
Suspicious log lines in WSS user client IP report showing 10.x.x.x IP addresses


Article ID: 220897


Updated On:


Web Security Service - WSS


The security team monitoring the WSS tenant logs found some suspicious log lines.
The tenant used WSS in "explicit proxy mode" only, with 4 locations that all use public IP addresses.
However the log lines show user IP address entries from PRIVATE IP addresses, like and many others out of the range
Most users were reported with valid IP addresses, but a small subset of log lines had these private IP addresses.
These IP addresses do not match any of our user IP addresses.


A policy evaluation bug caused the user IP address to be rewritten to an internal NATed IP address under certain criteria.


Explicit mode

Also seen with the SEP WTR access method and Proxy Forwarding (both also use explicit mode).


Re-run the reports. The WSS update from July '21 addresses this. Any reports run before this time will occasionally show the 10.x.x.x/8 private IP addresses.
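
A way to check a re-run report for remaining 10.x.x.x client IPs, as an added example that is not part of the original article or of WSS itself. It assumes an ELFF-style log export with a `#Fields:` header containing a `c-ip` column; the sample lines and the `KNOWN_LOCATIONS` networks are constructed placeholders.

```python
import ipaddress
import shlex
from collections import Counter

BUG_RANGE = ipaddress.ip_network("10.0.0.0/8")  # range named in the article

# Constructed sample; the field layout is an assumption about the export.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-host sc-status
2021-06-14 08:01:12 203.0.113.10 alice example.com 200
2021-06-14 08:01:15 10.45.3.7 bob example.org 200
2021-06-14 08:02:40 198.51.100.22 "carol d" example.net 403
2021-06-14 08:03:02 192.0.2.99 - example.com 200
2021-06-14 08:03:30 10.200.1.1 alice example.com 200
"""
# Constructed placeholders for the tenant's explicit-proxy location IPs.
KNOWN_LOCATIONS = ["203.0.113.0/28", "198.51.100.22/32"]


def classify_client_ips(log_text, known_locations):
    """Return (category counts, flagged [(line_no, ip, category)])."""
    known = [ipaddress.ip_network(n) for n in known_locations]
    counts, flagged, ip_col = Counter(), [], None
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            ip_col = line.split()[1:].index("c-ip")  # locate the column
            continue
        if not line.strip() or line.startswith("#") or ip_col is None:
            continue
        try:
            # shlex keeps quoted fields (e.g. user names with spaces) whole
            ip = ipaddress.ip_address(shlex.split(line)[ip_col])
        except (IndexError, ValueError):
            counts["unparsable"] += 1
            flagged.append((line_no, None, "unparsable"))
            continue
        if any(ip in net for net in known):
            category = "known_location"
        elif ip in BUG_RANGE:
            category = "private_10"      # pattern described in this article
        else:
            category = "unknown_source"  # neither a location nor 10/8
        counts[category] += 1
        if category != "known_location":
            flagged.append((line_no, str(ip), category))
    return counts, flagged


if __name__ == "__main__":
    print(classify_client_ips(SAMPLE_LOG, KNOWN_LOCATIONS))
```

Lines flagged `private_10` match the pattern this article describes; `unknown_source` lines are a separate question and are not explained by it.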