Showing results for 
Search instead for 
Did you mean: 

roberto cotto

FTD running in ASA Mode

 does  CIsco firesight running  ni ASA mode sipport  using FQDN in Access-list to  allow or block access by ports ex SSh

Philip D'Ath

If you have the Firepower URL licence you can definitely block by URL ...

If the ASA software is not too old you can also block by FQDN on the ASA side.

FTD is running in ASA AND Firepower mode in the same time. There's no separate way of operations.

You can add URL based rules. Or you can add application (like SSH) or you can add ports.

I have done it man all of them ! still doesnt work :( , Unfortunately I dont have license for opening TAC ,what do you recommend me to do ?

> Actually I dont use FTD ,I am using version 6.2 Firepower and my sensor is 5525

Are you using 6.2 as SFR module in ASA? Do you have connection events on the FMC?

I don't really understand your setup. Also, if you don't run FTD (which has a trial 90 days of URL licensing) and you don't have an URL license, what are you trying to achieve will not work.

I am using Firepower ,not FTD ,I have 90 days proper license for this feature ,that's why it should work man

FTD means Firepower Threat Defense.

Attach an screenshot of your Access Control Policy.

Also, a screenshot from System -> Integration page, where URL filtering configuration is shown.


Have an endpoint where you can troubleshoot from (used to try to access one of the destinations in those categories). Is recommended that endpoint to not generate too much other traffic

Open a ssh connection to the FTD's management IP. From cli, run:

system support firewall-engine-debug

Provide the filtering info, like this:

Please specify an IP protocol: tcp
Please specify a client IP address: your_endpoint_IP_address
Please specify a client port:
Please specify a server IP address:
Please specify a server port:

Now, while it runs, access one of the websites. Stop the debug with CTRL+C. Grab the output and add it in here.


You're doing it wrong. The URL categories should be configured on the URLs tab of the ACP rule, not on the Applications.

Please check the documentation for further information:

I am sorry I did wrong screen ,it should be like that .

Hi Philip ,

Although Firepower has this ability ( at least they insist ) they can not block majority of porn sites ,I am totally fed up with these small issues which made me crazy ,all of them are fall to uncategorized category which actually they should not.I know that Checkpoint or PaloAlto has URL report webpages which you can request to change specific site's category .

They block. Maybe there's something wrong on your setup. Or there could be other configuration issues.

Recognize Your Peers
Content for Community-Ad