1913 Views | 3 Helpful | 19 Replies

URL Category Block

ssan239
Level 1

Hi Team,

May I know, if we configure a rule with certain unwanted URL categories to Block on top of the rule base, will it block only those categories and allow any other traffic from that rule?

19 Replies

balaji.bandi
Hall of Fame

Yes, if it matches the URL it will block only; the rule order is top down (so the global rule will catch all the allowed traffic).

BB

=====Preenayamo Vasudevam=====


@ssan239 the Cisco recommendation is that L3/L4 rules should come before rules that require inspection (URL filtering in your instance), as L3/L4 rules can be evaluated quicker and without inspection.

If your rules only contain URL categories to block it will only block those categories.

Marvin Rhoads
Hall of Fame

Yes. It requires the URL Filtering license to block based on category. Assuming you have that, the Block rule will check for the traffic and, if it is found to be destined to a URL categorized among your block categories, it will be blocked.

Any traffic not matching that rule will be evaluated against the subsequent rules in your Access Control Policy.

ssan239
Level 1

Thanks a lot Balaji, Rob and Marvin for the quick reply.

If it does not match the category in the block rule, will it then continue checking the other rules in a top-to-bottom approach and act based on the other ACLs below the Block URL rule?

I want to be more specific on this. Please help me to better understand this.

If I configure a rule on top of my rule base as below:

Src Zone: Any

Dst Zone: Any

Src: Any

Dst: Any

URL Category: Spyware, Phishing

Action: Block

In this case I am blocking on Spyware and Phishing and it is on top of the rule base. So if the traffic does not match this category, will the packet be implicitly allowed, or will it check the next rules with the IP address config and allow or deny based on the config?

@ssan239 I would say you should explicitly define the SRC (inside) and DST (outside) zones and the SRC network (local networks) at a minimum.

Any reason Rob?

@ssan239 if you don't specify the SRC/DST zones and/or networks, all traffic is evaluated against those rules to determine if there is a match. It's more efficient if you are specific when you write the rules.

ssan239
Level 1

Thank you Rob for clarification.

Apart from all traffic being checked by the rule, will it allow other category traffic, as we are blocking only Spyware and Phishing on top of the rule base?

@ssan239 traffic that does not match the rule that blocks spyware and phishing will be processed by the other rules in the policy.

ssan239
Level 1

Does the same rule allow all the other traffic other than Spyware and Phishing? If this is the 1st rule in the policy, will it then allow everything else and not even check the 2nd policy? Sorry for being a pain, but I need to get a complete understanding of this, as I am not getting the complete picture from the documents I read.

@ssan239 traffic that is not spyware or phishing will not match that rule; it will be evaluated by the other rules in the Access Control Policy and permitted/denied accordingly.

Hi Rob,

I am hearing a lot of other things about the below policy on top.

Src Zone: Any

Dst Zone: Any

Src: Any

Dst: Any

URL Category: Spyware, Phishing

Action: Block

Will FTD allow any traffic from Outside to Inside 3 to 5 packets through in order for a handshake to establish so it can compare the details with the categories in the rule?

@ssan239 yes, identification should occur within 3 to 5 packets, or after the server certificate exchange in the TLS/SSL handshake if the traffic is encrypted. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/access-url-filtering.html
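The two behaviours the replies above describe (a category block rule on top only catches matching traffic and everything else falls through to the later rules and the default action, and a few packets of a new connection are passed before the category can be identified) are easiest to see in a small model of top-down, first-match policy evaluation. The following Python is an added illustration written for this thread, not Cisco code and not FTD's real engine: the rule fields, the `IDENT_PACKETS` threshold, the zone names and the sample addresses are all constructed, and the "identification needs a few packets" step is a deliberate simplification of what the linked guide describes. It also goes one step beyond the thread by showing what Rob's advice about specifying zones buys: a category rule that is already scoped to inside-to-outside never needs identification for outside-to-inside traffic.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "any"
# Constructed assumption for this model: the URL category of a new connection is
# unknown until this many packets have been seen (the thread quotes 3 to 5 on FTD).
IDENT_PACKETS = 3


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    src_zone: str = ANY
    dst_zone: str = ANY
    src_net: str = ANY                       # simplified: exact IP string or "any"
    dst_net: str = ANY
    url_categories: frozenset = frozenset()  # empty: rule does not look at the category


@dataclass
class Connection:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    packets_seen: int = 0
    url_category: Optional[str] = None       # None until identification completes


def rule_matches(rule: Rule, conn: Connection) -> Optional[bool]:
    """True/False for a decided match; None when the rule needs a URL category
    that has not been identified yet (L3/L4 fields are checked first, cheaply)."""
    for want, have in ((rule.src_zone, conn.src_zone), (rule.dst_zone, conn.dst_zone),
                       (rule.src_net, conn.src_ip), (rule.dst_net, conn.dst_ip)):
        if want != ANY and want != have:
            return False
    if rule.url_categories:
        if conn.url_category is None:
            return None
        return conn.url_category in rule.url_categories
    return True


def evaluate(policy, conn, default_action="block"):
    """Top-down, first-match evaluation. Returns (verdict, rule_name)."""
    for rule in policy:
        matched = rule_matches(rule, conn)
        if matched is None:
            # A category rule cannot be decided yet: the packet is let through
            # so that identification can complete (constructed simplification).
            return ("pending-identification", rule.name)
        if matched:
            return (rule.action, rule.name)
    return (default_action, "default")


def simulate(policy, conn, category_when_identified, max_packets=6):
    """Feed packets of one connection through the policy until a final verdict."""
    verdicts, matched = [], "default"
    for _ in range(max_packets):
        conn.packets_seen += 1
        if conn.packets_seen >= IDENT_PACKETS:
            conn.url_category = category_when_identified
        verdict, matched = evaluate(policy, conn)
        verdicts.append(verdict)
        if verdict != "pending-identification":
            break
    return verdicts, matched


# Constructed policy mirroring the thread: Any/Any category block on top, then an
# inside-to-outside allow; anything else hits the default action (block).
POLICY = [
    Rule("block-bad-categories", "block", url_categories=frozenset({"Spyware", "Phishing"})),
    Rule("inside-to-outside", "allow", src_zone="inside", dst_zone="outside"),
]

# Same policy, but the category rule is scoped to inside -> outside as Rob suggests.
POLICY_SPECIFIC = [
    Rule("block-bad-categories", "block", src_zone="inside", dst_zone="outside",
         url_categories=frozenset({"Spyware", "Phishing"})),
    Rule("inside-to-outside", "allow", src_zone="inside", dst_zone="outside"),
]

if __name__ == "__main__":
    cases = [("inside", "outside", "Shopping"), ("inside", "outside", "Phishing"),
             ("outside", "inside", "Shopping")]
    for src_zone, dst_zone, cat in cases:
        conn = Connection(src_zone, dst_zone, "10.0.0.5", "203.0.113.10")
        print(f"{src_zone}->{dst_zone} {cat}:", simulate(POLICY, conn, cat))
        conn = Connection(src_zone, dst_zone, "10.0.0.5", "203.0.113.10")
        print(f"  scoped rule:", simulate(POLICY_SPECIFIC, conn, cat))
```

Run stand-alone, the script shows inside-to-outside Shopping traffic passing two packets as "pending-identification" and then being allowed by the second rule, Phishing traffic being blocked by the first rule, and outside-to-inside traffic reaching the default block only after the same identification window under the Any/Any policy, but on the very first packet under the zone-scoped policy, because no rule can match it without looking at the category.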

Thank you Rob,

So this means any public IP accessing an inside server on some random port will be allowed 3-5 packets by the rule above to try the TCP handshake or SSL handshake, and then it will see if it matches the category (Phishing and Spyware). If it doesn't match, then it will go ahead with the other rules, is it?
