Suspicious log lines in WSS user client IP report showing 10.x.x.x IP addresses

book

Article ID: 220897

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Security team monitoring WSS tenant logs and found some weird / suspicious log lines 
Tenant used WSS in "explicit proxy mode" only with 4 locations that obviously use public IPs.
However the log lines show user IP address entries from PRIVATE IP addresses, like 10.230.15.180 and many others out of the 10.230.0.0/16 range
Most users reported valid IP addresses but a small subset of logs had these private IP addresses
These IP addresses do not match any of our user IP addresses

Cause

Policy evaluation bug caused user IP address to be rewritten to internal NATed IP addresses under certain criteria

Environment

Explicit mode

Also seen with SEP WTR access method and Proxy Forwarding (both also uses explicit mode) 

Resolution

Re-run reports. WSS update from July '21 addresses this. Any reports run before this time will occasionally show the 10.x.x.x/8 private IP addresses.