Cisco Bug: CSCvr97009 - QoS (rate limit) not enforced when using URL categories

Last Modified

May 28, 2020

Products (35)

  • Cisco Firepower Management Center
  • Cisco FirePOWER Appliance 8360
  • Cisco Firepower Management Center 4600
  • Cisco Firepower Management Center 2500
  • Cisco FirePOWER Appliance 8260
  • Cisco FirePOWER Appliance 7050
  • Cisco FirePOWER Appliance 8120
  • Cisco AMP 8150
  • Cisco AMP 7150
  • Cisco FirePOWER Appliance 8130

Known Affected Releases

6.2.3.13 6.2.3.6 6.3.0 6.4.0 6.5.0 6.7.0

Description (partial)

Symptom:
When QoS policies are configured with URL categories, rate limiting is not enforced.

The rule can be found in the detection engine's QoS rules file:

cat /ngfw/usr/local/sf/detection_engines/4a9ae230-f653-11e9-8df1-d17952f36f72/qos.rules | grep 268439577

268439577 ratelimit 2 any  any any any  any any any  (urlcat 63) (urlrep le 0)

When you turn on firewall-engine-debug, the id of the matched policy rule is not populated on Lina (it is reported as id 0):

 7 match rule order 8, id 0 action Rate Limit

The QoS rule includes a source IP and a URL category. Here rate limiting is not applied and the website foxnews.com loads normally; the QoS rule id reported in the debug output is 0.

Please specify an IP protocol: tcp
Please specify a client IP address: 172.30.10.2
Please specify a client port:
Please specify a server IP address:
Please specify a server port: 443
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages
3.248.167.36-443 - 172.30.10.2-61787 6 Packet: TCP, ACK, seq 864117408, ack 2686812886
3.248.167.36-443 - 172.30.10.2-61787 6 AppID: service HTTPS (1122), application unknown (0)
172.30.10.2-61787 > 3.248.167.36-443 6 Firewall: allow rule, 'Management_VLAN_Allowed', allow
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> 2, geo 0(0) -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 1122, payload -1, client 1296, misc 0, user 9999997, min url-cat-list 0-4-0, url sn.webrootcloudav.com, xff
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 no match rule order 2, id 268437536 app s=1122 c=1296 p=-1 m=0
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 no match rule order 3, id 268439571 app s=1122 c=1296 p=-1 m=0
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 no match rule order 4, id 268439572 app s=1122 c=1296 p=-1 m=0
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 no match rule order 5, id 268439573 app s=1122 c=1296 p=-1 m=0
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 no match rule order 6, id 268439574 app s=1122 c=1296 p=-1 m=0
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 no match rule order 7, id 268439576 app s=1122 c=1296 p=-1 m=0
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 match rule order 8, id 0 action Rate Limit
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 QoS policy match status (match found), match action (Rate Limit), QoS rule id (0)
172.30.10.2-61787 > 3.248.167.36-443 6 Snort id 7, NAP id 1, IPS id 0, Verdict PASS
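To triage this symptom across many flows, the two artefacts above can be checked together: the qos.rules file tells you which rate-limit rules depend on a URL category, and the firewall-engine-debug output tells you which flows matched a Rate Limit action with an unpopulated rule id (0). The script below is an added example, not Cisco's tooling; its sample inputs are constructed from the lines quoted in this report, and rule 268439580 with an "(app 1122)" condition is a made-up non-URL rule used as a control.

```python
import re

# Constructed sample input, modelled on the qos.rules and firewall-engine-debug
# lines quoted in this bug report. Rule 268439580 and its "(app 1122)" token are
# made up to show a rule that does not depend on a URL category.
QOS_RULES = """\
268439577 ratelimit 2 any  any any any  any any any  (urlcat 63) (urlrep le 0)
268439580 ratelimit 1 any  any any any  any any any  (app 1122)
"""
DEBUG_LOG = """\
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 match rule order 8, id 0 action Rate Limit
172.30.10.2-61787 > 3.248.167.36-443 6 AS 1 I 7 QoS policy match status (match found), match action (Rate Limit), QoS rule id (0)
10.1.1.5-50000 > 93.184.216.34-443 6 AS 1 I 7 match rule order 3, id 268439580 action Rate Limit
10.1.1.5-50000 > 93.184.216.34-443 6 AS 1 I 7 QoS policy match status (match found), match action (Rate Limit), QoS rule id (268439580)
"""

# "<rule id> ratelimit <rest of conditions>"
RULE_RE = re.compile(r"^(\d+)\s+ratelimit\s+(.*)$")
# "<client> > <server> ... QoS policy match status (match found), match action (X), QoS rule id (N)"
QOS_RE = re.compile(
    r"^(\S+) > (\S+) .*QoS policy match status \(match found\), "
    r"match action \(([^)]+)\), QoS rule id \((\d+)\)"
)

def urlcat_rules(qos_rules_text):
    """Return ids of rate-limit rules whose conditions include a URL category."""
    ids = set()
    for line in qos_rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and "(urlcat " in m.group(2):
            ids.add(int(m.group(1)))
    return ids

def unpopulated_qos_matches(debug_text):
    """Return (client, server) flows where a Rate Limit match carries rule id 0."""
    flows = []
    for line in debug_text.splitlines():
        m = QOS_RE.match(line)
        if m and m.group(3) == "Rate Limit" and int(m.group(4)) == 0:
            flows.append((m.group(1), m.group(2)))
    return flows

def assess(qos_rules_text, debug_text):
    """Flows with rule id 0 show the symptom; URL-category rules are the suspects."""
    return {
        "affected_flows": unpopulated_qos_matches(debug_text),
        "url_category_rules": sorted(urlcat_rules(qos_rules_text)),
    }

if __name__ == "__main__":
    print(assess(QOS_RULES, DEBUG_LOG))
```

A flow that lands in affected_flows while url_category_rules is non-empty is the pattern this bug describes; a flow whose QoS rule id is populated (the control flow above) is rate limited as expected.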

Conditions:
QoS rule must be configured with URL categories