
Sourcefire URL filtering - odd behavior

David Inabinet
Level 1

I'm seeing some strange behavior with our new ASA 5545-X with the Sourcefire URL filtering.

I'm intermittently able to get to known bad sites that should be blocked. For example, we are testing the porn URL filtering and our device is configured to NOT allow any Nudity. For some time, I'm able to browse playboy.com or some of the other known bad sites. Then, without any configuration changes, the sites get blocked. It also seems that after an undetermined amount of time, the sites are allowed, at least for the first attempt then they are blocked again - sending users to the block page. 

Also, a few sites (well-known Adult sites) are allowed when, clearly, they should be blocked.

Is anyone seeing anything like this?

31 Replies

Thanks Burkhard!

I searched for this URL for almost two hours yesterday and didn't find it in any Firepower docs, nor by searching the Cisco website or the net.

It seems that this doesn't check the Firepower URL category database as that's not selectable and the URL I've tried to check is in no category for all four available databases.

What does it show in Senderbase.org? Or what is the URL?

It shows neutral. The URL is https://wgmail.bleier.at which is categorized as Adult/Pornography.

I submitted the URL for you. It takes up to 24 hours to be verified.

I would love to add the website to a certain category classification; unfortunately, I don't have an appropriate account to make those changes.

The website which I wish to change is used as a Filter Avoidance tool; however, it isn't marked as such: www.expressvpn.com

Could you please help me out regarding this pressing matter?

Thanks in advance,

That URL is indeed categorized as Filter Avoidance.

http://www.senderbase.org/lookup/?search_string=www.expressvpn.com

Remember, Firepower is not using Senderbase as the source for URL filtering.

The source is Webroot. I assume this will be moved to Senderbase but no ETA on that.

http://www.brightcloud.com/tools/url-ip-lookup.php

www.expressvpn.com is classified on Webroot/BrightCloud as:

Computer and Internet Security
Business and Economy

You can request a URL category change there.

Then you'll have to block Google. Sourcefire does not have a Safe Search function yet.

Remember that this is an IPS appliance that has had multiple add-ons like URL filtering, NAT, VPN, etc. If you want tried and true URL filtering you should look at the WSA.

I understand your point but if the product doesn't work they shouldn't sell it or at least label it as "Beta". It is touted as a top tier URL filtering solution.

 

I spoke with TAC today. They are aware of the issue and will be getting back to me with a workaround until an official patch is released. 

I opened a ticket yesterday and had a tech call me back and resolve this issue. There is a bug that is fixed in v5.3.1.2 and v5.4. After the tech applied the fix the issue was resolved.

mikgruff3
Level 1

Same here running same code.

Margarita Malacara Cruz
Cisco Employee

I am having this same issue but we are running v5.4.1 build 59.  

My customer has a rule configured to block "Adult and Pornography" as well as "Music" sites. After successfully reaching www.vainaporno.com and www.suenamp3.com, the Connection Events show no URL category set for any of these sites. 

Is there a way to block uncategorized sites? He prefers to create a new rule allowing permitted sites 'on-demand' after the Connection Event has been reviewed. 

Also, according to the Brightcloud URL / IP Lookup tool, the site www.vainaporno.com is actually categorized as "Adult and Pornography". But the Connection Events on the Defense Center don't show any URL category set. 

 

http://www.brightcloud.com/tools/url-ip-lookup.php

 
