I have a Cisco 5516-X with the FP module and FMC installed on a VM (6.0.1). I have added the licenses and enabled them for the device. I have also added service policy rules in the ASA 5516 enabling Firepower inspection, but I am still not able to do URL filtering or any malware filtering. I have tried many methods to do this, still no luck. Can someone help me configure this from the beginning, or is there any clear guide that explains the initial installation of the Firepower integration?
Thank you in advance.
Have you deployed the Access Control Policy (ACP) with URL and File inspection rules?
Please share a screen shot of Device Management and ACP pages.
The screenshots look correct. Can you please also share the output of "show service-policy sfr" from the ASA CLI and a screenshot of all access control policy rules, unless the one you shared is on top.
I notice your "blockeicar" has an application rule included. Only traffic matching that condition AND the URL condition will have the selected Block with Reset action applied.
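For reference, the ASA side of this setup is a Modular Policy Framework (MPF) policy that redirects traffic to the sfr module; the module only evaluates what the ASA sends it, so no ACP rule (URL, file or application) can match traffic that is never redirected. The following is an added example, not the original poster's configuration; the class-map name and the fail-open choice are assumptions, and `global_policy` is the ASA's default policy-map.

```cisco
! Added example of ASA -> FirePOWER (sfr) traffic redirection.
! Assumed names: sfr-class. global_policy is the ASA default policy-map.
class-map sfr-class
 match any
!
policy-map global_policy
 class sfr-class
  sfr fail-open
!
! fail-open lets traffic through if the module is down or fails;
! use "sfr fail-close" to drop traffic instead if that is the desired security posture.
service-policy global_policy global
!
! Verification commands on the ASA CLI:
show module sfr
show service-policy sfr
```

In `show module sfr` the module should report an Up status, and in `show service-policy sfr` the SFR line should show the card status as Up with the packet input/output counters increasing while traffic flows. If the counters stay at zero, the module is not receiving the traffic and the URL and file rules in the ACP will never be evaluated, whatever the FMC side looks like.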
You cannot trace the logic in FirePOWER 6.0.1 that you are using, either on the firewall or from FirePOWER Management Center.
Your FirePOWER Management Center Connection Record will show what URL Category a given connection was classified into.
In FMC 6.1, Cisco added the capability to do a lookup of the category directly from the Web UI. (You could always just put the URL into brightcloud.com service that Cisco uses in the backend.)
In FMC 6.2 we now have the capability to do a packet-tracer function from the Health Monitoring Advanced Troubleshooting tools section of FMC.
Thanks a lot for the update. If I remove the ASA FirePOWER module from the Firepower Management Center, will it cause any downtime? Or can I just remove the management center and install a new center? Also, can I transfer my FP license to the new center?
Changing from one management center to another will not cause any downtime on the managed devices. When you redeploy policies (either from an existing or new FMC) there can be a brief interruption of packet processing.
Rehosting or transferring licenses requires TAC assistance (Global Licensing Operations queue) for Classic licenses such as are used by your 5516-X FirePOWER Service module managed by FMC.
(The newer Smart licenses used by FTD can be rehosted via self-service.)
I will plan to upgrade then. After that I hope to do the configuration again. Hope that will work fine.
Is there anything that needs to be checked on the firewall?
I have added FMC policies to the interface. I did not create any zones. Can that be an issue? Because the ASA doesn't have zones created.
Thank you all.
Still I don't have an answer for this matter. With URL filtering, I can filter manual URLs but not categories. Also I can't see any logging record for blocked traffic. This is really weird.