Reports show downloads from a blocked site

Article ID: 174712


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Traffic is being reported as downloaded by a user from a blocked site in Cloud SWG (Web Security Service - WSS) reports.

Environment

Cloud SWG

Cause

When a user tries to access a website, the client starts a TCP handshake, which Cloud SWG forwards towards the destination. By the time the server's reply comes back, Cloud SWG has already evaluated policy for that user and domain. If the verdict is allow, the TCP connection is set up as normal.

If the verdict is block, WSS intercepts the returning TCP packet and injects a block page into it. In the reports, this intercepted packet appears with:

  • A 200 status code
  • An allow verdict
  • A nominal file size (a few hundred bytes)

All other traffic from that blocked domain will show:

  • A 403 status code
  • A block verdict
  • The size of the packet that was blocked (often several kilobytes)

Resolution

No fix is required; Cloud SWG is working as intended.

This behaviour can raise concern when reports generated from WSS data are reviewed. For example, suppose a policy blocks Dropbox for a user. Each time the user attempts to reach Dropbox they receive a block page, but the reports generated in the Cloud SWG portal, Cloud Access Security Broker (CASB) and similar tools show several hundred kilobytes of data being downloaded from Dropbox on every attempt.

Admins may wonder why a user appears to be downloading data from a domain they have blocked. The data is reported as downloaded, but it never reaches the user: the entries carrying the bulk of the bytes are the blocked requests themselves (403 status, block verdict), and the only response actually delivered is the block page (200 status, allow verdict, a few hundred bytes). To confirm this for a given domain, filter the report on that domain and check that every entry with a meaningful size carries a block verdict.
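The following script is an added example, not part of this article or of any Cloud SWG tooling. It applies the pattern described in the Cause section to a handful of constructed report rows (the column layout `user,domain,status,verdict,bytes` and the 1 KB block-page threshold are assumptions for the example; a real export has different columns and many more fields) and separates, per user and domain, the bytes that were blocked, the bytes that belong to injected block pages, and the bytes of content that actually came from the site.

```python
"""Reconcile "downloads" from blocked domains in a Cloud SWG-style report.

Example code, not from the article or from Broadcom. Column layout and
threshold are assumptions; adapt them to the real export format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows: user,domain,status,verdict,bytes (hypothetical format).
SAMPLE_ROWS: List[str] = [
    "alice,dropbox.com,200,allow,312",      # injected block page
    "alice,dropbox.com,403,block,4820",     # blocked request, bytes never delivered
    "alice,dropbox.com,403,block,5104",
    "alice,dropbox.com,200,allow,298",      # another block page
    "alice,example.com,200,allow,120034",   # genuine allowed download
    "bob,dropbox.com,403,block,4650",
]

# Assumption: a block page is a few hundred bytes, so anything at or under
# this size on a domain that also has block verdicts is treated as a block page.
BLOCK_PAGE_MAX_BYTES = 1024


@dataclass
class Row:
    user: str
    domain: str
    status: int
    verdict: str
    size: int


def parse_rows(lines: Iterable[str]) -> List[Row]:
    """Parse the hypothetical CSV layout into Row objects."""
    rows = []
    for line in lines:
        user, domain, status, verdict, size = line.strip().split(",")
        rows.append(Row(user, domain, int(status), verdict, int(size)))
    return rows


def summarize(rows: Iterable[Row]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Split reported bytes into blocked, block-page and real site bytes.

    Keyed by (user, domain). 'reported' is what the report sums; 'site_bytes'
    is what the user could actually have received from the site itself.
    """
    rows = list(rows)
    # Domains that carry at least one block verdict for this user.
    blocked = {(r.user, r.domain) for r in rows if r.verdict == "block"}
    summary: Dict[Tuple[str, str], Dict[str, int]] = {}
    for r in rows:
        key = (r.user, r.domain)
        s = summary.setdefault(key, {
            "reported": 0, "blocked": 0, "block_pages": 0,
            "block_page_bytes": 0, "site_bytes": 0,
        })
        s["reported"] += r.size
        if r.verdict == "block":
            # 403 / block: counted by the report, but never reached the user.
            s["blocked"] += r.size
        elif key in blocked and r.status == 200 and r.size <= BLOCK_PAGE_MAX_BYTES:
            # 200 / allow / small on a blocked domain: the injected block page.
            s["block_pages"] += 1
            s["block_page_bytes"] += r.size
        else:
            s["site_bytes"] += r.size
    return summary


def suspicious_entries(summary: Dict[Tuple[str, str], Dict[str, int]]) -> List[Tuple[str, str]]:
    """Keys where a blocked domain still shows real site bytes (worth a closer look)."""
    return [k for k, s in summary.items() if s["blocked"] and s["site_bytes"]]


if __name__ == "__main__":
    result = summarize(parse_rows(SAMPLE_ROWS))
    for (user, domain), s in sorted(result.items()):
        print(f"{user:6} {domain:14} reported={s['reported']:>7} "
              f"blocked={s['blocked']:>6} block_pages={s['block_pages']} "
              f"site_bytes={s['site_bytes']:>7}")
    print("needs review:", suspicious_entries(result))
```

The heuristic pairs each user/domain with a block verdict against its small 200/allow rows; if a policy blocks only part of a domain, allowed rows larger than the threshold are real downloads and show up in `site_bytes`, which is exactly what `suspicious_entries` flags for review.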