03-06-2012 07:40 AM
I'm trying to order a laptop locker from a website for business purposes. Sure, I can go into the IronPort and whitelist the site, but I want to know why the IronPort is so flaky like this.
The error I'm getting is this (sanitised domain name and username):
The website you are trying to access is blocked.
Blocked Site: | www.schoollockers.com |
Blocked Category: | Shopping |
User: | DOMAINNAME\username@Windows |
User Group: | BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE |
Reauth_URL: | - |
Base64Decode error '800a0001'
Bad Base64 string.
/ironport/blocked.asp, line 78
Now why would the blocked category be Shopping, but yet in another tab I am at www.walmart.com and that loads fine? In fact other sites like Newegg, PCMall, BestBuy, Staples, Officemax, etc... all shopping sites - work great.
Can someone tell me the best way to diagnose this problem rather than bypass the webfilter or maintain long lists of one off exceptions?
S160 running v7.1.3-014 for Web
03-06-2012 11:48 PM
The simplest way to diagnose is to use the Policy Trace feature under System Administration; this will show all the policies that the account is hitting.
More detailed logs can be found by SSHing to the box and running a grep on the accesslogs; how best to do it depends on your setup. But basically:
Grep
1
regular expression: username
Tail the logs: yes
And then do the actions which are getting allowed/denied and use them to find out the reason - AVC is application controls, etc.
03-07-2012 06:44 AM
Thanks for that. I really like the grep and tail the logs. It's like an instant way to see what's going on.
So I did this and today the site is not blocked!! Weird how it would be blocked one day but not the next. Oh well, at least I got the nifty grep command out of it.
I guess what took me aback is that I'm in the IT identity group, which does not block much at all. Shopping is especially not blocked, as we make online purchases for various business needs.
Thank you!
03-07-2012 06:59 AM
A note on grep.. I typically use the IP address instead of username... that way you'll see things, even if the user isn't authenticated yet...
03-14-2012 11:11 AM
That "BLOCK_WBRS_11" means that the particular site was blocked due to a low web reputation score, rather than due to the category of the content.
Further along in the access log line for that connection will be the score itself. Here's one of ours:
BLOCK_WBRS_11-All_Access-CC_AD_Identity-NONE-NONE-NONE-NONE
The -6.4 is the negative reputation score that caused this transaction to be blocked. Cisco has a public site where you can look up the reputation scores: http://senderbase.org
In the upper right corner, just under the "Look up your network" box, click on the Reputation Look Up link.
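The triage described in the replies above (grep by client IP, then read the decision tag and reputation score) can be done offline on exported access logs. This is an added example, not code from the thread or from Cisco: the sample lines are constructed, and the line layout (decision tag followed by a `<category,score,...>` block) and the `BLOCK_WEBCAT` and `DEFAULT_CASE` tags are assumptions about the access log format.

```python
import re

# Constructed sample lines; the field layout is an assumption (see lead-in).
SAMPLE_LOG = r'''
1331041200.101 12 10.0.0.25 TCP_DENIED/403 0 GET http://blocked.example/ "EXAMPLE\alice@Windows" NONE/- - BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_shop,-6.4,-,"-">
1331041205.220 9 10.0.0.25 TCP_DENIED/403 0 GET http://games.example/ "EXAMPLE\alice@Windows" NONE/- - BLOCK_WEBCAT_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_game,3.1,-,"-">
1331041210.007 88 10.0.0.31 TCP_MISS/200 5120 GET http://shop.example/ - DIRECT/shop.example text/html DEFAULT_CASE_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_shop,5.2,-,"-">
'''

# TAG_<version>-<policy>-<identity>-... then <category,score,...>
TAG_RE = re.compile(r'\b([A-Z]+(?:_[A-Z]+)*)_(\d+)-(\S+)\s+<([^,>]*),([^,>]*)')

# Decision tag -> why the transaction was blocked.
REASONS = {
    "BLOCK_WBRS": "web reputation score",
    "BLOCK_WEBCAT": "URL category",
}

def parse_line(line):
    """Return a dict for one access log line, or None if it cannot be parsed."""
    m = TAG_RE.search(line)
    fields = line.split()
    if not m or len(fields) < 7:
        return None
    tag, _version, groups, category, raw_score = m.groups()
    policy, identity = (groups.split("-") + ["", ""])[:2]
    try:
        score = float(raw_score)
    except ValueError:
        score = None  # score field present but not numeric
    if tag in REASONS:
        reason = REASONS[tag]
    else:
        reason = "other block" if tag.startswith("BLOCK_") else "not blocked"
    return {"client": fields[2], "url": fields[6], "tag": tag, "policy": policy,
            "identity": identity, "category": category, "score": score,
            "reason": reason}

def triage(log_text, client_ip=None):
    """Parse all lines; optionally keep only one client IP (works pre-auth)."""
    rows = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in rows if r and client_ip in (None, r["client"])]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, "10.0.0.25"):
        print(f'{r["url"]}: {r["reason"]} (category={r["category"]}, score={r["score"]})')
```

A row whose reason is "web reputation score" explains why a site in an allowed category such as Shopping is still denied: the category shown on the block page is informational, and the decision came from the score.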