cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Neil_ZInk
Copper

Is there way to find out if site/ip is blocked by IPS/URLF via command line?

Dear Checkmates

 

Is there way to find out if site/ip is blocked by IPS/URLF via command line?

thanks

0 Kudos
7 Replies
Admin
Admin

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

In short: no.

  • IPS doesn't block specific sites or IPs to begin with, it's looking for malicious traffic patterns.
  • To determine this for URLF, you would need to know
    • What the category is (no way to query that via CLI currently)
    • What your policy is configured to block based on a number of factors

For URLF, you may be able to do it in SmartConsole using

Can you describe your intended use case?

0 Kudos
Neil_ZInk
Copper

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

Our help desk is taking multiple tickets a day with basic question.  Are we blocking this site?

I want to create a self-help portal where the user enters the destination URL.  I want to automate the process to see if the URL and port are open or not.  If firewall is blocking the URL/port it would create ticket for the Cybersecurity team.

0 Kudos
Admin
Admin

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

Currently there is no API to do what you want.

That said, you could simulate this with scripted calls to curl or similar to the destination URL from a system subject to the same URLF policy as your end users.

If curl is able to download the homepage from the URL, then you're not blocking access to it.

If curl returns some sort of error or gets a UserCheck page, then you are and a ticket should be created. 

The trick is in parsing the output of curl to figure out which result is which.

0 Kudos
Vladimir
Pearl

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

I suspect that the SmartEvent could be used to determine when the URLF and App Control block sites and trigger notification events for the CyberSec team by either email, snmp traps etc.

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

yes Correct 

0 Kudos

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

I understand the Neil question and frustration, I try the best to describe the situation and please do not reply it work as intended...and you need to enable HTTPS inspection.

We got the same issues with URL blocked....unnecessary calls to our help desk.

Assuming we block you  "youtube.com", if the user is accessing the site with HTTP then the wonderful "blocked message page" is displayed. That is great and the user know the paged is blocked...end of story.

Now,  the user or  most Internet pages are redirected to "HTTPS"...from google to youtube to your banking.....etc,etc.

https://youtube.com is still blocked by URL filtering without HTTPS inspection ...known this  by searching at Smartlog, Tracker, Events....

but NO wonderful blocked page is display to the user.....just a "Secure Connection Failed" is displayed, prompting the user to initiate a call to the help desk.

0 Kudos
Admin
Admin

Re: Is there way to find out if site/ip is blocked by IPS/URLF via command line?

If you want a block page for HTTPS sites to show to the end user, you will have to enable HTTPS Inspection.

If you don't really want to do HTTPS Inspection, I suppose you could simply enable the feature with any "any any bypass" rule.

However, I have not tried this.

Either way, HTTPS Inspection needs to be enabled in order to show a block page for HTTPS sites to end users.

0 Kudos