
URL filtering on ESA

Jason Meyer
Level 1

So I've started to test the URL filtering capabilities on our C670s.  So far I have found that there are quite a few false positives or incorrectly categorized web sites.   Is there any mechanism in place to request a reclassification of a website?

 

Jason

19 Replies

Really a good document for getting started with URL filtering.

What would make the URL filtering feature even better is the ability to set up a custom blacklist, or category that can be used in filters, to enter URLs we know are phishing or malicious.

I have seen a number of phishing and spam URLs that are set up in such a way that the root domain looks harmless. It's the trick for keeping your malicious domain from being marked as a malicious domain by content filters. A good example is http://security-upgrade.com/ which in many systems is just looked at as a security update domain, but if you get the link, it is a malicious Adobe Flash domain. Really everything about the domain is bogus and it was only registered in the past week. This is what they do to get around URL content filters.

Sometimes a legit domain is compromised, and we just need to block it temporarily until it is fixed. 
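
The custom blocklist asked for in the post above, sketched as an added example (not part of the original post, and not an ESA feature or API): entries match a host and its subdomains, optionally narrowed to a path prefix, and can expire for the temporarily compromised legitimate site case. The class, function names and `.example` hosts are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

class Blocklist:
    """Local URL blocklist: host (plus subdomains), path prefix, optional expiry."""

    def __init__(self):
        self.entries = []  # (host, path_prefix_without_trailing_slash, expires)

    def add(self, host, path_prefix="/", expires=None):
        self.entries.append((host.lower().rstrip("."), path_prefix.rstrip("/"), expires))

    def match(self, url, now):
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
        path = parts.path or "/"
        for entry_host, prefix, expires in self.entries:
            if expires is not None and now >= expires:
                continue  # temporary block has lapsed
            host_hit = host == entry_host or host.endswith("." + entry_host)
            # Segment-aware prefix match so "/up" does not match "/uploads".
            path_hit = path == prefix or path.startswith(prefix + "/")
            if host_hit and path_hit:
                return True
        return False

def blocked_urls(body, blocklist, now):
    """Return the URLs in a message body that hit the blocklist."""
    urls = [u.rstrip(".,);") for u in URL_RE.findall(body)]
    return [u for u in urls if blocklist.match(u, now)]

# Constructed sample data: one wholly bogus domain, one compromised legitimate site.
UTC = timezone.utc
BLOCKLIST = Blocklist()
BLOCKLIST.add("security-upgrade.example")
BLOCKLIST.add("legit-site.example", "/wp-content/uploads",
              expires=datetime(2024, 1, 15, tzinfo=UTC))

SAMPLE_BODY = (
    "Update Flash now: http://cdn.security-upgrade.example/flash/install.exe.\n"
    "Invoice: https://legit-site.example/wp-content/uploads/inv.html\n"
    "About us: https://legit-site.example/about\n"
)

if __name__ == "__main__":
    for hit in blocked_urls(SAMPLE_BODY, BLOCKLIST, datetime(2024, 1, 10, tzinfo=UTC)):
        print("BLOCK", hit)
```
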

Thanks Paul.  I'll take the suggestion as an Enhancement Request.  As this feature is still new as of the 8.5.x release, it's a growing (and very popular) feature.  So --- I am hoping that we'll continue to see improvements with the web security aspects of the OS.  This and AMP are introducing a new learning curve for everyone.

-Robert

Hi Robert,

Cisco IronPort does not have any phishing category.

https://securityhub.cisco.com/web/submit_urls

Using the above link, how can we report a phishing URL?

Many emails with phishing URLs.

FYI

Check the boxes and then assign a category:

| URL | Category |
| --- | --- |
| www.mirror.co.uk/news/uk-news/lottery-winner-give-away-26million-3967400 | News |
| ithelpdeskservice.wix.com/service | Computers and Internet |
| mail.a4.3space.info | Computers and Internet |
| www.arabyonline.com | News |
| box1box1.wix.com | Computers and Internet |
| mypartners.netotrade.com | Business and Industry |

--Sajid--

That's a very helpful paper, Robert.

Apologies for the thread necromancy, but this appears to be the best thread on URL filtering in the forum and I need to ask a very simple question.

I seem to have been confused by some of the initial statements on URL filtering when it was originally released. Does an ESA customer also have to be a WSA customer in order to make any practical use of the filter?

Do we have any guidelines on the likely bandwidth or CPU hits for turning the filtering on? We already have basic Outbreak filtering running.

Is it now possible to comment on the concerns over relatively fresh malign URLs that have yet to be categorised? Everything we've had to follow up this year has been zero-day, which would make the technique of relatively limited value.

No - you don't have to be a WSA customer, or have WSA running.  All of this is on-board ESA.  While the callout from the service goes through to the same cloud that WSA is using, it is independent.

Bandwidth/CPU - it honestly will boil down to the appliance size you have running, and then the other options you also have running.  Some users enabling URL Filtering and the associated mail logging of the URL and score have seen a small increase in CPU, others don't.  If you have a heavily burdened appliance already, rule of thumb would be: know that you are turning this on, monitor and check your message flow and stats graphs post-implementation.

Fresh/uncaught URLs that aren't in the system are always a threat - as the day-to-day methods and workarounds by most out there change daily, there is always the chance that a malicious URL goes unnoticed at first, then is re-scored later and caught.  With URL filtering enabled and logging with the VOF setting, it's really the most helpful to have that running so you can in fact go through and look at the mail logs, getting the URL and scoring recorded for your administrative review.

-Robert