Troubleshooting URL Filtering on Firewalls
#CiscoLive

Troubleshooting URL and Application Filtering Issues on Secure Firewall
Shakthi Gunashekaran
Technical Consulting Engineer
TACSEC-2002

Your Speaker
Shakthi Gunashekaran

• Master of Science in Electrical Engineering
• 6 years as Network Security Engineer
• 3 years as Technical Consulting Engineer in HTTS Security at RTP
• Cisco Self-Publisher – Security

#CiscoLive TACSEC-2002 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

• Overview of URL and Application Filtering
• Best Practices
• Troubleshooting Common Issues
• Q&A Session
Before We Go

• This session will focus on the best practices and top case generators for these features.
• This is a troubleshooting session. General knowledge of Secure Firewall is expected.
• The features in this session are based on FMC in version 7.0+.
• Questions at the end of the session.
Overview of URL and Application Filtering

URL (Uniform Resource Locator)
[Link]

Secure Firewall
> system support trace

[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Packet 9573: TCP ******S*, 05/25-[Link].358685, seq 1675526169, dsize 0
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'allow [Link]', pending URL

Server Cert:
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Packet 9576: TCP ***AP***, 05/25-[Link].478673, seq 1675526170, ack 3373080446, dsize 517
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTPS(1122), client: SSL client(1296), payload: Cisco(184), misc: (0)
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'allow [Link]', waiting for decryption

Since decryption is enabled, the firewall must wait for the flow to get past the TLS handshake and into the HTTP protocol before the URL rule can be decided:
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 2, id 268434446
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 rule order 2, '[Link].*', action Allow continue eval of pending deny

The service has changed from HTTPS to HTTP/2. The flow is now in the HTTP protocol, so the URL should be available:
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Packet 9585: TCP ***AP***, 05/25-[Link].528674, seq 1675526795, ack 3373084593, dsize 13
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Stream: TCP normalization error in NO_TIMESTAMP
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTP/2(2889), client: (0), payload: (0), misc: (0)

Now the actual URL is known and the rules are evaluated against it:
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 Starting with minimum 2, 'allow [Link]', and SrcZone first with zones 1 -> 2, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 2889, payload 184, client 596, misc 0, user 9999997, url [Link] host [Link], no xff
[Link] 50636 -> [Link] 443 6 AS=0 ID=0 GR=1-1 no match rule order 3, 'allow [Link]', url 0 ([Link] custom url
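The trace above is easiest to read as a sequence of states: rule matching is held at "pending URL", then at "waiting for decryption", the AppID service changes from HTTPS to HTTP/2, the URL and host finally appear, and only then are rule verdicts recorded. The following script is an added example, not Cisco tooling: it parses `system support trace` lines for one flow and reports those transitions, so a long capture can be reduced to the few lines that explain the verdict. The sample trace embedded in it is constructed to mirror the format on this page (placeholder addresses, rule names and hostnames, not a real capture), and the hints in `diagnose()` are this example's own heuristics.

```python
"""Summarise a Secure Firewall `system support trace` capture for one flow.

Added example (not Cisco tooling). It records the states the page's trace
walkthrough describes: rule matching held at "pending URL", then "waiting for
decryption", the AppID service changing from HTTPS to HTTP/2, the URL/host
appearing, and the per-rule verdict lines. SAMPLE_TRACE is constructed to
mirror the page's format with placeholder addresses, rule names and hosts."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample (placeholders, not a real capture).
SAMPLE_TRACE = """\
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 Packet 9573: TCP ******S*, 05/25-10:01:02.358685, seq 1675526169, dsize 0
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'allow example-site', pending URL
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTPS(1122), client: SSL client(1296), payload: (0), misc: (0)
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'allow example-site', waiting for decryption
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 2, id 268434446
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 rule order 2, 'allow example-site', action Allow continue eval of pending deny
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTP/2(2889), client: (0), payload: (0), misc: (0)
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 Starting with minimum 2, 'allow example-site', and SrcZone first with zones 1 -> 2, svc 2889, url https://www.example.com/ host www.example.com, no xff
192.0.2.10 50636 -> 198.51.100.20 443 6 AS=0 ID=0 GR=1-1 no match rule order 3, 'allow example-site', url 0 (example.com custom url)
"""

# One regex per message type seen in the trace format on the page.
FLOW_RE = re.compile(r"^(\S+) (\d+) -> (\S+) (\d+) (\d+) AS=\d+ ID=\d+ GR=\S+ (.*)$")
SERVICE_RE = re.compile(r"AppID: service: ([^(]+)\(\d+\)")
PENDING_RE = re.compile(r"pending rule-matching, '([^']*)', (.+)$")
INSPECT_RE = re.compile(r"inspection pending, (waiting for [\w-]+)")
URL_RE = re.compile(r"\burl (\S+) host ([^,\s]+)")
NOMATCH_RE = re.compile(r"no match rule order (\d+)")
ACTION_RE = re.compile(r"rule order (\d+), '([^']*)', action (\w+)")


@dataclass
class FlowTrace:
    client: str = ""
    server: str = ""
    services: list = field(default_factory=list)   # AppID service transitions, e.g. HTTPS -> HTTP/2
    pending: list = field(default_factory=list)    # reasons rule matching was held
    url: str | None = None
    host: str | None = None
    verdicts: list = field(default_factory=list)   # (rule order, rule name, action)
    no_match: list = field(default_factory=list)   # rule orders evaluated and not matched


def parse_trace(text: str) -> FlowTrace:
    flow = FlowTrace()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # not a per-flow trace line
        src, sport, dst, dport, _proto, msg = m.groups()
        flow.client = flow.client or f"{src}:{sport}"
        flow.server = flow.server or f"{dst}:{dport}"
        if (s := SERVICE_RE.search(msg)):
            svc = s.group(1).strip()
            if not flow.services or flow.services[-1] != svc:
                flow.services.append(svc)  # keep only real transitions
        if (p := PENDING_RE.search(msg)):
            flow.pending.append(p.group(2).strip())
        elif (i := INSPECT_RE.search(msg)):
            flow.pending.append(i.group(1))
        if (u := URL_RE.search(msg)):
            flow.url, flow.host = u.group(1), u.group(2)
        if (n := NOMATCH_RE.search(msg)):
            flow.no_match.append(int(n.group(1)))
        elif (a := ACTION_RE.search(msg)):
            flow.verdicts.append((int(a.group(1)), a.group(2), a.group(3)))
    return flow


def diagnose(flow: FlowTrace) -> list[str]:
    """Plain-language reading of the recorded states (this example's own heuristics)."""
    hints = []
    if "pending URL" in flow.pending:
        hints.append("rule matching was held until the URL could be seen; nothing was decided on the SYN")
    if "waiting for decryption" in flow.pending and not any(s.startswith("HTTP/") or s == "HTTP" for s in flow.services):
        hints.append("flow was held for decryption but never reached an HTTP service: check the decryption policy")
    if flow.url:
        hints.append(f"URL conditions were evaluated against {flow.url}")
    return hints


if __name__ == "__main__":
    flow = parse_trace(SAMPLE_TRACE)
    print(f"{flow.client} -> {flow.server}")
    print("service transitions:", " -> ".join(flow.services))
    print("rule matching held for:", flow.pending)
    print("url:", flow.url, "host:", flow.host)
    print("verdicts:", flow.verdicts, "no match:", flow.no_match)
    for hint in diagnose(flow):
        print("hint:", hint)
```

Run it against a saved trace by replacing `SAMPLE_TRACE` with the file contents; lines from other flows are ignored by the prefix regex, so filter the capture to one client port first if several connections were traced.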
In browser type in the URL and press enter: [Link]

Diagram: what becomes visible at each step of one web request
TCP 3WHS -> TLS Client Hello (SNI: [Link]) -> TLS Server Certificate (CN: [Link]) -> HTTP Request (URL: [Link])
Inspection stages: IP -> Security Intelligence (SI) -> SSL preprocessor -> App Detection -> SI (URL/DNS) -> L7 ACL (URL and Application Filtering) -> App Layer
Red = Snort Process
URL Filtering in Secure Firewall
Snort Process

Diagram of the Snort process stages: IP, Security Intelligence, App Detection, SSL Decryption, App Detection, Identity Policy, Application Layer Preprocessors, IPS Policy before AC rule, URL and Application Filtering (classify per AC rule), Security Intelligence (URL/DNS), IPS, File and Malware Policy, Network Analysis Policy, QoS
URL Filtering

• Enables safe web access for users in a network
• Can be enabled for each Access Control Rule

[Link]
URL Filtering Types
Category and Reputation-Based URL Filtering

• Filters access to websites based on general classification and risk level

Diagram (Cisco Cloud, FMC, Managed Device, Website):
1. FMC queries Cisco Cloud for URL data.
2. URL data is sent to FMC.
3. FMC pushes the URL data to managed devices.
4. User requests to browse a website.
5. System uses the local dataset provided by Cisco Cloud to filter.
6. User access to the website is allowed or blocked.
URL Filtering Types
Manual URL Filtering
Objects > Object Management > Security Intelligence > URL Lists and Feeds > Add URL Lists and Feeds

• Manually add the URLs in the access rules for filtering
• Does not require any special License
Application Filtering

• Application detectors are added through VDB updates

Scenario 1: URL and Application Condition in the same Access Control Rule
ACTION: ALLOW
URL: [Link]
Application: FACEBOOK

Navigate: [Link]
Result: Will be allowed but not recommended to use

Note: Default Action is 'Block'
Scenario 2: URL and Application Condition in the same Access Control Rule
ACTION: BLOCK
URL: [Link]
Application: GMAIL

Navigate to '[Link]'
Result: Will be Allowed because the URL [Link] redirects to [Link] or [Link]

Note: Default Action is 'Block'
Best Practices
Use category- and reputation-based filtering
Inspect packets before URL is identified

Diagram (Monitored Connection: Client - Firewall - Server, DNS/HTTP/HTTPS):
• System identifies the Application in the session
• System identifies URL/Domain
• System identifies the ClientHello message or the server certificate (for encrypted sessions with non-encrypted domain name)
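For an encrypted session the first place a hostname is visible is the Server Name Indication (SNI) in the TLS ClientHello, which is why the slide lists the ClientHello as something the system identifies before any URL exists. The parser below is an added example, not Cisco code: it extracts the SNI from a ClientHello record, skips unrelated extensions, and distinguishes "no SNI present" from a malformed or truncated record. `build_client_hello()` constructs a minimal TLS 1.3-style ClientHello for the test and is not a capture.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello.

Added example, not Cisco code. It shows what a firewall can read from the
very first TLS message, before any decryption: the client-supplied hostname.
build_client_hello() constructs a minimal TLS 1.3-style ClientHello for
testing; it is not captured traffic."""
from __future__ import annotations


def _u16(n: int) -> bytes:
    return n.to_bytes(2, "big")


def build_client_hello(hostname: str | None) -> bytes:
    """Constructed ClientHello with record + handshake framing; hostname None omits SNI."""
    exts = b"\x00\x2b" + _u16(3) + b"\x02\x03\x04"        # supported_versions: TLS 1.3 (must be skipped)
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name          # name_type host_name(0), length, name
        sni = _u16(len(entry)) + entry                      # ServerNameList
        exts += b"\x00\x00" + _u16(len(sni)) + sni          # extension type server_name(0)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # legacy_version, random, empty session id
            + _u16(2) + b"\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                   # compression methods: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake    # ContentType handshake(22)


def extract_sni(record: bytes) -> tuple[str, str | None]:
    """Return ("sni", host), ("none", None) when no SNI is present, or ("malformed", reason)."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return ("malformed", "not a TLS handshake record")
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
            return ("malformed", "truncated record or not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return ("malformed", "truncated ClientHello")
        pos = 2 + 32                                           # skip legacy_version and random
        pos += 1 + body[pos]                                   # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")    # cipher suites
        pos += 1 + body[pos]                                   # compression methods
        if pos >= len(body):
            return ("none", None)                              # no extensions block at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue                                       # not server_name, skip it
            lpos = 2                                           # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = int.from_bytes(data[lpos + 1:lpos + 3], "big")
                if ntype == 0:
                    return ("sni", data[lpos + 3:lpos + 3 + nlen].decode("ascii"))
                lpos += 3 + nlen
        return ("none", None)
    except (IndexError, UnicodeDecodeError) as exc:
        return ("malformed", type(exc).__name__)


if __name__ == "__main__":
    for host in ("www.example.com", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

The SNI is whatever the client chose to send, which is why the slide pairs it with the server certificate as a second identity source; a ClientHello without SNI, or one cut off mid-record, gives the firewall nothing to match a URL condition on at this stage.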
Inspect packets before URL is identified
On FMC:
Access Control Policy > Advanced > Network Analysis and Intrusion Policy

Block Threat Categories
• Threat categories identify known Malicious sites
• [Link]

URL Conditions and Rule Order

Rule Order                                          | Exception
ACL Drop Rules (only with Layer 3/4 criteria)       | URL Filtering Block Rule
ACL Rules with Application and URL Filtering Rules  | Encrypted Traffic Inspection
Intrusion, File and Malware Rules                   | Intrusion, File and Malware Rules
URL Conditions and Rule Order

A rule to Allow All Social Media Access placed above a URL rule to block TikTok takes precedence over it. TikTok gets allowed since it is part of the Social Networking Category.
URL Conditions and Rule Order

• Always add exceptions to a URL rule above the rule you are making an exception to.
Uncategorized or Reputation-less URLs

• Uncategorized URLs cannot be filtered by Reputation.
• URLs in any Category can be filtered even if no reputation is known. Choose the 'Apply to Unknown Reputation' option under Reputations.
URL Filtering and TLS Server Identity Discovery
FMC: Access Control Policy > Advanced

• TLS protocol 1.3 encrypts the server certificate for added security.
• The server certificate is needed to match URL and application filtering criteria.
• Enable TLS Server Identity Discovery to extract the server certificate without decrypting the entire packet.
Troubleshooting Common Issues

Cloud Connectivity Issues
URL Filtering License: System > Smart Licenses
URL Filtering Updates: Integration > Other Integration > Cloud Services
Cloud Connectivity Issues
URL Filtering Monitor: System > Health > Policy
Verify Connectivity: verify that pings to these URLs succeed from the Management device:

[Link]
[Link]
[Link]
[Link]
Incorrect URL filtering result
Things to check if the URL appears to be incorrectly handled based on its URL category and reputation:

Cached URLs Expire: Default value = Never
Dispute Category and Reputation of URLs
Integration > Other Integration > Cloud Services
[Link]

Find Category and Reputation of URL
In FMC: Analysis > Advanced > URL
Access Control and URL Filtering Reputation

• Rule Action is 'Block'
• Rule Action is 'Allow'
Scenario 3: Search Query Parameters in URL
ACTION: BLOCK
URL: [Link]
Google Search "[Link]"

Result: Search will be allowed but you cannot access the URL.

Note: Default Action is 'Block'
Scenario 4: Manual URL Filtering
Access Control Policy:
Rule1: ACP L3/4 Rules
Rule2: Application Rule to block 'YOUTUBE'
Rule3: URL Rule to Allow all Streaming Video
Rule4: URL Rule to block '[Link]'
Rule4: URL Rule to Allow all Social Networking

Test:
1. Access YOUTUBE [Action: Block]
2. Navigate to [Link] [Action: Allow]

Note: Default Action is 'Block'
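Scenario 4 and the earlier TikTok slide are the same lesson seen twice: rules are evaluated top-down and the first match wins, so a broad category allow placed above a narrower URL block makes the block unreachable, and the fix is to move the exception above the rule it excepts. The simulator below is an added example, not Cisco's implementation, and makes that reproducible together with the unknown-reputation rule from the "Uncategorized or Reputation-less URLs" slides (category rules match unknown-reputation URLs only with 'Apply to Unknown Reputation', and never match uncategorized URLs). Rule names, categories, hostnames and reputation values are constructed; the category of the blocked site in Scenario 4 is assumed to be Streaming Video (which is what makes test 2 an Allow), Scenario 4's second "Rule4" is numbered Rule5 here, and Rule1 (L3/L4) is omitted because the model only evaluates application and URL conditions.

```python
"""Top-down, first-match model of access control rule evaluation.

Added example, not Cisco's implementation. Rules, categories, hostnames and
reputation values are constructed to mirror the page's examples."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    app: str | None = None          # AppID application, e.g. "YouTube"
    host: str | None = None         # host from the URL once it is known
    category: str | None = None     # URL category; None = uncategorized
    reputation: int | None = None   # 1 (riskiest) .. 5 (safest); None = unknown


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "Allow" or "Block"
    apps: frozenset = frozenset()
    hosts: frozenset = frozenset()                # manual URL objects, matched as host suffix
    categories: frozenset = frozenset()
    reputations: frozenset = frozenset()          # empty = any reputation
    apply_to_unknown_reputation: bool = False

    def matches(self, f: Flow) -> bool:
        if self.apps and f.app not in self.apps:
            return False
        if self.hosts and not any(f.host and (f.host == h or f.host.endswith("." + h)) for h in self.hosts):
            return False
        if self.categories:
            if f.category not in self.categories:       # uncategorized flows never match a category rule
                return False
            if self.reputations:
                if f.reputation is None:                # unknown reputation: only with the option set
                    return self.apply_to_unknown_reputation
                if f.reputation not in self.reputations:
                    return False
        return True


def evaluate(rules: list, f: Flow, default: str = "Block") -> tuple[str, str]:
    """First matching rule wins; otherwise the policy's default action applies."""
    for r in rules:
        if r.matches(f):
            return (r.action, r.name)
    return (default, "Default Action")


def move_above(rules: list, mover: str, target: str) -> list:
    """Reorder so the rule named `mover` sits directly above `target`: the page's 'add exceptions above' advice."""
    rest = [r for r in rules if r.name != mover]
    m = next(r for r in rules if r.name == mover)
    idx = next(i for i, r in enumerate(rest) if r.name == target)
    return rest[:idx] + [m] + rest[idx:]


# Constructed rule sets mirroring the page's examples.
SOCIAL_RULES = [
    Rule("allow Social Networking", "Allow", categories=frozenset({"Social Networking"})),
    Rule("block tiktok", "Block", hosts=frozenset({"tiktok.example"})),
]
SCENARIO_4 = [
    Rule("Rule2 block YouTube app", "Block", apps=frozenset({"YouTube"})),
    Rule("Rule3 allow Streaming Video", "Allow", categories=frozenset({"Streaming Video"})),
    Rule("Rule4 block video site", "Block", hosts=frozenset({"video.example"})),
    Rule("Rule5 allow Social Networking", "Allow", categories=frozenset({"Social Networking"})),
]
GAMBLING_BLOCK = Rule("block risky Gambling", "Block", categories=frozenset({"Gambling"}),
                      reputations=frozenset({1, 2}), apply_to_unknown_reputation=True)

# Constructed flows (placeholder hosts and assumed categories).
TIKTOK = Flow(app="TikTok", host="www.tiktok.example", category="Social Networking", reputation=4)
YOUTUBE = Flow(app="YouTube", host="www.youtube.example", category="Streaming Video", reputation=5)
VIDEO_SITE = Flow(host="video.example", category="Streaming Video", reputation=4)


def reputation_demo(apply_to_unknown: bool) -> tuple[str, str]:
    """Same Gambling flow with unknown reputation, with and without 'Apply to Unknown Reputation'."""
    rule = replace(GAMBLING_BLOCK, apply_to_unknown_reputation=apply_to_unknown)
    return evaluate([rule], Flow(host="bets.example", category="Gambling", reputation=None))


if __name__ == "__main__":
    print("TikTok, allow-category first:", evaluate(SOCIAL_RULES, TIKTOK))
    print("TikTok, exception moved up:  ", evaluate(move_above(SOCIAL_RULES, "block tiktok", "allow Social Networking"), TIKTOK))
    print("Scenario 4 test 1 (YouTube): ", evaluate(SCENARIO_4, YOUTUBE))
    print("Scenario 4 test 2 (site):    ", evaluate(SCENARIO_4, VIDEO_SITE))
    print("Scenario 4 fixed order:      ", evaluate(move_above(SCENARIO_4, "Rule4 block video site", "Rule3 allow Streaming Video"), VIDEO_SITE))
    print("Unknown reputation, option on/off:", reputation_demo(True), reputation_demo(False))
    print("Uncategorized, option on:", evaluate([GAMBLING_BLOCK], Flow(host="new.example")))
```

Because the default action is Block in every scenario on this page, an uncategorized or unknown-reputation site that no rule matches is blocked by the default action rather than by the category rule; the returned rule name tells you which of the two it was, which is the distinction you need when reading connection events.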
References

• FMC URL Filtering Configuration Guide
[Link] guide-v70/url_filtering.html
• Best Practices for URL Filtering
[Link] guide-v70/url_filtering.html#ID-2189-00000301
• Best Practices for Configuring Application Control
[Link] guide-v70/rule_management_common_characteristics.html#id_101338
• Best Practices for Rule Order
[Link] guide-v70/best_practices_for_access_control.html#ID-2176-000005cc
• Inspection of Packets That Pass Before Traffic Is Identified
[Link] guide-v70/advanced_access_control_settings_for_network_analysis_and_intrusion_policies.html#ID-2194-0000001f
• TLS/SSL Guidelines and Limitations
[Link] guide-v70/getting_started_with_ssl_rules.html#id_65029
• SSL Decryption Configuration Guide
[Link] 700/[Link]
Fill out your session surveys!

Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!

Attendees will also earn 100 points in the Cisco Live Game for every survey completed.

These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
Participate in UX research after Cisco Live 2023 Las Vegas!
Sign up today: [Link]/SecurePanel

Thank you

#CiscoLive