other internal access at the switchport (or Wireless client) level.
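The static access-list fallback the original question mentions, written out as an added ASA configuration example (not from any post in this thread); the object-group names, the address ranges and the interface name are assumptions:

```text
! Hosts still running Windows XP (constructed addresses, maintain by hand)
object-group network WINXP-HOSTS
 network-object host 10.10.20.15
 network-object host 10.10.20.16

! Internal address space that XP hosts may still reach (assumed RFC 1918 ranges)
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! Inbound ACL on the inside interface: XP hosts keep internal access,
! everything else from them (i.e. Internet-bound traffic) is denied and logged,
! then the remaining hosts pass as before.
access-list INSIDE-IN extended permit ip object-group WINXP-HOSTS object-group INTERNAL-NETS
access-list INSIDE-IN extended deny ip object-group WINXP-HOSTS any log
access-list INSIDE-IN extended permit ip any any

access-group INSIDE-IN in interface inside
```

The `log` keyword on the deny line makes each blocked XP connection attempt visible in syslog, which also shows whether the WINXP-HOSTS group is drifting out of date.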