Custom URL matching on wrong URLs

Cyber Elite

@mprintz,

Are you decrypting traffic at all or not? 

L1 Bithead

@BPry Yes, I am for that URL category and a handful of other URLs (none of the ones in the logs I've posted), as well as some non-HTTP services.  However, that's a recent change I made to see if it would fix the problem, but it didn't.

 

Matt

Cyber Elite

Hi @mprintz

 

What you actually have in this screenshot are connection attempts. In the screenshot there are no URLs in the URL column in the monitor tab, so the firewall was not able to apply the URL category. But this does not mean that these connections were successfully established (also because of the app incomplete - I assume the bytes (received/sent) are only a few, not much more than a TCP handshake and a TLS handshake).

The firewall has to allow some packets in order to get to the packet where it could allow/deny the traffic based on the actual url.


L1 Bithead

@vsys_remo Thanks, that makes sense.  I didn't realize the handshake is considered a different session than the data that follows it.  I also moved the rule down in the list (as it's not as frequently used as others) so other rules are hit first.
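
Added example, not part of the original thread or of any vendor tooling: a triage of an exported traffic log along the lines of the accepted answer, separating rule hits with no URL and only handshake-sized byte counts from hits with no URL that carried more data. The column names, the rule name, the sample rows and the 6000-byte ceiling are all assumptions constructed for this example.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example,
# not the firewall's real export header.
SAMPLE_LOG = """\
rule,application,url,bytes_sent,bytes_received
custom-url-allow,incomplete,,254,132
custom-url-allow,ssl,,517,1460
custom-url-allow,ssl,allowed.example.com/,2210,48211
custom-url-allow,ssl,,1834,96500
custom-url-allow,web-browsing,allowed.example.com/login,900,15000
other-rule,dns,,80,120
"""

# Assumed upper bound for a TCP handshake plus a TLS handshake; tune per site.
HANDSHAKE_BYTES = 6000


def classify(row, ceiling=HANDSHAKE_BYTES):
    """Label one log row by whether a URL was seen and how much data moved."""
    total = int(row["bytes_sent"]) + int(row["bytes_received"])
    if row["url"].strip():
        return "url-matched"      # firewall saw a URL and could categorise it
    if total <= ceiling:
        return "handshake-only"   # connection attempt, no URL visible yet
    return "review"               # no URL logged, yet real data was exchanged


def triage(log_text, rule):
    """Count verdicts for one rule and collect the rows that need a look."""
    counts = {"url-matched": 0, "handshake-only": 0, "review": 0}
    review = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["rule"] != rule:
            continue
        verdict = classify(row)
        counts[verdict] += 1
        if verdict == "review":
            review.append(row)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG, "custom-url-allow")
    print(counts)
    for row in review:
        print("review:", row["application"], row["bytes_sent"], row["bytes_received"])
```
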
