FirePOWER URL Blocking

Sylwia Smaga
Level 1

Question,

Is it possible to setup FireSIGHT URL policy to block Facebook, but allow http://facebook.com/mycompany

We have a client who is looking for this feature.

Thank You

Sylwia

7 Replies

Dinkar Sharma
Cisco Employee

Hi Sylwia,

Yes, you can do that. You need to select the action as Block or Block reset when you create an access rule, and change the settings in the HTTP Responses tab to Custom while creating the policy. But this is only for HTTP websites.

Thanks,

Dinkar

Hi,

Facebook uses HTTPS and would need a decryption engine like a dedicated FirePOWER appliance.

The ASA FirePOWER module doesn't have this capability.

I've tried to block Facebook on our ASA FirePOWER module, but it didn't work.

It blocks HTTPS based on the Server Name Identifier (SNI) or the common name from the certificate field. But it won't send you the block page for HTTPS; we don't see the HTTP GET request and cannot spoof it.

Thanks,

Dinkar

Right - even with a hardware appliance and an HTTPS decryption policy we cannot send a block page for HTTPS sites. We can only block the site silently (reset the connection).

I tried this with an AMP 8150 and confirmed with TAC that the block page function is not available for HTTPS, even with a decryption policy and a trusted certificate issued from an internal PKI on the appliance.

Hi,

I just tried this and I can block Facebook using the URL blocking policy.

I was doing application blocking earlier and somehow Facebook got through.

If you were using application and URL in the same rule then it won't work and will allow the URL. That's because the rule has to match the AND condition: it has to match both the application and the URL. In your case it will never match the application, because the traffic is encrypted and the device won't be able to identify the application. So it goes to the next rule or the default rule.

Even if you have an SSL decryption policy it will still allow some packets, because the device requires some packets to identify the actual application used by the client.

So you need to be very careful when you are creating your policies.

Thanks,

Dinkar
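An added example (not from this thread or from Cisco) modelling why the path-level allow Sylwia is after works for plain HTTP but not for HTTPS: without decryption the inspecting device reads only the SNI host name from the TLS ClientHello, never the URL path, so a rule whose conditions must all match (AND) cannot match and evaluation falls through to the domain block. The ClientHello bytes, the rule names, hosts and the request are constructed for illustration and are not FirePOWER rule syntax.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is server_name (SNI)."""
    name = sni.encode()
    sni_ext = (struct.pack("!HH", 0x0000, len(name) + 5)            # extension type + length
               + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record: bytes):
    """Walk the ClientHello to the server_name extension; no URL path exists anywhere in it."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    p, ext_end = p + 2, p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                   # server_name
            nlen = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return None

def visible_fields(first_bytes: bytes) -> dict:
    """What a URL filter can read from the client's first bytes without decrypting."""
    if first_bytes[:1] == b"\x16":                       # TLS record: host from SNI, path unknown
        return {"host": parse_sni(first_bytes), "path": None}
    _method, target, _ = first_bytes.split(b"\r\n", 1)[0].split(b" ", 2)
    host = first_bytes.split(b"Host: ", 1)[1].split(b"\r\n", 1)[0]
    return {"host": host.decode(), "path": target.decode()}

def evaluate(rules, fields):
    """First-match evaluation: every condition in a rule must match (AND), else try the next rule."""
    for name, conds, action in rules:
        if all(fields.get(k) is not None and fields[k].startswith(v) for k, v in conds.items()):
            return name, action
    return "default", "allow"

RULES = [  # constructed rules for illustration, not FirePOWER syntax
    ("allow-company-page", {"host": "www.facebook.com", "path": "/mycompany"}, "allow"),
    ("block-facebook", {"host": "www.facebook.com"}, "block"),
]
HTTP_REQ = b"GET /mycompany HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"  # constructed
```

Running `evaluate(RULES, visible_fields(HTTP_REQ))` hits the allow rule, while the same company page requested over TLS (`evaluate(RULES, visible_fields(build_client_hello("www.facebook.com")))`) hits the block rule because the path condition can never be satisfied.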

 

Sylwia Smaga
Level 1

Thank you everyone for the follow-up, but now I'm confused.

I know because it works right now; I can block either

http://facebook.com or application-based Facebook.

What I'm trying to accomplish is to allow

the URL facebook.com/mycompany, which allows users to get to the client's Facebook company page, and block everything else on Facebook afterwards.

I've set up 3 D-Cloud demos and my own lab and 2 TAC cases, and no answer yet.

Seeing if anyone in the community has ever seen this or even tried something like this.

Thank You again
