Frequent Contributor

ASA Firepower block browsers

Hi guys,

 

Does anyone know if it's possible to block all browsers but one (let's say Chrome) using Firepower?

So, in old-style firewall rule terms:

 Rule no. 1 - allow browser Chrome

 Rule no. 2 - deny any other browser

 

I found a hint (tracking the User-Agent string) in this document about the Cloud Security service, but I don't have that service/appliance.

 

Thanks,

Florin.

 

RJI (VIP Advocate)

Re: ASA Firepower block browsers

Hi,
Using FTD and FMC 6.2.3 I've permitted internet access only from a specific browser. In the ACP rule you'd select the application (Chrome, Firefox, etc.) and then permit/deny as required. You obviously need the correct licensing.

HTH
Frequent Contributor

Re: ASA Firepower block browsers

Hello RJI,

 

Thanks for the input! Indeed I could find Chrome on the listed apps.

[Screenshot: Allow Chrome.PNG]

 

I have two questions:

1. Where should I add this: Mandatory or Default rules?

2. After I add it, is there such a thing as an implicit deny? Currently I have no other rule, so I don't want to risk adding one rule and then dropping everything else.

 

Thanks,

Florin.

RJI (VIP Advocate)

Re: ASA Firepower block browsers

Hi,
I'd place it in Mandatory; these are applied first, before the Default rules.
You have a Default Action at the bottom of the ACP; from there you can select the default action of Block/Trust/Network Discovery, etc.
HTH
Frequent Contributor

Re: ASA Firepower block browsers

Nice, we are getting there!
Now let's dig into the next step:
1. As the default action at the bottom I have a profile named "IPS profile". This means adding just ONE rule in the Mandatory section plays safe with regard to the overall traffic flow?
2. I looked over the web browser category; there are 49 listed today, but there's no trace of the one I need to block, let's call it no. 50. Do you think that if I just add a 2nd rule to block any other web browser it would work for me? If not, could a TAC case with Cisco give me the signature to block "no. 50"?

Thanks,
Florin.
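The two open questions in the thread (does a single Allow rule in Mandatory silently drop everything else, and does a "block any other web browser" rule catch a browser the application list does not know) can be reasoned about with a small model of the evaluation order RJI describes: Mandatory rules, then Default rules, then the policy's Default Action. The model below is an added example and is not code from this thread, from Cisco, or from Firepower; it classifies a flow from its HTTP User-Agent header with constructed regular expressions (not Firepower's application detectors), and the rule names, policies and User-Agent strings are all constructed for the example. Two caveats a practitioner would keep in mind: the User-Agent is client-controlled and trivially spoofed, and it is only visible on cleartext HTTP or on TLS that the sensor decrypts.

```python
"""Toy model of ordered access-control evaluation plus browser classification.

Added example, not code from the Cisco Community thread or from Cisco.
Assumptions (constructed for the example): the rule names, the two policies,
the User-Agent samples, and the regex-based classifier that stands in for
real application detection.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Order matters: Edge and Opera embed "Chrome/", and every Chromium-based
# browser embeds "Safari/", so the most specific token must be tested first.
_BROWSER_PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A|iOS)?/")),
    ("Opera", re.compile(r"\bOPR/")),
    ("Chrome", re.compile(r"\bChrome/")),
    ("Firefox", re.compile(r"\bFirefox/")),
    ("Safari", re.compile(r"\bVersion/[\d.]+.*\bSafari/")),
]


def classify_browser(user_agent: str) -> Optional[str]:
    """Return the browser name, or None when no known signature matches."""
    for name, pattern in _BROWSER_PATTERNS:
        if pattern.search(user_agent):
            return name
    return None


@dataclass
class Rule:
    name: str
    action: str                                  # "ALLOW" or "BLOCK"
    apps: set = field(default_factory=set)       # empty set = any application
    category: Optional[str] = None               # "web browser" or None = any

    def matches(self, app: Optional[str]) -> bool:
        if self.apps and app not in self.apps:
            return False
        # A category rule only hits flows the classifier recognised as a browser.
        if self.category == "web browser" and app is None:
            return False
        return True


@dataclass
class AccessControlPolicy:
    mandatory: list
    default: list
    default_action: str   # constructed: "ALLOW" models an intrusion-policy
                          # default action, which inspects rather than drops

    def evaluate(self, user_agent: str) -> tuple:
        """First matching rule wins; Mandatory is walked before Default."""
        app = classify_browser(user_agent)
        for rule in self.mandatory + self.default:
            if rule.matches(app):
                return rule.name, rule.action
        return "Default Action", self.default_action


# Constructed sample User-Agent strings.
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
UA_EDGE = UA_CHROME + " Edg/120.0.0.0"
UA_FIREFOX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) "
              "Gecko/20100101 Firefox/121.0")
UA_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.1 Safari/605.1.15")
UA_UNKNOWN = "NewBrowser/1.0"   # the "no. 50" case: no signature for it

ALLOW_CHROME = Rule("Allow Chrome", "ALLOW", apps={"Chrome"})
BLOCK_OTHER_BROWSERS = Rule("Block other browsers", "BLOCK", category="web browser")

# Question 1: one Allow rule in Mandatory, default action = IPS inspection.
ONE_RULE_POLICY = AccessControlPolicy([ALLOW_CHROME], [], "ALLOW")
# Question 2: add a category block rule after it.
TWO_RULE_POLICY = AccessControlPolicy([ALLOW_CHROME, BLOCK_OTHER_BROWSERS], [], "ALLOW")

if __name__ == "__main__":
    for ua in (UA_CHROME, UA_EDGE, UA_FIREFOX, UA_SAFARI, UA_UNKNOWN):
        print(classify_browser(ua), ONE_RULE_POLICY.evaluate(ua), TWO_RULE_POLICY.evaluate(ua))
```

Running it shows the two behaviours the thread is asking about: with only "Allow Chrome" in place, Firefox does not hit any rule and falls through to the Default Action, so nothing is implicitly denied; with the category block added, Firefox is blocked, but the unrecognised browser still reaches the Default Action because a "block web browsers" rule can only match what the classifier identifies as a browser. It also shows why the Edge string must be tested before Chrome: an Edge User-Agent would otherwise be allowed as Chrome.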