05-15-2013 05:48 AM - edited 03-11-2019 06:43 PM
Hi All,
We have an ASA5510 running version 8.2(5). My predecessor configured it to send traffic to our Websense server for filtering, which is successful. Because we're running low on Websense licenses, and because we don't have a need to have our servers filtered, I added exceptions yesterday as follows:
filter url except 10.1.1.15 255.255.255.255 0.0.0.0 0.0.0.0 allow
Sure enough, when I try to access previously forbidden sites on that server, the traffic is allowed.
However - and this is my question - the Websense box still "sees" the IP and accordingly counts it against licenses. If the ASA is configured to ignore the IP with the above command, why is it still sending it to the Websense server, especially even if it continues to allow traffic? (I have restarted all the Websense services in the order their support site suggests between attempts as well.)
Thanks,
DS
05-15-2013 11:36 AM
Hello David,
Got it.. Can you post the entire ASA config?
regards,
05-15-2013 11:55 AM
Sorry, no. We have pretty strict confidentiality controls due to the work we do here. I can verify/check particular items though if you'd like.
05-15-2013 11:57 AM
What a shame..
Then do captures on the ASA interface connecting to the Websense and provide me what you see on the 5th and 6th bit of the payload on the packets sent to the Websense appliance, also the message type.
05-15-2013 12:05 PM
Yeah, I know :-( How would I do what you're asking on the capture part?
05-15-2013 12:07 PM
Hello David,
On Wireshark; no way I can send you the steps or photos of how to do it, as I do not have any Websense to play with.
You could do the captures and send them privately to me, but I would say it's not an option based on the security policy of your company.
regards
05-15-2013 12:12 PM
I can send the firewall config privately if you're a Cisco employee, which based on your email address it seems you are. Shall I?
05-15-2013 12:15 PM
Hello,
Sure, go ahead
05-15-2013 12:25 PM
Sent.
05-17-2013 08:52 AM
Ok, I believe I found the root cause and the fix seems to work. Simply, if HTTPS filtering is turned on, and you exclude an IP using "filter url..." you also need to exclude it using "filter https...". Even if the machine behind a particular IP is only sending HTTP requests (presumably) for sites like cnn.com or msn.com, the ASA seems to forward the IP to Websense anyway to check for HTTPS filter policies/etc. Excluding this as mentioned, from both HTTP and HTTPS, seems to do the trick after a Websense service restart and license report generation.
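A check for the gap described in the post above, added here as an example and not part of the original thread or any Cisco tooling: it scans a saved ASA configuration for `filter url except` entries that have no covering `filter https except` entry while HTTPS filtering is enabled, and generalizes the single-host case to subnets. The sample configuration is constructed (only the 10.1.1.15 line comes from the thread), and the `filter https except ... allow` form is assumed to mirror the `filter url except` line quoted in the question.

```python
import ipaddress

# Constructed sample config; only the 10.1.1.15 exception appears in the thread.
SAMPLE_CONFIG = """\
filter url except 10.1.1.15 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 10.1.1.16 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.1.16 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

def parse_filters(config):
    """Return ({proto: [(local_net, foreign_net)]}, set of protos being filtered)."""
    excepts, enabled = {"url": [], "https": []}, set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "filter" or tok[1] not in excepts:
            continue
        if tok[2] == "except":
            # ASA writes address + netmask pairs; convert them to network objects.
            local = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            foreign = ipaddress.ip_network(f"{tok[5]}/{tok[6]}", strict=False)
            excepts[tok[1]].append((local, foreign))
        else:
            # Any non-except line (e.g. "filter https 443 ...") turns filtering on.
            enabled.add(tok[1])
    return excepts, enabled

def missing_https_exceptions(config):
    """List the 'filter https except' lines needed to match the URL exceptions."""
    excepts, enabled = parse_filters(config)
    if "https" not in enabled:
        return []  # HTTPS filtering is off, so there is nothing to mirror
    missing = []
    for local, foreign in excepts["url"]:
        # An HTTPS exception covers the entry if it is equal to or broader than it.
        covered = any(local.subnet_of(l) and foreign.subnet_of(f)
                      for l, f in excepts["https"])
        if not covered:
            missing.append(
                f"filter https except {local.network_address} {local.netmask} "
                f"{foreign.network_address} {foreign.netmask} allow")
    return missing

if __name__ == "__main__":
    for line in missing_https_exceptions(SAMPLE_CONFIG):
        print(line)
```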
05-17-2013 09:34 AM
Hello David,
Interesting enough,
Glad to know everything is working now