- Secure Web Filter interacts with the dnsmasq service.
- You may not see traffic going out the WAN because dnsmasq caches responses.
- dnsmasq has a limit on how many requests it can service. When it hits that limit, it simply starts dropping requests.
- The Webroot queue can fill up, although this typically occurs due to an issue unrelated to Webroot (e.g. the WAN interface is down).

In the following example Webroot blocks a request for indeed.com because the Job Search category is blocked.
[admin@AER2200-abc: /]$ log -f
04:48:20 PM DEBUG wf-webroot handle_udp_connection : client ('192.168.22.28', 55082)
04:48:20 PM DEBUG wf-webroot handle_udp_connection: que request for indeed.com from 192.168.22.28:55082
04:48:20 PM DEBUG wf-webroot process_queue_data - client: ('192.168.22.28', 55082)
04:48:20 PM DEBUG wf-webroot dns_req_urlname: indeed.com []
04:48:20 PM DEBUG wf-webroot is_special_dns_domain - split DNS match: [] known_host match []
04:48:20 PM DEBUG wf-webroot is_special_dns_domain - returning: False
04:48:20 PM DEBUG wf-webroot Lookup w/Rep: indeed.com for 192.168.22.28:55082
04:48:20 PM DEBUG wf-webroot Lookup cache miss on: indeed.com - Not Found
04:48:20 PM DEBUG wf-webroot lookup_callback: sending resp back ('indeed.com', 'indeed.com', [(26, 83)], 81, 1)
04:48:20 PM DEBUG wf-webroot uncat: False defblk: False lookup_results: ('indeed.com', 'indeed.com', [(26, 83)], 81, 1)
04:48:20 PM DEBUG wf-webroot lookup_results : ('indeed.com', 'indeed.com', [(26, 83)], 81, 1) blocked : True reason : policy reason_val 26
04:48:20 PM INFO wf-webroot 192.168.22.28 blocked requesting indeed.com reason is policy (test) category (Job Search)
04:48:20 PM DEBUG wf-webroot DNS Response (b'\xber\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x06indeed\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc63d[')
[admin@AER2200-abc: /]$ tcpdump -i any port 53 -n
16:48:20.256555 ethertype IPv4, IP 192.168.22.28.55082 > 192.168.22.1.53: 48754+ A? indeed.com. (28)
16:48:20.256555 IP 192.168.22.28.55082 > 192.168.22.1.53: 48754+ A? indeed.com. (28)
16:48:20.256555 IP 192.168.22.28.55082 > 192.168.22.1.53: 48754+ A? indeed.com. (28)
16:48:20.338442 IP 192.168.22.1.53 > 192.168.22.28.55082: 48754 1/0/0 A 198.51.100.91 (44)
16:48:20.338732 IP 192.168.22.1.53 > 192.168.22.28.55082: 48754 1/0/0 A 198.51.100.91 (44)
16:48:20.338996 ethertype IPv4, IP 192.168.22.1.53 > 192.168.22.28.55082: 48754 1/0/0 A 198.51.100.91 (44)
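
The "DNS Response" bytes in the last wf-webroot log line can be decoded to confirm that the logged block decision and the tcpdump reply are the same transaction. The following Python is an added example, not part of the original page or the product's code; the function names (read_name, parse_response, correlate) are chosen here for illustration, and the input is the two log lines copied from above.

```python
import ast
import re
import struct

# Constructed input: the INFO and "DNS Response" lines copied from the log above.
LOG = r"""04:48:20 PM INFO wf-webroot 192.168.22.28 blocked requesting indeed.com reason is policy (test) category (Job Search)
04:48:20 PM DEBUG wf-webroot DNS Response (b'\xber\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x06indeed\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc63d[')"""

BLOCK_RE = re.compile(r"INFO wf-webroot (\S+) blocked requesting (\S+) "
                      r"reason is (\w+) \((.*?)\) category \((.*?)\)")
RESP_RE = re.compile(r"DNS Response \((b'.*')\)\s*$", re.M)

def read_name(msg, off, hops=0):
    """Decode a DNS name at `off`; return (name, offset after the name)."""
    labels = []
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            if hops > 8:
                raise ValueError("compression pointer loop")
            target = ((n & 0x3F) << 8) | msg[off + 1]
            tail, _ = read_name(msg, target, hops + 1)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_response(msg):
    """Return transaction ID, RCODE, question name and A records of a DNS reply."""
    txid, flags, qd, an = struct.unpack("!4H", msg[:8])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record: four address octets
            answers.append((name, ttl, ".".join(map(str, rdata))))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "answers": answers}

def correlate(log):
    """Pair the logged block decision with the decoded reply sent to the client."""
    client, domain, reason, policy, category = BLOCK_RE.search(log).groups()
    reply = parse_response(ast.literal_eval(RESP_RE.search(log).group(1)))
    if reply["qname"] != domain:
        raise ValueError("reply does not belong to the blocked request")
    return dict(client=client, domain=domain, reason=reason, policy=policy, category=category, **reply)
```

Calling correlate(LOG) yields transaction ID 48754 and a single A record for 198.51.100.91 with a 30-second TTL, the same ID and address that appear in the tcpdump lines.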