What is Application Web-Browser in the traffic filter? Does the URL web-browsing application show in the URL filter?


L1 Bithead

When I look in the URL filter, I see myself going to a webpage with the URL.

Then I copy the IP of the URL and look in the traffic log.

I see that myself and one other person have accessed that IP.

However, the URL Filter only shows that I have gone to that URL.

The only difference I can see is the Application type on the traffic filter.

Does anyone have an idea why the user is not showing they accessed the site in the URL filter page?

The user that does not show up in the URL filter has the application type of "web-browser", while my application type is "SSL".

 

 

5 REPLIES

L1 Bithead

I hope this explains what I said above. 

 

1.jpg

L1 Bithead

Does anyone have any ideas why one particular URL is not showing a certain user accessing it but the URL's IP does show up in the traffic log? All other URL traffic for this user is showing up in the URL Filtering page. The user is in a remote office and that office has its own Firewall.

Well, the web-browsing is not the issue. I looked at other sites the user accesses that are listed in the URL filter, and the traffic filter shows web-browsing as the application too.

I tried to search Google for the webpage, and then click on the webpage on the search result page. I saw the website show up in the URL filtering. This tells me the issue is not that the user is clicking on the link from another webpage.

L1 Bithead

Are you using SSL decryption on the branch side? Because it seems that the user's traffic is being decrypted, hence the web-browsing app using port 443. Once you decrypt traffic, the URL tends to be more specific thanks to the deep packet inspection, although the main domain should be the same. When you don't use decryption, most of your internet traffic will be on port 443 and the app will show SSL; for this traffic the FW depends on certificate fields like common-name (e.g. *.google.com) that the server side gives while establishing the SSL session. So that could be the reason that the URL is different.

Cyber Elite

@MichaelC,

Additionally, whenever you are running into an issue with logging that you expect to be present not being recorded, you should be verifying that the rule the user is hitting is actually set up properly from a logging aspect. Does your 'Trust to Untrust - Shared' entry actually have a URL Filtering profile that has the category set to at least Alert? I'd go out on a limb and say that you simply aren't telling the firewall to log this traffic as you'd expect.

L1 Bithead

Yes, we are using SSL. There is only one website for at least one user who is at a branch site that is not showing in the URL filter. All other websites for this user do show in the URL Filter.

 

 
