User cannot resolve DNS for websites on Firepower

AFAWZY
Level 1

I was trying to allow an IP to reach only a specific URL and a specific application with the same ACP rule, but traffic could not match this rule.

For example: URL --> amazon.com, application --> whatsapp.

So I tried to create a separate rule for the URL and another for the application, and below them a (block any) rule to block any traffic except the traffic going to this URL and application.

1- The rule order was: 1- allow (URL) rule, 2- allow (application) rule, 3- block (another URL) for testing, and everything was working correctly.

2- But when I replaced the (another URL) rule with the (block any) rule, FTD blocked every DNS resolution (all the traffic was matching the (block any) rule). The 3 rules were the first 3 rules in the ACP policy.

3- I added DNS, HTTP, HTTPS as applications to the two allow policies; then everything was allowed and matched the first rule.

1- How can I allow only the URL and app while blocking everything else the right way?

2- What should I change to make it work correctly?

3- Is it possible to combine URL filtering and application filtering in the same rule?

3 Replies

betliu
Cisco Employee

If you want to create an Access Control Policy (ACP) rule in Cisco Firepower Threat Defense (FTD) to allow traffic to a specific URL (e.g., amazon.com) and a specific application (e.g., WhatsApp) while blocking all other traffic, here's how you can achieve this:

Create Two Separate Rules:

Rule 1: Allow the specific URL (amazon.com)
Rule 2: Allow the specific Application (WhatsApp)

Create a "Block All" Rule:
Create a rule that blocks all traffic. This rule should be placed below the two allow rules.

 

Question 1. How can I allow only the URL and app while blocking everything else the right way?

Answer: The approach you mentioned, creating separate rules to allow the specific URL and application and then a "Block All" rule, is the right way to achieve your goal. The "Block All" rule should be the last rule in the ACP. Ensure that the "Block All" rule has more specific criteria for blocking all traffic (e.g., source/destination any, any, any, any), so that it matches only when traffic does not match the preceding allow rules.

Question2. What should I change to make it work correctly?

Answer: To make it work correctly, follow these steps:

Configure the "Block All" rule to match traffic that should be blocked more specifically.
Ensure the "Block All" rule is the last rule in the ACP.

Question3. Is it possible to combine URL filtering and application filtering in the same rule?

Answer: Yes, it's possible to combine URL filtering and application filtering in the same rule. In fact, this can be a powerful way to control traffic. You can create a rule that matches both URL and application characteristics:

Create a rule where the "Application" field matches WhatsApp.
In the same rule, configure the "URL" field to match amazon.com.
But please note that in this way, traffic will only match the rule if it is both going to amazon.com and using the WhatsApp application. Make sure the rule order is correct, with this rule placed above the "Block All" rule.

 

Hope this information is helpful for you.
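As an added illustration for this thread (not code from the thread or from Cisco), a simplified first-match model of the three-rule policy: a DNS query carries no URL and is not the WhatsApp application, so with only URL and application allow rules above it, the block-any rule catches name resolution, while a single rule carrying both a URL and an application condition matches only flows that satisfy both. The model assumes an implicit block when no rule matches and ignores how FTD identifies applications and URLs over the first packets of a connection.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    app: str          # identified application, e.g. "DNS", "HTTPS", "WhatsApp"
    url: str = ""     # empty when the flow carries no URL (DNS, plain UDP, ...)

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    apps: set = field(default_factory=set)        # empty = any application
    urls: set = field(default_factory=set)        # empty = any URL

    def matches(self, flow: Flow) -> bool:
        # Every condition set on the rule must hold (AND), as the reply above notes.
        app_ok = not self.apps or flow.app in self.apps
        url_ok = not self.urls or flow.url in self.urls
        return app_ok and url_ok

def evaluate(policy: list, flow: Flow) -> tuple:
    """First-match evaluation: return (rule name, action) of the first hit."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", "block"   # assumed default action when nothing matches

# Constructed sample flows: a DNS query, an HTTPS request to amazon.com, WhatsApp.
DNS_QUERY = Flow(app="DNS")
AMAZON_HTTPS = Flow(app="HTTPS", url="amazon.com")
WHATSAPP = Flow(app="WhatsApp")

# The OP's step 2: URL allow, application allow, then block any.
POLICY_BLOCK_ANY = [
    Rule("allow-url", "allow", urls={"amazon.com"}),
    Rule("allow-app", "allow", apps={"WhatsApp"}),
    Rule("block-any", "block"),
]
# Modeled fix: an explicit DNS allow above block-any keeps name resolution working.
POLICY_WITH_DNS = [
    Rule("allow-dns", "allow", apps={"DNS"}),
    *POLICY_BLOCK_ANY,
]
# One rule with both a URL and an application condition (answer to question 3).
POLICY_COMBINED = [
    Rule("allow-url-and-app", "allow", urls={"amazon.com"}, apps={"WhatsApp"}),
    Rule("block-any", "block"),
]
```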

AFAWZY
Level 1

Thank you Betliu for your explanation. I already solved it with separate rules; that's why I did not check my account and the replies.

betliu
Cisco Employee

Great, I'm glad to hear that you already solved it.
