Cisco Web Security Appliance S690 User Guide

AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
 
Chapter 20      Detecting Rogue Traffic on Non-Standard Ports
List of Known Sites
Configuring L4 Traffic Monitor Global Settings
Step 1
Choose Security Services > L4 Traffic Monitor.
Step 2
Click Edit Global Settings.
Step 3
Choose whether or not to enable the L4 Traffic Monitor.
Step 4
When you enable the L4 Traffic Monitor, choose which ports it should monitor:
- All ports. Monitors all 65535 TCP ports for rogue activity.
- All ports except proxy ports. Monitors all TCP ports except the following ports for rogue activity:
  - Ports configured in the “HTTP Ports to Proxy” property on the Security Services > Web Proxy page (usually port 80).
  - Ports configured in the “Transparent HTTPS Ports to Proxy” property on the Security Services > HTTPS Proxy page (usually port 443).
Step 5
Submit and Commit Changes.
Updating L4 Traffic Monitor Anti-Malware Rules
Step 1
Choose Security Services > L4 Traffic Monitor.
Address                Description

Known allowed
    Any IP address or hostname listed in the Allow List property. These addresses appear in the log files as “whitelist” addresses.

Unlisted
    Any IP address that is neither a known malware site nor a known allowed address. These addresses are not listed in the Allow List or Additional Suspected Malware Addresses properties, nor in the L4 Traffic Monitor Database. They do not appear in the log files.

Ambiguous
    These appear in the log files as “greylist” addresses and include:
    - Any IP address that is associated with both an unlisted hostname and a known malware hostname.
    - Any IP address that is associated with both an unlisted hostname and a hostname from the Additional Suspected Malware Addresses property.

Known malware
    These appear in the log files as “blacklist” addresses and include:
    - Any IP address or hostname that the L4 Traffic Monitor Database determines to be a known malware site and that is not listed in the Allow List.
    - Any IP address that is listed in the Additional Suspected Malware Addresses property, is not listed in the Allow List, and is not ambiguous.
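The four address classes above interact through their qualifiers (“not listed in the Allow List”, “is not ambiguous”), so the evaluation order matters. The following Python model is an added example, not Cisco's implementation and not code from this guide: it encodes one reading of the table, with the Allow List checked first, the two ambiguous conditions next, known malware after that, and everything else unlisted, and emits the log labels the table names (unlisted addresses produce no log entry). The L4tmLists class, the classify and log_entries functions, and every hostname and address in the sample lists are constructed for this example.

```python
from dataclasses import dataclass, field

# Hypothetical model of the L4 Traffic Monitor address classes described in the table.
# All list contents used below are constructed sample data, not real indicators.

@dataclass
class L4tmLists:
    allow_list: set[str]                      # "Allow List" property: IPs and hostnames
    suspected: set[str]                       # "Additional Suspected Malware Addresses" property
    malware_db: set[str]                      # entries the L4 Traffic Monitor Database flags as malware
    hostnames: dict[str, set[str]] = field(default_factory=dict)  # IP -> hostnames seen resolving to it

# Label each class carries in the log files; "unlisted" addresses are not logged at all.
LOG_LABEL = {
    "known allowed": "whitelist",
    "ambiguous": "greylist",
    "known malware": "blacklist",
    "unlisted": None,
}

def classify(ip: str, lists: L4tmLists) -> str:
    names = lists.hostnames.get(ip, set())
    # 1. Allow List takes precedence: the IP itself or any hostname it serves is listed there.
    if ip in lists.allow_list or names & lists.allow_list:
        return "known allowed"
    malware_names = names & lists.malware_db
    suspected_names = names & lists.suspected
    unlisted_names = names - lists.malware_db - lists.suspected
    # 2. Ambiguous: the same IP backs an unlisted hostname and a malware or suspected hostname.
    if unlisted_names and (malware_names or suspected_names):
        return "ambiguous"
    # 3. Known malware: the database flags the IP or one of its hostnames, or the IP or a
    #    hostname appears in the suspected property (and the IP was not ambiguous above).
    if ip in lists.malware_db or malware_names or ip in lists.suspected or suspected_names:
        return "known malware"
    # 4. Anything else is unlisted.
    return "unlisted"

def log_entries(ips, lists: L4tmLists) -> list[tuple[str, str]]:
    """Return (ip, label) pairs as they would appear in the log; unlisted addresses are omitted."""
    entries = []
    for ip in ips:
        label = LOG_LABEL[classify(ip, lists)]
        if label is not None:
            entries.append((ip, label))
    return entries

# Constructed sample configuration (documentation address ranges, made-up hostnames).
SAMPLE = L4tmLists(
    allow_list={"intranet.example", "192.0.2.8"},
    suspected={"sus.example", "203.0.113.9"},
    malware_db={"bad.example", "evil.example"},
    hostnames={
        "192.0.2.7": {"intranet.example"},
        "192.0.2.8": {"bad.example"},                            # allowed by IP despite malware hostname
        "203.0.113.5": {"evil.example"},
        "198.51.100.10": {"cdn-shared.example", "bad.example"},  # shared host: unlisted + malware
        "203.0.113.10": {"shared.example", "sus.example"},       # shared host: unlisted + suspected
        "198.51.100.20": {"nothing.example"},
    },
)

if __name__ == "__main__":
    observed = sorted(SAMPLE.hostnames) + ["203.0.113.9"]
    for ip in observed:
        print(ip, classify(ip, SAMPLE))
    print(log_entries(observed, SAMPLE))
```

The ordering is the point of the model: an IP on the Allow List is whitelisted even when a malware hostname resolves to it, and a shared IP that serves both an unlisted and a flagged hostname is greylisted rather than blacklisted, which is why a greylist entry in the logs warrants a look at what else resolves to that address before treating it as a confirmed malware host.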