Cisco Web Security Appliance S380 User Guide

AsyncOS 8.7 for Cisco Web Security Appliances User Guide
 
Chapter 20      Detecting Rogue Traffic on Non-Standard Ports
  List of Known Sites
Ensure the L4 Traffic Monitor is ‘logically’ connected after the proxy ports and before any device 
that performs network address translation (NAT) on client IP addresses. 
Configuring L4 Traffic Monitor Global Settings
Step 1  Choose Security Services > L4 Traffic Monitor.
Step 2  Click Edit Global Settings.
Step 3  Choose whether or not to enable the L4 Traffic Monitor.
Step 4  When you enable the L4 Traffic Monitor, choose which ports it should monitor:
  - All ports. Monitors all 65535 TCP ports for rogue activity.
  - All ports except proxy ports. Monitors all TCP ports except the following ports for rogue activity.

Step 1  Configure the Global Settings
        See 
Step 2  Create L4 Traffic Monitor Policies
        See 

Address: Description

Known allowed: Any IP address or hostname listed in the Allow List property. These addresses appear in the log files as “whitelist” addresses.

Unlisted: Any IP address that is neither known to be a malware site nor a known allowed address. They are not listed on the Allow List, Additional Suspected Malware Addresses properties, or in the L4 Traffic Monitor Database. These addresses do not appear in the log files.

Ambiguous: These appear in the log files as “greylist” addresses and include:
  - Any IP address that is associated with both an unlisted hostname and a known malware hostname.
  - Any IP address that is associated with both an unlisted hostname and a hostname from the Additional Suspected Malware Addresses property.

Known malware: These appear in the log files as “blacklist” addresses and include:
  - Any IP address or hostname that the L4 Traffic Monitor Database determines to be a known malware site and not listed in the Allow List.
  - Any IP address that is listed in the Additional Suspected Malware Addresses property, not listed in the Allow List and is not ambiguous.
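
The four address classes above, written out as a lookup so the precedence between them is explicit. This is an added example, not AsyncOS code: the function name, the hosts_by_ip mapping used to model "associated with", the rule that an allowed hostname also allows its IP, and all sample addresses are assumptions constructed for illustration.

```python
# Added example: the address classes from the table, as a lookup.
# Names and sample data are constructed; this is not AsyncOS code.

def classify(ip, hosts_by_ip, allow_list, suspected, database):
    """Return the log label for a destination IP, or None for 'unlisted'.

    hosts_by_ip: IP -> set of hostnames that resolve to it (assumed model
    of 'associated with'). allow_list, suspected (Additional Suspected
    Malware Addresses) and database (L4 Traffic Monitor Database) are sets
    that may hold both IP addresses and hostnames.
    """
    names = hosts_by_ip.get(ip, set())

    # Known allowed. Assumption: an allowed hostname also allows its IP.
    if ip in allow_list or names & allow_list:
        return "whitelist"

    bad_names = {n for n in names if n in database or n in suspected}
    unlisted_names = names - bad_names

    # Ambiguous: the IP is shared by an unlisted hostname and a known
    # malware or suspected hostname. Assumption: checked before malware.
    if bad_names and unlisted_names:
        return "greylist"

    # Known malware: listed directly, or reached only via listed hostnames.
    if ip in database or ip in suspected or bad_names:
        return "blacklist"

    return None  # Unlisted: does not appear in the log files


# Constructed sample data (documentation address ranges, example domains).
ALLOW = {"updates.example.com", "192.0.2.10"}
SUSPECTED = {"198.51.100.7", "dropper.example.net"}
DATABASE = {"c2.example.org", "203.0.113.66"}
HOSTS_BY_IP = {
    "192.0.2.20": {"updates.example.com"},
    "203.0.113.5": {"c2.example.org", "blog.example.com"},  # shared host
    "203.0.113.9": {"c2.example.org"},
    "198.51.100.8": {"dropper.example.net", "shop.example.com"},
    "192.0.2.99": {"www.example.com"},
}

def label(ip):
    return classify(ip, HOSTS_BY_IP, ALLOW, SUSPECTED, DATABASE)
```

The shared-hosting entries show why an address can land on the greylist instead of the blacklist: one unlisted hostname on the same IP is enough to make it ambiguous.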