07-07-2017 03:59 AM - edited 02-21-2020 06:12 AM
Hi,
I'm looking to investigate some URL events on the FMC, however I can't seem to find a way to get any further information in regards to them. I've tried to search through Analysis and nothing is showing in regards to a source IP or the blocked URL.
I've also tried to run a search for "High risk" under the URL reputation but it doesn't return any results.
Has anyone else had this issue of trying to find out which users are trying to do things / trigger URL blocks etc?
Thanks
Kris
07-07-2017 04:22 AM
The only reason you would not see those events with a specific search is that there is no such event with those search parameters, or maybe the connections do exist but the URL reputation or category is missing.
I would suggest you generate some traffic from a PC for a few websites and verify if you see reputation and category for them (Quick verification).
07-07-2017 04:39 AM
Adding to what DV advised, please make sure that you have enabled logging for the required rules.
07-07-2017 06:08 AM
Thank you both for the replies.
Logging is enabled. I've disabled, re-enabled and have redeployed the configuration to the device. I will see if that does anything but I doubt it.
I can see other events and some URL stuff but I'm just not getting a lot of it, which I would expect.
I will continue to have a look around and check if anything looks amiss.
07-09-2017 06:25 PM
Great. Let us know if you need any help. If this is something urgent, you can open up a case with us, else we would be glad to assist here.