3 Replies Latest reply on Jan 28, 2015 8:08 AM by ilindblo

    URL Filtering on L2 firewall

    mcoy

      Hi,

       

I'm preparing a very simple configuration; unfortunately I have a problem with URL filtering. I've installed SMC 5.8.1 and 2 firewalls 325 (5.8 x64). The firewalls work in L2 mode (inline). The SMC and the management interfaces of the firewalls are in the same network, with full access to the internet. In the firewall configuration I've set up DNS servers. Routing (from the management interfaces of the firewalls and the SMC) is set up correctly. I have a license for URL filtering; the license was correctly installed on both firewalls. I've set up a simple firewall policy based on the firewall L2 template with inspection. I've created an inspection policy based on the High-Security template (Medium-Security was tested). When I try to change the inspection action in URL Filtering to Terminate (no matter the categories), all HTTP traffic is blocked. The firewall policy is very simple: any source to any destination, HTTP and DNS (UDP) allow.

       

      Any help will be appreciated

       

      Regards  

        • 1. Re: URL Filtering on L2 firewall
          vnippula

For the Layer 2 FW policy I verify that you are using a Layer 2 Firewall Inspection template based policy. With the template, inspection is turned on. Additionally, rule ID 1 allows DNS from the firewall itself.

           

The problem sounds like the firewall is trying to reach servers to query for the category and thus delaying the connection heavily while waiting for the timeout. If you log in to the engine you should see, among established connections, the firewall having an established connection to port 2316 on the server (#netstat -an | grep 2316). You can also try to ping "service.brightcloud.com"; this requires the policy to allow ping from the firewall.

           

If the license did not include the feature, you would get a validation warning telling you that web filtering will be ignored on policy install.

           

          Hope this helps at least to verify whether the nodes have connection to category server or not.

          • 2. Re: URL Filtering on L2 firewall
            mcoy

            Hi Vnippula,

             

I've tested connections from the firewall to brightcloud:

             

tcp        0      0 192.168.1.10:18766     54.76.87.181:2316       TIME_WAIT
tcp        0      0 172.168.1.10:7474      54.154.206.196:2316     ESTABLISHED
tcp        0      0 192.168.1.10:18769     54.76.87.181:2316       TIME_WAIT
tcp        0      0 192.168.1.10:7473      54.154.206.196:2316     TIME_WAIT

             

I've tested a new evaluation license (all features enabled): the same problem. I've tested the same policy in my lab (this time the policy was installed on an MFE S1104, firewall in L2) and everything works. Magic ....

             

            BTW

             

            ICMP to service.brightcloud.com is blocked.


            Regards
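The check vnippula suggests (look for engine connections to port 2316 on the category server) and the netstat rows mcoy posted in reply 2 are easy to turn into a small script, so the same verdict can be reached on several engines without reading netstat by eye. The code below is an added example and is not part of this thread or of the vendor's tooling; the netstat sample is constructed for the example (addresses are documentation ranges, not the ones from the post), and the port 2316 and the meaning of the states are taken from the replies above. TIME_WAIT counts as "reachable" because a socket only gets there after a completed connection has been closed; a stuck SYN_SENT would show the opposite problem (traffic leaves the engine but never completes).

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output from an engine, modelled on the
# rows posted above. Addresses are made up (RFC 5737 ranges) for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:18766        198.51.100.7:2316       TIME_WAIT
tcp        0      0 192.0.2.10:7474         198.51.100.8:2316       ESTABLISHED
tcp        0      0 192.0.2.10:18769        198.51.100.7:2316       TIME_WAIT
tcp        0      0 192.0.2.10:40022        203.0.113.5:443         ESTABLISHED
udp        0      0 192.0.2.10:53           0.0.0.0:*
"""

# One netstat row: proto, recv-q, send-q, local, foreign, optional state (UDP has none).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

CATEGORY_SERVICE_PORT = 2316  # port named in reply 1 for the category lookups


def split_host_port(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals are not broken."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def category_server_connections(netstat_output, port=CATEGORY_SERVICE_PORT):
    """Return (remote_host, state) for every TCP socket whose remote port is `port`."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("proto").startswith("tcp"):
            continue  # header lines, UDP sockets
        host, rport = split_host_port(m.group("remote"))
        if rport == str(port):
            found.append((host, m.group("state") or ""))
    return found


def assess(netstat_output, port=CATEGORY_SERVICE_PORT):
    """Summarise whether the engine is reaching the category service at all."""
    conns = category_server_connections(netstat_output, port)
    states = Counter(state for _, state in conns)
    servers = sorted({host for host, _ in conns})
    if not conns:
        verdict = "no-connection"       # engine never tried, or egress is blocked
    elif states.get("ESTABLISHED") or states.get("TIME_WAIT"):
        verdict = "reachable"           # at least one handshake completed
    else:
        verdict = "connecting"          # e.g. only SYN_SENT: packets leave, no reply
    return {"verdict": verdict, "servers": servers, "states": dict(states)}


if __name__ == "__main__":
    # On a real engine, feed `netstat -an` output in via stdin or a file instead.
    print(assess(SAMPLE_NETSTAT))
```

A "reachable" verdict, as in mcoy's case, means the category lookups themselves are not the blocker and the next place to look is the engine-side log the third reply points at rather than routing or egress rules.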

            • 3. Re: URL Filtering on L2 firewall

              Please check /data/diagnostics/urlcatd.log for any relevant errors.