Cisco Web Security Appliance S170 User Guide
Chapter 17: L4 Traffic Monitor
How the L4 Traffic Monitor Works
The L4 Traffic Monitor listens to network traffic that comes in over all ports on the appliance
and matches domain names and IP addresses against entries in its own database tables to
determine whether to allow incoming and outgoing traffic.
All web destinations fall under one of the following categories:
• Known allowed address. Any IP address or host name listed in the Allow List property.
These addresses appear in the log files as “whitelist” addresses.
• Unlisted address. Any IP address that is not known to be a malware site nor is a known
allowed address. They are not listed on the Allow List or Additional Suspected Malware
Addresses properties, nor are they listed in the L4 Traffic Monitor Database as a known
malware site. These addresses do not appear in the log files.
• Ambiguous address. These addresses appear in the log files as “greylist” addresses. They
  include any of the following addresses:
    • Any IP address that is associated with both an unlisted host name and a known
      malware host name.
    • Any IP address that is associated with both an unlisted host name and a host name
      from the Additional Suspected Malware Addresses property.
• Known malware address. These addresses appear in the log files as “blacklist” addresses.
  They include any of the following addresses:
    • Any IP address or host name that the L4 Traffic Monitor Database determines to be a
      known malware site and not listed in the Allow List.
    • Any IP address that is listed in the Additional Suspected Malware Addresses property
      and not listed in the Allow List and not determined to be ambiguous.
Note — You can define the Allow List and the Additional Suspected Malware Addresses
properties on the Web Security Manager > L4 Traffic Monitor Policies page.
The L4 Traffic Monitor listens to and monitors network ports for rogue activity. It performs one
of the following actions on all traffic on your network:
• Allow. It always allows traffic to and from known allowed and unlisted addresses.
• Monitor. It monitors traffic under the following circumstances:
    • When the Action for Suspected Malware Addresses option is set to Monitor, it always
      monitors all traffic that is not to or from a known allowed address.
    • When the Action for Suspected Malware Addresses option is set to Block, it monitors
      traffic to and from ambiguous addresses.
• Block. When the Action for Suspected Malware Addresses option is set to Block, it blocks
traffic to and from known malware addresses.
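The following model ties together the two rule sets above: the four destination categories (known allowed, unlisted, ambiguous, known malware) and the Allow / Monitor / Block decision that depends on the Action for Suspected Malware Addresses setting. It is an added illustration written for this page, not Cisco code and not the appliance's implementation. The configuration field names, the host-name-to-IP association table used to decide "associated with", and every address in the sample data (documentation-reserved names and ranges) are constructed assumptions. The model follows the text literally: the Additional Suspected Malware Addresses rule for the blacklist is stated for IP addresses only, and a known allowed or unlisted address is always allowed, which we take to override the Monitor-mode wording for unlisted addresses (they are never logged in any case).

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address

# Log labels used by the L4 Traffic Monitor (unlisted addresses are not logged).
WHITELIST = "whitelist"   # known allowed address
UNLISTED = "unlisted"     # not allowed, not suspected, not known malware
GREYLIST = "greylist"     # ambiguous address
BLACKLIST = "blacklist"   # known malware address


@dataclass
class L4MonitorConfig:
    """Constructed model of the settings the page refers to (field names are assumptions)."""
    allow_list: set[str]                  # Allow List property: IPs or host names
    suspected: set[str]                   # Additional Suspected Malware Addresses property
    malware_db: set[str]                  # L4 Traffic Monitor Database: known malware IPs/host names
    hostnames_by_ip: dict[str, set[str]]  # host names seen resolving to each IP (assumed source of "associated with")
    action_for_suspected: str             # "Monitor" or "Block"


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def classify(dest: str, cfg: L4MonitorConfig) -> str:
    """Return the category of a destination IP or host name, applying the page's rules in order."""
    # 1. Known allowed address: the Allow List wins over every other list.
    if dest in cfg.allow_list:
        return WHITELIST
    # 2. Known malware address: a direct hit in the L4 Traffic Monitor Database.
    if dest in cfg.malware_db:
        return BLACKLIST
    if _is_ip(dest):
        names = cfg.hostnames_by_ip.get(dest, set())
        listed = cfg.allow_list | cfg.suspected | cfg.malware_db
        # Host names on none of the lists are "unlisted".
        unlisted = {n for n in names if n not in listed}
        # Host names that are known malware or come from the suspected property (and are not allowed).
        flagged = {n for n in names
                   if n not in cfg.allow_list and (n in cfg.malware_db or n in cfg.suspected)}
        # 3. Ambiguous address: the IP serves both an unlisted host and a flagged host.
        if unlisted and flagged:
            return GREYLIST
        # 4. Known malware address: an IP from the suspected property that is not ambiguous.
        if dest in cfg.suspected:
            return BLACKLIST
    # 5. Everything else is unlisted and never appears in the log files.
    return UNLISTED


def action(dest: str, cfg: L4MonitorConfig) -> str:
    """Return Allow, Monitor or Block for traffic to or from dest."""
    category = classify(dest, cfg)
    # Known allowed and unlisted addresses are always allowed (assumed to take precedence
    # over Monitor mode's "everything not known-allowed" wording; unlisted is never logged).
    if category in (WHITELIST, UNLISTED):
        return "Allow"
    if cfg.action_for_suspected == "Monitor":
        return "Monitor"      # Monitor mode never blocks
    if category == GREYLIST:
        return "Monitor"      # Block mode still only monitors ambiguous addresses
    return "Block"            # Block mode blocks known malware addresses


def log_label(dest: str, cfg: L4MonitorConfig) -> str | None:
    """Label written to the log files, or None for unlisted addresses (which are not logged)."""
    category = classify(dest, cfg)
    return None if category == UNLISTED else category


# Constructed sample data: documentation-reserved names and address ranges, not real sites.
SAMPLE_CONFIG = L4MonitorConfig(
    allow_list={"updates.example.com", "198.51.100.10"},
    suspected={"203.0.113.7", "dropper.example.net"},
    malware_db={"c2.example.org", "192.0.2.66"},
    hostnames_by_ip={
        "192.0.2.66": {"c2.example.org"},
        "203.0.113.7": {"files.example.net"},                        # unlisted host only
        "203.0.113.20": {"blog.example.com", "c2.example.org"},      # unlisted + known malware host
        "203.0.113.30": {"cdn.example.com", "dropper.example.net"},  # unlisted + suspected host
    },
    action_for_suspected="Block",
)
MONITOR_MODE_CONFIG = replace(SAMPLE_CONFIG, action_for_suspected="Monitor")

if __name__ == "__main__":
    for dest in ["updates.example.com", "www.example.com", "192.0.2.66",
                 "203.0.113.7", "203.0.113.20", "203.0.113.30"]:
        print(f"{dest:22} {classify(dest, SAMPLE_CONFIG):9} "
              f"block-mode={action(dest, SAMPLE_CONFIG):7} monitor-mode={action(dest, MONITOR_MODE_CONFIG)}")
```

Running the script prints one row per sample destination with its category and the decision under each mode; the shared-hosting cases (203.0.113.20 and 203.0.113.30) are the ones worth studying, because they show why a single IP can end up on the greylist and is only monitored even in Block mode.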