- Categories (classification)
- Reputation (risk level)
- This varies from High Risk (level 1) to Well Known (level 5)
- Category + Reputation
- Manual URLs
Selected
Reputation Level
|
Selected Rule
Action
|
||||
High Risk
|
Suspicious Site
|
Benign Site with
Security Risk
|
Benign Site
|
Well Known
|
|
1 - High Risk
|
Block, Allow
|
Allow
|
Allow
|
Allow
|
Allow
|
2 - Suspicious Sites
|
Block
|
Block, Allow
|
Allow
|
Allow
|
Allow
|
3 - Benign Sites with Security Risk
|
Block
|
Block
|
Block, Allow
|
Allow
|
Allow
|
4 - Benign Sites
|
Block
|
Block
|
Block
|
Block, Allow
|
Allow
|
5 - Well Known
|
Block
|
Block
|
Block
|
Block
|
Block, Allow
|
- HTTP
- FP will perform URL filtering for plain text traffic (either HTTP traffic or decrypted HTTPS traffic)
- Its configured in ACP by matching HTTP application and configuring URL Filter
- HTTPS Filtering
- FP detects the URL during SSL handshake from the certificate CN
- HTTPS URL filtering disregards subdomains in the CN and matches the root domain only (unlike HTTP which consider subdomains in HTTP requests)
- For example, if the CN contains www.example.com, FP will match example.com only
- Its configured in ACP by matching HTTPS application and configuring URL Filter
- SSL
- Manual URL filtering isn't supported in SSL
- Its configured in SSL Policy to match categories
- You can override URL Categories and Groups by configurating manual URLs
- Wildcard isn't support
- For example, if you block a URL category which contains a single URL to be whitelisted, you can configure a rule with the whitelisted URL added manually before the blocking rule
- When configuring Manual URLs, any match of the URL string will trigger action. For example, if you allow all traffic to example.com, your users could browse to URLs including:
Note: To see URL category and
reputation information in events and application details, you must create at
least one rule with a URL condition
Limitations of URL Filtering
- Connection will establish 3-way TCP handshake. Once SSL Exchange starts or HTTP request received, FP will be able to action (3-5 packets)
- Uncategorized URLs will pass through FP unless they are explicitly blocked
- FP won't block searches on blocked categories. For example, using a web search to search for amazon.com is not blocked, but browsing to amazon.com is blocked
- Due to low memory, low level appliances will use more generic matches. Example, the system might evaluate mail.google.com using the google.com category and reputation
- Impacted models are ASA5506-X, ASA5506H-X, ASA5506W-X, ASA5508-X, ASA5512-X, ASA5515-X, ASA5516-X, and ASA5525-X
- It won't be displayed for HTTPS blocked URLs
TIP
- You can use URL filtering rule for allowing HTTPS access to a website while blocking HTTP access which is for security reason
- Create an ACP rule which matches HTTPS application and X URL - Action Allow
- Create an ACP rule which matches HTTP application and X URL - Action Block
How URL Lookup Process works?
In order to accelerate the URL lookup
process, the URL filtering provides a dataset that is installed on a Firepower
System locally. Dependent upon the amount of memory (RAM) available on an
appliance, there are two types of datasets:
Type of Dataset
|
Memory Requirement
|
|
On Version 5.3
|
On Version 5.4 or higher
|
|
20 Million URL
Dataset
|
> 2GB
|
> 3.4 GB
|
1 Million URL
Dataset
|
<= 2GB
|
<= 3.4 GB
|
No comments:
Post a Comment