URL Timeouts for NGFW
post by: Moses Frost
From the Firepower 6.3.0 Release Notes
You can now force URL data to expire. There is a tradeoff between security and performance. A shorter interval means you use more current data, while a longer interval can make web browsing faster for your users.
Upgrading to Version 6.3.0 does not change system behavior. The setting defaults to disabled (the current behavior), meaning that cached URL data does not expire.
New/Modified screens: System > Integration > Cisco CSI > Cached URLs Expire setting
What does this feature mean?
In the versions PRIOR to 6.3.0 (6.2.3 and below), the URLs that had been requested on the sensor and cached never aged out. Consider the following scenario, where you had a site like so:
Site: www.mybankshopper.local, category: Shopping
And it was decided that this site should be re-categorized as Finance, or ‘Newly Seen Domain’. The sensor/firewall would never age out that URL categorization. Originally it was decided that this would be the case because of performance. Most of the NGFWs I’ve seen work this way, mostly because it is the most efficient. Most of the UTMs on the market work a bit differently. We will get into this in the Order of Operations discussion at a future date.
You now have a new setting whose value can be as little as 2 hours and up to 1 week.
Is this feature backwards compatible?
Yes. By default it is set to ‘Never’, which is the previous behavior.
Should I change this value?
Yes; this way you will take advantage of URL re-categorizations.
What value should I use?
This is hard to say: the more aggressive you are, the more performance will be impacted. Even if the impact is too small to see, there will be overhead involved. Why? Because if the cache ages out quickly (say, every 2 hours), all sites will need to be relearned, and there will be a hit when that happens. There are seed files that expedite the process, but this is not user configurable; it is inherent in the system.
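As an added illustration (not from the release notes or Cisco's code), here is a toy model of the category cache; the hostname, the hourly request pattern and the time of the re-categorization are constructed assumptions. It shows why a site re-categorized from Shopping to Finance is never seen with the ‘Never’ setting, and how a shorter expiry trades extra lookups for fresher data.

```python
# Added example (not Cisco's code): a toy model of the Firepower URL-category
# cache, to show how the "Cached URLs Expire" setting changes behaviour.
# Hostname, categories and timings are constructed for illustration.
from typing import Optional

HOUR = 3600
NEVER = None  # the pre-6.3.0 default: cached entries never age out

class UrlCategoryCache:
    """Caches category lookups; entries older than ttl seconds are refreshed."""

    def __init__(self, ttl: Optional[int]):
        self.ttl = ttl
        self.entries = {}       # host -> (category, time cached)
        self.cloud_lookups = 0  # cost of relearning (the performance side)

    def lookup(self, host: str, now: int, cloud: dict) -> str:
        hit = self.entries.get(host)
        if hit is not None and (self.ttl is None or now - hit[1] < self.ttl):
            return hit[0]              # fresh (or never-expiring) cache hit
        self.cloud_lookups += 1        # miss or expired: ask the cloud again
        category = cloud[host]
        self.entries[host] = (category, now)
        return category

def simulate(ttl: Optional[int]) -> dict:
    """Replay: site cached as Shopping at t=0, re-categorized in the cloud at
    t=1h, then requested once an hour through t=24h. Returns what the sensor saw."""
    host = "www.mybankshopper.local"   # constructed sample site
    cloud = {host: "Shopping"}
    cache = UrlCategoryCache(ttl)
    seen = {}
    for hour in range(25):
        if hour == 1:
            cloud[host] = "Finance"    # vendor re-categorizes the site
        seen[hour] = cache.lookup(host, hour * HOUR, cloud)
    first_correct = next((h for h, c in seen.items() if c == "Finance"), None)
    return {"hours_until_finance": first_correct,
            "cloud_lookups": cache.cloud_lookups}

if __name__ == "__main__":
    for label, ttl in (("Never", NEVER), ("2 hours", 2 * HOUR), ("1 week", 7 * 24 * HOUR)):
        print(label, simulate(ttl))
```

With ‘Never’ the stale Shopping verdict is served forever after a single lookup, while a 2-hour expiry picks up the Finance category at hour 2 at the cost of a refresh every two hours.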
How can I configure this?
Firepower Management Center: System -> Integration -> Cisco CSI
Firepower Device Manager (FDM): Device Menu -> URL Timeouts
From here you can configure the appropriate settings.
Whichever manager you use, you must always deploy the configuration afterward.