Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
0
Helpful
4
Replies

Using ftd to block subdomains on the internet.

tryingtofixit
Level 1
Level 1

‎03-07-2025 09:50 AM

I need to lock javada1.oracle.com, javadl-esd-secure.oracle.com, java.com and java.net.

Can I do this using a FQDN object and a deny access rule?  What is the process for blocking subdomains with the ftd? 

0 Helpful
4 Replies 4

nspasov
Cisco Employee
Cisco Employee

‎03-07-2025 10:51 AM - edited ‎03-07-2025 10:51 AM

Yes, you can use FQDN objects to do this. You will need an object for each FQDN that you want to block: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/objects-object-mgmt.html?bookSearch=true

You can use FQDN objects in access control rules and prefilter rules, or manual NAT rules, only. 
The rules match the IP address obtained for the FQDN through a DNS lookup. 
To use an FQDN network object, ensure you have configured the DNS server settings in DNS Server Group
and the DNS platform settings in DNS.

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

tryingtofixit
Level 1
Level 1
In response to nspasov

‎03-07-2025 12:12 PM

thanks for the link. I have it configured as a fqdn object in block access rule. dns is enabled and working on the fmc to the ftd.  nothing gets blocked. got any troubleshooting links ? 

 

0 Helpful

tryingtofixit
Level 1
Level 1

‎03-07-2025 01:38 PM - edited ‎03-07-2025 02:05 PM

how can I tell fmc/ftd DNS resolution is working? It is configured on FMC. but DNS is NOT resolving for FQDN's or URL's. I can ssh into the cli on the ftd and ping internal and external by name. 

0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎03-07-2025 03:10 PM

Can you confirm the following:

  1. You have DNS objects configured: Object -> Object Management -> DNS Server Group
  2. DNS is configured on FTD: Devices -> Platform Settings -> DNS:
    1. Enable DNS name resolution by device
    2. DNS Server Groups contains the DNS object from above
    3. The correct interface objects are selected for DNS resolution
  3. Post the output from the following commands in the FTD cli: system support diagnostic-cli -> enable:
    1. show run dns
    2. ping www.cisco.com
    3. Extended ping: ping -> TCP Ping [n] -> Interface [Desired interface] -> Target IP address [www.google.com] > Repeat count [5] -> Datagram size [100] -> Timeout in seconds [2] -> Extended commands [n] -> Sweep range of size [n]

Thank you for rating helpful posts!

 

 

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card