Using Web Tracking

Shao-Yu Chen
Level 1

Been playing with Ironport for a few months now, and still trying to understand the ins and outs. By looking at Web Tracking Results, how can I be sure that user X successfully logged in to a website XYZ.com and is able to jump from page to page with no problem? Clicking on Display Details..., I can see more of the URL details, ending with XYZ.com/.../members-login, XYZ.com/.../link/id/####, and XYZ.com/.../#.jpg. And under the Disposition column, Allow is displayed for each website result. But user X is saying the sub pages are "BLOCKED" and asking for access.

Without remoting into user X's computer, and not knowing the user's member login, I do know the web results showed up as all allowed in Web Tracking for the last two weeks. Does that mean everything is good? Is there another feature on Ironport that I can use to verify and say "Dude, nothing is blocked for this site!"? Thank you for the help and for educating me a little.

Accepted Solutions

donnylee
Cisco Employee

As long as the traffic to the site is not by-passed in the WSA, it will be logged.

This also means it will show up in reporting.

If you do not see anything "blocked" in the report for Mr. X's traffic in the last two weeks, I'd assume he has been a good user.

You can also use Policy Trace under the System Administration menu in the GUI: fill in the details and test to confirm whether the site will be blocked by your policy.

Hope this helps.

- Donny

3 Replies

While using Policy Trace I have noticed something. I removed myself from an active directory group, but the Policy Trace still shows I am in that group. Where can I verify that the Ironport is synced with active directory?

Depending on the surrogate type used, your IP address may still be recognized after you've been removed from AD.

You may check or flush yourself out from the surrogate list; this can be done from CLI mode using the command authcache.

However, I personally find policy trace to be a simulator, and I'd double-confirm by sending real traffic and checking the access log to confirm if my policy is working correctly.
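
The last reply recommends confirming against the access log. The following Python script is an added example, not part of the thread and not Cisco code: it splits one user's requests into allowed and blocked for a site, and also lists that user's blocked requests to other hosts, since a page can load resources from elsewhere. It assumes a squid-style access log line with the ACL decision tag in the eleventh whitespace-separated field, and treats a `TCP_DENIED` result code or a `BLOCK_`-prefixed decision tag as a block; the sample lines, user names and function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample lines. Assumed layout (squid-style, whitespace-separated):
# time elapsed client result/status bytes method url user peer mime acl-tag-policies ...
SAMPLE_LOG = """\
1700000001.101 120 10.0.0.5 TCP_MISS/200 5120 GET http://xyz.com/members-login userx DIRECT/xyz.com text/html DEFAULT_CASE_12-DefaultGroup-ID1-NONE-NONE-NONE-DefaultGroup <-> -
1700000002.202 80 10.0.0.5 TCP_MISS/302 310 GET http://xyz.com/link/id/1234 userx DIRECT/xyz.com text/html DEFAULT_CASE_12-DefaultGroup-ID1-NONE-NONE-NONE-DefaultGroup <-> -
1700000003.303 4 10.0.0.5 TCP_DENIED/403 0 GET http://cdn.xyz.com/img/1.jpg userx NONE/- - BLOCK_WEBCAT_12-DefaultGroup-ID1-NONE-NONE-NONE-NONE <-> -
1700000004.404 95 10.0.0.9 TCP_MISS/200 900 GET http://xyz.com/ usery DIRECT/xyz.com text/html DEFAULT_CASE_12-DefaultGroup-ID1-NONE-NONE-NONE-DefaultGroup <-> -
1700000005.505 3 10.0.0.5 TCP_DENIED/403 0 GET http://ads.example.net/t.js userx NONE/- - BLOCK_WEBCAT_12-DefaultGroup-ID1-NONE-NONE-NONE-NONE <-> -
"""

def parse(line):
    """Return the fields needed for a block check, or None for a short line."""
    f = line.split()
    if len(f) < 11:
        return None
    # The ACL decision tag is the part of field 11 before the first '-'.
    return {"result": f[3], "url": f[6], "user": f[7].strip('"'),
            "acl": f[10].split("-", 1)[0]}

def is_blocked(rec):
    return rec["result"].startswith("TCP_DENIED") or rec["acl"].startswith("BLOCK_")

def on_site(url, site):
    """True when the URL's host is the site itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == site or host.endswith("." + site)

def check_user(log_text, user, site):
    """Split one user's requests into allowed/blocked, on the site and elsewhere."""
    out = {"allowed_on_site": 0, "blocked_on_site": [], "blocked_elsewhere": []}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["user"].lower() != user.lower():
            continue  # the user name is matched exactly as it was logged
        if is_blocked(rec):
            key = "blocked_on_site" if on_site(rec["url"], site) else "blocked_elsewhere"
            out[key].append(rec["url"])
        elif on_site(rec["url"], site):
            out["allowed_on_site"] += 1
    return out

if __name__ == "__main__":
    print(check_user(SAMPLE_LOG, "userx", "xyz.com"))
```

If the appliance logs user names with a domain or realm attached, pass the name in exactly that logged form.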