topic Re: Connections to web sites using typekit timing out behind FTD in Network Security

Connections to web sites using typekit timing out behind FTD

MauryJ — Tue, 28 Jun 2022 15:17:15 GMT

We noticed a strange phenomenon with at least two sites, both of which are using Adobe fonts (typenet.net), when accessed from behind our ASA with FTD.

Looking at the developer tools console in chrome, I can see that while the page is loading, the browser sits and eventually times out waiting for a response while trying to load a font from p.typekit.net, and we see this from both Windows and Mac clients on our internal network. The actual requested URL in one case is:

https://p.typekit.net/p.css?s=1&k=oci4iyo&ht=tk&f=15779.15782&a=86990265&app=typekit&e=css

When analyzing the connection event logs in FMC, I am not seeing any relevant connections from the clients getting blocked, when loading these sites. Outside of our network, the issue does not come up. The client's we're seeing this from have access to http and https in our ACLs and aren't going through a proxy. Has anyone else run up against this?

Versions:

FTD 6.7.0.3

Snort 2.9.17 (Build 3014)
Rule Update 2022-06-16-001

Thanks

Re: Connections to web sites using typekit timing out behind FTD

Mohammed al Baqari — Wed, 29 Jun 2022 01:49:31 GMT

Hi,

Just to ensure that you have logging setup correctly, configure a
rule which matches specific client source IP at the top and enable logging
on it. Then look for connection events to see if there are matches.

**** please remember to rate useful posts

Re: Connections to web sites using typekit timing out behind FTD

jmatysek — Fri, 02 Sep 2022 18:58:35 GMT

Hi Maury,

Just ran into something similar, and what I found was that my 2120 was associating the URL https://p.typekit.net with a web application called Burnbook (an anonymous messaging app) which Cisco classifies as a Very High Risk application and was blocking it per a rule to block Very High Risk applications. I discovered this by viewing Connection Events filtered for my workstation IP while trying to load the website in question. I tried whitelisting the typekit URL with no effect. However whitelisting this Burnbook app did the trick. Not sure how/why Adobe's hosted web font service got linked with this Burnbook app by Cisco in their VDB.

Hope that helps,
John

Re: Connections to web sites using typekit timing out behind FTD

nick_t — Fri, 09 Dec 2022 18:08:16 GMT

I have the same experience. Web pages were taking 30+ Seconds to load. Using Dev Tools in the browser confirmed a use.typekit.net file was failing to load. But only behind our FTD's/FMC not on personal / offsite machines.

Looked at the logs, scanned the url/file with Talos, all came back fine. FMC Events shows BurnBook application as well.

I guess i'm going to whitelist BurnBook. Bummer. Is there a method to notify Talos of this mis-assignment?