Content Filtering errors in class matches

TEAM-ind
Getting noticed


I have an MX400 with content filtering enabled and we are blocking many categories, including Malware.  I am seeing several sites that seem to have errors in classifications and are getting blocked.  Most recently:

If you feel you have received this message in error, please contact your network operator with the following information:

URL: http://www.marclatulippe.com/ManuelShopMotoneige/Polaris/2010-2012%20Polaris.pdf

Category: Malware Sites

Server: 50.63.202.32:80

BrightCloud's lookup tool returns this URL as a Business and Economy match.

What's going on here?  The engine the Meraki uses is Bright Cloud, correct?

DCooper
Meraki Alumni (Retired)

Are you pulling the full list or top sites? Also, is this MX that is doing the filtering behind a firewall with egress rules?

TEAM-ind
Getting noticed

I am using the "Top Sites only" setting.  In this mode, how often does the MX pull the list from BrightCloud?

DCooper
Meraki Alumni (Retired)

I would change it from top sites to full. You will either need to wait 30 minutes or so, or just do a reboot after you switch it over, before testing. The way we do dynamic lookups has changed with the newer versions. There is a local hashed database on the MX device, and that database size (the number of sites it holds) differs depending on the model. If it isn't in the reputation DB we will do a lookup. There have been some significant improvements with the newer version in wired 13+, so if the issue still persists, try that as a last step if you're not already there.

Thanks for the reply.  I am still wondering how often the cache is updated if you are using Top Sites rather than Full.  Or am I to understand that Top Sites is no longer supported?

I've seen several posts regarding incorrect classes, and a suggestion to go to 13.x.  We are on 12.26.  It is my understanding 12.26 is the latest stable release.  I see the 13 chain is now "stable release candidate" and there is a 14 build in Beta.  Is it an error on my side to assume the latest stable release is where I should be?

DCooper
Meraki Alumni (Retired)

I recommend my customers move to 13.28.

13.28 was the first MX major firmware version that has gone through the new firmware release process. The stable release candidate version is no longer considered a beta firmware, but it will not yet be the default version when new networks are created.

For more information on the firmware release process, please see the following documents:

Meraki Firmware Release Process

Managing Firmware Upgrades

PhilipDAth
Kind of a big deal

I second @DCooper - upgrade to 13.28.  In earlier firmware versions the IP reputation history was checked before the URL reputation, meaning a server with one bad web site would result in every web site on that server being blacklisted.

This was later switched around to check the URL reputation first.
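To make the mechanism DCooper and PhilipDAth describe concrete (an on-box hashed verdict store consulted before a dynamic lookup, and the earlier firmware's IP-reputation-before-URL-reputation order that blacklisted every site on a shared server), here is a small Python model. It is an added example, not Meraki or BrightCloud code: the lookup tables, the `evil.example` neighbour on the same address, the cache capacity and the `order` switch are constructed assumptions; only the PDF URL, the address 50.63.202.32 and the "Malware Sites" category come from the block page quoted above.

```python
import hashlib
from typing import Dict, Optional

# Categories the (constructed) policy blocks; "Malware Sites" is the one from the thread.
BLOCKED_CATEGORIES = {"Malware Sites"}

# Constructed stand-in for the cloud reputation service. The PDF entry uses the URL
# and the category BrightCloud's lookup tool returned in the thread; "evil.example"
# is a made-up bad site that shares the same hosting address.
PDF_URL = "www.marclatulippe.com/ManuelShopMotoneige/Polaris/2010-2012%20Polaris.pdf"
URL_CATEGORIES: Dict[str, str] = {
    PDF_URL: "Business and Economy",
    "evil.example/drop.exe": "Malware Sites",
}
SHARED_IP = "50.63.202.32"  # server address shown on the block page
DNS: Dict[str, str] = {  # constructed: both hostnames sit on one shared host
    "www.marclatulippe.com": SHARED_IP,
    "evil.example": SHARED_IP,
}


def host_of(url: str) -> str:
    """Hostname part of a scheme-less URL written as 'host/path'."""
    return url.split("/", 1)[0]


def url_reputation(url: str) -> str:
    """Per-URL verdict from the constructed reputation service."""
    return URL_CATEGORIES.get(url, "Unclassified")


def ip_reputation(ip: str) -> str:
    """Per-address verdict: an address inherits a blocked category from any site hosted on it."""
    for url, category in URL_CATEGORIES.items():
        if DNS.get(host_of(url)) == ip and category in BLOCKED_CATEGORIES:
            return category
    return "Unclassified"


class LocalCache:
    """Hashed on-box verdict store with a fixed capacity.

    Models the local database the MX consults before doing a dynamic lookup;
    a smaller capacity plays the role of the 'Top Sites only' setting.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._entries: Dict[str, str] = {}

    @staticmethod
    def _key(url: str) -> str:
        return hashlib.sha256(url.encode()).hexdigest()

    def get(self, url: str) -> Optional[str]:
        return self._entries.get(self._key(url))

    def put(self, url: str, category: str) -> None:
        if len(self._entries) < self.capacity:  # full store: verdict is not retained
            self._entries[self._key(url)] = category

    def clear(self) -> None:
        """Stands in for the reboot / refresh interval the thread mentions."""
        self._entries.clear()


def classify(url: str, ip: str, cache: LocalCache, order: str = "url_first") -> str:
    """Return the category for url: cached verdict first, then reputations in `order`."""
    cached = cache.get(url)
    if cached is not None:
        return cached
    if order == "ip_first":        # behaviour of the earlier firmware
        first, second = ip_reputation(ip), url_reputation(url)
    elif order == "url_first":     # behaviour after the switch
        first, second = url_reputation(url), ip_reputation(ip)
    else:
        raise ValueError(f"unknown order: {order}")
    category = first if first != "Unclassified" else second
    cache.put(url, category)
    return category


def is_blocked(url: str, ip: str, cache: LocalCache, order: str = "url_first") -> bool:
    return classify(url, ip, cache, order) in BLOCKED_CATEGORIES


if __name__ == "__main__":
    for order in ("ip_first", "url_first"):
        cache = LocalCache(capacity=1000)
        print(order, "| PDF blocked:", is_blocked(PDF_URL, SHARED_IP, cache, order),
              "| evil.example blocked:", is_blocked("evil.example/drop.exe", SHARED_IP, cache, order))
```

With `ip_first` the harmless PDF is blocked purely because of its shared-hosting neighbour, which is the false positive the original poster saw; with `url_first` only the bad site is blocked. The model also shows why a verdict can survive a settings change: once a "Malware Sites" verdict is in the local store, `classify` keeps returning it until the store is cleared, which is the reason the thread advises waiting or rebooting before re-testing.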

Thanks for the feedback @PhilipDAth.   I will have to consider the upgrade.  I did check both the IP and URL with BrightCloud, and both are fine.  Only the MX is classifying it as malware...just wondering how it's making that decision if it's supposed to get its marching orders from BrightCloud.  I guess it must be a bug in the code.

Dylan_YYC
Getting noticed

Yes, however if you're not running version 13 in beta this is a known issue...
