17 Replies Latest reply on Sep 6, 2013 1:01 PM by levi

    URL Filtering

    goldenbear New Member

      I'm looking to block certain websites without having a WebSense server.

       

I've gone into the GUI, turned on IP Routing, assigned it to a VLAN under URL Filtering / Interface Assignments, and added the domain *.hulu.com to the Excluded-domain list as a deny.

       

      Yet as a user, I can still get to the main hulu page.

       

      What gives?  Am I missing something?

       

      Running FW R10.5.1.E

        • Re: URL Filtering
          levi Employee

          goldenbear:

           

          Thank you for asking this question in the support community.  When you get a chance, would you mind replying and attaching a copy of the current configuration (please remember to remove any sensitive information to the organization)?  I will be happy to review the configuration for you, and provide any assistance I can.  Furthermore, please, do not hesitate to reply with any additional questions or information.

           

          Levi

            • Re: URL Filtering
              goldenbear New Member

              Here's our running config, minus some important things:

               

              Message was edited by: levi (Removed config. and added as attachment)

                • Re: URL Filtering
                  levi Employee

                  goldenbear:

                   

                  Thank you for replying with the configuration file.  I'm not sure if it was removed by mistake, but the URL filter portion is missing from this configuration.  Here is the detailed Configuring Top Website Reporting and URL Filtering in AOS guide for reference.  Here is an example configuration for this quick guide (Configuring Websense and URL Filtering in AOS):

                   

!
ip firewall
!
ip urlfilter my_filter http
ip urlfilter exclusive-domain permit www.adtran.com
ip urlfilter allowmode
!
!
interface eth 0/1
  ip address 192.168.100.1 255.255.255.0
  ip urlfilter my_filter in
  no shutdown
!

                   

                  Please, let me know what additional questions you have.  I will be happy to help in any way I can.

                   

                  Levi

                    • Re: URL Filtering
                      goldenbear New Member

                      Hey Levi,

                       

It looks like I may have filtered out a part of my config.

                       

                       

ip urlfilter Web_Http_Filter http
ip urlfilter exclusive-domain deny "*.hulu.com"
ip urlfilter exclusive-domain deny "*hulu.com"
ip urlfilter exclusive-domain deny "*.steampowered.com"
ip urlfilter exclusive-domain deny "*.steam*.com"
ip urlfilter allowmode

                       

                      I have this also in my config.

                       

                      Since this is a 1335, I don't have any "interface eth 0/1", they are all referred to as "interface switchport 0/xx".  When I try to apply "ip urlfilter Web_Http_Filter in", I get unrecognized command.

                       

                      I can only seem to apply that command to a VLAN interface.

                       

What's also strange: I've tried to apply it to my wireless VLAN, and it actually does work... for only my wireless traffic.  When I apply it to my wired VLAN, it doesn't work.  I applied it to both in the same exact manner.

                        • Re: URL Filtering
                          levi Employee

                          goldenbear:

                           

                          You are correct, on the NetVanta 1335, the URL filter will be applied to the VLAN interfaces.

                           

                          Which VLAN is the "wired VLAN" where it isn't working?  In the configuration, you have the URL filter applied to the wireless VLAN and the data/public VLAN.  Is it possible the URL filter should be applied to a different VLAN interface?

                           

                          When you get a chance, could you send me the output from the following show commands:

                           

                          show ip urlfilter

                          show ip urlfilter statistics

                          show ip urlfilter exclusive-domain

                           

                          Levi

                            • Re: URL Filtering
                              goldenbear New Member

show ip urlfilter

                              Filters
                              -------
                              Name: "Web_Http_Filter"
                                Ports: HTTP(80)
                                Interfaces that filter is applied to:
                                  vlan 99 inbound
                                  vlan 99 outbound
                                  vlan 7875 inbound
                                  vlan 7875 outbound

                              Servers
                              -------
                              None

                              Excluded domains
                              ----------------
                              Deny   *.hulu.com
                              Deny   *hulu.com
                              Deny   *.steampowered.com
                              Deny   *.steam*.com

                               

show ip urlfilter statistics

                              Current outstanding requests to filter server: 0
                              Current response packets buffered from web server: 0

                              Max outstanding requests to filter server: 0
                              Max response packets buffered from web server: 0

                              Total requests sent to filter server: 0
                              Total responses received from filter server: 0
                              Total requests allowed: 0
                              Total requests blocked: 0
                              Total excluded domain requests allowed: 64
                              Total excluded domain requests blocked: 46

                               

show ip urlfilter exclusive-domain

Excluded domains
----------------
Deny   *.hulu.com
Deny   *hulu.com
Deny   *.steampowered.com
Deny   *.steam*.com

                                • Re: URL Filtering
                                  levi Employee

                                  goldenbear:

                                   

                                  Thank you for replying with the requested information. Which VLAN is the "wired VLAN" where it isn't working?  In the configuration, you have the URL filter applied to the wireless VLAN and the data/public VLAN.  Is it possible the URL filter should be applied to a different VLAN interface?  Also, for the VLAN that isn't working, what interface does the traffic arrive on, and which interface is it routed out of?

                                   

                                  Levi

                                    • Re: URL Filtering
                                      goldenbear New Member

                                      Wired is generally on vlan 99.

                                       

All outbound traffic should go out and come in on vlan 99.

                                        • Re: URL Filtering
                                          levi Employee

                                          goldenbear:

                                           

                                          Since traffic is being sent back out the interface it arrived on (often referred to as "hairpinning") and in this case it needs to be processed by the firewall for URL filtering, you will need to add the ip firewall check reflexive-traffic command.

                                           

                                          When the AOS firewall receives the first packet in a new flow, it performs a route lookup on the destination IP address.  If the destination interface for the packet is the same as the ingress interface, the unit will classify the traffic as reflexive traffic.  Such traffic only receives further firewall and access-policy processing if ip firewall check reflexive-traffic is enabled. If the check is disabled (which it is by default), such traffic is forwarded without further processing from the firewall.

                                           

                                          Note:  The command is not needed to route traffic that arrives on an interface back out that interface to another subnet when firewall processing is not necessary.

                                           

                                          Levi

                          • Re: URL Filtering
                            levi Employee

                            goldenbear:

                             

                            Do you have further questions on this topic?  If so, please do not hesitate to reply to this post.

                             

                            Levi

                              • Re: URL Filtering
                                goldenbear New Member

I've applied that command, but it doesn't seem to have had any effect on blocking sites for wired traffic on vlan 99.

                                  • Re: URL Filtering
                                    levi Employee

                                    goldenbear:

                                     

                                    With the addition of the ip firewall check reflexive-traffic command, if the "Public" policy-class is applied to your "wired" network, then you will need to remove the keyword stateless from the "allow" statement.

                                     

Your current configuration:

ip policy-class Public
  discard list web-acl-11
  allow list web-acl-2 self
  allow list web-acl-12 stateless

Recommended change:

ip policy-class Public
  discard list web-acl-11
  allow list web-acl-2 self
  allow list web-acl-12

                                     

                                    Please, let me know if you have further questions after you make this change.

                                     

                                    Levi

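Pulling the pieces from Levi's replies together, here is the complete fragment a wired VLAN would need for URL filtering to take effect: the filter definition, the reflexive-traffic check for hairpinned flows, a policy-class whose allow statement is stateful, and the filter applied to the VLAN interface. This is an added example assembled from the thread, not ADTRAN documentation or the poster's actual configuration; the VLAN number, ACL names, the 192.0.2.0/24 address and the interface-level access-policy line are assumptions.

```text
! Added example (not from the thread): URL filtering on a routed VLAN whose
! traffic leaves through the same interface it arrived on.
!
ip firewall
! Flows whose route lookup points back out the ingress interface are classed
! as reflexive and skip the firewall (and so the URL filter) unless this is on.
ip firewall check reflexive-traffic
!
ip urlfilter Web_Http_Filter http
ip urlfilter exclusive-domain deny "*.hulu.com"
ip urlfilter exclusive-domain deny "*.steampowered.com"
! No Websense server: anything not matching a deny entry is allowed.
ip urlfilter allowmode
!
ip policy-class Public
  discard list web-acl-11
  allow list web-acl-2 self
  ! No "stateless" keyword here: a stateless allow bypasses firewall
  ! processing, so the URL filter never sees the HTTP flow.
  allow list web-acl-12
!
! VLAN 99 and the address are assumed values for this example.
interface vlan 99
  ip address 192.0.2.1 255.255.255.0
  access-policy Public
  ip urlfilter Web_Http_Filter in
  no shutdown
!
```

After applying this, browse to a denied domain from a wired host and run show ip urlfilter statistics: the "Total excluded domain requests blocked" counter should increase, while an unchanged counter means the flow is still bypassing the firewall (reflexive check off, or a stateless allow still in place).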
                                • Re: URL Filtering
                                  levi Employee

                                  goldenbear:

                                   

                                  I marked this post as "assumed answered," but please do not hesitate to reply if you have further questions.

                                  Levi