Access logs show that some blocked categories were allowed

Article ID: 166978

Products

Reporter, Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

  • The Symantec ProxySG or Advanced Secure Gateway (ASG) access logs show that some blocked categories were allowed.
  • ProxySG or ASG access logs show that a particular URL was Allowed even though the category was Blocked.
  • Reporter might show the category as none.
  • HTTP response code is 404.

Resolution

This is expected behavior. If you would like to stop requests to denied sites, see the article "ProxySG is requesting resources for denied sites".

Additional information

Suppose you have a bad site, such as the following:

2009-06-25 06:56:19 1 10.21.62.174 ISUSMCD cn=BlueCoat_Download,ou=Applications,ou=GROUPS,o=osr policy_denied DENIED "Adult/Mature Content;Personals/Dating" -  403 TCP_DENIED GET - http www.oogle.com.au 80 / - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)" 10.31.5.10 910 646 -

This was caught and categorized correctly. However, if you take a look at this:

2009-06-25 06:56:20 542 10.21.62.174 ISUSMCD cn=BlueCoat_Download,ou=Applications,ou=GROUPS,o=osr - OBSERVED "none" http://www.oogle.com.au/  404 TCP_NC_MISS GET text/html;%20charset=iso-8859-1 http www.oogle.com.au 80 /blocked_files/osr_logo.gif - gif "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)" 10.31.5.10 785 439 -

It's the same server, but the category is none and the URL was allowed.

The behavior of BCWF/WebPulse is expected.

  • The first URL, http://www.oogle.com.au/, is categorized in the BCWF database.
  • The second URL, http://www.oogle.com.au/blocked_files/osr_logo.gif, is not categorized yet, hence the none category. When a URL receives the none category, the ProxySG appliance sends the URL to WebPulse for categorization.

    When WebPulse receives the second URL, www.oogle.com.au/blocked_files/osr_logo.gif, it sees that the request is for an image file, which cannot be analyzed immediately and will be rated manually by Blue Coat. Until that categorization is done, WebPulse returns a category of none.

Using policy, you can decide how the proxy handles URLs that are categorized as none.
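To see how often this pattern occurs in your own access logs, the following added example (not part of the original article and not vendor code) lists OBSERVED entries rated none whose host was DENIED for the same client. The field positions are an assumption inferred from the two sample entries above, and the function names are hypothetical.

```python
import shlex

# Field positions inferred from the article's two sample entries (assumption);
# verify them against the access-log format configured on your appliance.
CLIENT, VERDICT, CATEGORIES, STATUS, HOST, PATH = 3, 7, 8, 10, 15, 17

# Constructed sample: the article's two entries with the User-Agent shortened,
# plus one made-up entry for a host that was never denied.
SAMPLE_LOG = '''\
2009-06-25 06:56:19 1 10.21.62.174 ISUSMCD cn=BlueCoat_Download,ou=Applications,ou=GROUPS,o=osr policy_denied DENIED "Adult/Mature Content;Personals/Dating" - 403 TCP_DENIED GET - http www.oogle.com.au 80 / - - "Mozilla/4.0" 10.31.5.10 910 646 -
2009-06-25 06:56:20 542 10.21.62.174 ISUSMCD cn=BlueCoat_Download,ou=Applications,ou=GROUPS,o=osr - OBSERVED "none" http://www.oogle.com.au/ 404 TCP_NC_MISS GET text/html;%20charset=iso-8859-1 http www.oogle.com.au 80 /blocked_files/osr_logo.gif - gif "Mozilla/4.0" 10.31.5.10 785 439 -
2009-06-25 06:56:21 88 10.21.62.174 ISUSMCD cn=BlueCoat_Download,ou=Applications,ou=GROUPS,o=osr - OBSERVED "none" - 200 TCP_NC_MISS GET image/gif http unrated.example 80 /logo.gif - gif "Mozilla/4.0" 10.31.5.10 512 300 -
'''


def parse(line):
    """Split one entry (shlex keeps the double-quoted fields whole)."""
    f = shlex.split(line)
    return {
        "time": f[0] + " " + f[1],
        "client": f[CLIENT],
        "verdict": f[VERDICT],
        "categories": f[CATEGORIES].split(";"),
        "status": f[STATUS],
        "host": f[HOST],
        "path": f[PATH],
    }


def uncategorized_after_deny(log_text):
    """Return OBSERVED entries rated "none" on hosts the same client was DENIED on."""
    entries = [parse(l) for l in log_text.splitlines()
               if l.strip() and not l.startswith("#")]
    # (client, host) -> categories that caused the block
    denied = {(e["client"], e["host"]): e["categories"]
              for e in entries if e["verdict"] == "DENIED"}
    hits = []
    for e in entries:
        key = (e["client"], e["host"])
        if e["verdict"] == "OBSERVED" and e["categories"] == ["none"] and key in denied:
            hits.append({**e, "denied_as": denied[key]})
    return hits


if __name__ == "__main__":
    for h in uncategorized_after_deny(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["host"]}{h["path"]} status={h["status"]} '
              f'host blocked as: {", ".join(h["denied_as"])}')
```

On the sample input only the osr_logo.gif request is reported; the entry for the host that was never denied is ignored.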