Cisco Web Security Appliance S170 User Guide
Chapter 21 L4 Traffic Monitor
How the L4 Traffic Monitor Works
21-2
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
• Known allowed address. Any IP address or hostname listed in the Allow List
  property. These addresses appear in the log files as “whitelist” addresses.
• Unlisted address. Any IP address that is neither a known malware site nor a
  known allowed address. Such addresses are not listed in the Allow List or
  Additional Suspected Malware Addresses properties, nor are they listed in the
  L4 Traffic Monitor Database as a known malware site. These addresses do not
  appear in the log files.
• Ambiguous address. These addresses appear in the log files as “greylist”
  addresses. They include any of the following addresses:
  – Any IP address that is associated with both an unlisted hostname and a
    known malware hostname.
  – Any IP address that is associated with both an unlisted hostname and a
    hostname from the Additional Suspected Malware Addresses property.
• Known malware address. These addresses appear in the log files as
  “blacklist” addresses. They include any of the following addresses:
  – Any IP address or hostname that the L4 Traffic Monitor Database
    determines to be a known malware site and that is not listed in the Allow List.
  – Any IP address that is listed in the Additional Suspected Malware
    Addresses property, is not listed in the Allow List, and is not determined
    to be ambiguous.
Note: You can define the Allow List and the Additional Suspected Malware Addresses
properties on the Web Security Manager > L4 Traffic Monitor Policies page.
The L4 Traffic Monitor listens to and monitors network ports for rogue activity.
It performs one of the following actions on all traffic on your network:
• Allow. It always allows traffic to and from known allowed and unlisted
  addresses.
• Monitor. It monitors traffic under the following circumstances:
  – When the Action for Suspected Malware Addresses option is set to
    Monitor, it always monitors all traffic that is not to or from a known
    allowed address.
  – When the Action for Suspected Malware Addresses option is set to
    Block, it monitors traffic to and from ambiguous addresses.
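The address categories above and the Allow/Monitor decisions that follow from them form a small decision procedure. The Python below is an added example written for this page, not Cisco code and not how the appliance itself is implemented; it models an observed connection as an IP plus the hostnames known to map to it, and applies the page's rules in order (Allow List first, then ambiguity, then known malware, otherwise unlisted). The lists, hostnames and IPs are constructed sample data. Two points are assumptions rather than statements on this page: an IP whose associated hostname is on the Allow List is treated as known allowed, and a known malware address is blocked when the Action for Suspected Malware Addresses option is set to Block (this page only describes the Monitor cases of that setting).

```python
"""Model of L4 Traffic Monitor address classification and action selection.

Added example; constructed data. Not Cisco's implementation.
"""

# Constructed sample lists (RFC 5737 documentation ranges, example domains).
ALLOW_LIST = {"203.0.113.10", "intranet.example.com"}           # Allow List property
SUSPECTED = {"192.0.2.44", "odd.example.org"}                     # Additional Suspected Malware Addresses
MALWARE_DB = {"198.51.100.7", "bad.example.net"}                  # L4 Traffic Monitor Database

# Category names as they appear in the log files (unlisted is never logged).
WHITELIST, GREYLIST, BLACKLIST, UNLISTED = "whitelist", "greylist", "blacklist", "unlisted"


def classify(ip: str, hostnames: set[str], allow_list: set[str],
             suspected: set[str], malware_db: set[str]) -> str:
    """Return the page's category for an IP and the hostnames associated with it."""
    # Known allowed: the IP or a hostname is on the Allow List. The Allow List
    # takes precedence over every other list. (Hostname match allowing the IP
    # is an assumption of this example.)
    if ip in allow_list or hostnames & allow_list:
        return WHITELIST

    malware_hosts = hostnames & malware_db
    suspected_hosts = hostnames & suspected
    unlisted_hosts = hostnames - malware_db - suspected - allow_list

    # Ambiguous: one IP serves both an unlisted hostname and a malware or
    # suspected hostname (e.g. shared hosting), so it is greylisted, not blocked.
    if unlisted_hosts and (malware_hosts or suspected_hosts):
        return GREYLIST

    # Known malware: in the database, or in the suspected list, and not ambiguous.
    if ip in malware_db or malware_hosts or ip in suspected or suspected_hosts:
        return BLACKLIST

    return UNLISTED


def decide_action(category: str, suspected_action: str) -> str:
    """Map a category and the Action for Suspected Malware Addresses setting to an action."""
    if suspected_action not in ("Monitor", "Block"):
        raise ValueError(f"unknown setting: {suspected_action}")
    # Known allowed and unlisted traffic is always allowed.
    if category in (WHITELIST, UNLISTED):
        return "allow"
    # Setting = Monitor: everything not known allowed is monitored only.
    if suspected_action == "Monitor":
        return "monitor"
    # Setting = Block: ambiguous addresses are still only monitored ...
    if category == GREYLIST:
        return "monitor"
    # ... and known malware addresses are blocked (assumption; not stated on this page).
    return "block"


def appears_in_logs(category: str) -> bool:
    """Unlisted addresses do not appear in the log files; the others do."""
    return category != UNLISTED


def evaluate(ip: str, hostnames: set[str], suspected_action: str) -> tuple[str, str, bool]:
    """Classify one observed connection and return (category, action, logged)."""
    category = classify(ip, hostnames, ALLOW_LIST, SUSPECTED, MALWARE_DB)
    return category, decide_action(category, suspected_action), appears_in_logs(category)


if __name__ == "__main__":
    # Constructed observations: (ip, hostnames seen resolving to it)
    observations = [
        ("203.0.113.10", {"intranet.example.com"}),
        ("198.51.100.7", {"bad.example.net"}),
        ("198.51.100.20", {"bad.example.net", "shared-host.example.com"}),
        ("192.0.2.44", set()),
        ("192.0.2.99", {"plain.example.com"}),
    ]
    for setting in ("Monitor", "Block"):
        print(f"--- Action for Suspected Malware Addresses = {setting}")
        for ip, hosts in observations:
            category, action, logged = evaluate(ip, hosts, setting)
            print(f"{ip:15} {category:9} {action:7} logged={logged}")
```

Running the script prints the category, action and logging decision for each constructed connection under both settings; the greylist row shows why an IP shared between an unlisted site and a malware hostname is monitored rather than blocked even when the option is set to Block.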