About URL Conditions in an Access Control Rule
The URL conditions of an access control rule defines the URL used in a web request, or the category to which the requested URL belongs. For category matches, you can also specify the relative reputation of sites to allow or block. The default is to allow all URLs.
URL categories and reputations allow you to quickly create URL conditions for access control rules. For example, you could block all Gaming sites, or all high risk Social Networking sites. If a user attempts to browse to any URL with that category and reputation combination, the session is blocked.
Using category and reputation data also simplifies policy creation and administration. It grants you assurance that the system will control web traffic as expected. Finally, because Cisco's threat intelligence is continually updated with new URLs, as well as new categories and risks for existing URLs, you can ensure that the system uses up-to-date information to filter requested URLs. Malicious sites that represent security threats such as malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new policies.
To modify the URL and URL Category conditions in an access control rule, you can edit the rule using the procedure in Configure the Firepower Threat Defense Access Control Policy. Simple edits may be performed without entering edit mode. From the policy page, you can modify a URL condition in the rule by selecting the rule and clicking the + button within the URL condition column and selecting a new object, element, URL reputation, or URL category from the popup dialog box. You can also click the x on an object or element to remove it from the rule.
Click the blue plus icon and select URL objects, groups, or URL categories and click Save. You can click Create New Object if the URL object you require does not exist. See Create and Edit Firepower Threat Defense URL Objects for more information about URL objects.
License Requirement for URL Filtering
To use URL filtering, you need to have the URL Filtering license enabled on your Firepower Device Manager.
Specifying a Reputation for a URL Category Used in a Rule
By default, all URLs in a URL category are treated by a rule the same way. For example, if you have a rule that blocks Social Network URLs, you will block all of them regardless of reputation. You can adjust that setting so that you block only high-risk Social Network sites. Likewise, you could allow all URLs from a URL category except the high-risk sites.
Use this procedure to use a reputation filter on a URL category in an access control rule:
- From the FTD Policy page, select the rule you want to edit.
- Click Edit.
- Click the URLs tab.
- Click the blue plus button and select a URL Category.
- Click Apply Reputation to Selected Categories or the Any Reputation link on the URL Category you just picked.
- Uncheck the Any Reputation check box.
- Filter URLs by reputation:
- If the rule has a blocking action, slide the reputation slider to the right to block only the sites with the reputations marked in red. For example, if you slide the slider to "Sites with Security Risks," a blocking rule would block "Sites with Security Risks," "Suspicious Sites," and "High-Risk sites" but it would allow traffic from "Well-known Sites" and "Benign Sites."
- If the rule has an allow action, slide the reputation slider to the right to allow only the sites with the reputations marked in green. For example, if you slide the slider to "Benign Sites," the rule will allow traffic from "Well-Known Sites" and "Benign Sites" but not allow traffic from "Sites with Security Risks," "Suspicious Sites," and "High-Risk sites."
- Click Save.
- Click Select.
- Click Save.
- When you are ready, return to the Devices & Services page, and deploy the changes. See Deploy Configuration Changes from Defense Orchestrator to FTD for more information.