I checked the firewall to verify 443 traffic was still being sent to the WSA. The decryption policy was set to Monitor. Changed this to Decrypt. Verified that it is set to Block in the Access Policies.
Policy Trace seems to not work for http ... everything comes back "Transaction permitted" with no webcat listed. For https, testing a proxy site comes back: URL Category: Proxies & Translators Policy Match: ... (all global, which has Proxies set to Monitor now) Request completed Details: PASSTHRU_ADMIN
Tailing the grep does no good ... it's only showing when I attempt https, not https, but https traffic is indeed being forwarded from the same place https is.
You can verify the WBRS score from the access logs. Here is a sample access log line:
Thu Dec 11 10:42:02 2008 22 10.1.1.29 TCP_MISS/200 66187 GET http://www.foxnews.com/ DOMAIN\user@AD DIRECT/www.foxnews.com text/html ALLOW_WBRS-WhiteList-DefaultRouting - News -
I've checked the score and the score is -0.70
The reason the WBRS score is relevant is that if an HTTPS site has a 6.0+ score it will be "passed through" the WSA. Any traffic that is passed through is essentially allowed through the WSA, since the stream will be encrypted between the client and the web server.
This behavior can be changed via the HTTPS WBRS policies.
I recommend opening up a support ticket, as this is probably going to require some further specific troubleshooting.
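As an added example (not code from this thread or from Cisco), the following Python script parses access-log lines in the same whitespace-separated layout as the sample line quoted above and lists the HTTPS transactions whose ACL decision was a pass-through, since those sessions are never decrypted and so never reach the URL-category block that works for plain HTTP. The field positions, the two constructed CONNECT lines, the client IPs and user names, the category label "Proxies_and_Translators", and the BLOCK_WEBCAT tag are assumptions made for this example; only ALLOW_WBRS-WhiteList-DefaultRouting and PASSTHRU_ADMIN come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the same whitespace-separated layout as the access log
# line quoted in the reply above. The two CONNECT lines, the second client IP,
# the second user and the category label "Proxies_and_Translators" are made up
# for this example; check field positions against your own appliance's logs.
SAMPLE_LOG = r"""
Thu Dec 11 10:42:02 2008 22 10.1.1.29 TCP_MISS/200 66187 GET http://www.foxnews.com/ DOMAIN\user@AD DIRECT/www.foxnews.com text/html ALLOW_WBRS-WhiteList-DefaultRouting - News -
Thu Dec 11 10:42:05 2008 31 10.1.1.29 TCP_MISS/200 1520 CONNECT anonproxy.example:443 DOMAIN\user@AD DIRECT/anonproxy.example - PASSTHRU_ADMIN-DefaultGroup-DefaultRouting - Proxies_and_Translators -
Thu Dec 11 10:42:09 2008 12 10.1.1.30 TCP_DENIED/403 0 CONNECT other.example:443 DOMAIN\user2@AD NONE/- - BLOCK_WEBCAT-DefaultGroup-DefaultRouting - Proxies_and_Translators -
"""


@dataclass
class AccessLogEntry:
    timestamp: str
    client_ip: str
    method: str
    url: str
    user: str
    action: str          # leading part of the ACL decision tag, e.g. PASSTHRU_ADMIN
    policy_group: str    # middle part of the tag, e.g. WhiteList
    web_category: str    # URL category column, "-" when none was assigned


def parse_access_log_line(line: str) -> AccessLogEntry:
    """Split one access-log line into named fields.

    Field positions are an assumption derived from the single sample line in
    the thread: five timestamp tokens, elapsed time, client IP, result code,
    bytes, method, URL, user, hierarchy/host, content type, ACL decision tag,
    then three trailing columns of which the middle one is the URL category.
    """
    tokens = line.split()
    if len(tokens) < 17:
        raise ValueError(f"unexpected field count {len(tokens)}: {line!r}")
    # Decision tags look like ACTION-PolicyGroup-RoutingPolicy.
    parts = tokens[14].split("-", 2)
    return AccessLogEntry(
        timestamp=" ".join(tokens[0:5]),
        client_ip=tokens[6],
        method=tokens[9],
        url=tokens[10],
        user=tokens[11],
        action=parts[0],
        policy_group=parts[1] if len(parts) > 1 else "-",
        web_category=tokens[16],
    )


def parse_access_log(text: str) -> List[AccessLogEntry]:
    return [parse_access_log_line(l) for l in text.splitlines() if l.strip()]


def is_https(entry: AccessLogEntry) -> bool:
    """CONNECT tunnels and explicit https:// URLs are TLS sessions."""
    return entry.method.upper() == "CONNECT" or entry.url.lower().startswith("https://")


def uninspected_https(entries: List[AccessLogEntry]) -> List[AccessLogEntry]:
    """HTTPS transactions whose decision was a pass-through.

    A passed-through TLS session is not decrypted by the proxy, so the
    URL-category block that applies to plain HTTP never gets to act on it.
    These are the rows to review when an HTTPS site that should be blocked
    is still reaching clients.
    """
    return [e for e in entries if is_https(e) and e.action.startswith("PASSTHRU")]


def category_counts(entries: List[AccessLogEntry]) -> Dict[str, int]:
    """Transactions per URL category, useful for a quick sanity check."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.web_category] = counts.get(e.web_category, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for e in uninspected_https(parsed):
        print(f"{e.timestamp} {e.client_ip} {e.user} {e.url} "
              f"{e.action} group={e.policy_group} category={e.web_category}")
```

Run against a real access log, the pass-through list is the set of HTTPS sessions to compare with the decryption policy: each entry there was allowed through encrypted, and the policy group and category columns show which rule made that decision.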