09-08-2015 03:27 PM - edited 03-11-2019 11:34 PM
Hello community!
I was reading the following article: ASA URL filtering without a Websense and I have additional questions regarding that process.
It's my understanding that the denied website is denied globally thanks to the command service-policy global_policy global, which means that if I have 10 networks on my firewall, the traffic to that website is going to be denied for all of them, right?
I know that the example shows how to apply the rule to a specific host and we can have some flexibility due to the ACL we have to set, but still this is a global setting, right?
Is there a way I can set up this rule on only one interface? What about scalability: can I set multiple rules for different types of traffic?
Thanks!
09-08-2015 07:14 PM
I've seen this feature used maybe once in production and I've worked on hundreds of ASAs. It's not very robust and most people only ever did it as an experiment to see if they could.
Anybody serious about URL filtering will use either a proxy or something like the FirePOWER service module.
That said, you can apply the service policy either globally or on a specific interface. As shown in the article example:
service-policy http-traffic interface inside
...would do it for the interface with nameif "inside".
See also the CLI configuration guide reference.
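The per-interface binding described in the answer above, extended to two interfaces with different block lists, as an added example that is not part of the original posts or the referenced article. Apart from the policy name http-traffic and the nameif "inside", every name is hypothetical (a second interface with nameif "guest", the regexes, ACLs, class maps and policy maps), and the hostnames and subnets are constructed.

```cisco
! Added example; constructed hostnames and subnets, hypothetical object names.
regex blocked-inside "\.example\.com"
regex blocked-guest "\.example\.net"
!
! Match the HTTP Host header against each block list
class-map type inspect http match-all inside-blocked-hosts
 match request header host regex blocked-inside
class-map type inspect http match-all guest-blocked-hosts
 match request header host regex blocked-guest
!
! Drop and log matching requests
policy-map type inspect http inside-http-filter
 class inside-blocked-hosts
  drop-connection log
policy-map type inspect http guest-http-filter
 class guest-blocked-hosts
  drop-connection log
!
! ACLs select which clients' HTTP traffic is inspected on each interface
access-list inside-http extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list guest-http extended permit tcp 10.2.2.0 255.255.255.0 any eq www
!
class-map inside-http-class
 match access-list inside-http
class-map guest-http-class
 match access-list guest-http
!
policy-map http-traffic
 class inside-http-class
  inspect http inside-http-filter
policy-map guest-http-traffic
 class guest-http-class
  inspect http guest-http-filter
!
! One service policy per interface; no global binding is used for these rules
service-policy http-traffic interface inside
service-policy guest-http-traffic interface guest
```

Each interface accepts a single service policy, so additional rules for the same interface go in as further classes inside that interface's policy map. This inspection only sees cleartext HTTP, so HTTPS requests to the same hosts are not matched.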
09-09-2015 07:44 AM
Hi Marvin! :D
That is exactly what I was looking for: "I've seen this feature used maybe once in production [...] It's not very robust..."
I'm playing with an ASA v9.x, and while reading about the FQDN feature implemented I came across the article I previously quoted, "ASA URL filtering without a Websense", and I wanted to know how much you can do with it.
Thank you very much for all the help :D
Regards!