10-12-2019 08:14 PM - edited 02-21-2020 09:35 AM
Hi,
We want to apply URL filtering on our new FTD2100 firewalls through FMC. I have the questions below and need clarity please before I proceed and deploy changes. My change is coming soon, so I want to prepare.
1 - Steps to enable URL filtering through FMC
2 - How will the FTD detect whether it receives HTTP/HTTPS traffic for website access?
3 - Currently clients can access the internet through a Bluecoat proxy, but now I want to remove the proxy setting from the browser and allow access to specific URLs through the FTD for all those internal clients.
4 - Does the FTD need to have an SSL certificate for HTTPS sites to access outside URLs?
5 - How will the proxy resolve a request for linkedin.com from an internal client?
6 - How will this work when a client opens a browser and types www.linkedin.com? How will this request go to the FTD, as it's through the browser, and how will the FTD resolve www.linkedin.com so that the connection can happen?
7 - For URL filtering, do we need to add the FTD inside IP on port 8080 in the proxy setting of the client browser?
8 - Since I already have 200-plus rules on FMC for the FTD2100, do I need to create a new category for URL filtering, so that if any client needs access to sites I can just add them in that category? Just for clean work.
9 - Will there be any issue for existing rules, because URL category rules will have a block action for some sites? I don't want to create any issues for other running policies.
10-12-2019 09:38 PM
10-12-2019 10:13 PM
Thanks,
So my ACLs on FMC are like this, as an example.
I have many categories like this, sourced from different zones.
Can I create a new category with a new name like URL/Sites Access and add rules under this?
How will traffic be processed through the rules if my new category is at the end?
The client IP also already exists in existing rules.
Client IP : 1.1.1.1/32
Dest : www.linkedin.com
Action : Allow
Dest : www.facebook.com
Action : Block
Category Inside Rules (Existing)
1 - Source 1.1.1.0/25 DST : Any port : 443,22,80,53 Permit
2 - Source 2.2.2.0/25 DST : Any port : 443,22,80,53 Permit
3 - Source 1.1.1.1/32 DST : 9.9.9.9/32 port : 443,22,80,53 Permit
4 - Source 1.1.1.0/28 DST : Any port : 443 Permit
5 - Source 1.1.1.1/32 DST : 10.10.10.10/32 port : 443,22,80,53 Permit
Category Corp Rules (Existing)
1 - Source 11.11.11.0/25 DST : Any port : 443,22,80,53 Permit
2 - Source 22.22.22.0/25 DST : Any port : 443,22,80,53 Permit
3 - Source 11.11.11.11/32 DST : 9.9.9.9/32 port : 443,22,80,53 Permit
4 - Source 11.11.11.0/28 DST : Any port : 443 Permit
5 - Source 11.11.11.11/32 DST : 10.10.10.10/32 port : 443,22,80,53 Permit
10-13-2019 05:06 AM
Access Control Policy (ACP) rules are processed from top to bottom as they appear in FMC.
The first match ends the rule processing (unless the action is Monitor in which case the subsequent rule(s) are processed).
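The following is an added example to illustrate that top-down, first-match evaluation using the rules posted earlier in the thread; it is not Cisco code and not part of the original reply. It models an ACP as an ordered list, stops at the first matching rule unless its action is Monitor, and shows why a URL block rule appended below a broad "source 1.1.1.0/25 to any on 443 Permit" rule never fires. The rule names, the Monitor rule, the hostname-as-destination shorthand and the destination address 203.0.113.10 are assumptions made for the illustration.

```python
"""
Toy model of FMC Access Control Policy ordering (added example, not Cisco code).

Rules are evaluated top to bottom; the first matching rule decides the verdict,
except a Monitor rule, which records a hit and lets evaluation continue.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # CIDR or "any"
    dst: str           # CIDR, "any", or a hostname standing in for a URL object
    ports: Tuple[int, ...]   # empty tuple means any destination port
    action: str        # "Allow", "Block" or "Monitor"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    url_host: Optional[str] = None   # hostname the FTD can see (e.g. TLS SNI)


def _net_match(field: str, ip: str) -> bool:
    """True if `field` is "any" or a CIDR containing `ip`; raises ValueError on a hostname."""
    return field == "any" or ip_address(ip) in ip_network(field, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if not _net_match(rule.src, flow.src_ip):
        return False
    try:
        if not _net_match(rule.dst, flow.dst_ip):
            return False
    except ValueError:
        # rule.dst is a hostname (URL condition): compare against the observed host
        if flow.url_host is None or flow.url_host.lower() != rule.dst.lower():
            return False
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    return True


def evaluate(policy: List[Rule], flow: Flow, default_action: str = "Block") -> Tuple[str, List[str]]:
    """Return (final action, names of rules that matched, in order).

    Monitor rules are recorded but do not end processing; any other match does.
    If nothing matches, the policy's default action applies.
    """
    hits: List[str] = []
    for rule in policy:
        if rule_matches(rule, flow):
            hits.append(rule.name)
            if rule.action != "Monitor":
                return rule.action, hits
    return default_action, hits


# The poster's existing "Inside" category, in the order shown in the thread.
INSIDE_RULES = [
    Rule("Inside-1", "1.1.1.0/25", "any", (443, 22, 80, 53), "Allow"),
    Rule("Inside-2", "2.2.2.0/25", "any", (443, 22, 80, 53), "Allow"),
    Rule("Inside-3", "1.1.1.1/32", "9.9.9.9/32", (443, 22, 80, 53), "Allow"),
    Rule("Inside-4", "1.1.1.0/28", "any", (443,), "Allow"),
    Rule("Inside-5", "1.1.1.1/32", "10.10.10.10/32", (443, 22, 80, 53), "Allow"),
]

# The proposed URL rules for client 1.1.1.1 (names are assumed).
URL_RULES = [
    Rule("URL-linkedin-allow", "1.1.1.1/32", "www.linkedin.com", (), "Allow"),
    Rule("URL-facebook-block", "1.1.1.1/32", "www.facebook.com", (), "Block"),
]

# An assumed Monitor rule, to show that it logs but does not stop evaluation.
MONITOR_ALL = Rule("Monitor-all", "any", "any", (), "Monitor")

# Constructed flow: client 1.1.1.1 opening https://www.facebook.com (203.0.113.10 is a placeholder).
FACEBOOK_FLOW = Flow("1.1.1.1", "203.0.113.10", 443, url_host="www.facebook.com")


def url_category_last() -> Tuple[str, List[str]]:
    """URL category appended below the Inside category: Inside-1 wins, Facebook is never blocked."""
    return evaluate(INSIDE_RULES + URL_RULES, FACEBOOK_FLOW)


def url_category_first() -> Tuple[str, List[str]]:
    """URL category placed above the Inside category: the block rule is reached."""
    return evaluate(URL_RULES + INSIDE_RULES, FACEBOOK_FLOW)


def with_monitor_on_top() -> Tuple[str, List[str]]:
    """A Monitor rule on top records a hit and processing continues to the block rule."""
    return evaluate([MONITOR_ALL] + URL_RULES + INSIDE_RULES, FACEBOOK_FLOW)


if __name__ == "__main__":
    print("URL rules last :", url_category_last())
    print("URL rules first:", url_category_first())
    print("Monitor on top :", with_monitor_on_top())
```

The practical consequence for the thread: a URL block placed below a port-based Permit that already covers the client's subnet is shadowed, so the URL category has to sit above the broad Permit rules (or those rules have to be narrowed) for the block to take effect.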
10-13-2019 09:30 PM
10-14-2019 01:20 AM
Thanks.
Can I create a new category for URL traffic only and keep this category above the Inside rules category?
The new URLs category will be sourced from the same inside zone to the outside and other zones, the same as the existing Inside category, which is sourced from inside to outside and other internal zones.
10-14-2019 03:57 PM
So my scenario is like this:
Client----->FTD-------->ASA with FirePower--------->Internet
Based on the above, can I do URL filtering on the ASA with FirePower instead of on the FTD? The client might talk to some other destinations, so those can be routed or allowed on the FTD firewall, but URL access like facebook.com will be routed to the ASA with FirePower firewall, so I can do URL filtering and NAT for the internet for internal clients on the ASA.
Since we have the SFR module on the ASA, we should be able to do URL filtering through FMC.
10-14-2019 06:15 PM
10-15-2019 05:57 PM
Thanks,
I have decided to do NAT on ASA and URL filtering on FTD.
Let's see how it goes.
10-17-2019 08:48 AM