04-24-2020 02:31 AM
Hi
We are running IOS 11.8 on a WSA 695 and our users are trying to upload (POST) a video to Facebook.
The access policy allows access to the 'social networking' URL category, but the session seems to be ignoring the access policy and hitting the global policy.
2 log entries are below, with the client IP address redacted.
The 1st log entry shows the user has access to the website https://rupload.com via the allow_social_media.
The 2nd log entry shows the POST failure hitting the global policy.
All advice and help is much appreciated.
Thanks
Graham
1st log entry: successful access to the site, 200 HTTP response
1587647301.885 231 9.9.9.9 TCP_MISS_SSL/200 359 GET https://rupload.facebook.com:443/fb_video/d250fc249ffb1d8e81239470faf545c4-0-4893928?fb_dtsg_ag=AQy-o7O2z_YhgWCG11EoJLJUN4ThFfttBG4kPEsIm_VCPw%3AAQzerrpyrd2WY5JH-pWaONZJMcZ-HXrXS1bp8Wr32Jj_8Q&__user=758458578&__a=1&__dyn=7AgNe-4amaWxd2u6aJGi9FxqeCwKy... "REGULATED\upn3xo@regulated" DIRECT/rupload.facebook.com text/plain DEFAULT_CASE_12-http_Allow_Social_Media-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_snet",7.1,1,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,"IW_snet",-,"Unknown","Social Networking","-","Facebook General","Facebook","-","-",12.43,0,-,"Unknown","-",0,"-",0,0,"d250fc249ffb1d8e81239470faf545c4-0-4893928","854e9c0727ae961da81ffa666e4630aad5549a83e2b7439c4a9bdaa0888cf53b",4,-,"-",-> - - "23/Apr/2020:14:08:21 +0100" 157.240.195.17 443 "Social Networking" 7.1 "https://www.facebook.com/" 52701 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"
2nd log entry: blocked for the reason BLOCK_WEBCAT_IDS, HTTP 403 response
1587718905.926 4790 9.9.9.9 TCP_DENIED_SSL/403 0 POST https://rupload.facebook.com:443/fb_video/992bb35013d478439471b56938323c4b-0-6698642?__user=758458578&__a=1&__dyn=7AgNe-4amaUmgDxyHqzGomzFEbEyGgmAyAAjFCxG4U9ES2N6xCaxubwTwyCw_DyUJoK6UnGi4EOuUG4Xze3KawCx138S2Sih6UXU98pz8Gicx2q5o4Om5bzEG6Ehwj8lg8VElwga... "REGULATED\upn3xo@regulated" NONE/- - BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <"IW_snet",7.1,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",1,-,"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - - "24/Apr/2020:10:01:45 +0100" - 443 "Social Networking" 7.1 "https://www.facebook.com/" 52615 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"
04-24-2020 03:02 PM - edited 04-24-2020 03:05 PM
A couple of questions:
1. Is the same user having the same issue in both cases?
2. The timing of your sessions does not match; both are on different dates.
3. Not sure how your policies are lined up.
DEFAULT_CASE_12-http_Allow_Social_Media-DefaultGroup vs BLOCK_WEBCAT_IDS_9
Example document for reference (it was for blocking; you can allow the same way):
https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/AVC/Controlling_Facebook_Activity.pdf
04-26-2020 02:57 AM
Hi
Thank you for your reply. I have read that PDF and unfortunately it doesn't help, but it is really appreciated.
In answer to your questions:
1.) It is all users who have this issue; it doesn't work for any user.
2.) These were just examples off the log, but the issue is the same all the time.
The users can access https://rupload.facebook.com via the allow_social_media access policy, but when they try a POST to the same site it ignores this access policy and gets blocked by the default policy.
All help is appreciated.
Kind regards
Graham
04-26-2020 04:20 AM
To understand better,
can you post a sample log that has continuity for one user's access from start to deny, so we get a better understanding?
Is this video viewing or uploading? (Just to clarify.)
04-27-2020 03:29 AM
Hi
The user is trying to post a video; log entries from this morning are below.
Thanks for looking
Kind regards
Graham
1587983062.575 744 9.9.9.9 TCP_MISS_SSL/200 39 CONNECT tunnel://rupload.facebook.com:443/ "REGULATED\upn0sz@regulated" DIRECT/rupload.facebook.com - DECRYPT_AVC_7-https_allow_social_media-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"C_Bank",7.1,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_snet",-,"-","Social Networking","-","Facebook General","Facebook","Encrypted","-",0.42,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - - "27/Apr/2020:11:24:22 +0100" 157.240.195.17 443 "C_Bank" 7.1 - 53886 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"
1587983082.859 176 9.9.9.9TCP_DENIED_SSL/403 0 POST https://www.facebook.com:443/ajax/bz?__a=1&__beoa=0&__ccg=EXCELLENT&__comet_req=0&__csr=&__dyn=7AgNe-4amaWxd2u6aJGi9FxqeCwAyoyGgmAGniheCGgjCxe2qdwIhEnUzgjGqK5-5FEG5VGwxyUymubyRUC6UlWAxamqnK7GgPxW9xaaCzU-foOi8yU-bBAAhfypfBzoggoz8FecGdCDgO8gaEnBx6HBy8G... "REGULATED\upn0sz@regulated" NONE/- - BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <"IW_snet",7.1,0,"-",0,0,0,1,"-",-,-,-,"-",-,-,"-","-",1,-,"IW_snet",-,"-","Social Networking","-","Facebook General","Facebook","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> - - "27/Apr/2020:11:24:42 +0100" - 443 "Social Networking" 7.1 "https://www.facebook.com/company name redacted/publishing_tools/?section=DRAFTS&sort[0]=edited_by_descending" 53840 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"
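Added example, not part of the original posts: a Python sketch that splits the decision field of access-log lines like those above into the ACL decision tag and its policy-group slots, so the allowed GET and the denied POST can be compared side by side. The slot order and the reading of an `_IDS` tag as a Data Security policy decision are assumptions taken from Cisco's AsyncOS access-log documentation, and the sample lines are constructed.

```python
import re

# Policy-group slots that follow the ACL decision tag. ASSUMPTION: this order
# is taken from Cisco's AsyncOS access-log documentation; check your release.
SLOTS = ("access_or_decryption", "identity", "outbound_malware",
         "data_security", "external_dlp", "routing")

LINE_RE = re.compile(
    r'(?P<result>TCP_\w+)/(?P<status>\d{3})\s+\d+\s+(?P<method>[A-Z]+)\s+\S+'
    r'.*?\s(?P<decision>[A-Z][A-Z_]*_\d+(?:-[^\s<]+)+)\s+<')

def parse(line):
    """Return method, status, decision tag and named policy groups, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Splitting on '-' assumes policy names themselves contain no hyphen.
    tag, *groups = m["decision"].split("-")
    base = re.sub(r"_\d+$", "", tag)
    # ASSUMPTION: a tag ending in _IDS was decided by a Data Security policy.
    decider = "data_security" if base.endswith("_IDS") else "access_or_decryption"
    named = dict(zip(SLOTS, groups))
    return {"method": m["method"], "status": int(m["status"]), "tag": base,
            "decided_by": decider, "policy": named.get(decider), "groups": named}

def summarize(lines):
    """(method, status, tag, deciding policy type, policy name) per parsed line."""
    rows = []
    for line in lines:
        r = parse(line)
        if r:
            rows.append((r["method"], r["status"], r["tag"],
                         r["decided_by"], r["policy"]))
    return rows

# Constructed sample lines, shortened from the format shown in the thread.
SAMPLE = [
    '1587647301.885 231 192.0.2.10 TCP_MISS_SSL/200 359 GET '
    'https://rupload.facebook.com:443/fb_video/a "DOM\\user@realm" '
    'DIRECT/rupload.facebook.com text/plain DEFAULT_CASE_12-http_Allow_Social_Media'
    '-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_snet",7.1> - -',
    '1587718905.926 4790 192.0.2.10 TCP_DENIED_SSL/403 0 POST '
    'https://rupload.facebook.com:443/fb_video/b "DOM\\user@realm" NONE/- - '
    'BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup'
    '-NONE-NONE-NONE <"IW_snet",7.1> - -',
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the constructed sample, the GET is reported as decided by the access policy `http_Allow_Social_Media` with the `data_security` slot at `NONE`, while the POST is reported as decided in the `data_security` slot by `DefaultGroup`.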
04-27-2020 03:23 PM
Since we are not sure what the default of your policy is (deny), for testing, create a new rule above the default rule for the user to upload.
Example (this is a blocked one; it can be used for allow):