I have an access policy on an Ironport S370 configured for a locked-down AD account that allows access to only two internal sites and blocks all other categorized and non-categorized URLs. I've created custom URL categories for these two URLs and added them to this access policy; however, about 2 weeks ago one of the URLs started to get blocked because it matched a predefined URL category that is blocked.
This rule is #1 in the order of access policies. Under the access policy I see the 2 custom URL categories set to 'Allow' and all of the predefined URL categories set to 'Block'. Is this the recommended setup for doing what I'm trying to do? It seems the predefined category settings are overriding my custom URL categories. Any suggestions?
Thanks for the info. I can see from the logs it is indeed hitting the correct access policy so I must have it configured wrong. What is the correct way to block all but 2 sites from a user with an access policy?
Thanks for the fast response again! So I already have the 2 URLs added as custom categories to the access policy. The only other config I have in this access policy is that it BLOCKS all other categorized and uncategorized URLs.
Do the custom URL categories always override the predefined category settings? It seems to be ignoring my custom URL categories.
I'm also using just the domains in the Custom URL categories, so it's cisco.com instead of www.cisco.com. Could this be part of the problem?
The custom URLs will only override the default action of the access policy categories. If you set the action to Monitor, the URL will be categorized, and it will be blocked based on the category being blocked. But if you set the action to Allow, then it will not be scanned (aka categorized) and will be allowed.
Erik Kaiser WSA CSE WSA Cisco Forums Moderator
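The decision order the moderator describes (custom URL category checked first; Allow short-circuits categorization, Monitor falls through to the predefined category whose action is Block) can be modelled to see why the same policy blocks or permits the same site depending on one setting. The script below is an added illustration written for this thread, not WSA code or Cisco's own logic; the policy, the predefined-category lookup table and the URLs are constructed, and the suffix matching (treating an entry of `cisco.com` as also covering `www.cisco.com`) is an assumption of the model, since the thread never says how the WSA matches custom entries.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

ALLOW, BLOCK, MONITOR = "Allow", "Block", "Monitor"

# Constructed stand-in for the WSA's predefined categorization engine.
# Real category names and assignments differ; these are illustrative only.
PREDEFINED_LOOKUP = {
    "cisco.com": "Computers and Internet",
    "intranet.example": "Business",
}


@dataclass
class AccessPolicy:
    """Constructed model of one access policy: custom categories with their
    action, plus the action applied to every predefined category."""
    custom_categories: dict          # name -> (list of domains, action)
    predefined_action: str = BLOCK   # the thread's policy blocks all predefined categories


def host_in_domains(host: str, domains) -> bool:
    # Assumption of this model: an entry 'cisco.com' also matches 'www.cisco.com'.
    return any(host == d or host.endswith("." + d) for d in domains)


def categorize(host: str) -> str:
    """Mimic predefined categorization; anything unknown is Uncategorized."""
    for domain, category in PREDEFINED_LOOKUP.items():
        if host_in_domains(host, [domain]):
            return category
    return "Uncategorized"


def evaluate(policy: AccessPolicy, url: str):
    """Return (action, reason) for a URL under the given policy."""
    host = urlparse(url).hostname or ""
    # Custom URL categories are consulted first.
    for name, (domains, action) in policy.custom_categories.items():
        if host_in_domains(host, domains):
            if action == ALLOW:
                # Allow: the request is not categorized any further.
                return ALLOW, f"custom:{name}"
            if action == BLOCK:
                return BLOCK, f"custom:{name}"
            # Monitor: fall through to predefined categorization.
            break
    category = categorize(host)
    # Every predefined category (and Uncategorized) carries the policy-wide action.
    return policy.predefined_action, f"predefined:{category}"


def compare_custom_actions(url: str):
    """Show the same site under a Monitor custom category and an Allow one."""
    monitor_policy = AccessPolicy({"Allowed-Sites": (["cisco.com"], MONITOR)})
    allow_policy = AccessPolicy({"Allowed-Sites": (["cisco.com"], ALLOW)})
    return evaluate(monitor_policy, url), evaluate(allow_policy, url)


if __name__ == "__main__":
    for verdict in compare_custom_actions("https://www.cisco.com/"):
        print(verdict)
    print(evaluate(AccessPolicy({"Allowed-Sites": (["cisco.com"], ALLOW)}),
                   "https://example.org/"))
```

Running it shows the two outcomes side by side: with the custom category on Monitor the request reaches predefined categorization and is blocked by the category's Block action, which is the symptom in the original question; with the custom category on Allow it is permitted before categorization, and a site outside both custom categories is still blocked.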