Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
Question:
What's logged in access log for HTTPS traffic?
Environment: Cisco Web Security appliance (WSA) running AsyncOS versions 7.1.x and above, HTTPS proxy enabled
The Cisco Web Security Appliance (WSA) logs HTTPS traffic differently from plain HTTP traffic. HTTPS entries in the accesslogs look different depending on how the request was treated (decrypted, passed through, or dropped), so they have a different shape from ordinary HTTP entries.
What is logged also depends on the deployment mode you are using (explicit forward mode or transparent mode).
First, let's look at some keywords that will help you read the access logs:
- TCP_CONNECT - the request was received transparently (via WCCP, L4 redirect, etc.)
- CONNECT - the request was received explicitly
- DECRYPT_WBRS - WSA decided to decrypt the traffic based on the WBRS score
- PASSTHRU_WBRS - WSA decided to pass the traffic through based on the WBRS score
- DROP_WBRS - WSA decided to drop the traffic based on the WBRS score
- When HTTPS traffic is decrypted, WSA logs two entries: a TCP_CONNECT or CONNECT entry (depending on how the request was received), followed by a "GET https://" entry showing the decrypted URL.
- The full URL is only visible if WSA decrypts the traffic.
Please also note that:
- In transparent mode, WSA will only see the destination IP address initially
- In explicit mode, WSA will see the destination hostname
Below are some examples of what you would see in accesslogs:
Transparent - Decrypt
1252543170.769 386 192.168.30.103 TCP_MISS_SSL/200 0 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - DECRYPT_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,5.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
1252543171.166 395 192.168.30.103 TCP_MISS_SSL/200 2061 GET https://www.example.com:443/sample.gif - DIRECT/192.168.34.32 image/gif DEFAULT_CASE-test.policy-test.id-NONE-NONE-NONE <Sear,5.0,0,-,-,-,-,0,-,-,-,-,-,-,-> -
Transparent - Passthrough
1252543337.373 690 192.168.30.103 TCP_MISS/200 2044 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - PASSTHRU_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,9.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
Transparent - Drop
1252543418.175 430 192.168.30.103 TCP_DENIED/403 0 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - DROP_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,-9.1.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
Explicit - Decrypt
252543558.405 385 10.66.71.105 TCP_CLIENT_REFRESH_MISS_SSL/200 40 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - DECRYPT_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,5.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
1252543559.535 1127 10.66.71.105 TCP_MISS_SSL/200 2061 GET https://www.example.com:443/sample.gif - DIRECT/www.example.com image/gif DEFAULT_CASE-test.policy-test.id-NONE-NONE-NONE <Sear,5.0,0,-,-,-,-,0,-,-,-,-,-,-,-> -
Explicit - Pass through
1252543491.302 568 10.66.71.105 TCP_CLIENT_REFRESH_MISS/200 2256 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - PASSTHRU_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,9.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
Explicit - Drop
1252543668.375 1 10.66.71.105 TCP_DENIED/403 1578 CONNECT tunnel://www.example.com:443/ - NONE/- - DROP_WBRS-DefaultGroup-test.id-NONE-NONE-NONE <Sear,-9.1,-,-,-,-,-,-,-,-,-,-,-,-,-> -
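To turn the rules above into something you can run over a real accesslog, here is a small parser written for this article (it is added example code, not a Cisco tool). It reads the squid-style field layout shown in the samples, derives the deployment mode from the tunnel method (TCP_CONNECT vs CONNECT), the WBRS decision from the leading token of the ACL tag (DECRYPT_WBRS / PASSTHRU_WBRS / DROP_WBRS), and attaches each decrypted "GET https://" entry to the CONNECT that preceded it from the same client, so you can see at a glance which sessions yielded a full URL and which only show the tunnel host or IP. Two assumptions are mine, not the article's: that the second comma-separated value inside the <...> block is the WBRS score (it matches the samples: 5.0, 9.0, -9.1), and that a "GET https://" line belongs to the most recent decrypted tunnel from the same client IP. The sample log is copied from the entries above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Squid-style accesslog layout, as seen in the samples above:
#   ts elapsed client result/status bytes method url ident hierarchy/server ctype acl-tag <verdict> [extra]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s+(?P<acl>\S+)\s+<(?P<verdict>[^>]*)>(?:\s+(?P<extra>.*))?$"
)

# The tunnel request method tells you the deployment mode.
MODES = {"TCP_CONNECT": "transparent", "CONNECT": "explicit"}
# The leading token of the ACL tag tells you the WBRS decision.
DECISIONS = {"DECRYPT_WBRS": "decrypt", "PASSTHRU_WBRS": "passthrough", "DROP_WBRS": "drop"}


@dataclass
class Entry:
    ts: float
    client: str
    result: str              # e.g. TCP_MISS_SSL/200, TCP_DENIED/403
    method: str
    url: str
    acl: str
    wbrs: Optional[float]    # None when the score is "-" or malformed
    mode: Optional[str]      # "transparent" / "explicit" for tunnel requests, else None
    decision: Optional[str]  # "decrypt" / "passthrough" / "drop" for WBRS decisions, else None


def _wbrs_score(verdict: str) -> Optional[float]:
    # Assumption: the second comma-separated value inside <...> is the WBRS score.
    fields = verdict.split(",")
    if len(fields) < 2 or fields[1] == "-":
        return None
    try:
        return float(fields[1])
    except ValueError:  # malformed score (e.g. "-9.1.0"): don't abort the whole parse
        return None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one accesslog line; returns None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        ts=float(m["ts"]), client=m["client"], result=m["result"], method=m["method"],
        url=m["url"], acl=m["acl"], wbrs=_wbrs_score(m["verdict"]),
        mode=MODES.get(m["method"]),
        decision=DECISIONS.get(m["acl"].split("-", 1)[0]),
    )


def parse_log(text: str) -> list:
    """Parse all lines, skipping any that do not match the layout."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(text: str) -> list:
    """One record per HTTPS session (tunnel request), with decrypted URLs attached.

    A "GET https://" entry is attributed to the most recent DECRYPT_WBRS tunnel from
    the same client (assumption); a later non-decrypt tunnel from that client ends it.
    """
    sessions, open_decrypt = [], {}
    for e in parse_log(text):
        if e.mode is not None:  # TCP_CONNECT / CONNECT: start of an HTTPS session
            s = {"mode": e.mode, "decision": e.decision, "tunnel": e.url,
                 "status": e.result, "wbrs": e.wbrs, "decrypted_urls": []}
            sessions.append(s)
            if e.decision == "decrypt":
                open_decrypt[e.client] = s
            else:
                open_decrypt.pop(e.client, None)
        elif e.url.startswith("https://") and e.client in open_decrypt:
            open_decrypt[e.client]["decrypted_urls"].append(e.url)
    return sessions


# Sample input: the accesslog entries quoted in the article above.
SAMPLE_LOG = """\
1252543170.769 386 192.168.30.103 TCP_MISS_SSL/200 0 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - DECRYPT_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,5.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
1252543171.166 395 192.168.30.103 TCP_MISS_SSL/200 2061 GET https://www.example.com:443/sample.gif - DIRECT/192.168.34.32 image/gif DEFAULT_CASE-test.policy-test.id-NONE-NONE-NONE <Sear,5.0,0,-,-,-,-,0,-,-,-,-,-,-,-> -
1252543337.373 690 192.168.30.103 TCP_MISS/200 2044 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - PASSTHRU_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,9.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
1252543418.175 430 192.168.30.103 TCP_DENIED/403 0 TCP_CONNECT tunnel://192.168.34.32:443/ - DIRECT/192.168.34.32 - DROP_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,-9.1.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
252543558.405 385 10.66.71.105 TCP_CLIENT_REFRESH_MISS_SSL/200 40 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - DECRYPT_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,5.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
1252543559.535 1127 10.66.71.105 TCP_MISS_SSL/200 2061 GET https://www.example.com:443/sample.gif - DIRECT/www.example.com image/gif DEFAULT_CASE-test.policy-test.id-NONE-NONE-NONE <Sear,5.0,0,-,-,-,-,0,-,-,-,-,-,-,-> -
1252543491.302 568 10.66.71.105 TCP_CLIENT_REFRESH_MISS/200 2256 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - PASSTHRU_WBRS-DefaultGroup-test.id-NONE-NONE-DefaultRouting <Sear,9.0,-,-,-,-,-,-,-,-,-,-,-,-,-> -
1252543668.375 1 10.66.71.105 TCP_DENIED/403 1578 CONNECT tunnel://www.example.com:443/ - NONE/- - DROP_WBRS-DefaultGroup-test.id-NONE-NONE-NONE <Sear,-9.1,-,-,-,-,-,-,-,-,-,-,-,-,-> -
"""

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(f"{s['mode']:<11} {s['decision']:<11} wbrs={s['wbrs']} {s['tunnel']} -> {s['decrypted_urls'] or 'no full URL'}")
```

Running it prints six sessions; only the two DECRYPT_WBRS sessions carry a full URL, while the passthrough and drop sessions show nothing beyond the tunnel target (an IP in transparent mode, a hostname in explicit mode). The malformed score "-9.1.0" in the transparent drop sample is kept as an unparsable score rather than crashing the run, which is the behaviour you want when grepping through a day's worth of logs.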