08-01-2017 09:40 AM - edited 03-12-2019 06:28 AM
I can't seem to figure out where this is falling down. Britecloud had this URL: http://www.redwingbusinessadvantageaccount.com categorized as 'Parked Domains' back on 7/26/2017. I submitted a change request and it's now 'Business and Economy'.
Britecloud changed the category quickly; I checked the website on 7/28 and the change was complete. Everything with this process worked as expected.
Unfortunately my Firepower instance still has it marked as 'Parked Domains'.
Under System, Integration, URL filtering is enabled, Enable Automatic Updates is enabled and Query Cisco CSI for Unknown URLs is also enabled.
Firepower lists the Last URL Filtering Update: 2017-07-31 20:07:02 - this date is well past the date I had visually confirmed the update to be in.
How do I confirm the category, or force reload of the URL cache?
08-01-2017 11:37 PM
If the URL DB is already up to date, then you can try restarting snort and SFDataC on the sensor and see if you see the changed category.
Log in to the sensor, go to expert mode, become root (sudo su):
Commands:
pmtool restartbytype snort (This causes a few packet drops)
pmtool restartbyid SFDataC
Let me know if that helps.
Regards,
Dv
08-02-2017 01:18 PM
Unfortunately those restarts did not help.
I also looked at the /var/log/urldb_log on management center, it shows 'Up to date' with the current timestamps.
On the sensor in var/log/messages, it shows the current database version being put into use. This DB version matches the britecloud web site.
Aug 2 00:38:19 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLookup [INFO] Loading the URLDB File full_bcdb_rep_5.270.bin
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLook [INFO] Updating Current Database data, full_bcdb_rep_5.270.bin 5.270
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLUserIP_CorrelatorThread [INFO] Loaded URL DB into shared memory
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:URLDBLookup [INFO] Scess, attached to database
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:DataMessaging_UserGroupUrlAPI [INFO] Swapped shmem db pointers
edit: I suppose I should note that this isn't the first time I've asked Britecloud to adjust a URL category and then not have it update locally. I've worked around it in the past by creating an object for the URL and adding it to a white list. The workaround works, but it seems like something that should work.
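The log check described in the post above, as an added example that is not part of the original thread or Cisco's tooling: it parses the SF-IMS lines quoted there and reports which URL DB version was loaded and whether sfpreproc swapped to it afterwards. The function name, the result keys and the reading of "Swapped shmem db pointers" as the Snort-side pickup are assumptions.

```python
import re

# Log lines quoted in the post above (sensor messages log), embedded so this runs offline.
SAMPLE = """\
Aug 2 00:38:19 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLookup [INFO] Loading the URLDB File full_bcdb_rep_5.270.bin
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLook [INFO] Updating Current Database data, full_bcdb_rep_5.270.bin 5.270
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLUserIP_CorrelatorThread [INFO] Loaded URL DB into shared memory
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:URLDBLookup [INFO] Scess, attached to database
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:DataMessaging_UserGroupUrlAPI [INFO] Swapped shmem db pointers
"""

# Syslog prefix, then "process:component [LEVEL] message" as seen in the quoted lines.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sSF-IMS\[\d+\]:\s\[\d+\]\s"
    r"(?P<proc>[^:\s]+):(?P<comp>\S+)\s\[(?P<level>\w+)\]\s(?P<msg>.*)$"
)
UPDATE = re.compile(r"Updating Current Database data, (\S+) (\S+)")

def urldb_status(text, expected_version):
    """Summarise what the log says about the URL DB in use (hypothetical helper)."""
    status = {"file": None, "version": None,
              "correlator_loaded": False, "snort_swapped": False}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an SF-IMS line in the expected shape
        proc, msg = m["proc"], m["msg"]
        upd = UPDATE.search(msg)
        if proc == "SFDataCorrelator" and upd:
            # A new DB was announced: forget flags that belonged to the old one.
            status.update(file=upd[1], version=upd[2],
                          correlator_loaded=False, snort_swapped=False)
        elif proc == "SFDataCorrelator" and "Loaded URL DB into shared memory" in msg:
            status["correlator_loaded"] = status["version"] is not None
        elif proc == "sfpreproc" and "Swapped shmem db pointers" in msg:
            # Only counts if it follows the load of the current DB (assumed ordering).
            status["snort_swapped"] = status["correlator_loaded"]
    status["matches_expected"] = status["version"] == expected_version
    return status

if __name__ == "__main__":
    print(urldb_status(SAMPLE, "5.270"))
```

If all three flags are true for the version shown on the vendor site, the log gives no sign of a stale database file on the sensor, which is the situation the poster describes.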
08-03-2017 06:29 AM
I quickly checked in my lab and pretty much I see the new category assigned to it, which is Business & Economy. I would be happy to take a look at the device if you can open up a TAC case & give me the SR number. We can try removing global shared memory for and then re-associate the bcdb with SFDataC and Snort.
08-04-2017 07:24 AM
Hi Dv, I've opened SR# 682820411. Thank you for following up!
04-26-2018 09:33 AM
07-26-2023 05:16 AM
Any update? I have the same issue.