04-02-2021 08:44 AM
Hi Team
I'm using FTD on ASA 5506x v6.2.3.16-59 (managed by Firepower Device Management) with updates:
Two days ago I reported to BrightCloud support that http://www.szachypolskie.pl/ should be categorized (it was under the Uncategorized category). I've got confirmation from them that they have updated the site to the Sports category. This change is now published in the BrightCloud Service and is available in Database version 7.704.
Could someone help me to troubleshoot why this site is still blocked?
It seems to me that troubleshooting from Events section of Firepower Device Management is VERY limited.
I couldn't find event related to this particular issue.
Do I really need FMC to manage my FTD properly? Seriously? For a home deployment?
I'm looking for your advice
Regards
Slawek
04-02-2021 07:22 PM
Hi
On Talos Intelligence, the site is categorized as sports and recreation, so it should go through.
You should see the log under monitoring/event menu. Can you share the log of that traffic and also the rule you created please?
04-03-2021 02:15 AM
Hi Francesco
It seems that my FTD is still using an outdated BrightCloud database version. Under events we can see:
so the URL filtering rule was hit - that's good. Why is there still a wrong category? Why is no geolocation detected?
My rule set looks like:
Please let me know if I should modify my rule set.
Once, when I enabled Security Intelligence with balanced security, it blocked all DNS traffic. No idea why. Any idea what was wrong?
Looking forward to your advice
Slawek
04-03-2021 07:42 AM - edited 04-03-2021 07:43 AM
Well, geolocation and originator country didn't get populated because the traffic came from your inside network's RFC 1918 address (192.168.0.0/16).
I can only think that Firepower is caching the previous disposition despite BrightCloud having updated the cloud-side database. I found a bug ID that appears to describe this behavior exactly:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw57184/?rfs=iqvred
If you have support, Cisco TAC can run a script to clear the cache.
As a workaround you could add a higher level rule specifically allowing that URL - thus avoiding the Block rule lower down.
Newer versions of FDM have a place where we can modify the cache settings:
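A simplified model of the situation Marvin describes, added here as an illustration and not code from any post or from Cisco: a device-side category cache that is consulted before the cloud service, evaluated against an ordered, first-match rule set. The rule names, the stale cache entry and the cloud answer are constructed from what the thread states; the evaluation logic is an assumption about FTD behaviour, not Cisco's implementation.

```python
# Illustrative model of stale URL-category caching versus rule ordering.
# Constructed for this thread; not Cisco code and not the real FTD engine.
from dataclasses import dataclass, field

CLOUD_DB = {"www.szachypolskie.pl": "Sports"}            # what BrightCloud now returns
STALE_CACHE = {"www.szachypolskie.pl": "Uncategorized"}  # what the device still has cached


@dataclass
class Rule:
    name: str
    action: str                                   # "allow", "block" or "trust"
    urls: set = field(default_factory=set)        # explicit URL matches (empty = any)
    categories: set = field(default_factory=set)  # category matches (empty = any)


def lookup_category(host, cache, cloud):
    """Device-side lookup: a cached disposition wins over the cloud answer."""
    if host in cache:
        return cache[host]
    cat = cloud.get(host, "Uncategorized")
    cache[host] = cat
    return cat


def evaluate(host, rules, cache, cloud=CLOUD_DB):
    """First matching rule decides, as in an ordered access control policy."""
    category = lookup_category(host, cache, cloud)
    for r in rules:
        if r.urls and host not in r.urls:
            continue
        if r.categories and category not in r.categories:
            continue
        return r.name, r.action, category
    return "default", "block", category


BASE_RULES = [
    Rule("URL filtering", "block", categories={"Uncategorized"}),
    Rule("IN to OUT", "allow"),
]


def with_stale_cache():
    """Stale cache entry -> site still hits the Uncategorized block rule."""
    return evaluate("www.szachypolskie.pl", BASE_RULES, dict(STALE_CACHE))


def after_cache_clear():
    """Empty cache -> cloud answer (Sports) is used and the allow rule matches."""
    return evaluate("www.szachypolskie.pl", BASE_RULES, {})


def with_override_rule():
    """Marvin's workaround: a higher rule allowing the URL bypasses the block."""
    rules = [Rule("allow szachypolskie", "allow", urls={"www.szachypolskie.pl"})] + BASE_RULES
    return evaluate("www.szachypolskie.pl", rules, dict(STALE_CACHE))
```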
04-03-2021 07:13 PM
Hi
Marvin is right, you’ll need to call TAC.
However, if you want to run it or take a look at it, you can go to the folder /ftd/app_bin/root/ngfw/var/sf/bin and run the script url_cache_tool.pl
Just to make sure the folder is the right one: once logged on to your FTD using SSH, you will need to go into expert mode and then go into sudo su (use your admin password to enter sudo space).
Then, you can run the command: find / -name url_cache_tool.pl
The output will show you the full path. You can just run it.
Let us know if that works
04-05-2021 03:20 AM
Hi Francesco
I've used the script url_cache_tool.pl but afterwards I got some issues:
1. about 10 min after I ran it I was unable to open any web page via browser (while I was able to ping host names)
2. I rebooted my FTD, same results.
3. I disabled my "URL filtering" rule (I changed BLOCK to Trust mode) and did a commit
this workaround "fixed" the issue temporarily.
I decided to restore my config to understand what has happened.
I reverted "URL filtering" to BLOCK and checked the settings for Uncategorized websites to:
Once I committed again most websites were inaccessible, i.e.:
and from device logs:
so it seems that I still have issues with URL filtering (BrightCloud cache).
Is there anything else what I can check on my device? - I can't engage TAC
Why is it not pulling the correct URL category from the BrightCloud service?
My intention is to block uncategorized URLs with reputation set to Suspicious site or High - how do I achieve it?
Are there other functions on FTD which I can use to get such URLs blocked?
With regards
Slawek
04-06-2021 10:22 AM
Hi all
Can I ask you to review my last update?
I still can't use URL filtering with blocking enabled for Uncategorized web pages - why?
With regards
Slawek
04-06-2021 11:14 AM - edited 04-06-2021 11:16 AM
Hi all
I've decided to create a dedicated rule for Uncategorised URLs (rule number 4)
and now in logs, traffic to https://speed.cloudflare.com/ hit rule "IN to OUT" (rule number 6)
That's good for me, but I'm still looking for an explanation of why it was blocked previously.
Anyway, I will keep my eyes open on this problem
Regards
Slawek
04-02-2021 08:38 PM - edited 04-02-2021 08:39 PM
Francesco, Cisco only transitioned to Talos for Firepower 6.5 and later. The 6.2.3.16 used by the poster still uses BrightCloud.
04-02-2021 08:43 PM
Yes, you're right, and I didn't notice the version.
Anyways, the category is fine on both cloud services. So the question to get the traffic event and rule configuration is still valid.