FMC

osman.cerkez
Community Member

Hello,

I have Cisco ASA 5515-X devices with Firepower services managed by FMC 6.1.0.2 and TAC (IPS and URL) licenses.

I have a few questions about it:

- Is it possible to allow a specific YouTube channel for a specific group of users, but block all other YouTube streaming for all other users?

- Is it possible to allow a specific Facebook page like "https://www.facebook.com/something.hr/" for a specific group of users, but block all other Facebook pages?

If it is possible, can you please explain how to set it up?

 

Regards

3 Replies

Marius Gunnerud
VIP Alumni

Yes, this is possible if your Defense Center is integrated / joined with AD. Or you will need to install a user agent on the client that is connected to Active Directory.

These links explain how you can create policies based on user identity. Of course, if the users have static IPs or are isolated to a specific subnet, then you could just match on the IP or subnet.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc8

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Rules-User.html

--

Please remember to select a correct answer and rate helpful posts


In the Firepower Management Center a Realm has been configured and FMC is integrated with AD. Firepower User Agent for AD version 2.3 is installed on the domain controller and is operating correctly.

The Identity Policy is configured for passive authentication, set to use the configured Realm and assigned in the Access Control Policy, and all of these setups work fine.

I have configured an SSL Policy with the Decrypt-Resign action for applications (YouTube and Facebook) and assigned it in the Access Control Policy.

But I still cannot configure an Access Control Policy with a rule which I can use for the previously described case, like:

  • Allow a specific YouTube channel like https://www.youtube.com/channel/UCZ2awNGeUbU5xN1hX-PCYpQ for a specific group of users or for all users, but block all other YouTube streaming for all other users

  • Allow a specific Facebook page, but block all other Facebook pages for all users or a group of AD users

 

In the rule of the Access Control Policy which I use for application control, under Applications filters I added YouTube and Facebook, and under URLs filters I added the specific URL which I would like to allow, but it does not work, and the next rule, with block and reset action for the YouTube and Facebook applications, blocks this traffic.

Regards

I believe you are configuring the rule incorrectly. Do not add Application filters, just the URL filter that you would like to permit. Then test.

--

Please remember to select a correct answer and rate helpful posts
