WSS reported transactions return ‘Ambiguous – Special Use’ for source country
search cancel

WSS reported transactions return ‘Ambiguous – Special Use’ for source country


Article ID: 225824


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Users accessing WSS services globally using WSS agent

No issues accessing Web sites and executing policies

Cannot identify source country for many of the HTTP requests processed by WSS

Running reports to determine what country users coming in from appears to show the majority coming from 'Ambiguous - Special case' and not the actual source country as shown below



Parsing the WSS HTTP logs also reports the same 'Ambiguous - Special case' entry for many of the HTTP requests

2021-09-27 07:57:23 "DP1-GESMA11_proxysg1" 178 BCOM\ncash "BCOM\Support All Users" - OBSERVED "Technology/Internet" - 201 TCP_NC_MISS POST application/xml;%20charset=utf-8 https 443 /aethereventhub-monitoring/publishers/97aa7646-f749-4b09-9ff9-1fb81c80117c/messages ?timeout=60&api-version=2014-05 - "Symc Endpoint Agent 3.33" 285 1002 - - no - 0 "ES" client_connector "none" "none" "Ireland" CERT_VALID none - none TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 * "Technology/Internet" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 - ICAP_NO_MODIFICATION - ICAP_REPLACED - "Ireland" - "Ambiguous - Special Use" 2 2 wss-agent architecture=x86_64%20name=Windows%2010%20Enterprise%20version=10.0.19042 b050639c-0654-4fc0-817e-09e2aad0c322 ESW5CG83052BX - - - - SSL_Intercept_1 - - - - - 7364339e1044c457-000000000a5acd94-0000000060ffbc63


Seen with multiple WSS access methods


The access log issue is because the IP address used is the connection's source IP, rather than the "real" client IP. In the above case, the "real" client IP has been translated to an RFC 1918 IP address leading to the 'Ambiguous - Special use' entry.


WSS maintenance updates from Oct 6-11 2021 include fixes for this reported issue.