topic I'm having real issues with in Network Security

URL filtering - not blocking

Dave Phillips — Tue, 12 Mar 2019 12:44:30 GMT

I have URL filtering set up on FireSight and my ASA 5525-X. I have noticed that it does not block unwanted pages.

It shows up in Defense Center events as "interactive block with reset", but the page is actually never blocked.

It appears to be trying to block the page? When I visit a "blocked" site, the site takes a long time to load. The cursor just spins and you think it is going to time out, then after 15 seconds the page loads.

I am running version 5.4.1.1 on my DC and 5.4.0.3 on my ASA module.

I have configured a monitoring rule before the block rule as was suggested in the forums.

You have to create a rule

Ed Padilla Jr — Thu, 13 Aug 2015 23:47:02 GMT

You have to create a rule under the Access Control Policy, and apply the access control policy.

I do have a rule. In the

Dave Phillips — Fri, 14 Aug 2015 00:06:35 GMT

I do have a rule. In the access control policy I have a rule set it to "interactively block with reset" for several categories (gambling, porn) as well as a custom object. I also have a rule right above this one to "monitor" for the same categories.

It seems like Firesight is trying to block the page as it logs the action correctly, but I never see the block page and like I mentioned it eventually loads.

Because you have chosen the

rcmcdermott11 — Fri, 14 Aug 2015 15:55:38 GMT

Because you have chosen the interactive block it allows the client to 'click through' or simply refresh their webpage and essentially ignore the blocking action. What is likely happening for you is that the browser is automatically refreshing and rebuilding the connection. If you look at your connection events you should see a block for the first connection attempt followed by an allowed on the refresh.

Now as to the reason you aren't seeing the interactive block message there are a few possibilities.

Note that in the following situations, the response page does not appear and traffic is blocked without interaction, even if the session matches an Interactive Block rule:

• if the session was or is encrypted; this includes sessions decrypted by the system

• after a connection has been established and allowed to flow for a few packets so the system can inspect it for requested URLs and application details

I have seen some funky behavior with the response pages as well on the ASA w/ Firepower so if anyone has some more insight there I'd love to see it.

I managed to get the URLs

Dave Phillips — Fri, 14 Aug 2015 16:49:51 GMT

I managed to get the URLs blocked by changing the action to "block". I still do not get a block page, the blocked URL just doesn't load.

I like the Firesight product so far, but I think the URL filtering has room for A LOT of improvement. I was hoping to replace of my current expensive, bloated web filtering product, but I wont be able to with the current state of the software right now.

Fairly familiar with the

Ed Padilla Jr — Fri, 14 Aug 2015 16:56:05 GMT

Fairly familiar with the product, but if you create a customize block page, would that work?

I'm having real issues with

GarySLear — Thu, 08 Oct 2015 15:20:50 GMT

I'm having real issues with these modules. Even with a simple policy they don't seem to be reliable.

I've installed/migrated/upgraded the appliances and have no such issues, but every SFR module I've put in is becoming a nightmare.

I've found that the only time an interactive block page is presented is when a static URL is specified, if it involves a cloud lookup then it just doesn't load the page at all, as if the reset is sent without the "interactive" part. Another issue our customer is experiencing is that when a category is set to block and reset, the initial page loads but when navigating further it then provides the block. As you can imagine some webpages show some explicit content on the home page and this is unacceptable in my opinion.

I'm also seeing lots of issues with ASDM managed modules in that lots of GUI glitches are happening when looking at the configuration or monitoring pages, but only on the firepower sections.

This is causing lots of frustration and needs sorting out.