12-04-2015 03:21 AM
Hi,
I have a pair of S380 web security appliances running 8.5.2-027 in active/passive mode.
The active one, for a specific URL (e.g. www.something.com), shows in the policy trace and in user requests that the category for this site is Games.
The passive one shows the same site as Uncategorized.
In https://securityhub.cisco.com/web/submit_urls (URL Categorization Requests), when I look up the site I get the category "Not in our list".
The site is actually a book selling site.
So, my suspicion is that the site was miscategorized at some point as "Games", our active proxy got the category "Games" and now this result is cached somewhere in the machine. Is it possible to clean this cached entry in a non-disruptive way?
Thanks,
John
12-04-2015 07:13 AM
Hi John,
Typically the WSA appliance shouldn't cache the URL category for more than a few minutes. It should actively check and verify if the category is up to date.
We should see such a discrepancy if both devices don't have the same definitions/signatures for URL categorization.
Could you please run the CLI command - version - on both devices and check if both of them have the same definitions/updates?
Assuming you have Cisco Web Usage Controls and WBRS features enabled on both devices, they should have the same number for the following:
-------------------------------------------
Web Reputation IP Filters
Web Reputation Rules
Web Reputation Prefix Filters
Cisco Web Usage Controls
Cisco Web Usage Controls - Web Categorization Prefix Filters
Cisco Web Usage Controls - Web Categorization Categories List
-------------------------------------------
Sid
12-04-2015 07:21 AM
Hello Sid,
they seem to be the same:
Active:
Web Reputation IP Filters: 1449241144 (Fri Dec 4 16:04:29 2015)
Web Reputation Rules: 1446749481 (Thu Nov 5 19:57:56 2015)
Web Reputation Prefix Filters: 1449241142 (Fri Dec 4 16:04:29 2015)
Cisco Web Usage Controls - Web Categorization Prefix Filters: 1449241142 (Fri Dec 4 16:04:29 2015)
Cisco Web Usage Controls - Web Categorization Categories List: 1424380693 (Sat Sep 12 20:17:51 2015)
Passive:
Web Reputation IP Filters: 1449241144 (Fri Dec 4 16:01:10 2015)
Web Reputation Rules: 1446749481 (Thu Nov 5 19:56:34 2015)
Web Reputation Prefix Filters: 1449241142 (Fri Dec 4 16:01:10 2015)
Cisco Web Usage Controls - Web Categorization Prefix Filters: 1449241142 (Fri Dec 4 16:01:10 2015)
Cisco Web Usage Controls - Web Categorization Categories List: 1424380693 (Sat Sep 12 20:18:00 2015)
John
12-04-2015 08:04 AM
Hi John,
You are right, the definitions do look the same.
May I request you to provide access logs for the concerned website from both devices?
You can configure each WSA in browser settings manually, access the website and then grep the access logs on each device via CLI.
To grep the access logs for this entry, run the following from the CLI:
Sid
12-04-2015 08:34 AM
Hi Sid,
here are the logs:
Active:
1449246380.888 2268 10.xx.yy.zz TCP_DENIED/403 0 GET http://www.xxxxxxxxx-press.com/ "DOMAIN\user@AD1" NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <IW_game,ns,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_game,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
Passive:
1449246444.202 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.215 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.882 660 10.xx.yy.zz TCP_MISS/200 64384 GET http://www.xxxxxxxxx-press.com/ "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,nc,nc,"Unknown","-","Unknown","Unknown","-","-",780.41,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
1449246444.890 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=28693 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.890 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30847 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.891 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=31006 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.891 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30962 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.891 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30363 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.892 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30601 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.911 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=28693 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.912 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30847 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.912 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30962 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.912 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=31006 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.912 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30363 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.914 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30601 - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.925 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/adaptive.php?send_browser=YYY|Firefox|40.0|Win32|Y|1920|1080|C - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246444.930 0 10.xx.yy.zz TCP_DENIED/407 0 GET http://www.xxxxxxxxx-press.com/adaptive.php?send_browser=YYY|Firefox|40.0|Win32|Y|1920|1080|C - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - AUTHM: NONE
1449246445.199 274 10.xx.yy.zz TCP_MISS/200 10555 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=31006 "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com image/jpeg DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,nc,-,"Unknown","-","Unknown","Unknown","-","-",308.18,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
1449246445.202 167 10.xx.yy.zz TCP_MISS/200 891 GET http://www.xxxxxxxxx-press.com/adaptive.php?send_browser=YYY|Firefox|40.0|Win32|Y|1920|1080|C "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com text/javascript DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",42.68,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
1449246445.230 302 10.xx.yy.zz TCP_MISS/200 15534 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30601 "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com image/jpeg DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,nc,-,"Unknown","-","Unknown","Unknown","-","-",411.50,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
1449246445.276 351 10.xx.yy.zz TCP_MISS/200 46837 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30962 "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com image/jpeg DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,nc,-,"Unknown","-","Unknown","Unknown","-","-",1067.51,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
1449246445.315 389 10.xx.yy.zz TCP_MISS/200 92677 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30363 "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com image/jpeg DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,nc,-,"Unknown","-","Unknown","Unknown","-","-",1905.95,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
1449246445.330 405 10.xx.yy.zz TCP_MISS/200 80419 GET http://www.xxxxxxxxx-press.com/image.php?type=T&id=30847 "DOMAIN\user@AD1" DIRECT/www.xxxxxxxxx-press.com image/jpeg DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,nc,-,"Unknown","-","Unknown","Unknown","-","-",1588.52,0,-,"Unknown","-",-,"-",-,-,"-","-"> - AUTHM: NTLMSSP
(Obviously the TCP_DENIED/407 lines come from the proxy authentication process.)
Thanks!
John
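The comparison being done by eye in this thread can be scripted. The following is an added example, not part of the original posts and not Cisco code: it pulls the policy decision tag and the first two fields of the angle-bracket verdict block (URL category, reputation score) out of each access log line, ignores the 407 authentication challenges, and reports hosts that the two appliances categorize differently. The field positions are inferred from the lines quoted above; the function names, the host `books.example`, the client IP and the shortened verdict blocks are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Field layout inferred from the access log lines quoted in this thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+\S+\s+(?P<url>\S+)\s+'
    r'(?P<user>"[^"]*"|\S+)\s+\S+\s+\S+\s+(?P<acl>\S+)\s+<(?P<verdict>[^>]*)>'
)

def parse_line(line):
    """Return the policy-relevant fields of one access log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    category, wbrs = m["verdict"].split(",")[:2]
    return {
        "host": urlsplit(m["url"]).hostname,
        "status": int(m["status"]),
        "action": m["acl"].split("-")[0],   # e.g. BLOCK_WEBCAT_12
        "category": category,               # e.g. IW_game, nc
        "wbrs": wbrs,                       # e.g. ns
    }

def verdicts(lines):
    """Map host -> set of (category, action), skipping 407 auth challenges."""
    seen = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] != 407:            # 407 lines carry no category verdict
            seen.setdefault(rec["host"], set()).add((rec["category"], rec["action"]))
    return seen

def category_drift(active_lines, passive_lines):
    """Hosts whose set of logged categories differs between the two appliances."""
    a, p = verdicts(active_lines), verdicts(passive_lines)
    drift = {}
    for host in a.keys() & p.keys():
        cats_a = {c for c, _ in a[host]}
        cats_p = {c for c, _ in p[host]}
        if cats_a != cats_p:
            drift[host] = {"active": sorted(cats_a), "passive": sorted(cats_p)}
    return drift

# Constructed sample lines modelled on the ones in this thread (not real logs).
ACTIVE = [r'1449246380.888 2268 10.0.0.5 TCP_DENIED/403 0 GET http://books.example/ "DOMAIN\user@AD1" NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <IW_game,ns,-,"-"> - AUTHM: NTLMSSP']
PASSIVE = [
    r'1449246444.202 0 10.0.0.5 TCP_DENIED/407 0 GET http://books.example/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-"> - AUTHM: NONE',
    r'1449246444.882 660 10.0.0.5 TCP_MISS/200 64384 GET http://books.example/ "DOMAIN\user@AD1" DIRECT/books.example text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-"> - AUTHM: NTLMSSP',
]
```

Calling `category_drift(ACTIVE, PASSIVE)` on the sample returns the one host with `IW_game` on the active side and `nc` on the passive side, the same discrepancy visible in the posted logs.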