Specific log entries not understood

Is there a location that we can review to explain what specific log entries are referencing as seen in the examples below in red:

1370444184.475 289 10.245.221.85 TCP_CLIENT_REFRESH_MISS/200 5041 CONNECT tunnel://fbcdn-dragon-a.akamaihd.net:443/ "tsp1dvc@Ldap" DIRECT/fbcdn-dragon-a.akamaihd.net - DEFAULT_CASE_11-Security_Access-Security_Access-NONE-NONE-NONE-DefaultGroup <IW_infr,4.0,"1","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_infr,-,"-","-","Facebook General","Facebook","Encrypted","-",139.54,0,-,"-","-"> -

1370444246.826 60622 10.245.221.85 TCP_CLIENT_REFRESH_MISS/200 93164 CONNECT tunnel://www.facebook.com:443/ "tsp1dvc@Ldap" DIRECT/www.facebook.com - DEFAULT_CASE_11-Security_Access-Security_Access-NONE-NONE-NONE-DefaultGroup <IW_snet,7.0,"1","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_snet,-,"-","-","Facebook General","Facebook","Encrypted","-",12.29,0,-,"-","-"> -

I am trying to troubleshoot a specific configuration change and I am gaining access based on these entries; I am trying to block this access. Any help is appreciated.

Thanks

Dominick

2 Replies

Those are categories.

infr = infrastructure

snet = social networking

Not sure what version you're on, but if you're running 7.5 or higher, you can enable Application Visibility and Control on Security Services/Acceptable Use Controls, and then under Web Security Manager/Access Policies change what your users can do under Applications.  This includes specific Facebook features.

Looking at your snips, you don't want to block Infrastructure as lots of sites use Akamai... and you may not want to just block Social Media...

You could create a custom category and block Facebook.com (there are a couple of other domains too... search this forum) but you may like the flexibility that the AVC gives you instead.

Ken
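The category code and application strings discussed in the reply above can be pulled out of each entry with a short parser; this is an added example, not part of the thread or any Cisco tooling. The regex group names and the use of positions 23-25 for the application strings are read off the two entries in the question and are assumptions for other versions or custom log formats.

```python
import csv
import re
from urllib.parse import urlsplit

# Abbreviations given in the reply above; other codes pass through unexpanded.
CATEGORY_NAMES = {"infr": "infrastructure", "snet": "social networking"}
# The two entries from the question, each rejoined into a single line.
ENTRIES = [
    '1370444184.475 289 10.245.221.85 TCP_CLIENT_REFRESH_MISS/200 5041 CONNECT '
    'tunnel://fbcdn-dragon-a.akamaihd.net:443/ "tsp1dvc@Ldap" '
    'DIRECT/fbcdn-dragon-a.akamaihd.net - DEFAULT_CASE_11-Security_Access-'
    'Security_Access-NONE-NONE-NONE-DefaultGroup <IW_infr,4.0,"1","-",-,-,-,"-",'
    '"-",-,-,-,"-","-",-,"-","-",-,-,IW_infr,-,"-","-","Facebook General",'
    '"Facebook","Encrypted","-",139.54,0,-,"-","-"> -',
    '1370444246.826 60622 10.245.221.85 TCP_CLIENT_REFRESH_MISS/200 93164 CONNECT '
    'tunnel://www.facebook.com:443/ "tsp1dvc@Ldap" DIRECT/www.facebook.com - '
    'DEFAULT_CASE_11-Security_Access-Security_Access-NONE-NONE-NONE-DefaultGroup '
    '<IW_snet,7.0,"1","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_snet,-,"-",'
    '"-","Facebook General","Facebook","Encrypted","-",12.29,0,-,"-","-"> -',
]
# Group names are labels chosen for this example (hypothetical, not Cisco's).
HEAD = re.compile(
    r'^(?P<ts>\S+) (?P<ms>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d+) '
    r'(?P<size>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>"[^"]*"|\S+) '
    r'(?P<route>\S+) (?P<mime>\S+) (?P<acl>\S+) <(?P<verdict>.*)> \S+$')

def parse_entry(line):
    m = HEAD.match(line.strip())
    if m is None:
        raise ValueError("not in the expected access-log layout")
    # The <...> block is comma separated, with some values double-quoted.
    fields = next(csv.reader([m["verdict"]]))
    code = fields[0]
    short = code[3:] if code.startswith("IW_") else code
    return {
        "client": m["client"], "user": m["user"].strip('"'),
        "host": urlsplit(m["url"]).hostname,
        "result": m["result"], "status": int(m["status"]),
        "decision": m["acl"].split("-", 1)[0],  # text before the first '-'
        "category_code": code,
        "category": CATEGORY_NAMES.get(short, short),
        # Assumption: positions 23-25 hold the application strings, as in ENTRIES.
        "application": tuple(fields[23:26]) if len(fields) > 25 else (),
    }

if __name__ == "__main__":
    for e in map(parse_entry, ENTRIES):
        print(f'{e["user"]} -> {e["host"]}: {e["decision"]}, '
              f'category={e["category"]}, app={e["application"]}')
```

Run over a full access log, the same function groups requests by category and application, which shows which of several overlapping policies is actually letting a given user through.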

Ken,

Thanks for the information, I was thinking that but not sure. As for the policies I have 3 different policies already for different types of access to social networking. I was requested to create another policy that will work around these other 3 to allow only access to Facebook to certain individuals. I keep tripping up on all the different policies that management is requesting.

Dominick