
URL Category and Reputation failure on FTD

ShineSudheesh
Level 1

Hi all,

I am getting a URL Category and Reputation failure on FTD. There is no URL filtering license available on the device, and the URL monitor is also disabled in the health policy.

What could be the reason for this?

As per my understanding, FTD will not communicate directly with BrightCloud for the DB update; instead, FMC will push the DB update to FTD. Just correct me if I am wrong.

Also, can somebody tell me which port is used for downloading the URL database from FMC to FTD?

Thanks in advance.

Regards

Shine Sudheesh

7 Replies

Marvin Rhoads
Hall of Fame

Did you used to have a URL Filtering license and deploy an access control policy that uses that feature in a rule? That would cause the error you are seeing.

Yes the URL updates come via the FMC manager. The ASAs cache a certain amount of URLs locally (how many varies based on model of ASA). Those updates (and all others) come via the sftunnel communications with FMC. That uses tcp/8305.

Dear Marvin,
Thanks for your kind reply.

FTD is registered with FMC and it is working fine, which means TCP port 8305 is fine.

I am not sure whether the URL filtering license was used before and ACP rules that use the feature were deployed.
Now we have 1000+ ACP rules on the device. Do I need to manually verify each ACP rule to check whether it is using the URL filtering feature, or is there any other method to get rid of the issue?

Regards
Shine Sudheesh

Dear Team,
Is there any way to find URL-specific rules from FTD?

Regards
Shine Sudheesh

A rule using an unlicensed feature should have a yellow exclamation point in a triangle displayed in the ACP listing in FMC. Also, whenever you deploy that policy the deployment page will give you a warning about it.

You can also just glance at the URL column of the ACP and see if anything other than "Any" is in it. Even with 2000 rules, that's only 20 pages to glance at quickly. Or you could "show access-control-config" from the sensor CLI and search the output for "URL". Any rule with either a URL category or specific URL(s) will have that string embedded.

Dear Martin,
Thanks for the reply.
OK. I am not getting any warning regarding the URL when I am deploying the ACP to the FTD. If that is the case, it means no ACP rules are using that feature, correct?
Even so, I am still getting the alert. The FMC version we are running is 6.5.0.4 and FTD 6.4.x. Any bug issue?
Regards
Shine Sudheesh

Dear Marvin,
Adding some more points checked as per your suggestion.
++Verified the URL filtering license -----> No license available
++As you said, I should get the warning when I am deploying the ACP rule with an unlicensed feature --> No warning
++No connectivity from FMC to BrightCloud ---> In this case, I should get the URL alert for the FMC, correct? But I am getting the alert for the managed device
++SF tunnel is up between FMC and FTD

Regards
Shine Sudheesh

Dear Marvin,

Removed the health monitoring from the health policy (as URL Filtering is not in use) and deployed the health policy to the managed device. Issue resolved.

Regards
Shine Sudheesh