Has anyone used URL filtering firepower services on Cisco ASAX series firewalls

I currently have an ASA5525X.  I have the defense center installed and am currently licensed for IPS and have traffic routed through the SFR module.  That works great, but now I am investigating the URL filtering and have few questions that I can't seem to find the answers to.  I'm hoping to get a response from someone who as set this up and can give me some real insight.  Thanks in advance!

1. Can in integrate the defense center with Active Directory for URL filtering?  This is a requirement for my organization, as I need to be able to pull up web history report on a specific user.  

2.  There should be no problem using IPS and url filtering on this ASA correct?  The ASA5525 is barely being touched in means of memory, cpu, and traffic, so I don't foresee any problems.

2. Is there good reporting features with this? Meaning can I easily pull up a web history report on a user?

3. Does this work like most other proxy servers, do I just add the proxy server IP (ASA), to my web browser, or does the URL filtering work differently using the ASA than a standard web proxy?

4. Can I configure different web filtering profiles or groups?   For example I want management to have more privileges surfing the internet, then i do a normal user. Is this possible?

If anyone who has done this can shed some insight on this, I would be greatly appreciated.  Thanks.
LVL 4
denver218Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
>>Can in integrate the defense center with Active Directory for URL filtering?  This is a requirement for my organization, as I need to be able to pull up web history report on a specific user.

Yes you need to install a host agent on a windows sever - and point that at your AD servers, then you point Threat Defence Centre to the agent and it performs the mappings, normally this would be on my website beause I did it a few weeks ago and documented it, but sites getting migrated at the moment - I do have all the screenshots x17

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Pete LongTechnical ConsultantCommented:
>>2.  There should be no problem using IPS and url filtering on this ASA correct?  The ASA5525 is barely being touched in means of memory, cpu, and traffic, so I don't foresee any problems.

Not a problem - Im running AMP, IPS and URL filtering

>>2. Is there good reporting features with this? Meaning can I easily pull up a web history report on a user?

Yes definitely with AVC it shows what applications are doing on the web as well as what users are doing with browsers!

>>3. Does this work like most other proxy servers, do I just add the proxy server IP (ASA), to my web browser, or does the URL filtering work differently using the ASA than a standard web proxy?

NO! you already have IPS so its already setup, you don't have to do anything on the client for proxy settings - they already should be going out through the firewall.

4. Can I configure different web filtering profiles or groups?   For example I want management to have more privileges surfing the internet, then i do a normal user. Is this possible?

Yes - but  you would have to create different policy elements for each group

Hope that clears a free things up, you have my sympathies documentation form Cisco is generally awful! Hence the reason I do my own - keep and eye on www.petenetlive.com
denver218Author Commented:
Thanks, that helps a lot.  When i purchase the URL license does this come with the host agent that I need to install on the AD server?  I just want to make sure I know everything I need.  When transitioning to the new ASAX with the SFR module for IPS, i ran into a few things that I didn't know I needed even after working with presales.  Even though Cisco acquired sourcefire a while ago now, sourcefire folks don't seem to know Cisco, and Cisco folks don't seem to know sourcefire. I found this to be true on many occasions.  Good job on your documentation.  I came across your website many times, on a number of different issues.
Pete LongTechnical ConsultantCommented:
If you already have the firewall/appliance registered then you probably already have rights to download the user agent, I managed to download it with little or no access - the hardest job is finding it!

User Agent
denver218Author Commented:
Thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.