I've read the articles about the processes that take place when analyzing traffic and understand that sometimes there could be an allow status when it seems there shouldn't be. However it also seems that if the traffic truly shouldn't be allowed there would be an associated log entry with some kind of denial.
In my case there is no associated denial and I'm would still like to know why this traffic seems to be allowed when apparently not matching my Custom URL Category.
Forgive me if I'm still just misunderstanding something about this.
Here's what I'm seeing in my logs:
Sorry for the delay in responding but I've been tied up with other things.
Also I will not be able to work on this for the next week.
When I can get back to this I will look at some of the things you've mentioned.
However in regard to your comment:
"What is likely happening is that the firewall allows the TCP/80 traffic, even identifies it as web-browsing, and then it attempts to match that traffic with your permit rules. If it matches, great. If not, it stops. The trick question is, how should the firewall log the traffic? Should it log the traffic as being denied (when some portion went through?)"
I would think that if the firewall is going to log this traffic as allowed because it got part way through the process, it should also have a denied entry when it determines that something about the rule (in my case the URL Category) prevents it. It seems like this isn't happening and maybe that's just the way it works, however I find this confusing.
Thanks very much for your insight.
I have discovered that in 60% of the cases the destination IP Address allowed that shows "any" for URL Category in the logs has been also been allowed sometimes with the correct URL Category showing. I'm not sure why this is and am at a loss to explain the remaining 40% that never show the correct URL Category.
At this point I am willing to accept this behavior but will continue to monitor.
Thanks for your time on this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!