Cisco FTD URL Filtering feature gives the capability to control the websites that users on your network can access based on category, reputation, and also manual..

Cisco FTD URL Filtering Concept

Websites can be filtered based on category, reputation, combination of category and reputation and also manual URLs.

Cisco FTD URL Filtering
Cisco FTD URL Filtering

Social Networking, Gaming, Drugs and Business are some of these categories. Reputations are from trusted websites to untrusted and high-risk websites that come in each category.

URL Filtering based on Category and Reputation
URL Filtering based on Category and Reputation

If you allow a reputation level, all level below that will be also allowed. Similarly, if you block a reputation level, all above levels will be also blocked.

How URL Filtering Works in Cisco FTD

For HTTP traffic, that is easy to control traffic based on URL since the content of HTTP application header can be unencrypted and clear text.

Cisco FTD URL Filtering Mechanism
Cisco FTD URL Filtering Mechanism

To configure a rule for HTTP URL filtering, select the HTTP protocol on the “Applications” tab and the URL on “URLs” tab.

But for HTTPS traffic it is more difficult because the application header is encrypted and without SSL decryption policy it is not possible to read the content of application header.

For HTTPS traffic, the URL is detected based on DNS query or Certificate handshake in HTTPS negotiation.

With HTTPS URL filtering, only the main domain can be filtered, and subdomains and wildcards are not supported. For example, if you configure “www.example.com” as the URL in URL filtering, only the main domain “example.com” is considered and “www” cannot be checked.

To configure a rule for HTTPS URL filtering, select the HTTPS protocol on the “Applications” tab and the URL on “URLs” tab. If you do not specify HTTPS as protocol and only configure URLs in URL tab then DNS query will also be checked for URL filtering.

Cisco FTD URL Filtering Configuration

URL filtering through existing cisco categories and reputation

for the first scenario, we filter Social Networking websites of any reputation based on cisco URL category.

To configure the rule, we choose HTTP and HTTPS protocol in “Applications” tab and “Social Networking” URL category in “URLs” tab. We also enable logging so we can monitor Social Networking hit events.

Block Social Networking URLs
Block Social Networking URLs

Then we check the connectivity with Instagram website through a computer behind cisco FTD. We expect that the computer is not able to browse “instagram.com”.

Check Connectivity with Instagram
Check Connectivity with Instagram

We can also approve that the traffic is matched with the configured URL access control role through connection event monitoring.

Check Connection Event for Social Networking Category
Check Connection Event for Social Networking Category

Manual URL Filtering

For the second scenario, we implement URL filtering through URL objects that is manually created.

In “Objects -> Object Management -> URL”, we create a specific URL with “Add Object”. We create an object for “facebook.com” and an object for “instagram.com”. with “Add Group”, we can create our own categories. Here we create a category with the name of “my_social_networks”, that will contain both of the above objects.

These objects will be shown in URL tab in access control rule.

Cisco FTD URL Objects
Cisco FTD URL Objects

Then we change our previous rule to filter only websites inside our own category.

Block my Social Networks Category
Block my Social Networks Category

Then we test the connectivity and then monitor connection events to make sure if traffic is matched with our new access control rule.

Check Instagram Connection Events
Check Instagram Connection Events
Back to: Cisco FTD Design and Implementation > Cisco FTD URL Filtering

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment