https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899884#M2205 <HTML><HEAD></HEAD><BODY><P>Thanks for that.&nbsp; I really like the grep and tail the logs.&nbsp; It's like an instant way to see what's going on.</P><P></P><P>So I did this and today the site is not blocked!!&nbsp; Weird how it would be blocked one day but not the next. Oh well, at least I got the nifty grep command out of it.</P><P></P><P>I guess what took me back is that I'm in the IT identity group which does not block much at all.&nbsp; Shopping is especially not blocked as we make online purchases for various busness needs.</P><P></P><P>Thank you!</P></BODY></HTML> Wed, 07 Mar 2012 14:44:07 GMT keithsauer507 2012-03-07T14:44:07Z https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899882#M2203 <P>I'm trying to order a laptop locker from a website for busness purposes.&nbsp; Sure I can go into the IronPort and whitelist the site, but I want to know why the IronPort is so flaky like this.</P><P></P><P>The error I'm getting is this (sanitised domain name and username):</P><P></P><P align="center" style="color: #000000; font-family: sans-serif; font-size: large;"><STRONG>The website you are trying to access is blocked.</STRONG></P><P><BR style="color: #000000; font-family: 'Times New Roman'; text-align: -webkit-auto; font-size: medium;" /></P><P><BR style="color: #000000; font-family: 'Times New Roman'; text-align: -webkit-auto; font-size: medium;" /></P><TABLE style="font-family: 'Times New Roman';"><TBODY><TR><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P>Blocked Site:</P></TD><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P><STRONG>www.schoollockers.com</STRONG></P></TD></TR><TR><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P>Blocked Category:</P></TD><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P><STRONG>Shopping</STRONG></P></TD></TR><TR><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P>User:</P></TD><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P><STRONG>DOMAINNAME\username@Windows</STRONG></P></TD></TR><TR><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P>User Group:</P></TD><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P><STRONG>BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE</STRONG></P></TD></TR><TR><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P>Reauth_URL:</P></TD><TD style="background-color: white; border-color: gray; border-style: none; padding: 1px;"><P><STRONG>-</STRONG></P></TD></TR></TBODY></TABLE><P> <SPAN style="font-family: Arial; font-size: 10pt;"> </SPAN></P><P style="color: #000000; font-family: 'Times New Roman'; text-align: -webkit-auto; font-size: medium;"><SPAN style="font-family: Arial; font-size: 10pt;">Base64Decode</SPAN> <SPAN style="font-family: Arial; font-size: 10pt;">error '800a0001'</SPAN></P><P style="color: #000000; font-family: 'Times New Roman'; text-align: -webkit-auto; font-size: medium;"><SPAN style="font-family: Arial; font-size: 10pt;">Bad Base64 string.</SPAN></P><P style="color: #000000; font-family: 'Times New Roman'; text-align: -webkit-auto; font-size: medium;"><SPAN style="font-family: Arial; font-size: 10pt;">/ironport/blocked.asp</SPAN><SPAN style="font-family: Arial; font-size: 10pt;">, line 78</SPAN></P><P></P><P></P><P></P><P>Now why would the blocked category be Shopping, but yet in another tab I am at <A href="https://community.cisco.com/www.walmart.com" target="_blank">www.walmart.com</A> and that loads fine?&nbsp; In fact other sites like Newegg, PCMall, BestBuy, Staples, Officemax, etc... all shopping sites - work great.</P><P></P><P>Can someone tell me the best way to diagnose this problem rather than bypass the webfilter or maintain long lists of one off exceptions?</P><P></P><P>S160 running v7.1.3-014 for Web</P> Tue, 06 Mar 2012 15:40:09 GMT https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899882#M2203 keithsauer507 2012-03-06T15:40:09Z https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899883#M2204 <HTML><HEAD></HEAD><BODY><P>Simplest way to diagnose is to use the Policy Trace feature under System Administration, this will show all the policies that the account is hitting.</P><P></P><P>More detailed logs can be found from SSHing to the box and running a grep on the accesslogs, how is best depends on your setup.&nbsp; But basically:</P><P></P><P></P><P>Grep</P><P>1</P><P>regular expression: username</P><P>Tail the logs: yes</P><P></P><P>And then do the actions which are getting allowed/denied and use them to find out the reason - AVC is application controls, etc.</P></BODY></HTML> Wed, 07 Mar 2012 07:48:30 GMT https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899883#M2204 Chris Illsley 2012-03-07T07:48:30Z https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899884#M2205 <HTML><HEAD></HEAD><BODY><P>Thanks for that.&nbsp; I really like the grep and tail the logs.&nbsp; It's like an instant way to see what's going on.</P><P></P><P>So I did this and today the site is not blocked!!&nbsp; Weird how it would be blocked one day but not the next. Oh well, at least I got the nifty grep command out of it.</P><P></P><P>I guess what took me back is that I'm in the IT identity group which does not block much at all.&nbsp; Shopping is especially not blocked as we make online purchases for various busness needs.</P><P></P><P>Thank you!</P></BODY></HTML> Wed, 07 Mar 2012 14:44:07 GMT https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899884#M2205 keithsauer507 2012-03-07T14:44:07Z https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899885#M2206 <HTML><HEAD></HEAD><BODY><P> A note on grep.. I typically use the IP address instead of username... that way you'll see things, even if the user isn't authenticated yet... </P></BODY></HTML> Wed, 07 Mar 2012 14:59:42 GMT https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899885#M2206 Ken Stieers 2012-03-07T14:59:42Z https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899886#M2207 <HTML><HEAD></HEAD><BODY><P>That "<STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: 'Times New Roman';">BLOCK_WBRS_11</STRONG>" means that the particular site was blocked due to a low web reputation score, rather than due to the category of the content.</P><P></P><P>Further along in the access log line for that connection will be the score itself. Here's one of ours:</P><P></P><P>BLOCK_WBRS_11-All_Access-CC_AD_Identity-NONE-NONE-NONE-NONE <IW_ADV> -</IW_ADV></P><P></P><P><SPAN>The -6.4 is the negative reputation score that caused this transaction to be blocked. Cisco has a public site where you can look up the reputation scores: </SPAN><A class="jive-link-external-small" href="http://senderbase.org">http://senderbase.org</A></P><P></P><P>In the upper right corner, just under the "Look up your network" box, click on the Reputation Look Up link.</P></BODY></HTML> Wed, 14 Mar 2012 18:11:22 GMT https://community.cisco.com/t5/web-security/ironport-incorrectly-blocking-quot-shopping-quot-from-it-admin/m-p/1899886#M2207 Stafford Rau 2012-03-14T18:11:22Z