Ironport incorrectly blocking "shopping" from IT Admin

Answered Question
Mar 6th, 2012

I'm trying to order a laptop locker from a website for business purposes.  Sure I can go into the IronPort and whitelist the site, but I want to know why the IronPort is so flaky like this.

The error I'm getting is this (sanitised domain name and username):

The website you are trying to access is blocked.

Blocked Site: www.schoollockers.com
Blocked Category: Shopping
User: DOMAINNAME\username@Windows
User Group: BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE
Reauth_URL: -

Base64Decode error '800a0001'
Bad Base64 string.
/ironport/blocked.asp, line 78

Now why would the blocked category be Shopping, but yet in another tab I am at www.walmart.com and that loads fine?  In fact other sites like Newegg, PCMall, BestBuy, Staples, Officemax, etc... all shopping sites - work great.

Can someone tell me the best way to diagnose this problem rather than bypass the webfilter or maintain long lists of one off exceptions?

S160 running v7.1.3-014 for Web

Correct Answer
mooncat76 Tue, 03/06/2012 - 23:48

Simplest way to diagnose is to use the Policy Trace feature under System Administration, this will show all the policies that the account is hitting.

More detailed logs can be found by SSHing to the box and running a grep on the accesslogs; how best to do it depends on your setup.  But basically:

    Grep
    1
    regular expression: username
    Tail the logs: yes

And then do the actions which are getting allowed/denied and use them to find out the reason - AVC is application controls, etc.

keithsauer507 Wed, 03/07/2012 - 06:44

Thanks for that.  I really like the grep and tail the logs.  It's like an instant way to see what's going on.

So I did this and today the site is not blocked!!  Weird how it would be blocked one day but not the next. Oh well, at least I got the nifty grep command out of it.

I guess what took me back is that I'm in the IT identity group which does not block much at all.  Shopping is especially not blocked as we make online purchases for various business needs.

Thank you!

kstieers1 Wed, 03/07/2012 - 06:59

A note on grep.. I typically use the IP address instead of username... that way you'll see things, even if the user isn't authenticated yet...

sallanrau Wed, 03/14/2012 - 11:11

That "BLOCK_WBRS_11" means that the particular site was blocked due to a low web reputation score, rather than due to the category of the content.

Further along in the access log line for that connection will be the score itself. Here's one of ours:

BLOCK_WBRS_11-All_Access-CC_AD_Identity-NONE-NONE-NONE-NONE -

The -6.4 is the negative reputation score that caused this transaction to be blocked. Cisco has a public site where you can look up the reputation scores: http://senderbase.org

In the upper right corner, just under the "Look up your network" box, click on the Reputation Look Up link.
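Tying the answers above together: the decision tag that mooncat76's grep surfaces is the same string sallanrau decodes, and kstieers1's point about grepping by client IP matters for unauthenticated hits. The following is an added example written for this page, not code from the thread or from Cisco: a small Python parser over constructed WSA-style access-log lines that filters by username or client IP, then reports for each hit the action, the reason code, the policy group, the identity, and the reputation score, so a block page that says "Shopping" can be checked against what the appliance actually decided. Assumptions, labelled in the code as well: the squid-style field order and the reputation score being the second comma-separated value inside the angle-bracket verdict field follow the WSA access-log layout as I know it; the hosts, IPs, users and scores in the sample are made up; policy group and identity names are assumed to contain no hyphens.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the squid-style layout the WSA access log uses:
# timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user,
# hierarchy/server, MIME type, ACL decision tag, <scanning verdicts>, "-".
# Hosts, IPs, users and scores are made up for this example; only the shape of
# the decision tag (BLOCK_WBRS_11-Policy-Identity-NONE-NONE-NONE-NONE) is from the thread.
SAMPLE_LOG = """\
1331050080.123 245 10.0.0.25 TCP_DENIED/403 0 GET http://www.schoollockers.com/ "DOMAINNAME\\username@Windows" NONE/- - BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_shop,-6.4,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,[Local],"-"> -
1331050091.456 312 10.0.0.25 TCP_MISS/200 48211 GET http://www.walmart.com/ "DOMAINNAME\\username@Windows" DIRECT/www.walmart.com text/html DEFAULT_CASE_12-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_shop,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_shop,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,[Local],"-"> -
1331050102.789 98 10.0.0.77 TCP_DENIED/403 0 GET http://games.example.net/ - NONE/- - BLOCK_WEBCAT_11-Guests-Unauthenticated_Users-NONE-NONE-NONE-NONE <IW_game,3.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_game,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,[Local],"-"> -
"""

# One full access-log line. The decision tag is anchored by the <verdict> field
# that follows it, so the user field may be a quoted name or a bare "-".
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client_ip>\S+)\s+'
    r'(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'(?P<user>"[^"]*"|\S+)\s+(?P<hierarchy>\S+)\s+(?P<mime>\S+)\s+'
    r'(?P<tag>\S+_\d+-\S+)\s+<(?P<verdict>[^>]*)>'
)

# Reason codes found in the middle of the decision tag's first segment.
REASON_NAMES = {
    "WBRS": "web reputation score",
    "WEBCAT": "URL category",
    "AVC": "application visibility and control",
    "CASE": "default policy action",
}


@dataclass
class Decision:
    client_ip: str
    user: str
    url: str
    action: str          # BLOCK, ALLOW, MONITOR, DEFAULT, ...
    reason: str          # WBRS, WEBCAT, AVC, CASE, ...
    policy_group: str    # access policy group that matched
    identity: str        # identity group that matched
    category_code: str   # URL category code from the verdict field
    wbrs_score: Optional[float]

    def why(self) -> str:
        """Plain-language reason. When the reason code is WBRS, the block page's
        'Blocked Category' label is incidental, not the cause."""
        if self.reason == "WBRS":
            return (f"{self.action} by web reputation: score {self.wbrs_score} fell in the "
                    f"{self.action.lower()} range of policy {self.policy_group}; "
                    f"category {self.category_code} was not the cause")
        if self.reason == "WEBCAT":
            return f"{self.action} by URL category {self.category_code} in policy {self.policy_group}"
        return f"{self.action}: {REASON_NAMES.get(self.reason, self.reason)}"


def parse_line(line: str) -> Optional[Decision]:
    """Parse one access-log line; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumed tag layout: ACTION_REASON_N-PolicyGroup-Identity-... with no
    # hyphens inside the policy group or identity names.
    segments = m.group("tag").split("-")
    head = segments[0].rsplit("_", 2)            # e.g. ["BLOCK", "WBRS", "11"]
    action, reason = (head[0], head[1]) if len(head) == 3 else (head[0], "?")
    verdict = m.group("verdict").split(",")
    # Assumed: first verdict value is the category code, second the reputation
    # score ("-" when the site was not scored).
    wbrs_score = None if len(verdict) < 2 or verdict[1] == "-" else float(verdict[1])
    return Decision(
        client_ip=m.group("client_ip"),
        user=m.group("user").strip('"'),
        url=m.group("url"),
        action=action,
        reason=reason,
        policy_group=segments[1] if len(segments) > 1 else "?",
        identity=segments[2] if len(segments) > 2 else "?",
        category_code=verdict[0],
        wbrs_score=wbrs_score,
    )


def grep_log(log_text: str, needle: str) -> List[str]:
    """What the CLI grep with a username or client-IP pattern would surface."""
    return [ln for ln in log_text.splitlines() if needle in ln]


def explain(log_text: str, needle: str) -> List[Decision]:
    """Filter by user or IP, then decode every matching decision tag."""
    return [d for d in map(parse_line, grep_log(log_text, needle)) if d]


if __name__ == "__main__":
    for d in explain(SAMPLE_LOG, "10.0.0.25"):
        print(f"{d.user} {d.url} -> {d.why()}")
```

Grepping by IP rather than username (the third sample line) is what lets the unauthenticated hit show up at all, since its user field is just "-". For the first line the parser reports the block as a WBRS decision with score -6.4, which is the distinction sallanrau draws: the category code is present in the verdict field but is not what the policy acted on.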

Posted March 6, 2012 at 7:40 AM