Hi, again - nope, I guess it

gary.moon · ‎03-03-2017

We regularly will request recategorization of a domain through Brightcloud, and upon receiving word that the URL was recategorized, will go into /var/sf/cloud_download to find that the database version matches the latest number of the "full_bcdb_rep" bin file. Yet, the URL isn't available and looking at the events shows that hits to the URL are still resolving to the old category (or lack thereof).

Can someone tell me the details they know of what the steps are to get the Brightcloud database bin file active on the FPMC? It seems to be a lengthy delay sometimes of up to half a day longer after we've been notified of the change. I'd like to shorten that where pssible.

Thanks!

Marvin Rhoads · ‎03-04-2017

Have you enabled automatic updates of the URL Filtering data? ("System > Integration > Cisco CSI" in FMC 6.1 or later).

In that same page, you can also request an ad hoc update immediately. Normally the update is daily.

There is a technote with more details here:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117956-technote-sourcefire-00.html

gary.moon · ‎03-06-2017

Thanks for the input - yes, automatic updates are enabled, but that's a great idea, I'll do an 'update now' next time and see if it's improved.

gary.moon · ‎03-07-2017

Hi, again - nope, I guess it doesn't work that simply - I had just suggested recategorization of a site. After I received the email from webroot that the database had been updated with the new categorization, I ssh'ed to the box and checked the version of the database against mine on the FPMC. They matched the "full" as well as the "rep" bin file version. (In this case, 5.121).

So, I went to the FPMC, System>Integration and clicked Update Now on the URL filtering screen. Enable Automatic Updates is on. It says pending for a while, and then returns, but then the Last URL Filtering Update still shows yesterday's date, and the site isn't accessible. Trying to force a deploy doesn't seem to work, since it tells me that everything is up to date!

I'm still wondering how it really works, so I can give users a realistic expectation of how long it will be until they access their sites.

Thanks,

Ga

Sentia NOC · ‎10-26-2017

Hello!

Did you ever find a fix for the problem?

I have similar issues right now with URL filtering.

engahmedsaied · ‎11-08-2017

Same issue

dan.letkeman · ‎02-09-2018

I have to force it manually on the FMC and the Sensor due to the fact that it usually doesn't update at all even though the database is downloaded:

On the sensor CLI-
> expert
admin@2120fptd:~$ sudo su -
Password:
root@2120fptd:~# cd ..
root@2120fptd:/# pmtool restartbyid SFDataCorrelator
root@2120fptd:/# pmtool restartbytype snort

On the FMC CLI

root@FMC:~$ sudo su –
Password:
root@FMC:~# pmtool restartbyid CloudAgent
root@FMC:~# pmtool restartbyid SFDataCorrelator

Keep in mind you want to do this on off hours for the sensor as there will be a short disruption in traffic.

I currently have a TAC case open for this with no resolution as of yet.

rgnelson · ‎03-30-2018

I am seeing this on a fresh Firepower deployment, was there any resolution via TAC?

dan.letkeman · ‎04-01-2018

This is supposed to be fixed in 6.2.3. It was pulled due to a bug found but should be available in the next few days.

rgnelson · ‎04-02-2018

Thank you, this likely saves me the time of working with TAC.

maraz · ‎05-25-2018

Hello, did you get any respons from Cisco TAC regarding this?

Best Regards

Robert Maras

dan.letkeman · ‎05-25-2018

Doesn't look like they have fixed it yet.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc33964

Firepower URL rules not matching Brightcloud database