
10.5.3-024 XML feeds failing

tahscolony
Level 1

I have a blacklist feed that I serve off an internal server. It works fine for 10.5.2-072 as I have 3 servers fetching it. I did an upgrade on a test server for the JSON format for the O365 feeds, and while that works, it broke the XML feed. Current version not working is 10.5.3-025.

 

I get a protocol error.


Retrieving feed content from server...
Failure: Protocol error while fetching file from the server.

Test completed: Errors occurred, see details above.

 

I have a TAC opened and, a week later, no help. They blew off a WebEx this morning: I waited on it for 15 minutes and they didn't join. So I'm asking if anyone has run into this themselves and found a fix.

2 Replies

sadik.sener1
Level 1

If you still haven't got an answer for this, I had the same problem too.

 

I've opened up a case. Here is the answer:

 

Thanks for Contacting Cisco TAC. This is Zaid from Web Security and I will be assisting you with your service request during EMEA shift.

 

I’ve reviewed the case notes, and I can see that you’re concerned about external custom URL category O365 not getting updated on WSA and causing issues. Please note that this is related to the latest change on Microsoft side, where they have terminated the use of an XML feed to provide URLs and IP addresses used by the Office 365 services. The current XML format was unavailable starting from 2018-10-02, whereafter Microsoft moved to a REST API-based format. For more information, see Office 365 URLs and IP address ranges.

 

We have an enhancement link to track this change by Microsoft:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi91517/

Also, this Field Notice has been released to cover this announcement and provide workaround.

https://www.cisco.com/c/en/us/support/docs/field-notices/703/fn70307.html

 

Also, we have introduced new releases with this new feature to overcome this recent change

11.5.1-124

10.5.3-024

 

##########
Office 365 Web Service External URL Categories: You can configure your appliance with Microsoft Office 365 web service's external live feed which serves URLs and IPs. The web service URL must not contain a ClientRequestId, and must have JSON as the format.

##########

NOTE: After upgrade, select "Office 365 Web service" in the custom category for Office 365 and this will auto populate the URL. However, for now, this option is only available on WSA (not SMA) so if you are managing your WSA(s) via SMA, this option should be configured on WSA locally.

 

Reference (release notes/ what’s new section):

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa_10-0/WSA_10-5-x_Release_Notes.pdf

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa11-5/WSA_11-5-x_Release_Notes.pdf

 

If I can be of any further assistance, please let me know.

 

Correct, however, my issues occurred because of the upgrade to enable JSON for O365. I opened a TAC case myself and, after spinning wheels with them and reviewing some packet captures in Wireshark, I discovered that the latest version of WSA is no longer sending TLS 1.2 to the server when trying to retrieve the XML, hence the protocol errors encountered. Our web server only accepts TLS 1.2.

 

IOW Cisco engineers BROKE the XML feed on this last upgrade that enabled JSON feeds from O365. They have no fix for it yet, or any idea when one will be available. In the meantime, in order for us to proceed with the upgrades to Ironports to start getting the JSON from O365, I have to open TLS 1.1 on the web server, which goes against the PCI policies.

 

BTW, the O365 feed works fine to pull the JSON; the XML feed is for other in-house categories for URL filters, and that is what they broke.
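
The capture check described in the last post, as an added example that is not part of the original thread or any Cisco code: it reads the TLS version(s) a client offers from a raw ClientHello record and tests them against a server that accepts only TLS 1.2. The function names are hypothetical, the sample records are constructed rather than captured, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_versions(record: bytes):
    """Return (versions, explicit); explicit=False means only the legacy maximum is known."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        legacy = struct.unpack("!H", hello[:2])[0]
        pos = 34                                  # client_version + 32-byte random
        pos += 1 + hello[pos]                     # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                     # compression_methods
        if pos < len(hello):                      # extensions block is present
            end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                data = hello[pos + 4:pos + 4 + elen]
                if etype == 43:                   # supported_versions replaces the legacy field
                    vers = struct.unpack(f"!{data[0] // 2}H", data[1:1 + data[0]])
                    # GREASE placeholders (0x?A?A) are not real versions
                    return [v for v in vers if (v & 0x0F0F) != 0x0A0A], True
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("malformed or truncated ClientHello") from None
    return [legacy], False

def negotiable(record: bytes, server=frozenset({0x0303})) -> bool:
    """True if a server accepting only `server` (default: TLS 1.2 only) shares a version."""
    versions, explicit = client_versions(record)
    if explicit:
        return bool(server.intersection(versions))
    return any(v <= versions[0] for v in server)  # legacy field is the client's maximum

def sample_hello(legacy: int, versions=()) -> bytes:
    """Constructed ClientHello for the demo, not a real capture."""
    ext = b""
    if versions:
        vl = struct.pack(f"!{len(versions)}H", *versions)
        ext = struct.pack("!HHHB", len(vl) + 5, 43, len(vl) + 1, len(vl)) + vl
    hello = struct.pack("!H", legacy) + bytes(33) + b"\x00\x02\xc0\x2f\x01\x00" + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for rec in (sample_hello(0x0302), sample_hello(0x0303, (0x0304, 0x0303))):
        print([NAMES.get(v, hex(v)) for v in client_versions(rec)[0]], negotiable(rec))
```

To use it on real traffic, pass the bytes of the first TLS record the client sends, for example the TLS layer of the ClientHello packet exported from a capture.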