cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1066
Views
0
Helpful
10
Replies
Highlighted
Beginner

Filtered URLs in ASA Still Sent to Websense?

Hi All,

We have a ASA5510 running version 8.2(5).  My predecesor configured it to send traffic to our Websense server for filtering, which is successful.  Because we're running low on Websense licenses, and because we don't have a need to have our servers filtered, I added exceptions yesterday as follows:

filter url except 10.1.1.15 255.255.255.255 0.0.0.0 0.0.0.0 allow

Sure enough, when I try to access previously forbidden sites on that server, the traffic is allowed.

However - and this is my question - the Websense box still "sees" the IP and accordingly counts it against licenses.  If the ASA is configured to ignore the IP with the above command, why is it still sending it to the Websense server, especially even if it continues to allow traffic?  (I have restarted all the websense services in the order their support site suggests between attempts as well).

Thanks,

DS

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Ok, I believe I found the root cause and the fix seems to work.  Simply, if HTTPS filtering is turned on, and you exclude an IP using "filter url..." you also need to exclude it using "filter https...".  Even if the machine behind a particular IP is only sending HTTP requests (presumably) for sites like cnn.com or msn.com, the ASA seems to forward the IP to Websense anyway to check for HTTPS filter policies/etc.  Excluding this as mentioned, from both http and https, seems to do the trick after a websense service restart and license report generation.

View solution in original post

10 REPLIES 10
Highlighted

Hello David,

Got it.. Can you post the entire ASA config?

regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

Sorry, no.  We have pretty strict confidentiality controls due to the work we do here.  I can verify/check particular items though if you'd like.

Highlighted

What a shame..

Then do captures on the asa interface connecting to the websense and provide me what you see on the 5 and 6th bit of the payload  on the packets sent to the websense appliance, also the message type

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

Yeah, I know :-(  How would I do what you're asking on the capture part?

Highlighted

Hello David,

On wireshark, no way I can send you the steps or photos of how to do it as I do not have any websense to play with,

You could do the captures and sent them privately to me but I would say its not an option based on the security policy of your company

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

I can send the firewall config privately if you're a Cisco employee, which based on your email address it seems you are.  Shall I?

Highlighted

Hello,

Sure, go ahead

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

Sent.

Highlighted
Beginner

Ok, I believe I found the root cause and the fix seems to work.  Simply, if HTTPS filtering is turned on, and you exclude an IP using "filter url..." you also need to exclude it using "filter https...".  Even if the machine behind a particular IP is only sending HTTP requests (presumably) for sites like cnn.com or msn.com, the ASA seems to forward the IP to Websense anyway to check for HTTPS filter policies/etc.  Excluding this as mentioned, from both http and https, seems to do the trick after a websense service restart and license report generation.

View solution in original post

Highlighted

Hello David,

Interesting enough,

Glad to know everything is working now

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Content for Community-Ad