Symptoms
Policies are in place to perform URL filtering on one of the virtual wire (vwire) interfaces that traffic goes through, but the firewall doesn't apply the policy.
Issue
When traffic passes through more than one virtual wire interface, and one virtual wire interface has a URL filtering policy while the other(s) do not, the URL filtering policy is not applied.
Topology example:
- Ports 1-2 are configured as a virtual wire and a URL filtering policy is in place.
- Ports 3-4 are configured as a virtual wire and no URL filtering policy is configured.
Workstations are connected to port 1 on the firewall. Port 2 goes to an internal router, which sends internet-bound traffic to port 3 on the firewall, and port 4 is connected to the internet. Client connections therefore arrive on port 1 and exit port 2 to reach the router; the router forwards the packets to port 3 on the firewall, and those packets exit port 4 to the internet.
Because ports 3-4 don't have a URL filtering policy configured, the URL policy configured on ports 1-2 will not be applied.
Workaround
As a workaround, run the following command:
set deviceconfig setting url dynamic-url yes
This allows the URL category to persist through the different virtual wire interfaces, so the URL filtering policy is applied.
owner: dwhyte