Security Intelligence Event View

keithcclark71
Level 3

I can see network-based IP blocks only within the SI event view.

When I blacklist a URL within the connection analysis view and verify it is in the URL Blacklist within the Security Intelligence section in object management, with no entry in the opposing whitelist for the same URL, then when navigating to the URL I do not see anything in Security Intelligence events; rather, it is shown as an allow in connection events. A URL Filtering license is in place as well. Is it normal to see URL blacklist hits within the Security Intelligence event viewer? That is what I would have expected.

5 Replies

keithcclark71
Level 3

I also have logging enabled within the SI event view for URL as well.

Hello,

Yes, you should be able to see IP and URL based blocks in the Security Intelligence Events table. I quickly tried manually blacklisting a URL from connection events and then observed whether it would be blacklisted by URL SI, and it was working like a charm. The reason for the blocked event would change from IP Block to URL Block depending on which blacklist contains the destination host.

What URL are you trying to block? Do you have the same results for all attempted websites, or do only some have this odd behaviour?

Looking forward to hearing from you.

Best regards,

Veronika

Veronika, can you try adding wivb.com to the global blacklist as a test and let me know the results?

I got the same results on FMC versions 6.2.0 and 6.2.0.1, but it's working fine on 6.2.1. The FMC is the one that is instructing the detection engine software version, so that's why the FMC version gives, in this case, different results on traffic processing with SI URL.

I will check whether there is already a software defect filed for this or not.

--

Veronika

Keith, can you let me know if you are using a hardware or software sensor appliance?
