01-17-2017 07:45 AM - edited 03-12-2019 06:15 AM
01-18-2017 04:45 AM
Can you elaborate the issue you are facing at this point? Are you able to manage the firepower with ASDM at this point?
01-18-2017 10:10 AM
I am able to manage the FirePOWER with ASDM. I have only the Protection and Control license enabled. I am blocking some URLs with FirePOWER services, and then I commit and deploy the changes on the Access Control policy; the task status is completed. But I can still access the blocked URLs from the source networks.
I didn't configure NTP settings on the module, and didn't follow the steps to "send" the traffic through the module (8, 9). Could that be the problem?
01-18-2017 10:16 AM
Yes, actually you will need to redirect traffic in the ASA to the SFR module. SFR will take no action until it sees traffic. It is good if you configure NTP; however, this doesn't seem to be an NTP problem.
01-18-2017 10:21 AM
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html
Please see the section on redirection to the module.
01-18-2017 11:18 AM
ciscoasa# sh runn class-map
!
class-map inspection_default
match default-inspection-traffic
!
ciscoasa# sh runn poli
ciscoasa# sh runn policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
ciscoasa# sh runn servi
ciscoasa# sh runn service-pol
ciscoasa# sh runn service-policy
service-policy global_policy global
ciscoasa#
Thanks I'm going to check the link.
01-18-2017 11:24 AM
Yes, you need to do the required configuration.
01-19-2017 01:09 PM
I redirected the traffic in the ASA to the SFR module. But the URL filter still doesn't work.
iscoasa(config)# show run class-map
!
class-map SFR
match access-list SFR
class-map inspection_default
match default-inspection-traffic
!
ciscoasa(config)# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class SFR
sfr fail-open
!
ciscoasa(config)# show run service-policy
service-policy global_policy global
ciscoasa(config)#
01-31-2017 11:25 PM
Hi,
The configuration is correct for redirecting the traffic to the SFR module.
Protection and Control only provides IPS and application blocking. You need a URL license in order to block specific URLs. Kindly check the Cisco documents about licensing.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html
Thank you and Best Regards!
01-18-2017 09:41 PM
Do the following configuration:
access-list sfr permit ip any any
class-map sfr
match access-list sfr
policy-map global_policy
class sfr
sfr fail-open
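As an added check (example code written here, not from the thread or from Cisco), the script below parses the flat "show run class-map / policy-map / service-policy" output posted in this thread and reports whether traffic is actually redirected to the SFR module. The sample configs are constructed from the outputs above; the access-list referenced by the class-map is not in these outputs, so the check cannot confirm which traffic the ACL matches.

```python
# Constructed sample: the redirect configuration as posted in the thread.
SAMPLE_REDIRECTED = """\
class-map SFR
match access-list SFR
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
class SFR
sfr fail-open
service-policy global_policy global
"""
# Constructed sample: the same config before the redirect was added (default policy only).
SAMPLE_NO_REDIRECT = SAMPLE_REDIRECTED.replace("class SFR\nsfr fail-open\n", "")


def check_sfr_redirect(config):
    """Return findings; an 'error:' entry means the SFR module never sees traffic."""
    class_maps, policy_maps, global_policy = {}, {}, None
    cmap = pmap = pclass = None
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or "#" in line:  # blank, comment, CLI prompt
            continue
        words = line.split()
        if words[0] == "class-map":
            cmap, pmap = words[-1], None
            class_maps[cmap] = []
        elif words[0] == "policy-map":
            pmap, cmap, pclass = words[-1], None, None
            policy_maps[pmap] = {}
        elif words[0] == "service-policy" and words[-1] == "global":
            global_policy = words[1]
        elif pmap and words[0] == "class":          # class inside a policy-map
            pclass = words[1]
            policy_maps[pmap][pclass] = []
        elif pmap and pclass:                       # action lines of that class
            policy_maps[pmap][pclass].append(line)
        elif cmap:                                  # match lines of a class-map
            class_maps[cmap].append(line)
    if global_policy not in policy_maps:
        return ["error: no policy-map is applied with 'service-policy <name> global'"]
    findings = []
    sfr_classes = {c: acts for c, acts in policy_maps[global_policy].items()
                   if any(a.startswith("sfr ") for a in acts)}
    if not sfr_classes:
        findings.append(f"error: policy-map {global_policy} has no class with an 'sfr' action")
    for cls, acts in sfr_classes.items():
        if not any(m.startswith("match ") for m in class_maps.get(cls, [])):
            findings.append(f"error: class-map {cls} is missing or matches no traffic")
        if any(a.startswith("sfr fail-open") for a in acts):
            findings.append(f"warning: class {cls} is fail-open; traffic bypasses inspection if the module is down")
    return findings
```

Run it against your own three show-command outputs pasted into one string; an empty list or only "warning:" entries means the redirect is in place and the remaining problem is elsewhere (for example licensing).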
01-20-2017 08:11 AM
Hi,
I gave up on the FirePOWER services, and I am blocking URLs using FQDN objects, and it is working, but I have problems with facebook.com. I can access the website intermittently, and the users experienced problems with Google add-ons.
access-list ACL-INSIDE; 5 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 1 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 1 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 2 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 2 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 2 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 3 extended permit ip any any (hitcnt=36658) 0x2ed1288c
ciscoasa(config)# sh acc
01-18-2017 10:51 AM
How can I verify if I have a default policy-map applied? Once I redirect the traffic in the ASA to the SFR module, must the ASA FirePOWER configuration take effect? Thanks
01-18-2017 11:08 AM
Send me the output of these commands:
show run class-map
show run policy-map
show run service-policy
Yes, once you apply that, wait for some time so that all existing connections are torn down and then test again.