#CiscoLive
Troubleshooting URL and
Application Filtering Issues on
Secure Firewall
Shakthi Gunashekaran
Technical Consulting Engineer
TACSEC-2002
Your Speaker
Shakthi Gunashekaran
• Master of Science in Electrical Engineering
• 6 years as Network Security Engineer
• 3 years as Technical Consulting Engineer in HTTS Security at RTP
• Cisco Self-Publisher – Security
#CiscoLive TACSEC-2002 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Overview of URL and Application Filtering
• Best Practices
• Troubleshooting Common Issues
• Q&A Session
Before We Go
• This session will focus on the best practices and top case generators for these features.
• This is a troubleshooting session. General knowledge of Secure Firewall is expected.
• The features in this session are based on FMC in version 7.0+.
• Questions at the end of session.
Overview of URL and Application Filtering
URL (Uniform Resource Locator)
[Diagram: a client request for www.cisco.com passes through Secure Firewall]
> system support trace
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Packet 9573: TCP ******S*, 05/25-17:15:56.358685, seq 1675526169, dsize 0
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, ‘allow www2.cisco.com', pending URL
Server Cert:
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Packet 9576: TCP ***AP***, 05/25-17:15:56.478673, seq 1675526170, ack 3373080446, dsize 517
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTPS(1122), client: SSL client(1296), payload: Cisco(184), misc: (0)
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, ‘allow www2.cisco.com', waiting for decryption
Since decryption is enabled, we need to wait for the flow to get past the TLS handshake and into the HTTP protocol:
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 2, id 268434446
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 rule order 2, ‘Allow-www.cisco.*', action Allow continue eval of pending deny
The service has changed from HTTPS to HTTP/2, so we are now in the HTTP protocol and should have the URL:
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Packet 9585: TCP ***AP***, 05/25-17:15:56.528674, seq 1675526795, ack 3373084593, dsize 13
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Stream: TCP normalization error in NO_TIMESTAMP
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTP/2(2889), client: (0), payload: (0), misc: (0)
We have the actual URL:
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Starting with minimum 2, ‘allow www2.cisco.com', and SrcZone first with zones 1 -> 2, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 2889, payload 184, client 596, misc 0, user 9999997, url https://www.cisco.com, host www.cisco.com, no xff
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 no match rule order 3, ‘allow cisco.com', url 0 (https://cisco.com) custom url
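When a trace runs to hundreds of lines it helps to reduce it to what matters for a URL-filtering case: which service AppID saw, why rule matching was pending, when the URL finally appeared, and which rules were evaluated. The parser below is an added example (not Cisco's tooling) that does this for the trace lines quoted above; the sample text is copied from the slide with the quote characters normalised to ASCII, and the message formats it matches are only those visible on this page.

```python
import re
from collections import defaultdict

# Sample `system support trace` output, copied from the slide above (abridged).
TRACE = """\
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'allow www2.cisco.com', pending URL
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTPS(1122), client: SSL client(1296), payload: Cisco(184), misc: (0)
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'allow www2.cisco.com', waiting for decryption
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 2, id 268434446
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 rule order 2, 'Allow-www.cisco.*', action Allow continue eval of pending deny
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 AppID: service: HTTP/2(2889), client: (0), payload: (0), misc: (0)
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 Starting with minimum 2, 'allow www2.cisco.com', and SrcZone first with zones 1 -> 2, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 2889, payload 184, client 596, misc 0, user 9999997, url https://www.cisco.com, host www.cisco.com, no xff
192.168.147.52 50636 -> 172.253.122.113 443 6 AS=0 ID=0 GR=1-1 no match rule order 3, 'allow cisco.com', url 0 (https://cisco.com) custom url
"""

# Every trace line starts with the 5-tuple; the message after GR=... is what we classify.
FLOW_RE = re.compile(r"^(\S+) (\d+) -> (\S+) (\d+) (\d+) AS=\d+ ID=\d+ GR=\S+ (.*)$")
SERVICE_RE = re.compile(r"AppID: service: ([^(]+)\((\d+)\)")
URL_RE = re.compile(r"\burl (\S+), host ([^,\s]+)")
RULE_RE = re.compile(r"(no match )?rule order (\d+), [‘']([^’']+)[’'](?:, action (\w+))?")
# Reasons the firewall could not yet pick a rule: the URL is unknown until decryption / HTTP is seen.
PENDING_REASONS = ("pending URL", "waiting for decryption", "waiting for decrypted-URL")

def parse_trace(text):
    """Group trace lines per 5-tuple and record what AppID learned and how rules were evaluated."""
    flows = defaultdict(lambda: {"services": [], "pending": [], "url": None, "host": None, "rules": []})
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # slide annotations such as "Server Cert:" carry no flow prefix
        f, msg = flows[m.group(1, 2, 3, 4, 5)], m.group(6)
        if (s := SERVICE_RE.search(msg)):
            f["services"].append(s.group(1).strip())  # HTTPS, then HTTP/2 once decrypted
        f["pending"].extend(reason for reason in PENDING_REASONS if reason in msg)
        if (u := URL_RE.search(msg)):
            f["url"], f["host"] = u.group(1), u.group(2)
        if (r := RULE_RE.search(msg)):
            verdict = "no match" if r.group(1) else (r.group(4) or "evaluating")
            f["rules"].append((int(r.group(2)), r.group(3), verdict))
    return dict(flows)

def url_seen_only_after_decryption(flow):
    """True when the URL appeared only after the service moved from HTTPS to a cleartext HTTP service."""
    return flow["url"] is not None and "HTTPS" in flow["services"] and flow["services"][-1] != "HTTPS"

if __name__ == "__main__":
    for key, flow in parse_trace(TRACE).items():
        print(key, flow["services"], flow["pending"], flow["url"], flow["rules"])
```

If a flow shows "pending URL" and never reaches a URL, the rule with the URL condition cannot have matched on the URL, which is the first thing to confirm before disputing a category or reputation.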
In browser type in URL and press enter: www.cisco.com
[Diagram: the same site is identified at different points of the connection as it passes through Secure Firewall]
• TCP 3WHS: IP Security Intelligence (SI)
• TLS Client Hello, SNI (TLS): www.cisco.com: App Detection, SSL preprocessor, SI (URL/DNS), L7 ACL (URL and Application Filtering)
• TLS Server Certificate, CN (TLS): www.cisco.com: App Detection, SI (URL/DNS), L7 ACL (URL and Application Filtering)
• HTTP Request, URL: https://www.cisco.com: App Layer Detection, SI (URL/DNS), L7 ACL (URL and Application Filtering)
Red = Snort Process
URL Filtering in Secure Firewall
[Diagram: Snort Process pipeline] IP Security Intelligence > App Detection > SSL Decryption > App Detection > Identity Policy > Application Layer Preprocessors > Security Intelligence (URL/DNS) > Network Analysis Policy
Classify per AC Rule: URL + Application Filtering rule; IPS Policy before AC rule; IPS, File & Malware Policy; QoS
URL Filtering
• Enables safe web access for users in a network
• Can be enabled for each Access Control Rule
[Diagram: a client request for www.youtube.com passes through URL Filtering]
URL Filtering Types
Category and Reputation-Based URL Filtering
• Filters access to websites based on general classification and risk level
[Diagram: Cisco Cloud, FMC, managed Firewall, User and Website]
1. FMC queries Cisco Cloud for URL Data
2. URL Data sent to FMC
3. FMC pushes the URL Data to Managed Devices
4. User requests to browse a Website
5. System uses local dataset provided by Cisco Cloud to filter
6. User access to Website Allowed or Blocked
URL Filtering Types
Manual URL Filtering
Object > Object Management > Security Intelligence > URL Lists and Feeds > Add URL Lists and Feeds
• Manually add the URLs in the access rules for filtering
• Does not require any special License
Application Filtering
• Application detectors are added through VDB updates
Scenario 1: URL and Application Condition in same Access Control Rule
ACTION: ALLOW
URL: facebook.com
Application: FACEBOOK
Navigate: facebook.com
Result: Will be allowed but not recommended to use
Note: Default Action is ‘Block’
Scenario 2: URL and Application Condition in same Access Control Rule
ACTION: BLOCK
URL: www.gmail.com
Application: GMAIL
Navigate to ‘gmail.com’
Result: Will be Allowed because the URL www.gmail.com redirects to https://accounts.google.com/ or https://www.google.com/gmail/about/
Note: Default Action is ‘Block’
Best Practices
Use category- and reputation-based filtering
Inspect packets before URL is identified
[Diagram: monitored DNS/HTTP/HTTPS connection between Client and Server through the Firewall]
• System identifies the Application in the session
• System identifies the URL/Domain
• System identifies the ClientHello message or the server certificate (for encrypted sessions with non-encrypted domain name)
Inspect packets before URL is identified
On FMC:
Access Control Policy > Advanced > Network Analysis and Intrusion Policy
Block Threat Categories
• Threat categories identify known malicious sites
• https://www.talosintelligence.com/categories
URL Conditions and Rule Order
Rule Order                                          Exception
ACL Drop Rules (only with Layer 3/4 criteria)       URL Filtering Block Rule
ACL Rules with Application and URL Filtering Rules  Encrypted Traffic Inspection
Intrusion, File and Malware Rules                   Intrusion, File and Malware Rules
URL Conditions and Rule Order
L3/L4
Rule to Allow All Social Media Access takes precedence over URL Rule to block TikTok.
TikTok gets allowed since it’s part of Social Networking Category.
URL Conditions and Rule Order
• Always Add Exceptions to URL rule above the rule you are making an exception to.
Uncategorized or Reputation-less URLs
Uncategorized URLs cannot be filtered by Reputation.
Uncategorized or Reputation-less URLs
URLs in any Category can be filtered even if there is no reputation known. Choose the ‘Apply to Unknown Reputation’ option under Reputations.
URL Filtering and TLS Server Identity Discovery
FMC: Access Control Policy > Advanced
• TLS protocol 1.3 encrypts the Server certificate for added security.
• The Server Certificate is needed to match URL and application filtering criteria.
• Enable TLS Server Identity Discovery to extract the server certificate without decrypting the entire packet.
Troubleshooting Common Issues
Cloud Connectivity Issues
URL Filtering License: System > Smart Licenses
URL Filtering Updates: Integration > Other Integration > Cloud Services
Cloud Connectivity Issues
URL Filtering Monitor: System > Health > Policy
Verify Connectivity: verify that pings to these URLs are successful from the Management device
regsvc.sco.cisco.com
est.sco.cisco.com
updates-talos.sco.cisco.com
updates.ironport.com
Incorrect URL filtering result
Things to check if the URL appears to be incorrectly handled based on its URL category and reputation:
Cached URLs Expire: Default value = Never
Dispute Category and Reputation of URLs
Integration > Other Integration > Cloud Services
https://support.talosintelligence.com/docs/submit-ticket/
Find Category and Reputation of URL
In FMC: Analysis > Advanced > URL
Access Control and URL Filtering Reputation
Rule Action is ‘Block’
Access Control and URL Filtering Reputation
Rule Action is ‘Allow’
Scenario 3: Search Query Parameters in URL
ACTION: BLOCK
URL: cisco.com
Google Search “cisco.com”
Result: Search will be allowed but you cannot access the URL.
Note: Default Action is ‘Block’
Scenario 4: Manual URL Filtering
Access Control Policy:
Rule1: ACP L3/4 Rules
Rule2: Application Rule to block ‘YOUTUBE’
Rule3: URL Rule to Allow all Streaming Video
Rule4: URL Rule to block ‘tiktok.com’
Rule5: URL Rule to Allow all Social Networking
Test:
1. Access YOUTUBE [Action: Block]
2. Navigate to tiktok.com [Action: Allow]
Note: Default Action is ‘Block’
References
• FMC URL Filtering Configuration Guide
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/url_filtering.html
• Best Practices for URL Filtering
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/url_filtering.html#ID-2189-00000301
• Best Practices for Configuring Application Control
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/rule_management_common_characteristics.html#id_101338
• Best Practices for Rule Order
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/best_practices_for_access_control.html#ID-2176-000005cc
• Inspection of Packets That Pass Before Traffic Is Identified
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/advanced_access_control_settings_for_network_analysis_and_intrusion_policies.html#ID-2194-0000001f
• TLS/SSL Guidelines and Limitations
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/getting_started_with_ssl_rules.html#id_65029
• SSL Decryption Configuration Guide
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-ssl-decryption.html
Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
Attendees will also earn 100 points in the Cisco Live Game for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
Participate in UX research after
Cisco Live 2023 Las Vegas!
Sign up today: cs.co/SecurePanel
Thank you