Solved: Lots of sites being categorized as anonymizers inc...

Jennifer_Wilson · ‎2024-03-04

We block anonymizers and can see that at least open.spotify.com, www.bing.com teams web etc are being blocked as they are tagged as anonymizers by URL categorization.
Had reports this has been happening since last Friday.

online Checkpoint URL checker shows the spotify one as what you would expect (entertainmnet etc.) and the IP's on it as uncategorized.

But the URL & App DB on my management server says it's up to date with a version of 141202403031347 created 03/03/2023 13:47 and won't update past that one.

Anyone else seeing similar issues?

the_rock · ‎2024-03-04

I agree 100%, best to oppen TAC case and see what they come back with.

Andy

View solution in original post

the_rock · ‎2024-03-04

Have not noticed it in my lab, shows up fine. When in doubt, I always check below, its correct 100% of the time

Best,

Andy

https://url-classification.io/?utm_source=g&utm_medium=a&utm_campaign=g2&gad_source=1&gclid=CjwKCAiA...

STEVE_ENS · ‎2024-03-04

I've been putting all the sites that the Anonymyzer rule has been catching into that classification site and they are all coming back green...so there are definitely issues.

the_rock · ‎2024-03-04

This is the log I see when going to bing.com

Andy

Morten_O · ‎2024-03-04

Yes, I have heard this from multiple customers within the last week or so. Heard that they needed to whitelist Bing, Teams, Office, WebEX and more - all categorized as Anonymizers.

the_rock · ‎2024-03-04

What version? We have many customers on R81.20 and no one reported this.

Best,

Andy

Morten_O · ‎2024-03-04

I think the majority of those with the problem are running R81.10

the_rock · ‎2024-03-04

That could be why...I will try later in R81.10 lab as well.

Andy

Jennifer_Wilson · ‎2024-03-04

Thanks for the info Morten, yes we are on R81.10 as well.

the_rock · ‎2024-03-04

Just tried, yes, seems like it is an issue in R81.10. Btw @Jennifer_Wilson , https categorization is NOT replacement for ssl inspection, but regardless of the fact you dont have inspection turned on, even if you did, you would most likely have the same problem.

I would consider upgrading to R81.20, if you can.

Best,

Andy

Jennifer_Wilson · ‎2024-03-04

Don't suppose you know if that would work if we upgraded just the management server? (leaving the gateways on R81.10)

the_rock · ‎2024-03-04

I do know...it would NOT work, Im 100% positive. You need to upgrade the gateways, because upgrading the mgmt server only would not do much to change this behavior.

Best,

Andy

Jennifer_Wilson · ‎2024-03-04

cheers, thanks for the confirmation it would not work.

the_rock · ‎2024-03-04

No worries.

Andy

Morten_O · ‎2024-03-04

Is this test a new installation of R81.10 or an old one? Which Jumbo? I know it's much to ask, but does it help to clear the URLF-cache (sk64280)?

the_rock · ‎2024-03-04

All good mate, questions are FREE ; - ). Its not new install, had it for some time.

Btw, tried that first actually and its latest jumbo.

Best,

Andy

STEVE_ENS · ‎2024-03-04

We are seeing this on R81.20... I've disabled my anonymyzer rule for the time being until we see a solution.

the_rock · ‎2024-03-04

I had not heard of any customers we have reporting this or had seen it in my lab and I do lots of ssl inspection testing in my eve-ng and also Azure lab.

Best,

Andy

Morten_O · ‎2024-03-04

As I see it, this is not related to HTTPS-inspection - I don't think that any of my customers that are seeing this issue uses HTTPS-inspection.

I think normal URLF/APCL is causing this.

the_rock · ‎2024-03-04

You wont see this issue if you were using uhttps inspection. As I said to @Jennifer_Wilson , http categorization is sadly NOT a replacement for inspection feature.

Best,

Andy

Jennifer_Wilson · ‎2024-03-04

Don't suppose you have the full list?
It's hard to figure out from our logs (lots of IP's rather than app names and we don't do SSL Decryption (do HTTPS Categprization))

Morten_O · ‎2024-03-04

I don't think there is a full list - I just heard that lenovo.com is now also an Anonymizer....

Best solution would be to open an Service Request. Not everyone can just upgrade to R81.20 overnight

the_rock · ‎2024-03-04

I agree 100%, best to oppen TAC case and see what they come back with.

Andy

Jennifer_Wilson · ‎2024-03-04

Just need to add that we've discovered that (AV sig/Defender etc.) updates to microsoft windows PCs are also being blocked because of this (ie Windows Updates, Windows 11 Updates) etc.

the_rock · ‎2024-03-04

I hate to say this, but in your case, without even having inspection enabled, it would be totally pointless to add anything as bypass rules in the inspection policy, as that would only take effect if the feature is turned on.

Best,

Andy

STEVE_ENS · ‎2024-03-04

I'm seeing this behaviour on my R81.20 appliance as well...so not just 81.10

D_W · ‎2024-03-04

Can you share some Log Details of these false positives?

STEVE_ENS · ‎2024-03-04

Response from TAC is that it is a known issue, they are working on it. I've had apps that have worked for years suddenly being blocked...going out to internet and coming in from internet.

D_W · ‎2024-03-04

Is the anomyzer before the allow rule? I need to think ahead. Hope it will not hit us 🤪

the_rock · ‎2024-03-04

Let us know what they provide you as a solution.

Best,

Andy

Are you a member of CheckMates?

Lots of sites being categorized as anonymizers inc. Spotify and Bing?