10-16-2015 01:00 PM - edited 03-12-2019 05:47 AM
Question,
Is it possible to set up a FireSIGHT URL policy to block Facebook but allow http://facebook.com/mycompany?
We have a client who is looking for this feature.
Thank You
Sylwia
10-20-2015 02:15 AM
Hi Sylwia,
Yes, you can do that. You need to select the action as Block or Block reset when you create an access rule, and change the setting on the HTTP Responses tab to Custom while creating the policy. But this only works for HTTP websites.
Thanks,
Dinkar
10-22-2015 01:52 AM
Hi,
Facebook uses HTTPS and would need a decryption engine like a dedicated Firepower appliance.
The ASA Firepower module doesn't have this capability.
I've tried to block Facebook on our ASA Firepower module but it didn't work.
10-22-2015 02:39 AM
It blocks HTTPS based on the Server Name Indication (SNI) or the common name from the certificate field. But it won't send you the block page for HTTPS: we don't see the HTTP GET request and cannot spoof it.
Thanks,
Dinkar
10-22-2015 05:03 AM
Right - even with a hardware appliance and an HTTPS decryption policy we cannot send a block page for HTTPS sites. We can only block the site silently (reset the connection).
I tried this with an AMP 8150 and confirmed with TAC that the block page function is not available for HTTPS, even with a decryption policy and a trusted certificate issued from an internal PKI on the appliance.
10-22-2015 07:56 AM
Hi,
I just tried this and I can block Facebook using the URL blocking policy.
I was doing application blocking earlier and somehow Facebook got through.
10-22-2015 08:18 AM
If you were using application and URL in the same rule then it won't work and will allow the URL. That's because the rule has to match the AND condition: it has to match both the application and the URL. In your case it will never match the application, because the traffic is encrypted and the device won't be able to identify the application. So it goes to the next rule or the default rule.
Even if you have an SSL decryption policy it will still allow some packets, because the device requires some packets to identify the actual application used by the client.
So you need to be very careful when you are creating your policies.
Thanks,
Dinkar
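To make the two points in the reply above concrete (first-match rule evaluation, and a rule that ANDs an application condition with a URL condition never matching traffic whose application is not identified), here is a small constructed model of access-control rule evaluation. It is an added illustration, not FireSIGHT/Firepower code or anything from this thread's participants; the `Flow` and `Rule` classes, the rule names, and the sample flows are all assumptions. It also models the original question: a path-based allow for facebook.com/mycompany can only match when the path is visible, i.e. plaintext HTTP or decrypted HTTPS, because an undecrypted TLS connection exposes only the SNI host.

```python
"""Toy model of first-match access-control rule evaluation (constructed for
this thread; NOT Firepower's engine). Every name here is assumed."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Flow:
    """What a sensor can see for one connection (simplified assumption)."""
    host: str                           # SNI (TLS) or Host header (HTTP)
    path: Optional[str] = None          # only visible if plaintext or decrypted
    application: Optional[str] = None   # None = application not identified


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "block"
    application: Optional[str] = None   # condition; None = not configured
    url: Optional[str] = None           # condition; substring of host+path

    def matches(self, flow: Flow) -> bool:
        # All configured conditions must match (AND). An unidentified
        # application (flow.application is None) can never satisfy an
        # application condition, so the rule is skipped.
        if self.application is not None and flow.application != self.application:
            return False
        if self.url is not None:
            visible = flow.host + (flow.path or "")
            if self.url not in visible:
                return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "allow") -> str:
    """First matching rule wins; otherwise the default action applies."""
    for rule in rules:
        if rule.matches(flow):
            return f"{rule.action} ({rule.name})"
    return f"{default} (default)"


# Policy from the original question: allow the company page, then block the
# rest of Facebook. Order matters because "facebook.com/mycompany" also
# contains "facebook.com".
PATH_POLICY = [
    Rule("allow-company-page", "allow", url="facebook.com/mycompany"),
    Rule("block-facebook", "block", url="facebook.com"),
]

# The pitfall described above: application AND URL in one rule.
AND_POLICY = [
    Rule("block-facebook-app-and-url", "block",
         application="Facebook", url="facebook.com"),
]

if __name__ == "__main__":
    # Constructed sample flows.
    http_company = Flow("facebook.com", "/mycompany")            # plaintext HTTP
    http_other = Flow("facebook.com", "/someoneelse")            # plaintext HTTP
    tls_company = Flow("facebook.com")                            # HTTPS: SNI only
    tls_unknown_app = Flow("facebook.com", application=None)      # app not identified
    decrypted = Flow("facebook.com", "/", application="Facebook")  # after decryption

    print(evaluate(PATH_POLICY, http_company))    # allow (allow-company-page)
    print(evaluate(PATH_POLICY, http_other))      # block (block-facebook)
    print(evaluate(PATH_POLICY, tls_company))     # block (block-facebook): path unseen
    print(evaluate(AND_POLICY, tls_unknown_app))  # allow (default): AND never matches
    print(evaluate(AND_POLICY, decrypted))        # block (block-facebook-app-and-url)
```

The third result is the crux of the original question: over undecrypted HTTPS the device sees only the SNI `facebook.com`, so the path-based allow rule can never match and the broader block rule fires. The fourth shows why the application-plus-URL rule in one line "lets Facebook through": the unidentified application makes the AND condition false, and evaluation falls through to the default action.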
11-02-2015 09:57 AM
Thank you everyone for the follow-up, but now I'm confused.
I know it works right now: I can block either
http://facebook.com or application-based Facebook.
What I'm trying to accomplish is to allow
the URL facebook.com/mycompany, which lets users get to the client's Facebook company page, and block everything else on Facebook afterwards.
I've set up 3 D-Cloud demos and my own lab and 2 TAC cases, and no answer yet.
Seeing if anyone in the community has ever seen this or even tried something like this.
Thank you again