Encrypted traffic, end of the road.
The ASA won't be able to see the request on the HTTP request, so it won't block it.
The CSC module is a good partner in crime when blocking HTTPS on the ASA.
But, we don't always have a spare CSC to use, so, here's something you can try:
You can block HTTPS by dropping the DNS request.
For this to work properly the DNS request for resolving the ip of HTTPS URL must go through ASA which means if user and it's DNS server both are behind same interface of ASA then this would not work. As we are dropping the blocked web-site request during it's DNS resolution Request.
As this solution works based on dropping the DNS server reply thereby this does not only block HTTPS but any other kind of traffic as well (HTTP, FTP, etc.) where the user accesses a server using its name and hence has to perform a DNS query.
What to do:
HTTPS websites use a SSL tunnel from the end device to the end server, so the firewall isn’t capable of inspecting the SSL traffic. So Instead of using URL inspection, we can configure DNS inspection.
The ASA inspects the DNS request from the internal DNS server or end device to the external DNS server. We can use regular expressions to match the FQDN of a website. Below is an example configuration of blocking access to the website (and applications using a DNS entry to this website) facebook.com
regex domain_facebook.com “\.facebook\.com”
!
class-map type regex match-any DomainBlockList
match regex domain_facebook.com
!
policy-map type inspect dns Pol-DNS-inspect
parameters
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
!
policy-map global_policy
class inspection_default
inspect dns Pol-DNS-inspect
!
service-policy global_policy global
A problem with this approach could be the DNS cache on the internal DNS server. This is domain name is queried before configuring the inspection, the domain will be available until the DNS cache from the DNS server expires. In urgent situation you can maybe clear the DNS cache yourself.
