Firepower URLs without license

mmacdonald70
Level 1

I'm not sure if this is answered somewhere in the docs that I missed. If it is, I'm sorry.

I have two questions in relation to my ASA5506-x appliance and firepower:

1. I don't currently have the URL license since I'm not interested in the cloud based service.  What I would like however is the ability to filter out URLs based on regex or keywords in the URL.  Is this possible?

2. On a similar topic, is there a way to see what URLs were accessed?

3. I keep seeing messages in the "Threats" area like "INDICATOR-COMPROMISE Suspicious .pw dns query" but I can't seem to figure out a way to get more information (like the source IP address)

Thanks

5 Replies

Philip D'Ath
VIP Alumni

If you don't want to licence the Firepower module (PS: there is a promo on for three-year licences at the moment ...), then you could consider doing this purely on the ASA.

You can filter either HTTP (not HTTPS) URLs, or do DNS filtering, which stops all protocols. I personally prefer the DNS method. Here is a brief example to block logmein.com.

regex domain_logmein.com "\.logmein\.com"
!
class-map type regex match-any DomainBlockList
  description Blocked Domains
  match regex domain_logmein.com
!
policy-map type inspect dns PM-DNS-inspect
  parameters
    message-length maximum 512
  match domain-name regex class DomainBlockList
    drop-connection log
!
policy-map global_policy
  class inspection_default
    inspect dns PM-DNS-inspect
!
service-policy global_policy global

I never tested it without a license, but the documentation states that it should work without:

To apply an access control policy that...                                                                | License
performs access control based on zone, network, or port; performs URL filtering using literal URLs and URL objects | Any

I think that means you need "any" licence such as "Control" as opposed to "No" licence. I'm 99% confident it won't allow you to configure anything if you have no licence at all.
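As an added check that is not part of the reply above: before pushing a DNS-inspection block list like the one in the post, it is worth running the regexes against the query names you expect to see, since an unanchored pattern such as "\.logmein\.com" never matches the apex name "logmein.com" but does match any longer name that merely contains ".logmein.com". The script assumes ASA's regex matching behaves like Python's re.search for these simple patterns and that ASA accepts ^, $, | and grouping (it documents all four); the anchored pattern and the sample query names are constructed for the illustration.

```python
import re

# Block-list patterns in ASA regex syntax. The first is the one from the
# reply; the second is a constructed, anchored alternative that matches the
# apex domain and its subdomains only.
BLOCKLIST = {
    "domain_logmein.com": r"\.logmein\.com",
    "domain_logmein.com_anchored": r"(^|\.)logmein\.com$",
}

# Constructed sample DNS query names, including two look-alikes.
SAMPLE_QUERIES = [
    "logmein.com",
    "www.logmein.com",
    "evil.logmein.com.example.net",
    "www.logmein.community",
    "notlogmein.com",
]


def matching_patterns(qname, blocklist=BLOCKLIST):
    """Names of block-list regexes that would fire on this query name.

    Assumption: ASA applies the regex as an unanchored, case-insensitive
    search over the queried name, so re.search on the lowercased name is used.
    """
    qname = qname.rstrip(".").lower()
    return sorted(name for name, pat in blocklist.items() if re.search(pat, qname))


def evaluate(queries=SAMPLE_QUERIES, blocklist=BLOCKLIST):
    """Map each query name to the block-list entries that match it."""
    return {q: matching_patterns(q, blocklist) for q in queries}


if __name__ == "__main__":
    for q, hits in evaluate().items():
        verdict = "DROP" if hits else "allow"
        print(f"{q:30} {verdict:6} {', '.join(hits)}")
```

The output shows the apex name slipping past the original pattern and the two look-alike names being dropped by it, while the anchored pattern catches exactly the apex name and its subdomains.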

Thanks.  I just tried this out and it appears to work.  I manually added several URLs in a rule and it successfully blocked them.

Now if I can just figure out the other two questions.

mohd_123shoaib
Level 1

Hi,

Regarding your second and third query, you can use connection events on the FMC to check connection attempts against the access rule you have defined. But remember you should have logging enabled against the required access rule. Also, for the 3rd question you can use intrusion events.

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01101111.html
