Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
What's logged in access log for HTTPS traffic?
Environment: Cisco Web Security appliance (WSA) running AsyncOS versions 7.1.x and above, HTTPS proxy enabled
Cisco Web Security Appliance (WSA) logs HTTPS traffic differently from plain HTTP traffic. HTTPS entries recorded in the accesslogs look different depending on how the request was treated, and in general they have different characteristics from HTTP entries.
What is logged will depend on what deployment mode you are using (explicit forward mode or transparent mode).
First let's look at some keywords which would help you read access logs easily.
TCP_CONNECT - this shows the traffic was received transparently (via WCCP, L4 redirect, etc.)
CONNECT - this shows the traffic was received explicitly
DECRYPT_WBRS - this shows WSA has decided to decrypt the traffic due to the WBRS score
PASSTHRU_WBRS - this shows WSA has decided to pass through the traffic due to the WBRS score
DROP_WBRS - this shows WSA has decided to drop the traffic due to the WBRS score
When HTTPS traffic is decrypted, WSA will log two entries:
a TCP_CONNECT or CONNECT entry, depending on how the request was received, and a "GET https://" entry showing the decrypted URL.
The full URL will only be visible if WSA decrypts the traffic.
Please also note that:
In transparent mode, WSA will only see the destination IP address initially
In explicit mode, WSA will see the destination hostname
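To show how these keywords combine when reading a log, here is an added Python example (not Cisco's code) that walks constructed, simplified accesslog lines, tags each TCP_CONNECT/CONNECT entry with its deployment mode and WBRS decision, and pairs a decrypted handshake with the "GET https://" entry that follows it. The sample lines and the assumed field order are constructed for this example; a real accesslog carries more trailing fields.

```python
import ipaddress
import re

# Constructed, simplified accesslog lines (not real WSA output). Assumed field order:
# timestamp elapsed client_ip result/status bytes method url user hierarchy content_type acl_tag
SAMPLE_LOG = """\
1278096903.150 20 10.1.1.5 TCP_MISS_SSL/200 0 TCP_CONNECT 203.0.113.10:443 - DIRECT/203.0.113.10 - DECRYPT_WBRS_11-DefaultGroup-Identity
1278096903.410 88 10.1.1.5 TCP_MISS/200 8187 GET https://www.example.com/login?u=1 - DIRECT/www.example.com text/html DEFAULT_CASE_12-DefaultGroup-Identity
1278096910.001 15 10.1.1.6 TCP_MISS/200 0 CONNECT mail.example.net:443 - DIRECT/mail.example.net - PASSTHRU_WBRS_11-DefaultGroup-Identity
1278096915.020 3 10.1.1.7 TCP_DENIED/403 0 CONNECT bad.example.org:443 - NONE/- - DROP_WBRS_11-DefaultGroup-Identity
"""
# TCP_CONNECT = received transparently (WCCP/L4 redirect); CONNECT = received explicitly.
MODE = {"TCP_CONNECT": "transparent", "CONNECT": "explicit"}
DECISION = re.compile(r"^(DECRYPT|PASSTHRU|DROP)_WBRS")


def parse_line(line: str) -> dict:
    f = line.split()
    return {"ts": float(f[0]), "client": f[2], "method": f[5], "url": f[6], "acl": f[10]}


def classify(entry: dict) -> dict:
    """Tag a CONNECT/TCP_CONNECT entry with deployment mode and WBRS decision."""
    host = entry["url"].rsplit(":", 1)[0]
    try:                                  # transparent mode: only the destination IP is known
        ipaddress.ip_address(host)
        dest_is_ip = True
    except ValueError:                    # explicit mode: the client supplied the hostname
        dest_is_ip = False
    m = DECISION.match(entry["acl"])
    return {"client": entry["client"], "mode": MODE.get(entry["method"]),
            "decision": m.group(1) if m else None, "dest_is_ip": dest_is_ip}


def summarize(log_text: str) -> list:
    """One record per HTTPS handshake; a decrypted one is paired with its GET https:// line."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    out = []
    for i, e in enumerate(entries):
        if e["method"] not in MODE:
            continue                      # GET https:// lines are attached below, not listed
        rec = classify(e)
        rec["decrypted_url"] = None
        if rec["decision"] == "DECRYPT":
            # The second entry for decrypted traffic is the next GET https:// from the same client.
            for later in entries[i + 1:]:
                if later["client"] == e["client"] and later["url"].startswith("https://"):
                    rec["decrypted_url"] = later["url"]
                    break
        out.append(rec)
    return out
```

Only the decrypted handshake yields a full URL; pass-through and dropped connections leave nothing beyond the destination seen in the CONNECT entry.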
Below are some examples of what you would see in accesslogs: