topic Re: Firepower blocking Microsoft.com? in Network Security

Firepower blocking Microsoft.com?

roundearther — Mon, 30 Sep 2019 18:56:22 GMT

Security Intelligence Events shows https://www.microsoft.com as being URL blocked and classified under Security Intelligence Category as "URL Malware."

Is Firepower's Collective Security Intelligence (CSI) URL blocking Microsoft.com?

Re: Firepower Collective Security Intelligence (CSI) blocking Microsoft.com?

CACorpITOps — Mon, 30 Sep 2019 18:37:37 GMT

Having this problem as well.

Re: Firepower blocking Microsoft.com?

Jeff Sterck — Mon, 30 Sep 2019 19:00:14 GMT

I have this issue as well. Removing URL Malware from my URL filtering policy has made it work. I previously tried whitelisting the URL (HTTP/S) and, while that adds the URL into my whitelist, it does not supersede the URL Malware list.

Frustrating.

Re: Firepower blocking Microsoft.com?

roundearther — Mon, 30 Sep 2019 19:09:18 GMT

I was able to get it to work by right-clicking on the URL in Connections > Security Intelligence Events and then clicking "Whitelist HTTP/S Connections to Domain Now" and "Whitelist HTTP/S Connections to URL Now."

Re: Firepower blocking Microsoft.com?

Jeff Sterck — Mon, 30 Sep 2019 19:42:59 GMT

Interesting. I tried that as well and it did not work. Did it require you to deploy once you added them to the whitelists?

Re: Firepower blocking Microsoft.com?

roundearther — Mon, 30 Sep 2019 19:46:41 GMT

No, I did not have to deploy.

Re: Firepower blocking Microsoft.com?

-Sparrow- — Fri, 04 Oct 2019 19:07:48 GMT

Interesting... I'm seeing this same thing as well for a handful of IP's on my internal LAN, but I can browse to https://www.microsoft.com without issue. Haven't heard any complaints from any end users yet.

** Side note** Has anyone here seen an increase in "URL Malware" URL Blocks to https://mv-s2s-dev.ngrok.io?

I've seen this URL being blocked daily since about the 5th of September. Google doesn't reveal much about it. It triggers IOC's on some of our hosts every day.

Re: Firepower blocking Microsoft.com?

Firepowered — Sat, 05 Oct 2019 15:45:17 GMT

You can 'Trust' microsoft.com, this should take care of it. Alternatively you can also add it to whitelist from the event log, deploy policy after you do that, to be sure.