
CloudSOC Audit Reports Allowed Services that the Firewall Shows as Blocked


Article ID: 213008


Products

CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

Audit in CASB reports certain services as allowed, although the customer believes that traffic is blocked by the firewall.

Resolution

CASB Audit is designed to report any traffic greater than 0 bytes.

Audit reads the firewall/proxy logs and discovers services first by URL and then by destination IP. CloudSOC tracks the IP attributes used by these services, such as DNS, certificate details, etc.

SaaS vendors can repurpose services for other processes, which can result in Audit reporting an app as allowed.

Check the Discovery Profile of the services for allowed IPs, and then cross-reference those IP addresses with the allowed traffic in the firewall.

Isolating the service to find the IP used for a process can help you determine if this is a problem. Verify the certificate for that IP.

Additional Information

This example firewall log snippet shows a destination address of 173.194.184.170:

2020-09-01T20:16:18+21:00 PFW-NDE-USA-GCS-DOM-01 2020/09/01 21:18:14,7.255E+12,TRAFFIC,end,,9/1/2020 21:18,10.10.0.1,173.194.184.170....,0x40001c,tcp,allow,1545,626,919....

IP 173.194.184.170 has a certificate with subject:

Note: Audit does not differentiate between Google Drive and Google Docs. They share services and/or resources. This example could apply to other vendor services that may share a common resource.
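The cross-reference described in the Resolution, as an added example (not Broadcom's code): it filters firewall TRAFFIC lines for allowed sessions over 0 bytes whose destination is an IP from a service's Discovery Profile. The field positions are assumed from the snippet above; the log lines, rule names, and every profile IP other than 173.194.184.170 are constructed.

```python
import csv
from collections import defaultdict

PROTOCOLS = {"tcp", "udp", "icmp"}
ACTIONS = {"allow", "deny", "drop"}

# Constructed sample lines; elided middle fields are replaced by a rule name.
SAMPLE_LOG = [
    "2020/09/01 21:18:14,0001,TRAFFIC,end,,2020/09/01 21:18:14,10.10.0.1,173.194.184.170,rule-a,0x40001c,tcp,allow,2048,1024,1024",
    "2020/09/01 21:19:02,0001,TRAFFIC,end,,2020/09/01 21:19:02,10.10.0.1,173.194.184.170,rule-a,0x40001c,tcp,allow,300,120,180",
    "2020/09/01 21:20:40,0001,TRAFFIC,drop,,2020/09/01 21:20:40,10.10.0.2,203.0.113.25,rule-b,0x0,tcp,deny,0,0,0",
    "2020/09/01 21:21:11,0001,TRAFFIC,end,,2020/09/01 21:21:11,10.10.0.3,198.51.100.7,rule-c,0x0,tcp,allow,0,0,0",
    "2020/09/01 21:22:00,0001,TRAFFIC,end,,2020/09/01 21:22:00,10.10.0.3,192.0.2.44,rule-c,0x0,udp,allow,512,256,256",
]

# IPs copied by hand from the service's Discovery Profile (constructed set).
PROFILE_IPS = {"173.194.184.170", "203.0.113.25", "198.51.100.7"}


def parse_traffic(line):
    """Return (dst_ip, action, total_bytes), or None if the line does not fit."""
    f = next(csv.reader([line]))
    if len(f) < 8 or f[2] != "TRAFFIC":
        return None
    # Assumed layout: destination is field 7; protocol, action and total
    # bytes appear as three consecutive fields later in the line.
    for i in range(8, len(f) - 2):
        if f[i] in PROTOCOLS and f[i + 1] in ACTIONS and f[i + 2].isdigit():
            return f[7], f[i + 1], int(f[i + 2])
    return None


def allowed_hits(lines, profile_ips):
    """Sum bytes per profile IP for allowed sessions that moved > 0 bytes."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_traffic(line)
        if rec is None:
            continue
        dst, action, nbytes = rec
        # Audit reports traffic greater than 0 bytes, so mirror that rule.
        if dst in profile_ips and action == "allow" and nbytes > 0:
            totals[dst] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for ip, nbytes in allowed_hits(SAMPLE_LOG, PROFILE_IPS).items():
        print(f"{ip}: {nbytes} bytes allowed; verify the certificate for this IP")
```

Any IP this returns is one the firewall did pass traffic to, which is why Audit shows the service as allowed; those are the IPs whose certificate to verify.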
