
URL filtering

Hello community!

I was reading the following article: ASA URL filtering without a Websense and I have additional questions regarding that process.

It is my understanding that the denied website is denied globally thanks to the command service-policy global_policy global, which means that if I have 10 networks on my firewall, the traffic to that website is going to be denied for all of them, right?

I know that the example shows how to apply the rule to a specific host and we can have some flexibility due to the ACL we have to set, but still this is a global setting, right?

Is there a way I can set up this rule on only one interface? What about scalability: can I set multiple rules for different types of traffic?

Thanks!


Accepted Solutions

Marvin Rhoads
Hall of Fame

I've seen this feature used maybe once in production and I've worked on hundreds of ASAs. It's not very robust and most people only ever did it as an experiment to see if they could.

Anybody serious about URL filtering will use either a proxy or something like the FirePOWER service module.

That said, you can apply the service policy either globally or on a specific interface. As shown in the article example:

service-policy http-traffic interface inside

...would do it for the interface with nameif "inside".

See also the CLI configuration guide reference.

View solution in original post
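
The interface-scoped form described in the answer above, as an added example (not taken from the post or from the referenced article). All object names, the subnet and the blocked hostname are constructed placeholders, and the interface is assumed to have nameif "inside".

```cisco
! Constructed names throughout (BLOCKED_HOST_1, HTTP_FILTER, inside-policy, ...).
! The blocked hostname and the subnet are placeholders.
regex BLOCKED_HOST_1 "blocked\.example\.com"
!
! Group one or more regexes into a reusable list
class-map type regex match-any BLOCKED_HOSTS
 match regex BLOCKED_HOST_1
!
! Layer 7 class: HTTP requests whose Host header matches the list
class-map type inspect http match-all BLOCKED_HOSTS_HTTP
 match request header host regex class BLOCKED_HOSTS
!
! Layer 7 policy: reset and log the matching requests
policy-map type inspect http HTTP_FILTER
 parameters
 class BLOCKED_HOSTS_HTTP
  reset log
!
! The ACL decides which flows are inspected at all (one subnet, TCP/80)
access-list INSIDE_HTTP extended permit tcp 192.168.10.0 255.255.255.0 any eq www
!
class-map INSIDE_HTTP_CLASS
 match access-list INSIDE_HTTP
!
policy-map inside-policy
 class INSIDE_HTTP_CLASS
  inspect http HTTP_FILTER
!
! Scope: traffic entering this interface only.
! The global form would be: service-policy <policy-map> global
service-policy inside-policy interface inside
```

An ASA accepts one service policy per interface plus one global policy, so a second interface gets its own policy-map and its own service-policy line. The match here is on the Host header of cleartext HTTP only.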


Hi Marvin! :D

That is exactly what I was looking for: "I've seen this feature used maybe once in production [...] It's not very robust..."

I'm playing with an ASA v9.x and, reading about the FQDN feature implemented, I came across the article I previously quoted, "ASA URL filtering without a Websense", and I wanted to know how much you can do with it.

Thank you very much for all the help :D

Regards!