Before creating special ACLs for these websites I'd first try and set the "Relax Protocol Enforcement" option accordingly (that resolved about 95% of the problems for me).
If you have an upstream proxy configured that might be another possible problem. Especially the combination of Smartfilter and Squid sometimes completely messes up things that worked before (disabling Squid solved that so I assume the problem is due to bugs in Squid).
Regarding websites: I've had these problems with quite a few websites (including popular ones like Facebook and Microsoft) but don't remember the exact URLs.
I can't believe support doesn't have a list, but maybe they aren't using Sidewinders or have AppDefense turned off.
I have smartfilter and relaxed enforcements off and upstream proxy enabled. This is not my core firewall; this firewall basically takes any 80 and 443 traffic and re-directs it to the web gateway where all the content filtering is done before it heads out to the internet.
You can see Application Defense violation audits with this filter:
$> acat -e "category appdef_violation"
If you have a certain rule you want to watch for app. defense violations on, you can add the rule_name into the filter:
$> acat -e "category appdef_violation and rule_name 'Internet Services'"
(you need single-quotes around a rule name if it has a space)
Here's the kicker: these filters are on a firewall by default; you can already use them to alert you if an app. defense violation happens.
- Go to Monitor -> IPS Attack Responses.
- Click 'New'. This launches the 'Attack Response Wizard,' which you can use to create a response (an alert) to an action (an audit message, basically).
- Give it a name.
- Now you have choices for the type of 'Attack' (policy violation) you want to alert on.
- You have two choices for app. defenses: 'Application Defense Violation All' and 'Application Defense Violation Severe.'
You can see what these two Attack filters entail by running these commands:
$> cf audit q name='Application Defense Violation All'
audit add filter name='Application Defense Violation All' \
comments='Detects attacks of all severities that violate active policy defined by Application Defenses. This attack category includes mime and keyword filter failure attacks.' \
filter_type=attack number=0 sacap_filter=AUDIT_X_APPDEF_VIOLATION
$> cf audit q name='Application Defense Violation Severe'
audit add filter name='Application Defense Violation Severe' \
comments='Detects when severe attacks violate active policy defined by Application Defenses, including mime and keyword filter reject audits.' \
filter_type=attack number=0 sacap_filter=AUDIT_X_APPDEF_VIOLATION_SEVERE
You can see the 'sacap_filter' (audit filter) names there: AUDIT_X_APPDEF_VIOLATION and AUDIT_X_APPDEF_VIOLATION_SEVERE. The 'AUDIT_X' denotes that this is a pre-defined filter that combines various expressions in a 'canned' value (that's from the 'man sacap_filter' page).
To see what these 'canned' values represent, you run 'acat -c | less' and then search for 'X_APPDEF' (press /, then type X_APPDEF and hit Enter to search). This is what those values mean (the sacap_filter is below the name of the filter value):
(category AUDIT_C_APPDEF_VIOLATION) && (priority AUDIT_P_EMERGENCY || priority AUDIT_P_ALERT || priority AUDIT_P_CRIT || priority AUDIT_P_FATAL || priority AUDIT_P_MAJOR)
You can see that AUDIT_X_APPDEF_VIOLATION is the audit filter "category AUDIT_C_APPDEF_VIOLATION". If you look at 'acat -c' you'll see that "appdef_violation" is what's called a 'short message' for AUDIT_C_APPDEF_VIOLATION -- it's a shorthand way to use that filter. Our first audit filter at the top (acat -e "category appdef_violation") is the same as 'acat -e AUDIT_X_APPDEF_VIOLATION' then.
The filter AUDIT_X_APPDEF_VIOLATION_SEVERE is the same thing except it only gets the most severe audit 'priority' types (as evidenced by its name).
I just did a simple test where I turned on 'HTTP URL Control' and then turned off ALL the HTTP commands (so no HTTP commands were allowed through, like a GET). When the system blocked me the audit message had a priority of 'p_minor,' so the SEVERE audit filter would not have picked up that audit message (so don't use that filter for catching these messages).
If you want to create your own filter to only alert you if your 'Internet Services' rule is hit with an appdef_violation, you can do that in the GUI by going to Monitor -> Audit Viewing, right-clicking on 'Custom', selecting 'New Filter' and typing a filter in there (that is on version 7.0.1.02). Or you can run this command on the CLI:
$> cf audit add filter name='App Def Violation Internet Rule' filter_type=attack number=0 sacap_filter="category appdef_violation and rule_name 'Internet Services'"
(put the rule name in single-quotes if it has a space in it)
Once you create the filter, you can then select this filter in the 'Attack Response Wizard' and set up your 'response' to it (SNMP trap, email, blackhole). If your 'Internet Services' rule is hit and an application defense block happens, you can then be alerted to it.
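To make the difference between the two canned filters concrete, here is an added example (not code from the post or from the firewall) that evaluates sacap-style filter expressions, including the custom 'Internet Services' rule filter, against a constructed audit record. The record itself and the full AUDIT_P_MINOR spelling of the 'p_minor' priority are assumptions.

```python
import shlex
# Canned filter expressions: the SEVERE one is quoted in the post (acat -c), the plain one is just the category test.
CANNED = {
    "AUDIT_X_APPDEF_VIOLATION": "(category AUDIT_C_APPDEF_VIOLATION)",
    "AUDIT_X_APPDEF_VIOLATION_SEVERE":
        "(category AUDIT_C_APPDEF_VIOLATION) && (priority AUDIT_P_EMERGENCY || "
        "priority AUDIT_P_ALERT || priority AUDIT_P_CRIT || priority AUDIT_P_FATAL "
        "|| priority AUDIT_P_MAJOR)",
}
# 'Short message' alias reported by acat -c, as the post explains.
SHORT_MESSAGES = {"appdef_violation": "AUDIT_C_APPDEF_VIOLATION"}

def evaluate(expr, record):
    """Evaluate "(field value) && (...)" or the acat -e form "field value and field 'quoted'"."""
    toks = shlex.split(expr.replace("(", " ( ").replace(")", " ) "))  # keeps 'a b' as one token
    pos = 0
    def factor():                      # '(' expr ')'  |  field value
        nonlocal pos
        if toks[pos] == "(":
            pos += 1
            val = disjunction()
            pos += 1                   # skip ')'
            return val
        field, value = toks[pos], SHORT_MESSAGES.get(toks[pos + 1], toks[pos + 1])
        pos += 2
        return record.get(field) == value
    def conjunction():                 # factor (('&&'|'and') factor)*
        nonlocal pos
        val = factor()
        while pos < len(toks) and toks[pos] in ("&&", "and"):
            pos += 1
            val = factor() and val     # parse the right side even when val is False
        return val
    def disjunction():                 # conjunction (('||'|'or') conjunction)*
        nonlocal pos
        val = conjunction()
        while pos < len(toks) and toks[pos] in ("||", "or"):
            pos += 1
            val = conjunction() or val
        return val
    return disjunction()

def matching_filters(record):
    """Names of the canned filters this record would trigger."""
    return [name for name, expr in CANNED.items() if evaluate(expr, record)]

# Constructed record mirroring the post's HTTP URL Control test (p_minor); assumed spelling, not real output.
URL_CONTROL_BLOCK = {"category": "AUDIT_C_APPDEF_VIOLATION", "priority": "AUDIT_P_MINOR",
                     "rule_name": "Internet Services"}
```

Running `matching_filters(URL_CONTROL_BLOCK)` returns only AUDIT_X_APPDEF_VIOLATION, which is the behaviour the test above describes.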
Thank you, I will look into all the information you provided.