Block HTTPS on ASA (Standard ASA no other features)

#TCN
Level 1

Is it possible to block specific HTTPS URLs on a standard ASA using the "regex" (regular expression)? I believe the customer's ASA is running version 9.x.

I had a look around the regex and it looks like you can only block HTTP and not HTTPS.

 

Thanks

James

2 Accepted Solutions

Dinesh Moudgil
Cisco Employee

Hi James,

HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expressions for HTTPS traffic because, in HTTPS, the content of the packet is encrypted (SSL).

Reference:-
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

ASA (with Sourcefire) will be able to analyze HTTPS traffic and block/allow it based on the policy you configure - HTTPS decryption is coming with the next major version.

You can use Cisco Web Security appliance along with Cisco ASA today to filter HTTP and HTTPS traffic.

4 Replies

Thanks Dinesh - much appreciated.

Regards,

James

The FirePOWER release 6.0.0, which includes SSL-Inspection on the local box, was released two days ago. But as with any X.0.0 version, I would first use it in a test system.