Reports show downloads from a blocked site

Article ID: 174712

Products

Web Security Service - WSS

Issue/Introduction

Traffic is being reported as downloaded by a user from a blocked site in Web Security Service (WSS) reports.

Cause

When a user tries to access a website, the client initiates a TCP handshake, which WSS forwards. By the time the response returns, WSS has executed a policy verdict for that user and domain. If the verdict is allow, the TCP initiation continues as normal.

If the verdict is block, WSS intercepts the return TCP packet and injects a block page into it. The reports show this intercepted packet with:

  • A 200 status code
  • An allow verdict
  • A nominal file size (a few hundred bytes)

All other traffic from that blocked domain will show:

  • A 403 status code
  • A block verdict
  • The size of the packet that was blocked (often several kilobytes)

Environment

Web Security Service

Resolution

There is no solution; WSS is working as intended.

This may bring up some concern when viewed in reports generated from WSS data. For example, a user has a policy block for Dropbox. When the user attempts to access Dropbox, they get a block page. The reports generated in the WSS portal, Cloud Access Security Broker (CASB), etc. will show several hundred kilobytes of data being downloaded from Dropbox every time the user attempts to access it.

Admins may wonder why a user is downloading data from a domain they are blocked from accessing. This data is reported as downloaded, but it does not reach the user.
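
The two row patterns described under Cause can be separated mechanically when reviewing an export for a blocked domain. The following Python sketch is an added example, not Broadcom or WSS code; the CSV column names, the sample rows, and the 1 KiB cutoff for a "nominal" block-page size are assumptions.

```python
import csv
import io

# Constructed sample rows; column names are hypothetical, not the WSS export schema.
SAMPLE_REPORT = """user,domain,status,verdict,bytes
alice,dropbox.com,200,allow,412
alice,dropbox.com,403,block,6144
alice,dropbox.com,403,block,8192
alice,dropbox.com,200,allow,350
bob,dropbox.com,200,allow,734003
"""

BLOCK_PAGE_MAX_BYTES = 1024  # assumption: "a few hundred bytes" means under 1 KiB


def classify(row):
    """Label one report row for a domain that policy blocks."""
    status, verdict, size = int(row["status"]), row["verdict"].lower(), int(row["bytes"])
    if status == 403 and verdict == "block":
        return "denied"        # traffic WSS blocked; size is the blocked packet
    if status == 200 and verdict == "allow" and size <= BLOCK_PAGE_MAX_BYTES:
        return "block_page"    # intercepted return packet carrying the block page
    return "review"            # matches neither pattern the article describes


def summarize(report_text, blocked_domains):
    """Per user: row counts and byte totals for each label on blocked domains."""
    summary = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["domain"] not in blocked_domains:
            continue
        label = classify(row)
        per_user = summary.setdefault(row["user"], {})
        entry = per_user.setdefault(label, {"rows": 0, "bytes": 0})
        entry["rows"] += 1
        entry["bytes"] += int(row["bytes"])
    return summary


if __name__ == "__main__":
    for user, labels in summarize(SAMPLE_REPORT, {"dropbox.com"}).items():
        print(user, labels)
```

Rows labelled `denied` or `block_page` match the expected behaviour described above; a `review` row (such as a large 200/allow entry) fits neither pattern and is the one worth checking against policy.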