Cisco Web Security Appliance S360 Troubleshooting Guide

What is logged in access log for HTTPS traffic?
Document ID: 118152
Aug 05, 2014
Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
Question:
What's logged in access log for HTTPS traffic?
Environment: Cisco Web Security Appliance (WSA) running AsyncOS versions 7.1.x and above, HTTPS proxy enabled
The Cisco Web Security Appliance (WSA) logs HTTPS traffic differently from normal HTTP traffic. HTTPS entries recorded in the accesslogs look different depending on how the request was treated, and in general they have different characteristics from normal HTTP entries.
What is logged also depends on the deployment mode in use (explicit forward mode or transparent mode).
First, let's look at some keywords that will help you read the access logs more easily.
TCP_CONNECT - this shows traffic was received transparently (via WCCP or L4 redirect, etc.)
CONNECT - this shows traffic was received explicitly
DECRYPT_WBRS - this shows WSA has decided to Decrypt the traffic due to the WBRS score
PASSTHRU_WBRS - this shows WSA has decided to Pass Through the traffic due to the WBRS score
DROP_WBRS - this shows WSA has decided to Drop the traffic due to the WBRS score
When HTTPS traffic is decrypted, WSA will log two entries:
• TCP_CONNECT or CONNECT, depending on the type of request being received
• "GET https://" showing the decrypted URL
• Full URL will only be visible if WSA decrypts the traffic.
Please also note that:
• In transparent mode, WSA will only see the destination IP address initially
• In explicit mode, WSA will see the destination hostname
Below are some examples of what you would see in accesslogs:
Transparent - Decrypt
1252543170.769 386 192.168.30.103 TCP_MISS_SSL/200 0 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - DECRYPT_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting
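As an added example that is not part of the Cisco document, the following Python script applies the keywords above to accesslog lines: it tells transparent (TCP_CONNECT) from explicit (CONNECT) entries, reads the WBRS decision from the decision tag, and collects the full URLs that only appear on the "GET https://" entry after decryption. The first sample line is the page's own transparent-decrypt entry; the other lines are constructed in the same field layout, and EXAMPLE_TAG is a placeholder decision tag, not a real WSA value.

```python
import re

# Field order as in the page's sample accesslog line:
# timestamp elapsed client result/status size method url user hierarchy mime decision-tag
ACCESS_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)\s+\S+\s+(?P<tag>\S+)"
)

def classify(line):
    """Return a dict describing one HTTPS-related entry, or None for other lines."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    method, url, tag = m["method"], m["url"], m["tag"]
    if method == "TCP_CONNECT":        # received transparently (WCCP / L4 redirect)
        mode = "transparent"           # URL carries only the destination IP
    elif method == "CONNECT":          # received explicitly from the client
        mode = "explicit"              # URL carries the destination hostname
    elif url.startswith("https://"):   # second entry, written only after decryption
        mode = "decrypted"
    else:
        return None                    # plain HTTP, not of interest here
    verdict = tag.split("-")[0]        # e.g. DECRYPT_WBRS, PASSTHRU_WBRS, DROP_WBRS
    action = verdict[:-5] if verdict.endswith("_WBRS") else None
    return {"client": m["client"], "mode": mode, "action": action, "url": url,
            "server": m["hier"].split("/", 1)[-1]}

def summarize(lines):
    """Count WBRS decisions and collect full URLs that became visible through decryption."""
    counts = {"DECRYPT": 0, "PASSTHRU": 0, "DROP": 0}
    decrypted_urls = []
    for line in lines:
        e = classify(line)
        if e is None:
            continue
        if e["action"] in counts:
            counts[e["action"]] += 1
        if e["mode"] == "decrypted":
            decrypted_urls.append(e["url"])
    return counts, decrypted_urls

# Constructed sample log: line 1 is the page's transparent-decrypt example; the rest are
# made-up entries in the same layout (EXAMPLE_TAG is a placeholder decision tag).
SAMPLE_LOG = [
    "1252543170.769 386 192.168.30.103 TCP_MISS_SSL/200 0 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - DECRYPT_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting",
    "1252543170.901 120 192.168.30.103 TCP_MISS_SSL/200 1342 GET https://www.example.com/login - DIRECT/192.168.34.32 text/html EXAMPLE_TAG-DefaultGroup-test.id-NONE-NONE-DefaultRouting",
    "1252543180.110 450 192.168.30.104 TCP_MISS_SSL/200 0 CONNECT tunnel://www.example.net:443/ - DIRECT/203.0.113.5 - PASSTHRU_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting",
    "1252543185.000 15 192.168.30.105 TCP_MISS/200 512 GET http://www.example.org/ - DIRECT/203.0.113.9 text/html EXAMPLE_TAG-DefaultGroup-test.id-NONE-NONE-DefaultRouting",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```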