A few days ago, someone asked me the following two questions:
- Is a URL filtering license required to manually filter sites in Firepower?
- Are wildcards supported as filtering criteria?
The short answer to the first question is simply no. There is no requirement for a term-based URL filtering license to do manual filtering. The URL license enables filtering AND logging based on web categories and risk levels. If this license is not installed and attached to a Firepower device, any policy containing those elements cannot be deployed. However, URL filtering rules that contain only manual URLs can be applied and do function properly.
The visual below is directly from the URL tab in an Access Control Policy Rule.
The second question requires a slightly longer answer. With URL filtering, Firepower considers the protocol, FQDN, path and filename. For example, the following is a URL for the article I wrote last Thursday.
For filtering purposes, any substring of the URL will match. So any of the following will block the above page:
- packetu
- www.packetu.com
- 6
- http
- w.packetu.com/2016/06/23/accessing
Obviously, care must be taken to make sure a rule isn’t overly broad. Very few people want to just filter “http” or “6”. Also worth noting, URL matching appears to be case-insensitive, and URLs are logged in lower case. So the filtering criteria PACKETU and packetu yield the same results. Additionally, https://packetu.com is logged in the connection table in both cases.
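To make the substring semantics concrete, here is an added example (my own code, not Cisco's or Firepower's) that emulates the matching behaviour described above and audits a list of manual URL criteria against a constructed sample of logged connections, flagging entries that are overly broad or that would never match (such as a wildcard written with a literal `*`). It assumes the behaviour the post observes: case-insensitive substring matching over `scheme://host/path`, with no wildcard support.

```python
from urllib.parse import urlsplit

# Constructed sample of logged connections (not real traffic).
SAMPLE_LOG = [
    "http://www.packetu.com/2016/06/23/accessing-something/",
    "https://packetu.com/",
    "https://www.example.com/news/2016/06/23/story.html",
    "http://intranet.example.com/reports/2016-q2.pdf",
    "https://docs.example.org/guide/index.html",
]


def matches(criterion: str, url: str) -> bool:
    """Emulated manual-URL match: case-insensitive substring, no wildcards.
    A '*' in the criterion is a literal character and will not match anything."""
    return criterion.strip().lower() in url.strip().lower()


def hit_parts(criterion: str, url: str) -> set:
    """Which URL component(s) the criterion lands in, to explain a surprising hit
    (e.g. 'http' hitting every https:// URL, or '6' hitting a date in the path)."""
    c = criterion.strip().lower()
    parts = urlsplit(url.strip().lower())
    found = {name for name, value in (("scheme", parts.scheme),
                                      ("host", parts.netloc),
                                      ("path", parts.path)) if c in value}
    if not found and matches(criterion, url):
        found.add("cross-component")  # substring spans host and path
    return found


def audit(criteria, urls=SAMPLE_LOG, max_share=0.5) -> dict:
    """Map each criterion to (hits, share, verdict).
    'BROAD'    : blocks more than max_share of the sample (review before deploying)
    'NO-MATCH' : blocks nothing, typically a wildcard entry that is matched literally
    'ok'       : matches a limited subset of the sample"""
    report = {}
    for c in criteria:
        hits = sum(1 for u in urls if matches(c, u))
        share = hits / len(urls) if urls else 0.0
        verdict = "BROAD" if share > max_share else "NO-MATCH" if hits == 0 else "ok"
        report[c] = (hits, round(share, 2), verdict)
    return report


if __name__ == "__main__":
    entries = ["packetu", "PACKETU", "6", "http", "*.packetu.com",
               "w.packetu.com/2016/06/23/accessing"]
    for c, (hits, share, verdict) in audit(entries).items():
        print(f"{c!r:40} hits={hits} share={share} {verdict}")
```

Running the audit against a sample of your own connection log before deploying a manual URL list is a cheap way to catch an entry like "6" or "http" that would block far more than intended.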
The short answers to the two questions are that 1) a term-based URL filtering license is not required for manual filtering and 2) wildcarding is not supported; substring matching is the method the solution actually uses.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.