Firepower URL Blocking page setup and management

Introduction

If you have a Cisco firewall running either ASA with Firepower services or the “pure” FTD operating system, you are most likely also using the URL-filtering function to prevent your users from accessing categories of websites considered non-work-related or otherwise harmful. This article explains the different use cases for URL filtering and gives an example of how to set up useful block pages for when you need to stop your users from accessing inappropriate parts of the internet.

Block Page vs Interactive Page

When users try to access websites the company does not approve of, you can have your firewall hijack the browser session and redirect the user to a configurable block page. This page is hosted on your Firepower Management Center (FMC) and pushed out to your firewall(s). You can use this page to simply inform the user that the session has been blocked, but you can also display an interactive page, where the user is given the choice to continue to the requested website and is hopefully well aware that their traffic may be logged.

Depending on your use case, use whichever page is right for you.

Please note that secure websites (using HTTPS) will not display any kind of block/interactive page for your users unless you are using SSL decryption.

If you are not using SSL decryption, the user will only see the typical “The page could not be loaded” error.

Configuring Block and Interactive Page

The configuration for the two different pages is done in plain HTML. Log into your FMC and navigate to Policies > Access Control > Access Control and click on the pencil icon to edit the policy of your choice. Select the tab called HTTP Responses, set both Page options to Custom, and then click on the pencil to open the window where you can input your HTML code. You can see a picture and the code of such a page at the bottom of this article.

For the interactive block page, a Continue button will automatically be added to the end of the page.

Configuring a URL rule

Head back to Policies > Access Control > Access Control and click on the pencil icon to edit the policy of your choice. Add a new rule and set whatever source-address(es) you want to be caught by the URL-filtering and then go to the URL tab to select which kinds of web categories and reputations you want to block. Use Action to select if you simply want to block these types of URLs or if you want to give the users the ability to continue by clicking “Continue”. When you are done, click on Save and then Save again in the top right corner and finish with Deploy above that to send the configuration to your firewall(s).

The most common approach is to block websites based on their categorization and reputation, which your Firepower firewall updates automatically on a regular basis. Below I have configured a rule to block all access to some website categories.

You can also configure specific URLs to be blocked by adding them as Objects in the Object menu at the top and then selecting them when you create your rule.

Checking the category of a website from FMC

If you are unsure what kind of categorization a website will receive, instead of visiting the website and checking the Firepower logs for the answer, you can do lookups of URLs directly from inside your FMC. Head over to Analysis > Advanced > URL and you will be greeted by the window below. Here you can type in several URLs at once to be run through the Firepower URL filter and instantly see their categorization and reputation.

Request a website to be recategorized

To allow dynamic categorization of websites, Cisco firewalls actually use a third-party feed of URLs and their categories that the firewall pulls down from time to time. This URL feed is managed by BrightCloud. If you run into websites that have been put into the wrong category and might be incorrectly blocked by your URL policies, there is an easy way to request that the website be recategorized. Visit BrightCloud's URL lookup tool and use the form on the site to request recategorization.

Even better, put the link to BrightCloud directly into your block page or interactive page and let the users themselves take care of websites that they think have been put into the wrong category, saving yourself the trouble. Anyone with an email address can send in a request to have a website's categorization looked at and possibly changed. From my experience, BrightCloud deals with recategorization pretty fast, usually within a few days, and once your Firepower device receives the next update from the feed (which happens now and then), you should be all good to go.

Screenshot of BrightCloud https://www.brightcloud.com/tools/url-ip-lookup.php

Example of a block page (picture and code)

Here you can see what a simple block page can look like. Customize it with your own logo and colors to make it look more professional. While you cannot upload an image directly to FMC and the pages, you can link to images on the internet using the HTML code. For example, I put the Cisco logo from Wikipedia into my block page below.

Code (copy and paste as-is into Firepower Management Center)

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Website Blocked</title>
<!-- Stylesheet belongs inside <head>; the original placed it after </head> -->
<style type="text/css">
.title {
  color: #6f6d6d;
  font-family: Candara;
  border: none;
  border-top: medium solid;
  border-width: 5px;
  border-color: #00A0DA;
}
.body_text {font-family: Ebrima}
.border {
  border: #82b13d dashed;
  border-width: 2px;
}
</style>
</head>
<body>
<center>
<!-- FMC cannot host images, so the logo is linked from the internet -->
<img src="https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg"><br><br><br>
<table width="500">
<tbody>
<tr>
<td>
<table width="100%">
<tbody>
<tr>
<td align="left" bordercolor="#82b13d" class="title" style="height: 30px">
<br><h1>ACCESS <font color="#00A0DA">DENIED</font></h1>
</td>
</tr>
<tr>
<td>
<div class="auto-style2">
<span class="label body_text">&nbsp;<br>The website you tried to visit has been blocked by the company's security systems because it may contain content that is considered inappropriate according to the company's policy for information security.
<br><br>If you need to have access to this website for work-related reasons or if you believe the website has been incorrectly categorized, you can use this <a href="https://www.brightcloud.com/tools/url-ip-lookup.php">self-service portal</a> to send in a request to have the website put into a different category.
<br>
<br>
</span>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</center>
</body>
</html>