Url filtering (cisco)

Firepower Management Center Configuration Guide, Version 6.7

Keep in mind the following guidelines and limitations for URL filtering:

Filter by Category and Reputation

Follow the instructions in How to Configure URL Filtering with Category and Reputation.

Configure Your Policy to Inspect Packets That Must Pass Before a URL Can Be Identified

The system cannot filter URLs before:

  • A monitored connection is established between a client and server.

  • The system identifies the DNS, HTTP or HTTPS application in the session.

  • The system identifies the requested domain or URL (for encrypted sessions, from a non-encrypted domain name, the ClientHello message or the server certificate).

This identification should occur within 3 to 5 packets, or after the server certificate exchange in the TLS/SSL handshake if the traffic is encrypted.

Important! To ensure that your system examines these initial packets that would otherwise pass, see Inspection of Packets That Pass Before Traffic Is Identified and subtopics.

If early traffic matches all other rule conditions but identification is incomplete, the system allows the packet to pass and the connection to be established (or the TLS/SSL handshake to complete). After the system completes its identification, the system applies the appropriate rule action to the remaining session traffic.

Block Threat Categories

Be sure that your policies specifically address Threat categories, which identify known malicious sites. Do this in addition to blocking sites with poor reputations.

For example, to protect your network from malicious sites, you must block all Threat categories in addition to blocking sites with poor or questionable reputations.

For specifics, see Threat Categories at the URL in URL Category and Reputation Descriptions.

URL Conditions and Rule Order

  • Position URL rules after all other rules that must be hit.

  • URLs can belong to more than one category. It is possible to want to allow one category of websites and block another—whether explicitly or by relying on the default action. In this case, make sure you create and order URL rules so you get the desired effect, depending on whether the allow or the block should take precedence.

For additional guidelines for rules, see the following topics: Best Practices for Access Control Rules and Rule Condition Mechanics.

Uncategorized or Reputationless URLs

When you build a URL rule, you first choose the category you want to match. If you explicitly choose Uncategorized URLs, you cannot further constrain by reputation.

Uncategorized URLs with Untrusted reputation are handled by the Malicious Sites category. If you want to block uncategorized sites with any other reputation level (such as Questionable), you must block all uncategorized sites.

After selecting a category and a reputation level, you can optionally select Apply to unknown reputation. For example, you can create a rule that applies to sites with Untrusted, Questionable, and unknown reputations.

You cannot manually assign categories and reputations to URLs, but in access control and QoS policies, you can manually block specific URLs. See Manual URL Filtering. See also Dispute URL Category and Reputation.

URL Filtering for Encrypted Web Traffic

When performing URL filtering on encrypted web traffic, the system:

  • (If DNS filtering is enabled) Checks whether the system has previously seen the originating domain or the domain is in the local reputation database, and if so, takes action based on the reputation and category of the domain. Otherwise, the system processes the traffic based on your configurations for encrypted traffic, even if Retry URL cache miss lookup is enabled in the access control policy's advanced settings.

  • Disregards the encryption protocol; a rule matches both HTTPS and HTTP traffic if the rule has a URL condition but not an application condition that specifies the protocol.

  • Does not use URL lists. You must use URL objects and groups instead.

  • Matches HTTPS traffic based on the subject common name in the public key certificate used to encrypt the traffic, and also evaluates the reputation of any other URLs presented at any time during the transaction, including the post-decryption HTTP URL.

  • Disregards subdomains within the subject common name.

  • Does not display an HTTP response page for encrypted connections blocked by access control rules (or any other configuration); see Limitations to HTTP Response Pages.

URL Filtering and TLS Server Identity Discovery

The latest version of the Transport Layer Security (TLS) protocol 1.3, defined by RFC 8446, is the preferred protocol for many web servers to provide secure communications. Because the TLS 1.3 protocol encrypts the server's certificate for additional security, and the certificate is needed to match application and URL filtering criteria in access control rules, the Firepower System provides a way to extract the server certificate without decrypting the entire packet.

Access control policy advanced settings offer an Early application detection and URL categorization option for TLS Server Identity Discovery.

We strongly recommend enabling it for any traffic you want to match on application or URL criteria, especially if you want to perform deep inspection of that traffic. An SSL policy is not required because traffic is not decrypted in the process of extracting the server certificate.


Note

  • Because the certificate is decrypted, TLS server identity discovery can reduce performance depending on the hardware platform.

  • TLS server identity discovery is not supported in inline tap mode or passive mode deployments.


For more information, see Access Control Policy Advanced Settings.

HTTP/2

The system can extract HTTP/2 URLs from TLS certificates, but not from a payload.

Manual URL Filtering

  • Specify URLs using a custom Security Intelligence list or feed object. Do not use a URL object or directly enter a URL into the rule. For details, see Manual URL Filtering Options.

  • If you manually filter specific URLs using URL objects or by entering URLs directly into the rule, carefully consider other traffic that might be affected. To determine whether network traffic matches a URL condition, the system performs a simple substring match. If the requested URL matches any part of the string, the URLs are considered to match.

  • If you use manual URL filtering to create exceptions to other rules, position the specific rule with the exceptions above the general rule that would otherwise apply.

Search Query Parameters in URLs

The system does not use search query parameters in the URL to match URL conditions. For example, consider a scenario where you block all shopping traffic. In that case, using a web search to search for amazon.com is not blocked, but browsing to amazon.com is.

URL Filtering in High Availability Deployments

For guidelines for URL filtering with Firepower Management Centers in high availability, see URL Filtering and Security Intelligence.

Memory Limitations for Selected Device Models

  • If you are using NGIPSv, see the Cisco Firepower NGIPSv Quick Start Guide for VMware for information on allocating the correct amount of memory to perform category and reputation-based URL filtering.

  • Device models with less memory store less URL data locally, and the system may therefore check the cloud more frequently to determine category and reputation for sites that are not in the local database.

    Lower-memory devices include:

    • FTD 1010

    • Virtual FTD (FTDv) with 8 GB of RAM

    • ASA 5508-X and ASA 5516-X

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/url_filtering.html

Firepower Management Center Configuration Guide, Version 6.3

Filtering HTTPS Traffic

To filter encrypted traffic, the system determines the requested URL based on information passed during the TLS/SSL handshake: the subject common name in the public key certificate used to encrypt the traffic.

HTTPS filtering, unlike HTTP filtering, disregards subdomains within the subject common name. Do not include subdomain information when manually filtering HTTPS URLs in access control or QoS policies. For example, use example.com rather than www.example.com.

HTTPS filtering also does not support URL lists. You must use URL objects and groups instead.


Tip

In an SSL policy, you can handle and decrypt traffic to specific URLs by defining a distinguished name SSL rule condition. The common name attribute in a certificate’s subject distinguished name contains the site’s URL. Decrypting HTTPS traffic allows access control rules to evaluate the decrypted session, which improves URL filtering.


Controlling Traffic by Encryption Protocol

The system disregards the encryption protocol (HTTP vs HTTPS) when performing URL filtering in access control or QoS policies. This occurs for both manual and reputation-based URL conditions. In other words, URL filtering treats traffic to the following websites identically:

  • http://example.com/

  • https://example.com/

To configure a rule that matches only HTTP or HTTPS traffic, add an application condition to the rule. For example, you could allow HTTPS access to a site while disallowing HTTP access by constructing two access control rules, each with an application and URL condition.

The first rule allows HTTPS traffic to the website:

  • Action: Allow
  • Application: HTTPS
  • URL: example.com

The second rule blocks HTTP access to the same website:

  • Action: Block
  • Application: HTTP
  • URL: example.com
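As an added illustration (not Firepower code), the following Python model encodes the URL-condition behaviour these sections describe: first-match rule order, the plain substring match used for manual URL conditions, the encryption protocol being ignored unless an application condition is present, and HTTPS matching on the certificate subject common name with subdomains disregarded. Reducing the common name to its last two labels is an assumption used to model "disregards subdomains"; all rules and requests are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Model of Firepower URL-condition semantics as described in the guide.
# Added example, not Firepower code; the CN reduction below is an assumption.


@dataclass
class Rule:
    name: str
    action: str                          # "Allow" or "Block"
    url: Optional[str] = None            # manual URL condition, substring match
    application: Optional[str] = None    # "HTTP", "HTTPS" or None (protocol ignored)


@dataclass
class Request:
    protocol: str   # "HTTP" or "HTTPS"
    name: str       # requested URL for HTTP; certificate subject CN for HTTPS


def matching_name(req: Request) -> str:
    """Text the URL condition is compared against.

    HTTP: the requested URL itself.  HTTPS: the certificate subject common
    name with subdomains disregarded; modelled here (assumption) by keeping
    only the last two labels, so "www.example.com" becomes "example.com".
    """
    if req.protocol == "HTTPS":
        labels = req.name.split(".")
        return ".".join(labels[-2:]) if len(labels) > 2 else req.name
    return req.name


def rule_matches(rule: Rule, req: Request) -> bool:
    # Without an application condition the rule matches HTTP and HTTPS alike.
    if rule.application is not None and rule.application != req.protocol:
        return False
    # Manual URL condition: plain substring match, as the guide describes.
    if rule.url is not None and rule.url not in matching_name(req):
        return False
    return True


def evaluate(rules, req: Request, default_action: str = "Allow"):
    """First matching rule wins; otherwise the policy default action applies."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return default_action, "default action"


# The two rules from the guide: HTTPS to example.com allowed, HTTP blocked.
PROTOCOL_RULES = [
    Rule("allow-https", "Allow", url="example.com", application="HTTPS"),
    Rule("block-http", "Block", url="example.com", application="HTTP"),
]

# An exception placed above its general rule (the ordering the guide
# recommends) and the same two rules in the wrong order.
EXCEPTION_FIRST = [
    Rule("allow-docs", "Allow", url="docs.example.com"),
    Rule("block-site", "Block", url="example.com"),
]
GENERAL_FIRST = list(reversed(EXCEPTION_FIRST))


def demo():
    """Constructed requests exercising each behaviour; returns {label: (action, rule)}."""
    return {
        # application condition separates the protocols
        "http to example.com": evaluate(PROTOCOL_RULES, Request("HTTP", "http://example.com/")),
        "https cn www.example.com": evaluate(PROTOCOL_RULES, Request("HTTPS", "www.example.com")),
        # substring match also catches an unrelated site whose name contains the string
        "http to notexample.com": evaluate(PROTOCOL_RULES, Request("HTTP", "http://notexample.com/")),
        # rule order decides whether the exception is honoured
        "exception first": evaluate(EXCEPTION_FIRST, Request("HTTP", "http://docs.example.com/")),
        "general first": evaluate(GENERAL_FIRST, Request("HTTP", "http://docs.example.com/")),
        # for HTTPS the subdomain is disregarded, so a subdomain exception never matches
        "https exception": evaluate(EXCEPTION_FIRST, Request("HTTPS", "docs.example.com")),
    }


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:28s} -> {action} ({rule})")
```

The "notexample.com" case shows why the guide asks you to consider other traffic a manual URL condition might affect: a substring condition blocks every request whose URL contains it.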
Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/url_filtering.html

Cisco SD-WAN Security Configuration Guide, Cisco IOS XE Release 17.x

The URL Filtering feature enables the user to provide controlled access to Internet websites or Intranet sites by configuring the URL-based policies and filters on the device. The user can configure the URL Filtering profiles to manage the web access. The URL Filtering feature is implemented using the security virtual image similar to the IPS feature.


Note

A NAT direct internet access route is necessary to implement URL Filtering.


URL Filtering can either allow or deny access to a specific URL based on:

  • Allowed list and blocked list: These are static rules that let the user either allow or deny URLs. If the same pattern is configured under both the allowed and blocked lists, the traffic is allowed.

  • Category: URLs can be classified into multiple categories such as News, Social Media, Education, Adult, and so on. Based on the requirements, the user has the option to block or allow one or more categories.

  • Reputation: Each URL has a reputation score associated with it. The reputation score ranges from 0 to 100 and is categorized as: high-risk (0-20), suspicious (21-40), moderate-risk (41-60), low-risk (61-80), and trustworthy (81-100). Based on the reputation score of a URL and the configuration, a URL is either blocked or allowed.

When no allowed list or blocked list is configured on the device, traffic is allowed or blocked based on the category and reputation of the URL, and blocked traffic receives a block page. For HTTPS, a block page is not displayed and the traffic is dropped.

Overview of URL Filtering

The URL Filtering feature enables the user to provide controlled access to Internet websites by configuring the URL-based policies and filters on the device.

The URL Filtering feature allows a user to control access to Internet websites by permitting or denying access to specific websites based on the category, reputation, or URL. For example, when a client sends an HTTP or HTTPS request through the router, the traffic is inspected against the URL Filtering policies (allowed list/blocked list, Category, and Reputation). If the request matches the blocked list, it is blocked with an inline block page response. If the request matches the allowed list, the traffic is allowed without further URL Filtering inspection.

For HTTPS traffic, the inline block page is not displayed. URL Filtering does not decode any encoded URL before performing a lookup. Because the SSL/TLS session is still being established at the time the request is determined to be blocked, the client is not expected to receive an HTTP response, whether the injected HTTP block page or a redirect URL, and a protocol error occurs instead.

In Cisco SD-WAN, an HTTP response can be inserted into the HTTPS session if the traffic is routed through the SSL/TLS proxy. In this case the SSL/TLS session is allowed to establish, and when the HTTP GET is received on the decrypted HTTPS session, the HTTP block page or redirect URL is injected and accepted by the client.

Database Overview

By default, WAN Edge routers do not download the URL database from the cloud.

To enable the URL database download:

  • Prior to Cisco vManage Release 20.5, you must set the Resource Profile to High in the App-hosting Security Feature Template.

  • From Cisco vManage Release 20.5 onwards, you must enable Download URL Database on Device in the App-hosting Security Feature Template.

Additional memory is required to download the URL database.

If configured, WAN Edge routers download the URL database from the cloud. After the full database is downloaded, any updates to the existing database are downloaded automatically as incremental updates every 15 minutes. The complete database is approximately 440 MB, and the downloaded database should always stay synchronized with the cloud. The database becomes invalid if the connection to the cloud is lost for more than 24 hours. The default URL category/reputation database has only a few IP-address-based records; the category/reputation lookup occurs only when the host portion of the URL is a domain name.

If the device does not get the database updates from the cloud, vManage ensures that the traffic designated for URL Filtering is not dropped.


Note

The URL Filtering database is periodically updated from the cloud every 15 minutes.


Filtering Options

URL Filtering allows you to filter traffic using the following options:

Category-Based Filtering

URLs can be classified into multiple categories such as News, Social Media, Education, Adult, and so on. Based on the requirements, the user has the option to block or allow one or more categories.

A URL may be associated with up to five different categories. If any of these categories match a configured blocked category, then the request will be blocked.

Reputation-Based Filtering

In addition to category-based filtering, you can also filter based on the reputation of the URL. Each URL has a reputation score associated with it. The reputation score range is from 0-100 and it is categorized as:

  • High risk: Reputation score of 0 to 20

  • Suspicious: Reputation score of 21 to 40

  • Moderate risk: Reputation score of 41 to 60

  • Low risk: Reputation score of 61 to 80

  • Trustworthy: Reputation score of 81 to 100

When you configure a web reputation in vManage, you are setting a reputation threshold. Any URL below the threshold is blocked by URL filtering. For example, if you set the web reputation to Moderate Risk in vManage, any URL with a reputation score of 60 or lower is blocked.

Based on the reputation score of a URL and the configuration, a URL is either blocked or allowed.

List-based Filtering

List-based filtering allows the user to control access by permitting or denying access based on allowed or blocked lists. Here are some important points to note regarding these lists:

  • URLs that are allowed are not subjected to any category-based filtering (even if they are configured).

  • If the same item is configured under both the allowed and blocked list, the traffic is allowed.

  • If the traffic does not match either the allowed or blocked lists, then it is subjected to category-based and reputation-based filtering (if configured).

  • A user may consider using a combination of allowed and blocked pattern lists to design the filters. For example, if you want to allow www\.foo\.com but also want to block other URLs such as www\.foo\.abc and www\.foo\.xyz, you can configure www\.foo\.com in the allowed list and www\.foo\. in the blocked list.

Cloud-Lookup

The Cloud-Lookup feature is enabled by default and is used to retrieve the category and reputation score of URLs that are not available in the local database.

The category and reputation score of unknown URLs are returned as follows:

Name based URLs:

  • Valid URL — corresponding category and reputation score is received.

  • Unknown URL (new URL or unknown to the cloud) — category is 'uncategorized' and reputation score is 40

  • Internal URLs with proper domain name (for example, internal.abc.com) — category and reputation score is based on the base domain name (abc.com from the example above).

  • Completely internal URLs (for example, abc.xyz) — category is 'uncategorized' and reputation score is 40

IP based URLs:

  • Public hosted IP — corresponding category and reputation score is received.

  • Private IP like 10.<>, 192.168.<> — category is 'uncategorized' and reputation score is 100

  • Non-hosted/Non-routable IP — category is 'uncategorized' and reputation score is 40

The Cloud-Lookup score is different from the on-box database for these URLs (Unknown/Non-hosted/Non-routable/Internal URLs).
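The following Python model, added here as an illustration rather than Cisco code, puts the Filtering Options and Cloud-Lookup sections together: allowed-list patterns win over blocked-list patterns and skip category and reputation checks, any blocked category blocks the request, the Web Reputation setting is a threshold at the upper bound of the chosen band, and hosts unknown to the cloud score 40 while private IP addresses score 100. The local database contents and the public-IP handling are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Model of the SD-WAN URL Filtering decision order described in the guide.
# Added example, not Cisco code; the local database below is constructed.

# Upper bound of each reputation band.  Choosing a band as the Web Reputation
# setting blocks every URL whose score is at or below that bound.
REPUTATION_THRESHOLD = {
    "High Risk": 20,
    "Suspicious": 40,
    "Moderate Risk": 60,
    "Low Risk": 80,
    "Trustworthy": 100,
}

# Constructed stand-in for the on-box database: host -> (categories, score).
# A URL may carry several categories (the guide allows up to five).
LOCAL_DB = {
    "news.example": ({"News"}, 85),
    "shop.example": ({"Shopping", "News"}, 72),
    "bad.example": ({"Malware"}, 5),
}


def host_of(url: str) -> str:
    """Host part of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def cloud_lookup(host: str):
    """Category and score the guide says Cloud-Lookup returns for hosts
    that are not in the local database."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Name-based: an internal host under a known domain inherits the base
        # domain's values (internal.abc.com -> abc.com); otherwise the URL is
        # unknown to the cloud and gets 'uncategorized' with score 40.
        base = ".".join(host.split(".")[-2:])
        return LOCAL_DB.get(base, ({"uncategorized"}, 40))
    if ip.is_private:
        return {"uncategorized"}, 100     # private IP, e.g. 10.x or 192.168.x
    return {"uncategorized"}, 40          # treated as non-hosted/non-routable (assumption)


def classify(host: str):
    return LOCAL_DB.get(host) or cloud_lookup(host)


def decide(url: str, allowed, blocked, blocked_categories, web_reputation: str):
    """Return ("allow" | "block", reason) following the guide's precedence:
    allowed list, then blocked list, then category, then reputation."""
    if any(re.search(p, url) for p in allowed):
        return "allow", "allowed list"    # wins even if the blocked list matches too
    if any(re.search(p, url) for p in blocked):
        return "block", "blocked list"
    categories, score = classify(host_of(url))
    hit = categories & set(blocked_categories)
    if hit:
        return "block", "category " + sorted(hit)[0]
    if score <= REPUTATION_THRESHOLD[web_reputation]:
        return "block", f"reputation {score}"
    return "allow", "no match"


# Pattern lists from the guide's own example: allow www.foo.com, block other www.foo.* hosts.
ALLOWED = [r"www\.foo\.com"]
BLOCKED = [r"www\.foo\."]


def demo(web_reputation: str = "Moderate Risk"):
    """Constructed requests evaluated under one Web Reputation setting."""
    policy = dict(allowed=ALLOWED, blocked=BLOCKED,
                  blocked_categories=["Shopping"], web_reputation=web_reputation)
    return {u: decide(u, **policy) for u in (
        "http://www.foo.com/",             # both lists match -> allowed list wins
        "http://www.foo.abc/",             # blocked list
        "http://shop.example/",            # blocked category
        "http://news.example/",            # score 85, above the threshold
        "http://bad.example/",             # score 5
        "http://unknown.test/",            # unknown to the cloud -> score 40
        "http://intranet.news.example/",   # inherits news.example
        "http://10.1.2.3/",                # private IP -> score 100
    )}


if __name__ == "__main__":
    for setting in ("Moderate Risk", "High Risk"):
        print(setting)
        for url, (action, reason) in demo(setting).items():
            print(f"  {url:34s} {action:5s} {reason}")
```

Running both settings shows the consequence of the 40 default: under Moderate Risk every URL unknown to the cloud is blocked, while under High Risk it passes, and a private IP address (score 100) is allowed under any setting.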

Configure and Apply URL Filtering

To configure and apply URL Filtering to a Cisco IOS XE SD-WAN device, do the following:

Before you Begin

Before you apply an IPS/IDS, URL Filtering, or Advanced Malware Protection policy for the first time, you must Upload the Cisco Security Virtual Image to vManage.

Configure URL Filtering

To configure URL Filtering through a security policy, use the vManage security configuration wizard:

  1. From the Cisco vManage menu, choose .

  2. Click Add Security Policy. The Add Security Policy wizard opens, and various use-case scenarios are displayed.

  3. In Add Security Policy, choose a scenario that supports URL filtering (Guest Access, Direct Internet Access, or Custom).

  4. Click Proceed to add a URL filtering policy in the wizard.

  5. In the Add Security Policy wizard, click Next until the URL Filtering window is displayed.

  6. Click the Add URL Filtering Policy drop-down menu and choose Create New to create a new URL filtering policy. The URL filtering - Policy Rule Configuration wizard appears.

  7. Click Target VPNs to add the required number of target service VPNs in the Add Target VPNs wizard.

  8. Enter a policy name in the Policy Name field.

  9. Choose one of the following options from the Web Categories drop-down:

    • Block: Block websites that match the categories that you choose.

    • Allow: Allow websites that match the categories that you choose.

  10. Choose one or more categories to block or allow from the Web Categories list.

  11. Choose a Web Reputation from the drop-down menu. The options are:

    • High Risk: Reputation score of 0 to 20.

    • Suspicious: Reputation score of 21 to 40.

    • Moderate Risk: Reputation score of 41 to 60.

    • Low Risk: Reputation score of 61 to 80.

    • Trustworthy: Reputation score of 81 to 100.

  12. (Optional) From Advanced, choose one or more existing lists or create new ones as needed from the Whitelist URL List or Blacklist URL List drop-down menu.


    Note

    Items on the allowed lists are not subject to category-based filtering. However, items on the blocked lists are subject to category-based filtering. If the same item is configured under both the allowed and blocked lists, the traffic is allowed.


    To create a new list, do the following:

    1. Click New Whitelist URL List or New Blacklist URL List in the drop-down menu.

    2. In the URL List Name field, enter a list name consisting of up to 32 characters (letters, numbers, hyphens and underscores only).

    3. In the URL field, enter URLs to include in the list, separated with commas. You also can use Import to add lists from an accessible storage location.

    4. Click Save when you are finished.

    You also can create or manage URL lists. To do this:

    1. From the Cisco vManage menu, choose Configuration > Security.

    2. Choose Lists from the Custom Options drop-down menu.

    3. Choose Whitelist URLs or Blacklist URLs in the left pane.

    To remove a URL list from the URL List field, click the X next to the list name in the field.

  13. (Optional) In the Block Page Server pane, choose an option to designate what happens when a user visits a URL that is blocked. Choose Block Page Content to display a message that access to the page has been denied, or choose Redirect URL to display another page.

    If you choose Block Page Content, users see the content header. In the Content Body field, enter text to display under this content header. The default content body text is . If you choose Redirect URL, enter a URL to which users are redirected.

  14. (Optional) In the Alerts and Logs pane, choose the alert types from the following options:

    • Blacklist: Exports an alert as a Syslog message if a user tries to access a URL that is configured in the blocked URL List.

    • Whitelist: Exports an alert as a Syslog message if a user tries to access a URL that is configured in the allowed URL List.

    • Reputation/Category: Exports an alert as a Syslog message if a user tries to access a URL that has a reputation that is configured as blocked in the Web Reputation field or that matches a blocked web category.

      Alerts for allowed reputations or allowed categories are not exported as Syslog messages.

  15. You must configure the address of the external log server in the Policy Summary page.

  16. Click Save URL filtering Policy to add a URL filtering policy.

  17. Click Next until the Policy Summary page is displayed.

  18. Enter Security Policy Name and Security Policy Description in the respective fields.

  19. If you enabled Alerts and Logs, in the Additional Policy Settings section you must specify the following:

    • External Syslog Server VPN: The syslog server should be reachable from this VPN.

    • Server IP: IP address of the server.

    • Failure Mode: Open or Close.

  20. Click Save Policy to save the Security policy.

  21. To edit the existing URL filtering policy, click Custom Options in the right-side panel of the Security wizard.

Apply a Security Policy to a Device

To apply a security policy to a device:

  1. From the Cisco vManage menu, choose .

  2. Click Device.

  3. From the Create Template drop-down list, choose From Feature Template.

  4. From the Device Model drop-down list, choose one of the devices.

  5. Click Additional Templates.

    The Additional Templates section is displayed.

  6. From the Security Policy drop-down list, choose the name of the policy you configured previously.

  7. Click Create to apply the security policy to a device.

  8. Click … next to the device template that you created.

  9. Click Attach Devices.

  10. Choose the devices to which you want to attach the device template.

  11. Click Attach.


Note

If you are migrating from older releases to Cisco IOS XE Release 17.2 or later with Application lists and the zone-based firewall that is configured in Cisco vManage, you must first remove the security template from the base template and push the base template. Thereafter, reattach the security template and then push the template to the device.

Modify URL Filtering

To modify a URL Filtering policy, do the following:

  1. From the Cisco vManage menu, choose .

  2. In the Security screen, click the Custom Options drop-down menu, choose Policies/Profiles, and then choose URL Filtering.

  3. For the desired policy you want to modify, click ... and choose Edit.

  4. Modify the policy as required and click Save URL Filtering Policy.

Delete URL Filtering

To delete a URL filtering policy, you must first detach the policy from the security policy:

  1. From the Cisco vManage menu, choose .

  2. To detach the URL filtering policy from the security policy:

    1. For the security policy that contains the URL filtering policy, click ... and click Edit.

      The Policy Summary page is displayed.

    2. Click URL Filtering.

    3. For the policy that you want to delete, click ... and choose Detach.

    4. Click Save Policy Changes.

  3. To delete the URL filtering policy:

    1. In the Security screen, click the Custom Options drop-down menu, choose Policies/Profiles, and then choose URL Filtering.

    2. For the policy that you want to delete, click ... and click Delete.

    3. Click OK.

Monitor URL Filtering

You can monitor URL Filtering for a device by web category using the following steps.

To monitor the URLs that are blocked or allowed on an IOS XE SD-WAN device:

  1. From the Cisco vManage menu, choose , and then choose a device.

  2. In the left pane, under Security Monitoring, click URL Filtering. The URL Filtering information displays in the right pane.

  3. Click Blocked. The session count on a blocked URL appears.

  4. Click Allowed. The session count on allowed URLs appears.

Configure URL Filtering for Unified Security Policy

You can create a URL filtering policy specifically for use in a unified security policy. After being created, the URL filtering policy is included in the advanced inspection profile and applied to the unified security policy for implementation on Cisco IOS XE SD-WAN devices.

To configure a URL filtering policy for a unified security policy, perform the following steps:

  1. From the Cisco vManage menu, choose Configuration > Security.

  2. Click Custom Options.

  3. Click Policies/Profiles.

  4. Click URL Filtering in the left pane.

  5. Click Add URL Filtering Policy, and choose Create New.

  6. Click Policy Mode to enable the unified mode.

    This implies that you are creating a URL filtering policy for use in the unified security policy.


    Note

    Target VPNs are not applicable for URL filtering used in a unified security policy.


  7. Enter a policy name in the Policy Name field.

  8. Choose one of the following options from Web Categories.

    • Block: Block websites that match the categories that you choose.

    • Allow: Allow websites that match the categories that you choose.

  9. Choose one or more categories to block or allow from the Web Categories drop-down list.

  10. Choose the Web Reputation from the drop-down list. The options are:

    • High Risk: The reputation score is between 0 and 20.

    • Suspicious: The reputation score is between 21 and 40.

    • Moderate Risk: The reputation score is between 41 and 60.

    • Low Risk: The reputation score is between 61 and 80.

    • Trustworthy: The reputation score is between 81 and 100.

  11. (Optional) From Advanced, choose one or more existing lists or create new ones, as needed, from the Whitelist URL List or Blacklist URL List drop-down lists.


    Note

    Items in the allowed lists are not subject to category-based filtering. However, items in the blocked lists are subject to category-based filtering. If the same item is configured under both the allowed and blocked lists, traffic is allowed.


    To create a new list, do the following:

    1. Click New Whitelist URL List or New Blacklist URL List in the drop-down list.

    2. In the URL List Name field, enter a list name consisting of up to 32 characters (letters, numbers, hyphens and underscores only).

    3. In URL field, enter URLs to include in the list, separated by commas. You also can use Import to add lists from an accessible storage location.

    4. Click Save.

    You also can create or manage URL lists by choosing , then choosing Lists from Custom Options in the top-right corner of the window, and then clicking Whitelist URLs or Blacklist URLs in the left pane.

    To remove a URL list from the URL List field, click X next to the list name.

  12. (Optional) In the Block Page Server pane, choose an option to designate what happens when a user visits a URL that is blocked.

    If you click Block Page Content, users see the content header. In the Content Body field, enter text to display under this content header. The default content body text is . If you click Redirect URL, enter a URL to which users are redirected.

  13. (Optional) In the Alerts and Logs pane, choose the alert type options:

    • Blacklist: Exports an alert as a syslog message if a user tries to access a URL that is configured in the blocked URL List.

    • Whitelist: Exports an alert as a syslog message if a user tries to access a URL that is configured in the Allowed URL List.

    • Reputation/Category: Exports an alert as a syslog message if a user tries to access a URL that is configured as blocked in the Web Reputation field or that matches a blocked web category.

      Alerts for allowed reputations or allowed categories are not exported as syslog messages.

  14. Configure the address of the external log server in the Policy Summary page.

  15. Click Save URL filtering Policy to add a URL filtering policy.

Source: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/url-filtering.html

Filtering (cisco) url

Firepower Management Center Configuration Guide, Version 6.2.3

Filtering HTTPS Traffic

To filter encrypted traffic, the system determines the requested URL based on information passed during the TLS/SSL handshake: the subject common name in the public key certificate used to encrypt the traffic.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/fpmc-config-guide-v623_chapter_010000000.html

URL Filtering Configuration and Best Practices for Cisco Email Security

Introduction

This document describes how to configure URL Filtering on the Cisco Email Security Appliance (ESA) and best practices for its use.

Background Information

Control and protection against malicious or undesirable links are incorporated into the anti-spam, outbreak, content, and message filtering processes in the work queue. These controls:

  • Increase the effectiveness of protection from malicious URLs in messages and attachments.
      • URL filtering is incorporated into Outbreak Filtering. This strengthened protection is useful even if your organization already has a Cisco Web Security Appliance or similar protection from web-based threats because it blocks threats at the point of entry.
      • You can also use content or message filters to take action based on the Web-Based Reputation Score (WBRS) of URLs in messages. For example, you can rewrite URLs with a neutral or unknown reputation to redirect them to the Cisco Web Security Proxy for click-time evaluation of their safety.
  • Better identify spam.
      • The appliance uses the reputation and category of links in messages, in conjunction with other spam-identification algorithms, to help identify spam. For example, if a link in a message belongs to a marketing web site, the message is more likely to be a marketing message.
  • Support enforcement of corporate acceptable use policies.
      • The category of URLs (for example, Adult Content or Illegal Activities) can be used in conjunction with content and message filters to enforce corporate acceptable use policies.
  • Allow you to identify users in your organization who most frequently clicked a URL in a message that has been rewritten for protection, as well as links that have most frequently been clicked.

When you configure URL Filtering on the ESA, you must also configure other features dependent upon your desired functionality. Here are some typical features that are enabled alongside URL Filtering:

  • For enhanced protection against spam, the Anti-Spam Scanning feature must be enabled globally in accordance with the applicable mail policy. This can be either the Cisco IronPort Anti-Spam (IPAS) or the Cisco Intelligent Multi-Scan (IMS) feature.
  • For enhanced protection against malware, the Outbreak Filters or Virus Outbreak Filters (VOF) feature must be enabled globally in accordance with the applicable mail policy.
  • For actions based on the URL reputation, or in order to enforce acceptable use policies with the use of message and content filters, you must enable VOF globally.

Note: As of AsyncOS 11.1 for Email Security, support for URL scanning in attachments is available. You can configure your appliance to scan for URLs in message attachments and perform configured actions on such messages. You can use the URL Reputation and URL Category content and message filters to scan for URLs in message attachments. For more details, see the “Using Message Filters to Enforce Email Policies”, “Content Filters” and “Protecting Against Malicious or Undesirable URLs” chapters in the user guide or online help.

Note: Additionally, as of AsyncOS 11.1 for Email Security, URL filtering support for shortened URLs is available. You can configure your appliance to perform URL filtering on shortened URLs and retrieve the actual URL behind the shortened one. Based on the URL reputation score of the original URL, a configured action is taken on the shortened URL. To enable URL filtering for shortened URLs in your appliance, see the “Protecting Against Malicious or Undesirable URLs” chapter in the user guide or online help and the CLI Reference Guide for AsyncOS for Cisco Email Security Appliance.

Enable URL Filtering

In order to implement URL Filtering on the ESA, you must first enable the feature. URL Filtering can be enabled from the GUI or the CLI by the ESA administrator.

To enable URL Filtering with the use of the GUI, navigate to Security Services > URL Filtering > Enable:

From the CLI, run the command, websecurityconfig:

myesa.local> websecurityconfig
Enable URL Filtering? 1180> y

Note: URL Logging is a sub-feature within VOF. This is a CLI-only feature that must be enabled as shown here, using outbreakconfig:

myesa.local> outbreakconfig

Outbreak Filters: Enabled

Choose the operation you want to perform:
- SETUP - Change Outbreak Filters settings.
- CLUSTERSET - Set how the Outbreak Filters are configured in a cluster.
- CLUSTERSHOW - Display how the Outbreak Filters are configured in a cluster.
[]> setup

Outbreak Filters: Enabled
Would you like to use Outbreak Filters? [Y]>

Outbreak Filters enabled.

Outbreak Filter alerts are sent when outbreak rules cross the threshold (go above or
back down below), meaning that new messages of certain types could be quarantined
or will no longer be quarantined, respectively.

...

Logging of URLs is currently disabled.

Do you wish to enable logging of URL's? 1180> y

Logging of URLs has been enabled.

The Outbreak Filters feature is now globally enabled on the system. You must use the
'policyconfig' command in the CLI or the Email Security Manager in the GUI to enable
Outbreak Filters for the desired Incoming and Outgoing Mail Policies.

Note: Ensure that you commit any and all changes to your configuration before you proceed, from either the GUI or the CLI on your ESA.

Enable URL Filtering Support for Shortened URLs

URL filtering support for shortened URLs can be enabled only from the CLI, using websecurityadvancedconfig:

myesa.local> websecurityadvancedconfig

...

Do you want to enable URL filtering for shortened URLs? 1180> Y

For shortened URL support to work, please ensure that ESA is able to connect to following domains:
bit.ly, tinyurl.com, ow.ly, tumblr.com, ff.im, youtu.be, tl.gd, plurk.com, url4.eu, j.mp, goo.gl, yfrog.com, fb.me, alturl.com, wp.me, chatter.com, tiny.cc, ur.ly

Cisco recommends enabling this as a URL filtering best practice. Once enabled, the mail logs record every time a shortened URL is used within a message:

Mon Aug 27 14:56:49 2018 Info: MID 1810 having URL: http://bit.ly/2tztQUi has been expanded to https://www.wired.com/?p=2270330&drafts-for-friends=js-1036023628&post_type=non-editorial

With URL filtering enabled as described in this article, the mail log example above shows both the bit.ly link and the original link that it expands to.

Create URL Filtering Actions

When you enable URL filtering alone, it does not take action against messages that might contain live and valid URLs.

The URLs included in inbound and outbound messages are evaluated. Any valid string for a URL is evaluated, including strings with these components:

  • HTTP, HTTPS, or WWW
  • Domain or IP addresses
  • Port numbers preceded by a colon (:)
  • Uppercase or lowercase letters

When the system evaluates URLs in order to determine whether a message is spam, if necessary for load management, it prioritizes and screens inbound messages over outbound messages.

You can perform actions on messages based on the reputation or category of URLs in the message body and message attachments. If you want to perform any action other than modifying URLs or their behavior, add a URL Reputation or URL Category condition and select the reputation scores or URL categories for which you want to apply the action.

For example, if you want to apply the Drop (Final Action) action to all messages that include URLs in the Adult category, add a condition of type URL Category with the Adult category selected.

If you do not specify a category, the action you choose is applied to all messages.

URL reputation score ranges for clean, neutral, and malicious URLs are predefined and not editable. However, you can specify a custom range instead. The specified endpoints are included in the range you specify. For example, if you create a custom range from -8 to -10, then -8 and -10 are included in the range. Use “No Score” for URLs for which a reputation score cannot be determined.

In order to quickly scan URLs and take action, you can create a content filter so that if the message has a valid URL, then the action is applied. From the GUI, navigate to Mail Policies > Incoming Content Filters > Add Filter.

Content Filters for Malicious URLs

This example shows a scan for malicious URLs with the implementation of this inbound content filter:

With this filter in place, the system scans for a URL with a Malicious reputation (-10.00 to -6.00), adds a log entry to the mail logs, uses the defang action in order to make the link un-clickable, and places this into a URL Filtering quarantine. Here is an example from the mail logs:

Wed Nov 5 21:27:18 2014 Info: Start MID 186 ICID 606
Wed Nov 5 21:27:18 2014 Info: MID 186 ICID 606 From: <[email protected]>
Wed Nov 5 21:27:18 2014 Info: MID 186 ICID 606 RID 0 To: <[email protected]>
Wed Nov 5 21:27:18 2014 Info: MID 186 Message-ID '<[email protected]>'
Wed Nov 5 21:27:18 2014 Info: MID 186 Subject 'URL Filter test malicious'
Wed Nov 5 21:27:18 2014 Info: MID 186 ready 2230 bytes from <[email protected]>
Wed Nov 5 21:27:18 2014 Info: MID 186 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Nov 5 21:27:18 2014 Info: ICID 606 close
Wed Nov 5 21:27:19 2014 Info: MID 186 interim verdict using engine: CASE spam positive
Wed Nov 5 21:27:19 2014 Info: MID 186 using engine: CASE spam positive
Wed Nov 5 21:27:19 2014 Info: ISQ: Tagging MID 186 for quarantine
Wed Nov 5 21:27:19 2014 Info: MID 186 interim AV verdict using Sophos CLEAN
Wed Nov 5 21:27:19 2014 Info: MID 186 antivirus negative
Wed Nov 5 21:27:19 2014 Info: MID 186 URL http:// peekquick .com /sdeu/cr.sedin/sdac/denc.php has reputation -6.77 matched url-reputation-rule
Wed Nov 5 21:27:19 2014 Info: MID 186 Custom Log Entry: <===> MALICIOUS URL! <===>

Wed Nov 5 21:27:19 2014 Info: MID 186 URL http:// peekquick .com/sdeu/cr.sedin/sdac/denc.php has reputation -6.77 matched url-reputation-defang-action
Wed Nov 5 21:27:19 2014 Info: MID 186 URL http:// peekquick .com /sdeu/cr.sedin/sdac/denc.php has reputation -6.77 matched url-reputation-defang-action
Wed Nov 5 21:27:19 2014 Info: MID 186 rewritten to MID 187 by url-reputation-defang-action filter '__MALICIOUS_URL__'
Wed Nov 5 21:27:19 2014 Info: Message finished MID 186 done
Wed Nov 5 21:27:19 2014 Info: MID 187 Outbreak Filters: verdict positive
Wed Nov 5 21:27:19 2014 Info: MID 187 Threat Level=5 Category=Phish Type=Phish
Wed Nov 5 21:27:19 2014 Info: MID 187 rewritten URL u'http:// peekquick .com/sdeu/cr.sedin/sdac/denc.php-Robert'
Wed Nov 5 21:27:19 2014 Info: MID 187 rewritten to MID 188 by url-threat-protection filter 'Threat Protection'
Wed Nov 5 21:27:19 2014 Info: Message finished MID 187 done
Wed Nov 5 21:27:19 2014 Info: MID 188 Virus Threat Level=5
Wed Nov 5 21:27:19 2014 Info: MID 188 quarantined to "Outbreak" (Outbreak rule:Phish: Phish)
Wed Nov 5 21:27:19 2014 Info: MID 188 quarantined to "URL Filtering Quarantine" (content filter:__MALICIOUS_URL__)
Wed Nov 5 21:28:20 2014 Info: SDS_CLIENT: Generated URL scanner configuration
Wed Nov 5 21:28:21 2014 Info: SDS_CLIENT: URL scanner enabled=1
Wed Nov 5 21:28:21 2014 Info: SDS_CLIENT: Generated URL scanner configuration
Wed Nov 5 21:28:21 2014 Info: SDS_CLIENT: URL scanner enabled=1

Note: The URL that is embedded in the previous example has extra spaces included in the URL body, so it does not trip any web scans or proxy detection.

This URL for peekquick.com is MALICIOUS and scored -6.77. An entry is made in the mail logs, where you can see all of the processes in action. The URL filter detected the malicious URL, defanged it, and quarantined the message. The VOF also scored it positive based on its rule set and identified it as Phish.

If VOF is not enabled, the same message is still processed, but URL scans are not acted upon, because VOF is what drives the URL scans and the resulting actions. In this example, however, the message body is scanned by the Cisco Anti-Spam Engine (CASE) and deemed spam-positive:

Wed Nov 5 21:40:49 2014 Info: Start MID 194 ICID 612
Wed Nov 5 21:40:49 2014 Info: MID 194 ICID 612 From: <[email protected]>
Wed Nov 5 21:40:49 2014 Info: MID 194 ICID 612 RID 0 To: <[email protected]>
Wed Nov 5 21:40:49 2014 Info: MID 194 Message-ID '<[email protected]>'
Wed Nov 5 21:40:49 2014 Info: MID 194 Subject 'URL Filter test malicious'
Wed Nov 5 21:40:49 2014 Info: MID 194 ready 2230 bytes from <[email protected]>
Wed Nov 5 21:40:49 2014 Info: MID 194 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Nov 5 21:40:50 2014 Info: ICID 612 close
Wed Nov 5 21:40:50 2014 Info: MID 194 interim verdict using engine: CASE spam positive
Wed Nov 5 21:40:50 2014 Info: MID 194 using engine: CASE spam positive

Wed Nov 5 21:40:50 2014 Info: ISQ: Tagging MID 194 for quarantine
Wed Nov 5 21:40:50 2014 Info: MID 194 interim AV verdict using Sophos CLEAN
Wed Nov 5 21:40:50 2014 Info: MID 194 antivirus negative
Wed Nov 5 21:40:50 2014 Info: MID 194 queued for delivery
Wed Nov 5 21:40:52 2014 Info: RPC Delivery start RCID 20 MID 194 to local IronPort Spam Quarantine
Wed Nov 5 21:40:52 2014 Info: ISQ: Quarantined MID 194
Wed Nov 5 21:40:52 2014 Info: RPC Message done RCID 20 MID 194
Wed Nov 5 21:40:52 2014 Info: Message finished MID 194 done

Detection by CASE alone does not always occur. At times the CASE and IPAS rules might not contain a match for the particular sender, domain, or message contents, and so cannot detect this threat on their own.

Content Filters for Neutral URLs

Neutral URL reputation means that URLs are currently clean, but may turn malicious in the future, as they are prone to attacks. For such URLs, administrators can create non-blocking policies, for example, redirecting them to the Cisco Web Security Proxy for click-time evaluation.

Note: In AsyncOS 9.7 for Email Security and later, URLs that were formerly labeled “Suspicious” are now labeled “Neutral.”  Only the labeling has changed; the underlying logic and processing have not changed.

This example shows a scan for neutral URLs with the implementation of this inbound content filter:

With this filter in place, the system searches for a URL with a Neutral reputation (-5.90 to 5.90) and adds a log entry to the mail logs. This example shows a modified subject in order to prepend "[NEUTRAL URL!]". Here is an example from the mail logs:

Wed Nov 5 21:22:23 2014 Info: Start MID 185 ICID 605
Wed Nov 5 21:22:23 2014 Info: MID 185 ICID 605 From: <[email protected]>
Wed Nov 5 21:22:23 2014 Info: MID 185 ICID 605 RID 0 To: <[email protected]>
Wed Nov 5 21:22:23 2014 Info: MID 185 Message-ID '<D0804586.24BAE%[email protected]>'
Wed Nov 5 21:22:23 2014 Info: MID 185 Subject 'Middle of the road?'
Wed Nov 5 21:22:23 2014 Info: MID 185 ready 4598 bytes from <[email protected]>
Wed Nov 5 21:22:23 2014 Info: MID 185 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Nov 5 21:22:24 2014 Info: MID 185 interim AV verdict using Sophos CLEAN
Wed Nov 5 21:22:24 2014 Info: MID 185 antivirus negative
Wed Nov 5 21:22:24 2014 Info: MID 185 URL https:// www. udemy.com/official-udemy-instructor-course/?refcode=slfgiacoitvbfgl7tawqoxwqrdqcerbhub1flhsmfilcfku1te5xofictyrmwfcfxcvfgdkobgbcjv4bxcqbfmzcrymamwauxcuydtksayhpovebpvmdllxgxsu5vx8wzkjhiwazhg5m&utm_campaign=email&utm_source=sendgrid.com&utm_medium=email has reputation -5.08 matched url-reputation-rule
Wed Nov 5 21:22:24 2014 Info: MID 185 Custom Log Entry: <===> NEUTRAL URL! <===>

Wed Nov 5 21:22:24 2014 Info: MID 185 Outbreak Filters: verdict negative
Wed Nov 5 21:22:24 2014 Info: MID 185 queued for delivery
Wed Nov 5 21:22:24 2014 Info: New SMTP DCID 26 interface 192.168.0.199 address 192.168.0.200 port 25
Wed Nov 5 21:22:24 2014 Info: Delivery start DCID 26 MID 185 to RID [0]
Wed Nov 5 21:22:24 2014 Info: Message done DCID 26 MID 185 to RID [0] [('X-IronPort-AV', 'E=Sophos;i="5.07,323,1413259200"; \r\n d="scan\'208,217";a="185"'), ('x-ironport-av', 'E=Sophos;i="5.07,323,1413244800"; \r\n d="scan\'208,217";a="93843786"')]
Wed Nov 5 21:22:24 2014 Info: MID 185 RID [0] Response '2.0.0 Ok: queued as 0F8F9801C2'
Wed Nov 5 21:22:24 2014 Info: Message finished MID 185 done

Note: The URL that is embedded in the previous example has extra spaces included in the URL body, so it does not trip any web scans or proxy detection.

The Udemy link in the previous example does not appear clean, and it is scored NEUTRAL at -5.08. As shown in the mail logs entry, this message is allowed to be delivered to the end-user.

The administrator may not wish to treat the broad neutral range (-5.90 to 5.90) as an indicator. It may be more appropriate to define a narrower custom range that leans toward the negative end of neutral scoring, so that the filter does not trigger on every URL in the neutral range and produce false positive or false negative actions.
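The three content filters described above and the narrower custom neutral range just recommended, as an added Python example written for this page (not Cisco code): it parses the "has reputation" and "has been expanded to" mail log lines, classifies each URL into the article's predefined bands with inclusive endpoints, and returns the filter actions. The log lines are constructed, and treating the unspecified gap between -6.00 and -5.90 as Neutral is this model's assumption.

```python
# Added example, not Cisco code: mail log parsing plus WBRS band classification
# and custom-range handling as described in the article.
import re
from typing import Dict, List, Optional, Tuple

REP_RE = re.compile(r"Info: MID (\d+) URL (.+?) has reputation (-?\d+(?:\.\d+)?) matched (\S+)$")
EXP_RE = re.compile(r"Info: MID (\d+) having URL: (\S+) has been expanded to (\S+)$")

# Constructed sample lines, laid out like the article's mail log excerpts.
SAMPLE_LOG = """\
Mon Aug 27 14:56:49 2018 Info: MID 4200 having URL: http://short.example/x1 has been expanded to http://long.example/promo?id=7
Wed Nov 5 21:27:19 2014 Info: MID 4201 URL http://bad.example/sdeu/denc.php has reputation -6.77 matched url-reputation-rule
Wed Nov 5 21:22:24 2014 Info: MID 4202 URL https://course.example/?ref=abc has reputation -5.08 matched url-reputation-rule
Wed Nov 5 21:11:11 2014 Info: MID 4203 URL http://www.portal.example has reputation 8.39 matched url-reputation-rule
Wed Nov 5 21:30:00 2014 Info: MID 4204 antivirus negative
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a reputation or expansion event, or None for any other log line."""
    m = REP_RE.search(line)
    if m:
        return {"kind": "reputation", "mid": int(m[1]), "url": m[2],
                "score": float(m[3]), "rule": m[4]}
    m = EXP_RE.search(line)
    if m:
        return {"kind": "expanded", "mid": int(m[1]), "url": m[2], "expanded": m[3]}
    return None


def band_for(score: Optional[float]) -> str:
    """Predefined bands from the article: Malicious, Neutral, Clean, No Score."""
    if score is None:
        return "No Score"
    if -10.0 <= score <= -6.0:
        return "Malicious"
    if 6.0 <= score <= 10.0:
        return "Clean"
    if -10.0 <= score <= 10.0:
        return "Neutral"   # -5.90 to 5.90 in the article; the gap below -5.90 is folded in (assumption)
    raise ValueError(f"score {score} is outside the WBRS scale")


def in_custom_range(score: float, a: float, b: float) -> bool:
    """Custom ranges include both endpoints, in whichever order they are given."""
    lo, hi = sorted((a, b))
    return lo <= score <= hi


def filter_actions(score: Optional[float],
                   neutral_range: Tuple[float, float] = (-5.9, 5.9)) -> List[str]:
    """Actions of the article's three content filters, plus its No Score suggestion."""
    band = band_for(score)
    if band == "Malicious":
        return ["log:MALICIOUS URL!", "defang", "quarantine:URL Filtering Quarantine"]
    if band == "Neutral":
        # Act only on the part of the neutral band the administrator chose.
        if in_custom_range(score, *neutral_range):
            return ["log:NEUTRAL URL!", "subject-prepend:[NEUTRAL URL!]"]
        return []
    if band == "Clean":
        return ["log:CLEAN URL!"]
    return ["redirect:click-time-evaluation"]


def process_log(text: str,
                neutral_range: Tuple[float, float] = (-5.9, 5.9)) -> Tuple[List[dict], Dict[str, str]]:
    """Classify every reputation event and collect shortened-URL expansions."""
    events: List[dict] = []
    expansions: Dict[str, str] = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "expanded":
            expansions[ev["url"]] = ev["expanded"]
            continue
        ev["band"] = band_for(ev["score"])
        ev["actions"] = filter_actions(ev["score"], neutral_range)
        events.append(ev)
    return events, expansions


if __name__ == "__main__":
    evs, exps = process_log(SAMPLE_LOG, neutral_range=(-5.9, -3.0))
    for ev in evs:
        print(ev["mid"], ev["score"], ev["band"], ev["actions"])
    print(exps)
```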

Content Filters for Clean URLs

This example shows a scan for clean URLs with the implementation of this inbound content filter:

With this filter in place, the system searches for a URL with a clean reputation (6.00 to 10.00) and simply adds a log entry to the mail logs in order to trigger and record the Web-Based Reputation Score (WBRS). This log entry also helps to identify the process that is triggered. Here is an example from the mail logs:

Wed Nov 5 21:11:10 2014 Info: Start MID 182 ICID 602
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 602 From: <[email protected]>
Wed Nov 5 21:11:10 2014 Info: MID 182 ICID 602 RID 0 To: <[email protected]>
Wed Nov 5 21:11:10 2014 Info: MID 182 Message-ID '<D08042EA.24BA4%[email protected]>'
Wed Nov 5 21:11:10 2014 Info: MID 182 Subject 'Starting at the start!'
Wed Nov 5 21:11:10 2014 Info: MID 182 ready 2798 bytes from <[email protected]>
Wed Nov 5 21:11:10 2014 Info: MID 182 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Nov 5 21:11:11 2014 Info: MID 182 interim AV verdict using Sophos CLEAN
Wed Nov 5 21:11:11 2014 Info: MID 182 antivirus negative
Wed Nov 5 21:11:11 2014 Info: MID 182 URL http:// www .yahoo.com has reputation 8.39 matched url-reputation-rule
Wed Nov 5 21:11:11 2014 Info: MID 182 Custom Log Entry: <===> CLEAN URL! <===>

Wed Nov 5 21:11:11 2014 Info: MID 182 Outbreak Filters: verdict negative
Wed Nov 5 21:11:11 2014 Info: MID 182 queued for delivery
Wed Nov 5 21:11:11 2014 Info: New SMTP DCID 23 interface 192.168.0.199 address 192.168.0.200 port 25
Wed Nov 5 21:11:11 2014 Info: Delivery start DCID 23 MID 182 to RID [0]
Wed Nov 5 21:11:11 2014 Info: Message done DCID 23 MID 182 to RID [0] [('X-IronPort-AV', 'E=Sophos;i="5.07,323,1413259200"; \r\n d="scan\'208,217";a="182"'), ('x-ironport-av', 'E=Sophos;i="5.07,323,1413244800"; \r\n d="scan\'208,217";a="93839309"')]
Wed Nov 5 21:11:11 2014 Info: MID 182 RID [0] Response '2.0.0 Ok: queued as 7BAF5801C2'
Wed Nov 5 21:11:11 2014 Info: Message finished MID 182 done
Wed Nov 5 21:11:16 2014 Info: ICID 602 close
Wed Nov 5 21:11:16 2014 Info: DCID 23 close

Note: The URL that is embedded in the previous example has extra spaces included in the URL body, so it does not trip any web scans or proxy detection.

As shown in the example, Yahoo.com is deemed CLEAN and given a score of 8.39, is noted in the mail logs, and is delivered to the end-user.

Content Filters for URLs with "No Score"

“No Score” is given for URLs when a reputation score cannot be determined.  These may be URLs that contain new domains, or URLs that have seen little to no traffic and are not able to have a current score.

Administrators may wish to handle URLs with no score at their own discretion. If you see an increase in Phish-related emails and attachments, review the associated URL scores. Administrators may wish to have no-score URLs redirected to the Cisco Cloud Web Security proxy service for click-time evaluation.

Report Uncategorized and Misclassified URLs

At times, a URL might not be classified yet, or it might be miscategorized. In order to report URLs that have been miscategorized, and URLs that are not categorized but should be, visit the Cisco URL categorization requests page.

You might also want to check the status of submitted URLs. To do this, click Status on the Submitted URLs tab of this page.

Malicious URLs and Marketing Messages Are Not Caught by Anti-Spam or Outbreak Filters

This can occur because the web site reputation and category are only two criteria among many that anti-spam and outbreak filters use in order to determine their verdicts. In order to increase the sensitivity of these filters, lower the thresholds that are required to take action, such as rewriting or replacing URLs with text, or quarantining or dropping messages.

Alternatively, you can create content or message filters based on the URL reputation score.

Source: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html


Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3

Configuring Access Control Rules

Use access control rules to control access to network resources. Rules in the access control policy are evaluated from top to bottom. The rule applied to traffic is the first one where all the traffic criteria are matched.

Procedure


Step 1

Select .

Step 2

Do any of the following:

  • To create a new rule, click the + button.
  • To edit an existing rule, click the edit icon (edit icon) for the rule.

To delete a rule you no longer need, click the delete icon (delete icon) for the rule.

Step 3

In Order, select where you want to insert the rule in the ordered list of rules.

Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above policies that have more general criteria that would otherwise apply to the matching traffic.

The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.

Step 4

In Title, enter a name for the rule.

The name cannot contain spaces. You can use alphanumeric characters and these special characters: + . _ -

Step 5

Select the action to apply to matching traffic.

  • Trust—Allow traffic without further inspection of any kind.
  • Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.
  • Block—Drop the traffic unconditionally. The traffic is not inspected.

Step 6

Define the traffic matching criteria using any combination of the following tabs:

  • Source/Destination—The security zones (interfaces) through which the traffic passes, the IP addresses or the country or continent (geographical location) for the IP address, or the protocols and ports used in the traffic. The default is any zone, address, geographical location, protocol, and port. See Source/Destination Criteria.
  • Application—The application, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application. See Application Criteria.
  • URL—The URL or URL category of a web request. The default is any URL. See URL Criteria.
  • Users—The user or user group. Your identity policies determine whether user and group information is available for traffic matching. You must configure identity policies to use this criteria. See User Criteria.

To modify a condition, you click the + button within that condition, select the desired object or element, and click OK in the popup dialog box. If the criterion requires an object, you can click Create New if the object you require does not exist. Click the x for an object or element to remove it from the policy.

When adding conditions to access control rules, consider the following tips:

  • You can configure multiple conditions per rule. Traffic must match all the conditions in the rule for the rule to apply to traffic. For example, you can use a single rule to perform URL filtering for specific hosts or networks.

  • For each condition in a rule, you can add up to 50 criteria. Traffic that matches any of a condition's criteria satisfies the condition. For example, you can use a single rule to apply application control for up to 50 applications or application filters. Thus, there is an OR relationship among the items in a single condition, but an AND relationship between condition types (for example, between source/destination and application).

  • Some features require that you enable the appropriate license.
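The composition rules in the tips above, as an added Python model written for this page (not Cisco code): OR among the criteria inside one condition, AND between condition types, a 50-criteria limit per condition, and first-match evaluation down the ordered list with the specific rule above the general one. The condition names, packet fields, port notation and sample rules are assumptions of the model.

```python
# Added example, not from the Cisco guide: how FDM access control rule
# conditions combine, and why rule order matters.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MAX_CRITERIA = 50   # per condition, as stated in the guide


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str       # "TCP", "UDP" or "ICMP"
    dst_port: int    # 0 for protocols without ports


@dataclass
class Rule:
    name: str
    action: str                       # "Trust", "Allow" or "Block"
    conditions: Dict[str, Set[str]]   # condition type -> criteria; absent or empty means any


def validate(rule: Rule) -> None:
    """Reject a rule that exceeds the per-condition criteria limit."""
    for ctype, criteria in rule.conditions.items():
        if len(criteria) > MAX_CRITERIA:
            raise ValueError(f"{rule.name}: {ctype} has {len(criteria)} criteria (limit {MAX_CRITERIA})")


def _criterion_matches(ctype: str, value: str, pkt: Packet) -> bool:
    if ctype == "src_zones":
        return pkt.src_zone == value
    if ctype == "dst_zones":
        return pkt.dst_zone == value
    if ctype == "src_networks":
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(value, strict=False)
    if ctype == "dst_networks":
        return ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(value, strict=False)
    if ctype == "dst_ports":
        # Port criteria are written "TCP/443", "UDP/53", or just "ICMP" (assumed notation).
        proto, _, port = value.partition("/")
        return pkt.proto == proto and (port == "" or pkt.dst_port == int(port))
    raise KeyError(f"unknown condition type {ctype}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # AND across condition types ...
    for ctype, criteria in rule.conditions.items():
        if not criteria:
            continue    # an unspecified condition matches anything
        # ... OR among the criteria within one condition
        if not any(_criterion_matches(ctype, c, pkt) for c in criteria):
            return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are evaluated top to bottom; the first full match is applied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


# Sample policy: the specific block sits above the more general allow.
POLICY = [
    Rule("block-smb-from-guest", "Block",
         {"src_zones": {"guest"}, "dst_ports": {"TCP/445", "TCP/139"}}),
    Rule("allow-web-to-dmz", "Allow",
         {"dst_zones": {"dmz"}, "dst_networks": {"192.0.2.0/24"},
          "dst_ports": {"TCP/80", "TCP/443"}}),
]


def decide(pkt: Packet, rules: List[Rule] = POLICY, default: str = "Block") -> str:
    for r in rules:
        validate(r)
    hit = first_match(rules, pkt)
    return f"{hit.name}:{hit.action}" if hit else f"default:{default}"


if __name__ == "__main__":
    print(decide(Packet("guest", "dmz", "10.9.0.5", "192.0.2.10", "TCP", 445)))
    print(decide(Packet("inside", "dmz", "10.1.0.5", "192.0.2.10", "TCP", 443)))
    print(decide(Packet("inside", "dmz", "10.1.0.5", "192.0.2.10", "TCP", 8080)))
```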

Step 7

(Optional.) For policies that use the Allow action, you can configure further inspection on unencrypted traffic. Click one of the following links:

  • Intrusion Policy—Select and select the intrusion inspection policy to inspect traffic for intrusions and exploits. See Intrusion Policy Settings.
  • File Policy—Select the file policy to inspect traffic for files that contain malware and for files that should be blocked. See File Policy Settings.

Step 8

(Optional.) Configure logging for the rule.

By default, connection events are not generated for traffic that matches a rule, although file events are generated by default if you select a file policy. You can change this behavior. You must enable logging for traffic that matches the policy to be included in dashboard data or Event Viewer. See Logging Settings.

Intrusion events are always generated for intrusion rules set to drop or alert regardless of the logging configuration on the matching access rule.

Step 9

Click OK.


Source/Destination Criteria

The Source/Destination criteria of an access rule define the security zones (interfaces) through which the traffic passes, the IP addresses or the country or continent (geographical location) for the IP address, or the protocols and ports used in the traffic. The default is any zone, address, geographical location, protocol, and port.

To modify a condition, you click the + button within that condition, select the desired object or element, and click OK. If the criterion requires an object, you can click Create New if the object you require does not exist. Click the x for an object or element to remove it from the policy.

You can use the following criteria to identify the source and destination to match in the rule.

Source Zones, Destination Zones

The security zone objects that define the interfaces through which the traffic passes. You can define one, both, or neither criteria: any criteria not specified applies to traffic on any interface.

  • To match traffic leaving the device from an interface in the zone, add that zone to the Destination Zones.

  • To match traffic entering the device from an interface in the zone, add that zone to the Source Zones.

  • If you add both source and destination zone conditions to a rule, matching traffic must originate from one of the specified source zones and egress through one of the destination zones.

Use this criteria when the rule should apply based on where the traffic enters or exits the device. For example, if you want to ensure that all traffic going to inside hosts gets intrusion inspection, you would select your inside zone as the Destination Zones while leaving the source zone empty. To implement intrusion filtering in the rule, the rule action must be Allow, and you must select an intrusion policy in the rule.

Source Networks, Destination Networks

The network objects or geographical locations that define the network addresses or locations of the traffic.

  • To match traffic from an IP address or geographical location, configure the Source Networks.

  • To match traffic to an IP address or geographical location, configure the Destination Networks.

  • If you add both source and destination network conditions to a rule, matching traffic must originate from one of the specified IP addresses and be destined for one of the destination IP addresses.

When you add this criteria, you select from the following tabs:

  • Network—Select the network objects or groups that define the source or destination IP addresses for the traffic you want to control.

  • Geolocation—Select the geographical location to control traffic based on its source or destination country or continent. Selecting a continent selects all countries within the continent. Besides selecting geographical location directly in the rule, you can also select a geolocation object that you created to define the location. Using geographical location, you could easily restrict access to a particular country without needing to know all of the potential IP addresses used there.


    Note

    To ensure that you are using up-to-date geographical location data to filter your traffic, Cisco strongly recommends that you regularly update the geolocation database (GeoDB).


Source Ports, Destination Ports/Protocols

The port objects that define the protocols used in the traffic. For TCP/UDP, this can include ports. For ICMP, it can include codes and types.

  • To match traffic from a protocol or port, configure the Source Ports. Source ports can be TCP/UDP only.

  • To match traffic to a protocol or port, configure the Destination Ports/Protocols. If you add only destination ports to a condition, you can add ports that use different transport protocols. ICMP and other non-TCP/UDP specifications are allowed in destination ports only; they are not allowed in source ports.

  • To match traffic both originating from specific TCP/UDP ports and destined for specific TCP/UDP ports, configure both. If you add both source and destination ports to a condition, you can only add ports that share a single transport protocol, TCP or UDP. For example, you could target traffic from port TCP/80 to port TCP/8080.

Application Criteria

The Application criteria of an access rule defines the application used in an IP connection, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application.

Although you can specify individual applications in the rule, application filters simplify policy creation and administration. For example, you could create an access control rule that identifies and blocks all high risk, low business relevance applications. If a user attempts to use one of those applications, the session is blocked.

In addition, Cisco frequently updates and adds additional application detectors via system and vulnerability database (VDB) updates. Thus, a rule blocking high risk applications can automatically apply to new applications without you having to update the rule manually.

You can specify applications and filters directly in the rule, or create application filter objects that define those characteristics. The specifications are equivalent, although using objects can make it easier to stay within the 50-items-per-criteria system limit if you are creating a complex rule.

To modify the application and filters list, click the + button within the condition, select the desired applications or application filter objects, which are listed on separate tabs, and click OK in the popup dialog box. On either tab, you can click Advanced Filter to select filter criteria or to help you search for specific applications. Click the x for an application, filter, or object to remove it from the policy. Click the Save As Filter link to save the combined criteria that are not already an object as a new application filter object.


Note

If a selected application was removed by a VDB update, “(Deprecated)” appears after the application name. You must remove these applications from the filter, or subsequent deployments and system software upgrades will be blocked.


You can use the following Advanced Filter criteria to identify the application or filter to match in the rule. These are the same elements used in application filter objects.


Note

Multiple selections within a single filter criteria have an OR relationship. For example, Risk is High OR Very High. The relationship between filters is AND, so Risk is High OR Very High, AND Business Relevance is Low OR Very Low. As you select filters, the list of applications in the display updates to show only those that meet the criteria. You can use these filters to help you find applications that you want to add individually, or to verify that you are selecting the desired filters to add to the rule.


Risks

The likelihood that the application is used for purposes that might be against your organization's security policy, from very low to very high.

Business Relevance

The likelihood that the application is used within the context of your organization's business operations, as opposed to recreationally, from very low to very high.

Types

The type of application:

  • Application Protocol—Application protocols such as HTTP and SSH, which represent communications between hosts.

  • Client Protocol—Clients such as web browsers and email clients, which represent software running on the host.

  • Web Application—Web applications such as MPEG video and Facebook, which represent the content or requested URL for HTTP traffic.

Categories

A general classification for the application that describes its most essential function.

Tags

Additional information about the application, similar to category.

For encrypted traffic, the system can identify and filter traffic using only the applications tagged SSL Protocol. Applications without this tag can only be detected in unencrypted or decrypted traffic. Also, the system assigns the decrypted traffic tag to applications that the system can detect in decrypted traffic only, not encrypted or unencrypted.

Applications List (bottom of the display)

This list updates as you select filters from the options above the list, so you can see the applications that currently match the filter. Use this list to verify that your filter is targeting the desired applications when you intend to add filter criteria to the rule. If your intention is to add specific applications, select them from this list.
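The OR-within, AND-across semantics in the note above, together with the SSL Protocol tag rule under Tags, are the two points that decide whether a filter-based rule actually covers the sessions you expect. The following model, added here as an example and not taken from Cisco or the VDB, evaluates a filter over a constructed application catalogue so the effect of each criterion can be checked before it goes into a rule; the `App` records, attribute values and tag names are invented for illustration.

```python
# Added example, not Cisco's code: a model of the Advanced Filter semantics
# (OR within one criterion, AND across criteria) and of the SSL Protocol tag
# rule. The catalogue below is constructed; real data comes from the VDB.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class App:
    name: str
    risk: str            # Very Low .. Very High
    relevance: str       # Very Low .. Very High
    type: str            # Application Protocol / Client Protocol / Web Application
    category: str
    tags: FrozenSet[str] = frozenset()


# Constructed sample catalogue; values chosen to exercise the logic, not VDB data.
CATALOGUE: List[App] = [
    App("BitTorrent", "Very High", "Very Low", "Application Protocol", "file transfer", frozenset({"p2p"})),
    App("Facebook", "High", "Low", "Web Application", "social networking", frozenset({"SSL Protocol"})),
    App("Tor", "Very High", "Very Low", "Application Protocol", "anonymizer", frozenset({"SSL Protocol", "evasive"})),
    App("SSH", "Medium", "High", "Application Protocol", "remote administration"),
    App("Salesforce", "Low", "Very High", "Web Application", "business", frozenset({"SSL Protocol"})),
    App("Chrome", "Low", "High", "Client Protocol", "web browser"),
]


def matches(app: App, criteria: Dict[str, Iterable[str]]) -> bool:
    """criteria maps a field name to the values selected for it.

    Selections within one field are ORed; fields are ANDed. An absent or
    empty field means 'any'. For tags, one selected tag in common suffices.
    """
    for field_name, selected in criteria.items():
        chosen = set(selected)
        if not chosen:
            continue
        value = getattr(app, field_name)
        if field_name == "tags":
            if not (value & chosen):
                return False
        elif value not in chosen:
            return False
    return True


def apply_filter(catalogue: List[App], criteria: Dict[str, Iterable[str]]) -> List[str]:
    """Names of the applications the filter would match in any traffic."""
    return [a.name for a in catalogue if matches(a, criteria)]


def encrypted_only(catalogue: List[App], criteria: Dict[str, Iterable[str]]) -> List[str]:
    """Same filter, narrowed to what is identifiable without decryption:
    only applications tagged SSL Protocol can be detected in encrypted traffic."""
    return [a.name for a in catalogue if matches(a, criteria) and "SSL Protocol" in a.tags]


if __name__ == "__main__":
    # Risk is High OR Very High, AND Business Relevance is Low OR Very Low.
    risky = {"risk": {"High", "Very High"}, "relevance": {"Low", "Very Low"}}
    print("filter matches:       ", apply_filter(CATALOGUE, risky))
    print("in encrypted traffic: ", encrypted_only(CATALOGUE, risky))
    # Adding a third criterion ANDs it with the first two.
    print("risky web apps only:  ", apply_filter(CATALOGUE, {**risky, "type": {"Web Application"}}))
```

The gap between the first two lines of output is the set of applications a rule built from this filter silently misses on TLS sessions that are not decrypted, which is the practical consequence of the SSL Protocol tag rule.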

URL Criteria

The URL criteria of an access rule defines the URL used in a web request, or the category to which the requested URL belongs. For category matches, you can also specify the relative reputation of sites to allow or block. The default is to allow all URLs.

URL categories and reputations allow you to quickly create URL conditions for access control rules. For example, you could block all Gambling sites, or high risk Social Networking sites. If a user attempts to browse to any URL with that category and reputation combination, the session is blocked.

Using category and reputation data also simplifies policy creation and administration: because the classification is maintained by Cisco, a rule written in terms of categories and reputations keeps working as sites are added, removed, or reclassified, without you editing the rule. Cisco's threat intelligence is continually updated with new URLs, as well as new categories and risks for existing URLs, so the system filters requested URLs with up-to-date information. This matters because malicious sites that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies.
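Because a site can carry more than one category and rules are evaluated first match wins, the outcome for a given request depends on rule order as much as on the conditions themselves. The following model, added here as an example and not Cisco code, walks an ordered rule list against a constructed lookup table. The reputation level names and their ordering, the convention that a reputation set on a rule matches that level and every worse level, and the site classifications are all assumptions made for the example; the real values come from Cisco's URL database.

```python
# Added example, not Cisco's code: first-match evaluation of URL rules using
# category + reputation conditions. Level names, their ordering, the
# "this level or worse" rule convention and the lookup table are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed ordering for the example: a lower rank is a worse reputation.
REPUTATION_RANK = {"Untrusted": 1, "Questionable": 2, "Neutral": 3, "Favorable": 4, "Trusted": 5}


@dataclass(frozen=True)
class UrlRule:
    name: str
    action: str                        # "Block" or "Allow"
    categories: FrozenSet[str]         # empty = any category
    reputation: Optional[str] = None   # None = any; otherwise this level or worse


@dataclass(frozen=True)
class SiteInfo:
    categories: FrozenSet[str]         # a site can carry more than one category
    reputation: Optional[str]          # None for an uncategorised site


UNCATEGORISED = SiteInfo(frozenset(), None)

# Constructed lookup table standing in for the URL database.
LOOKUP: Dict[str, SiteInfo] = {
    "casino.example": SiteInfo(frozenset({"Gambling"}), "Neutral"),
    "social.example": SiteInfo(frozenset({"Social Networking"}), "Questionable"),
    "news.example": SiteInfo(frozenset({"News and Media"}), "Favorable"),
    "forum.example": SiteInfo(frozenset({"Social Networking", "Gambling"}), "Favorable"),
}

# Ordered rule list: block all Gambling, block risky Social Networking,
# then explicitly allow the rest of Social Networking.
RULES: List[UrlRule] = [
    UrlRule("block-gambling", "Block", frozenset({"Gambling"})),
    UrlRule("block-risky-social", "Block", frozenset({"Social Networking"}), "Questionable"),
    UrlRule("allow-social", "Allow", frozenset({"Social Networking"})),
]


def rule_matches(rule: UrlRule, site: SiteInfo) -> bool:
    """A rule matches when any of its categories applies and the site's
    reputation is at the rule's level or worse (if the rule sets one)."""
    if rule.categories and not (rule.categories & site.categories):
        return False
    if rule.reputation is not None:
        if site.reputation is None:
            return False
        if REPUTATION_RANK[site.reputation] > REPUTATION_RANK[rule.reputation]:
            return False
    return True


def decide(url: str, rules: List[UrlRule], lookup: Dict[str, SiteInfo],
           default_action: str = "Allow") -> Tuple[str, str]:
    """Return (action, rule name) for the first rule the request matches,
    or the policy default when none does."""
    host = urlsplit(url).hostname or ""
    site = lookup.get(host, UNCATEGORISED)
    for rule in rules:
        if rule_matches(rule, site):
            return rule.action, rule.name
    return default_action, "default"


if __name__ == "__main__":
    urls = ["https://casino.example/play", "https://social.example/",
            "https://forum.example/t/1", "https://news.example/", "https://unknown.example/"]
    for u in urls:
        print(f"{u:32} {decide(u, RULES, LOOKUP)}   reversed: {decide(u, list(reversed(RULES)), LOOKUP)}")
```

The interesting row is forum.example: it is both Social Networking and Gambling, so it is blocked when the Gambling rule comes first and allowed when the Social Networking allow rule comes first. Reordering the same three rules changes the decision without touching any condition, which is why URL rules that interact through shared categories need to be ordered deliberately.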

To modify the URL list, you click the + button within the condition and select the desired categories or URLs using one of the following techniques. Click the x for a category or object to remove it from the policy.

URL Tab

Click +, select URL objects or groups, and click OK. You can click Create New URL if the object you require does not exist.


Note

Before configuring URL objects to target specific sites, carefully read the information on manual URL filtering.


Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-access.html

