Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1760
Views
2
Helpful
34
Replies

access rules firepower 1010

BornJames
Level 1
Level 1

‎07-08-2023 06:01 PM

Hi team,

have a question regarding access rules.

how come if any any eveyrhting works fine.

however when i want to allow lets say connect to facebook, and everything else disable 

so i put source(inside) network(any-ipv4) ports(any) destination(outside_zone) network(FQDN facebook.com) ports (any)

so now I should have connection only to facebook, however no connection at all.

 

0 Helpful
34 Replies 34

MHM Cisco World
VIP
VIP
In response to BornJames

‎07-17-2023 02:27 AM

Yes below note to add new NATing 

BornJames_1-1689379911470.png

0 Helpful

Marius Gunnerud
VIP
VIP

‎07-12-2023 02:57 AM

can you go into expert mode (tye expert at the > prompt), become root user (sudo su -) and then do an nslookup for facebook.com (nslookup facebook.com) and see what result you get.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

aspilbea
Cisco Employee
Cisco Employee
In response to Marius Gunnerud

‎07-14-2023 03:09 AM

You will most likely find that an FQDN object for such a large scale web service will not work for your use-case. That's not the intended use. 

If you configure an FQDN Object such as facebook.com, the FTD device will do a DNS lookup for facebook.com and put that IP address into the Access Control entry, it will repeat that based on the TTL of the DNS query. 
Meanwhile your device behind the firewall is going to do it's own DNS lookup for facebook.com and connect to the IP address. 

Due to the nature of how DNS operates, there is no way to guarantee that the lookup from the firewall and the lookup from the client will always resolve the same IP address. Similarly the client may also navigate to web.facebook.com or www.facebook.com which may resolve to different IP addresses than just facebook.com.

In reality you'd be better served using the Application Visibility and Control capabilities or a URL rule depending on the requirement. In the latter case, you may also want to check out the TLS Server Identity Discover feature. 

BornJames
Level 1
Level 1
In response to aspilbea

‎07-14-2023 05:17 PM - edited ‎07-14-2023 05:44 PM

facebook was just an example.

I have tried example.com same result

However you are right about using Application option.

I tried google as an application and it worked.

Might have to use the URL option to allow specific websites

0 Helpful

alex.fritzsche
Level 4
Level 4

‎07-14-2023 04:19 AM

Like the last comments summarize:

the ACL should be on Application, not on FQDN.
generally you FTD should lookup DNS either internally via an internal DNS Server and then the interface you specify is the specific internal interface where the DNS server resides.
OR the Firewall does DNS-lookups to the internet directly, like 8.8.8.8 or 208.67.222.222, then you specify your Outside-Interface as source

alexfritzsche_0-1689333536344.png

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card