Troubleshooting Content Filter Drops
03/26/2020
How to determine which CFS policy is dropping traffic or determine if CFS is blocking website access
Content filtering is suspected to be the cause of dropped traffic. The customer believes an exclusion has been added but is still not able to access the website.
1. Navigate to Manage|Log Settings|Base setup
If you prefer the legacy view, navigate to Log|Settings. See How to Enable Legacy View.
2. While in log settings, click the drop-downs for Security Services|Content Filter, then click the configuration editor for 'Website Blocked'.
3. Be sure the logging level matches the event priority, then set the value for 'Display Events in Log Monitor' to 0 sec redundancy and click accept. Note: this change should be reverted once troubleshooting is complete. Logging every website block in the GUI can potentially increase CPU usage and flood the GUI with unnecessary logs.
4. With log redundancy set to zero, replicate the website drop by attempting to navigate to the website. This will trigger a GUI log to be displayed if CFS is dropping traffic. Search the GUI logs for the local source IP you are testing from and click the icon to open log details for 'Web site access denied'.
5. In the log details we can determine which URL should be excluded, which policy is blocking the traffic and which category the block falls under.
Once the category log redundancy is set to 0, if you do not see a GUI log presented for 'Website Access Denied' during replication, it's safe to say CFS is not denying website access. Check for a misconfiguration in Access Rules, App Rules, App Control, or Geo-IP filter.