https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4020318#M933781 <P>I'm trying to allow traffic to and from a URL, specifically upgrade.bitdefender.com/av64bit-eps or ip add: 104.18.168.222. I've attached an image of how it's configured on the FMC. Traffic is still not being allowed so I'm trying to confirm what the issue is. I've attached a packet trace as well as some other items</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:52:42 GMT Vic48 2020-02-21T17:52:42Z https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4020318#M933781 <P>I'm trying to allow traffic to and from a URL, specifically upgrade.bitdefender.com/av64bit-eps or ip add: 104.18.168.222. I've attached an image of how it's configured on the FMC. Traffic is still not being allowed so I'm trying to confirm what the issue is. I've attached a packet trace as well as some other items</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:52:42 GMT https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4020318#M933781 Vic48 2020-02-21T17:52:42Z https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4020319#M933784 Hi,<BR />Remove the source portsm change to any and then try again.<BR />Useful command, try using the "system support firewall-engine-debug" from the CLI of the FTD and then perform a test and observe the output.<BR /><BR />HTH Wed, 29 Jan 2020 15:57:27 GMT https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4020319#M933784 Rob Ingram 2020-01-29T15:57:27Z https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4021209#M933785 <P>Thanks again for the reply. I updated the ports to any, but the outcome was still the same. I also tried the suggested command and here's the output:</P><P>&nbsp;</P><P>admin@firepower:~$ system support firewall-engine-debug<BR />-sh: system: command not found<BR />admin@firepower:~$ system ?<BR />-sh: system: command not found<BR />admin@firepower:~$</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 30 Jan 2020 18:06:56 GMT https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4021209#M933785 Vic48 2020-01-30T18:06:56Z https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4021214#M933787 That command is run from the FTD and not in expert mode.<BR /><BR />What is the configuration of those URLs? Thu, 30 Jan 2020 18:14:45 GMT https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4021214#M933787 Rob Ingram 2020-01-30T18:14:45Z https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4023448#M933796 <P>I figured out how to run the command, but never got any output from the debug. Does that mean that traffic from PC isn't hitting the FMC?&nbsp; However when I ran a packet trace from the FMC the traffic appears to be allowed.</P><P>&nbsp;</P><P><SPAN class="tabs2_section tabs2_section_1 tabs2_section1 tab_section"><SPAN class="section sn-stream-section"><SPAN class="sn-widget-textblock-body sn-widget-textblock-body_formatted">Phase: 1<BR />Type: CAPTURE<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />MAC Access list<BR /><BR />Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list<BR /><BR />Phase: 3<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 207.225.150.1 using egress ifc OUTSIDE<BR /><BR />Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group CSM_FW_ACL_ global<BR />access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE any ifc OUTSIDE any rule-id 268434433<BR />access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: WILD-VPN - Default<BR />access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Allow All<BR />Additional Information:<BR />This packet will be sent to snort for additional processing where a verdict will be reached<BR /><BR />Phase: 5<BR />Type: CONN-SETTINGS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />class-map class-default<BR />match any<BR />policy-map global_policy<BR />class class-default<BR />set connection advanced-options UM_STATIC_TCP_MAP<BR />service-policy global_policy global<BR />Additional Information:<BR /><BR />Phase: 6<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 7<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 8<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 9<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 10<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 11<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 19909447, packet dispatched to next module<BR /><BR />Phase: 12<BR />Type: EXTERNAL-INSPECT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Application: 'SNORT Inspect'<BR /><BR />Phase: 13<BR />Type: SNORT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Snort Trace:<BR />Packet: TCP, SYN, seq 1044228831<BR />Session: new snort session<BR />AppID: service unknown (0), application unknown (0)<BR />Firewall: starting rule matching, zone 2 -&gt; 1, geo 0 -&gt; 0, vlan 0, sgt 65535, username 'No Authentication Required', , icmpType 0, icmpCode 0<BR />Firewall: pending rule-matching, 'Allow All' , pending URL<BR />Snort id 2, NAP id 1, IPS id 0, Verdict PASS<BR />Snort Verdict: (pass-packet) allow this packet<BR /><BR />Phase: 14<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 207.225.150.1 using egress ifc OUTSIDE<BR /><BR />Phase: 15<BR />Type: ADJACENCY-LOOKUP<BR />Subtype: next-hop and adjacency<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />adjacency Active<BR />next-hop mac address 0000.0c07.ac01 hits 2359096 reference 50<BR /><BR />Result:<BR />input-interface: INSIDE<BR />input-status: up<BR />input-line-status: up<BR />output-interface: OUTSIDE<BR />output-status: up<BR />output-line-status: up<BR />Action: allow </SPAN></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="tabs2_section tabs2_section_1 tabs2_section1 tab_section">The odd thing is that even though the: upgrade.bitdefender.com/av64bit-eps/versions.dat is allowed on the FMC no vmware servers can reach it. The following pic is what would come up if it could be reached. How is it that packet tracer shows it as reachable yet the servers cannot?</SPAN></P><P>&nbsp;</P><P><SPAN class="tabs2_section tabs2_section_1 tabs2_section1 tab_section">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image (4).png" style="width: 659px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/66472iBF1417C09F24BC01/image-size/large?v=v2&amp;px=999" role="button" title="image (4).png" alt="image (4).png" /></span></SPAN></P><P>&nbsp;</P><P><SPAN class="tabs2_section tabs2_section_1 tabs2_section1 tab_section"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-02-04_9-56-29.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/66473iD1CE3AB26ED97442/image-size/large?v=v2&amp;px=999" role="button" title="2020-02-04_9-56-29.png" alt="2020-02-04_9-56-29.png" /></span></SPAN></P> Tue, 04 Feb 2020 15:38:45 GMT https://community.cisco.com/t5/network-security/cisco-fmc-url-policy-issue/m-p/4023448#M933796 Vic48 2020-02-04T15:38:45Z