
Content Filtering errors in class matches

Here to help


I have an MX400 with content filtering enabled and we are blocking many categories, including Malware.  I am seeing several sites that seem to have errors in classifications and are getting blocked.  Most recently:

 

If you feel you have received this message in error, please contact your network operator with the following information:

URL:

http://www.marclatulippe.com/ManuelShopMotoneige/Polaris/2010-2012%20Polaris.pdf

Category:

Malware Sites

Server:

50.63.202.32:80

BrightCloud's lookup tool returns this URL as a Business and Economy match.

What's going on here? The engine the Meraki uses is BrightCloud, correct?

 

 

Meraki Alumni (Retired)

Re: Content Filtering errors in class matches

Are you pulling the full list or top sites? Also, is this MX that is doing the filtering behind a firewall with egress rules?

Here to help

Re: Content Filtering errors in class matches

I am using the "Top Sites only" setting.  In this mode, how often does the MX pull the list from BrightCloud? 

Meraki Alumni (Retired)

Re: Content Filtering errors in class matches

I would change it from top sites to full. You will either need to wait 30 minutes or so, or just do a reboot after you switch it over, before testing. The way we do dynamic lookups has changed with the newer versions. There is a local hashed database on the MX device, and that database size (= amount of sites) differs depending on the model. If it isn't in the reputation DB we will do a lookup. There have been some significant improvements with the newer version in wired 13+, so if the issue still persists, try that as a last step if you're not already there.

Here to help

Re: Content Filtering errors in class matches

Thanks for the reply.  I am still wondering how often the cache is updated if you are using Top Sites rather than Full.  Or am I to understand that Top Sites is no longer supported?

 

I've seen several posts regarding incorrect classes, and a suggestion to go to 13.x. We are on 12.26. It is my understanding 12.26 is the latest stable release. I see the 13 chain is now "stable release candidate" and there is a 14 build in Beta. Is it an error on my side to assume the latest stable release is where I should be?

Meraki Alumni (Retired)

Re: Content Filtering errors in class matches

I recommend my customers move to 13.28.

 

13.28 was the first MX major firmware version that has gone through the new firmware release process. The stable release candidate version is no longer considered a beta firmware, but it will not yet be the default version when new networks are created. 

 

For more information on firmware release process, please see the following documents:

Meraki Firmware Release Process

Managing Firmware Upgrades

Kind of a big deal

Re: Content Filtering errors in class matches

I second @DCooper - upgrade to 13.28. In earlier firmware versions the IP reputation history was checked before the URL reputation, meaning a server with one bad web site would result in every web site on that server being blacklisted.

This was later switched around to check the URL reputation first.
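The difference between the two check orders described in this reply, as a simplified model added here (not part of the original post and not Meraki's or BrightCloud's code). The hostnames, the 192.0.2.10 address and the reputation tables are constructed sample data, and `classify` and `collateral_blocks` are hypothetical helpers:

```python
from urllib.parse import urlsplit

# Constructed sample data, not a real reputation feed: one shared-hosting IP
# serving three unrelated sites, one of which has a bad URL reputation.
URL_CATEGORY = {
    "bad-tenant.example": "Malware Sites",
    "shop-manuals.example": "Business and Economy",
}  # "new-tenant.example" deliberately has no URL verdict
IP_CATEGORY = {"192.0.2.10": "Malware Sites"}  # tainted by bad-tenant.example
BLOCKED = {"Malware Sites"}

REQUESTS = [  # (URL, server IP) pairs, constructed
    ("http://bad-tenant.example/index.html", "192.0.2.10"),
    ("http://shop-manuals.example/docs/manual.pdf", "192.0.2.10"),
    ("http://new-tenant.example/", "192.0.2.10"),
]


def classify(url, server_ip, order):
    """Return (category, source) from the first source in `order` with a verdict."""
    host = urlsplit(url).hostname
    verdicts = {"ip": IP_CATEGORY.get(server_ip), "url": URL_CATEGORY.get(host)}
    for source in order:
        if verdicts[source] is not None:
            return verdicts[source], source
    return "Uncategorized", "none"


def collateral_blocks(requests, order):
    """Hosts that are blocked although their own URL verdict is not a blocked one."""
    hits = []
    for url, ip in requests:
        category, source = classify(url, ip, order)
        host = urlsplit(url).hostname
        if category in BLOCKED and URL_CATEGORY.get(host) not in BLOCKED:
            hits.append((host, source))
    return hits


if __name__ == "__main__":
    print("IP first :", collateral_blocks(REQUESTS, ("ip", "url")))
    print("URL first:", collateral_blocks(REQUESTS, ("url", "ip")))
```

In this model, checking the URL first clears the site that has its own benign verdict, while a host with no URL verdict still inherits the category of the shared IP.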

Here to help

Re: Content Filtering errors in class matches

Thanks for the feedback @PhilipDAth. I will have to consider the upgrade. I did check both the IP and URL with BrightCloud, and both are fine. Only the MX is classifying it as malware... just wondering how it's making that decision if it's supposed to get its marching orders from BrightCloud. I guess it must be a bug in the code.

Getting noticed

Re: Content Filtering errors in class matches

Yes, however if you're not running version 13 in beta this is a known issue...
