cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
562
Views
0
Helpful
4
Replies

URLs in log that are not related to my network

Jesserony
Level 1
Level 1

When reviewing our firepower connection event logs for outside incoming connections to our sites, under the URL category, it usually makes sense, a name of a web site that we host. Occasionally it is something way off, like http://www.picbbs.net/

Which has absolutely no relation to our sites that i know of. I was assuming the URL was what they were trying to browse to.

4 Replies 4

it has to be some one from inside network initatie the connection to be website. you can block this website. below is the example config how to add it in block list

https://wannabecybersecurity.blogspot.com/2019/07/configuring-cisco-fmc-url-filtering.html

 

please do not forget to rate.
Ankita Ojha is a part of Cisco Firepower TAC team and is actively assisting Customers in EMEA theatre. She has experience in multiple firewall technologies. Also, she holds a bachelor's degree in Computer Science and Engineering.

Thanks Sheraz. I am still confused. Below are the hits i saw the other day. Notice the Initiator IP (143.92.32.49) is HKG (our server are all in USA) and the Responder IP are all different, internal servers of ours. To me this looks like traffic from the outside, but ive been known to be a little thick-headed...


First Packet Last Packet Action Reason Initiator IP Initiator Country Responder IP Responder Country Ingress Security Zone Egress Security Zone Source Port / ICMP Type Destination Port / ICMP Code Application Protocol Client Web Application URL URL Category URL Reputation Device Security Context


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.130 Outside DMZ 46890 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 192.168.170.185 Outside Inside 44402 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.135 Outside DMZ 59584 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary
7/13/2022 3:54 7/13/2022 3:54 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.105 Outside DMZ 53554 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/ Uncategorized Unknown COLO-ASA Primary


7/13/2022 3:54 7/13/2022 3:55 Allow Intrusion Monitor 143.92.32.49 HKG 172.20.43.107 Outside DMZ 59216 / tcp 80 (http) / tcp HTTP Chrome http://www.picbbs.net/Account/Login?ReturnUrl=%2f Uncategorized Unknown COLO-ASA Primary

Jitendra Kumar
Spotlight
Spotlight

if unwanted websites make a connection with your environment it may be risky to take action and block them.

you can take help from here.

https://youtu.be/Ik6jfkVZYu8  

Thanks,
Jitendra

frknl
Level 1
Level 1

I suggest you to consider these sites for permit only in TCP seassions that initialized from inside to outside. Whatever the default rules you have, using explict rules feels more secure. 

Review Cisco Networking for a $25 gift card