- Block Access to Websites with a Cisco ASA Firewall. Although the ASA can provide a simple solution for restricting web access to specific websites, you should know that it is NOT a replacement for a full-featured URL filtering solution. There are a few methods to block access to websites. These methods include regular expressions (regex).
- 'URL Filtering. License: URL Filtering. URL filtering allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs, which is obtained from the Cisco cloud by the ASA FirePOWER module.
On this page, fill out the following:. New password. IP address, mask, and default gateway (if it needs to be changed). Hostname of the FMC. Domain for the FMC. DNS server information. NTP server information or manually set the clock.
Set the timezone. Whether or not to install the updates and rule updates. Upload and apply licenses if using classic licensesClick Apply when done and it should take a little time for this to apply to the FMC.After the configuration has updated, you will be in the FMC GUI. Navigate to DevicesDevice Management and click AddAdd Group.
ASA 5506-X with FirePOWER Services: Access product specifications, documents, downloads, Visio stencils, product images, and community content.
This is an optional step but you can create logical groups here to add your devices to for ease of management and organization. Then click AddAdd Device to add your Firepower module from your ASA using the IP address you just configured. In this window, you would fill out the following:.
Hostname or IP address of the device. Display name of the Device for the FMC. Shared key that you previously used in the when configuring the Firepower module. (Optional) Group.
Access Control Policy - The device needs to have an access control policy assigned to it to be added. If you haven't created one, you can choose New from the drop-down and create one with a base policy of the following: Intrusion Policy (and optionally choose a base policy), Network Discovery or Block all traffic. Then choose the licenses that will be applied to the device including Protection (intrusion detection and prevention, file control, and Security Intelligence filtering), Control (user and application control), Malware (network-based Advanced Malware Protection), URL Filtering (category and reputatio-based URL filtering), and VPN (7000/8000 appliances only.
N/A on ASA with Firepower). There is a optional setting for NAT ID under Advanced Settings. This is a unique key for configuring Firepower devices over the internet that need to go through a NAT. I'm not going to configure this in my lab.Click Register when done and join the device to the FMC for management.
This might take a few minutes while the Access Control Policy is applied. After the device is connected, click on the name of the device in the Device Management. Choose the interface tab and edit the interfaces. Here you can create an 'inside' zone and 'outside' zone corresponding with each interface. This is not necessary but it can help for creating Access Control Policy rules later based on the source and destination zone. These network objects and groups can be used as a foundation to the intrusion policy by adding them to the variable set.
Firepower Whitelist
The variable sets represent commonly used values in the intrusion rules to identify source and destination IP addresses and ports. The HOMENET variable in the variable set is the 'protected' networks. You can create multiple variable sets to apply to separate intrusion policies and the reason you might do this is that you might want one variable set where the HOMENET variable is defined as your inside hosts, another variable set where it's defined as your DMZ hosts and maybe a completely different one where your guest subnets are defined. This way you can have different types of intrusion policies with different IPS rules that are protecting different protected networks.To define a variable set, navigate to ObjectsObject ManagementVariable Set and click on Add Variable Set to create a variable set. The initial configuration of the variable set will be based upon the Default-Set but you can change it to anything you would like. Likewise, you can also modify the default set if you don't see yourself using multiple variable sets in your lab or enterprise.
Click Save and then click Save again to save this variable set.Network Discovery is the policy used to collect host, application ad user data traffic from the network. This information is used to build a comprehensive map of the network assets, performs forensic analysis, behavioral profiling, access control, and mitigate and respond to vulnerabilities. To modify the network discovery policy, navigate to PoliciesNetwork Discovery. Here you can either add a rule or edit the default policy by clicking the pencil. In this case, I'm just going to click the pencil. The default policy does network discovery on any network. This is not ideal for two reasons:1) This means that Firepower will be trying to profile and create a host profile for every IP and host it sees pass through the system including hosts from the internet.2) This is a waste of resources and there is a host limit on any appliance. You don't want to hit that limit because of webpages and other profiled hosts on the internetAfter clicking the pencil icon, I recommend adding your network object groups and I usually like to check the box next to Users to include user discovery.
Click Create and Edit Policy.On the Edit Policy page, there are a few things I'd like to call out. If you click on the Firepower Recommendations on the left. On this page, you can click the button for Generate and Use Recommendations or Generate Recommendations to have Firepower generate recommended rules to be enabled or disabled based on the hosts, applications and protocols that have been discovered through network discovery. This is a good way to have Firepower customize the IPS rules based on the hosts on your network. The settings under here are as follow:. First Time File Analysis - Submit a file for file analysis that the system detects for the first time if the file matches a rule configured to perform a malware cloud lookup and Spero, local malware or dynamic analysis. Allow - Allows the matching traffic to pass through the device.
You can also inspect the traffic using an IPS policy, file policy or both. Monitor - Doesn’t affect traffic flow - only purpose is to log a connection event. Traffic matching this will result in a connection event and traffic will proceed down the rule set, potentially matching another rule or the default action. Block and Block with Reset - Deny traffic without further inspection.
Block simply stops the traffic from passing while Block with Reset resets the connection. Interactive Block and Interactive Block with Reset - Allows users to bypass a website block by clicking through the warning page.There are also several tabs you can use to define your rule. Zones - Used to limit rule to traffic coming into or going out of specific interfaces. Networks - Detail any combination of individual IP addresses, CIDR blocks, and prefix lengths.
Clicking the Geolocation tab reveals available geolocation objects that you can use to define rules. VLAN Tags - Allows you to specify a number from 0 to 4094 to identify a network by VLAN. Users - Specify which users your rule should apply to, with users and groups being retrieved from an Active Directory server. On this access control rule, you can have it populated with the Available Users or AD groups. Applications - Filter based on applications provided by Firepower, user-defined applications and any application filters you created in Objects. Ports - Specify source and/or destination ports for the rule.
Use a previously created one or default port objects. URLs - Allows filtering based on Firepower-provided categories and reputations as well as user-created URL objects. Can also enter a URL in the field at the bottom to make sure the rule matches it. SGT/ISE Attributes - When pxGrid is enabled and ISE integration works, can utilize objects from ISE in the policy like SGT tags. Inspection - How to control how traffic that matches this rule will be inspected - Certain action types will cause this to be greyed out (Trust, Monitor, Block and Block with Reset) since they don’t allow for additional inspection.
Logging - Controls the behavior of connection and file event logging. Will not affect logging for IPS or malware events since these will be logged based on the IPS and file policies. Comments - Add rule comments optionally.For my first rule, I'm just going to create a rule to monitor web traffic and not take any action on it. Next I'm going to click on the Security Intelligence tab. Here is where we can configure policy based on IP, URL, and DNS feeds provided by the Cisco Talos Security Intelligence and Research Group and/or our own custom lists and feeds we create. Anything on these lists can be blocked prior to access control rules so the malicious traffic can be blocked without further inspection or wasting resources if it's going to a known bad actor.There are the following custom feeds that are provided by Cisco.