
Proxywatch feature in Stealthwatch

mshboul89
Level 1

As I understand it, the Proxywatch feature should correlate the external proxied IP/port with the real client IP/port, so that we get to know the real user IP that corresponds to a specific proxied access as seen from outside the proxy.

 

I am using WSA with Stealthwatch in my case, where WSA sends proxy logs in W3C format to FC.

 

The question is:

How does Stealthwatch correlate the external and internal proxy connections? Based on which fields?

 

Thanks in advance.

 

1 Reply

hanjabbo
Cisco Employee

For the proxy watch feature to work properly, you have to have flow from before the proxy and from after the proxy, in addition to the proxy logs. The correlation happens using the timestamps, source IP/port, and destination IP/port from the flows before and after, in addition to the logs.
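
The following is an added example, not part of the reply above and not Stealthwatch's own logic: a minimal sketch of stitching a post-proxy flow back to the real client using timestamps and source/destination IP/port from the flows and the proxy log. The record layout, field names, sample addresses and the 5-second window are all assumptions made for illustration; they are not the WSA W3C schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # assumed tolerance for clock skew between sources

def ts(text):
    return datetime.fromisoformat(text)

# Constructed sample data; all field names are hypothetical.
INSIDE_FLOWS = [  # flows before the proxy: client -> proxy
    {"start": ts("2024-01-01T10:00:00"), "src": ("10.0.0.5", 51000), "dst": ("10.0.0.10", 3128)},
    {"start": ts("2024-01-01T11:00:00"), "src": ("10.0.0.6", 52000), "dst": ("10.0.0.10", 3128)},
]
OUTSIDE_FLOWS = [  # flows after the proxy: proxy -> server (same source port reused)
    {"start": ts("2024-01-01T10:00:01"), "src": ("192.0.2.10", 40001), "dst": ("203.0.113.7", 443)},
    {"start": ts("2024-01-01T11:00:01"), "src": ("192.0.2.10", 40001), "dst": ("203.0.113.7", 443)},
    {"start": ts("2024-01-01T12:00:00"), "src": ("192.0.2.10", 40002), "dst": ("203.0.113.7", 443)},
]
PROXY_LOGS = [  # one record per proxied request
    {"time": ts("2024-01-01T10:00:01"), "client": ("10.0.0.5", 51000),
     "proxy_src": ("192.0.2.10", 40001), "server": ("203.0.113.7", 443), "url": "https://example.com/a"},
    {"time": ts("2024-01-01T11:00:01"), "client": ("10.0.0.6", 52000),
     "proxy_src": ("192.0.2.10", 40001), "server": ("203.0.113.7", 443), "url": "https://example.com/b"},
]

def near(a, b):
    return abs(a - b) <= WINDOW

def correlate(outside, logs=PROXY_LOGS, inside_flows=INSIDE_FLOWS):
    """Return (client_ip, client_port, url) for a post-proxy flow, or None."""
    for rec in logs:
        # Step 1: tie the post-proxy flow to a log record by address/port and time.
        if (rec["proxy_src"], rec["server"]) != (outside["src"], outside["dst"]):
            continue
        if not near(rec["time"], outside["start"]):
            continue
        # Step 2: confirm the pre-proxy flow from the logged client exists.
        for flow in inside_flows:
            if flow["src"] == rec["client"] and near(flow["start"], rec["time"]):
                return rec["client"] + (rec["url"],)
    return None

if __name__ == "__main__":
    for flow in OUTSIDE_FLOWS:
        print(flow["src"], "->", flow["dst"], "client:", correlate(flow))
```

The two outside flows that share proxy source port 40001 resolve to different clients only because the timestamp is part of the match; the third has no matching log record and stays unattributed.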