I have an MX400 with content filtering enabled and we are blocking many categories, including Malware. I am seeing several sites that seem to have errors in classifications and are getting blocked. Most recently:
If you feel you have received this message in error, please contact your network operator with the following information:
BrightCloud's lookup tool returns this URL as a Business and Economy match.
What's going on here? The engine the Meraki uses is BrightCloud, correct?
Are you pulling the full list or top sites? Also, is this MX that is doing the filtering behind a firewall with egress rules?
I would change it from top sites to full. You will either need to wait 30 minutes or so or just do a reboot after you switch it over before testing. The way we do dynamic lookups has changed with the newer versions. There is a local hashed database on the MX device, and that database size (the number of sites) differs depending on the model. If it isn't in the reputation DB we will do a lookup. There have been some significant improvements with the newer version in wired 13+, so if the issue still persists, try that as a last step if you're not already there.
Thanks for the reply. I am still wondering how often the cache is updated if you are using Top Sites rather than Full. Or am I to understand that Top Sites is no longer supported?
I've seen several posts regarding incorrect classes, and a suggestion to go to 13.x. We are on 12.26. It is my understanding 12.26 is the latest stable release. I see the 13 chain is now "stable release candidate" and there is a 14 build in Beta. Is it an error on my side to assume the latest stable release is where I should be?
I recommend my customers moving to 13.28.
13.28 was the first MX major firmware version that has gone through the new firmware release process. The stable release candidate version is no longer considered a beta firmware, but it will not yet be the default version when new networks are created.
For more information on firmware release process, please see the following documents:
I second @DCooper - upgrade to 13.28. In earlier firmware versions the IP reputation history was checked before the URL reputation, meaning a server with one bad web site would result in every web site on that server being blacklisted.
This was later switched around to check the URL reputation first.
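The ordering effect described in the reply above, as a simplified model added here (not Meraki's or BrightCloud's code, and not part of the thread). All hosts, addresses and categories are constructed, and the "first definite answer wins" rule is an assumption made for illustration.

```python
# Simplified model of reputation check ordering on a filtering gateway.
# Every host, IP address and category below is constructed sample data.

# Constructed URL (host) reputation; a missing host means "unknown".
URL_REPUTATION = {
    "shop.example": "Business and Economy",
    "news.example": "News and Media",
    "bad.example": "Malware",
}
# Constructed IP reputation: one shared-hosting address with a bad history.
IP_REPUTATION = {"203.0.113.10": "Malware"}
BLOCKED_CATEGORIES = {"Malware"}

# Constructed requests: (host, resolved IP). Three hosts share one server.
REQUESTS = [
    ("shop.example", "203.0.113.10"),
    ("bad.example", "203.0.113.10"),
    ("unlisted.example", "203.0.113.10"),
    ("news.example", "198.51.100.7"),
]


def verdict(host, ip, ip_first):
    """Return (blocked, category, deciding_source) for one request.

    Assumption: the first reputation source with a definite answer decides.
    """
    ip_check = ("ip", IP_REPUTATION.get(ip))
    url_check = ("url", URL_REPUTATION.get(host))
    checks = [ip_check, url_check] if ip_first else [url_check, ip_check]
    for source, category in checks:
        if category is not None:
            return (category in BLOCKED_CATEGORIES, category, source)
    return (False, "Uncategorized", "none")


def collateral_blocks(requests):
    """Hosts blocked under IP-first ordering but allowed under URL-first."""
    return [
        host for host, ip in requests
        if verdict(host, ip, ip_first=True)[0]
        and not verdict(host, ip, ip_first=False)[0]
    ]


if __name__ == "__main__":
    for host, ip in REQUESTS:
        print(host, verdict(host, ip, True), verdict(host, ip, False))
    print("collateral under IP-first:", collateral_blocks(REQUESTS))
```

In this model only the site with its own clean URL category is rescued by URL-first ordering; a host with no URL entry on the same address is still decided by the IP reputation.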
Thanks for the feedback @PhilipDAth. I will have to consider the upgrade. I did check both the IP and URL with BrightCloud, and both are fine. Only the MX is classifying it as malware... just wondering how it's making that decision if it's supposed to get its marching orders from BrightCloud. I guess it must be a bug in the code.