Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2592
Views
0
Helpful
5
Replies

FMC - All URL's are Uncategorized

scvvuuren
Level 1
Level 1

‎10-23-2020 12:42 AM

Good Day

 

I have recently setup a new FMC 6.6 with FTD environment for a customer.

Mostly all feeds seems to be working(Threat Intel/IPS/Updates) but for the life of me I cant seem to get the URL Categories in the system.

The first thing I noticed is the FMC does not use the proxy configuration to query the URL Categories, so we allowed FMC IP to query it directly and it seemed to update the feed now.

As for the policy it is essentially an any any permit for URL Category at this stage.

 

In the Connection Events View the application for example shows Facebook but the URL Category remains unknown.

It has to be noted that the actual connection destination is a Proxy Server that is not encrypted to the FTD can see the URL so I do not think that should be an issue.

 

Has anyone seen this behavior before or am I missing something on the policy side?

1 person had this problem
Preview file
73 KB
0 Helpful
5 Replies 5

Aref Alsouqi
VIP
VIP

‎10-23-2020 03:44 AM

Did you enable the URL filtering on FMC? the URL category and reputation data are downloaded from Cisco cloud. If you did not enable URL filtering on FMC, FMC would not be able to talk to Cisco cloud, hence, won't be able to categorize the URLs.

On FMC go to System > Integration > Cloud Services and enable automatic updates and Query Cisco Cloud for Unknown URLs.

0 Helpful

scvvuuren
Level 1
Level 1
In response to Aref Alsouqi

‎10-23-2020 05:30 AM - edited ‎10-23-2020 05:30 AM

URL Filtering is enabled yes and confirmed on the GUI that it is updating, Query Cisco Cloud for Unknown URLs are disabled as the customer does not wish to submit their internal DNS entries which they deem Sensitive.

 

From my understanding if the Category Download Runs it should show the categories for well known sites at least?

0 Helpful

Aref Alsouqi
VIP
VIP
In response to scvvuuren

‎10-23-2020 06:16 AM

I think until you enable Query Cisco Cloud option, the FMC would not be able to categorize the URLs. The FMC would not be able to know the "well-known" URLs till it lookup for them, so, first time the FMC sees the URL, it would not have any clue about its reputation/category, this is why you see its reputation/category as unknown. The FMC then tries to lookup for that URL via contacting Cisco cloud, and just after that is successful, the FMC would be able to categorize it.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-23-2020 04:36 AM

In addition to what @Aref Alsouqi mentioned, you didn't mention if you have the URL Filtering license and have associated with the managed device.

0 Helpful

INFOTECH.jw
Level 1
Level 1

‎10-25-2020 02:43 AM

Please check https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs71034

If this matches you should rename the virtual account.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card