URL Categories missing from Expedition

Reply
Highlighted
L1 Bithead

URL Categories missing from Expedition

I'm looking for the developers of Expedition to have a look to a case opened from one of our biggest partners in APAC (Telstra).
They had to roll back a customer migration a few days ago due to a couple of rules missing URL category lost through the use of the Migration Tool.

In the process of importing, two rules failed to include a destination URL category that resulted in problems with the migrated policy, but only those two rules. Other rules imported and exported successfully, and they can reproduce the problem on my Expedition VM.

 

The original rule:

Rule

Source

Dest

User

App

Destination URL category

Profiles

1 - allow online storage users access to the cloud

Trust

Untrust

Group: online-storage

Web-browsing

SSL

Sharefile

Dropbox

Accellion

etc

online-storage-and-backup

URL Filtering:

Allow: online-storage-and-backup

Block: everything else

 

 

Was missing the dest URL category in Expedition, the exported XML and new Device Group once imported into Panorama:

Rule

Source

Dest

User

App

Destination URL category

Profiles

1 - allow online storage users access to the cloud

Trust

Untrust

Group: online-storage

Web-browsing

SSL

Sharefile

Dropbox

Accellion

etc

Any

URL Filtering:

Allow: online-storage-and-backup

Block: everything else

 

This resulted in almost all SSL and web-browsing traffic matching the erroneous rule and being blocked. To fix this they ran an audit against the pre-migrated policy and remediated one more rule, the remaining rules seemed to be OK. There were no errors in the Expedition logs indicating an import issue, but it does raise a concern that other policy elements failed to import.

 

They can repeat the issue on demand and would call it a bug, so it should probably be raised with the Expedition dev team.

They believe the issue may lie with a static content and app db in Expedition, and either the tool needs to be able to update content revisions or use what is available in the base config XML.

 

They noticed Expedition gives you the option to import apps and URL categories from a target device via the API, but this may not always be possible (e.g. running Expedition off-site).

 

I'm aware of developers were talking to Telstra recently, so it might be a good opportunity to do the same.

 

Thanks!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!