ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov
Level 1

I'm working on an ASA 5516-X with FirePower Services. 

Unfortunately we don't have a budget for FMC, so the management of the FirePower modules is done via ASDM. But anyhow, we managed to get it working. 

Now the task is to configure a URL filtering policy on the FirePower Module. We have been successful in importing all 4 licenses and updating the Geolocation and IPS databases. So far so good. 

But still, I'm not able to get the URL filtering going... It seems like nothing is matched and the traffic just passes through...

Here are the specs:

ASA software version 9.8(2)20

The FirePower module looks fine:

ciscoasa/act/pri# show module sfr details
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5516
Hardware version: N/A
Serial Number: JAD21240FR4
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 7070.8b67.d51b to 7070.8b67.d51b
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 10.11.12.202
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.11.12.254
Mgmt web ports: 443
Mgmt TLS enabled: true


Now, here's what we have configured. 

1. First configure a URL filtering policy on the FirePower module. Check in the attached file.

2. Then an ACL was created to match traffic from one particular source IP we're testing the policies with. This is attached to a class map and added to the default global_policy:

access-list FP_REDIRECT extended permit ip host 10.15.16.11 any
!
class-map sfr
 match access-list FP_REDIRECT
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class sfr
  sfr fail-open
!

3. I also see hits when I check the sfr policy:

ciscoasa/act/pri# show service-policy sfr

Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 486, packet output 486, drop 0, reset-drop 0

So, it should mean that whenever we generate traffic from the source we're matching, it should get redirected to the FirePower module, where there's a URL filtering policy. 

But it does not work! 

It does not work even if I put a static URL object... 

So I cannot understand why this happens? 

How can I further troubleshoot and make sure:

1. Traffic is properly redirected to the FirePower module

2. The URL filtering policy is properly matched

Any hint or idea is appreciated!
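The two questions at the end of the post (is traffic reaching the module, and is the module applying a verdict) can be separated with the ASA's own counters: take `show service-policy sfr` before and after generating test traffic from the matched host, and compare `packet input` against `drop` / `reset-drop`. The script below is an added example, not part of the original post or of any Cisco tool. It parses the `show module sfr details` and `show service-policy sfr` output shown above (plus a second, constructed counter snapshot) and reports which stage is failing. It assumes, as the counter names suggest, that a block verdict from the module shows up on the ASA as an increment of `drop` or `reset-drop`; if the input counter rises but those stay flat, the redirect itself is working and the problem lies in the module's access control policy or URL database, which has to be checked from ASDM.

```python
"""Offline triage of ASA -> FirePOWER (sfr) redirection from CLI output.

Added example; the counter semantics described in the comments are an
assumption drawn from the counter names, not a documented Cisco contract.
"""
import re

# Output from the post, trimmed to the fields this script looks at.
MODULE_DETAILS = """Card Type: FirePOWER Services Software Module
Model: ASA5516
Software version: 6.2.0-362
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
Data Plane Status: Up
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 10.11.12.202
"""

# Counter snapshot from the post (before generating test traffic).
SERVICE_POLICY_BEFORE = """Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 486, packet output 486, drop 0, reset-drop 0
"""

# Constructed snapshot: what the post's symptom would look like after
# browsing a URL that the policy should block from 10.15.16.11.
SERVICE_POLICY_AFTER = """Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 612, packet output 612, drop 0, reset-drop 0
"""

COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")
STATUS_RE = re.compile(r"SFR: card status (\S+), mode (\S+)")


def parse_module_details(text):
    """Turn 'Key: value' lines of 'show module sfr details' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_sfr_counters(text):
    """Extract card status, mode and the four packet counters for class sfr."""
    status = STATUS_RE.search(text)
    counters = COUNTER_RE.search(text)
    if not status or not counters:
        raise ValueError("no sfr class counters found; is global_policy applied?")
    return {
        "status": status.group(1), "mode": status.group(2),
        "input": int(counters.group(1)), "output": int(counters.group(2)),
        "drop": int(counters.group(3)), "reset_drop": int(counters.group(4)),
    }


def diagnose(details, before, after):
    """Return a list of findings ordered from the ASA side to the module side."""
    findings = []
    if details.get("App. Status") != "Up" or details.get("Data Plane Status") != "Up":
        # With 'sfr fail-open' a down module means traffic is simply passed.
        findings.append("module not Up: fail-open passes traffic uninspected")
    if details.get("DC addr", "").startswith("No DC"):
        findings.append("info: no FMC, policy must be deployed and verified via ASDM")
    delta_in = after["input"] - before["input"]
    if delta_in <= 0:
        findings.append("no new packets redirected: test traffic does not match the class-map ACL")
        return findings
    findings.append(f"{delta_in} packets redirected to the module")
    blocked = (after["drop"] - before["drop"]) + (after["reset_drop"] - before["reset_drop"])
    if blocked == 0:
        # Redirect works; the module returned every packet without a block verdict.
        findings.append("module returned everything: check access control policy and URL DB on the module")
    else:
        findings.append(f"{blocked} packets dropped/reset by the module: policy is matching")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_module_details(MODULE_DETAILS),
                         parse_sfr_counters(SERVICE_POLICY_BEFORE),
                         parse_sfr_counters(SERVICE_POLICY_AFTER)):
        print(line)
```

In practice, paste the two `show service-policy sfr` captures into the `BEFORE`/`AFTER` strings (or pipe them in); if the verdict is "module returned everything", the ASA is no longer the place to look, and the connection events and the access control policy's default action in ASDM's FirePOWER tabs are the next stop.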
