Best Practices of log filter


L2 Linker

Hello,

As a network admin, when a user escalates that they cannot access some specific website, what's the best way to find the proper log that was triggered by the user's browsing activity?

Of course we can apply a filter such as "username", but even so, we will still get a lot of logs in a very short time period.

What's your best practice?

Thanks

5 REPLIES

L3 Networker

Find the IP address of the web site and look in the unified log with the following filter:

( addr.dst in x.x.x.x ) and ( action neq allow ) and ( action neq alert )

This should get you all the traffic to that web site that has been blocked either by policy (deny rule) or threat prevention.

Cyber Elite

@qd_056,

I'd actually recommend that you not filter by username, just because, if a user-id drop was part of the issue, you won't see the traffic at that point. As @TerjeLundbo pointed out, you can target the specific destination address and look for log entries outside of 'allow' or 'alert' with the commands stated.

I'd actually make a further recommendation that you create a rule specific to that user's source IP address with a deny 'any' 'any' policy that mimics the interzone-default policy and enable logging. This allows you to log any traffic that may potentially be running into the default security policy without generating unneeded logs by enabling logging across the default interzone-default policy, where you would likely generate more logs than actually desired.

I raised this concern because we encountered an issue: we have an application group that includes web-browsing, and this group is allowed to be accessed by all trust clients.

But when users tried to access some specific website, they could not display that page properly; it looks like the CSS cannot be loaded.

So for such a case, how can I know the root cause of this issue from the logs?

Thanks

There could be elements on the web site that are being blocked by the firewall. Examples could be Flash content if Flash is not a member of the allowed application group, or ads identified as malware. These will be listed in your firewall logs. If you find nothing there, then I would suspect client browser trouble.

Cyber Elite

Hello,

Here is what I usually do when I get those requests:

Ask the user what the URL was and what they were trying to click on.

I then reproduce the issue either on my machine or a test machine that has little traffic outbound.

Filter the Unified logs by the source IP; as @BPry mentioned, if the user-id dropped, you might miss something.

Then recreate what the user was attempting and look for any blocks.

I look for URL blocks first, then move to application blocks due to SSL decryption.

Those are the big steps.
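The two approaches in this thread (the destination-address filter from @TerjeLundbo's reply and the source-IP walk-through in the reply above) as an offline example, added here and not code from the thread or from Palo Alto Networks. It renders the same filter string, applies the equivalent predicate to a handful of constructed log records, and orders hits the way the reply above does (URL blocks first, then application/policy blocks). The field names `type`, `src`, `dst`, `app`, `rule`, `action`, `url` are a simplified assumption that only loosely mirrors the columns of a real unified log export, and every value in `SAMPLE_LOGS` is invented.

```python
# Added example (not code from the thread or from Palo Alto Networks): offline
# triage of firewall log entries implementing the two approaches the replies
# describe. Field names and sample records are constructed assumptions.
from ipaddress import ip_address, ip_network

# Constructed sample entries. Keys loosely mirror PAN-OS unified log columns
# (type, src, dst, app, rule, action, url); the values are invented.
SAMPLE_LOGS = [
    {"type": "TRAFFIC", "src": "10.1.1.25", "dst": "203.0.113.10",
     "app": "web-browsing", "rule": "allow-web", "action": "allow", "url": ""},
    {"type": "URL", "src": "10.1.1.25", "dst": "203.0.113.10",
     "app": "web-browsing", "rule": "allow-web", "action": "block-url",
     "url": "cdn.example.test/site.css"},
    {"type": "TRAFFIC", "src": "10.1.1.25", "dst": "203.0.113.10",
     "app": "flash", "rule": "interzone-default", "action": "deny", "url": ""},
    {"type": "THREAT", "src": "10.1.1.25", "dst": "203.0.113.10",
     "app": "web-browsing", "rule": "allow-web", "action": "alert", "url": ""},
    {"type": "TRAFFIC", "src": "10.1.1.77", "dst": "203.0.113.10",
     "app": "web-browsing", "rule": "allow-web", "action": "allow", "url": ""},
    {"type": "TRAFFIC", "src": "10.1.1.25", "dst": "198.51.100.5",
     "app": "dns", "rule": "allow-dns", "action": "allow", "url": ""},
]

# Actions that mean "the firewall let it through"; anything else is a block of
# some kind (policy deny, URL block, threat drop/reset, ...).
PASS_ACTIONS = ("allow", "alert")


def build_filter(field: str, target: str) -> str:
    """Render the GUI filter string from the first reply, for src or dst."""
    return f"( addr.{field} in {target} ) and ( action neq allow ) and ( action neq alert )"


def in_address(value: str, target: str) -> bool:
    """'addr.x in <target>' semantics: target may be a single host or a CIDR subnet."""
    return ip_address(value) in ip_network(target, strict=False)


def blocked_entries(entries, field: str, target: str):
    """Entries to/from target whose action is neither allow nor alert."""
    return [e for e in entries
            if in_address(e[field], target) and e["action"] not in PASS_ACTIONS]


def triage_by_source(entries, src: str):
    """Order from the reply above: filter on the user's source IP (not the
    username, which is lost if user-id dropped), then report URL-filtering
    blocks first and application/policy blocks second."""
    hits = blocked_entries(entries, "src", src)
    url_blocks = [e for e in hits if e["type"] == "URL"]
    other_blocks = [e for e in hits if e["type"] != "URL"]
    return url_blocks + other_blocks


def summarize(entry) -> str:
    """One-line summary of a hit: the blocked URL if present, else the app."""
    what = entry["url"] or entry["app"]
    return f'{entry["type"]:7} {entry["src"]} -> {entry["dst"]} {what} [{entry["rule"]}: {entry["action"]}]'


if __name__ == "__main__":
    print(build_filter("dst", "203.0.113.10"))
    for hit in blocked_entries(SAMPLE_LOGS, "dst", "203.0.113.10"):
        print(summarize(hit))
    print("--- triage by source ---")
    for hit in triage_by_source(SAMPLE_LOGS, "10.1.1.25"):
        print(summarize(hit))
```

Run against the constructed records, the destination filter keeps only the URL block and the interzone-default deny; the `alert` threat entry and the allowed sessions drop out, which is exactly what the `neq allow`/`neq alert` clauses are for. The source-IP triage then surfaces the blocked CSS fetch before the denied application, the order in which the reply above checks them.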
