
CloudSOC Audit Reports Allowed Services that the Firewall Shows Blocked


Article ID: 213008


Updated On:


CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard


Audit in CASB reports certain services as allowed even though the customer believes that traffic is blocked by the firewall.


CASB Audit is designed to report any traffic greater than 0 bytes.

Audit reads from the firewall/proxy logs to discover services, first by URL and then by destination IP. CloudSOC tracks IP attributes used by these services, such as DNS and certificate details.

SaaS vendors can repurpose services for other processes, which can result in Audit reporting an app as allowed.

Check the Discovery Profile of the service for allowed IPs, and then cross-reference those IP addresses with the allowed traffic in the firewall.

Isolating the service to find the IP used for a process can help you determine whether this is a problem. Verify the certificate for that IP.
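The cross-reference step described above, as an added example (not part of the original article or any CloudSOC tooling): it matches Discovery Profile IPs against firewall log rows that were allowed with more than 0 bytes. The CSV column names, sample rows and IP addresses are constructed assumptions; map the columns to your firewall's export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real service IPs).
# Column names are assumptions; map them to your firewall's export format.
FIREWALL_CSV = """\
time,src,dst,dport,action,bytes
2020-09-01T21:18:14,10.0.0.5,203.0.113.10,443,allow,1545
2020-09-01T21:19:02,10.0.0.5,203.0.113.10,443,deny,0
2020-09-01T21:20:40,10.0.0.7,198.51.100.22,443,allow,0
2020-09-01T21:21:11,10.0.0.9,203.0.113.77,443,allow,880
2020-09-01T21:22:30,10.0.0.5,192.0.2.50,443,allow,4096
"""

# IPs or CIDR ranges copied from the service's Discovery Profile (constructed).
PROFILE_IPS = ["203.0.113.10", "198.51.100.0/24"]


def allowed_hits(log_text, profile_ips):
    """Return {dst_ip: {"sessions": n, "bytes": total}} for allowed,
    non-zero-byte sessions whose destination is in the profile."""
    nets = [ipaddress.ip_network(p, strict=False) for p in profile_ips]
    hits = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst"].strip())
            nbytes = int(row["bytes"])
            action = row["action"].strip().lower()
        except (KeyError, ValueError, AttributeError, TypeError):
            continue  # skip malformed or truncated rows
        if action != "allow" or nbytes <= 0:
            continue  # Audit only reports traffic greater than 0 bytes
        if any(dst in net for net in nets):
            hits[str(dst)]["sessions"] += 1
            hits[str(dst)]["bytes"] += nbytes
    return dict(hits)


if __name__ == "__main__":
    for ip, stats in sorted(allowed_hits(FIREWALL_CSV, PROFILE_IPS).items()):
        print(f"{ip}: {stats['sessions']} allowed session(s), {stats['bytes']} bytes")
```

Any IP this returns is one the firewall did pass traffic to; that is the IP whose certificate should be verified next.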

Additional Information

Example firewall snippet shows a destination address of

2020-09-01T20:16:18+21:00 PFW-NDE-USA-GCS-DOM-01 2020/09/01 21:18:14,7.255E+12,TRAFFIC,end,,9/1/2020 21:18,,,0x40001c,tcp,allow,1545,626,919....

IP has a certificate with subject:

Note: Audit does not differentiate between Google Drive and Google Docs. They share services and/or resources. This example could apply to other vendor services that share a common resource.