Firepower Web Applications

keithcclark71
Level 3

I was wondering if there is a way to view the means of communication behind the web apps available in Firepower. For example, today I was researching how to only allow a specific VLAN access to Windows updates. I started by searching Google, and one guy gave a bunch of different Microsoft URLs and dynamic ports, and another guy gave a different list of URLs and ports, etc. So I went into Firepower, tried doing updates, then viewed the logs where it failed, and eventually I just went ahead and allowed HTTP/HTTPS access to the web applications Microsoft and Microsoft Update. Well, Windows Update works with these two web apps specified, which leads me to believe that the Windows Update URLs, ports, etc. are coded within the application itself, and I am wondering if there is a way to view those details?

2 Replies

Hello,

I don't believe there is a list of hidden URLs and ports under these web apps. It would be very hard to achieve, and it would be outdated really fast, as those URLs may change all the time.

What I believe happens there is that there is a protocol which you permit when permitting those web apps. The Windows machine has in its code the means to search for the Microsoft Update service.

This document from Microsoft says:

"1 Introduction
The Windows Server Update Services: Client-Server Protocol enables machines to discover and download software updates over the Internet by using the SOAP and HTTP protocols (as specified in [SOAP1.1], [SOAP1.2-1/2003], [SOAP1.2-2/2003], and [RFC2616]).
Sections 1.5, 1.8, 1.9, 2, and 3 of t"

Which means there's some API on the Microsoft site which allows Windows to connect and get the updates as soon as the protocol is permitted and access to the internet is granted.

You can read more about this and the specifics of the protocol here:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wusp/b8a2ad1d-11c4-4b64-a2cc-12771fcb079b 

Attached you can see the doc specific to the MS-WUSP protocol.

The Webapp field does not have a list of URLs that it matches on; instead it looks into the header of the packet and matches on fields and values that are common for that particular application. Also, Cisco does not recommend using both Application and URLs in the same ACP rule.

Best Practices for Application Filtering

Please keep the following recommendations in mind when designing your application filtering access control rules.

  • To handle traffic referred by a web server, such as advertisement traffic, match the referred application rather than the referring application.

  • Avoid combining application and URL criteria in the same rule, especially for encrypted traffic.

  • If you write a rule for traffic that is tagged Decrypted Traffic, ensure that you have an SSL Decryption rule that will decrypt the matching traffic. These applications can be identified in decrypted connections only.

  • The system can detect multiple types of Skype application traffic. To control Skype traffic, choose the Skype tag from the Application Filters list rather than selecting individual applications. This ensures that the system can detect and control all Skype traffic the same way.

  • To control access to Zoho mail, select both the Zoho and Zoho Mail applications.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-access.html


--
Please remember to select a correct answer and rate helpful posts
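As an added illustration of the point made in this reply (header-field matching rather than a URL list), here is a toy application identifier in Python. It is not Firepower's detector and not code from the thread; the detector rules, header names and sample requests are all constructed for the example, and a fetch of the very same path without the SOAP headers is left unclassified to show that the URL is not what is being matched.

```python
import re

# Constructed detector rules (hypothetical, not Firepower's): application
# name -> list of (header, regex).  Every listed header must be present and
# match for the detector to fire; nothing here keys on the URL path.
DETECTORS = {
    # MS-WUSP is SOAP over HTTP, so an update-agent User-Agent plus an XML
    # body announced by a SOAPAction header is the signal, not a URL list.
    "Microsoft Update": [
        ("user-agent", r"^Windows-Update-Agent"),
        ("content-type", r"^text/xml"),
        ("soapaction", r"\S"),
    ],
    "Web browser": [("user-agent", r"Mozilla/"), ("accept", r"text/html")],
}

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, {header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def identify(raw: str) -> str:
    """Return the first detector whose header rules all match, else 'unknown'."""
    _method, _path, headers = parse_request(raw)
    for app, rules in DETECTORS.items():
        if all(re.search(pat, headers.get(h, "")) for h, pat in rules):
            return app
    return "unknown"

# Constructed samples: a SOAP POST shaped like an update-client call, and a
# fetch of the very same path that carries none of the SOAP headers.
WU_REQUEST = (
    "POST /update/client.asmx HTTP/1.1\r\n"
    "Host: update.example.invalid\r\n"
    "User-Agent: Windows-Update-Agent/10.0\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:example:GetConfig"\r\n\r\n'
)
SAME_PATH_NO_SOAP = (
    "GET /update/client.asmx HTTP/1.1\r\n"
    "Host: update.example.invalid\r\n"
    "User-Agent: curl/8.0\r\n\r\n"
)
```

Running `identify(WU_REQUEST)` yields "Microsoft Update" while `identify(SAME_PATH_NO_SOAP)` yields "unknown", which is the behaviour the reply describes: the same destination path is classified differently depending only on the header fields present.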