WSA traffic direct to external IP addresses blocked by default?
With the WSA in transparent redirection mode and using WCCP, would there be any 'normally' expected result that would deny traffic directly to an IP address out to the internet?
I was asked to look into this as our cyber team seemed to be under the impression that when any user tried to access any external URLs directly by IP they would be blocked based on some function of the IronPort. I don't find this to be the case though, and I've never seen it behave this way unless it was due to some other issues.
It used to be when our WBRS settings were more stringent the messages in the access logs would show something like this although the messages vary (generic to level it seems) dependent on the WBRS Score:
IW_infr,-5.8 "Domain has unusually high traffic volume for a very recent registration."
IW_comp,-5.8 "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."
IW_adv,-5.8 "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."
IW_busi,-5.8 "Domain reported and verified as serving malware."
IW_busi,-5.4 "IP addresses are not typically used as legitimate web hosts."
IW_busi,-5.8 "Identified as a phishing or spam-related site."
Basically I'd like to show them some documentation that points out IronPort doesn't by default block internet traffic to IP addresses directly unless we custom set it up to do that...
I realize we do need to have the correct identity, access policy, custom URL... etc. for that to happen....
Anyone know of something I can give them...documentation on this... Or just some good technical knowledge of how this piece functions?
Do you mean that if a user enters http://98.138.252.30 it would get blocked as opposed to entering http://www.yahoo.com? No, the WSA doesn't block just because it's an IP in the URL instead of DNS names. It blocks based on category/reputation/malware detected/content detected/AVC, etc....
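One way to check this against your own access logs is to parse the category/score/reason fragments quoted above and see whether the IP-literal requests were decided by their WBRS score rather than by the URL form. The script below is an added example, not code from this thread or from Cisco; the reduced log layout (URL followed by `<category>,<score> "<reason>"`) and the threshold values passed to `summarize` are assumptions for illustration, not the appliance's real format or default setting.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the fragments quoted in the post:
# URL, then <category>,<WBRS score> "<reason>". A real WSA access log carries
# many more fields; this reduced layout is an assumption for the illustration.
SAMPLE_LOG = """\
http://98.138.252.30/ IW_busi,6.2 "-"
http://203.0.113.9/ IW_infr,2.0 "-"
http://198.51.100.7/login IW_busi,-5.4 "IP addresses are not typically used as legitimate web hosts."
http://www.example.com/ IW_busi,4.1 "-"
http://bad.example.net/x IW_comp,-5.8 "Identified malicious behavior on domain or URI. Domain is associated with risky or offensive content."
"""

LINE_RE = re.compile(
    r'^(?P<url>\S+)\s+(?P<cat>\w+),(?P<score>-?\d+(?:\.\d+)?)\s+"(?P<reason>[^"]*)"$'
)


def host_is_ip_literal(url):
    """True when the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Split one constructed log line into url, category, numeric score, reason."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["score"] = float(rec["score"])
    rec["ip_literal"] = host_is_ip_literal(rec["url"])
    return rec


def summarize(log_text, block_below):
    """Apply an assumed WBRS block threshold (blocked only when score < block_below)
    and report how IP-literal requests fared. The decision depends on the score and
    reason, never on whether the host was written as an IP address."""
    out = {"ip_allowed": 0, "ip_blocked": 0, "blocked": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        blocked = rec["score"] < block_below
        if rec["ip_literal"]:
            out["ip_blocked" if blocked else "ip_allowed"] += 1
        if blocked:
            out["blocked"].append((rec["url"], rec["cat"], rec["score"], rec["reason"]))
    return out
```

Running `summarize(SAMPLE_LOG, -5.0)` versus `summarize(SAMPLE_LOG, -6.0)` shows the same IP-literal request with a positive score allowed under both thresholds, while only the stricter one catches the -5.4 and -5.8 entries by their reputation reason.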