OK, let me start out by saying I am not using the URL filtering profiles, only trying to set up whitelists for outbound web using the custom URL categories.
So I built a rule that allows my trust zone to go out to the untrust using the web-browsing app and the custom URL category which contains the URLs that need to go out. When I try the connection I'm getting 503 errors and seeing 2 entries in my traffic log. The first one is a start type that is allowed by the rule, with an "any" in the URL category; the second is a deny that is getting dropped by the deny-all cleanup rule at the bottom, with a "not-resolved" URL category. What I'm trying to figure out is why it isn't being allowed by the URL category.
Hi,
Could you please verify the category using the link mentioned below.
http://www.brightcoud.com/support/lookip.php
Also check the traffic logs (click the magnifying glass symbol of the dropped traffic) for more details.
Thanks
Subhankar
It comes up with a category but I'm not sure how that applies since I'm not using Brightcloud, just trying to use my own custom categories.
Result of the show session id command (IPs sanitized)
Session 1587225
c2s flow:
source: x.x.71.42 [ProdApp]
dst: y.y.110.122
proto: 6
sport: 38456 dport: 80
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: y.y.110.122 [Deep Dark Woods]
dst: x.x.71.42
proto: 6
sport: 80 dport: 38456
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jul 23 08:41:06 2013
timeout : 90 sec
total byte count(c2s) : 730
total byte count(s2c) : 66
layer7 packet count(c2s) : 11
layer7 packet count(s2c) : 1
vsys : vsys2
application : web-browsing
session to be logged at end : False
session in session ager : False
session synced from HA peer : False
layer7 processing : completed
URL filtering enabled : True
URL category : not-resolved
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/15
session QoS rule : N/A (class 4)
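The session dump above, worked as an added example (this is not code from the thread or from Palo Alto Networks): a small Python parser for the show session id output, plus a check that flags the combination the OP is seeing, URL filtering enabled together with a URL category of not-resolved. The sample input is the sanitized dump quoted above, trimmed to the lines the parser uses; the field names are PAN-OS's own, while the wording of the findings is this example's.

```python
"""Parse PAN-OS 'show session id <n>' output and flag URL-category problems.

Added example, not from the original thread. SAMPLE_SESSION is the sanitized
dump quoted in the post above, trimmed; the diagnosis text is this example's own.
"""
import re
from typing import Any, Dict, List

SAMPLE_SESSION = """\
Session 1587225
c2s flow:
source: x.x.71.42 [ProdApp]
dst: y.y.110.122
proto: 6
sport: 38456 dport: 80
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: y.y.110.122 [Deep Dark Woods]
dst: x.x.71.42
proto: 6
sport: 80 dport: 38456
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jul 23 08:41:06 2013
timeout : 90 sec
total byte count(c2s) : 730
total byte count(s2c) : 66
vsys : vsys2
application : web-browsing
layer7 processing : completed
URL filtering enabled : True
URL category : not-resolved
ingress interface : ethernet1/4
egress interface : ethernet1/15
"""

# Flow lines pack several "key: value" pairs onto one line ("sport: 38456 dport: 80");
# a value runs until the next "key:" token or the end of the line. Zone names in
# brackets ("x.x.71.42 [ProdApp]") stay part of the value.
_FLOW_PAIR = re.compile(r"([a-z][a-z ]*?):\s*(.+?)(?=\s+[a-z][a-z ]*?:\s|\s*$)")


def parse_session(text: str) -> Dict[str, Any]:
    """Return {'id': int, 'flows': {'c2s': {...}, 's2c': {...}}, 'attrs': {...}}."""
    session: Dict[str, Any] = {"id": None, "flows": {}, "attrs": {}}
    current_flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Session (\d+)$", line)
        if m:
            session["id"] = int(m.group(1))
            continue
        m = re.match(r"(c2s|s2c) flow:$", line)
        if m:
            current_flow = m.group(1)
            session["flows"][current_flow] = {}
            continue
        if " : " in line:
            # Session-level attributes use "key : value"; split on the first such
            # separator so the colons inside the start-time value survive.
            key, value = line.split(" : ", 1)
            session["attrs"][key.strip()] = value.strip()
            current_flow = None
        elif current_flow is not None:
            for key, value in _FLOW_PAIR.findall(line):
                session["flows"][current_flow][key.strip()] = value.strip()
    return session


def flow_summary(session: Dict[str, Any]) -> str:
    """One-line c2s tuple with the bracketed zone name stripped from the source."""
    c2s = session["flows"]["c2s"]
    src = c2s["source"].split(" [")[0]
    return f"{src}:{c2s['sport']} -> {c2s['dst']}:{c2s['dport']} (proto {c2s['proto']})"


def diagnose_url_category(session: Dict[str, Any]) -> List[str]:
    """Explain, from the dump alone, why a rule keyed on a URL category did not match."""
    attrs = session["attrs"]
    findings: List[str] = []
    if attrs.get("URL filtering enabled") == "True" and attrs.get("URL category") == "not-resolved":
        findings.append(
            "URL category is not-resolved although URL filtering is enabled: a security "
            "rule that requires a URL category (custom or predefined) will not match this "
            "session, so it falls through to the next rule that does match."
        )
        if attrs.get("application") == "web-browsing" and attrs.get("layer7 processing") == "completed":
            findings.append(
                "App-ID identified web-browsing and finished layer-7 processing, so the "
                "rule's application match is satisfied; the URL category is what fails."
            )
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_SESSION)
    print(f"session {parsed['id']}: {flow_summary(parsed)}")
    for finding in diagnose_url_category(parsed):
        print(" -", finding)
```

Paste the output of show session id for the denied session into SAMPLE_SESSION (or read it from a file) and the script prints the c2s tuple followed by the findings; a session whose URL category resolved to a real category produces no findings, which is the quick way to tell the license/database problem from a category-list problem.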
You may want to try checking the category on the firewall itself:
> check url www.example.com
The session output shows that the firewall isn't able to resolve the URL category. The site(s) you added to the custom URL category may not be the full list of domains. If you were to add paloaltonetworks.com to a custom URL category, there are other categories referenced by that page. Things like CDNs (akamai, etc.), site analytic cookies, and similar content may not be displayed if you are only allowing the custom category you created.
Hope this helps,
Greg
Going back to your first statement, "OK, let me start out with I am not using the URL filtering profiles." Do you even have a URL filter license, and have you downloaded a database in the past? If not, I believe the custom URL won't work, as there's no database to put the custom URL category in.
Thanks,
Dominic
I don't have the check url command, but if I do a test url with the URL I get a "No URL database is loaded" response.
No, I don't have a license. I'm starting to wonder if that's part of the issue, since I am getting "No URL database is loaded" responses when trying to do a test url. Is this something I can update once without the license, since I don't really need the categories? We are in front of an all-server environment and really only need to allow a handful of sites out, but unfortunately 2 of the sites have one URL each but about 50 servers doing load balancing/failover for them.
You should get a free 30-day eval of URL filtering with the device. You should be able to see that online in the customer portal (My Devices). Once the 30-day is applied, go to the Device tab -> Licenses and activate the URL filter, then Dynamic Updates. *Adding the URL database may require a restart.
Dominic
OK, I see that option in My Devices, so I should be able to make that work. I guess my only concern with the trial license is whether I will be able to tell if something is going to keep working once the trial runs out. Can I remove the license once I update the URL database?