Problem with HTTP request parameters in FirePower log messages

bob.jensen
Level 1

Hi everyone,

 

For example, we make an HTTP(S) request through FirePower, something like this:

 

GET test.site.com/search?text=TEST

 

However, the URL field in the log line will contain only test.site.com, without request parameters or even a path. But in the next requests we will see our full request in the Referer field.

 

Is there a way to fix this? Since many other firewalls, proxies, and UTMs handle this properly, I hope there should be a solution.

2 Replies

Hi Bob,

 

Hope you are doing good.

Please clarify what exactly you want to achieve.

 

1 - Do you wanna see every detail in the log line (i.e. along with the request parameters and path) OR

2 - You don't wanna see "full request in Referer field"

 

Answering the first concern, Firepower makes use of pre-processors, which are used to normalize traffic of each protocol and then forward it for inspection to the inspection engine, so that it becomes smooth for the inspection engine to inspect the traffic. So I believe, if you are seeing the HTTP request traffic in the manner you described, it shall be due to pre-processor behaviour.

 

I am also curious to know how this behaviour is leading to any problem.

 

Br

Shivdbe

EX Cisco-TAC

 

Thank you for the reply.

 

I want to see the full HTTP(S) GET request URL with parameters. For example, we have a request like this:

https://site.com/search/?query=MY+REQUEST

 

This is how it looks in the Squid log (with HTTPS inspection):

1515252780.448    786 192.168.0.233 TCP_MISS/200 67620 GET https://site.com/search/? - HIER_DIRECT/- text/html /search/?query=MY+REQUEST 1311 ""

 

As you can see, there is a separate field with the URL path and parameters; however, it can be configured to store the whole URL in one field.

 

With FirePower I can't achieve this; I get only the domain name in the URL field in log messages, i.e. in the example above I will get only this:

URL: https://site.com

 

PS: In FirePower I have configured an SSL policy with the Decrypt - Resign action.
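
Added example, not written by anyone in this thread: Python that parses the Squid line quoted above and rejoins the query-stripped URL field with the separate path-and-parameters field, which is what an analyst needs when searching proxy logs for request parameters. The field names and layout are assumptions read off that single sample line; the last two field names are placeholders because the post does not say what they hold.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# The log line from the post above, copied verbatim.
SAMPLE = ('1515252780.448    786 192.168.0.233 TCP_MISS/200 67620 GET '
          'https://site.com/search/? - HIER_DIRECT/- text/html '
          '/search/?query=MY+REQUEST 1311 ""')

# Assumed layout: Squid's native access.log fields followed by the three
# extra fields visible in the sample (extra1/extra2 are placeholder names).
FIELDS = ("ts", "elapsed_ms", "client", "result", "bytes", "method", "url",
          "user", "hierarchy", "mime", "path_query", "extra1", "extra2")

def parse_line(line):
    """Split one log line into a dict keyed by FIELDS."""
    # Limit the split so a quoted last field containing spaces stays whole.
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["extra2"] = rec["extra2"].strip().strip('"')
    # "TCP_MISS/200" -> cache result code and HTTP status
    rec["result_code"], _, rec["status"] = rec["result"].partition("/")
    return rec

def full_url(rec):
    """Rebuild scheme://host/path?query from the two URL-related fields."""
    base = urlsplit(rec["url"])          # query already stripped by the proxy
    pq = urlsplit(rec["path_query"])     # path plus the real query string
    # Refuse to merge fields that describe different paths.
    if base.path and pq.path != base.path:
        raise ValueError("path field does not match URL field")
    return urlunsplit((base.scheme, base.netloc, pq.path, pq.query, ""))

def query_params(rec):
    """Decoded (name, value) pairs of the reconstructed URL."""
    return parse_qsl(urlsplit(full_url(rec)).query, keep_blank_values=True)

if __name__ == "__main__":
    record = parse_line(SAMPLE)
    print(record["client"], record["method"], full_url(record))
    print(query_params(record))
```
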
