Access Control Using Content Restriction
Major search engines and content delivery services provide features that allow you to restrict search results and website content. For example, schools use content restriction features to comply with the Children's Internet Protection Act (CIPA).
When implemented by search engines and content delivery services, you can enforce content restriction features only for individual browsers or users. The Firepower System allows you to extend these features to your entire network.
The system allows you to enforce:
- Safe Search—Supported in many major search engines, this service filters out explicit and adult-oriented content that particular environments (business, government, education, etc.) classify as objectionable. The system does not restrict a user's ability to access the home pages for supported search engines. Note that YouTube Restricted Mode is a subfeature of Safe Search.
- YouTube EDU—This service filters YouTube content for an educational environment. It allows schools to set access for educational content while limiting access to noneducational content. YouTube EDU is a different feature than YouTube Restricted Mode, which enforces restrictions on YouTube searches as part of Google's Safe Search feature. With YouTube EDU, users access the YouTube EDU home page, rather than the standard YouTube home page.
Content restriction features communicate the restricted status of a search or content query via an element in the request URI, an associated cookie, or a custom HTTP header element. You can configure access control rules to modify these elements as the system processes traffic.
Note that, to enforce content restriction, you must also enable an SSL policy, which impacts performance.
If you enable logging of connection events for these access control rules, the system logs related events with a Reason of Content Restriction.
The following topics describe how to enforce content restriction using access control rules:
Using Access Control Rules to Enforce Content Restriction
To enforce content restriction using access control rules:
Step 1 Create an SSL policy; see Creating a Basic SSL Policy.
Step 2 Add SSL rules for handling Safe Search and YouTube EDU traffic:
– Safe Search—Add the safesearch supported filter.
– YouTube EDU—Search for "YouTube" in the Available Applications list, and add the resulting applications.
For more information, see Controlling Encrypted Traffic Based on Application.
Step 3 Set rule positions for the SSL rules you added. Click and drag, or use the right-click menu to cut and paste.
Step 4 Create or edit an access control policy, and associate the SSL policy with the access control policy; see Associating Other Policies with Access Control.
Step 5 In the access control policy, add rules for handling Safe Search and YouTube EDU traffic, placing the Safe Search rule after the YouTube EDU rule:
– Click the icon for either Safe Search or YouTube EDU, and set related options. These icons are disabled, rather than dimmed, if you choose any Action other than Allow for the rule.
Note: You cannot enable Safe Search and YouTube EDU restrictions for the same access control rule.
In most cases, enabling Safe Search or YouTube EDU populates the Selected Applications and Filters list with the appropriate values. The system does not automatically populate the list if a Safe Search or YouTube application is already present in the list when you enable the feature. If applications do not populate as expected, manually add them as follows:
– Safe Search—Add the search engines filter.
– YouTube EDU—Search for "YouTube" in the Available Applications list, and add the resulting applications.
For more information, see Adding an Application Condition to an Access Control Rule.
Step 6 Set rule positions for the access control rules you added. Click and drag, or use the right-click menu to cut and paste.
Step 7 Configure the Block Response Page that the system displays when it blocks restricted content; see Displaying a Custom Web Page for Blocked URLs.
Step 8 Deploy configuration changes; see Deploying Configuration Changes.
Safe Search Options for Access Control Rules
The Firepower System supports Safe Search filtering for specific search engines only. For a list of supported search engines, see applications tagged safesearch supported in the Applications tab of the access control rule editor. For a list of unsupported search engines, see applications tagged safesearch unsupported.
When enabling Safe Search for an access control rule, set the following parameters:
Enables Safe Search filtering for traffic that matches this rule.
Specifies the action you want the system to take when it processes traffic from unsupported search engines. If you choose Block or Block with Reset, you must also configure the HTTP response page that the system displays when it blocks restricted content; see Displaying a Custom Web Page for Blocked URLs.
YouTube EDU Options for Access Control Rules
When enabling YouTube EDU for an access control rule, set the following parameters:
Enable YouTube EDU: Enables YouTube EDU filtering for traffic that matches this rule.
Custom ID: Specifies the value that uniquely identifies a school or district network in the YouTube EDU initiative. YouTube provides this ID when a school or district registers for a YouTube EDU account.
Note: If you check Enable YouTube EDU, you must enter a Custom ID. This ID is defined externally by YouTube. The system does not validate what you enter against the YouTube system. If you enter an invalid ID, YouTube EDU restrictions may not perform as expected.
Content Restriction Rule Order
To avoid rule preemption in both SSL and access control policies, position rules governing YouTube restriction above rules governing Safe Search restriction.
When you enable Safe Search for an access control rule, the system adds the search engine category to the Selected Applications and Filters list. This application category includes YouTube. As a result, YouTube traffic matches to the Safe Search rule unless YouTube EDU is enabled in a rule with a higher evaluation priority.
A similar rule preemption occurs if you position an SSL rule with the safesearch supported filter higher in the evaluation order than an SSL rule with specific YouTube application conditions.
For more information, see Ordering Rules to Improve Performance and Avoid Preemption.
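The preemption described in this section can be checked mechanically. The following is an added example, not Cisco code or a Firepower API: it models rules as first-match entries that match on application only, and the rule names, the dictionary layout, and the members of the search engine category other than YouTube are constructed assumptions.

```python
# Added illustration: first-match evaluation over application conditions only.
# Real rules also match on zones, networks, users, and so on; this model
# ignores those to isolate the ordering problem.

# Constructed stand-in for the search engine category. The page states only
# that this category includes YouTube; the other members are sample values.
SEARCH_ENGINES = frozenset({"Google", "Bing", "YouTube"})

SAFE_SEARCH = {"name": "Safe Search", "apps": SEARCH_ENGINES}
YOUTUBE_EDU = {"name": "YouTube EDU", "apps": frozenset({"YouTube"})}


def first_match(rules, app):
    """Return the name of the first rule in evaluation order that lists app."""
    for rule in rules:
        if app in rule["apps"]:
            return rule["name"]
    return None


def preempted_rules(rules):
    """Return names of rules that can never match.

    A rule is preempted when every application it lists is already matched
    by some rule placed earlier in the evaluation order.
    """
    covered = set()
    shadowed = []
    for rule in rules:
        if rule["apps"] <= covered:
            shadowed.append(rule["name"])
        covered |= rule["apps"]
    return shadowed


# Safe Search first: YouTube traffic never reaches the YouTube EDU rule.
WRONG_ORDER = [SAFE_SEARCH, YOUTUBE_EDU]
# YouTube EDU first, as this section recommends.
RIGHT_ORDER = [YOUTUBE_EDU, SAFE_SEARCH]

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "order: YouTube ->", first_match(rules, "YouTube"),
              "| preempted:", preempted_rules(rules))
```

The same check applies to the SSL policy, where a rule with the safesearch supported filter plays the role of the Safe Search rule.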