topic Re: Custom Category traffic flow issue in General Topics

Custom Category traffic flow issue

EmptySet — Tue, 13 Apr 2021 13:40:31 GMT

Hello all,

I have created a custom URL category for a site and have a security policy to allow specific applications to that category but the results are inconsistent and when I review the log, when the traffic was successful the URL Category shows as the custom category and whenever it fails, it shows the URL category as a default PAN category (in this case computer-and-internet-info) despite the destination IP addresses being the same. I can see the traffic shows as decrypted, it shows the expected application, ports, etc... it's just the resulting category that seems to change.

When I do security policy test, the proper rule is returned but live traffic it fails.

Is there something obvious I am missing?

Thanks.

Re: Custom Category traffic flow issue

LAYER_8 — Tue, 13 Apr 2021 19:23:35 GMT

What escape / end characters are you using in your formatting?

See here.

Re: Custom Category traffic flow issue

OtakarKlier — Tue, 13 Apr 2021 19:47:25 GMT

Hello,

I would also recommend taking a screen shot of the denied traffic logs, and comparing it to the security policy its supposed to hit.

Regards,

Re: Custom Category traffic flow issue

EmptySet — Tue, 13 Apr 2021 20:40:21 GMT

No wildcards or escape characters. It's a static FQDN in the format of subdomain2.subdomain1.domain.com.

Re: Custom Category traffic flow issue

EmptySet — Tue, 13 Apr 2021 20:49:23 GMT

I did this comparison before the post and it's how I saw that the URL category is different when it's blocked than when it is allowed.

So to use MS Teams as example, say the site is media.teams.microsoft.com. This URL is added to a custom URL category. Then in the security policy the application is ms-teams-downloading and ms-teams-uploading, ports are tcp 80/443, URL category is the custom URL category object and I have some basic profiles in the actions tab.

When traffic goes to the IP for media.teams.microsoft.com and the application is ms-teams-uploading, traffic is allowed and the log shows the category as the custom URL object. When traffic goes to the IP for media.teams.microsoft.com and the application is ms-teams-downloading, the traffic is blocked and the category is the default PAN computer-and-internet-info.

Re: Custom Category traffic flow issue

Avinash1 — Wed, 14 Apr 2021 08:27:44 GMT

You need to allow this category computer-and-internet-info as well to resolve the issue.

Re: Custom Category traffic flow issue

EmptySet — Wed, 14 Apr 2021 13:10:51 GMT

Adding computer-and-internet-info as an allowed category kind of defeats the purpose of the custom category, doesn't it? And why does the custom category show for uploading but not downloading?

Re: Custom Category traffic flow issue

EricPrehn — Wed, 14 Apr 2021 22:04:37 GMT

It wouldn't happen to be version 9.1.8 or similar, would it? If so, we're fighting with the exact same issue.

Re: Custom Category traffic flow issue

EmptySet — Thu, 15 Apr 2021 12:19:31 GMT

Not yet... currently it is 8.1.17. I'm in the middle of updating to 9.1.8 company wide though, so your post doesn't fill me with hope.