WSA S695 running IOS 11.8 - posting a video to facebook via https://rupload.facebook.com

mac987
Level 1

Hi

 

We are running IOS 11.8 on a WSA 695 and our users are trying to upload (POST) a video to Facebook.

The access policy allows access to the 'social networking' URL category, but the session seems to be ignoring the access policy and hitting the global policy.

2 log entries are below, with the client IP address redacted.

The 1st log entry shows the user has access to the website https://rupload.com via the allow_social_media policy.

The 2nd log entry shows the POST failure hitting the global policy.

All advice and help is much appreciated.

Thanks

Graham

 

1st log entry: successful access to the site, HTTP 200 response

 

1587647301.885 231 9.9.9.9 TCP_MISS_SSL/200 359 GET https://rupload.facebook.com:443/fb_video/d250fc249ffb1d8e81239470faf545c4-0-4893928?fb_dtsg_ag=AQy-o7O2z_YhgWCG11EoJLJUN4ThFfttBG4kPEsIm_VCPw%3AAQzerrpyrd2WY5JH-pWaONZJMcZ-HXrXS1bp8Wr32Jj_8Q&__user=758458578&__a=1&__dyn=7AgNe-4amaWxd2u6aJGi9FxqeCwKy... "REGULATED\upn3xo@regulated" DIRECT/rupload.facebook.com text/plain DEFAULT_CASE_12-http_Allow_Social_Media-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_snet",7.1,1,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,"IW_snet",-,"Unknown","Social Networking","-","Facebook General","Facebook","-","-",12.43,0,-,"Unknown","-",0,"-",0,0,"d250fc249ffb1d8e81239470faf545c4-0-4893928","854e9c0727ae961da81ffa666e4630aad5549a83e2b7439c4a9bdaa0888cf53b",4,-,"-",-> - - "23/Apr/2020:14:08:21 +0100" 157.240.195.17 443 "Social Networking" 7.1 "https://www.facebook.com/" 52701 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"

 

 

2nd log entry: blocked for the reason BLOCK_WEBCAT_IDS, HTTP 403 response

 

1587718905.926 4790 9.9.9.9 TCP_DENIED_SSL/403 0 POST https://rupload.facebook.com:443/fb_video/992bb35013d478439471b56938323c4b-0-6698642?__user=758458578&__a=1&__dyn=7AgNe-4amaUmgDxyHqzGomzFEbEyGgmAyAAjFCxG4U9ES2N6xCaxubwTwyCw_DyUJoK6UnGi4EOuUG4Xze3KawCx138S2Sih6UXU98pz8Gicx2q5o4Om5bzEG6Ehwj8lg8VElwga... "REGULATED\upn3xo@regulated" NONE/- - BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <"IW_snet",7.1,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",1,-,"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - - "24/Apr/2020:10:01:45 +0100" - 443 "Social Networking" 7.1 "https://www.facebook.com/" 52615 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"

 

 

5 Replies

balaji.bandi
Hall of Fame

A couple of questions:

 

1. Is the same user having the same issue in both cases?

2. The timing of your sessions does not match - they are on different dates.

3. Not sure how your policies are lined up.

 

DEFAULT_CASE_12-http_Allow_Social_Media-DefaultGroup vs BLOCK_WEBCAT_IDS_9

 

 

 

Example document for reference (it is for blocking; you can allow the same way):

 

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/AVC/Controlling_Facebook_Activity.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi

Thank you for your reply. I have read that PDF and unfortunately it doesn't help, but it is really appreciated.

 

In answer to your questions:

 

1.) It is all users who have this issue; it doesn't work for any user.

2.) These were just examples off the log, but the issue is the same all the time.

The users can access https://rupload.facebook.com via the allow_social_media access policy, but when they try a POST to the same site it ignores this access policy and gets blocked by the default policy.

 

All help is appreciated.

Kind regards

Graham

To understand better:

 

Can you post a sample log which has continuity for one user, from the start of access to the deny, so we get a better understanding?

 

Is this video viewing or uploading? (Just to clarify.)

 

BB


Hi

 

The user is trying to post a video; log entries from this morning are below.

Thanks for looking.

Kind regards

Graham

 

1587983062.575 744 9.9.9.9 TCP_MISS_SSL/200 39 CONNECT tunnel://rupload.facebook.com:443/ "REGULATED\upn0sz@regulated" DIRECT/rupload.facebook.com - DECRYPT_AVC_7-https_allow_social_media-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"C_Bank",7.1,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_snet",-,"-","Social Networking","-","Facebook General","Facebook","Encrypted","-",0.42,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - - "27/Apr/2020:11:24:22 +0100" 157.240.195.17 443 "C_Bank" 7.1 - 53886 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"


1587983082.859 176 9.9.9.9TCP_DENIED_SSL/403 0 POST https://www.facebook.com:443/ajax/bz?__a=1&__beoa=0&__ccg=EXCELLENT&__comet_req=0&__csr=&__dyn=7AgNe-4amaWxd2u6aJGi9FxqeCwAyoyGgmAGniheCGgjCxe2qdwIhEnUzgjGqK5-5FEG5VGwxyUymubyRUC6UlWAxamqnK7GgPxW9xaaCzU-foOi8yU-bBAAhfypfBzoggoz8FecGdCDgO8gaEnBx6HBy8G... "REGULATED\upn0sz@regulated" NONE/- - BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <"IW_snet",7.1,0,"-",0,0,0,1,"-",-,-,-,"-",-,-,"-","-",1,-,"IW_snet",-,"-","Social Networking","-","Facebook General","Facebook","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> - - "27/Apr/2020:11:24:42 +0100" - 443 "Social Networking" 7.1 "https://www.facebook.com/company name redacted/publishing_tools/?section=DRAFTS&sort[0]=edited_by_descending" 53840 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "Social Networking"

Since we are not sure what your default policy denies, for testing create a new rule above the default rule for the user to upload.

 

Example (this one is for blocking; it can be used for allowing):

 

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118277-technote-wsa-00.html

BB
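
Added example, not part of any post in this thread and not Cisco code: a small Python parser that pulls the method, destination host, HTTP status, decision tag and first policy-group name out of access-log lines like the ones posted above, so the policy each request matched can be compared side by side. The field layout is an assumption inferred from those log lines, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: four log lines from this thread with the URL paths,
# query strings and the <...> scanning block cut short. The last line keeps
# the missing space after the client IP, as posted.
SAMPLE = [
    r'1587647301.885 231 9.9.9.9 TCP_MISS_SSL/200 359 GET https://rupload.facebook.com:443/fb_video/ "REGULATED\upn3xo@regulated" DIRECT/rupload.facebook.com text/plain DEFAULT_CASE_12-http_Allow_Social_Media-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_snet",7.1>',
    r'1587718905.926 4790 9.9.9.9 TCP_DENIED_SSL/403 0 POST https://rupload.facebook.com:443/fb_video/ "REGULATED\upn3xo@regulated" NONE/- - BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <"IW_snet",7.1>',
    r'1587983062.575 744 9.9.9.9 TCP_MISS_SSL/200 39 CONNECT tunnel://rupload.facebook.com:443/ "REGULATED\upn0sz@regulated" DIRECT/rupload.facebook.com - DECRYPT_AVC_7-https_allow_social_media-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"C_Bank",7.1>',
    r'1587983082.859 176 9.9.9.9TCP_DENIED_SSL/403 0 POST https://www.facebook.com:443/ajax/bz "REGULATED\upn0sz@regulated" NONE/- - BLOCK_WEBCAT_IDS_9-DefaultGroup-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <"IW_snet",7.1>',
]

# Assumed layout: result/status size method url "user" hierarchy mime acl-tag <...
# search() is used so a line with a missing space before TCP_ still parses.
LINE_RE = re.compile(
    r'(?P<result>TCP_[A-Z_]+)/(?P<status>\d{3}) \d+ '
    r'(?P<method>[A-Z]+) (?P<url>\S+) "(?P<user>[^"]*)" '
    r'\S+ \S+ (?P<acl>\S+) <'
)

def split_acl(tag):
    """Split 'DECISION_n-Group1-Group2-...' into (decision, [groups]).
    Assumes policy-group names contain no hyphen, as in the sample lines."""
    decision, *groups = tag.split("-")
    m = re.fullmatch(r"(.+)_(\d+)", decision)   # drop the numeric suffix
    return (m.group(1) if m else decision), groups

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None                              # not an access-log line
    decision, groups = split_acl(m["acl"])
    return {
        "method": m["method"],
        "host": urlsplit(m["url"]).hostname,     # works for tunnel:// too
        "status": int(m["status"]),
        "decision": decision,
        "policy": groups[0] if groups else None, # first group after the tag
    }

def summarize(lines):
    rows = (parse_line(l) for l in lines)
    return [(r["method"], r["host"], r["status"], r["decision"], r["policy"])
            for r in rows if r]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="\t")
```
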