06-20-2016 08:18 AM - edited 03-10-2019 06:38 AM
Searching around I see a number of posts on the same subject, but these relate to v5.X software.
Relevant bits of config:
class sfr
sfr fail-open
user-statistics accounting
!
class-map sfr match access-list SFR-REDIRECT
!
access-list SFR-REDIRECT extended permit ip any any
I added a URL deny for www.playboy.com to test my URL filtering policy amongst other things. I also added a couple of random proxy / anonymiser sites. I see one of these hitting the Access Control Policy (deny - reset) but traffic still gets through. I don't see traffic to www.playboy.com.
Running: Sourcefire - 6.0.1
Regards
Darren
06-21-2016 07:42 AM
Hello Darren,
The URL categorization should work fine with the AC policy action. It works this way: once the BrightCloud database is updated in both the FMC and Firepower, URL filtering will work based on the categories that are added in the AC policy. If the sites are not getting blocked, that means it's not hitting the right policy. I hope the AC policy rule position is proper. Try positioning the URL rule first and see.

Along with the URL access control issues, there was a known issue which comes to the top of my mind. It has to do with the security zones and started affecting versions from 6.0.0 onwards. If you have a security zone added on the interfaces, there is a chance that the access control policy never works properly. It's intermittent. I just have a suggestion for you since I have worked with another client on the same. Could you please try upgrading to the following version, 6.0.0.1.
https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=6.0.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest
IMPORTANT HOTFIXES for 6.0.0.1: After updating to Version 6.0.0.1, you must install both Hotfix K and Hotfix O or the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.
Under version 6.0.0.1, the issue is fixed for the security zone. If you are not planning to go ahead with the upgrade, you need to open a TAC service request, as we need to verify the pcap for this specific traffic. We need to perform debug-level troubleshooting for this issue.
Please rate this answer if it helps you.
Regards
Jetsy
06-20-2016 08:54 PM
Hello Darren,
The configuration looks fine. Your understanding of versions 5.4.x and 5.4.x.x is right. We have several known bugs in those versions which affect URL categorization. Is it a new installation or an already ongoing one?
In version 6.0.1 there are no bugs related to URL categorization issues. Before moving to the details, I hope you have the URL license, which is a must for blocking URL categories. Are you blocking the URL by adding it manually or by using the Adult & Pornography category?
Below are the two useful links to verify your configuration setup once again.
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117956-technote-sourcefire-00.html
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html
Could you please verify whether the URL database is up to date or not? For this, refer to the following.
If you have already enabled it, could you please check when the last URL filtering update occurred?
Regards
Jetsy
06-21-2016 06:59 AM
Thank you Jetsy.
Yes, the URL database has been updated (screenshot enclosed).
I messed about with the URL policy; after allowing DNS, the URL policy is the 2nd policy in my ACP. In the URL policy I define Category: Adult & Pornography, URL: Tunnelbear, URL: Hola and URL: playboy.com. I noticed from the Firepower v6.X command ref that www.xyz.com, http://www.xyz.com and https://xyz.com could be simplified to xyz.com only.
Since the change I have had some success denying Hola and presenting a message stating 'Access Denied' etc. Tunnelbear sometimes works and sometimes does not, i.e. I can periodically access the site. Playboy.com is not blocked at all.
I probably need to understand a little more about how the URL filter works with BrightCloud. Perhaps try this from a few additional devices as well to rule out my laptop as a probable cause. Each time of course I clear my browser cache / restart my browser etc.
I reviewed the two URLs recommended, much appreciated. I have additionally seen a useful YouTube video that demonstrates how to debug the policy on the sfr module (ASA 5525-X). I'll follow this to see if I can see what's happening at the firewall end for playboy.com.
Any other pointers greatly appreciated.
Regards
Darren
06-21-2016 08:53 AM
Hi Jetsy,
Thank you again.
I see now, after editing the search for Playboy, that it's identified under 'Business and Economy' (Benign Sites with security risks), which isn't hitting the policy as you say. I had assumed that the Category Adult and Pornography (1-2) would capture this; crazy that it doesn't.
Further, images are from images.playboy.com, which once identified separately seems to help; however, if you click about on the site you can pull other content which evades the URL filter.
I'm at the beginning of my understanding on the best way to configure Firepower and I clearly need to do more reading. I would have hoped it was a little more 'dynamic' and that anything from 'playboy.com' irrespective of it being images.playboy.com etc would hit the rule.
I'll report the above to TAC / Brightcloud which I understand is the policy when such events occur.
Regards
Darren
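The thread turns on two things: rule position (first match wins, so a broad allow above the URL rule shadows it) and the fact that a category rule only fires when the BrightCloud lookup returns the category you listed, which is why the Adult & Pornography rule never saw playboy.com. The following is an added example, not code from this thread or from Cisco, that models those semantics so you can reason about a policy before deploying it. The category table, rule names and flows are constructed for the example; the substring-style matching of manual URL strings (so that "playboy.com" also covers images.playboy.com) is an assumption about Firepower behaviour that you should confirm against the configuration guide for your release.

```python
"""Simplified model of Firepower access-control URL matching.

Added example for illustration; not code from the thread or from Cisco,
and not how the Firepower engine is implemented. It models the two URL
conditions discussed above (URL category and manual URL string),
first-match evaluation in rule order, and substring matching of manual
URL strings (assumed behaviour, verify for your release). The category
table is constructed; on a real system it comes from the BrightCloud feed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of a URL-category lookup (hostname -> category).
CONSTRUCTED_CATEGORIES: Dict[str, str] = {
    "www.playboy.com": "Business and Economy",
    "images.playboy.com": "Business and Economy",
    "hola.org": "Proxy Avoidance and Anonymizers",
    "www.tunnelbear.com": "Proxy Avoidance and Anonymizers",
    "example.com": "Uncategorized",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "block_reset"
    ports: FrozenSet[int] = frozenset()          # empty = any destination port
    categories: FrozenSet[str] = frozenset()     # empty = no category condition
    urls: FrozenSet[str] = frozenset()           # empty = no manual-URL condition


@dataclass(frozen=True)
class Flow:
    dst_port: int
    url: Optional[str] = None                    # None for non-web traffic such as DNS


def normalize(url: str) -> Tuple[str, str]:
    """Return (hostname, hostname+path), lowercased, for matching."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host, host + parts.path


def lookup_category(host: str, table: Dict[str, str]) -> str:
    return table.get(host, "Uncategorized")


def rule_matches(rule: Rule, flow: Flow, table: Dict[str, str]) -> bool:
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    if not rule.categories and not rule.urls:
        return True                              # no URL conditions: port conditions decide
    if flow.url is None:
        return False                             # URL conditions cannot match non-web traffic
    host, host_and_path = normalize(flow.url)
    if rule.categories and lookup_category(host, table) in rule.categories:
        return True
    # Manual URL strings match as substrings, so "playboy.com" also covers
    # images.playboy.com (assumed Firepower behaviour, see lead-in).
    return any(u.lower() in host_and_path for u in rule.urls)


def evaluate(rules, flow: Flow, table=CONSTRUCTED_CATEGORIES, default="allow") -> Tuple[str, str]:
    """First-match evaluation: the first rule whose conditions match wins."""
    for rule in rules:
        if rule_matches(rule, flow, table):
            return rule.name, rule.action
    return "default", default


DNS_RULE = Rule("Allow-DNS", "allow", ports=frozenset({53}))
URL_RULE = Rule("URL-Block", "block_reset",
                categories=frozenset({"Adult and Pornography"}),
                urls=frozenset({"tunnelbear.com", "hola.org", "playboy.com"}))

# The ordering from the thread: DNS allowed first, URL rule second.
GOOD_ORDER = [DNS_RULE, URL_RULE]
# A broad allow placed above the URL rule shadows it; the block never fires.
SHADOWED_ORDER = [DNS_RULE, Rule("Permit-Any", "allow"), URL_RULE]
# Category-only rule: misses a site whose BrightCloud category is not the one listed.
CATEGORY_ONLY = [DNS_RULE, Rule("Adult-Category", "block_reset",
                                categories=frozenset({"Adult and Pornography"}))]

if __name__ == "__main__":
    policies = [("good", GOOD_ORDER), ("shadowed", SHADOWED_ORDER), ("category-only", CATEGORY_ONLY)]
    flows = [Flow(53), Flow(443, "https://www.playboy.com"),
             Flow(443, "https://images.playboy.com/gallery/1.jpg"),
             Flow(80, "http://hola.org/"), Flow(443, "https://example.com/")]
    for label, policy in policies:
        for flow in flows:
            print(label, flow.dst_port, flow.url, "->", evaluate(policy, flow))
```

Running it shows the three behaviours from the thread side by side: with the DNS rule first and the URL rule second, playboy.com and its images subdomain both hit the block; with a permit-any above it the block is never reached, which is the "traffic still gets through" symptom; and a category-only rule lets playboy.com pass because the constructed table, like the real lookup Darren found, files it under Business and Economy. On a real deployment the equivalent check is the rule name and URL category shown in the connection event for the test flow, not what the browser displays.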