
URL Filtering not working on ASA Firepower 5506-X

JimGyt
Level 1

Hi everyone, first of all I'm very new to Cisco firewalls, so I may have made big mistakes in my configuration. I'm trying to configure a Firepower ASA 5506-X to use URL Filtering to block access to some websites.

Everything goes well, I followed the explanation on the Cisco website:

- I updated my ASA and ASDM

- I created a service policy rule (match any) to redirect the traffic to the Firepower

- I created a new rule

- Saved everything and Deploy

But nothing happens. I can still access everything I tried to block. I also noticed in ASA Firepower Reporting that nothing moves, as if I didn't redirect the traffic. A little help would be appreciated, thanks.

1 Accepted Solution

Hi again, I discovered an odd thing. In the monitoring of the ASA Firepower, it shows the connection to Youtube.com as blocked as I wanted, but in fact I can still navigate. After some testing I noticed that it seems to work on Edge but not in Chrome.

EDIT: The problem is solved. Just wanted to share it in case somebody needs it. The configuration was fine but I was only testing with Chrome and Youtube as the URL. There is a known issue I found in the Cisco Bug Search Tool and there is a workaround for Chrome and Youtube by disabling QUIC.

Thanks everybody.


4 Replies

Marvin Rhoads
Hall of Fame

In your Rules.JPG attachment it shows the box for "Enable ASA Firepower for this traffic flow" as unchecked. It needs to be checked.

johnlloyd_13
Level 9

Hi, Marvin is correct. You'll need to redirect traffic to the FP module for inspection. See helpful link:

http://wannabecybersecurity.blogspot.com/2019/01/cisco-asa-firepower-traffic-redirection.html

I would also suggest adding a topmost rule (rule #1) to allow DNS. See helpful link:

http://wannabecybersecurity.blogspot.com/2019/02/configuring-cisco-firepower-access.html

Hi, thank you for your answer. I have tried and still no luck. I took the screenshot while I was creating the rule, and I did it too quickly. I will try your suggestions right now. Thanks
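The two fixes discussed in this thread (redirecting traffic to the Firepower module, and disabling QUIC so Chrome cannot bypass the URL rule) expressed as ASA CLI. This is an added example, not configuration posted by anyone in the thread. The names `SFR_REDIRECT`, `SFR_CLASS`, `INSIDE_IN` and the interface name `inside` are assumptions, and dropping UDP/443 at the ASA is one way to disable QUIC; the thread does not say which method was used.

```cisco
! Added example. SFR_REDIRECT, SFR_CLASS, INSIDE_IN and the interface
! name "inside" are assumed; global_policy is the ASA default policy-map.

! 1. Redirect traffic to the FirePOWER (sfr) module. This is the CLI
!    counterpart of ticking "Enable ASA Firepower for this traffic flow"
!    in the ASDM service policy rule.
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  ! fail-open: traffic still passes if the module is down.
  ! Use "sfr fail-close" if uninspected traffic must be dropped instead.
  sfr fail-open
service-policy global_policy global

! 2. Disable QUIC on the network side (assumed method): drop UDP/443 so
!    the browser falls back to HTTPS over TCP/443, which is the traffic
!    the URL rule was already blocking when tested from Edge.
!    Note: access-group replaces any ACL already applied inbound on the
!    interface, so merge the deny line into the existing ACL if there is one.
access-list INSIDE_IN extended deny udp any any eq 443
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! 3. Verify.
! Module must be up:
show module sfr
! Packet counters should increase while browsing; zero means no redirect:
show service-policy sfr
! Hit count on the deny line confirms QUIC attempts are being dropped:
show access-list INSIDE_IN
```

If `show service-policy sfr` stays at zero packets, the URL rule never sees the traffic, which matches the empty Reporting view described in the original question.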

