
Why does one website get blocked but a similar one does not?

I am trying to block a couple of bad websites.  I went into base policy and created a list of sites, including "*.badsite1.com" and "*.badsite2.com".  The first site is blocked with a message of "an error occurred while handling your request" and "connection refused".  The second site gets the message of "Content blocked" with a button that allows for unblocking.  Why the difference?

Here's the log entries for each site:

2018:04:18-16:43:28 tsefw-1 httpproxy[5784]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.24.32.252" dstip="209.239.175.95" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="2543" request="0x1db71000" url="http://www.badsite1.com/" referer="" error="Connection refused" authtime="0" dnstime="88" cattime="110" avscantime="0" fullreqtime="57988" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites"

2018:04:18-16:42:50 tsefw-1 httpproxy[5784]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.24.32.252" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3213" request="0x17f8c600" url="http://www.badsite2.com/" referer="" error="" authtime="0" dnstime="0" cattime="75" avscantime="0" fullreqtime="269" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" reason="category" category="149" reputation="neutral" categoryname="Pornography"
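To make the difference between the two entries easy to see, here is a small parser for UTM httpproxy log lines. This is an added example written for this page, not code from the original post or from Sophos; the two sample lines are copied verbatim from the post above, and the classification rules (a block carrying reason="category" is a policy block, a block carrying a non-empty error with a 5xx statuscode is the proxy failing to reach the destination) are my reading of those fields, not documented UTM semantics.

```python
"""Parse Sophos UTM httpproxy log lines and explain why each request was blocked.

Added example for this thread; the field-interpretation rules are assumptions
drawn from the two entries posted above, not a documented UTM specification.
"""
import re
from typing import Dict, List

# Constructed sample input: the two entries from the post, copied verbatim.
LOG_LINES = [
    '2018:04:18-16:43:28 tsefw-1 httpproxy[5784]: id="0002" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked" action="block" method="GET" srcip="172.24.32.252" dstip="209.239.175.95" '
    'user="" group="" ad_domain="" statuscode="502" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="2543" '
    'request="0x1db71000" url="http://www.badsite1.com/" referer="" error="Connection refused" authtime="0" '
    'dnstime="88" cattime="110" avscantime="0" fullreqtime="57988" device="0" auth="0" '
    'ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" category="130" '
    'reputation="malicious" categoryname="Malicious Sites"',
    '2018:04:18-16:42:50 tsefw-1 httpproxy[5784]: id="0060" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked, forbidden category detected" action="block" method="GET" '
    'srcip="172.24.32.252" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3213" '
    'request="0x17f8c600" url="http://www.badsite2.com/" referer="" error="" authtime="0" dnstime="0" '
    'cattime="75" avscantime="0" fullreqtime="269" device="0" auth="0" '
    'ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" reason="category" '
    'category="149" reputation="neutral" categoryname="Pornography"',
]

# Syslog-style prefix: timestamp, host, process[pid]:
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\[(\d+)\]:\s*")
# key="value" pairs; values may contain spaces and parentheses but no quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split one httpproxy line into a flat dict of header fields and key/value pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an httpproxy line: {line[:60]!r}")
    rec = {"timestamp": m.group(1), "host": m.group(2), "process": m.group(3), "pid": m.group(4)}
    rec.update(FIELD_RE.findall(line[m.end():]))
    return rec


def classify(rec: Dict[str, str]) -> Dict[str, str]:
    """Explain a block. Assumed rules (not from UTM docs):
    - reason="category" with a 403: the content filter denied the request on category.
    - non-empty error with a 5xx status: the proxy could not reach the destination, so
      the client sees a gateway error rather than the block page.
    """
    if rec.get("action") != "block":
        return {"kind": "allowed", "detail": "request was not blocked"}
    status = rec.get("statuscode", "")
    if rec.get("reason") == "category":
        return {
            "kind": "category_block",
            "detail": f"HTTP {status}: category {rec.get('category')} ({rec.get('categoryname')}) "
                      f"denied by {rec.get('filteraction')}",
        }
    if rec.get("error") and status.startswith("5"):
        return {
            "kind": "connection_error",
            "detail": f"HTTP {status}: {rec['error']} to {rec.get('dstip') or 'unresolved host'}; "
                      f"no reason tag, reputation={rec.get('reputation')}",
        }
    return {"kind": "block_other", "detail": f"HTTP {status}: blocked without reason tag"}


def summarize(lines: List[str]) -> List[str]:
    """One human-readable line per log entry: url, kind, detail."""
    out = []
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec)
        out.append(f"{rec.get('url')} -> {verdict['kind']}: {verdict['detail']}")
    return out


if __name__ == "__main__":
    for s in summarize(LOG_LINES):
        print(s)
```

Running this prints badsite1 as a connection_error (502, "Connection refused", no reason tag, reputation malicious) and badsite2 as a category_block (403, reason="category"). Note also fullreqtime="57988" on the first entry against "269" on the second, consistent with the proxy actually attempting the upstream connection before failing; that is why the browser shows a gateway error page instead of the "Content blocked" page with its unblock button.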

  • Hello SteveGross,

    I'm not familiar with the UTM but ...
    "a similar one"
    on a higher level perhaps though badsite1 has reputation="malicious" categoryname="Malicious Sites" whereas badsite2 reputation="neutral" categoryname="Pornography", note also that for the former no reason tag is logged, for the latter it's reason="category". This might explain the different behaviour.

    Christian

  • Thanks Christian.  I think this would mean that the emails get processed first by something other than the Default Block Policy.  Would anyone know what that is?

  • Hello SteveGross,

    "emails"
    emails? Isn't this about web and HTTP?
    I hoped that some UTM expert (like Bob) would give a more helpful answer - just threw in my two cents when I saw that your query was unanswered for "many hours" [:)].

    First of all, I noticed statuscode="502" together with error="Connection refused" in the first entry so maybe the destination did actually refuse the connection.
    But anyway, I'd have thought that a blacklist/whitelist would have precedence - how did you add it to your policy?

    Christian