Cisco Cisco Firepower Management Center 4000

If you want the rule to block traffic (the rule action is 

, 

, 

, or 

) selecting a reputation level also selects all reputations more severe than 

that level. For example, if you configure a rule to block 

 (level 2), it also automatically 

blocks 

 (level 1) sites.

If you want the rule to allow traffic (the rule action is 

, 

, or 

), selecting a reputation 

level also selects all reputations better than that level. For example, if you configure a rule to allow 

 (level 4), it also automatically allows 

 (level 5) sites.

If you change the rule action for a rule, the system automatically changes the reputation levels in URL 
conditions according to the above points. If you do not specify a reputation level, the system defaults to 

, meaning all levels. For example, you could block all malware sites, regardless of reputation. You 

can also use 

 to represent any category. For example, you could block all URLs that match 

 

category, but have a 

 reputation.

You are not limited to creating URL conditions using categories and reputations; you can specify 
individual URLs or groups of URLs to achieve more granular, custom control over allowed and blocked 
URLs. This is also the only kind of URL filtering you can perform without a special license. You can 
add either of the following kinds of URL conditions to an access control rule:

individual URL objects and URL object groups, which represent individual URLs and groups of 
URLs, respectively; see 

Unlike URL categories, you cannot qualify URL objects and groups with reputations. If the existing 
URL objects do not meet your needs, you can create a URL object on the fly while creating a URL 
condition. You can then use the new object in your rule and in other existing and future rules. For 
more information, see 

literal URLs; see 

 for more information

Unlike creating a URL object on the fly, adding a literal URL to an access control rule does not allow 
you to reuse the URL in other rules.

To determine whether network traffic matches a URL condition, the system performs a simple substring 
match. If the value of a URL object or literal URL matches any part of a URL requested by a monitored 
host, the URL condition of the access control rule is satisfied. For example, if you allow all traffic to 
example.com, your users could browse to URLs including:

http://example.com/

http://example.com/newexample

http://www.example.com/

This means that when specifying individual URLs in URL conditions, you must carefully consider other 
traffic that might be affected. For example, consider a scenario where you want to explicitly block 
ign.com (a gaming site). However, substring matching means that blocking ign.com also blocks 
verisign.com, which might not be your intent.

Note that to block HTTPS traffic, you can enter the common name from the Secure Sockets Layer (SSL) 
certificate for the traffic. When entering a URL from a certificate, enter the domain name and omit 
subdomain information. (For example, type 

example.com

 rather than 

www.example.com

.) If you block 

traffic based on the certificate URL, both HTTP and HTTPS traffic to that website are blocked. 

When deciding how to build a URL condition, keep in mind that although using URL literals, objects, 
and groups gives you precise control over allowed and blocked URLs, you must be careful to make sure 
that your rules do not have unintended consequences.