Question 1: How do you check whether URL filter settings and cloud lookup profiles are configured?
Answer:
Run the show configuration orgs org-services url-filtering settings CLI command and check that the cloud-lookup-profile is configured.
show configuration orgs org-services url-filtering settings
org-services LM {
    url-filtering {
        settings {
            match-type http-host-uri;
            logging {
                url-parameter enabled;
            }
            cloud-lookup {
                state enabled;
                mode synchronous;
                cloud-lookup-profile cloud-profile;   <----------
            }
        }
    }
}
Question 2: How do you check the URL filtering settings configuration to ensure that cloud lookup is enabled for all traffic?
Answer:
Run the show configuration orgs org-services url-filtering settings CLI command and check that cloud lookup is enabled.
show configuration orgs org-services url-filtering settings
org-services LM {
    url-filtering {
        settings {
            match-type http-host-uri;
            logging {
                url-parameter enabled;
            }
            cloud-lookup {
                state enabled;   <--------------
                mode synchronous;
                cloud-lookup-profile cloud-profile;
            }
        }
    }
}
Question 3: How do you check the URL filtering profile configuration to ensure that cloud lookup is enabled for specific traffic?
Answer:
Run the show configuration orgs org-services <tenant> security profiles url-filtering <URLF-profile-name> cloud-lookup CLI command and check that cloud lookup is enabled for the specific traffic.
admin@versa-flexvnf-cli> show configuration orgs org-services LM security profiles url-filtering urlfil-prof
cloud-lookup enabled;   <--------------------
lef-profile lef-profile;
decrypt-bypass true;
default-action {
    predefined allow;
}
blacklist {
    evaluate-referrer false;
    action {
        predefined ask;
    }
}
whitelist {
    log-enable true;
    evaluate-referrer false;
}
category-action-map {
    cat-action-map {
        url-categories {
            predefined [ social_network ];
        }
        action {
            predefined ask;
        }
    }
    versa_blocked_categories {
        url-categories {
            predefined [ abused_drugs adult_and_pornography gambling nudity phishing_and_other_frauds ];
        }
        action {
            predefined block;
        }
    }
}
Question 4: How do you check that URLF is activated in the cloud lookup profile configuration?
Answer:
Run the show configuration orgs org-services <tenant> objects cloud-profile <cloud-profile-name> CLI command and check that the output displays the type as urlf-cloud-profile.
show configuration orgs org-services LM objects cloud-profile cloud-profile
activation enabled;   <-------------
connection-pool 256;
type {
    urlf-cloud-profile;   <------------
}
snat-pool SNAT-POOL1;
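The four checks in Questions 1 to 4 can be automated once the CLI output is captured to text. The following Python script is an added example, not part of this page or of any Versa tooling: it contains a small parser for the brace-delimited format that show configuration prints, and a check function that confirms cloud lookup is enabled in the URL filtering settings, references a profile, and that the referenced cloud profile is activated with type urlf-cloud-profile and an snat-pool. The two sample configurations are constructed to match the outputs shown above (the echoed command line and the arrow annotations are omitted); the org name LM and the check names are assumptions.

```python
# Parser and health check for Versa "show configuration" output (added example).
# Assumes the captured text starts at the configuration body, i.e. the echoed
# command line has been stripped.


def parse_config(text: str) -> dict:
    """Parse 'name { ... }' blocks and 'key value;' statements into nested dicts.
    A statement with no value (e.g. 'urlf-cloud-profile;') maps to True."""
    tokens = text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split()
    pos = 0

    def block() -> dict:
        nonlocal pos
        node, cur = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":                      # 'org-services LM {' -> key "org-services LM"
                node[" ".join(cur)] = block()
                cur = []
            elif tok == ";":                    # 'state enabled;' -> {"state": "enabled"}
                node[cur[0]] = " ".join(cur[1:]) if len(cur) > 1 else True
                cur = []
            elif tok == "}":
                return node
            else:
                cur.append(tok)
        return node

    return block()


# Constructed sample: body of "show configuration orgs org-services url-filtering settings".
URLF_SETTINGS_SAMPLE = """\
org-services LM {
    url-filtering {
        settings {
            match-type http-host-uri;
            logging {
                url-parameter enabled;
            }
            cloud-lookup {
                state enabled;
                mode synchronous;
                cloud-lookup-profile cloud-profile;
            }
        }
    }
}
"""

# Constructed sample: body of "show configuration orgs org-services LM objects cloud-profile cloud-profile".
CLOUD_PROFILE_SAMPLE = """\
activation enabled;
connection-pool 256;
type {
    urlf-cloud-profile;
}
snat-pool SNAT-POOL1;
"""


def check_cloud_lookup(settings_text: str, profile_text: str, org: str = "LM") -> list:
    """Return a list of problems; an empty list means the Q1-Q4 checks all pass."""
    problems = []
    cfg = parse_config(settings_text)
    cloud_lookup = (cfg.get(f"org-services {org}", {})
                       .get("url-filtering", {})
                       .get("settings", {})
                       .get("cloud-lookup", {}))
    if cloud_lookup.get("state") != "enabled":
        problems.append("cloud-lookup state is not enabled in url-filtering settings")
    if "cloud-lookup-profile" not in cloud_lookup:
        problems.append("url-filtering settings reference no cloud-lookup-profile")
    if "mode" not in cloud_lookup:
        problems.append("cloud-lookup mode is not set")

    profile = parse_config(profile_text)
    if profile.get("activation") != "enabled":
        problems.append("cloud profile activation is not enabled")
    if "urlf-cloud-profile" not in profile.get("type", {}):
        problems.append("cloud profile type does not include urlf-cloud-profile")
    if "snat-pool" not in profile:
        problems.append("cloud profile has no snat-pool configured")
    return problems


if __name__ == "__main__":
    for problem in check_cloud_lookup(URLF_SETTINGS_SAMPLE, CLOUD_PROFILE_SAMPLE) or ["all checks passed"]:
        print(problem)
```

Run against the page's configuration the check reports nothing; feeding it a settings block where state is disabled, or a cloud profile whose type block lacks urlf-cloud-profile, produces one line per missing item, which is the same walk through Questions 1 to 4 a person would do by eye.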
Question 5: How do you check the DNS configuration and its server reachability?
Answer:
Run the show configuration system dns CLI command to check the DNS configuration.
admin@DC2-CPE2-cli> show configuration system dns
Customer1-LAN-VR {
    name-servers [ 10.48.0.99 ];
}
ISP-A-Transport-VR {
    name-servers [ 8.8.8.8 10.48.0.99 ];   <-------------
}
global {
    name-servers [ 8.8.8.8 10.48.0.99 ];   <-------------
}
Run the show configuration orgs org-services dns-proxy CLI command to check the DNS proxy settings.
admin@DC2-CPE2-cli> show configuration orgs org-services dns-proxy
org-services Customer1 {
    dns-proxy {
        settings {
            routing-instance ISP-A-Transport-VR;   <--------
            forwarders [ 8.8.8.8 ];   <-------------
        }
    }
}
Ping service.brightcloud.com from the transport routing instance to check that the name resolves to the nearest IP address and that the server is reachable.
ping service.brightcloud.com routing-instance ISP-A-Transport-VR
Question 6: How do you clear the cloud lookup profile and URL cloud lookup profile counters?
Answer:
Run the following CLI commands to clear the cloud lookup profile and URL cloud lookup profile counters.
admin@versa-flexvnf-cli> request clear statistics object cloud-profile all
status success
result cleared
admin@versa-flexvnf-cli> request clear statistics security urlf-cloud-lookup all
status success
result cleared
Question 7: After sending the traffic, how do you check that the cloud lookup profile counters and URL cloud lookup counters are incrementing?
Answer:
Run the show orgs org-services <tenant> objects cloud-profile <cloud-profile-name> statistics CLI command to check the cloud profile counters.
admin@versa-flexvnf-cli> show orgs org-services LM objects cloud-profile statistics
objects cloud-profile statistics cloud-profile
 sslcld-snat-req-sent-cnt           2
 sslcld-snat-resolved-cnt           2
 slcld-snat-pool-not-exists-cnt     0
 sslcld-snat-port-null-cnt          0
 sslcld-dns-query-sent-cnt          2
 sslcld-dns-resolved-cnt            2
 sslcld-dns-failure-cnt             0
 sslcld-state-connecting-cnt        512
 sslcld-state-connected-cnt         512
 sslcld-syn-request-timeout-cnt     0
 sslcld-session-closed-cnt          0
 sslcld-session-drop-cnt            0
 sslcld-session-timeout-cnt         0
 sslcld-session-not-available-cnt   0
 sslcld-session-connect-failed-cnt  0
 sslcld-cloud-req-sent-cnt          4
 sslcld-cloud-rsp-recvd-cnt         4
 sslcld-cloud-req-timeout-cnt       0
 sslcld-cloud-req-null-rsp-cnt      0
[ok][2019-11-20 23:27:46]
Run the show orgs org-services <tenant> security url-filtering <url-filtering-name> statistics cloud-lookup CLI command to check the URL filtering cloud lookup statistics.
admin@versa-flexvnf-cli> show orgs org-services LM security url-filtering statistics cloud-lookup
security url-filtering statistics cloud-lookup
 hits                        4
 sync-hits                   4
 async-hits                  0
 invalid-cloud-profile       0
 sync-request                4
 sync-request-send           4
 sync-request-failure        0
 sync-partial-response       0
 sync-complete-response      3
 sync-response-timeout       0
 sync-invalid-response       0
 sync-session-miss-response  1
 async-request               0
 async-request-send          0
 async-request-failure       0
 async-partial-response      0
 async-complete-response     0
 async-response-timeout      0
 async-invalid-response      0
 cache-update                3
 session-hold                4
 session-release             4
[ok][2019-11-20 23:58:26]
Question 8: How do you interpret cloud lookup profile counters?
Answer:
The following table describes the cloud lookup profile counters.

| Counter Name | Description |
| --- | --- |
| sslcld-snat-req-sent-cnt | A request to resolve SNAT was sent. |
| sslcld-snat-resolved-cnt | The SNAT request was served and completed through the egress interface. |
| slcld-snat-pool-not-exists-cnt | If this counter is increasing, SNAT is configured incorrectly. Correct the SNAT configuration. |
| sslcld-snat-port-null-cnt | If this counter is increasing, SNAT is configured incorrectly. Correct the SNAT configuration. |
| sslcld-dns-query-sent-cnt | A DNS query to resolve the cloud server IP address was sent from the appliance to the name server. |
| sslcld-dns-resolved-cnt | The DNS query was resolved and a response was received. |
| sslcld-dns-failure-cnt | If this counter is increasing, DNS is configured incorrectly and DNS resolution fails. Correct the name server configuration. |
| sslcld-state-connecting-cnt | Once DNS is resolved, the appliance is trying to establish a TCP connection with the cloud. |
| sslcld-state-connected-cnt | At this stage, the TCP connection to the cloud server is established. |
| sslcld-syn-request-timeout-cnt | If this counter is increasing, the connection is not established because a SYN request timed out. |
| sslcld-session-closed-cnt | If this counter is increasing, the TCP session was closed. |
| sslcld-session-drop-cnt | If this counter is increasing, the session was dropped because of an error. |
| sslcld-session-timeout-cnt | If this counter is increasing, the session expired because it timed out. |
| sslcld-session-not-available-cnt | If this counter is increasing, no session is available to send a cloud request. To resolve this, increase the connection-pool size in the cloud profile. |
| sslcld-session-connect-failed-cnt | If this counter is increasing, the session connection failed. |
| sslcld-cloud-req-sent-cnt | Cloud requests sent from the appliance to the cloud server. |
| sslcld-cloud-rsp-recvd-cnt | Responses received from the cloud server. |
| sslcld-cloud-req-timeout-cnt | If this counter is increasing, the cloud lookup request to the cloud server timed out. |
| sslcld-cloud-req-null-rsp-cnt | If this counter is increasing, a null response was received from the cloud server. |
Question 9: How do you interpret URLF cloud lookup stats?
Answer:
The following table describes the URLF cloud lookup statistics.

| Stats | Description |
| --- | --- |
| hits | Total number of cloud requests sent. |
| sync-hits | Number of synchronous cloud requests sent. |
| async-hits | Number of asynchronous cloud requests sent. |
| invalid-cloud-profile | If this counter is increasing, the cloud profile referenced in the URLF settings is incorrect or invalid. |
| sync-request | Number of sync requests made. |
| sync-request-send | Number of sync requests sent. |
| sync-request-failure | Increases when a sync request is made but cannot be sent. |
| sync-partial-response | Increases when a partial cloud response was received. |
| sync-complete-response | Number of times a complete cloud response was received. |
| sync-response-timeout | Number of times a cloud response timed out. |
| sync-invalid-response | Number of times an invalid response was received from the cloud. |
| sync-session-miss-response | Number of times a cloud response was received after the session hold timeout (default 1000 milliseconds). |
| async-request | Number of async requests made. |
| async-request-send | Number of async requests sent. |
| async-request-failure | Increases when an async request is made but cannot be sent. |
| async-partial-response | Increases when a partial cloud response was received. |
| async-complete-response | Number of times a complete cloud response was received. |
| async-response-timeout | Number of times a cloud response timed out. |
| async-invalid-response | Number of times an invalid response was received from the cloud. |
| cache-update | Number of times the cache was updated because of a successful cloud response. |
| session-hold | Number of sessions that were held until the cloud response was received or until the response timeout (1000 milliseconds). This counter increments only when a synchronous hit occurs. |
| session-release | Number of sessions that were released because of synchronous hits. The session-hold and session-release counters should be identical, which indicates that all held sessions were released. |
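The interpretation rules in the two tables above (Questions 8 and 9), applied to the statistics output shown in Question 7, reduce to a handful of "non-zero means act" checks plus two consistency checks. The following Python script is an added example, not part of this page or of any Versa tooling: it parses the "name value" counter lines of both show ... statistics outputs and reports every condition the tables call out. The URLF sample is constructed with the same values as the page's output (one late response, hold and release balanced); the cloud-profile sample is constructed with DNS failures, exhausted sessions and a request timeout so the checks have something to report. Counters absent from a sample are treated as zero, and the "requests sent versus responses received" comparison is a derived check not listed in the tables.

```python
# Counter parsing and interpretation for the Question 7 outputs (added example).
import re

# A counter line looks like " sslcld-dns-failure-cnt 0"; the command echo, the
# section header and the trailing "[ok][timestamp]" line do not match.
COUNTER_LINE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)\s*$")


def parse_stats(text: str) -> dict:
    """Return {counter-name: int} for every 'name value' line in the output."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


# Constructed sample, shaped like the cloud-profile statistics output, with
# faults injected so the checks below fire.
CLOUD_PROFILE_SAMPLE = """\
objects cloud-profile statistics cloud-profile
 sslcld-snat-req-sent-cnt 2
 sslcld-snat-resolved-cnt 2
 slcld-snat-pool-not-exists-cnt 0
 sslcld-dns-query-sent-cnt 2
 sslcld-dns-resolved-cnt 1
 sslcld-dns-failure-cnt 1
 sslcld-session-not-available-cnt 7
 sslcld-cloud-req-sent-cnt 4
 sslcld-cloud-rsp-recvd-cnt 3
 sslcld-cloud-req-timeout-cnt 1
[ok][2019-11-20 23:27:46]
"""

# Constructed sample with the values of the page's URLF cloud-lookup output.
URLF_LOOKUP_SAMPLE = """\
security url-filtering statistics cloud-lookup
 hits 4
 sync-hits 4
 async-hits 0
 invalid-cloud-profile 0
 sync-request 4
 sync-request-send 4
 sync-request-failure 0
 sync-complete-response 3
 sync-response-timeout 0
 sync-invalid-response 0
 sync-session-miss-response 1
 async-request-failure 0
 cache-update 3
 session-hold 4
 session-release 4
[ok][2019-11-20 23:58:26]
"""

# (counter, action) pairs taken from the Question 8 table: non-zero means act.
CLOUD_PROFILE_RULES = [
    ("slcld-snat-pool-not-exists-cnt", "SNAT misconfigured: correct the SNAT configuration"),
    ("sslcld-snat-port-null-cnt", "SNAT misconfigured: correct the SNAT configuration"),
    ("sslcld-dns-failure-cnt", "DNS failing: correct the name server configuration"),
    ("sslcld-syn-request-timeout-cnt", "TCP SYN to the cloud server timed out"),
    ("sslcld-session-not-available-cnt", "no session available: increase connection-pool in the cloud profile"),
    ("sslcld-session-connect-failed-cnt", "session connection to the cloud server failed"),
    ("sslcld-cloud-req-timeout-cnt", "cloud lookup requests timed out"),
    ("sslcld-cloud-req-null-rsp-cnt", "null responses received from the cloud server"),
]

# Same for the Question 9 table.
URLF_LOOKUP_RULES = [
    ("invalid-cloud-profile", "cloud profile referenced in the URLF settings is incorrect or invalid"),
    ("sync-request-failure", "sync requests could not be sent"),
    ("async-request-failure", "async requests could not be sent"),
    ("sync-response-timeout", "sync cloud responses timed out"),
    ("async-response-timeout", "async cloud responses timed out"),
    ("sync-invalid-response", "invalid sync responses received from the cloud"),
    ("async-invalid-response", "invalid async responses received from the cloud"),
    ("sync-session-miss-response", "responses arrived after the session hold timeout (default 1000 ms)"),
]


def _apply(rules: list, stats: dict) -> list:
    return [f"{name}={stats[name]}: {action}" for name, action in rules if stats.get(name, 0) > 0]


def assess_cloud_profile(stats: dict) -> list:
    """Findings from the cloud-profile counters; an empty list means nothing to act on."""
    findings = _apply(CLOUD_PROFILE_RULES, stats)
    sent = stats.get("sslcld-cloud-req-sent-cnt", 0)
    recvd = stats.get("sslcld-cloud-rsp-recvd-cnt", 0)
    if sent != recvd:  # derived check: every request sent should have a response
        findings.append(f"{sent} cloud requests sent but {recvd} responses received")
    return findings


def assess_urlf_lookup(stats: dict) -> list:
    """Findings from the URLF cloud-lookup statistics (Question 9 table)."""
    findings = _apply(URLF_LOOKUP_RULES, stats)
    hold, release = stats.get("session-hold", 0), stats.get("session-release", 0)
    if hold != release:  # the table says these should be identical
        findings.append(f"session-hold={hold} but session-release={release}: held sessions not all released")
    return findings


if __name__ == "__main__":
    for label, text, assess in (("cloud profile", CLOUD_PROFILE_SAMPLE, assess_cloud_profile),
                                ("urlf cloud lookup", URLF_LOOKUP_SAMPLE, assess_urlf_lookup)):
        print(f"== {label} ==")
        for finding in assess(parse_stats(text)) or ["no findings"]:
            print(" ", finding)
```

Clear the counters as in Question 6, send traffic, capture both outputs, and run the two assess functions over them; a clean appliance produces no findings for either, while the constructed cloud-profile sample above reports the DNS failure, the exhausted connection pool, the request timeout, and the one request that never received a response.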