cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
goldenbear
New Contributor

URL Filtering

I'm looking to block certain websites without having a WebSense server.

I've gone into the GUI, turned on IP Routing, Assigned it to a VLAN under URL Filterting / Interface Assignments and Added the domain *.hulu.com to the Excluded-domain list as a deny.

Yet as a user, I can still get to the main hulu page.

What gives?  Am I missing something?

Running FW R10.5.1.E

Labels (1)
0 Kudos
17 Replies
Anonymous
Not applicable

Re: URL Filtering

:

Thank you for asking this question in the support community.  When you get a chance, would you mind replying and attaching a copy of the current configuration (please remember to remove any sensitive information to the organization)?  I will be happy to review the configuration for you, and provide any assistance I can.  Furthermore, please, do not hesitate to reply with any additional questions or information.

Levi

goldenbear
New Contributor

Re: URL Filtering

Here's our running config, minus some important things:

Message was edited by: levi (Removed config. and added as attachment)

Anonymous
Not applicable

Re: URL Filtering

:

Thank you for replying with the configuration file.  I'm not sure if it was removed by mistake, but the URL filter portion is missing from this configuration.  Here is the detailed Configuring Top Website Reporting and URL Filtering in AOS guide for reference.  Here is an example configuration for this quick guide (Configuring Websense and URL Filtering in AOS😞

!
ip firewall
!
ip urlfilter my_filter http
ip urlfilter exclusive-domain permit www.adtran.com
ip urlfilter allowmode

!
!
interface eth 0/1
  ip address192.168.100.1255.255.255.0
  ip urlfilter my_filter in
  no shutdown
!

Please, let me know what additional questions you have.  I will be happy to help in any way I can.

Levi

goldenbear
New Contributor

Re: URL Filtering

Hey Levi,

It looksl like I may have filtered out a part of my config.

ip urlfilter Web_Http_Filter http

ip urlfilter exclusive-domain deny "*.hulu.com"

ip urlfilter exclusive-domain deny "*hulu.com"

ip urlfilter exclusive-domain deny "*.steampowered.com"

ip urlfilter exclusive-domain deny "*.steam*.com"

ip urlfilter allowmode

I have this also in my config.

Since this is a 1335, I don't have any "interface eth 0/1", they are all referred to as "interface switchport 0/xx".  When I try to apply "ip urlfilter Web_Http_Filter in", I get unrecognized command.

I can only seem to apply that command to a VLAN interface.

What's strange also, I've tried to apply it to my wireless VLAN, and it actually does work.... for only my wireless traffic.  When I apply it to my wired VLAN, it doesn't work.  Applied it to both in the same exact manner.

Anonymous
Not applicable

Re: URL Filtering

:

You are correct, on the NetVanta 1335, the URL filter will be applied to the VLAN interfaces.

Which VLAN is the "wired VLAN" where it isn't working?  In the configuration, you have the URL filter applied to the wireless VLAN and the data/public VLAN.  Is it possible the URL filter should be applied to a different VLAN interface?

When you get a chance, could you send me the output from the following show commands:

show ip urlfilter

show ip urlfilter statistics

show ip urlfilter exclusive-domain

Levi

goldenbear
New Contributor

Re: URL Filtering

show ip url filter

Filters
-------
Name: "Web_Http_Filter"
  Ports: HTTP(80)
  Interfaces that filter is applied to:
    vlan 99 inbound
    vlan 99 outbound
    vlan 7875 inbound
    vlan 7875 outbound

Servers
-------
None

Excluded domains
----------------
Deny   *.hulu.com
Deny   *hulu.com
Deny   *.steampowered.com
Deny   *.steam*.com

show ip urlfilter statisctics

Current outstanding requests to filter server: 0
Current response packets buffered from web server: 0

Max outstanding requests to filter server: 0
Max response packets buffered from web server: 0

Total requests sent to filter server: 0
Total responses received from filter server: 0
Total requests allowed: 0
Total requests blocked: 0
Total excluded domain requests allowed: 64
Total excluded domain requests blocked: 46

show ip urlfilter exclusive-domain

Excluded domains

----------------

Deny   *.hulu.com

Deny   *hulu.com

Deny   *.steampowered.com

Deny   *.steam*.com

Anonymous
Not applicable

Re: URL Filtering

:

Thank you for replying with the requested information. Which VLAN is the "wired VLAN" where it isn't working?  In the configuration, you have the URL filter applied to the wireless VLAN and the data/public VLAN.  Is it possible the URL filter should be applied to a different VLAN interface?  Also, for the VLAN that isn't working, what interface does the traffic arrive on, and which interface is it routed out of?

Levi

goldenbear
New Contributor

Re: URL Filtering

Wired is generally on vlan 99.

All outbound traffic shoudl go out and come in on vlan 99

Anonymous
Not applicable

Re: URL Filtering

:

Since traffic is being sent back out the interface it arrived on (often referred to as "hairpinning") and in this case it needs to be processed by the firewall for URL filtering, you will need to add the ip firewall check reflexive-traffic command.

When the AOS firewall receives the first packet in a new flow, it performs a route lookup on the destination IP address.  If the destination interface for the packet is the same as the ingress interface, the unit will classify the traffic as reflexive traffic.  Such traffic only receives further firewall and access-policy processing if ip firewall check reflexive-traffic is enabled. If the check is disabled (which it is by default), such traffic is forwarded without further processing from the firewall.

Note:  The command is not needed to route traffic that arrives on an interface back out that interface to another subnet when firewall processing is not necessary.

Levi

Anonymous
Not applicable

Re: URL Filtering

:

Do you have further questions on this topic?  If so, please do not hesitate to reply to this post.

Levi

goldenbear
New Contributor

Re: URL Filtering

I've applied that command but it doesn't seem to have made any effect on blocking sites for wired traffic on vlan99

Anonymous
Not applicable

Re: URL Filtering

:

With the addition of the ip firewall check reflexive-traffic command, if the "Public" policy-class is applied to your "wired" network, then you will need to remove the keyword stateless from the "allow" statement.

Your current configuration:

ip policy-class Public

  discard list web-acl-11

  allow list web-acl-2 self

  allow list web-acl-12 stateless

Recommended change:

ip policy-class Public

  discard list web-acl-11

  allow list web-acl-2 self

  allow list web-acl-12

Please, let me know if you have further questions after you make this change.

Levi

goldenbear
New Contributor

Re: URL Filtering

Strangley when I remove stateless from that, it lose access to the internet.  Internal traffic continues to function however.

I must have something misconfigured somewhere.

Anonymous
Not applicable

Re: URL Filtering

:

When you get a chance, if you reply with a current copy of the configuration (with the changes I recommended), I will be happy to review it for you.  (Please, make sure to remove any information that may be sensitive to the organization).

Levi

goldenbear
New Contributor

Re: URL Filtering

Sorry for the late response.

Here is the current config though I left statless on to prevent the issue I was having.

Anonymous
Not applicable

Re: URL Filtering

:

Thank you for replying with the configuration.  At this point, I recommend you open a ticket with ADTRAN Technical Support to assist you with troubleshooting, then you can post the results back to the forum.

You can create a ticket in several ways:

- Over the phone by calling 888-423-8726

- Emailing support@adtran.com

- Opening a webticket on the ADTRAN website

Levi

Anonymous
Not applicable

Re: URL Filtering

:

I marked this post as "assumed answered," but please do not hesitate to reply if you have further questions.

Levi