Block TLD’s (Top level domains)

Hi all,


We are trying to block TLD’s (Top level domains) within the FTD’s / FMC. For example, we wish to block TLD’s that can pose threats such as RU, plus a few others. Currently, we have a rule built in the “Security Intelligence” to attempt to block these TLD’s, but it doesn’t work. We adjusted the Object group (txt file) to try to make it block “RU”. Regardless of which way it was added, e.g. .RU or *RU or just RU, all failed and allowed the traffic to pass.

Is it possible for the FTD’s to even do this? Should such a rule be added to the Access Control Policy, and not use the Security Intelligence?

 

Thanks

13 Replies

FredrikW73
Level 1

The Access Control Policy works with IP addresses (single, range or subnet) and FQDNs. I don't think it is possible to build policies from wildcarded addresses or names. A block based on wildcarded names/domains can be done in a surf proxy like the WSA.

Best option in FTD would be to block destination/source based on GeoLocation. You can block traffic to/from GeoLocation RUS as an example.

hiddenuser
Level 1

The limitation with Geolocation block is that this uses the IP address of the web server host. In 2022-23, attackers are using legitimate services like Cloudflare to host phishing credential harvesting, but on sites that use .RU TLD. This is a common tactic. 

Cisco needs to provide guidance on how to block TLD's as other services like Zscaler now offer a specific feature for just such a purpose.

Create an incoming content filter with one action, drop.
Create a mail policy, at the top, with nothing enabled, except the one content filter. In that mail policy, add the senders for the TLDs you want as @.tld, so @.ru, @.cn, etc.
A separate policy will mean this mail that you’re going to drop incurs no extra scanning load for domains that you’re just going to dump. You could do it with a message filter, and a dictionary, but this makes it “visible” in the gui.


Hi Ken,

This post is regarding the FTD/FMC, not the ESA. You are correct that it is very easy to block TLD's on the ESA.

I use this regex on the ESA which works great.

[^@]+@[^@]+\.id$

Heheh! Oooops, sorry!!!

kleemisch
Level 1

Has anyone found a way to block these domains in ftd/fmc? Specifically .zip domains?

Yes, attach a DNS policy to the ACP and configure a rule using a custom DNS list by adding *.zip and *.mov to a new line in a .txt file and uploading it as a new object.

Will that work? Because I am sure the FMC will not support wildcards.

Look here - Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 7.0 - Objects [Cisco Secure Firewall Threat Defense] - Cisco, under "Configuring Network Objects and Groups".

I should add that, it will also depend on where your DNS sits. DNS may not be done by the Cisco FTD's.

FMC may not support wildcards in address objects but it does support wildcards in Security Intelligence lists.

Study the section about "Custom Security Intelligence Lists and Feeds" in the config guide.

I will try this tomorrow in my lab setup.

Yeah as you suggested. It works with Security Intelligence's DNS policy using a custom DNS list. Just set this up for .zip and .mov.

Doesn't seem to work for me...

Are you doing DNS for the network on FTD or another device? What is the FMC/FTD software version?

DNS servers are Windows servers and the traffic is passing through the FTDs but DMZ servers resolving from the Internet are also working fine. Version 7.0.5 for both.

You need to make sure the correct ACP is applied to the FTDs with security intelligence DNS policy configured. Also the DNS traffic must go through the FTDs.

I tested the suggestion to add a block via security intelligence, using custom DNS list, in our lab setup (blocked *.ru).

The block works perfectly. I have tried a similar config using a custom URL list previously but that did not work.
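To illustrate why the "*.zip" / "*.ru" form of a custom DNS list entry works while ".RU", "*RU" and bare "RU" do not, here is an added example (not Cisco code, and not from any poster) that parses a list in that one-entry-per-line format and checks constructed DNS query log lines against it. The suffix-match semantics, the "#" comment handling and the log line format are assumptions for illustration, not a description of how FMC itself evaluates the list.

```python
import re

# Constructed sample custom DNS list (one entry per line), not a real upload.
SAMPLE_LIST = """\
*.zip
*.mov
*.ru
# comment lines and blank lines are ignored by this parser (assumption)
badexample.test
"""

# Constructed sample DNS query log lines; not real FTD output.
SAMPLE_QUERIES = [
    "client=10.1.1.5 qname=update.example.zip",
    "client=10.1.1.6 qname=mail.corp.example",
    "client=10.1.1.7 qname=cdn.phish.ru",
    "client=10.1.1.8 qname=badexample.test",
    "client=10.1.1.9 qname=notruly.com",
]

WILDCARD = re.compile(r"^\*\.([a-z0-9-]+(?:\.[a-z0-9-]+)*)$")   # *.tld or *.domain.tld
EXACT = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")             # plain FQDN

def parse_dns_list(text):
    """Return (wildcard suffixes, exact names, rejected entries)."""
    suffixes, exact, rejected = [], set(), []
    for raw in text.splitlines():
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        m = WILDCARD.match(entry)
        if m:
            suffixes.append(m.group(1))
        elif EXACT.match(entry):
            exact.add(entry)
        else:
            rejected.append(entry)   # e.g. ".ru", "*ru", "ru" as tried in the original post

    return suffixes, exact, rejected

def is_blocked(qname, suffixes, exact):
    """Match on whole labels, so *.ru hits cdn.phish.ru but not notruly.com."""
    name = qname.strip().lower().rstrip(".")
    if name in exact:
        return True
    labels = name.split(".")
    return any(labels[-len(s.split(".")):] == s.split(".") for s in suffixes)

def evaluate(log_lines, list_text):
    """Return the query names from the log that the list would block."""
    suffixes, exact, _ = parse_dns_list(list_text)
    blocked = []
    for line in log_lines:
        m = re.search(r"qname=(\S+)", line)
        if m and is_blocked(m.group(1), suffixes, exact):
            blocked.append(m.group(1))
    return blocked
```

Running evaluate(SAMPLE_QUERIES, SAMPLE_LIST) reports update.example.zip, cdn.phish.ru and badexample.test as blocked, and parse_dns_list rejects the ".RU" / "*RU" / "RU" spellings so a malformed list can be caught before it is uploaded.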