01-06-2020 05:50 AM - edited 02-21-2020 09:48 AM
Hi, I have enabled DPI inspection on my FTD units. When I whitelist a URL by domain or URL, via the connection events in the FMC, I am still getting blocked for the URL category. Per the event log, it is getting decrypted, and the behavior is the same with other sites that use the same ACP. I even see the URL listed in the Global-Whitelist-for-URL feed when I log in to the FTD appliance. Any suggestions on what else to look for? Running 6.4.0.4.
01-08-2020 12:10 AM
Security Intelligence happens before ACP and decryption, so something is not right here. Do you see these events in Analysis > Security Intelligence Events?
01-08-2020 04:39 AM
I opened a case with TAC. The issue was a misunderstanding of how SI works. Apparently the SI URL whitelist only whitelists the security intelligence but doesn't allow a fast path before the ACP. You cannot whitelist a URL via the SI feed; it still checks the ACP.