02-26-2017 05:23 AM - edited 02-21-2020 06:01 AM
Hi There,
I have a Cisco 5516-X with FP module and FPMC installed on a VM (6.0.1). I have added the licenses and enabled them for the device. I have also added service policy rules in the ASA 5516 with FirePOWER inspection enabled, but still I am not able to do URL filtering or any malware filtering. I have tried many methods to do this, still no luck. Can someone help me to configure this from the beginning, or is there any clear guide which explains the initial installation of the FirePOWER integration?
Thank you in advance
02-26-2017 07:15 PM
Have you deployed the Access Control Policy (ACP) with URL and File inspection rules?
Please share a screen shot of Device Management and ACP pages.
02-26-2017 11:16 PM
Hi Marvin,
Please find attached images of those captures. I guess I am making some small mistake, but I cannot find it.. :(
I can see application traffic on the dashboard, but when I click on that application it does not show any record details.
Thanks in advance
02-26-2017 11:30 PM
Hi Kasun,
The screenshots look correct. Can you please also share the output of "show service-policy sfr" from the ASA CLI and a screenshot of all access control policy rules, unless the one you shared is on top.
Thanks
Yogesh
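For reference, this is what the ASA side of the redirect that "show service-policy sfr" reports usually looks like. This is an added example, not configuration posted by anyone in this thread; it assumes an ASA 9.x with the default global_policy and an installed sfr module, and the class-map name is a placeholder.

```text
! Added reference config (not from this thread): minimal ASA 9.x policy that
! redirects all traffic through the FirePOWER (sfr) module.
! First confirm the module is up and registered to the FMC:
show module sfr details
!
! Match all traffic; a narrower access-list can be used instead of "match any".
class-map sfr-class
 match any
!
! Hook into the default global policy so the redirect applies on every interface.
policy-map global_policy
 class sfr-class
  sfr fail-open
!
! fail-open : traffic passes uninspected if the module fails (favours availability).
! fail-close: traffic is dropped if the module fails (stricter; choose per risk appetite).
! "sfr fail-open monitor-only" only sends a copy of the traffic, so URL or file
! Block actions in the Access Control Policy will never take effect with it.
!
service-policy global_policy global
!
! Confirm packets are actually being redirected (the counters should increase
! while traffic flows; zero counters mean the module never sees the traffic):
show service-policy sfr
```

If the counters stay at zero, the Access Control Policy on the FMC cannot block anything, however the rules are written; the problem is then on the ASA side, not in the policy.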
02-27-2017 10:48 PM
02-27-2017 11:12 PM
Kasun,
I notice your "blockeicar" has an application rule included. Only traffic matching that condition AND the URL condition will have the selected Block with Reset action applied.
02-27-2017 11:23 PM
02-27-2017 11:28 PM
You cannot trace the logic in FirePOWER 6.0.1 that you are using, either on the firewall or from FirePOWER Management Center.
Your FirePOWER Management Center Connection Record will show what URL Category a given connection was classified into.
In FMC 6.1, Cisco added the capability to do a lookup of the category directly from the Web UI. (You could always just put the URL into the brightcloud.com service that Cisco uses in the backend.)
In FMC 6.2 we now have the capability to do a packet-tracer function from the Health Monitoring Advanced Troubleshooting tools section of FMC.
02-27-2017 11:34 PM
Hi Marvin,
Thanks a lot for the update. If I remove ASA FirePOWER management from the FirePOWER center, will it cause any downtime? Or can I just remove the management center and install a new center? Also, can I transfer my FP license to the new center?
Thank you
02-27-2017 11:41 PM
Changing from one management center to another will not cause any downtime on the managed devices. When you redeploy policies (either from an existing or new FMC) there can be a brief interruption of packet processing.
Rehosting or transferring licenses requires TAC assistance (Global Licensing Operations queue) for Classic licenses such as are used by your 5516-X FirePOWER Service module managed by FMC.
(The newer Smart licenses used by FTD can be rehosted via self-service.)
02-27-2017 11:47 PM
Hi Marvin,
I will plan to upgrade then. After that I hope to do the configuration again. Hope that will work fine.
Is there anything that needs to be checked from the firewall?
Thank you
02-28-2017 01:37 AM
Hi All,
I have added FPMC policies to the interface. I did not create any zones. Can that be an issue? Because the ASA doesn't have zones created.
Thank you all
02-27-2017 05:55 AM
Hello Kasun,
For URL filtering, you can refer to the following video tutorial.
https://www.youtube.com/watch?v=nXIBDQqekPY
Regards
Jetsy
03-10-2017 11:36 PM
Still I don't have an answer for this matter. When URL filtering, I can filter manual URLs but not categories. Also I can't see any logging record for blocked traffic. This is really weird.
03-11-2017 06:40 AM
For logging - have you set the rules in your Access Control Policy to create log entries? They won't by default.