Firepower blocking Microsoft.com?

roundearther · ‎09-30-2019

Security Intelligence Events shows https://www.microsoft.com as being URL blocked and classified under Security Intelligence Category as "URL Malware."

Is Firepower's Collective Security Intelligence (CSI) URL blocking Microsoft.com?

CACorpITOps · ‎09-30-2019

Having this problem as well.

Jeff Sterck · ‎09-30-2019

I have this issue as well. Removing URL Malware from my URL filtering policy has made it work. I previously tried whitelisting the URL (HTTP/S) and, while that adds the URL into my whitelist, it does not supersede the URL Malware list.

Frustrating.

roundearther · ‎09-30-2019

I was able to get it to work by right-clicking on the URL in Connections > Security Intelligence Events and then clicking "Whitelist HTTP/S Connections to Domain Now" and "Whitelist HTTP/S Connections to URL Now."

Jeff Sterck · ‎09-30-2019

Interesting. I tried that as well and it did not work. Did it require you to deploy once you added them to the whitelists?

roundearther · ‎09-30-2019

No, I did not have to deploy.

-Sparrow- · ‎10-04-2019

Interesting... I'm seeing this same thing as well for a handful of IP's on my internal LAN, but I can browse to https://www.microsoft.com without issue. Haven't heard any complaints from any end users yet.

** Side note** Has anyone here seen an increase in "URL Malware" URL Blocks to https://mv-s2s-dev.ngrok.io?

I've seen this URL being blocked daily since about the 5th of September. Google doesn't reveal much about it. It triggers IOC's on some of our hosts every day.

Firepowered · ‎10-05-2019

You can 'Trust' microsoft.com, this should take care of it. Alternatively you can also add it to whitelist from the event log, deploy policy after you do that, to be sure.