03-07-2019 12:06 PM
I have two WSAs, and on #1, when I view the access logs using the grep command within the shell for my machine's IP, I see a different username than mine. If I run the same access log report on #2, I see my username. The username that shows up for #1 is that of an old employee who no longer works with the company; however, he did have direct access to the WSAs. When I run the same test on #1 with a co-worker, his username shows up as expected. When I go to a blocked site and the WSA notification is received in the browser, it shows my username, and within the WSA GUI I see my username as well, with no sign of this other user other than in the access log report. Any thoughts on why this would happen?
From WSA1:
1532546707.470 1215 x.x.x.125 TCP_MISS/200 7 TCP_CONNECT 205.254.131.119:443 "Domain\Not-Bob@Sufix" DIRECT/205.254.131.119 - PASSTHRU_CUSTOMCAT_7-Decryption_Passthrough-Websites_to_bypass_decryption-DefaultGroup-NONE-NONE-DefaultGroup <C_DUF0,-3.5,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",0.05,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -
From WSA2:
1551924501.283 233 x.x.x.125 TCP_MISS_SSL/200 0 TCP_CONNECT 216.58.192.238:443 "Domain\Bob@Sufix" DIRECT/clients1.google.com - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup <IW_srch,3.4,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -
03-07-2019 12:50 PM
If you look at the logs, there is a difference between them. There may be some access/identity rules associated with the IP and/or user.
Questions:
How are you managing these 2 kits? Centrally, via policy push with SMA?
How is the user redirected to the proxy? WCCP or explicit?
03-18-2019 11:08 AM
Hi Balaji,
I suspect your problem is that one of your WSAs has not been receiving traffic for a while. (You can check that via FTP, by looking at when your access log files have rolled.)
So on that "idle" WSA, when you grep, you grep old logs.
I went ahead and converted the Unix timestamps in your logs.
One is significantly old.
1532546707.470 GMT: Wednesday, 25 July 2018 19:25:07.470
1551924501.283 GMT: Thursday, 7 March 2019 02:08:21.283
Kind regards
Sadik
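As an added illustration of Sadik's point (example code, not from the thread or from Cisco): convert the epoch field of each WSA access-log line to UTC and flag entries for a client IP that are older than a chosen window, so a grep hit from an idle appliance is recognised as historical rather than as evidence of who is using that IP today. The sample lines, the client IP 10.0.0.125 and the "now" value are constructed from the two entries quoted above.

```python
import datetime as dt
import re

# Constructed sample, modelled on the two entries quoted in this thread (one from each WSA).
# Field order: epoch timestamp, elapsed ms, client IP, result/status, bytes, method, URL, "user", ...
SAMPLE_LOG = r'''
1532546707.470 1215 10.0.0.125 TCP_MISS/200 7 TCP_CONNECT 205.254.131.119:443 "Domain\Not-Bob@Sufix" DIRECT/205.254.131.119 - PASSTHRU_CUSTOMCAT_7
1551924501.283 233 10.0.0.125 TCP_MISS_SSL/200 0 TCP_CONNECT 216.58.192.238:443 "Domain\Bob@Sufix" DIRECT/clients1.google.com - DECRYPT_WEBCAT_7
'''

# Leading fields of a WSA access-log line, up to and including the quoted username.
LINE_RE = re.compile(r'^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+\S+\s+"([^"]*)"')

FMT = '%Y-%m-%d %H:%M:%S UTC'


def epoch_to_utc(epoch):
    """Human-readable UTC string for an access-log epoch value (grep alone does not show this)."""
    return dt.datetime.fromtimestamp(float(epoch), tz=dt.timezone.utc).strftime(FMT)


def parse_line(line):
    """Return (utc_timestamp, client_ip, username), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = dt.datetime.fromtimestamp(float(m.group(1)), tz=dt.timezone.utc)
    return ts, m.group(2), m.group(3)


def stale_entries(log_text, client_ip, now_epoch, max_age_days=30):
    """Entries for client_ip older than max_age_days relative to now_epoch.
    A hit here means the log line is historical: it does not tell you who holds that IP now."""
    cutoff = dt.datetime.fromtimestamp(now_epoch, tz=dt.timezone.utc) - dt.timedelta(days=max_age_days)
    out = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == client_ip and parsed[0] < cutoff:
            out.append((parsed[0].strftime(FMT), parsed[2]))
    return out


if __name__ == '__main__':
    now = 1551960000.0  # constructed "today": 2019-03-07 ~12:00 UTC, when the thread was posted
    for line in SAMPLE_LOG.splitlines():
        parsed = parse_line(line)
        if parsed:
            print(parsed[0].strftime(FMT), parsed[1], parsed[2])
    print('stale entries for 10.0.0.125:', stale_entries(SAMPLE_LOG, '10.0.0.125', now))
```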