FTD - Custom URL filtering issues

Hi all,

I have an access rule configured as below which does not seem to work.

source network object -> any 

Ports any -> 443

URL -> microsoft.com

When running packet tracer, the traffic to microsoft.com is allowed; however, traffic to another website which is not in the URL filtering is also allowed. I see that both packet traces hit the configured rule, but I feel that as soon as the traffic matches port 443 it is allowed. It is like the URL filter is being ignored.

Do I need some kind of SSL / Decryption policy to enable the URL filtering to work? Or could this be DNS related?

Thanks

Nick


6 Replies

balaji.bandi
Hall of Fame

Most rules are evaluated top down, so check which rule it is hitting.

Some guided video to help understand the process:

https://www.youtube.com/watch?v=Ik6jfkVZYu8

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Thank you for the link. I have my ACL set up exactly as in the video. The packet tracer states that the traffic does hit the correct rule. However, the rule is allowing traffic to URLs not stated in the rule.

Thanks

Nick


can you post the packet tracer output?


BB


Hi,

I have attached packet traces and screenshots of the ACL. 

Let me know if you spot anything. To me it looks like the traffic is being allowed by the "Zones" section of the ACL and not actually getting to the URL section, but I may be wrong.

Thanks

Nick

Are you only testing with packet-tracer or are you testing with actually trying to access a different website?

Because URL filtering is done in SNORT, until SNORT has made a verdict on what should happen with the traffic, the traffic is allowed through the firewall (usually the first 3 packets). So packet-tracer is not a good indication of whether the rule set is working as intended, as packet-tracer only sends one packet and does not take into consideration the action that SNORT takes on the packet.

--
Please remember to select a correct answer and rate helpful posts
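The mechanism in the reply above, written out as a small model so the difference between a single-packet trace and a real flow is visible. This is an added example, not code from the thread or from Cisco: the zone names, the suffix-style URL match, and the three-packet client flow (SYN, ACK, TLS ClientHello) are assumptions of the model, and the ClientHello bytes are constructed inline. The rule mirrors the one in the question: any source, destination port 443, URL condition "microsoft.com". The LINA stage matches only on zones and port; the Snort stage has no verdict until it can read a hostname (the SNI in the ClientHello), and every packet before that is passed.

```python
from collections import namedtuple
import struct

Packet = namedtuple("Packet", "src_zone dst_zone dport payload")

# Access rule modelled on the thread. Zone names are assumptions of this model.
RULE = {"src_zone": "inside", "dst_zone": "outside", "dport": 443,
        "urls": ("microsoft.com",)}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying only an SNI extension."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0
    body = (b"\x03\x03" + bytes(32)                 # client_version + random (zeros, constructed)
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None if there is none to read."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:
            return None
        hs = payload[5:]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0:
                q = p + 2                                # skip server_name_list length
                name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
                if hs[q] == 0:
                    return hs[q + 3:q + 3 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        pass
    return None


def lina_match(pkt: Packet) -> bool:
    """Stage 1: the LINA/ACL match on zones and port, which is all packet-tracer exercises."""
    return (pkt.src_zone == RULE["src_zone"] and pkt.dst_zone == RULE["dst_zone"]
            and pkt.dport == RULE["dport"])


def url_allowed(hostname: str) -> bool:
    # Simplified suffix match; an assumption of this model, not FTD's exact URL semantics.
    return any(hostname == u or hostname.endswith("." + u) for u in RULE["urls"])


def evaluate_flow(packets):
    """Stage 2: per-packet verdicts; packets before the Snort verdict are passed."""
    verdicts, snort_verdict = [], None
    for pkt in packets:
        if not lina_match(pkt):
            verdicts.append("drop: no matching rule")
            continue
        if snort_verdict is None:
            sni = parse_sni(pkt.payload)
            if sni is None:
                verdicts.append("allow: pending Snort verdict")
                continue
            snort_verdict = "allow: URL matched" if url_allowed(sni) else "block: URL not in rule"
        verdicts.append(snort_verdict)
    return verdicts


def packet_tracer(pkt: Packet) -> str:
    """packet-tracer injects a single packet, so it never reaches the Snort verdict."""
    return evaluate_flow([pkt])[0]


def client_flow(hostname: str):
    """Constructed client-side packets of one HTTPS connection: SYN, ACK, ClientHello."""
    return [Packet("inside", "outside", 443, b""),
            Packet("inside", "outside", 443, b""),
            Packet("inside", "outside", 443, build_client_hello(hostname))]


if __name__ == "__main__":
    print("tracer:", packet_tracer(Packet("inside", "outside", 443, b"")))
    print("microsoft:", evaluate_flow(client_flow("www.microsoft.com")))
    print("other:", evaluate_flow(client_flow("example.net")))
```

Running it shows the point of the reply: a single-packet trace to either destination returns "allow: pending Snort verdict", while the full flow to a hostname outside the rule is passed for the first packets and then blocked once the SNI is seen. The same applies on the real box: test URL filtering from a client with a browser or curl and check the connection table or connection events, not packet-tracer alone.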

Perfect, exactly the info I was looking for. We will get the client to test with actual web access. I was only using the packet tracer on the FTD.
