rgnelson
Beginner

Firepower seems to have cached old URL category, how to force update?

I can't seem to figure out where this is falling down. BrightCloud had this URL: http://www.redwingbusinessadvantageaccount.com categorized as 'Parked Domains' back on 7/26/2017. I submitted a change request and it's now 'Business and Economy'.

BrightCloud changed the category quickly, I checked the website on 7/28 and the change was complete. Everything with this process worked as expected.

Unfortunately my Firepower instance still has it marked as 'Parked Domains'

Under System, Integration, URL filtering is enabled, Enable Automatic Updates is enabled and Query Cisco CSI for Unknown URLs is also enabled. 

Firepower lists the Last URL Filtering Update: 2017-07-31 20:07:02 - this date is well past the date I had visually confirmed the update to be in.

How do I confirm the category, or force reload of the URL cache? 

5 REPLIES
Dinesh Verma
Cisco Employee

If URL DB is up-to-date already then you can try restarting snort and SFDataC on sensor and see if you see changed category.

Login to sensor, go to expert mode, become root (sudo su):

Commands :

pmtool restartbytype snort (This causes a few packet drops)

pmtool restartbyid SFDataC

Let me know if that helps.

Regards,

Dv

Unfortunately those restarts did not help. 

I also looked at the /var/log/urldb_log on management center, it shows 'Up to date' with the current timestamps. 

On the sensor in /var/log/messages, it shows the current database version being put into use. This DB version matches the BrightCloud website.

Aug 2 00:38:19 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLookup [INFO] Loading the URLDB File full_bcdb_rep_5.270.bin
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLook [INFO] Updating Current Database data, full_bcdb_rep_5.270.bin 5.270
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLUserIP_CorrelatorThread [INFO] Loaded URL DB into shared memory
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:URLDBLookup [INFO] Scess, attached to database
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:DataMessaging_UserGroupUrlAPI [INFO] Swapped shmem db pointers

edit: I suppose I should note that this isn't the first time I've asked BrightCloud to adjust a URL category and then not have it update locally. I've worked around it in the past by creating an object for the URL and adding it to a white list. The workaround works, but it seems like something that should work.
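The check described in the reply above (which URL DB file the sensor loaded, and whether sfpreproc attached to it afterwards), as an added example that is not part of the original thread or of Cisco's tooling. It assumes the message wording shown in the quoted log lines; the function name and the expected-version argument are hypothetical.

```python
import re

# Constructed sample input: the sensor syslog lines quoted in the post above.
SAMPLE_LOG = """\
Aug 2 00:38:19 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLookup [INFO] Loading the URLDB File full_bcdb_rep_5.270.bin
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLDBLook [INFO] Updating Current Database data, full_bcdb_rep_5.270.bin 5.270
Aug 2 00:38:20 vh-asasfr-1 SF-IMS[4417]: [4555] SFDataCorrelator:URLUserIP_CorrelatorThread [INFO] Loaded URL DB into shared memory
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:URLDBLookup [INFO] Scess, attached to database
Aug 2 00:38:30 vh-asasfr-1 SF-IMS[18850]: [18850] sfpreproc:DataMessaging_UserGroupUrlAPI [INFO] Swapped shmem db pointers
"""

# Layout assumed from those lines: "... SF-IMS[pid]: [id] process:component [LEVEL] message"
LINE_RE = re.compile(r"SF-IMS\[\d+\]:\s+\[\d+\]\s+(?P<proc>[^:\s]+):\S+\s+\[\w+\]\s+(?P<msg>.*)$")
DB_FILE_RE = re.compile(r"full_bcdb_rep_(\d+\.\d+)\.bin")
# (process, message fragment) -> step name; wording taken from the quoted lines
STEPS = {
    ("SFDataCorrelator", "Loaded URL DB into shared memory"): "loaded_shmem",
    ("sfpreproc", "attached to database"): "preproc_attached",
    ("sfpreproc", "Swapped shmem db pointers"): "pointers_swapped",
}

def _fresh(version=None):
    return {"version": version, **{step: False for step in STEPS.values()}}

def url_db_reload_status(log_text, expected_version):
    """Summarise the most recent URL DB reload found in sensor syslog text."""
    status = _fresh()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an SF-IMS line
        proc, msg = m["proc"], m["msg"]
        db = DB_FILE_RE.search(msg)
        if proc == "SFDataCorrelator" and db and msg.startswith("Loading the URLDB File"):
            status = _fresh(db.group(1))  # a new reload starts; forget older steps
            continue
        for (step_proc, fragment), step in STEPS.items():
            if proc == step_proc and fragment in msg:
                status[step] = True
    status["complete"] = all(status[s] for s in STEPS.values())
    status["matches_expected"] = status["version"] == expected_version
    return status

if __name__ == "__main__":
    # "5.270" is the version in the quoted lines; pass the version you expect instead.
    print(url_db_reload_status(SAMPLE_LOG, "5.270"))
```

This confirms only which database version was loaded and attached; it says nothing about the category returned for an individual URL.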

I quickly checked in my lab and pretty much I see the new category assigned to it which is Business & Economy. I would be happy to take a look at the device if you can open up a TAC case & give me the SR number. We can try removing global shared memory for and then re-associate the bcdb with SFDataC and Snort.

Hi Dv, I've opened SR# 682820411. Thank you for following up!

Are you able to give us an update? It seems we have the same issue.