Adding URLs to an allow category caused some connections to be blocked

cancel
Showing results for 
Search instead for 
Did you mean: 

Adding URLs to an allow category caused some connections to be blocked

L2 Linker

We added additional URLs to an existing custom url category and on our URL filtering profile, it is set to alert. These additional URLs are completely unrelated to the connection that started to fail. And as soon as we reverted those changes things began working just as they had before. We checked the URL filtering logs and nothing was being blocked on this connection. It wouldn't drop every connection either, so for example we have a client that was reaching out to a certain IP on the internet on 443. Some were blocked by the default block rule with an application on SSL and others were allowed with an application of incomplete on the rule the traffic should be hitting (they both had the destination of the same IP). But again once we removed those seeming unrelated URLs from the category everything was again allowed and registered as SSL.

bafergel_1-1635279938830.png

 

bafergel_2-1635279998851.png

 

Network Administrator
3 REPLIES 3

L1 Bithead

“Incomplete “ session means traffic is not able to complete TCP 3 way handshake or may be there insufficient data transfer

Cyber Elite
Cyber Elite

@bafergel,

Without knowing what you actually did and seeing exactly what you were trying to do this is going to be difficult to troubleshoot. @Dalidali is correct in the fact that incomplete simply means that not enough traffic was passed for app-id to identify the application. When you look in the detailed log entry for the incomplete traffic are you actually recording return traffic? 

Yes there is return traffic, however only a handful of packets so it doesn't appear as if much information passed in these connections. The successful SSL connections pass many more bytes and packets. And the incomplete connections only start appearing when those extra URLs are added, and SSL ones start getting blocked. The policies did not change and while in a broken state I did a test policy match and that traffic should have hit our rule... but it just didn't. These particular clients are configured to reach out to a specific URL, the URLs that were added that broke it did not modify or orverlap with this URL. The added URLs were mostly shopping/sports sites.

Network Administrator
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!