custom url category issues

Not applicable

OK, let me start out by saying I am not using the URL filtering profiles; I am only trying to set up whitelists for outbound web using the custom URL categories.

So I built a rule that allows my trust zone to go out to the untrust zone using the web-browsing app and the custom URL category which contains the URLs that need to go out. When I try the connection I'm getting 503 errors and seeing 2 entries in my traffic log. The first one is a start type that is allowed by the rule, with "any" in the URL category; the second is a deny that is getting dropped by the deny-all cleanup rule at the bottom, with a not-resolved URL category. What I'm trying to figure out is why it isn't being allowed by the URL category.

L7 Applicator

Hi,

Could you please verify the category using the link mentioned below.

http://www.brightcoud.com/support/lookip.php

Also check the traffic logs (click into the magnifying glass symbol of the dropped traffic) for more details.

Thanks

Subhankar

Not applicable

It comes up with a category but I'm not sure how that applies since I'm not using Brightcloud, just trying to use my own custom categories.

Not applicable

Result of show session ID command (IPs sanitized)

Session         1587225
        c2s flow:
                source:      x.x.71.42 [ProdApp]
                dst:         y.y.110.122
                proto:       6
                sport:       38456           dport:      80
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      y.y.110.122 [Deep Dark Woods]
                dst:         x.x.71.42
                proto:       6
                sport:       80              dport:      38456
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Tue Jul 23 08:41:06 2013
        timeout                       : 90 sec
        total byte count(c2s)         : 730
        total byte count(s2c)         : 66
        layer7 packet count(c2s)      : 11
        layer7 packet count(s2c)      : 1
        vsys                          : vsys2
        application                   : web-browsing
        session to be logged at end   : False
        session in session ager       : False
        session synced from HA peer   : False
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : not-resolved
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/15
        session QoS rule              : N/A (class 4)
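The session dump above is the key evidence in this thread: "URL filtering enabled: True" together with "URL category: not-resolved" means the firewall never classified the request, so a rule that matches on a URL category can never apply and the traffic falls through to the cleanup deny. The following parser is an added example, not code from the thread or from Palo Alto Networks; it turns the plain-text `show session id` output into a dictionary and flags that exact condition, so the check can be run over many saved session dumps instead of reading them by eye. The sample text is the sanitized output posted above, trimmed to the fields the parser uses.

```python
import re

# Constructed sample: the sanitized "show session id" output from the thread,
# trimmed to the fields this parser cares about.
SAMPLE_SESSION = """\
Session         1587225
        c2s flow:
                source:      x.x.71.42 [ProdApp]
                dst:         y.y.110.122
                proto:       6
                sport:       38456           dport:      80
                state:       INIT            type:       FLOW
        s2c flow:
                source:      y.y.110.122 [Deep Dark Woods]
                dst:         x.x.71.42
                proto:       6
                sport:       80              dport:      38456
                state:       INIT            type:       FLOW
        start time                    : Tue Jul 23 08:41:06 2013
        application                   : web-browsing
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : not-resolved
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/15
"""

_SESSION_ID = re.compile(r"^Session\s+(?P<id>\d+)\s*$")
_FLOW_HEADER = re.compile(r"^\s*(c2s|s2c) flow:\s*$")
# Session-level lines look like "key <padding> : value" (space before the colon).
_ATTR = re.compile(r"^\s*(?P<key>[^:]+?)\s+:\s+(?P<value>.*?)\s*$")


def _flow_pairs(line):
    """Split a flow line such as 'sport: 38456   dport: 80' into key/value pairs.
    Columns are separated by two or more spaces; a value may contain a single
    space (e.g. 'x.x.71.42 [ProdApp]')."""
    tokens = [t for t in re.split(r"\s{2,}", line.strip()) if t]
    pairs = {}
    i = 0
    while i < len(tokens):
        if tokens[i].endswith(":"):
            key = tokens[i][:-1].strip()
            pairs[key] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            i += 1
    return pairs


def parse_session(text):
    """Parse PAN-OS 'show session id <n>' text into the session id, the
    per-direction flow fields and the flat session attributes."""
    session = {"id": None, "flows": {}, "attributes": {}}
    current_flow = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _SESSION_ID.match(raw)
        if m:
            session["id"] = m.group("id")
            continue
        m = _FLOW_HEADER.match(raw)
        if m:
            current_flow = m.group(1)
            session["flows"][current_flow] = {}
            continue
        m = _ATTR.match(raw)
        if m:
            # Session-level attributes start after the flow sections end.
            current_flow = None
            session["attributes"][m.group("key")] = m.group("value")
            continue
        if current_flow is not None:
            session["flows"][current_flow].update(_flow_pairs(raw))
    return session


def url_category_findings(session):
    """Return findings about URL-category handling for one parsed session.
    Filtering enabled plus a not-resolved category means the firewall could not
    classify the URL, so a category-based allow rule cannot match it."""
    attrs = session["attributes"]
    findings = []
    if attrs.get("URL filtering enabled") == "True" and attrs.get("URL category") == "not-resolved":
        findings.append(
            "URL category not-resolved: a rule matching on a URL category cannot apply; "
            "run 'test url <host>' to confirm a URL database is loaded"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_SESSION)
    print(parsed["id"], parsed["attributes"]["URL category"])
    for finding in url_category_findings(parsed):
        print("-", finding)
```

The two-regex split matters: flow lines put the colon directly after the key and can hold two pairs per line, while session-level lines pad the key before the colon, so a single "split on colon" would mangle the timestamp in "start time".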

L7 Applicator

You may want to try checking the category on the firewall itself:

> check url www.example.com

The session output shows that the firewall isn't able to resolve the URL category. The site(s) you added to the custom URL category may not be the full list of domains. If you were to add paloaltonetworks.com to a custom URL category, there are other categories referenced by that page. Things like CDNs (akamai, etc.), site analytics cookies, and similar content may not be displayed if you are only allowing the custom category you created.

Hope this helps,

Greg
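Greg's point about dependent domains is the usual reason a custom-category whitelist "works" in the lab and breaks in production. The script below is an added example (not from the thread, not Palo Alto Networks code) that takes the entries of a custom URL category and a list of hostnames pulled from the traffic log, reports which hosts no entry would match, and groups them into candidate wildcard entries. The matching rules are a deliberately simplified model, stated as an assumption: `*.example.com` covers subdomains only, a plain `example.com` covers that exact host, and paths after `/` are ignored; the category entries and observed hostnames are constructed.

```python
# Constructed sample: custom URL category entries for the two sites the thread
# wants to allow, and hostnames seen in the traffic log while loading them.
ALLOWED_ENTRIES = [
    "vendor-app.example.com",
    "*.vendor-app.example.com",
    "partner-portal.example.net",
]
OBSERVED_HOSTS = [
    "vendor-app.example.com",
    "lb07.vendor-app.example.com",          # load-balancer member, covered by wildcard
    "lb23.vendor-app.example.com",
    "partner-portal.example.net",
    "www.partner-portal.example.net",       # exact entry does not cover www.
    "static.cdn-provider.example",          # CDN pulled in by the page
    "metrics.analytics.example",            # analytics beacon
]


def entry_matches(entry, host):
    """Simplified model of custom-URL-category matching (an assumption, not the
    firewall's exact rules): '*.example.com' covers any subdomain of example.com
    but not example.com itself; plain 'example.com' covers only that exact host.
    Any path component after '/' in the entry is ignored here."""
    entry = entry.lower().split("/", 1)[0]
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]              # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def uncovered_hosts(entries, hosts):
    """Hostnames that no category entry would match, sorted and de-duplicated.
    With a whitelist policy these are the requests the cleanup deny rule drops."""
    return sorted({h for h in hosts if not any(entry_matches(e, h) for e in entries)})


def suggested_wildcards(hosts):
    """Group uncovered hosts by their last two labels and propose one wildcard
    entry per group. Heuristic only: review each suggestion before adding it,
    since a wildcard allows every host under that domain (see '*.example.net'
    below, which is far broader than the single host that produced it)."""
    groups = {}
    for h in hosts:
        labels = h.lower().rstrip(".").split(".")
        apex = ".".join(labels[-2:]) if len(labels) >= 2 else h
        groups.setdefault("*." + apex, set()).add(h)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    missing = uncovered_hosts(ALLOWED_ENTRIES, OBSERVED_HOSTS)
    print("hosts not covered by the custom category:", missing)
    for wildcard, members in suggested_wildcards(missing).items():
        print(f"  candidate entry {wildcard} would cover {members}")
```

Run it against hostnames exported from the traffic log filtered on the cleanup deny rule; every host it lists is one that would need either an exact entry or a reviewed wildcard before the whitelist is complete.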

L4 Transporter

Going back to your first statement, "OK, let me start out with I am not using the URL filtering profiles." Do you even have a URL filtering license, and have you downloaded a database in the past? If not, I believe the custom URL won't work as there's no database to put the custom URL category in.

Thanks,

Dominic

Not applicable

I don't have the check url command, but if I do a test url with the URL I get a "No URL database is loaded" response.

Not applicable

No, I don't have a license. I'm starting to wonder if that's part of the issue, since I am getting "No URL database is loaded" responses when trying to do a test url. Is this something I can update once without the licenses, since I don't really need the categories? We are in front of an all-server environment and really only need to allow a handful of sites out, but unfortunately 2 of the sites have one URL each but about 50 servers doing load balancing/failover for them.

L4 Transporter

You should get a free 30-day eval of URL filtering with the device. You should be able to see that online in the customer portal (My Devices). Once the 30-day eval is applied, go to Device tab -> Licenses and activate the URL filter, then Dynamic Updates. *Adding the URL database may require a restart.

Dominic

Not applicable

OK, I see that option in My Devices, so I should be able to make that work. I guess my only concern with the trial license is whether I will be able to tell if something is going to keep working once the trial runs out. Can I remove the license once I update the URL database?
