topic Re: FTD url blocked with notification "You are attempting to access a forbidden site." in Network Security

FTD url blocked with notification "You are attempting to access a forbidden site."

slv_slv — Fri, 02 Apr 2021 15:44:31 GMT

Hi Team

I'm using FTD on ASA 5506x v6.2.3.16-59 (managed by Firepower Device Management) with updates:

Two days ago I've reported to BrighCloud support that http://www.szachypolskie.pl/ should be categorize (it was under Uncatogorized category). I've got confirmation from them that they have updated the site to the Sports categories. This change is now published in the BrightCloud Service and is available in Database version 7.704.

Could someone help me to troubleshoot why this site is still blocked?

It seems to me that troubleshooting from Events section of Firepower Device Management is VERY limited.

I couldn't find event related to this particular issue.

Do I really need FMC to manage properly my FTD? seriously ? for home deployment?

I'm looking for you advice

Regards

Slawek

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

Francesco Molino — Sat, 03 Apr 2021 02:22:56 GMT

On Talos Intelligence, the site is categorized as sports and recreation, so it should go through.

You should see the log under monitoring/event menu. Can you share the log of that traffic and also the rule you created please?

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

Marvin Rhoads — Sat, 03 Apr 2021 03:39:16 GMT

Francesco Cisco only transitioned to Talos for Firepower 6.5 and later. The 6.2.3.16 used by the poster still uses Brightcloud.

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

Francesco Molino — Sat, 03 Apr 2021 03:43:21 GMT

Yes you’re right and I didn’t noticed the version.

Anyways, the category is fine on both cloud services. So the question to get the traffic event and rule configuration is still valid.

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

slv_slv — Sat, 03 Apr 2021 09:15:05 GMT

Hi Francesco

It seems that my FTD is still using outdated BrighCloud database version. Under events we can see:

so URL filtering rule was hit - that's good. Why still there is wrong category? Why there is no geolocation detected?

My rule set looks like:

Please let me know if I should modify my rule set.

Once when I enabled Security inteligence with balanced security it blocked dns traffic at all. No idea why. Any idea what was wrong?

Looking forward for your advcies

Slawek

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

Marvin Rhoads — Sat, 03 Apr 2021 14:43:48 GMT

Well geolocation and originator country didn't get populated because the traffic came from your inside network RFC 1918 address (192.168.0.0/16).

I can only think that Firepower is caching the previous disposition despite Brightcloud having updated the cloud side database. I found a bugID that appears to describe this behavior exactly:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw57184/?rfs=iqvred

If you have support, Cisco TAC can run a script to clear the cache.

As a workaround you could add a higher level rule specifically allowing that URL - thus avoiding the Block rule lower down.

Newer versions of FDM have a place where we can modify the cache settings:

FDM URL Filterng Preferences

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

Francesco Molino — Sun, 04 Apr 2021 02:13:15 GMT

Marvin is right, you’ll need to call TAC.

However, if you want to run it or take a look at it, you can go on the folder /ftd/app_bin/root/ngfw/var/sf/bin and run the script url_cache_tool.pl

Just to make sure the folder is the right now, once logged on your FTD using SSH, you will need to go into expert mode and then go into sudo su (use your admin password to enter sudo space).

Then, you can run the command: find / -name url_cache_tool.pl

The output will show you the full path. You can just run it.

Let us know if that works

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

slv_slv — Mon, 05 Apr 2021 10:20:05 GMT

Hi Francesco

I've used the script url_cache_tool.pl but after I got some issues:

1. after 10 min since I run it I was unable to open any web page via Browser (while I was able to ping host name_

2. I did reboot of my FTD, same resoults.

3. I disabled my "URL filtering" rule (I change BLOCK to Trust mode) and do commit

this workaroud "fix" the issue temporarly.

I decdided to restore back my config to understand what has happened.

I revert back "URL filtering" to BLOCK and check settings for Uncategorized websites to:

Once I did commit again most of websites where inaccesible, ie:

https://speed.cloudflare.com/

and from device logs:

so its seems that I still have issues with URL filtering (Brightcloud cache).

Is there anything else what I can check on my device? - I can't engage TAC 😞 here

Why its not pooling correct url category from Bright cloud service?

My intention is to block url uncategorized with reputation set to Suspicious site or High - how to achieve it ?

Is there other functions on FTD which I can use to get such url blocked?

With regards

Slawek

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

slv_slv — Tue, 06 Apr 2021 17:22:08 GMT

Hi all

Can I ask you to review my last update?

I stil can't use url filtering with blocking enabled for Uncategorized web-paged - why ?

With regrds

Slawek

Re: FTD url blocked with notification "You are attempting to access a forbidden site."

slv_slv — Tue, 06 Apr 2021 18:16:41 GMT

Hi all

I've decided to create dedicated rule for Uncategorised URL's (rule number 4)

and now in logs, traffic to https://speed.cloudflare.com/ hit rule "IN to OUT" (rule number 6)

Thats good for me, but I'm still looking for explanation why it was blocked previously.

Anyway, I will keep my eyes open on this problem

Regards

Slawek