I'm attempting to lock down outbound Internet access on some networks. I'd like to take the "slow and careful" approach to this by creating individual permissive rules for each subnet and then logging the outbound traffic so I know what is going out of those networks and bypassing our proxy server (IronPort).
However, I've noticed that although TCP 80 is proxy'd on my networks and the proxy server does appear to be handling those requests, I still see hits on my interface ACLs with those networks as the source address.
For example, let's say my proxy server is 18.104.22.168.
If I proxy via WCCP all traffic from 22.214.171.124/24, I would expect to see 0 hits on my ACL for outbound traffic from 126.96.36.199/24 to any via TCP 80, since the proxy server (188.8.131.52) would be handling it.
However, it does appear that interface ACLs are processed before WCCP redirection rules.
Can anyone confirm?
Edit: Looking at this more, it appears that interface ACL permits are required even if the traffic is to be sent through the proxy. This creates some major issues, as there is then no way to deny non-proxy'd traffic from exiting the network. Seems like I'm missing something here, but this appears to be very broken.
Edit: Moved to WSA group as it appears that while hosts are going through the proxy server they are being sent as the originating hosts' source IP Address.
Traffic will be filtered via the interface ACL (if one is configured) before being redirected to WCCP. The source of the packet will remain as the original, as the WSA does not proxy out on behalf of the client. It merely gives a permit/deny and/or some caching.
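For the logging approach in the question, an added example (not part of the original thread) that tallies permitted ACL hits per subnet and separates TCP 80 hits, which are expected because the ACL is evaluated before WCCP redirection, from traffic that leaves without passing the proxy. It assumes the device emits Cisco ASA syslog message 106100 for logged ACEs; the function name, ACL name and sample addresses (RFC 5737 ranges) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: logged ACEs produce ASA syslog 106100 lines in this layout.
LINE_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) \S+/(?P<src>[\d.]+)\(\d+\) -> "
    r"\S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Protocol/port pairs handed to WCCP after the ACL permit (the thread: TCP 80).
REDIRECTED = {("tcp", 80)}

# Constructed sample log lines, not captured from a real device.
SAMPLE = [
    "%ASA-6-106100: access-list inside_out permitted tcp inside/192.0.2.10(51000) -> outside/203.0.113.5(80) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-106100: access-list inside_out permitted tcp inside/192.0.2.11(51001) -> outside/203.0.113.9(443) hit-cnt 3 300-second interval [0x0, 0x0]",
    "%ASA-6-106100: access-list inside_out permitted udp inside/192.0.2.10(53000) -> outside/203.0.113.53(53) hit-cnt 2 300-second interval [0x0, 0x0]",
    "%ASA-6-106100: access-list inside_out denied tcp inside/192.0.2.12(51002) -> outside/203.0.113.25(25) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-106100: access-list inside_out permitted tcp inside/198.51.100.20(51003) -> outside/203.0.113.5(80) hit-cnt 1 first hit [0x0, 0x0]",
]

def summarize(lines, subnets):
    """Tally permitted hits as (subnet, proto, dport, path) -> hit count."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    tally = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "permitted":
            continue
        src = ipaddress.ip_address(m["src"])
        net = next((n for n in nets if src in n), None)
        if net is None:
            continue  # source is outside the subnets under review
        key = (m["proto"].lower(), int(m["dport"]))
        # The source IP stays the client's, so redirected flows still hit the ACL.
        path = "via-wccp" if key in REDIRECTED else "direct"
        tally[(str(net), *key, path)] += int(m["hits"])
    return tally

if __name__ == "__main__":
    for key, hits in sorted(summarize(SAMPLE, ["192.0.2.0/24"]).items()):
        print(key, hits)
```

Entries marked `direct` are the candidates for explicit permit or deny rules; `via-wccp` entries still need an ACL permit for redirection to happen.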