Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
687
Views
0
Helpful
3
Replies

Which product can chase internal user access internet web site?

Go to solution
cwhlaw2009
Level 1
Level 1

‎08-19-2016 04:18 AM - edited ‎02-21-2020 05:54 AM

Dear All,

My client is using ASA 5512, they want to check and record their internal users (Employees) accessed what web site (HTTP, HTTPS, FTP etc.).

I haven't any idea which cisco product or other can do this.

THX

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-19-2016 06:11 PM

The FirePOWER module on the ASA 5512-X, when licensed and configured with proper policy, can do this.

The ASA 5512-X by itself cannot.

If you can share "show inventory" and "show module" we can get some clue about the appliance's readiness and ability to run the module. We would be looking for the required SSD and installed sfr module type.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cwhlaw2009

‎08-21-2016 06:25 PM

FirePOWER can easily restrict access to websites by category - whether they are http or https. You need only the URL Filtering license for that.

If you want to DECRYPT and inspect https traffic and make decisions based on things like micro applications (e.g allow Facebook posting but prohibit Facebook games) then you need to do a lot more. The FirePOWER module can do it, but you need an enterprise PKI that can issue a certificate that the clients trust and can act as a man-in-the-middle. It also takes a lot more processing power. As a result, your throughput can go WAY down. It is not something you would want to do an a 5512-X platform unless a throughput of about 20 Mbps was acceptable. 

However, that limitation is shared by all web filtering services or appliances.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-19-2016 06:11 PM

The FirePOWER module on the ASA 5512-X, when licensed and configured with proper policy, can do this.

The ASA 5512-X by itself cannot.

If you can share "show inventory" and "show module" we can get some clue about the appliance's readiness and ability to run the module. We would be looking for the required SSD and installed sfr module type.

0 Helpful

Go to solution
cwhlaw2009
Level 1
Level 1
In response to Marvin Rhoads

‎08-21-2016 05:44 PM

One more question, client said they want to filter web site such as HTTPS 

After using FirepOWER, do they need buy websense or smartfilter? or FirePower only can filter HTTPS, http etc website?

THx

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cwhlaw2009

‎08-21-2016 06:25 PM

FirePOWER can easily restrict access to websites by category - whether they are http or https. You need only the URL Filtering license for that.

If you want to DECRYPT and inspect https traffic and make decisions based on things like micro applications (e.g allow Facebook posting but prohibit Facebook games) then you need to do a lot more. The FirePOWER module can do it, but you need an enterprise PKI that can issue a certificate that the clients trust and can act as a man-in-the-middle. It also takes a lot more processing power. As a result, your throughput can go WAY down. It is not something you would want to do an a 5512-X platform unless a throughput of about 20 Mbps was acceptable. 

However, that limitation is shared by all web filtering services or appliances.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card