URL Filtering FTD/FMC2100

Fantas
Level 1

Hi,

We want to apply URL filtering on our new FTD2100 firewalls through FMC. I have the questions below and need clarity, please, before I proceed and deploy changes. My change is coming soon, so I want to prepare.

 

1 - URL filtering enabling steps through FMC.

2 - How will the FTD detect if it receives HTTP/HTTPS traffic for website access?

3 - Currently clients access the internet through a Bluecoat proxy, but now I want to remove the proxy setting from the browser and allow access to specific URLs through the FTD for all those internal clients.

4 - Does the FTD need to have an SSL certificate for HTTPS sites in order to access outside URLs?

5 - How will the proxy resolve a request for linkedin.com from an internal client?

6 - How will this work when a client opens a browser and types www.linkedin.com? How will this request go to the FTD, since it is through the browser, and how will the FTD resolve www.linkedin.com so that the connection can happen?

7 - For URL filtering, do we need to add the FTD inside IP and port 8080 as the proxy setting in the client browser?

8 - Since I already have 200-plus rules on FMC for the FTD2100, do I need to create a new category for URL filtering, so that if any client needs access to sites I can just add them in that category? Just to keep the work clean.

9 - Will there be any issue for existing rules, because the URL category rules will have a block action for some sites? I don't want to create any issues for other running policies.

9 Replies

Francesco Molino
VIP Alumni
Hi

You don't need to configure anything in your clients' browsers.
You don't need to do SSL decryption for HTTPS URL filtering; it's based on the SSL handshake with the server certificate exchange.

If you want to deny some sites, you need to put the rule above other rules to avoid any overlap or override. It's difficult to tell you which position without knowing your configuration.

To answer all your questions, take a look at the Cisco documentation, which is clear and straightforward:
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/url_filtering.html

SSL decryption will be needed if you want to filter results on search engines.
Here is a document explaining how:
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_using_content_restriction.html

Hope this is clear. Let me know if you need any clarifications after you looked at the docs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
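Francesco's point that HTTPS URL filtering needs no decryption rests on the hostname being visible in the TLS handshake: the client sends it in the ClientHello's server_name (SNI) extension, and with TLS 1.2 the server certificate is also sent in clear. The block below is an added example of that visibility, written for this thread; it is not Cisco code and not the poster's configuration. It builds a constructed ClientHello (zero random, two arbitrary cipher suites, all assumptions of the example) and pulls the SNI out of it, and beside it extracts the Host header of a plaintext HTTP request, which together is the hostname information a firewall has before any decryption.

```python
"""Hostname identification without decryption: SNI from a TLS ClientHello,
Host header from plaintext HTTP.

Added example, not Cisco code. The ClientHello bytes are constructed by
build_client_hello() for the test, not taken from a capture.
"""
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: Optional[str], leading_ext: bytes = b"") -> bytes:
    """Constructed TLS 1.2-style ClientHello record; random is all zeros on purpose."""
    exts = leading_ext
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                       # client_version, random
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites (arbitrary)
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """host_name from the server_name extension of a ClientHello record, else None.
    Every length is bounds-checked; a truncated or foreign blob yields None, never an exception."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
            return None
        rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(rec) < 4 or rec[0] != 0x01:            # not a ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:                          # record truncated
            return None
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos + 2 > len(hs):                         # no extensions at all
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        if end > len(hs):
            return None
        while pos + 4 <= end:                         # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000 or len(edata) != elen:
                continue
            p, list_end = 2, 2 + struct.unpack("!H", edata[:2])[0]
            while p + 3 <= min(list_end, len(edata)):
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")       # host_name is ASCII (IDNA A-labels)
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def extract_http_host(data: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP/1.x request, else None."""
    head = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line = head[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def identify_host(first_bytes: bytes) -> Tuple[Optional[str], Optional[str]]:
    """What a firewall can learn from a connection's first client bytes: (protocol, hostname)."""
    sni = extract_sni(first_bytes)
    if sni is not None:
        return "tls", sni
    host = extract_http_host(first_bytes)
    if host is not None:
        return "http", host
    return None, None


if __name__ == "__main__":
    print(identify_host(build_client_hello("www.linkedin.com")))
    print(identify_host(b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"))
```

What this makes concrete: without a decryption policy the firewall sees the hostname (SNI, plus the certificate subject while TLS 1.2 still sends the certificate in clear) but nothing of the URL path or query string, which is why hostname and category rules work on HTTPS while search-result filtering needs decryption, as Francesco says. A client that connects to a bare IP without SNI, or a non-web protocol on port 443, yields `(None, None)` here, and the rule set needs a deliberate default for that case rather than an implicit allow.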

Thanks,

 

So my ACLs on FMC are like this, as an example.

I have many categories like this, sourced from different zones.

Can I create a new category with a new name like URL/Sites Access and add rules under this?

How will traffic be processed through the rules if my new category is at the end?

The client IP also already exists in existing rules.

 

Client IP : 1.1.1.1/32

Dest : www.linkedin.com

Action : Allow

Dest : www.facebook.com

Action : Block

 

Category Inside Rules (Existing)

1 - Source 1.1.1.0/25   DST : Any    port : 443,22,80,53    Permit

2 - Source 2.2.2.0/25   DST : Any    port : 443,22,80,53    Permit

3 - Source 1.1.1.1/32   DST : 9.9.9.9/32    port : 443,22,80,53    Permit

4 - Source 1.1.1.0/28   DST : Any    port : 443   Permit

5 - Source 1.1.1.1/32   DST : 10.10.10.10/32    port : 443,22,80,53    Permit

 

Category Corp  Rules (Existing)

1 - Source 11.11.11.0/25   DST : Any    port : 443,22,80,53    Permit

2 - Source 22.22.22.0/25   DST : Any    port : 443,22,80,53    Permit

3 - Source 11.11.11.11/32   DST : 9.9.9.9/32    port : 443,22,80,53    Permit

4 - Source 11.11.11.0/28   DST : Any    port : 443   Permit

5 - Source 11.11.11.11/32   DST : 10.10.10.10/32    port : 443,22,80,53    Permit

 

Access Control Policy (ACP) rules are processed from top to bottom as they appear in FMC.

The first match ends the rule processing (unless the action is Monitor in which case the subsequent rule(s) are processed).

I would avoid mixing rules with URLs and ports. I would put the URL filtering rules first and then the port rules.
As Marvin mentioned, rules are read and selected for traffic from top to bottom.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
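Marvin's and Francesco's replies describe top-down, first-match processing with Monitor as the one action that does not stop the walk. The block below is an added example written for this thread (my toy, not Cisco code and not the poster's real policy) that applies those semantics to the example rules posted above: a Facebook flow from 1.1.1.1 is allowed by Inside rule 1 when the URL category sits at the end and blocked when the URL category sits above it, and a coverage check lists every rule that an earlier Allow/Block rule fully covers. The rule names, the 203.0.113.10 destination, the Monitor rule used in the test, and pinning the URL rules to ports 80/443 so the coverage check is exact are all assumptions of the example.

```python
"""Toy first-match evaluator for FMC access control rules.

Added example, not Cisco code and not the poster's real policy: rule names,
the 203.0.113.x destination and the Rule/Flow classes are assumptions; the
rule bodies follow the example policy in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "Allow", "Block" or "Monitor"
    src: Optional[str] = None               # CIDR, None = Any
    dst: Optional[str] = None               # CIDR, None = Any
    ports: FrozenSet[int] = frozenset()     # destination ports, empty = Any
    urls: FrozenSet[str] = frozenset()      # hostnames, empty = Any (exact match in this toy)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    host: Optional[str] = None   # hostname from SNI/certificate/Host header, None = not (yet) known


def _in_net(ip: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    """Every condition a rule carries must hold; an 'Any' condition always holds."""
    return (
        _in_net(flow.src_ip, rule.src)
        and _in_net(flow.dst_ip, rule.dst)
        and (not rule.ports or flow.dst_port in rule.ports)
        and (not rule.urls or (flow.host is not None and flow.host in rule.urls))
    )


def evaluate(policy: List[Rule], flow: Flow, default: str = "Block") -> Tuple[str, str, List[str]]:
    """Walk the rules top down. The first Allow/Block hit ends processing;
    Monitor rules are recorded and the walk continues."""
    monitored: List[str] = []
    for rule in policy:
        if not matches(rule, flow):
            continue
        if rule.action == "Monitor":
            monitored.append(rule.name)
            continue
        return rule.action, rule.name, monitored
    return default, "default action", monitored


def _covers_net(outer: Optional[str], inner: Optional[str]) -> bool:
    if outer is None:
        return True
    if inner is None:
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def shadowed(policy: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where an earlier Allow/Block rule matches every
    flow the later rule could match, so the later rule can never fire."""
    out: List[Tuple[str, str]] = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.action == "Monitor" or earlier.urls:
                continue   # Monitor does not end processing; a URL condition covers only some hosts
            if (_covers_net(earlier.src, later.src)
                    and _covers_net(earlier.dst, later.dst)
                    and (not earlier.ports or (later.ports and later.ports <= earlier.ports))):
                out.append((later.name, earlier.name))
                break
    return out


PORTS = frozenset({443, 22, 80, 53})
WEB = frozenset({80, 443})   # assumption: URL rules pinned to web ports so the coverage check is exact

INSIDE_RULES = [   # the "Category Inside Rules (Existing)" list from the thread
    Rule("Inside-1", "Allow", src="1.1.1.0/25", ports=PORTS),
    Rule("Inside-2", "Allow", src="2.2.2.0/25", ports=PORTS),
    Rule("Inside-3", "Allow", src="1.1.1.1/32", dst="9.9.9.9/32", ports=PORTS),
    Rule("Inside-4", "Allow", src="1.1.1.0/28", ports=frozenset({443})),
    Rule("Inside-5", "Allow", src="1.1.1.1/32", dst="10.10.10.10/32", ports=PORTS),
]
URL_RULES = [      # the proposed URL category for client 1.1.1.1
    Rule("URL-Allow-LinkedIn", "Allow", src="1.1.1.1/32", ports=WEB, urls=frozenset({"www.linkedin.com"})),
    Rule("URL-Block-Facebook", "Block", src="1.1.1.1/32", ports=WEB, urls=frozenset({"www.facebook.com"})),
]
URL_LAST = INSIDE_RULES + URL_RULES    # new category appended at the end of the policy
URL_FIRST = URL_RULES + INSIDE_RULES   # new category placed above the Inside category

# Constructed flow: client 1.1.1.1 opening https://www.facebook.com (203.0.113.10 is a documentation address)
FACEBOOK = Flow("1.1.1.1", "203.0.113.10", 443, host="www.facebook.com")

if __name__ == "__main__":
    print(evaluate(URL_LAST, FACEBOOK))    # ('Allow', 'Inside-1', [])  the block never fires
    print(evaluate(URL_FIRST, FACEBOOK))   # ('Block', 'URL-Block-Facebook', [])
    print(shadowed(URL_LAST))
```

Two things the toy makes visible. First, in the posted example policy Inside rules 3, 4 and 5 are already fully covered by Inside rule 1 (1.1.1.0/25 to Any on the same ports), so the coverage check flags them in either ordering; they never fire. Second, the toy assumes the hostname is known when the first packet arrives, whereas the FTD only learns it once it has seen the SNI or the server certificate, so the first packets of a connection are matched without it.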

Thanks.

 

Can I create a new category for URL traffic only and keep this category above the Inside rules category?

The new URLs category will be sourced from the same inside zone to outside and other zones, the same as the existing Inside category, which is sourced from inside to outside and other internal zones.

So my scenario is like this:

 

Client----->FTD-------->ASA with FirePower--------->Internet

 

Based on the above, can I do URL filtering on the ASA with FirePOWER instead of on the FTD? The client might talk to some other destinations, which can be routed or allowed on the FTD firewall, but URL access like facebook.com will be routed to the ASA with FirePOWER firewall, so I can do URL filtering and NAT for the internet for internal clients on the ASA.

 

Since we have an SFR module on the ASA, we should be able to do URL filtering through FMC.

You can do URL filtering on your ASA instead of the FTD, but the rules given previously still remain (top down, and avoid mixing URL filters with ports/applications).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks,

 

I have decided to do NAT on the ASA and URL filtering on the FTD.

 

Let's see how it goes.

 

 

This is a good choice!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question