Can't block HTTPS without HTTPS Decryption policy

I tried to block the Facebook website, so I created a URL object named "facebook". The result works fine on http://www.facebook.com, but on
https://www.facebook.com the client can still access the URL. How can I block these HTTPS websites without decrypting the traffic?

My Access policy

1) Source = Any
   Destination = Facebook ( www.facebook.com )
   Application = Any
   Action = Deny

2) Source = Any
   Destination = Any
   Application = facebook
   Action = Deny


5 REPLIES

Well,

The only way would be to block the outgoing DNS requests that look up the A record of facebook.

 

If you only need to block HTTP/HTTPS: as you saw, you are fine with HTTP, but for HTTPS your box will need to work as an SSL proxy and decrypt and re-encrypt the traffic.

 

Regards,

 

Jcarvaja

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Hi,

when you said that we need to work as an SSL proxy, it means that we need to enable SSL inspection, right?

We cannot block this type of URL without SSL inspection?

Thanks in advance.

If you're running Release 9.2(1.2) Build 50 (or later) they have added the following feature:

"URL category and web reputation are now available for TLS/SSL traffic even if you do not enable decryption. Access policies that use URL filtering or web reputation filtering will now apply correctly to undecrypted TLS/SSL connections."

Reference.
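The thread does not say how the ASA release quoted above classifies a TLS connection it has not decrypted, so the following is an added example in Python (standard library only), not Cisco code. It shows the two places a hostname is readable on the wire without decryption: the question name of an outgoing DNS query (the approach suggested in the first reply) and the server_name (SNI) extension of the TLS ClientHello, which is one commonly used input for URL filtering of undecrypted TLS (whether the quoted release uses exactly that is an assumption, not stated on the page). The blocklist, the verdict strings and the message builders are constructed for this example; they stand in for the poster's "facebook" URL object and for captured traffic.

```python
import struct
from typing import Optional

# Constructed blocklist standing in for the thread's "facebook" URL object.
BLOCKED_HOSTS = {"facebook.com"}


def host_is_blocked(host: str) -> bool:
    """Match a hostname against the blocklist; subdomains of a blocked zone match too."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def dns_qname(packet: bytes) -> str:
    """Return the first question name of a raw DNS query (question names are never compressed)."""
    qdcount = struct.unpack("!H", packet[4:6])[0]  # header: id, flags, qdcount, ancount, nscount, arcount
    if qdcount < 1:
        raise ValueError("DNS message has no question section")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def tls_sni(record: bytes) -> Optional[str]:
    """Walk a TLS ClientHello record and return the server_name (SNI) value, or None if absent."""
    try:
        # Record header: type 0x16 (handshake), version, length; handshake header: type 0x01, length
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                        # skip headers, client_version, random
        pos += 1 + record[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + record[pos]                                  # compression_methods
        if pos + 2 > len(record):
            return None                                         # no extensions block at all
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:  # server_name: list length (2), name type (1), name length (2), name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error):
        return None  # truncated or malformed record: nothing usable for a hostname match


def classify_dns_query(packet: bytes) -> str:
    """Verdict for an outgoing DNS query (the DNS-blocking approach from the first reply)."""
    return "deny" if host_is_blocked(dns_qname(packet)) else "allow"


def classify_tls_client_hello(record: bytes) -> str:
    """Verdict for an undecrypted TLS flow: a hostname/URL rule can only match if a hostname is visible."""
    host = tls_sni(record)
    if host is None:
        return "allow-unclassified"  # nothing to match the URL object against without decrypting
    return "deny" if host_is_blocked(host) else "allow"


# Builders for constructed sample messages, so the example runs offline.
def build_dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, one question
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN


def build_client_hello(sni: Optional[str]) -> bytes:
    body = b"\x03\x03" + b"\x00" * 32            # client_version TLS 1.2, random (zeros, constructed)
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                          # compression_methods: null only
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("www.facebook.com", "www.example.com"):
        print(f"DNS A? {name}: {classify_dns_query(build_dns_query(name))}")
        print(f"TLS SNI {name}: {classify_tls_client_hello(build_client_hello(name))}")
    print("TLS without SNI:", classify_tls_client_hello(build_client_hello(None)))
```

The "allow-unclassified" branch is the poster's symptom in miniature: a rule keyed on a URL object has nothing to compare against when neither decryption nor a cleartext hostname is available, so the connection passes. The DNS check has the limitation Julio's reply implies, in that it only works when clients resolve through a path the firewall sees, and it cannot distinguish a blocked site from anything else served behind the same name.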

Hi Marvin,

Thanks a lot for your quick response.

I'll do an upgrade on my box.

Cheers

Hi Marvin

Thank you for your reply. I will upgrade my box and test again.

 

Regards,

S. Tinnakorn
