02-14-2017 08:20 AM - edited 02-21-2020 06:00 AM
Does Cisco FireSIGHT running in ASA mode support using FQDN in an access-list to allow or block access by ports, e.g. SSH?
02-14-2017 07:20 PM
If you have the Firepower URL licence you can definitely block by URL ...
If the ASA software is not too old you can also block by FQDN on the ASA side.
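As an added illustration that is not part of this thread: an ASA-side FQDN access-list that blocks outbound SSH to one hostname. The interface names, the DNS server address and the hostname are assumptions.

```cisco
! The ASA must be able to resolve names itself before FQDN objects work
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! FQDN network object (hypothetical hostname)
object network BLOCKED_SSH_HOST
 fqdn v4 ssh.example.com

! Deny SSH (tcp/22) from any inside host to that name, allow everything else
access-list INSIDE_IN extended deny tcp any object BLOCKED_SSH_HOST eq ssh
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! Verification: resolved addresses and hit counts
show dns
show access-list INSIDE_IN
```

The ASA resolves the FQDN with its own DNS lookups and matches on the cached addresses, so a client that resolves the name to a different address (load-balanced or CDN hosts) will not hit the rule.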
02-16-2017 11:54 AM
FTD runs in ASA and Firepower mode at the same time. There is no separate mode of operation.
You can add URL based rules. Or you can add application (like SSH) or you can add ports.
02-22-2017 02:13 AM
I have done it, man, all of them! Still doesn't work :( Unfortunately I don't have a license for opening a TAC case; what do you recommend me to do?
02-22-2017 02:28 AM
> Actually I don't use FTD, I am using version 6.2 Firepower and my sensor is 5525
Are you using 6.2 as SFR module in ASA? Do you have connection events on the FMC?
I don't really understand your setup. Also, if you don't run FTD (which has a 90-day trial of URL licensing) and you don't have a URL license, what you are trying to achieve will not work.
02-22-2017 02:58 AM
I am using Firepower, not FTD. I have a proper 90-day license for this feature, that's why it should work, man.
02-22-2017 03:01 AM
FTD means Firepower Threat Defense.
Attach a screenshot of your Access Control Policy.
02-22-2017 03:03 AM
Also, a screenshot of the System -> Integration page, where the URL filtering configuration is shown.
02-22-2017 03:26 AM
02-22-2017 04:08 AM
Have an endpoint you can troubleshoot from (used to try to access one of the destinations in those categories). It is recommended that the endpoint not generate too much other traffic.
Open an SSH connection to the FTD's management IP. From the CLI, run:
system support firewall-engine-debug
Provide the filtering info, like this:
Please specify an IP protocol: tcp
Please specify a client IP address: your_endpoint_IP_address
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Now, while it runs, access one of the websites. Stop the debug with CTRL+C. Grab the output and add it here.
02-22-2017 03:25 AM
02-22-2017 03:47 AM
You're doing it wrong. The URL categories should be configured on the URLs tab of the ACP rule, not on the Applications.
Please check the documentation for further information:
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Rules__URL_Filtering.html#ID-2189-000001c1
02-22-2017 03:55 AM
02-21-2017 11:32 PM
Hi Philip,
Although Firepower has this ability (at least they insist), they cannot block the majority of porn sites. I am totally fed up with these small issues, which have made me crazy; all of them fall into the uncategorized category, which they actually should not. I know that Checkpoint or Palo Alto have URL report web pages where you can request a change to a specific site's category.
02-22-2017 12:50 AM
They block. Maybe there's something wrong on your setup. Or there could be other configuration issues.