Web Browsing and Associated Traffic Logs

So here's the URL log view:

Unfortunately no where does this log say anything about an IP address or the FQDN block totally not associated with MSN that prevented this page from even loading.

Try:

(referer contains "msn.com") and (action neq alert)

No dice on that search query.

But what happens?

Users see block page?

Try to get timeframe when user had issues and find blocked session to identify what was exactly blocked.

*EDIT - Fixed the summary of the last two captures, they needed to be flipped*

So here's a PCAP from the FW the Rx stage and Drop stage from me going to the site.

Looking at stream 1 that's me trying to go to the site.  With the timehack of 15:31:40.123961

This is the drop stage where you can see continual request to the IP occuring at timehack 15:31:40.155869 which again is immediately after the inital web request.

This is looking at the Rx stage where you can see where the communication to the IP in question for the FQDN drops.  This is occuring on stream 20 at 15:31:40.155287, so after the "start" of the web request.

So does anyone have a good way to track in some sort of consolidated log without performing a report on a specific user every time this comes up?

So this is stemming from a security policy that I've since had changed, but in essence this was a FQDN drop, so a L3 drop.  The original intent was users wouldn't be getting a response page at all.  The security team didn't want "callbacks" to malicious domains so there was just a L3 drop rule for specific stuff.

I've since gotten this changed where these types of things are getting integatred into a L7 block so users would see a response page.

In short I'm trying to troubleshoot something that I don't foresee being a big issue moving forward, but I'm still curious to understand how understand the academic question of how can I see an "end-to-end" log of a single session so to speak from when a user tries to vist a single page without creating a specific user report.

Yeah you are blocking already at TCP SYN level and it never gets to HTTP GET.

You can check what you see in traffic log if you filter traffic that goes to 64.33.232.56

Click on the mag glass and check if you see any more details there.

@Raido_Rattameister I get what you're saying but I'm looking for a straight forward way for an admin to "follow the trail" of a user when they're intiating this traffic.

The only reason I know that this dropped traffic is associated to the web page loading is because I can create policy in the firewall and put my traffic above these FQDN denies.  When doing so this destination traffic isn't dropped and the web pages load.

Session IDs (Funny enough there isn't even a session ID for the dropped traffic.  To me this seems like where this should be a feature enhancement or something where an admin can correlate a drop to something a user is actually doing.) are different between the URL logs and the traffic logs of the traffic that's being dropped so there's really no way for me to correlate in any fashion, that I can find, a these various logs into something useable which define a single action from a user.

Am I missing something?

What is the reason this traffic is blocked?

Do you allow traffic to only limited number of ip addresses through FQDN objects in policy destination field?

If you would block traffic based on URL category then session would be created and you could follow referer field in URL filter log.

If you throw away traffic based on ip/port then session is not created and that is the reason you don't see session number.

Traffic is blocked because of past spearfishing.

0 hosts are allowed to the FQDN object.

Yes

Item 4 really doesn't provide for any conext within the enviornment for what precipiatetd the original traffic.

I've still yet to understand how to track traffic back to specific user actions