You tube filtration issues


L2 Linker

I'm at a bit of a loss and am writing to see if anyone else has experienced anything like this:

I have a policy that allows unrestricted access to youtube.com via http/https.  Accessing this rule is only allowed based on membership in an AD group.  And in testing, it seems to work when I add my user object to the policy itself. I don't have access to AD to insert myself into various groups for testing.

So here's where it gets weird.

I have some members in that group that are able to access it using https and not http, and for the life of me I can't figure out why.

Anybody have anything like this happen before?

 

Thanks,

 

bws

4 REPLIES

Cyber Elite

Do you decrypt traffic?

You can test if user is in specific group with command below:

show user user-ids match-user john

 

 

Can the firewall identify that the user is in the group you use in the policy?

If you go to the traffic log, is the traffic correctly identified (or is it just ssl)?

 

For me youtube always redirects me to https version so how can you access it over http?

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Raido, first of all, thank you for the reply.  My responses will be in blue.

 

Do you decrypt traffic?
Yes, but not in this particular policy

You can test if user is in specific group with command below:

show user user-ids match-user john
Executed like expected and sees all of the users in question being associated with that group. (I ran this command on a sample group of 10 users and the response was consistently the same)

Can firewall identify that user is in the group you use in the policy?
Yes, as there are other websites being processed by this policy and that all works properly.

If you go to traffic log is traffic correctly identified (or it is just ssl)?
I see both 80 and 443 and other sites seem to be processed properly.

 

I even went so far as to specify the user object in the policy, at the same level as the group, in the event that the firewalls weren't recognizing the group members. No joy. So I'm at a bit of a loss on this one.

 

For me youtube always redirects me to https version so how can you access it over http?

So expectation is to allow Youtube right?

And it is not working?

If you go to traffic log and filter based on user and search for sessions that were not permitted.

(user.src eq 'domain\user') and (action neq allow)

Then you should see blocked sessions.

Click on mag glass.

What is session end reason?

What is application identified?

Against what rule this traffic matched?

 

By default only ended sessions show up in traffic log so you might want to check session table also or check "Log at Session Start" on policy during troubleshooting.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

First off THANK YOU!  I believe I was getting caught up on a single tree in forest, so to speak... What was happening is elements of Youtube are being classified as google-base, and since that's not explicitly allowed, it's flagging the entire session.  Now that I know the cause & effect, I can work it out.

 

Thanks again and cheers!

 

bws
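
The triage described in the replies above (filter one user's non-allowed sessions, then read the application, rule and session end reason), run offline over an exported traffic log. This is an added example, not part of the original thread; the CSV column names, user names and rule names are constructed assumptions and must be adjusted to match a real export.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names are assumptions, not a real export format.
SAMPLE_LOG = """\
source_user,application,dest_port,action,rule,session_end_reason
corp\\alice,youtube-base,443,allow,Allow-YouTube,tcp-fin
corp\\alice,google-base,443,deny,interzone-default,policy-deny
corp\\alice,google-base,80,deny,interzone-default,policy-deny
corp\\alice,ssl,443,allow,Allow-YouTube,tcp-fin
corp\\bob,youtube-base,443,allow,Allow-YouTube,tcp-fin
corp\\bob,google-base,80,deny,interzone-default,policy-deny
corp\\bob,web-browsing,80,allow,Allow-Web,tcp-fin
"""


def blocked_sessions(log_text, user):
    """Rows for `user` whose action is not allow (same idea as the log filter)."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows
            if r["source_user"].lower() == user.lower()
            and r["action"] != "allow"]


def summarize(rows):
    """Count blocked sessions per (application, port, rule, end reason)."""
    return Counter((r["application"], r["dest_port"], r["rule"],
                    r["session_end_reason"]) for r in rows)


def missing_apps(log_text, user, allowed_apps):
    """Applications seen blocked for the user that the allow rule does not list."""
    seen = {r["application"] for r in blocked_sessions(log_text, user)}
    return sorted(seen - set(allowed_apps))


if __name__ == "__main__":
    user = "corp\\alice"
    for key, count in summarize(blocked_sessions(SAMPLE_LOG, user)).most_common():
        print(count, *key)
    # Applications to review against the rule that is meant to permit YouTube.
    print(missing_apps(SAMPLE_LOG, user, ["youtube-base", "ssl"]))
```
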
