
Blocking FB using ASA

network_user
Level 1

Hello,

 

Is it possible to block Facebook (HTTP and HTTPS) using an ASA firewall (without CSC)? I know that HTTP can be blocked by blocking traffic going out to FB addresses, but what about HTTPS?

 

Thank you.

 

 

8 Replies

turbo_engine26
Level 4

I know this is not the answer that you're looking for, but it is better to use a dedicated, cheap web filtering solution. Although you can block HTTP destinations by address in a firewall, it is not flexible enough. Whenever a new address for that destination comes into life, you must manually add it to your blocking list. And whenever an old address for that destination dies, you must manually remove it from your blocking list. The result is "headache".

On the other hand, you only need a single check box beside the "Social Networking" category in the web filter.

My personal experience is to avoid firewalls when it comes to blocking "web sites" because they are a headache in that matter.

Just my 2 cents.

kevin_giusti
Level 1

It's a REALLY crappy/non-scalable solution but you could do something like this using DNS names and ACLs.

 

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2

object network www.pandora.com
 fqdn www.pandora.com
object network www.netflix.com
 fqdn www.netflix.com

object-group network Blocked-Websites
 network-object object www.pandora.com
 network-object object www.netflix.com

! create DHCP reservations or set static IPs for users/servers that will not be filtered.
object-group network Unfiltered-Users
 network-object host 192.168.10.5
 network-object host 192.168.10.6

access-list inside extended permit ip object-group Unfiltered-Users any
access-list inside extended deny ip any object-group Blocked-Websites
access-list inside extended permit ip any any

access-group inside in interface inside
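The address-based approach in the config above, and the upkeep it implies, can be scripted. The following Python is an added example written for this thread, not Kevin's config or Cisco code: it resolves each name through a constructed resolver stub (a real run would substitute socket.getaddrinfo), renders one ASA host object per resolved address together with the same object-group and ACL layout used in the post, and reports which addresses appeared or vanished between two resolutions, which is exactly the list an admin would otherwise maintain by hand. Every name and address in it is invented. Because the ACL denies all IP traffic to those addresses rather than only port 80, HTTPS to them is blocked as well, which is what the original question asked about.

```python
"""Render an address-based ASA block list from DNS answers and report drift.

Added example for the thread; all names and addresses are constructed.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed stand-in for live DNS answers (RFC 5737 documentation ranges).
# A real run would replace sample_resolve() with socket.getaddrinfo().
SAMPLE_DNS: Dict[str, List[str]] = {
    "www.pandora.com": ["192.0.2.10", "192.0.2.11"],
    "www.netflix.com": ["198.51.100.7"],
}


def sample_resolve(name: str) -> List[str]:
    """Resolver stub: return the constructed answers, or nothing if unknown."""
    return list(SAMPLE_DNS.get(name, []))


def resolve_blocklist(domains: Iterable[str],
                      resolve: Callable[[str], List[str]] = sample_resolve
                      ) -> Dict[str, Set[str]]:
    """Map each domain to the set of addresses it resolves to right now."""
    return {d: set(resolve(d)) for d in domains}


def asa_config(blocked: Dict[str, Set[str]], unfiltered_hosts: Iterable[str]) -> str:
    """Render ASA host objects, both object-groups and the inside ACL.

    One 'object network <domain>-<n>' per resolved address, so the generated
    config mirrors what the thread describes doing by hand.
    """
    out: List[str] = []
    members: List[str] = []
    for domain in sorted(blocked):
        addrs = sorted(blocked[domain], key=ipaddress.ip_address)
        for i, ip in enumerate(addrs, 1):
            name = f"{domain}-{i}"
            out += [f"object network {name}", f" host {ip}"]
            members.append(name)
    out.append("object-group network Blocked-Websites")
    out += [f" network-object object {m}" for m in members]
    out.append("object-group network Unfiltered-Users")
    out += [f" network-object host {h}" for h in unfiltered_hosts]
    # Same ACL shape as the post: exempt the unfiltered hosts first, then deny
    # every IP protocol (so HTTPS too) to the blocked addresses, then permit.
    out += [
        "access-list inside extended permit ip object-group Unfiltered-Users any",
        "access-list inside extended deny ip any object-group Blocked-Websites",
        "access-list inside extended permit ip any any",
        "access-group inside in interface inside",
    ]
    return "\n".join(out)


def blocklist_drift(old: Dict[str, Set[str]],
                    new: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (addresses that appeared, addresses that vanished) between runs."""
    old_ips: Set[str] = set().union(*old.values())
    new_ips: Set[str] = set().union(*new.values())
    return new_ips - old_ips, old_ips - new_ips


if __name__ == "__main__":
    current = resolve_blocklist(["www.pandora.com", "www.netflix.com"])
    print(asa_config(current, ["192.168.10.5", "192.168.10.6"]))
    # Simulate a later resolution where one pandora address was replaced.
    later = dict(current)
    later["www.pandora.com"] = {"192.0.2.10", "192.0.2.99"}
    added, removed = blocklist_drift(current, later)
    print("add:", sorted(added), "remove:", sorted(removed))
```

Re-running the script on a schedule and diffing its output against the running config turns the "add it manually, remove it manually" chore into a review step; it still shares the weakness the thread points out, namely that the firewall only ever knows the addresses the resolver returned at the moment it ran.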

Well, be my guest to MANUALLY add a web site every time you want to block something in your blocked websites object group. Is this the scalability you want? What if there is an exception and a couple of users from subnet X ask you to open Netflix and block it for the rest of the subnets? Do you have the scalability in the ASA to do this? Can't you see the amount of configuration you added to the ASA just to block certain web sites? Can't you see that I respectfully mentioned that my answer may not be the answer that you're looking for?

Respect others' opinions or get lost.

I wasn't referring to your post at any point in time. I was describing my own half-baked web filtering using DNS and ACLs as crappy and non-scalable.

OMG lol, I am so sorry Kevin ;)

Haha, no worries

nkarthikeyan
Level 7

Hi,

 

You cannot do much to block it in the ASA... whatever FQDN ACL you use will not block effectively... it can still be accessed via the leakage... at one of my client locations we identified the FB subnet range for that location and blocked the entire range...

Say we blocked 173.252.110.0/24 and so on, whatever we observed as the FB subnets...

In this case, even if they use extended URLs, they won't be able to reach the web page at any cost...

Regards

Karthik
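To check how much of the observed traffic a subnet-based block like the one Karthik describes actually covers, here is an added Python example (not from the thread and not Cisco code): it parses the deny lines of a constructed ASA ACL into networks, tests a constructed list of observed destination addresses against them, and proposes /24 networks for the ones that slip through, so the "leakage" he mentions can be measured instead of guessed at. The 173.252.110.0/24 range is the one quoted above; the second range and the observed addresses are invented.

```python
"""Measure how well ASA subnet deny lines cover observed destinations.

Added example for the thread; the ACL fragment and addresses are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Set

# Constructed ACL fragment. 173.252.110.0/24 is the range quoted in the thread;
# 198.51.100.0/25 is an invented documentation-range example.
SAMPLE_ACL = """\
access-list inside extended deny ip any 173.252.110.0 255.255.255.0
access-list inside extended deny ip any 198.51.100.0 255.255.255.128
access-list inside extended permit ip any any
"""

# Constructed destination addresses as they might appear in connection logs.
OBSERVED = ["173.252.110.27", "173.252.111.5", "198.51.100.200", "198.51.100.9"]

# Matches 'access-list <name> extended deny ip any <network> <netmask>'.
DENY_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+deny\s+ip\s+any\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$"
)


def blocked_networks(acl_text: str) -> List[ipaddress.IPv4Network]:
    """Extract the networks denied by 'deny ip any <net> <mask>' lines."""
    nets: List[ipaddress.IPv4Network] = []
    for line in acl_text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def uncovered(addresses: Iterable[str],
              nets: Iterable[ipaddress.IPv4Network]) -> Set[str]:
    """Observed addresses that no deny line covers: the leakage."""
    nets = list(nets)
    return {a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)}


def suggest_networks(addresses: Iterable[str], prefixlen: int = 24) -> Set[str]:
    """Propose /<prefixlen> networks that would cover the leaked addresses."""
    return {str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))
            for a in addresses}


if __name__ == "__main__":
    nets = blocked_networks(SAMPLE_ACL)
    leak = uncovered(OBSERVED, nets)
    print("blocked:", [str(n) for n in nets])
    print("leaking:", sorted(leak))
    print("candidate adds:", sorted(suggest_networks(leak)))
```

Feeding it the destination addresses from the ASA's own connection logs (or from repeated DNS resolutions) shows which ranges the block missed; whether a proposed /24 is safe to add is still a judgement call, since a broad range can also take down unrelated services hosted in it.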

nspasov
Cisco Employee

CX/Sourcefire is the answer to your troubles :) Or a web filtering engine as suggested above.
