blocking a Particular URL with FirePOWER Services using ASDM on ASA 5506-x

eurixjaneth1
Level 1
Hi guys, I need a clue about this.
I have an ASA 5506-X that is running the following version:
Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)
And the SFR module:
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.0-1005
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
ciscoasa#
I need to configure a URL filter to block some links. I don't have a server to install FireSIGHT on, and I would like to use only ASDM. I am following the steps in the link below (blocking a Particular URL with FirePOWER Services).
But it is not working. I was wondering if something is missing? Thanks for your help.

12 Replies

Pranay Prasoon
Level 3

Can you elaborate on the issue you are facing at this point? Are you able to manage the FirePOWER module with ASDM at this point?

I am able to manage the FirePOWER module with ASDM. I have only the Protection and Control license enabled. I am blocking some URLs with FirePOWER Services and then I commit and deploy the changes to the Access Control policy; the task status is "completed". But I can still access the blocked URLs from the source networks.

I didn't configure NTP settings on the module, and didn't follow the steps to "send" the traffic through the module (steps 8, 9). Could that be the problem?

Yes, actually you will need to redirect traffic in the ASA to the SFR module. SFR will take no action until it sees traffic. It is good if you configure NTP; however, this doesn't seem to be an NTP problem.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html

Please see the section "Redirection to module".

ciscoasa# sh runn class-map
!
class-map inspection_default
match default-inspection-traffic
!
ciscoasa# sh runn poli
ciscoasa# sh runn policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
ciscoasa# sh runn servi
ciscoasa# sh runn service-pol
ciscoasa# sh runn service-policy
service-policy global_policy global
ciscoasa#

Thanks I'm going to check the link.

Yes, you need to do the required configuration.

I redirected the traffic in the ASA to the SFR module. But the URL filter still doesn't work.

ciscoasa(config)# show run class-map
!
class-map SFR
match access-list SFR
class-map inspection_default
match default-inspection-traffic
!
ciscoasa(config)# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class SFR
sfr fail-open
!
ciscoasa(config)# show run service-policy
service-policy global_policy global
ciscoasa(config)#

Hi,

The configuration is correct: you are redirecting the traffic to the SFR module.

Protection and Control only covers IPS and application blocking. You need a URL license in order to block specific URLs. Kindly check the Cisco documents about the licensing.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html

Thank you and Best Regards!

Do the following configuration:

access-list sfr permit ip any any
class-map sfr
   match access-list sfr
policy-map global_policy
  class sfr
     sfr fail-open

Hi,

I gave up on the FirePOWER Services, and I am blocking URLs using FQDN objects. It is working, but I have problems with facebook.com. I can access the website intermittently, and the users experienced problems with Google add-ons.

access-list ACL-INSIDE; 5 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended deny ip any object OBJ-FACEBOOK.COM (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 1 extended deny ip any fqdn facebook.com (resolved) 0xaf2d4651
access-list ACL-INSIDE line 1 extended deny ip any host 31.13.73.36 (facebook.com) (hitcnt=57) 0x10988964
access-list ACL-INSIDE line 2 extended deny ip any object OBJ-YOUTUBE.COM (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 2 extended deny ip any fqdn youtube.com (resolved) 0xa3337447
access-list ACL-INSIDE line 2 extended deny ip any host 216.58.219.78 (youtube.com) (hitcnt=23714) 0x9e8d44e3
access-list ACL-INSIDE line 3 extended permit ip any any (hitcnt=36658) 0x2ed1288c
ciscoasa(config)# sh acc

How can I verify if I have a default policy-map applied? Once I have redirected the traffic in the ASA to the SFR module, should the ASA FirePOWER configuration take effect? Thanks

Send me the output of these commands:

show run class-map

show run policy-map

show run service-policy
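One way to answer the verification question above from those three outputs, as an added example that is not from this thread or from Cisco: a small Python checker that ignores indentation (pasted ASA output often loses it) and reports whether an applied policy-map sends a class to the SFR module, which ACL that class matches, and the failure mode. The sample configuration is constructed.

```python
import re

# Constructed sample of the three outputs requested above, after the SFR
# redirection has been added (indentation as the ASA prints it).
SAMPLE_WITH_SFR = """\
class-map SFR
 match access-list SFR
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class SFR
  sfr fail-open
service-policy global_policy global
"""

def check_sfr_redirect(config):
    """Report whether some applied policy-map sends a class to the SFR module.
    Leading whitespace is stripped, so pasted output with lost indentation works."""
    class_acl, pm_classes, applied = {}, {}, {}
    cmap = pmap = pclass = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"class-map (\S+)$", line):
            cmap, pmap = m.group(1), None
        elif m := re.match(r"match access-list (\S+)", line):
            if cmap: class_acl[cmap] = m.group(1)
        elif m := re.match(r"policy-map (\S+)$", line):   # skips 'policy-map type inspect ...'
            pmap, cmap, pclass = m.group(1), None, None
            pm_classes[pmap] = {}
        elif m := re.match(r"class (\S+)$", line):        # 'class X' inside a policy-map
            if pmap: pclass = m.group(1)
        elif m := re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line):
            if pmap and pclass: pm_classes[pmap][pclass] = m.group(0)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            applied[m.group(1)] = m.group(2)
    # Redirection only takes effect when the policy-map carrying the sfr
    # action is actually applied by a service-policy line.
    for pm, classes in pm_classes.items():
        for cls, action in classes.items():
            return {"redirected": pm in applied, "policy_map": pm, "class": cls,
                    "acl": class_acl.get(cls), "action": action, "applied": applied.get(pm)}
    return {"redirected": False, "policy_map": None, "class": None,
            "acl": None, "action": None, "applied": None}

if __name__ == "__main__":
    print(check_sfr_redirect(SAMPLE_WITH_SFR))
```

Run it against the first `show run` output in this thread (no `class SFR`) and it reports `redirected: False`; against the second output it reports the `SFR` class matching access-list `SFR` with `sfr fail-open`, applied globally.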

Yes. Once you apply that, wait for some time so that all existing connections are torn down, and then test again.
