cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3477
Views
0
Helpful
5
Replies

Ironport S370 Custom URL Category failing

flurrball
Level 1
Level 1

I have an access policy on an Ironport S370 configured for a locked down AD account that is allowing access to only two internal sites and blocking all other categorized and non-categorized URLs. I've created custom URL categories for these two URLs and added them to this access policy, however about 2 weeks ago one of the URLs started to get blocked because it matched a predefined URL category that is blocked.

This rule is #1 in the order of access policies. Under the Access policy I see the 2 custom URL categories set to 'Allow' and all of the Pre-defined URL categories are set to 'Block'. Is this the recommended setup for doing what I'm trying to do? It seems the pre-defined category settings are over-riding my custom URL categories. Any suggestions?

Thanks!

Mark

5 Replies 5

Erik Kaiser
Cisco Employee
Cisco Employee

Hi Flurrball,

Grep for the access logs using the IP of the PC as the expression. This will tell you if you are trully hitting the correct access policy.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

Erik,

Thanks for the info. I can see from the logs it is indeed hitting the correct access policy so I must have it configured wrong. What is the correct way to block all but 2 sites from a user with an access policy?

Thanks,

Marcus

Hi Marcus,

You will want to create a custom URL category and add the 2 URLs to it for example .microsoft.com, microsoft.com. Set it to allow not monitor.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

Erik,

Thanks for the fast response again! So I already have the 2 URLs added as custom categories to the access policy. The only other config I have in this access policy is that it BLOCKS all other categorized and un-categorized URLs.

Do the Custom URL categories always override the pre-defined category settings? It seems to be ignoring my custom URL categories.

I'm also using just the domains in the Custom URL categories, so it's cisco.com instead of www.cisco.com. Could this be part of the problem?

Thanks,

Marcus

Hi Marcus,

The custom URLs will only over ride the default action to the access policy categories if you set the action to monitor the URL will be categorized which will be blocked based on the category being blocked. But if you set the action to allow then it will not be scanned aka categorized and be allowed.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: