09-11-2015 05:09 AM - edited 03-11-2019 11:35 PM
Hello !
I'm a network administrator, and I have been looking at how to set up web filtering in a network. We are using Cisco ASA 5505 in many locations as a firewall, and I have been looking for a way to block URLs such as Facebook and streaming websites, since users are allowed to access any website and they have been downloading stuff lately and I can't control the bandwidth!
What do you guys recommend?
Thanks
Deepak Kumar Network Admin
09-12-2015 12:29 PM
Hi,
These are some of the available ways to block websites, using regex for HTTP (not HTTPS):
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html
FQDN ACL:
https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting
Other than that you have to use an external URL filtering server which is the most feasible and recommended way.
Thanks and Regards,
Vibhor Amrodia
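The two on-box options named in the reply above, sketched as an ASA configuration. This is an added example, not part of the original post or of the linked Cisco documents; the object, class and policy names, the `inside`/`outside` interface names and the DNS server address are assumptions.

```cisco
! Added example. All names, interface names and the DNS server
! address (192.0.2.53) are constructed placeholders.
!
! Option 1: regex match on the HTTP Host header.
! Works for clear-text HTTP only; HTTPS requests are not inspected.
regex BLOCK_FACEBOOK "\.facebook\.com"
!
class-map type regex match-any BLOCKED_DOMAINS
 match regex BLOCK_FACEBOOK
!
class-map type inspect http match-all BLOCKED_HOSTS
 match request header host regex class BLOCKED_DOMAINS
!
policy-map type inspect http HTTP_URL_FILTER
 class BLOCKED_HOSTS
  reset log
!
! Send only outbound port-80 traffic from the inside through the filter
access-list INSIDE_HTTP extended permit tcp any any eq www
class-map INSIDE_HTTP_TRAFFIC
 match access-list INSIDE_HTTP
!
policy-map INSIDE_POLICY
 class INSIDE_HTTP_TRAFFIC
  inspect http HTTP_URL_FILTER
service-policy INSIDE_POLICY interface inside
!
! Option 2: FQDN ACL (ASA 8.4(2) or later).
! The ASA resolves the name itself and filters on the resulting IPs,
! so HTTPS is covered too, but only for the exact hostnames listed.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
object network OBJ_FACEBOOK
 fqdn www.facebook.com
!
access-list INSIDE_IN extended deny ip any object OBJ_FACEBOOK
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

After applying, `show service-policy inspect http` and the hit counters in `show access-list INSIDE_IN` confirm whether either rule is matching traffic.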
09-14-2015 12:53 AM
Dear Vibhor,
Thanks for your prompt response,
Kindly suggest an external URL filter server so that we can easily implement it on our sites for URL filtering.
09-14-2015 02:06 AM
Hi,
You could elevate your existing 5505 and use CWS for URL filtering.
You'll just need to upgrade to ASA 9.x though.
See this helpful link:
http://ccnpsecuritywannabe.blogspot.com/2015/09/cisco-cloud-web-security-cws-using-asa.html
09-12-2015 03:49 PM
Hello Deepak
FirePOWER is the solution you need to filter either by category or URL. Unfortunately the ASA 5505 does not support it; it is only for Next Generation Firewalls. But it is not all bad news, because Cisco offers it for deployment in virtual machines too. The FirePOWER module will provide you with statistics per user and host; in addition, you will be able to analyze files looking for malware.
I have just one question: how many locations do you have? And how does the traffic flow toward the internet? I mean, is there a single internet connection per site? Or is everything centralized in one site?
Regards,
Andres Vega
09-14-2015 12:57 AM
Dear Andres,
Kindly note that we are using a single internet connection at every site, so what do you suggest if Firepower does not support ASA 5505?
Kindly suggest the alternate solution for the same.
09-14-2015 07:41 AM
Deepak
Since you haven't centralized your internet connection, it could be a little bit expensive to deploy, because in that case you have to install a virtual FirePOWER per location. The advantage of having a FirePOWER is that you would be able to filter by URL, application, signatures, IP address (manually configured, or by geolocation), etc.
Another option could be to forward the www traffic via VPN to the main location and centralize it in a single virtual FirePOWER.
My point is that there are multiple ways to achieve the deployment and have the best Next Generation IPS nowadays working for you and your company.
Note: For management you have to install a Virtual FireSIGHT Management console or get a physical Defense Center; in whatever option you choose, you have to purchase the license to make it work as you want.
09-17-2015 02:09 AM
Dear Andres,
Thanks for your prompt response,
Please tell me one thing: how to purchase Virtual FirePOWER, and what is the correct model to support my firewall, the Cisco ASA 5505?
Does FirePOWER support web filtering (like a site-blocking option)? Please tell me the installation process.
Regards,
Deepak Kumar
09-17-2015 05:34 AM
Deepak
The only thing you need to purchase is the licenses; the software can be downloaded from the Cisco website.
https://software.cisco.com/download/release.html?mdfid=286259687&catid=268438162&softwareid=286271056&release=SEU&relind=AVAILABLE&rellifecycle=&reltype=latest
https://software.cisco.com/download/release.html?mdfid=286259690&flowid=72310&softwareid=286271056&release=5.3.0.6&relind=AVAILABLE&rellifecycle=&reltype=latest
License Comparison:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118396-technote-firesight-00.html
Virtual Installation Guide:
http://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf?mdfid=282803424
Regards,
Andres
09-22-2015 02:15 AM
Hi Andres,
Thank you for your help, I really appreciate it, but now I am in big trouble with the costing for an optimized web filtering solution. Will the Cisco ASA 5505 with https://software.cisco.com/download/release.html?mdfid=286259687&catid=268438162&softwareid=286271056&release=SEU&relind=AVAILABLE&rellifecycle=&reltype=latest be an optimized solution with regard to cost and hardware, compared to a new firewall with web filtering services?
10-16-2015 05:28 AM
Deepak,
The link you have posted is for Virtual FireSIGHT; it is the management console for FirePOWER modules. Unfortunately your 5505 does not support the FirePOWER module, so you have to think of a different alternative, for example deploying a virtual sensor; maybe that could work for you.
Regards,
Andres