06-28-2022 08:17 AM
We noticed a strange phenomenon with at least two sites, both of which are using Adobe fonts (typenet.net), when accessed from behind our ASA with FTD.
Looking at the developer tools console in chrome, I can see that while the page is loading, the browser sits and eventually times out waiting for a response while trying to load a font from p.typekit.net, and we see this from both Windows and Mac clients on our internal network. The actual requested URL in one case is:
https://p.typekit.net/p.css?s=1&k=oci4iyo&ht=tk&f=15779.15782&a=86990265&app=typekit&e=css
When analyzing the connection event logs in FMC, I am not seeing any relevant connections from the clients getting blocked, when loading these sites. Outside of our network, the issue does not come up. The client's we're seeing this from have access to http and https in our ACLs and aren't going through a proxy. Has anyone else run up against this?
Versions:
FTD 6.7.0.3
Snort 2.9.17 (Build 3014)
Rule Update 2022-06-16-001
Thanks
06-28-2022 06:49 PM
09-02-2022 11:58 AM
Hi Maury,
Just ran into something similar, and what I found was that my 2120 was associating the URL https://p.typekit.net with a web application called Burnbook (an anonymous messaging app) which Cisco classifies as a Very High Risk application and was blocking it per a rule to block Very High Risk applications. I discovered this by viewing Connection Events filtered for my workstation IP while trying to load the website in question. I tried whitelisting the typekit URL with no effect. However whitelisting this Burnbook app did the trick. Not sure how/why Adobe's hosted web font service got linked with this Burnbook app by Cisco in their VDB.
Hope that helps,
John
12-09-2022 10:08 AM
I have the same experience. Web pages were taking 30+ Seconds to load. Using Dev Tools in the browser confirmed a use.typekit.net file was failing to load. But only behind our FTD's/FMC not on personal / offsite machines.
Looked at the logs, scanned the url/file with Talos, all came back fine. FMC Events shows BurnBook application as well.
I guess i'm going to whitelist BurnBook. Bummer. Is there a method to notify Talos of this mis-assignment?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide