Best Practices for URL Filtering
Keep in mind the following guidelines and limitations for URL filtering:
Filter by Category and Reputation
Follow the instructions in How to Configure URL Filtering with Category and Reputation.
Configure Your Policy to Inspect Packets That Must Pass Before a URL Can Be Identified
The system cannot filter URLs before:
-
A monitored connection is established between a client and server.
-
The system identifies the DNS, HTTP or HTTPS application in the session.
-
The system identifies the requested domain or URL (for encrypted sessions, from a non-encrypted domain name, the ClientHello message or the server certificate).
This identification should occur within 3 to 5 packets, or after the server certificate exchange in the TLS/SSL handshake if the traffic is encrypted.
Important! To ensure that your system examines these initial packets that would otherwise pass, see Inspection of Packets That Pass Before Traffic Is Identified and subtopics.
If early traffic matches all other rule conditions but identification is incomplete, the system allows the packet to pass and the connection to be established (or the TLS/SSL handshake to complete). After the system completes its identification, the system applies the appropriate rule action to the remaining session traffic.
Block Threat Categories
Be sure that your policies specifically address Threat categories, which identify known malicious sites. Do this in addition to blocking sites with poor reputations.
For example, to protect your network from malicious sites, you must block all Threat categories. Additionally, Talos recommends that you block only sites with Poor category. You can block questionable reputations if you have an aggressive security posture, but this may result in a higher amount of false positives.
For specifics, see Threat Categories at the URL in URL Category and Reputation Descriptions.
URL Conditions and Rule Order
-
Position URL rules after all other rules that must be hit.
-
URLs can belong to more than one category. It is possible to want to allow one category of websites and block another—whether explicitly or by relying on the default action. In this case, make sure you create and order URL rules so you get the desired effect, depending on whether the allow or the block should take precedence.
For additional guidelines for rules, see the following topics: Best Practices for Access Control Rules.
Uncategorized or Reputationless URLs
When you build a URL rule, you first choose the category you want to match. If you explicitly choose Uncategorized URLs, you cannot further constrain by reputation.
Uncategorized URLs with Untrusted reputation are handled by the Malicious Sites category. If you want to block uncategorized sites with any other reputation level (such as Questionable), you must block all uncategorized sites.
After selecting a category and a reputation level, you can optionally select Apply to unknown reputation. For example, you can create a rule that applies to sites with Untrusted, Questionable, and unknown reputations.
You cannot manually assign categories and reputations to URLs, but in access control and QoS policies, you can manually block specific URLs. See Manual URL Filtering. See also Dispute URL Category and Reputation.
URL Filtering for Encrypted Web Traffic
When performing URL filtering on encrypted web traffic, the system:
-
(If DNS filtering is enabled) Checks to see if the system has previously seen the originating domain or the domain is in the local reputation database, and if so, takes action based on the reputation and category of the domain. Otherwise, the system processes the traffic based on your configurations for encrypted traffic, even if Retry URL cache miss lookup is enabled in the access control policy's advanced settings.
-
Disregards the encryption protocol; a rule matches both HTTPS and HTTP traffic if the rule has a URL condition but not an application condition that specifies the protocol.
-
Does not use URL lists. You must use URL objects and groups instead.
-
Matches HTTPS traffic based on the subject common name in the public key certificate used to encrypt the traffic, and also evaluates the reputation of any other URLs presented at any time during the transaction, including the post-decryption HTTP URL.
-
Disregards subdomains within the subject common name.
-
Does not display an HTTP response page for encrypted connections blocked by access control rules (or any other configuration); see Limitations to HTTP Response Pages.
URL Filtering and TLS Server Identity Discovery
The latest version of the Transport Layer Security (TLS) protocol 1.3, defined by RFC 8446, is the preferred protocol for many web servers to provide secure communications. Because the TLS 1.3 protocol encrypts the server's certificate for additional security, and the certificate is needed to match application and URL filtering criteria in access control rules, the Firepower System provides a way to extract the server certificate without decrypting the entire packet.
Access control policy advanced settings offer an Early application detection and URL categorization option for TLS Server Identity Discovery.
We strongly recommend enabling it for any traffic you want to match on application or URL criteria, especially if you want to perform deep inspection of that traffic. A decryption policy is not required because traffic is not decrypted in the process of extracting the server certificate.
Note |
|
For more information, see Access Control Policy Advanced Settings.
HTTP/2
The system can extract HTTP/2 URLs from TLS certificates, but not from a payload.
Manual URL Filtering
-
Specify URLs using a custom Security Intelligence list or feed object. Do not use a URL object or directly enter a URL into the rule. For details, see Manual URL Filtering Options.
-
If you manually filter specific URLs using URL objects or by entering URLs directly into the rule, carefully consider other traffic that might be affected. To determine whether network traffic matches a URL condition, the system performs a simple substring match. If the requested URL matches any part of the string, the URLs are considered to match.
-
If you use manual URL filtering to create exceptions to other rules, position the specific rule with the exceptions above the general rule that would otherwise apply.
Search Query Parameters in URLs
The system does not use search query parameters in the URL to match URL conditions. For example, consider a scenario where you block all shopping traffic. In that case, using a web search to search for amazon.com is not blocked, but browsing to amazon.com is.
URL Filtering in High Availability Deployments
For guidelines for URL filtering with Firepower Management Centers in high availability, see URL Filtering and Security Intelligence in the Cisco Secure Firewall Management Center Administration Guide.
Memory Limitations for Selected Device Models
-
Device models with less memory store less URL data locally, and the system may therefore check the cloud more frequently to determine category and reputation for sites that are not in the local database.
Lower-memory devices include:
-
Firepower 1010
-
Threat Defense Virtual with 8 GB of RAM
-
URL Matching for TLS session Resumption on Threat Defense
Use URL matching with Snort 2 under the following conditions:
-
If there is no TLS session resumption and SSL policy is enabled or the Client Hello message contains Server Name Indication (SNI) extension.
-
If there is TLS session resumption and SSL policy is not enabled or the Client Hello message does not contain SNI extension.