Help diagnose a blocked site

keithsauer507
Level 5

Hi.

I'm trying to put a weather widget on our intranet site and for people in our "Restricted Internet" group we have a URL category list called "Allowed Domains".  Basically I put the domain in .accuweather.com and I still cannot get this widget to load for a test user in the ldap group "Restricted Internet".

So the next step I did was go to Web Tracking and look up the user name, website and blocked for the transaction type.  For some reason there are two results which contradict each other.

In the Disposition column it says Block - AVC, however in the Website column it correctly shows URL CATEGORY: Allowed Domains.  This is a contradiction because if it is an "allowed domain" it should not be blocked.  Any idea why this site would possibly be blocked?  I did have the weather.com widget on our intranet site and that worked fine, however the accuweather widget shows a little more information.

Here is a clip from the Website column in Web Tracking:

http://netwx.accuweather.com/netWx-V212.swf?zipcode=19464&customtheme=&theme=blue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0

(3)
CONTENT TYPE: application/x-shockwave-flash
URL CATEGORY: Allowed Domains
DESTINATION IP: 207.242.93.89

DETAILS: Restricted_Internet "Access". WBRS: 5.3.


RELATED TRANSACTIONS

http://vortex.accuweather.com/adc2010/images/animated-overlays/cloudy.swf

http://netwx.accuweather.com/netWx-V212.swf?zipcode=19464&customtheme=&theme=blue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0

CONTENT TYPE: application/x-shockwave-flash
URL CATEGORY: Allowed Domains
DESTINATION IP: 207.242.93.89

DETAILS: Restricted_Internet "Access". WBRS: 5.3.

3 Replies

Some piece of it is getting categorized by the AVC engine (dynamically based on content). Are you blocking flash video?

Use grep on your WSA to find out which pieces are getting categorized improperly, then go to CCO, and have a category assigned.

Here’s how to use grep (I grep for the IP of the machine I’m testing with):

http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1013&p_created=1202506177&p_sid=*wqDvGwk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=772&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9NDIsNDImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfbmwmcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1ncmVw&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1&p_topview=1

Here’s what your AVC info is set for: https://securityhub.cisco.com/web/application_visibility_control

Here’s the category lookup and submit tool: https://securityhub.cisco.com/web/submited_urls

Good call on the Flash Video.

I SSH to the Ironport and played around with grep.  Found this, which looks to be flash video.  Oddly I didn't even think of it as flash video, as myself (in the very unrestricted IT group) can see the weather widget and there's obviously no video.  However one of the pages calls an swf from another server... it must be the way they dynamically draw the sun or clouds in the forecast.

test@Windows" DIRECT/netwx.accuweather.com application/x-shockwave-flash BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup ","-","Flash Video","Media","-","-",144.43,0,-,"-","-"> -

1308254622.019 307 10.1.3.126 TCP_DENIED/403 5344 GET http://netwx.accuweather.com/netWx-V212.swf?zipcode=19464&customtheme=&theme=blue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0 "DIAMONDCU\test@Windows" DIRECT/netwx.accuweather.com application/x-shockwave-flash BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup -

It was flash video AND Media, so in Global Policy for applications (because that's where the default restricted user falls back to) I changed them to monitor and it now works.
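
Added example, not part of the original thread and not Cisco code: a small Python parser for access-log lines shaped like the one quoted above, listing requests whose decision tag starts with BLOCK_AVC so an AVC block is not mistaken for a URL-category block. The field layout is inferred from that one quoted line; the regex, function names, and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Field order inferred from the log line quoted in the thread (assumption).
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+(?P<hier>\S+)\s+'
    r'(?P<mime>\S+)\s+(?P<tag>\S+)')

# Line 1 is the entry from the thread; lines 2 and 3 are constructed
# (an allowed request, and a terminal-wrapped fragment that must be skipped).
SAMPLE_LOG = r'''
1308254622.019 307 10.1.3.126 TCP_DENIED/403 5344 GET http://netwx.accuweather.com/netWx-V212.swf?zipcode=19464&customtheme=&theme=blue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0 "DIAMONDCU\test@Windows" DIRECT/netwx.accuweather.com application/x-shockwave-flash BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup -
1308254630.112 95 10.1.3.126 TCP_MISS/200 18211 GET http://www.example.com/ "DIAMONDCU\test@Windows" DIRECT/www.example.com text/html DEFAULT_CASE_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup -
wave-flash BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-D
'''

def parse_line(line):
    """Return a dict of fields, or None for fragments that are not full entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Tag looks like DECISION_<number>-<policy>-<identity>-...; the number is
    # kept opaque. Policy names containing '-' would need a smarter split.
    head, *rest = rec["tag"].split("-")
    decision, _, code = head.rpartition("_")
    rec["decision"] = decision if code.isdigit() else head
    rec["policy"] = rest[0] if rest else ""
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["user"] = rec["user"].strip('"')
    return rec

def avc_blocks(text):
    """All complete entries that were blocked by the AVC engine."""
    parsed = (parse_line(l) for l in text.splitlines())
    return [r for r in parsed if r and r["decision"] == "BLOCK_AVC"]

def summarize(text):
    """Count AVC blocks per (host, content type, access policy)."""
    return Counter((r["host"], r["mime"], r["policy"]) for r in avc_blocks(text))

if __name__ == "__main__":
    for (host, mime, policy), n in summarize(SAMPLE_LOG).items():
        print(f"{n} AVC block(s): {host} [{mime}] under policy {policy}")
```

Feed it unwrapped log text; lines broken by terminal wrapping, like the output pasted in the thread, do not match and are skipped.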