Some observations and Suggestions on Firepower URL filtering

t-crisall
Level 1

Environment background:

- Firepower Management Center 4000 - 6.2.3.4

- Clustered ASA5585-SSP-40 with sensors - 6.2.3.4

 

I've been monitoring externally provided data about traffic from my inside networks to known malicious URL sites to measure the effectiveness of several Firepower ACLs. Today I found indication of connections to at least 3 malware sites (I stopped looking at 3) which my Firepower was NOT blocking... A search of Analysis -> Connections -> Events showed no traffic caught by these ACLs to any of these sites in the last month.

 

One of my first thoughts was to use the Analysis -> Lookup -> URL feature to see what the Firepower thought about the URLs. I quickly learned that this function requires System -> Integration -> Cisco CSI -> Query Cisco CSI for Unknown URLs to be turned on. When I turned the function on and saved, a lookup of all 3 URLs indicated that they were in fact High-Risk malware sites.

 

To my surprise, when I went back to Analysis -> Connections -> Events, the sites in question are now being blocked...

 

From this - I have a question and an observation. 

 

Question: I have always had 'Enable Automatic Updates' for URL Filtering turned on, and the indicator is that the last URL Filtering Update received was yesterday. What am I getting in the automatic updates and the local URL filtering database? I know that when we first set up these ACLs several months ago, at least one of the URLs in question must have been in the local database, as the site WAS being blocked and events WERE being generated...

 

Observation: The 'Analysis -> Lookup -> URL' tool is great, but it should not be tied directly to the cloud lookup. I would suggest that it FIRST look up in the local database, THEN look up in the cloud, and then indicate WHERE it found the match in the results...

 

Thanks,

 

Tim

 

Edit: - where I mention ACL - I guess I should be using ACP...
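The effectiveness check the post describes (comparing an external list of known-malicious URLs against the Connection Events the FMC recorded) can be scripted once the events are exported. The following is an added example, not code from the original post or from Cisco; the CSV column names and all URLs are constructed for illustration and do not match the FMC export schema.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample: a minimal connection-event export with only the
# columns this check needs. Real FMC exports carry many more columns;
# the column names here are assumptions, not FMC's exact schema.
EVENTS_CSV = """timestamp,initiator_ip,url,action
2018-11-05 09:12:01,10.1.1.20,http://bad.example.net/drop.php,Allow
2018-11-05 09:14:33,10.1.1.21,https://evil.example.org/,Block
2018-11-05 09:20:10,10.1.1.22,http://www.safe.example.com/index.html,Allow
2018-11-05 10:02:45,10.1.1.20,http://bad.example.net/c2,Allow
"""

# Constructed external feed of known-malicious URLs (e.g. a vendor report).
FEED = [
    "http://bad.example.net/drop.php",
    "https://evil.example.org/login",
    "http://unseen.example.com/payload",
]

def host_of(url):
    """Return the lowercase hostname, treating scheme-less entries as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def audit(events_csv, feed):
    """Count blocked and allowed connections per feed host.
    Returns a dict host -> {'blocked': n, 'allowed': n}."""
    report = {host_of(u): {"blocked": 0, "allowed": 0} for u in feed}
    for row in csv.DictReader(io.StringIO(events_csv)):
        host = host_of(row["url"])
        if host in report:
            key = "blocked" if row["action"].lower().startswith("block") else "allowed"
            report[host][key] += 1
    return report

def gaps(report):
    """Feed hosts that were reached (allowed) and feed hosts with no events at all."""
    allowed = sorted(h for h, c in report.items() if c["allowed"] > 0)
    unseen = sorted(h for h, c in report.items() if c["allowed"] + c["blocked"] == 0)
    return allowed, unseen

if __name__ == "__main__":
    reached, missing = gaps(audit(EVENTS_CSV, FEED))
    print("Malicious hosts reached without a block:", reached)
    print("Malicious hosts with no connection events:", missing)
```

Hosts in the "reached" list are the ones worth checking with Analysis -> Lookup -> URL to see whether the category is only known via cloud lookup; hosts with no events at all may simply have had no traffic, so they are a separate list.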
