
Sourcefire | List of sites under social networking category

John
Level 1

Hi Team,

I would like to ask about a possible copy of the URLs or sites that are under the social networking category in Firepower/FireSIGHT.

12 Replies

Marvin Rhoads
Hall of Fame

Brightcloud is the source Cisco uses for the URL categories.

You can look up a given site using http://www.brightcloud.com/tools/url-ip-lookup.php.

You cannot download a copy of all the sites they include for a given category.

Hi Marvin,

Do you know how often they update this list? Yesterday I totally went crazy at one customer; I was not able to block the most famous adult and proxy sites. Is this a bug?

It's updated continually - i.e. multiple times throughout the day.

Did you check the connection records for the traffic that was not being blocked and see the Category that FirePOWER assigned the traffic?

Yes, I see that this site falls under Uncategorized, but when I check it on the site it shows that it is already under the adult category.

Are any sites showing up categorized correctly? If your FMC DNS lookups aren't working, that would cause all site lookups to fail (= Uncategorized).

After running the verification commands, I see that I can successfully connect to the Brightcloud database and resolve it.

admin@firepower2:~$ sudo nslookup service.brightcloud.com
Server: 192.168.10.250
Address: 192.168.10.250#53

Non-authoritative answer:
Name: service.brightcloud.com
Address: 52.210.56.12
Name: service.brightcloud.com
Address: 52.18.164.250

Server: 192.168.10.250
Address: 192.168.10.250#53

Non-authoritative answer:
Name: database.brightcloud.com
Address: 52.51.55.250
Name: database.brightcloud.com
Address: 54.171.36.173
Name: database.brightcloud.com
Address: 52.50.161.77

admin@firepower2:~$ telnet service.brightcloud.com 80
Trying 52.18.164.250...
Connected to service.brightcloud.com.
Escape character is '^]'.

That appears to be OK.

Can you share a screenshot of your Access Control Policy rules that you're using for URL Monitoring or Blocking?

If you cannot, it might be easiest to just open a TAC case.

Hi Marvin,

FYI.

That looks straightforward.

Assuming it's deployed to your devices, I would expect that policy to block the defined categories as long as your source user was not a member of the Managers or IT Dept. groups.

I have used similar policies on FirePOWER 5.3 through 6.2 and they worked fine.

You might want to open a TAC case so they can work with you interactively.

I am sure that the source was true, but it doesn't match. Unfortunately I cannot open a TAC case because the customer still wants to test and compare it with Checkpoint and PaloAlto, so what would you recommend doing?

Is there any list of what is under each category in FireSIGHT?

You can list the categories.

You cannot list the URLs that are within each category.
