topic Filtered URLs in ASA Still Sent to Websense? in Network Security

Filtered URLs in ASA Still Sent to Websense?

dsstaoist — Tue, 12 Mar 2019 01:43:48 GMT

Hi All,

We have a ASA5510 running version 8.2(5). My predecesor configured it to send traffic to our Websense server for filtering, which is successful. Because we're running low on Websense licenses, and because we don't have a need to have our servers filtered, I added exceptions yesterday as follows:

filter url except 10.1.1.15 255.255.255.255 0.0.0.0 0.0.0.0 allow

Sure enough, when I try to access previously forbidden sites on that server, the traffic is allowed.

However - and this is my question - the Websense box still "sees" the IP and accordingly counts it against licenses. If the ASA is configured to ignore the IP with the above command, why is it still sending it to the Websense server, especially even if it continues to allow traffic? (I have restarted all the websense services in the order their support site suggests between attempts as well).

Thanks,

Filtered URLs in ASA Still Sent to Websense?

Julio Carvajal — Wed, 15 May 2013 18:36:56 GMT

Hello David,

Got it.. Can you post the entire ASA config?

regards,

Filtered URLs in ASA Still Sent to Websense?

dsstaoist — Wed, 15 May 2013 18:55:07 GMT

Sorry, no. We have pretty strict confidentiality controls due to the work we do here. I can verify/check particular items though if you'd like.

Filtered URLs in ASA Still Sent to Websense?

Julio Carvajal — Wed, 15 May 2013 18:57:19 GMT

What a shame..

Then do captures on the asa interface connecting to the websense and provide me what you see on the 5 and 6th bit of the payload on the packets sent to the websense appliance, also the message type

Filtered URLs in ASA Still Sent to Websense?

dsstaoist — Wed, 15 May 2013 19:05:21 GMT

Yeah, I know 😞 How would I do what you're asking on the capture part?

Filtered URLs in ASA Still Sent to Websense?

Julio Carvajal — Wed, 15 May 2013 19:07:50 GMT

Hello David,

On wireshark, no way I can send you the steps or photos of how to do it as I do not have any websense to play with,

You could do the captures and sent them privately to me but I would say its not an option based on the security policy of your company

regards

Filtered URLs in ASA Still Sent to Websense?

dsstaoist — Wed, 15 May 2013 19:12:18 GMT

I can send the firewall config privately if you're a Cisco employee, which based on your email address it seems you are. Shall I?

Filtered URLs in ASA Still Sent to Websense?

Julio Carvajal — Wed, 15 May 2013 19:15:16 GMT

Hello,

Sure, go ahead

Filtered URLs in ASA Still Sent to Websense?

dsstaoist — Wed, 15 May 2013 19:25:28 GMT

Sent.

Filtered URLs in ASA Still Sent to Websense?

dsstaoist — Fri, 17 May 2013 15:52:34 GMT

Ok, I believe I found the root cause and the fix seems to work. Simply, if HTTPS filtering is turned on, and you exclude an IP using "filter url..." you also need to exclude it using "filter https...". Even if the machine behind a particular IP is only sending HTTP requests (presumably) for sites like cnn.com or msn.com, the ASA seems to forward the IP to Websense anyway to check for HTTPS filter policies/etc. Excluding this as mentioned, from both http and https, seems to do the trick after a websense service restart and license report generation.

Filtered URLs in ASA Still Sent to Websense?

Julio Carvajal — Fri, 17 May 2013 16:34:51 GMT

Hello David,

Interesting enough,

Glad to know everything is working now