Solved: Firepower not blocking URLs

darreng · ‎06-20-2016

Searching around I see a number of posts on the same subject, but these relate to v5.X software.   

Relevant bits of config: 

 class sfr 

sfr fail-open
user-statistics accounting
! 

class-map sfr  match access-list SFR-REDIRECT 

!

 access-list SFR-REDIRECT extended permit ip any any  

I added a URL deny for www.playboy.com to test my URL filtering policy amongst other things. I also added a couple of random proxy / anonymiser sites. I see one of these hitting the Access Control Policy (deny - reset) but traffic still gets thorough. I don't see traffic to www.playboy.com.

Runing: Sourcefire - 6.0.1

Regards

Darren

Jetsy Mathew · ‎06-21-2016

Hello Darren,

The url cateogarization should work fine with the AC policy action . It works this way .Once after the bright cloud database is updated in both FMC and Firepower , the url filtering will work based on the cateogaries that are added in the AC policy If the sites are not getting blocked, that means its not hitting the right policy. I hope the AC policy rule position is proper. Try to position the URL rule first and see. Along with the URL access control issues, there was a known issue which comes top of my mind . It has to do with the security zones and started affecting the version starting from 6.0.0. If you have a security zone added in the interfaces , there is a chance of access control policy never works properly.Its intermittent. I just have a suggestion for you since I have worked with another client for the same. Could you please try upgrading to the following version of 6.0.0.1.

https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=6.0.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest

IMPORTANT HOTFIXES for 6.0.0.1: After updating to Version 6.0.0.1, you must install both Hotfix K and Hotfix O or the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.

Under version 6.0.0.1 , the issue is fixed for the security zone. If you are not planning to go ahead with the upgrade, you need to open a TAC service request as we need to verify the pcap for this specific traffic. We need to perform the debug level troubleshooting for this issue.

Rate if this answer or post helps you.

Regards

Jetsy

View solution in original post

Jetsy Mathew · ‎06-20-2016

Hello Darren,

The configuration looks fine. Your understanding on version 5.4.x and 5.4.x.x is right. We have several known bugs in those version which affects the URL cateogarization. Is it a new installation or an already ongoing one ?

In version 6.0.1 there is no any bugs related to url cateogarization issues. Before moving to the details I hope you have the url license which is must for blocking the url cateogaries. Are you blocking the url by adding it manually or using the Adult & Pornography caetogary ?

Below are the two useful links to verify your configuration setup once again.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117956-technote-sourcefire-00.html

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html

Could you please verify if the url database is uptodated or not ? For this refer the following .

Log into the web user interface of the FireSIGHT Management Center.
Navigate to System > Local > Configuration.
Select Cloud Services.
Select the Enable URL Filtering check box in order to enable URL Filtering.

If you already enabled it , could you please check when is the last url filtering update occurred ?

Regards

Jetsy

darreng · ‎06-21-2016

Thank you Jetsy.

Yes, the URL database has been updated (screenshot enclosed).

I messed about with the URL policy, after allowing DNS the URL policy is the 2nd policly in my ACP. In the URL policy I define Category: Adult & Pornography, URL: Tunnelbear, URL: Hola and URL: playboy.com. I noticed from the Firepower v6.X command ref that www.xyz.com, http://www.xyz.com and https://xyz.com could be simplified to xyz.com only.

Since the change I have had some success denying Hola and presenting a message stating 'Access Denied" etc. Tunnelbear sometimes works and sometimes does not i.e. I can periodially access the site. Playboy.com is not blocked at all.

I probably need to understand a little more about how the URL filter works with brightcloud. Perhaps try this from a few additional devices as well to rule out my laptop as a probable cause. Each time of course I clear my browser cache / restart my browser etc.

I reviewed the 2 x URL's recommeded, much appreciated. I have additionally seen a useful Youtube video that demonstrates how to debug the policy on the sfr module (ASA 5525X). I'll follow this to see if I can see what's happenning at the Firewall end for playboy.com.

Any other pointers greatly appreciated.

Regards

Darren

Jetsy Mathew · ‎06-21-2016

Hello Darren,

The url cateogarization should work fine with the AC policy action . It works this way .Once after the bright cloud database is updated in both FMC and Firepower , the url filtering will work based on the cateogaries that are added in the AC policy If the sites are not getting blocked, that means its not hitting the right policy. I hope the AC policy rule position is proper. Try to position the URL rule first and see. Along with the URL access control issues, there was a known issue which comes top of my mind . It has to do with the security zones and started affecting the version starting from 6.0.0. If you have a security zone added in the interfaces , there is a chance of access control policy never works properly.Its intermittent. I just have a suggestion for you since I have worked with another client for the same. Could you please try upgrading to the following version of 6.0.0.1.

https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=6.0.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest

IMPORTANT HOTFIXES for 6.0.0.1: After updating to Version 6.0.0.1, you must install both Hotfix K and Hotfix O or the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.

Under version 6.0.0.1 , the issue is fixed for the security zone. If you are not planning to go ahead with the upgrade, you need to open a TAC service request as we need to verify the pcap for this specific traffic. We need to perform the debug level troubleshooting for this issue.

Rate if this answer or post helps you.

Regards

Jetsy

darreng · ‎06-21-2016

Hi Jetsy,

Thank you again.

I see know that after editing the search for Playboy that it's identified under 'Business and Economy' Benign Sites with security risks which isn't hitting the policy as you say. I had assumed that the Category Adult and Pornography (1-2) would capture this, crazy that it doesn't.

Further, images are from images.playboy.com which once identified seperately seems to help, however, if you click about on the site you can pull other content which evades the URL filter.

I'm at the beginning of my understanding on the best way to configure Firepower and I clearly need to do more reading. I would have hoped it was a little more 'dynamic' and that anything from 'playboy.com' irrespective of it being images.playboy.com etc would hit the rule.

I'll report the above to TAC / Brightcloud which I understand is the policy when such events occur.

Regards

Darren