Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bulu_N
Explorer

Acessing URL matched and DROP with different rule (Logs showing additional domain address)

Hi Team,

We are accessing a genuine URL but its DROP by matching a drop rule.

We check the logs and find out that its showing destination as a as accessing URL but also a additional domain address "workisboring.com".

For workisboring.com we already created a DROP rule for this which matched in our case for intial 5 to 10 min for 1st time access and then its matched the accept rule and able to access the URL and then again we checked the logs find out that its matched the accept rule but this time we have not saw the additinal workisboring.com because now its matched on different rule.

Let me knnown Team what is the issue that time?

PHOTO-2022-08-17-10-12-34.jpg

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

What precise rule is it matching on?
What precise rule do you believe it should be matching on?
Is HTTPS Inspection being used?
What version/JHF?

0 Kudos
the_rock
Legend
Legend

Here are my questions...

1) What rule is it dropped on?

2) Are you using ORDERED or INLINE layer for URL filtering?

3) Did this ever work before?

Andy

0 Kudos
Bulu_N
Explorer

Hi Andy,

Thank you so much for the response.

Here are my Answers : 

1) What rule is it dropped on?

Rule number is 3 and 4 which is we using for block the incoming and outgoing connection towards blacklist IP address 

we mentioned sources as ANY and destination as blacklisted  on rule number 3 which we are multiple Blacklisted IP address as well as domain address also  rule 4 for outgoing source will be Black listed IP address.

2) Are you using ORDERED or INLINE layer for URL filtering?

 ORDERED

3) Did this ever work before?

Yes its working fine before but after upgrading to R81.10 we face this kind of issue 

so during the firs time only we face this issue for few minutes and then it’s automatically working fine and till 3 days gone we haven’t see the access issue.

I Need a RCA for this pls help

0 Kudos
the_rock
Legend
Legend

Honestly, if I were in your situation, best thing I would look for is logs in smart dashboard and also maybe search for keywords in messages files...so for example, if you are wondering about specific site, say www.cnn.com (just as an example), you could do something like this from gateway master member (if its a cluster)

grep -i cnn /var/log/messages*

Andy

0 Kudos
PhoneBoy
Admin
Admin

If you need a formal RCA, please open a TAC case.

That said, it's pretty obvious there is something in the traffic that causes it to be classified differently at different points of time.
As we are continually analyzing traffic flows, this is normal.
Packet captures of the relevant traffic are likely required to understand what's happening and why.
There are likely other debugs necessary here that the TAC can advise you on.

the_rock
Legend
Legend

@Bulu_N ...I agree with @PhoneBoy and his last response. Those are all GREAT points, so TAC case would probably be best in your case.

Andy

0 Kudos
Ryan_Ryan
Advisor

Manage and settings / blades / application control And URL filtering / advanced settings / general / Fail mode
is it set to fail-open or fail-closed ?

 

if its failed-closed I would check var/log/messages for the same time as you saw drops for any indication of errors.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events