SSL/URL Filtering is pending when using EWC

APPLICABLE PRODUCTS


SNS appliances using the Extended Web Control feature.

DESCRIPTION


This article describes a possible workaround for a URL classification issue that causes access to websites through the HTTP or SSL proxy to fail randomly, with an error page showing the "URL Filtering is pending" error.

In the SSL/web logs, you can see the following errors:

id=firewall time="2020-08-19 14:55:53" ...  msg="URLFiltering service temporarily unavailable"
id=firewall time="2020-08-17 12:07:58" ... msg="rule matches OnFailedPolicy: Block" srccontinent="na" srccountry="us" srchostrep=134 dstcontinent="na" dstcountry="us"
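To check how often classification fails and how many connections the failure policy blocks, the two messages above can be counted per hour. The Python script below is an added example, not part of the original article or of the product's tooling; the function names are hypothetical and the sample lines are constructed from the fields shown above.

```python
import re
from collections import Counter
from datetime import datetime

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# The two messages quoted in this article, mapped to short labels (labels are assumptions).
FAILURE_MSGS = {
    "URLFiltering service temporarily unavailable": "classification_unavailable",
    "rule matches OnFailedPolicy: Block": "blocked_by_failure_policy",
}

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: (bare if bare else quoted)
            for key, quoted, bare in PAIR_RE.findall(line)}

def classification_failures(lines):
    """Count failure events per (hour, kind); lines with another msg or a bad time are skipped."""
    per_hour = Counter()
    for line in lines:
        fields = parse_line(line)
        kind = FAILURE_MSGS.get(fields.get("msg", ""))
        if kind is None:
            continue
        try:
            ts = datetime.strptime(fields.get("time", ""), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        per_hour[(ts.strftime("%Y-%m-%d %H:00"), kind)] += 1
    return per_hour

# Constructed sample input (not real logs).
SAMPLE = [
    'id=firewall time="2020-08-19 14:55:53" msg="URLFiltering service temporarily unavailable"',
    'id=firewall time="2020-08-19 14:55:53" msg="rule matches OnFailedPolicy: Block" srccountry="us"',
    'id=firewall time="2020-08-19 14:58:10" msg="rule matches OnFailedPolicy: Block" srccountry="us"',
    'id=firewall time="2020-08-19 15:02:41" msg="URLFiltering service temporarily unavailable"',
    'id=firewall time="2020-08-19 15:03:00" msg="constructed unrelated event"',
    'id=firewall time="bad" msg="rule matches OnFailedPolicy: Block"',
]

if __name__ == "__main__":
    for (hour, kind), count in sorted(classification_failures(SAMPLE).items()):
        print(hour, kind, count)
```

Hours where the "temporarily unavailable" count is high show when the classification service was unreachable, and the "OnFailedPolicy: Block" count shows how many connections users saw fail as a result.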

SOLUTION


This workaround has been tested on SNS version 4.0.3.

A possible workaround for this issue is to configure the proxy to allow connections when URL classification fails. Connections that cannot be classified are then let through without URL filtering being applied.

Configuring the classification failure policy to "pass"

The default behaviour when URL classification fails is to block the connection. It is, however, possible to change this behaviour by following the steps below:

  • Connect to the web administration interface
  • Open the Application protection > Protocols > HTTP menu
  • Select the IPS profile used for your proxy traffic
  • Navigate to the Proxy tab
  • Set "Action when classification of URL failed" to Pass

The same change is also required for certificate classification:

  • Open the Application protection > Protocols > SSL menu
  • Select the IPS profile used for your proxy traffic
  • Navigate to the Proxy tab
  • Set "If classification of certificate fails" to Pass without decrypting