Content filtering doesn't "filter" https
I have an RV082 running the latest firmware. If I try to enable web filtering under "Content Filter" by web address or keyword, it only works for HTTP sites. Let's say I try to block www.facebook.com: I get "This URLs or Page has been blocked".
If I type https://www.facebook.com I get to Facebook no problem. It looks like only HTTP is checked and blocked.
Also, if I try "Scheduling" and apply the rule from 8:00 to 13:00, it allows me to access it. Am I missing something?
Hi Mario, HTTPS can't really be blocked unless the router is able to perform reverse DNS lookup. If you want to block https flavors of a website you would need a service that can perform the reverse DNS lookups such as OpenDNS.
-Tom
Please mark answered for helpful posts
Similar Messages
-
IOS Content Filtering - Is No More ?
Cisco very quickly End of Lifed the IOS Content Filtering offering last year
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
Cisco are pushing Scansafe as their current offering, which has probably led to a falling out with Trend who provided the underlying service for IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal i.e. SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions from other suppliers"
So we are left with a router platform which is fine and content filtering which was fine but are now unable to re-licence the URL filtering service and will stop working in about 30 days and there is apparently nothing we can do about it
Does anyone know if Trend still operate the URL filtering subscription service and whether there is a way of getting a subscription renewal direct?
(I'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
Or of any alternative simple and cost effective solution we can configure the router to use
(please tell me we're not back to SurfControl/Websense solutions again..)
thanks
Sez
Approached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. it's not our fault (but strangely the problem is the customers)
Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
Also the Scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer from Cisco is basically - yep spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisco.com for Scansafe - i.e. covering SKU/ordering models etc... It always just says 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Ciscos valued customers
Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
I have found we are not alone in this, most customers are only finding out about this mess when existing IOS URL Filtering licences expire and go for renewal only to find the 3 month EOL process has stealthily boatanchored their implementation.
Sez -
Using Content filters (HTML Filter)
Hello.
I'm having problem displaying an html-page in the portal with an url-iview. The problem is that the portal is accessed using HTTPS, and the url-iview links to a html-page using http.
This will generate a popup in internet explorer about unsecure content.
I thought that a way to solve this could be to connect KM to the page and then let the url-iview show the html-page through the KM Repository.
This works fine, however there is still one problem.
Inside the HTML page, there are <IMG src> tags that refer to the http site.
How can I configure HTML filters to rewrite all image and stylesheet references via KM instead of to the http-site?
I've tried to understand the documentation on Content Filters (http://help.sap.com/saphelp_nw04/helpdata/en/55/921d7bb0c611d5993800508b6b8b11/content.htm), but I don't know what to write in the "Base Tag" property, or if this even works.
Does anyone know if there is an example about this? Or perhaps know how to configure this?
Regards, Mikael
This can be done, but it might not be an optimal solution. You would basically parse each HTML file and replace the links before streaming the content. You can create your own version of com.sap.km.cm.docs component which streams the content of a HTML file by replacing the links. And you would use your own component for creating the KM doc iviews that way you will have altered HTML links.
-
I have a Samsung Galaxy SII with T-Mobile. The model #is SGH-T989, Android version 2.3.6
"Content filter" is the Android Market's method for restricting certain applications that may provide access to "mature" content. You can disable content filtering in the settings of the Market app on your phone.
-Michelle -
Locking duplicate thread.
Please continue here: [[/questions/918255]]
When I try to download Firefox for Android I get the message as previously stated. I have a Samsung Galaxy SII with T-Mobile.
"Content filter" is the Android Market's method for restricting certain applications that may provide access to "mature" content. You can disable content filtering in the settings of the Market app on your phone.
-Michelle -
IOS web content filtering cannot get trend micro filter
Hi, I am just wondering how I can get my router's content filtering to connect to the trps.trendmicro.com server again. Previously it connected to the server successfully; after I made some changes to my zone-pair firewall, it cannot connect to the Trend Micro server anymore.
sh ip trm subscription status shows that I am successfully connected and registered.
All the steps in the installation guide were followed accordingly. Then I turned on debug crypto pki validation and debug ip trm detail, all showing a successful connection to the Trend Micro site.
parameter-map type trend-global <param> is pointing to trps.trendmicro.com; my class-map and policy-map haven't had any changes since the last successful connection.
The zone-pair setting is also attached to the right policy-map that serves service-policy urlfilter <name>.
Overall, after my zone-pair firewall is UP again, my web content filtering is gone, while registration is made.
Does anyone have any idea what really happened?
thanks
Noel
Hi Yongkhang,
I think in order to figure out what is happening, we need to troubleshoot and see the config, data and other show commands. I'm not sure if you would feel comfortable posting that here. Therefore, I think it's best to open up a case with TAC on it so that it can be troubleshot to see why you can't access the Trend Micro server.
Can you let me know what you mean by when you turn on your ZBF, your web content filtering is gone? Are you saying, when you turn on ZBF, the web content filtering is no longer blocking or allowing sites?
Have you run the following debugs?
debug ip urlfilter detail
debug ip urlfilter event
debug ip urlfilter function-trace
Also, what does this show:
show policy-map type inspect zone-pair urlfilter
Are you sure you have the class maps in the proper order, since it's processed sequentially?
regards,
scott -
IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?
I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription.
Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
Thanks!
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?
Hmm... no thoughts over the weekend. Anyone?
-
Content filtering, I think...
So I listen to Bubba the Love Sponge on Radioio.com. Their web browser player uses Adobe Flash and their desktop player uses Air. I can listen to all of the radioio music stations with no problem, but when I try to listen to Bubba's 2 stations the player won't work. I've contacted the Radioio support team and they have no idea why only the Bubba stations are being blocked. I'm running Windows 7 Pro. I've checked the content filter on Windows 7 and it's not turned on. I've checked both Internet Explorer's and Firefox's content filtering and they are set to the lowest setting possible. I've tested it on a couple of computers in the office that are running XP Pro and it works fine, I've tested his channels on my home computer that has Windows 7 Home and it works fine. So there is something on my Windows 7 Pro computer at work that is stopping the feed. I've checked every other part out and I'm down to it either being Adobe Flash or Adobe Air. I really hope someone knows what's going on.
Thanks for your help
Jeffr
In article <[email protected]>, Sjdimare wrote:
> But if it would be difficult to remove from NDS, then I am not sure it
> will be worth it. It looks like it should be an easy removal but I
> wanted to confirm that.
>
It doesn't really 'integrate with NDS'. You load it (and unload it)
with an NCF file. You use it in BMgr by adding an access rule. Simply
don't load the NCF file and remove the rule, and it doesn't run. To
delete it entirely, you just delete the linkwall folder where it puts
its files.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Hello
Previously I used Exchange 2010 with Forefront Threat Protection installed and this used to do a good job of stopping all the spam.
However since updating to Exchange 2013 earlier this year and enabling the integrated spam filtering everyone noticed a sudden increase in the amount of spam which was getting through which has been bad for a long time.
We have been living with it but in the last 3 weeks everyone has started getting about 40 emails a day from Pfizer for Viagra. All these seem to defeat the content filtering as Viagra is spelt with an extra I and the email address is always different.
Also images in emails are blocked by default but somehow all the images on these spam messages appear for everyone.
I am not sure the spam filtering is working at all and I'm not sure how to tell as ForeFront gives you a nice graphical dashboard but I can find nothing similar to this in Exchange and PowerShell seems the only way to configure the limited functionality of the content filter.
Is there any way to get rid of these messages as it doesn't look very good when they are constantly popping up for everyone?
Thanks
Robin
Robin Wilson
Hello ManU
Thanks for the reply.
I have checked the logs and see this quite often:
AcceptMessage,,SCL,not available: policy is disabled
But other times it says this:
RejectMessage,550 5.7.1 Message rejected as spam by Content Filtering
Which seems to indicate it is rejecting some.
This is what one of the email headers looks like:
Received: from RWS-MAIL.rwsservices.net (192.168.2.151) by
RWS-MAIL.rwsservices.net (192.168.2.151) with Microsoft SMTP Server (TLS) id
15.0.775.38 via Mailbox Transport; Sat, 28 Dec 2013 10:59:26 +0000
Received: from RWS-MAIL.rwsservices.net (192.168.2.151) by
rws-mail.rwsservices.net (192.168.2.151) with Microsoft SMTP Server (TLS) id
15.0.775.38; Sat, 28 Dec 2013 10:58:38 +0000
Received: from [90.169.106.204] (90.169.106.204) by mail.rwsservices.net
(192.168.2.151) with Microsoft SMTP Server id 15.0.775.38 via Frontend
Transport; Sat, 28 Dec 2013 10:58:37 +0000
Date: Sat, 28 Dec 2013 12:05:58 +0200
From: US.Pfizer eStore <[email protected]>
To: robin.wilson <[email protected]>
Message-ID: <[email protected]>
Subject: Dear robin.wilson up to 65% OFF!
X-Mailer: Airmail (223)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="dd2ee3ea_586bb9e4_6f04"
Return-Path: [email protected]
X-MS-Exchange-Organization-PRD: 001-taxis.co.uk
X-MS-Exchange-Organization-SenderIdResult: Neutral
Received-SPF: Neutral (rws-mail.rwsservices.net: 90.169.106.204 is neither
permitted nor denied by domain of [email protected])
X-MS-Exchange-Organization-Network-Message-Id: e8825204-1f32-48be-a331-08d0d1d30209
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13223.464;SID:SenderIDStatus Neutral;OrigIP:90.169.106.204
X-EXCLAIMER-MD-CONFIG: 079171ba-394f-46d5-a160-56e416712e8e
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: rws-mail.rwsservices.net
X-MS-Exchange-Organization-AuthAs: Anonymous
The emails use a different sender email address every time and there is always a poem in very light grey writing in the body of the email. The drugs are always misspelt as well. Is this why these are getting through?
Thanks
Robin
Robin Wilson -
Exchange 2013 SP1 EDGE role content filtering ?
Hello,
I have Exchange 2013 SP1 with CU5 with antispam enabled on the mailbox role server. I wonder: if I deploy the 2013 Edge role, will I get more granular content filter control, like there is in Office 365? For example: I want to treat empty messages as not spam.
I have read that control of the Edge server is done ONLY by PowerShell. So if the Edge role is deployed, is there still no content filter control in ECP (like in Office 365)?
Hi,
The Content Filter agent assigns a spam confidence level (SCL) rating to each message. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam.
Based on my knowledge, I'm afraid we can't filter the empty messages and treat them as not spam.
Here is an article about content filtering in Exchange 2013 for your reference.
Content Filtering
http://technet.microsoft.com/en-us/library/bb124739(v=exchg.150).aspx
Best regards,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Belinda Ma
TechNet Community Support -
Hi, all:
I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
On this particular testbed, I have a 2900 running:
System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
And the following licensing:
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc uck9 Permanent uck9
data datak9 Permanent datak9
Configuration register is 0x2102
CUBE_GOLD_MEX#show ip trm subscription status
Package Name: Security & Productivity (Trial)
Status: Active
Status Update Time: 18:02:51 CST Mon Jul 23 2012
Expiration-Date: Mon Aug 20 02:00:00 2012
Last Req Status: Processed response successfully
Last Req Sent Time: 18:02:51 CST Mon Jul 23 2012
CUBE_GOLD_MEX#
Also, I have the following config lines on it:
ip host trps.trendmicro.com 216.104.8.100
ip name-server 4.2.2.2
ip cef
multilink bundle-name authenticated
parameter-map type urlfpolicy trend tm-pmap
allow-mode on
[snip]
parameter-map type trend-global trend-glob-map
class-map type inspect match-all http-imap
match protocol http
class-map type urlfilter trend match-any drop-category
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
policy-map type inspect urlfilter trend-policy
class type urlfilter trend drop-category
I have not been able to get to the good part of configuring the ZBF.
I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
XXXXXX(config)#policy-map type inspect urlfilter trend-policy
XXXXXX(config-pmap)#?
Policy-map configuration commands:
class policy criteria
description Policy-Map description
exit Exit from policy-map configuration mode
no Negate or set default values of a command
XXXXXX(config-pmap)#
I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
Can anyone provide some assistance?
TIA.
c.
Hi Carlos,
I am having the same problem. I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the IOS documentation for 15.2. Maybe they forgot it :-)
I guess I will open a TAC case as I do not want to downgrade...
I will keep you posted if I find the answer.
Regards,
Troy -
Content Filters have been selected through My Verizon Security Suite; however, it blocks TV shows that I would like to watch. How do I prevent this?
I know the importance of safeguarding your children, sdkullman. The Droid Maxx would be able to support content filters. What happens when you try adding them: http://vz.to/1xqrYFw There are third party applications that can be installed through the Play Store which allow you to filter content. However, because these are third party it is recommended that you read the reviews to understand how it will affect the device.
AndreaS_VZW
Follow us on Twitter @VZWSupport -
Web Content Filtering / Virus Scanning appliance
Hello all,
I'm in the market for a content / url / virus scanning device for our network. We are currently using MXLogic's Web Defense service and while it's very cheap it is not suiting our needs. What I'm looking for is an appliance that will do content filtering but also virus / malware / spyware scanning on web traffic. I'd also need to be able to set up policies / groups for different sets of users. For instance the folks who purchase the products we sell need to be able to see our vendors' media (streaming video) content while our sales folks don't. I can't currently do this with MXLogic, it's all or nothing.
Our firewall is an ASA5510 and I've looked at the Content Security SSM-10 module with the plus license and while the pricing is definitely attractive I have a few questions about it. Does it integrate with MS Active Directory? In other words, can it filter based on groups and policies or is it more IP / ACL based? Also does it perform well?
I've also looked at the IronPort product Cisco sells and have similar questions regarding that, mainly what are folks' experiences with it, is it something you would recommend?
Hi Allen,
To answer your questions related to the CSC module:
1. No, the CSC module does not integrate with Active Directory. This is something that Trend Micro has in the works, but as of now there is no ETA for this functionality.
2. The CSC module will perform fairly well if used in the environment it was designed for. I would recommend taking a look at the CSC sizing guide to see if the CSC-SSM-10 would be something that is scalable enough for your network:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.html
I cannot speak to the performance/functionality of IronPort as I have not used it personally, but I have heard good things. Also, external appliances from Websense seem to be a popular choice when you need a product that is a bit more scalable or granular than what the CSC module can provide.
Hope that helps.
-Mike -
Message filters vs Content Filters
Differences:
1. Message filters occur earlier in the email pipeline than content filters. Message filters run before the email goes into the workqueue. The content filters occur inside the workqueue.
2. Message filters are currently only administered from the command line. Content filters can be administered from both the CLI and the GUI interface, however, the GUI interface is the recommended method.
3. Content filters have an inbound and an outbound set of content filters, depending upon the direction of the message. That is, whether it's a relayed email (outgoing content filters) or inbound mail (inbound content filters). Message filters on the other hand, are automatically applied to both inbound and outgoing traffic, unless you lock it down to a specific listener. If you only have one listener, you may need to differentiate your flow of traffic by sendergroups or something else.
4. Message filters and content filters can pretty much have the same conditions and actions. However, message filters allow for if-else conditions, so they are more robust.
5. You can use message and content filters in unison. For example, use a message filter to insert a custom header that your content filter can key off of. However, this does not work the other way around. You cannot insert a custom header in the content filter and have the message filter key off of that info. Due to the way the email pipeline is set up, message filters come first, then content filters.
6. Ease of use: content filters are a bit more intuitive and user-friendly. Message filters are more advanced, so they have a bigger learning curve.
7. Content filters used with customized incoming or outgoing mail policies allow you to splinter messages. Splintering messages allows you to split messages up by recipients. Message filters don't allow splintering and are applied to the entire message.
AsyncOS User Guide: Content Filters Overview
https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_User_Guide/AsyncOS_4.6_User_Guide-12-3.html
AsyncOS User Guide: Message Filters
https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_Adv_User_Guide/AsyncOS_4.6_Adv_User_Guide-09-2.html
AsyncOS User Guide: Email Pipeline
https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_User_Guide/AsyncOS_4.6_User_Guide-09-2.html
Actually, I just did a test on this and your point is half correct.
It's not the content filter that does the splintering, it's either the incoming or outgoing mail policy that does the splintering.
For example, if you only have one Default outgoing policy and an outgoing content filter that drops the mail if the destination is @yahoo.com.
If you sent in a test email with two recipients: [email protected] and [email protected]
Then the entire message would get dropped since there was only one Default outgoing policy.
However, you can allow for splintering if you had additional custom policies.
For example,
1. gmail-recipients
2. yahoo-recipients
3. Default policy
In that case, your test email would split into two separate emails and then you could have the content filters apply to each separately.
You are correct that message filters apply to the entire message and do not allow for message splintering.
However, with content filtering, message splintering is only applicable if you have an additional custom policy, either inbound or outgoing.
So, in addition to the requirement of multiple recipients, you also need multiple policies, otherwise, having multiple recipients and only one Default policy will affect the entire message also.
Thanks for the attention to detail.
You've missed one of the biggest differences...
Message filters act on a _message_. Content filters act on a message/recipient pair.
If a message is only going to a single person then there's not any difference, but if a message is addressed to multiple people then the message filter will take the same action for all recipients, whilst the content filter will split ("splinter") the one message into multiple messages, with one (or possibly more) recipients each, and then act on each individually. -
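The splintering behaviour discussed in this thread, modelled as an added example (a simplified Python sketch, not AsyncOS code and not from the original posts). It runs the thread's test case, one message to a gmail.com and a yahoo.com recipient with a content filter that drops mail destined for @yahoo.com, first with only the Default policy and then with the custom policies `gmail-recipients` and `yahoo-recipients`. The addresses, the header name and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Message:
    sender: str
    recipients: List[str]
    headers: Dict[str, str] = field(default_factory=dict)

@dataclass
class Policy:
    name: str
    matches: Callable[[str], bool]                        # recipient -> bool
    content_filters: List[Callable[[Message], Optional[str]]]

def domain_is(domain: str) -> Callable[[str], bool]:
    return lambda rcpt: rcpt.lower().endswith("@" + domain)

def drop_if_yahoo(msg: Message) -> Optional[str]:
    """Content filter from the thread: drop if a destination is @yahoo.com."""
    if any(domain_is("yahoo.com")(r) for r in msg.recipients):
        return "drop"
    return None

def tag_message(msg: Message) -> None:
    """Message filter: runs once on the whole message, before any splintering.
    The header name is a constructed placeholder."""
    msg.headers["X-Example-Tag"] = "seen-by-message-filter"

def splinter(msg: Message, policies: List[Policy]):
    """Assign each recipient to the first matching policy (the last policy
    must be a catch-all Default) and emit one message copy per policy."""
    groups = {}
    for rcpt in msg.recipients:
        policy = next(p for p in policies if p.matches(rcpt))
        groups.setdefault(policy.name, (policy, []))[1].append(rcpt)
    return [(p, Message(msg.sender, rcpts, dict(msg.headers)))
            for p, rcpts in groups.values()]

def process(msg: Message, message_filters, policies: List[Policy]):
    """Message filters first (whole message), then per-policy content filters."""
    for mf in message_filters:
        mf(msg)
    delivered, dropped = [], []
    for policy, copy in splinter(msg, policies):
        verdicts = [cf(copy) for cf in policy.content_filters]
        (dropped if "drop" in verdicts else delivered).extend(copy.recipients)
    return delivered, dropped

def default_only() -> List[Policy]:
    return [Policy("Default", lambda r: True, [drop_if_yahoo])]

def with_custom_policies() -> List[Policy]:
    return [
        Policy("gmail-recipients", domain_is("gmail.com"), [drop_if_yahoo]),
        Policy("yahoo-recipients", domain_is("yahoo.com"), [drop_if_yahoo]),
        Policy("Default", lambda r: True, [drop_if_yahoo]),
    ]

def run(policies: List[Policy]):
    # Constructed test message with one recipient in each domain.
    msg = Message("sender@example.com", ["user1@gmail.com", "user2@yahoo.com"])
    return process(msg, [tag_message], policies)

if __name__ == "__main__":
    print("Default only    :", run(default_only()))
    print("Custom policies :", run(with_custom_policies()))
```

With only the Default policy there is a single copy carrying both recipients, so the drop applies to both; with the custom policies each copy is evaluated on its own and the header set by the message filter is present on every copy.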
Any way to provide content filtering for web access (aka: block porn, etc.)? The previously posted solution was "Unite" software which is no longer available.
I would recommend Content Barrier (www.intego.com), although I think it does block sites based on a list, it is very good and will monitor the admin account as well. Plus a trial version is available which is always a plus.
The only content filter that monitors based on actual site content is DansGuardian which is free, but I found a pain to set up. Still, it's worth trying if you can find a decent mac setup guide. A mac version is available here: http://mac.softpedia.com/get/Internet-Utilities/DansGuardian.shtml, and the DansGuardian homepage is here: http://dansguardian.org/