Cisco Support Community

WSA traffic direct to external IP addresses blocked by default?


With the WSA in transparent redirection mode and using WCCP, would there be any 'normally' expected result that would deny traffic directly to an IP address out to the internet?

I was asked to look into this as our cyber team seemed to be under the impression that when any user tried to access any external URLs directly by IP that they would be blocked based on some function of the IronPort. I don't find this to be the case though and I've never seen it behave this way unless it was due to some other issues.

    It used to be when our WBRS settings were more stringent the messages in the access logs would show something like this although the messages vary (generic to level it seems) dependent on the WBRS Score:

IW_infr,-5.8    "Domain has unusually high traffic volume for a very recent registration."

IW_comp,-5.8 "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."

IW_adv,-5.8    "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."

IW_busi,-5.8    "Domain reported and verified as serving malware."

IW_busi,-5.4    "IP addresses are not typically used as legitimate web hosts."

IW_busi,-5.8    "Identified as a phishing or spam-related site."


Basically I'd like to show them some documentation that points out IronPort doesn't by default block internet traffic to IP addresses directly unless we custom set it up to do that...

I realize we do need to have the correct identity, access policy, custom URL... etc. for that to happen....


Anyone know of something I can give them...documentation on this... Or just some good technical knowledge of how this piece functions?


Thanks so much...




WSA ver. 7.5.2-118

SMA ver. 7.9.1-102




Do you mean that if a user enters http://98.138..252.30 it would get blocked as opposed to entering   No the WSA doesn't block just because it's an IP in the URL instead of DNS names.  It blocks based on category/reputation/malware detected/content detected/AVC, etc....

Do I have docs that say that anywhere? no...
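
An added example, not part of the thread and not Cisco code: one way to check the behaviour discussed above against your own access logs is to tally the policy decision for requests whose URL host is an IP literal versus a hostname. It assumes the Squid-style access log layout (URL in the 7th field, ACL decision tag in the 11th); the sample lines, addresses and policy names are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (assumed layout, not taken from the thread):
# time elapsed client result/status bytes method URL user hierarchy mime decision-tag <verdicts>
SAMPLE_LOG = """\
1400000000.101 52 10.0.0.5 TCP_MISS/200 5120 GET http://192.0.2.10/index.html - DIRECT/192.0.2.10 text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_busi,-5.4,0,"-"> -
1400000001.202 3 10.0.0.5 TCP_DENIED/403 0 GET http://198.51.100.7/a.exe - NONE/- - BLOCK_WBRS_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_busi,-7.1,0,"-"> -
1400000002.303 80 10.0.0.6 TCP_MISS/200 900 GET http://www.example.com/ - DIRECT/www.example.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_comp,6.9,0,"-"> -
1400000003.404 2 10.0.0.6 TCP_DENIED/403 0 GET http://bad.example.net/ - NONE/- - BLOCK_WBRS_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_adv,-8.0,0,"-"> -
"""


def is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        host = urlsplit(url).hostname
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def decision_action(tag):
    """'BLOCK_WBRS_12-DefaultGroup-...' -> 'BLOCK_WBRS' (drops the numeric suffix and policy names)."""
    head = tag.split("-", 1)[0]
    return head.rsplit("_", 1)[0]


def tally(log_text):
    """Count (host kind, decision) pairs so IP-literal and hostname requests can be compared."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 11:
            continue  # skip headers and truncated lines
        kind = "ip_literal" if is_ip_literal(fields[6]) else "hostname"
        counts[(kind, decision_action(fields[10]))] += 1
    return counts


if __name__ == "__main__":
    for (kind, action), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{kind:10} {action:14} {n}")
```

If IP-literal requests show up under both allowed and blocked decisions, as in the constructed sample, the block is coming from the reputation or category decision and not from the form of the URL.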
