Manual URL Filtering in Firepower

A few days ago, someone asked me the following two questions:

  1. Is a URL filtering license required to manually filter sites in Firepower?
  2. Are wildcards supported as filtering criteria?

The short answer to the first question is simply no. There is no requirement for a term-based URL filtering license to do manual filtering. The URL license enables filtering AND logging based on web categories and risk levels. If this license is not installed and attached to a Firepower device, any policy containing those elements cannot be deployed. However, URL filtering rules that contain only manual URLs can be applied and do function properly.

The visual below is directly from the URL tab in an Access Control Policy Rule.

[Screenshot: the "Selected URLs" list on the URL tab of an Access Control Policy rule]

The second question requires a slightly longer answer. With URL filtering, Firepower considers the protocol, FQDN, path and filename. For example, the following is the URL of the article I wrote last Thursday.

https://packetu.com/2016/06/23/accessing-asa-cli-firepower-threat-defence/

For filtering purposes, any substring of the URL will match. So any of the following entries will block the above page.

packetu
www.packetu.com
6
http
w.packetu.com/2016/06/23/accessing

Obviously, care must be taken to make sure a rule isn't overly broad. Very few people want to filter everything containing "http" or "6". Also worth noting, URL matching appears to be case-insensitive, and URLs are logged in lower case. So the filtering criteria PACKETU and packetu yield the same results, and https://packetu.com is what appears in the connection table in both cases.
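To make the "overly broad entry" problem concrete, here is an added audit script (my own example, not code from the original post or from Cisco). It models the behaviour described above, case-insensitive substring matching on the whole logged URL with no wildcard expansion, and runs a list of candidate manual URL entries against a constructed sample of logged URLs so you can see which entries fire and which would match most of your traffic. Treating `*` as a literal character is an assumption that follows from wildcards not being supported.

```python
"""Audit manual URL filter entries against a sample of logged URLs.

Added example, not part of the original post.  Matching is modelled as a
case-insensitive substring test on the full URL, which is the behaviour the
post describes; no wildcard expansion is performed.
"""

# Constructed sample of logged URLs (shaped like connection-table entries),
# not real traffic.
LOGGED_URLS = [
    "https://packetu.com/2016/06/23/accessing-asa-cli-firepower-threat-defence/",
    "https://www.packetu.com/about/",
    "http://example.test/downloads/setup.exe",
    "https://intranet.example.test/6/report",
    "https://cdn.example.test/assets/v6/app.js",
    "http://mirror.example.test/ubuntu/16.04/",
]


def url_matches(entry: str, url: str) -> bool:
    """True if a manual entry matches a URL under substring semantics.

    Both sides are lower-cased first, since PACKETU and packetu behave the
    same and URLs are logged in lower case.  A '*' in an entry is treated as
    an ordinary character (assumption: no wildcard support means no expansion).
    """
    return entry.lower() in url.lower()


def audit_entries(entries, urls=LOGGED_URLS, broad_threshold=0.5):
    """Return {entry: (matched_urls, is_broad)} over the sample.

    is_broad flags an entry that matches at least broad_threshold of the
    sample, i.e. the 'filter "http" or "6"' problem.  The threshold is a
    tunable chosen for this example.
    """
    report = {}
    for entry in entries:
        hits = [u for u in urls if url_matches(entry, u)]
        broad = bool(urls) and len(hits) / len(urls) >= broad_threshold
        report[entry] = (hits, broad)
    return report


if __name__ == "__main__":
    candidates = ["packetu", "PACKETU", "www.packetu.com", "6", "http", "*.packetu.com"]
    for entry, (hits, broad) in audit_entries(candidates).items():
        flag = "  <-- overly broad, review before deploying" if broad else ""
        print(f"{entry!r}: {len(hits)} match(es){flag}")
```

Run it against an export of your own connection events instead of the constructed sample to audit a real rule before deployment.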

Conclusion

The short answers to the two questions are: 1) a URL term license is not required for manual filtering, and 2) wildcarding is not supported; substring matching is the actual method used by the solution.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
