11-04-2014 12:04 PM
Hello,
With the WSA in transparent redirection mode and using WCCP, would there be any 'normally' expected result that would deny traffic directly to an IP address out to the internet?
I was asked to look into this as our cyber team seemed to be under the impression that when any user tried to access any external URLs directly by IP they would be blocked based on some function of the IronPort. I don't find this to be the case though, and I've never seen it behave this way unless it was due to some other issue.
It used to be, when our WBRS settings were more stringent, that the access logs would show messages like this, although the messages vary (generic to the level, it seems) depending on the WBRS score:
IW_infr,-5.8 "Domain has unusually high traffic volume for a very recent registration."
IW_comp,-5.8 "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."
IW_adv,-5.8 "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."
IW_busi,-5.8 "Domain reported and verified as serving malware."
IW_busi,-5.4 "IP addresses are not typically used as legitimate web hosts."
IW_busi,-5.8 "Identified as a phishing or spam-related site."
Basically I'd like to show them some documentation that points out IronPort doesn't by default block internet traffic to IP addresses directly unless we custom set it up to do that...
I realize we do need to have the correct identity, access policy, custom URL category, etc. for that to happen....
Anyone know of something I can give them... documentation on this... or just some good technical knowledge of how this piece functions?
Thanks so much...
KJ
WSA ver. 7.5.2-118
SMA ver. 7.9.1-102
11-04-2014 01:17 PM
Do you mean that if a user enters http://98.138.252.30 it would get blocked as opposed to entering http://www.yahoo.com? No, the WSA doesn't block just because it's an IP in the URL instead of a DNS name. It blocks based on category/reputation/malware detected/content detected/AVC, etc....
Do I have docs that say that anywhere? No...
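One way to settle the question without documentation is to audit the access logs themselves: pull out every request whose URL host is a literal IP, and check whether any of them were denied with a WBRS score that does not fall in the block range. If direct-IP requests are allowed at all, the WSA is not blocking on "IP in the URL"; if some are denied despite an acceptable reputation score, something other than reputation (a custom URL category, malware scanning, AVC) is responsible and should be identified in the policy. The script below is an added example, not code from the original thread or from Cisco. It assumes a simplified log layout that keeps the `category,score "reason"` shape quoted in the first post (preceded by timestamp, client, result code, method and URL); the real WSA access-log format is longer, so the regex will need adapting. It also assumes the squid-style `TCP_DENIED` result code marks a blocked transaction and that -6.0 is the WBRS block threshold, which is the commonly documented default; both are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log (not real WSA output). Layout is an assumption:
#   <ts> <client> <result> <method> <url> <category>,<wbrs score> "<reason>"
SAMPLE_LOG = """\
1415110000.123 10.1.2.3 TCP_MISS/200 GET http://www.example.com/ IW_busi,7.2 "-"
1415110001.456 10.1.2.3 TCP_MISS/200 GET http://203.0.113.10/index.html IW_busi,-5.4 "IP addresses are not typically used as legitimate web hosts."
1415110002.789 10.1.2.4 TCP_DENIED/403 GET http://203.0.113.77/dl.exe IW_busi,-6.5 "Domain reported and verified as serving malware."
1415110003.012 10.1.2.5 TCP_DENIED/403 GET http://malware.example.net/ IW_comp,-5.8 "Identified malicious behavior on domain or URI."
1415110004.345 10.1.2.6 TCP_MISS/200 GET http://[2001:db8::1]:8080/ IW_infr,-5.8 "Domain has unusually high traffic volume for a very recent registration."
"""

# Regex for the assumed layout above; adjust to your own accesslogs.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<category>\w+),(?P<score>-?\d+(?:\.\d+)?)\s+\"(?P<reason>[^\"]*)\"$"
)

# Assumed default WBRS block threshold: scores at or below this are blocked
# by reputation alone. Check your own Web Reputation settings.
DEFAULT_BLOCK_THRESHOLD = -6.0


def host_is_ip_literal(url: str) -> bool:
    """True if the URL's host is an IPv4 or IPv6 literal (brackets/port stripped)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["score"] = float(row["score"])
    # Assumption: squid-style TCP_DENIED marks a transaction the WSA blocked.
    row["blocked"] = row["result"].startswith("TCP_DENIED")
    row["ip_host"] = host_is_ip_literal(row["url"])
    return row


def audit_direct_ip(log_text: str, block_threshold: float = DEFAULT_BLOCK_THRESHOLD) -> dict:
    """Summarise how requests to literal-IP hosts were treated.

    'blocked_above_threshold' lists denied direct-IP URLs whose WBRS score is
    above the block threshold, i.e. blocks that reputation alone cannot explain
    and that must come from another policy element (custom category, AVC, ...).
    """
    rows = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    ip_rows = [r for r in rows if r["ip_host"]]
    return {
        "total": len(rows),
        "ip_requests": len(ip_rows),
        "ip_allowed": sum(1 for r in ip_rows if not r["blocked"]),
        "ip_blocked": sum(1 for r in ip_rows if r["blocked"]),
        "blocked_above_threshold": [
            r["url"] for r in ip_rows if r["blocked"] and r["score"] > block_threshold
        ],
        "reasons": Counter(r["reason"] for r in ip_rows),
    }


if __name__ == "__main__":
    report = audit_direct_ip(SAMPLE_LOG)
    print(f"{report['ip_requests']} direct-IP requests: "
          f"{report['ip_allowed']} allowed, {report['ip_blocked']} blocked")
    for reason, n in report["reasons"].items():
        print(f"  {n}x {reason}")
    if report["blocked_above_threshold"]:
        print("Blocked despite acceptable WBRS score (look for a custom policy):")
        for url in report["blocked_above_threshold"]:
            print("  ", url)
    else:
        print("Every blocked direct-IP request is explained by its WBRS score.")
```

On the constructed sample, two of the three direct-IP requests are allowed and the one denial carries a score below the threshold, which is the pattern you would expect from a WSA with no custom "block IP hosts" category. Run it over a day of real accesslogs (after fixing the regex) and a non-empty `blocked_above_threshold` list is the concrete evidence to take back to the policy configuration.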