Troubleshoot URL Filtering
Expected URL Category is Missing from the Categories List
The URL filtering feature uses a different set of categories than the Security Intelligence feature; the category that you expect to see may be a Security Intelligence category. To see those categories, look at the URLs tab on the Security Intelligence tab in an access control policy.
Initial Packets Are Passing Uninspected
See Inspection of Packets That Pass Before Traffic Is Identified and subtopics.
See also DNS Filtering: Identify URL Reputation and Category During DNS Lookup.
Health alert: "URL Filtering registration failure"
Verify that your management center and any proxies can connect to the Cisco cloud. You may need information about URL Filtering and URL categories in the following topics: Internet Access Requirements and Communication Port Requirements.
How can I find the category and reputation of a particular URL?
Do a manual lookup. See .
Error when attempting a manual lookup: "Cloud Lookup Failure for <URL>"
Make sure the feature is properly enabled. See the prerequisites in .
URL appears to be incorrectly handled based on its URL category and reputation
Problem: The system does not handle the URL correctly based on its URL category and reputation.
Solutions:
-
Verify that the URL category and reputation associated with the URL are what you think they are. See .
-
The following issues may be addressed by settings described in URL Filtering Options, accessible using Enable URL Filtering Using Category and Reputation.
-
The URL cache may hold stale information. See information about the Cached URLs Expire setting in URL Filtering Options.
-
The local data set may not be updated with current information from the cloud. See information about the Enable Automatic Updates setting in URL Filtering Options.
-
The system may be configured to not check the cloud for current data. See information about the Query Cisco cloud for unknown URLs setting in URL Filtering Options.
-
-
Your access control policy may be configured to pass traffic to the URL without checking the cloud. See information about the Retry URL cache miss lookup setting in Access Control Policy Advanced Settings.
-
See also Best Practices for URL Filtering.
-
If the URL is processed using an SSL rule, see Decryption Rule Guidelines and Limitations and SSL Rule Order
-
Verify that the URL is being handled using the access control rule that you think it is being handled by, and that the rule does what you think it does. Consider rule order.
-
Verify that the local URL category and reputation database on the management center is successfully being updated from the cloud and that managed devices are successfully being updated from the management center.
Status of these processes are reported in the Health Monitor, in the URL Filtering Monitor module and the Threat Data Updates on Devices module. For details, see Health.
If you want to immediately update the local URL category and reputation database, go to , click Cloud Services, then click Update Now. For more information, see URL Filtering Options.
A URL category or reputation is not correct
For access control or QoS rules: Use manual filtering, paying careful attention to rule order. See Manual URL Filtering and Configuring URL Conditions.
For SSL rules: Manual filtering is not supported. Instead, use distinguished name conditions.
See also Dispute URL Category and Reputation.
Web pages are slow to load
There is a tradeoff between security and performance. Some options:
-
Consider modifying the Cached URLs Expire setting. Click , then select Cloud Services. For information, see URL Filtering Options.
-
Consider deselecting the Retry URL cache miss lookup setting in Access Control Policy Advanced Settings.
Events Do Not Include URL Category and Reputation
-
Make sure you have included applicable URL rules in an access control policy, the rules are active, and the policies have been deployed to the relevant devices.
-
URL category and reputation do not appear in an event if the connection is processed before it matches a URL rule.
-
The rule that handles the connection must be configured for URL category and reputation.
-
Even if you have configured URL categories in the Categories tab in an SSL rule, you must also configure the URLs tab in a rule in your access control policy.
DNS Filtering is not working
Make sure you have completed all prerequisites and steps in Enable DNS Filtering to Identify URLs During Domain Lookup.
An End User Tries to Access a Blocked URL and the Page Just Spins and Times Out
When DNS Filtering is enabled and end users access a URL that is blocked, the page will spin but not load. End users are not notified that the page is blocked. This is currently a limitation when DNS filtering is enabled.
Events Include URL Category and Reputation but URL Field is Blank
If the DNS Query field is populated and the URL field is empty, this is expected when the DNS filtering feature is enabled.
Multiple Events are Generated for a Single Transaction
A single web transaction sometimes generates two connection events, one for DNS filtering and one for URL filtering. This is expected when DNS filtering is enabled and:
-
the access control rule action for the traffic is Allow or Trust.
-
the system encounters a URL for the first time.