I'm looking to block certain websites without having a WebSense server.
I've gone into the GUI, turned on IP Routing, assigned it to a VLAN under URL Filtering / Interface Assignments, and added the domain *.hulu.com to the Excluded-domain list as a deny.
Yet as a user, I can still get to the main hulu page.
What gives? Am I missing something?
Running FW R10.5.1.E
Thank you for asking this question in the support community. When you get a chance, would you mind replying and attaching a copy of the current configuration (please remember to remove any sensitive information to the organization)? I will be happy to review the configuration for you, and provide any assistance I can. Furthermore, please, do not hesitate to reply with any additional questions or information.
Levi
Thank you for replying with the configuration file. I'm not sure if it was removed by mistake, but the URL filter portion is missing from this configuration. Here is the detailed Configuring Top Website Reporting and URL Filtering in AOS guide for reference. Here is an example configuration for this quick guide (Configuring Websense and URL Filtering in AOS):
Please, let me know what additional questions you have. I will be happy to help in any way I can.
Levi
Hey Levi,
It looks like I may have filtered out a part of my config.
ip urlfilter Web_Http_Filter http
ip urlfilter exclusive-domain deny "*.hulu.com"
ip urlfilter exclusive-domain deny "*hulu.com"
ip urlfilter exclusive-domain deny "*.steampowered.com"
ip urlfilter exclusive-domain deny "*.steam*.com"
ip urlfilter allowmode
I have this also in my config.
Since this is a 1335, I don't have any "interface eth 0/1", they are all referred to as "interface switchport 0/xx". When I try to apply "ip urlfilter Web_Http_Filter in", I get unrecognized command.
I can only seem to apply that command to a VLAN interface.
What's strange also, I've tried to apply it to my wireless VLAN, and it actually does work, but only for my wireless traffic. When I apply it to my wired VLAN, it doesn't work. I applied it to both in the same exact manner.
You are correct, on the NetVanta 1335, the URL filter will be applied to the VLAN interfaces.
Which VLAN is the "wired VLAN" where it isn't working? In the configuration, you have the URL filter applied to the wireless VLAN and the data/public VLAN. Is it possible the URL filter should be applied to a different VLAN interface?
When you get a chance, could you send me the output from the following show commands:
show ip urlfilter
show ip urlfilter statistics
show ip urlfilter exclusive-domain
Levi
show ip urlfilter
Filters
-------
Name: "Web_Http_Filter"
Ports: HTTP(80)
Interfaces that filter is applied to:
vlan 99 inbound
vlan 99 outbound
vlan 7875 inbound
vlan 7875 outbound
Servers
-------
None
Excluded domains
----------------
Deny *.hulu.com
Deny *hulu.com
Deny *.steampowered.com
Deny *.steam*.com
show ip urlfilter statistics
Current outstanding requests to filter server: 0
Current response packets buffered from web server: 0
Max outstanding requests to filter server: 0
Max response packets buffered from web server: 0
Total requests sent to filter server: 0
Total responses received from filter server: 0
Total requests allowed: 0
Total requests blocked: 0
Total excluded domain requests allowed: 64
Total excluded domain requests blocked: 46
show ip urlfilter exclusive-domain
Excluded domains
----------------
Deny *.hulu.com
Deny *hulu.com
Deny *.steampowered.com
Deny *.steam*.com
Thank you for replying with the requested information. Which VLAN is the "wired VLAN" where it isn't working? In the configuration, you have the URL filter applied to the wireless VLAN and the data/public VLAN. Is it possible the URL filter should be applied to a different VLAN interface? Also, for the VLAN that isn't working, what interface does the traffic arrive on, and which interface is it routed out of?
Levi
Wired is generally on vlan 99.
All outbound traffic should go out and come in on vlan 99.
Since traffic is being sent back out the interface it arrived on (often referred to as "hairpinning") and in this case it needs to be processed by the firewall for URL filtering, you will need to add the ip firewall check reflexive-traffic command.
When the AOS firewall receives the first packet in a new flow, it performs a route lookup on the destination IP address. If the destination interface for the packet is the same as the ingress interface, the unit will classify the traffic as reflexive traffic. Such traffic only receives further firewall and access-policy processing if ip firewall check reflexive-traffic is enabled. If the check is disabled (which it is by default), such traffic is forwarded without further processing from the firewall.
Note: The command is not needed to route traffic that arrives on an interface back out that interface to another subnet when firewall processing is not necessary.
Levi
I've applied that command, but it doesn't seem to have had any effect on blocking sites for wired traffic on vlan 99.
With the addition of the ip firewall check reflexive-traffic command, if the "Public" policy-class is applied to your "wired" network, then you will need to remove the keyword stateless from the "allow" statement.
Your current configuration:
ip policy-class Public
discard list web-acl-11
allow list web-acl-2 self
allow list web-acl-12 stateless
Recommended change:
ip policy-class Public
discard list web-acl-11
allow list web-acl-2 self
allow list web-acl-12
Please, let me know if you have further questions after you make this change.
Levi
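To show the two recommended changes side by side, here is the relevant part of the configuration as it stands in this thread, followed by the same fragment with Levi's recommended changes applied. This is an added example assembled from the commands shown in the thread, not a configuration posted by either participant and not an ADTRAN-provided sample. The "interface vlan 99" stanza, the "access-policy Public" line under it, and the global "ip firewall" line are assumptions: the thread shows the filter applied to vlan 99 inbound and outbound, and Levi's advice on removing "stateless" applies only if the "Public" policy-class is in fact attached to the wired VLAN, which the thread does not confirm.

```text
! --- Before: URL filter applied to the wired VLAN, no reflexive-traffic check ---
! (reconstructed from the commands quoted in the thread; interface stanza is assumed)
ip firewall
ip urlfilter Web_Http_Filter http
ip urlfilter exclusive-domain deny "*.hulu.com"
ip urlfilter exclusive-domain deny "*hulu.com"
ip urlfilter exclusive-domain deny "*.steampowered.com"
ip urlfilter exclusive-domain deny "*.steam*.com"
ip urlfilter allowmode
!
ip policy-class Public
  discard list web-acl-11
  allow list web-acl-2 self
  allow list web-acl-12 stateless
!
interface vlan 99
  ip urlfilter Web_Http_Filter in
  ip urlfilter Web_Http_Filter out
  access-policy Public
!
! --- After: Levi's two recommended changes applied ---
! 1. Hairpinned traffic (enters and leaves on vlan 99) is only handed to the
!    firewall and URL filter when the reflexive-traffic check is enabled.
ip firewall
ip firewall check reflexive-traffic
ip urlfilter Web_Http_Filter http
ip urlfilter exclusive-domain deny "*.hulu.com"
ip urlfilter exclusive-domain deny "*hulu.com"
ip urlfilter exclusive-domain deny "*.steampowered.com"
ip urlfilter exclusive-domain deny "*.steam*.com"
ip urlfilter allowmode
!
! 2. With the reflexive check on, the allow entry for the wired network must be
!    stateful, so the "stateless" keyword is dropped from web-acl-12.
ip policy-class Public
  discard list web-acl-11
  allow list web-acl-2 self
  allow list web-acl-12
!
interface vlan 99
  ip urlfilter Web_Http_Filter in
  ip urlfilter Web_Http_Filter out
  access-policy Public
```

After making the change, the counters under "show ip urlfilter statistics" ("Total excluded domain requests blocked") are the quickest way to confirm that wired requests are now reaching the filter. Note that the thread ends without confirming this configuration: the original poster reports losing internet access after removing "stateless", and the final recommendation is to open a support ticket, so treat the "after" fragment as the advice given, not as a verified fix.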
Strangely, when I remove stateless from that, I lose access to the internet. Internal traffic continues to function, however.
I must have something misconfigured somewhere.
Thank you for replying with the configuration. At this point, I recommend you open a ticket with ADTRAN Technical Support to assist you with troubleshooting, then you can post the results back to the forum.
You can create a ticket in several ways:
- Over the phone by calling 888-423-8726
- Emailing support@adtran.com
- Opening a webticket on the ADTRAN website
Levi