I'm looking for some guidance on a problem I'm facing with Ironport. Our external company website has a flash clock widget that loads 8 different timezones. Depending on the website page you visit, it may only load 6 of the 8 clocks. The problem is not consistent per user, so for example I may visit a certain page and get 5 out of 8 clocks but another user may visit the same page and get all 8.
When I look through the logs in Ironport I get the following message for the clocks that do not appear: TCP_MISS/403 611. There are no other blocks showing against the Access Policies set in Ironport, so I'm lost as to why this is being forbidden (403). Any help would be gratefully appreciated.
You will need to grep the access logs while testing this application. What you're looking for are requests made by the application which are being blocked by your access policies, hence the 403 that you're already seeing in the access logs. Once you have determined the URLs being requested by the application, add those URLs to a custom URL category: WSA GUI -> Web Security Manager -> Custom URL Category -> submit -> commit your changes. You will also need to add this custom URL category to a No Authentication Access / Identity which will also contain a No Authentication Identity. Usually in this scenario you will already have a default No Auth Identity based on your class of network A, B, C created with a Custom URL Category already directly associated to that identity. This type of Access Policy, Identity, Custom URL Category is designed for applications, operating system updates, etc.
WSA Cisco Forums Moderator
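One way to do the log review described in the answer above, as an added example that is not part of the original posts or Cisco's tooling: a short Python script that pulls every 403 entry for one test client out of exported access log text and counts the hostnames involved. The Squid-style field order, the sample lines, the IP addresses and the host names are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines; assumed Squid-style field order:
# timestamp elapsed client result/status bytes method url user ...
SAMPLE_LOG = """\
1617181920.101 45 10.1.1.20 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
1617181920.322 12 10.1.1.20 TCP_MISS/403 611 GET http://clocks.example.net/widget/clock.swf?tz=1 - NONE/- -
1617181920.340 11 10.1.1.20 TCP_MISS/403 611 GET http://clocks.example.net/widget/clock.swf?tz=5 - NONE/- -
1617181921.007 60 10.1.1.31 TCP_MISS/200 20480 GET http://clocks.example.net/widget/clock.swf?tz=1 - DIRECT/clocks.example.net application/x-shockwave-flash
1617181921.500 9 10.1.1.20 TCP_DENIED/403 611 GET http://cdn.example.org/tz/data.xml - NONE/- -
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def forbidden_requests(log_text, client=None):
    """Return (client, url) tuples for 403 entries, optionally for one client."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "403":
            continue  # unparseable line, or a request that was not forbidden
        if client and m["client"] != client:
            continue
        hits.append((m["client"], m["url"]))
    return hits

def hosts_for_category(hits):
    """Count blocked requests per hostname: candidates for the custom URL category."""
    return Counter(urlsplit(url).hostname for _, url in hits)

if __name__ == "__main__":
    # Filter on the workstation used for testing so other users' traffic is ignored.
    hits = forbidden_requests(SAMPLE_LOG, client="10.1.1.20")
    for host, count in hosts_for_category(hits).most_common():
        print(f"{count:3d}  {host}")
```

Comparing the output for a client that shows all clocks with one that does not also helps confirm whether the block depends on which identity or policy the client matched.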