Cisco Defense Orchestrator

Create and Edit Firepower Threat Defense URL Objects

About Firepower URL Objects

URL objects and URL groups are used by Firepower devices. Use URL objects and groups (collectively referred to as URL objects) to define the URL or IP addresses of web requests. You can use these objects to implement manual URL filtering in access control policies or blocking in Security Intelligence policies. A URL object defines a single URL or IP address, whereas a URL group defines more than one URL or IP address.

Create a Firepower URL Object

Firepower Threat Defense (FTD) URL objects are reusable components that specify a URL or IP address. The Firepower Defense Manager and Firepower Management Center also refer to these objects as "URL Objects."

  1. Click the Objects tab to open the Objects page.
  2. Click Create Object > FTD > URL.   
  3. Enter an object name and description.
  4. Select Create a URL object.
  5. Enter the specific URL or IP address for your object. 
  6. Click Add.

Create a Firepower URL Group

A URL group can be made up of one or more URL objects representing one or more URLs or IP addresses. The Firepower Defense Manager and Firepower Management Center also refer to these objects as "URL Objects."

  1. Click the Objects tab to open the Objects page.
  2. Click Create Object > FTD > URL.   
  3. Enter an object name and description.
  4. Select Create a URL group.
  5. Add an existing object by clicking Add Object, selecting an object, and clicking Select. Repeat this step to add more objects.
  6. Click Add when you are done adding URL objects to the URL group.

Edit a Firepower URL Object or URL Group

  1. Click the Objects tab to open the Objects page.
  2. Filter the objects to find the object you want to edit and then select the object in the object table.
  3. In the details pane, click the edit icon.
  4. Edit the values in the dialog box in the same fashion that you created them in the procedures above. 
  5. Click Save.
  6. CDO displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.

Important Notes

When creating URL objects, keep the following points in mind:

  • If you do not include a path (that is, there is no / character in the URL), the match is based on the server’s hostname only. The hostname is considered a match if it comes after the :// separator, or after any dot in the hostname. For example, ign.com matches ign.com and www.ign.com, but it does not match verisign.com.
  • If you include one or more / character, the entire URL string is used for a substring match, including the server name, path, and any query parameters. However, we recommend that you do not use manual URL filtering to block or allow individual web pages or parts of sites, as servers can be reorganized and pages moved to new paths. Substring matching can also lead to unexpected matches, where the string you include in the URL object also matches paths on unintended servers or strings within query parameters.
  • The system disregards the encryption protocol (HTTP vs HTTPS). In other words, if you block a website, both HTTP and HTTPS traffic to that website is blocked, unless you use an application condition to target a specific protocol. Because of this, you do not need to specify the protocol when creating a URL object. For example, use example.com rather than http://example.com.
  • If you plan to use a URL object to match HTTPS traffic in an access control rule, create the object using the subject common name in the public key certificate used to encrypt the traffic. Also, the system disregards subdomains within the subject common name, so do not include subdomain information. For example, use example.com rather than www.example.com.

However, please understand that the subject common name in the certificate might be completely unrelated to a web site’s domain name. For example, the subject common name in the certificate for youtube.com is *.google.com (this of course might change at any time). You will get more consistent results if you use the SSL Decryption policy to decrypt HTTPS traffic so that URL filtering rules work on decrypted traffic.

Note: URL objects will not match HTTPS traffic if the browser resumes a TLS session because the certificate information is no longer available. So even if you carefully configure the URL object, you might get inconsistent results for HTTPS connections.
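To check how a URL object will behave before it lands in an access control policy, the following added Python model implements the matching rules from the notes above (example code written for this page, not part of CDO or FTD). It assumes that a hostname-only object must run to the end of the hostname, which the ign.com example implies but the text does not state outright.

```python
from urllib.parse import urlsplit


def url_object_matches(pattern: str, url: str) -> bool:
    """Model of the manual URL filtering match rules described in the notes.

    - No '/' in the pattern: hostname-only match. The pattern must begin right
      after '://' or after a dot, and (assumption) extend to the end of the
      hostname, so ign.com matches www.ign.com but not verisign.com.
    - One or more '/' in the pattern: plain substring match over the whole
      URL string after the scheme (server name, path, query parameters).
    The scheme (http vs https) is disregarded in both cases.
    """
    pattern = pattern.strip().lower()
    # The system ignores the protocol, so drop any scheme typed into the object.
    if "://" in pattern:
        pattern = pattern.split("://", 1)[1]

    url = url.strip().lower()
    if "://" not in url:
        url = "http://" + url          # scheme is irrelevant to the match
    parts = urlsplit(url)
    host = parts.hostname or ""

    if "/" not in pattern:
        # Boundary-anchored hostname match: exact host, or host ends with ".pattern".
        return host == pattern or host.endswith("." + pattern)

    # Substring match over everything after the scheme, including the query string.
    full = parts.netloc + parts.path
    if parts.query:
        full += "?" + parts.query
    return pattern in full


def review_url_object(pattern: str, candidate_urls: list) -> list:
    """Return the candidate URLs a URL object would match, for review before deployment."""
    return [u for u in candidate_urls if url_object_matches(pattern, u)]


if __name__ == "__main__":
    # Constructed sample traffic to show both the intended matches and the
    # unintended substring match via a query parameter that the notes warn about.
    sample = [
        "https://www.ign.com/articles/1",
        "https://verisign.com/",
        "http://www.example.com/news/today",
        "http://other.test/redirect?to=example.com/news",
    ]
    for obj in ("ign.com", "example.com/news"):
        print(obj, "->", review_url_object(obj, sample))
```

The second object shows why the notes advise against path-level objects: the query-string hit on other.test is a match the operator almost certainly did not intend.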