topic Re: R80.30 URL filtering blocking allowed categories in Firewall and Security Management

R80.30 URL filtering blocking allowed categories

mark239 — Wed, 13 Nov 2019 10:27:02 GMT

I recently rolled out a pair of small appliances to two sites.

The web filtering policy for a particular user group is layered, and it has an allow list and the next rule is a drop all, with block message. HTTPS scanning is enabled with the cert rolled out. (I have also tried breaking the layers and having the standalone accept rule and then the standalone drop all rule after it)

On one site this works perfectly.

On another site, regularly (Every day or at least every other day) from early in the morning the firewall starts blocking all requests to anything categorised 'Computers/Internet' (Which is an allowed category) and a lot of things stop working. There are no failed category updates in the system log (Before the upgrade this same behaviour occurred, but we had updates failed and then database failed to reload so i suspected this initially). It's like the allow rule is being completely ignored. User auth is working, as the user name is logged in the log entry with the message the site was blocked as it belongs to the computers/internet category.

The only way to stop this is to remove the drop rule after the allow for this user group, Once you re-enable it and install the policy it will be fine again until the next time it happens out of the blue.

I previously upgraded the appliance from R80.20, as they were getting an HTTPS inspection error around certificate length (>1000) that the fix seemed to be upgrade to R80.30.

Any ideas?

Re: R80.30 URL filtering blocking allowed categories

PhoneBoy — Thu, 14 Nov 2019 02:43:39 GMT

There is no downloaded database for URL categorization, all lookups are done via the cloud.
What is the exact rule that is supposed to allow the traffic?
When the traffic is blocked, what rule is it hitting?
What are examples of the site(s) in question?
Also, maybe the issue isn't the URL categorization, but the gateway is failing to do LDAP lookups on users for some reason?

Re: R80.30 URL filtering blocking allowed categories

mark239 — Thu, 14 Nov 2019 10:42:09 GMT

Ah, I assumed there was a DB due to the system events about installing application/url filtering database versions (And the old errors about failing to update and failing to reload DB)

The exact rule is basic. Its from a user group, to internet and allow certain categories.

The rule immediately below is block everything else. Block rule is currently disabled.

LDAP I assume to be ok - as a username is listed with every log.

Examples of sites being blocked are

entrust.net (blocked as business/economy) - an allowed category

google.com - blocked as search engines (allowed category)

etc etc.

Re: R80.30 URL filtering blocking allowed categories

abihsot__ — Thu, 14 Nov 2019 11:03:54 GMT

Hello,

what is the setting for "fail mode" - blades -> appl/URLF > general > fail mode ?

When traffic is blocked, in the logs if you check "matched rule" tab, what is the number of rule?

Re: R80.30 URL filtering blocking allowed categories

mark239 — Thu, 14 Nov 2019 11:06:11 GMT

The matched rule is the block rule, immediately below the allow rule.

I have already set fail-mode to open at the start of the problems, hoping that would fix it (It didnt)

Thanks

Re: R80.30 URL filtering blocking allowed categories

abihsot__ — Thu, 14 Nov 2019 11:19:02 GMT

So there are two options, you don't hit allow rule because of source not matched access role or not matching category.

From one ticket with TAC, I was advised to put categories directly to the policy instead of creating custom application group and using it. I wasn't convinced at that time and for me it was just stupid, however it is working fine now. If your custom application group is not super lengthy, maybe you can try that.

Re: R80.30 URL filtering blocking allowed categories

PhoneBoy — Thu, 14 Nov 2019 19:33:37 GMT

The user is communicated via AD Query, Identity Collector, etc.
LDAP is done from the gateway specifically to look up groups for the given user.
If LDAP is failing for some reason, then you would not be matching the Access Role in your allow rule.
It would explain why you're seeing the behavior you're seeing.

Re: R80.30 URL filtering blocking allowed categories

abihsot__ — Thu, 14 Nov 2019 19:43:14 GMT

In fact on a second look, I think LDAP is working fine, because exactly the same access role is used in rule 9, so there is something wrong with matching app/urlf category.

Re: R80.30 URL filtering blocking allowed categories

PhoneBoy — Thu, 14 Nov 2019 19:45:28 GMT

The original poster is experiencing issues on one gateway, but not other.
The categorization should be the same and we can confirm this by looking at the log card of the dropped connection.
That pretty much leaves LDAP (or something with the lookup process) as the only culprit.

Re: R80.30 URL filtering blocking allowed categories

abihsot__ — Thu, 14 Nov 2019 19:51:50 GMT

Where do you see log card of dropped connection? I fail to find this screenshot...

Re: R80.30 URL filtering blocking allowed categories

PhoneBoy — Thu, 14 Nov 2019 19:53:12 GMT

It wasn't provided, but I surmise, based on the original poster's description, that's what we'd find.

Re: R80.30 URL filtering blocking allowed categories

abihsot__ — Thu, 14 Nov 2019 19:56:28 GMT

oh, I see... But OP mentioned that rule 9 was matching, which has exactly the same access role as rule 8...

Re: R80.30 URL filtering blocking allowed categories

mark239 — Fri, 15 Nov 2019 09:23:48 GMT

I'll upload a few examples later - thanks so far guys for the time/consideration