
URLs in log that are not related to my network

Jesserony
Level 1

When reviewing our Firepower connection event logs for outside incoming connections to our sites, the value under the URL category usually makes sense: the name of a web site that we host. Occasionally it is something way off, like http://www.picbbs.net/

Which has absolutely no relation to our sites that I know of. I was assuming the URL was what they were trying to browse to.


It has to be someone from the inside network initiating the connection to the website. You can block this website. Below is an example config showing how to add it to the block list.

https://wannabecybersecurity.blogspot.com/2019/07/configuring-cisco-fmc-url-filtering.html

 

Please do not forget to rate.

Thanks Sheraz. I am still confused. Below are the hits I saw the other day. Notice the Initiator IP (143.92.32.49) is HKG (our servers are all in the USA) and the Responder IPs are all different, internal servers of ours. To me this looks like traffic from the outside, but I've been known to be a little thick-headed...


First Packet Last Packet Action Reason Initiator IP Initiator Country Responder IP Responder Country Ingress Security Zone Egress Security Zone Source Port / ICMP Type Destination Port / ICMP Code Application Protocol Client Web Application URL URL Category URL Reputation Device Security Context


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.130 Outside DMZ 46890 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 192.168.170.185 Outside Inside 44402 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.135 Outside DMZ 59584 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary
7/13/2022 3:54 7/13/2022 3:54 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.105 Outside DMZ 53554 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.107 Outside DMZ 59216 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/Account/Login?ReturnUrl=%2f Uncategorized Unknown COLO-ASA Primary
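
The triage described in the post above (external initiator, internal responders, a URL host that is not one of the hosted sites) can be scripted over exported connection events. This is an added example, not part of the original thread: the CSV column names, the `HOSTED_SITES` values, the RFC 1918 definition of "internal" and the last sample row are assumptions, while the other rows reuse the values from the post.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames this organisation actually serves (placeholder values).
HOSTED_SITES = {"www.example.com", "portal.example.com"}

# Assumption: "internal" means RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a CSV subset of the connection-event columns, using the
# values from the post plus one constructed row for a hosted site.
SAMPLE_EVENTS = """initiator_ip,responder_ip,dst_port,url
143.92.32.49,172.20.43.130,80,http://www.picbbs.net/
143.92.32.49,192.168.170.185,80,http://www.picbbs.net/
143.92.32.49,172.20.43.135,80,http://www.picbbs.net/
143.92.32.49,172.20.43.105,80,http://www.picbbs.net/
143.92.32.49,172.20.43.107,80,http://www.picbbs.net/Account/Login?ReturnUrl=%2f
198.51.100.7,172.20.43.130,80,http://www.example.com/
"""

def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def unexpected_inbound_hosts(events_csv, hosted=HOSTED_SITES):
    """Map (initiator, url_host) -> sorted responder IPs for outside-to-inside
    events whose logged URL host is not one of the hosted sites."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(events_csv)):
        if is_internal(row["initiator_ip"]) or not is_internal(row["responder_ip"]):
            continue  # keep only external initiator -> internal responder
        host = (urlsplit(row["url"]).hostname or "").lower()
        if host and host not in hosted:
            hits[(row["initiator_ip"], host)].add(row["responder_ip"])
    return {key: sorted(ips) for key, ips in hits.items()}

if __name__ == "__main__":
    for (src, host), responders in unexpected_inbound_hosts(SAMPLE_EVENTS).items():
        print(f"{src}: logged URL host {host} on {len(responders)} "
              f"internal servers: {', '.join(responders)}")
```

One initiator paired with the same unhosted URL host across several responders within a minute is the pattern the rows above show.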

Jitendra Kumar
Spotlight

If unwanted websites make a connection with your environment, it may be risky to take action and block them.

You can get help from here.

https://youtu.be/Ik6jfkVZYu8  

Thanks,
Jitendra

frknl
Level 1

I suggest you consider permitting these sites only in TCP sessions that are initialized from inside to outside. Whatever default rules you have, using explicit rules feels more secure.
