Ironport incorrectly blocking "shopping" from IT Admin

keithsauer507
Level 5

I'm trying to order a laptop locker from a website for business purposes.  Sure I can go into the IronPort and whitelist the site, but I want to know why the IronPort is so flaky like this.

The error I'm getting is this (sanitised domain name and username):

The website you are trying to access is blocked.

Blocked Site: www.schoollockers.com
Blocked Category: Shopping
User: DOMAINNAME\username@Windows
User Group: BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE
Reauth_URL: -

Base64Decode error '800a0001'
Bad Base64 string.
/ironport/blocked.asp, line 78

Now why would the blocked category be Shopping, but yet in another tab I am at www.walmart.com and that loads fine?  In fact other sites like Newegg, PCMall, BestBuy, Staples, Officemax, etc... all shopping sites - work great.

Can someone tell me the best way to diagnose this problem rather than bypass the webfilter or maintain long lists of one off exceptions?

S160 running v7.1.3-014 for Web

Accepted Solutions

Chris Illsley
Level 3

Simplest way to diagnose is to use the Policy Trace feature under System Administration; this will show all the policies that the account is hitting.

More detailed logs can be found by SSHing to the box and running a grep on the accesslogs; how best to do that depends on your setup.  But basically:

Grep
1
regular expression: username
Tail the logs: yes

And then do the actions which are getting allowed/denied and use them to find out the reason - AVC is application controls, etc.

Thanks for that.  I really like the grep and tail the logs.  It's like an instant way to see what's going on.

So I did this and today the site is not blocked!!  Weird how it would be blocked one day but not the next. Oh well, at least I got the nifty grep command out of it.

I guess what took me aback is that I'm in the IT identity group which does not block much at all.  Shopping is especially not blocked as we make online purchases for various business needs.

Thank you!

A note on grep.. I typically use the IP address instead of username... that way you'll see things, even if the user isn't authenticated yet...

Stafford Rau
Level 1

That "BLOCK_WBRS_11" means that the particular site was blocked due to a low web reputation score, rather than due to the category of the content.

Further along in the access log line for that connection will be the score itself. Here's one of ours:

BLOCK_WBRS_11-All_Access-CC_AD_Identity-NONE-NONE-NONE-NONE -

The -6.4 is the negative reputation score that caused this transaction to be blocked. Cisco has a public site where you can look up the reputation scores: http://senderbase.org

In the upper right corner, just under the "Look up your network" box, click on the Reputation Look Up link.
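
Added example, not part of any post in this thread and not Cisco code: a small Python parser that splits the decision tag discussed above, pulls the reputation score from the same access log line, and filters by client IP as suggested earlier. The sample lines are constructed; the squid-style field order, the score being the second value inside the `<...>` block, and the `BLOCK_WEBCAT` code are assumptions to check against your own accesslogs.

```python
import re

# Constructed sample lines (not from the thread). Assumed squid-style layout:
# time elapsed client_ip result/status bytes method url user hierarchy mime decision_tag <verdicts>
SAMPLE_LOG = r"""
1300000001.100 52 10.1.1.25 TCP_DENIED/403 0 GET http://lockers.example.test/ - NONE/- - BLOCK_WBRS_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_shop,-6.4,-,-> -
1300000002.200 87 10.1.1.25 TCP_MISS/200 5120 GET http://store.example.test/ DOMAIN\jdoe@Windows DIRECT/store.example.test text/html DEFAULT_CASE_11-Information_Technology-Authenticated_Users-NONE-NONE-NONE-NONE <IW_shop,5.1,-,-> -
1300000003.300 40 10.1.1.77 TCP_DENIED/403 0 GET http://games.example.test/ DOMAIN\asmith@Windows NONE/- - BLOCK_WEBCAT_11-All_Access-CC_AD_Identity-NONE-NONE-NONE-NONE <IW_game,3.0,-,-> -
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<ip>\S+) (?P<result>\S+) \S+ \S+ (?P<url>\S+) (?P<user>\S+) "
    r"\S+ \S+ (?P<tag>\S+) <(?P<verdict>[^>]*)>"
)

# BLOCK_WBRS is explained in the thread; BLOCK_WEBCAT is assumed here as the category-block code.
REASONS = {"BLOCK_WBRS": "web reputation score", "BLOCK_WEBCAT": "URL category"}


def explain(line):
    """Split one access log line into the fields that say why it was allowed or blocked."""
    m = LINE.match(line.strip())
    if not m:
        return None
    decision, *policy = m["tag"].split("-")
    code = re.sub(r"_\d+$", "", decision)      # BLOCK_WBRS_11 -> BLOCK_WBRS
    verdict = m["verdict"].split(",")
    try:
        score = float(verdict[1])              # assumed position of the reputation score
    except (IndexError, ValueError):
        score = None
    return {"ip": m["ip"], "url": m["url"], "user": m["user"], "decision": decision,
            "policy": policy, "category": verdict[0], "score": score,
            "blocked": code.startswith("BLOCK"), "reason": REASONS.get(code, code)}


def trace(log, client_ip):
    """Return the blocked transactions for one client IP, matching on IP rather than username."""
    rows = (explain(l) for l in log.splitlines() if l.strip())
    return [r for r in rows if r and r["ip"] == client_ip and r["blocked"]]


if __name__ == "__main__":
    for r in trace(SAMPLE_LOG, "10.1.1.25"):
        print(f'{r["url"]} blocked by {r["reason"]} (score {r["score"]}, category {r["category"]})')
```

The category reported for a site and the reason for the block are separate fields, which is why a site categorised as shopping can be blocked while other shopping sites load.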
