
Log entries failed https connection

Hi folks,

While reviewing CM reports, I found that one of my applications is failing to connect to its update server, with the following error message:

log_subtype="Allowed" log_component="HTTP" reason="not eligible" log_type="Content Filtering" fw_rule_id="2"

What I would like to understand is what is it not eligible for?

When I look at other entries for different sites also using https there is 'no reason' record.

Ian



This thread was automatically locked due to age.
  • Not Eligible is a Sandstorm term. 

    For transactions that require Sandstorm analysis, records the Sandstorm status.
    eligible. The file was identified as eligible for Sandstorm analysis but was excluded from analysis. This may be because Sandstorm was disabled in the firewall rule, in a filetype exclusion, in a web exception, or because Sandstorm is not licensed.
    not eligible. The file was not eligible for Sandstorm analysis because it is not a risky type, or not a type which can be analyzed by the Sandstorm cloud service.
    pending. The item required analysis in the cloud; the end-user was not able to download the item immediately.
    cached clean. The file has been previously analyzed and is known to be clean.
    cloud clean. The item was found to be clean after analysis in the cloud.
    For all items sent to the Sandstorm cloud for analysis, there will be two entries in the Content Filter log: one with reason="pending" when the file is initially requested by the user, and one with reason="cloud clean" when the file is known to be OK to download. If the file is found to be malicious, it will be logged in the anti-virus log with reason="cloud malicious".
  • Hi Lucar Toni,

    Thank you for the list of reasons. Being a home user, I have enabled Sandstorm to pass information to Sophos for analysis and provide assistance to others. So if I don't have a Sandstorm subscription, how does the connection work, if you understand what I mean?

    Ian

  • Eligible and Not Eligible are "sales" methods, or a feature to show the administrator that there would be X files he "could" scan with Sandstorm if he purchased Sandstorm. As a Home user, you cannot purchase it, but as you know, the Home and the business versions of XG are the same. So the methods, like Sandstorm, for rating files are the same. XG considers those files as "I could scan them, if I had Sandstorm".

  • Hi Lucar Toni,

    I have investigated my XG and I cannot find any records; they only show up in CM. While the error I reported at the start of this thread was one of many, they seem to have disappeared, and the report in CM was only one day old. I can find new entries for the error that only show in CM for a different device.

    So, does the report actually mean the traffic failed, and if so, why don't the details appear in the XG?

    Ian

  • This is not a problem. It's only a notice that this file could or could not be scanned by Sandstorm, if you had Sandstorm in the first place.

    HTTPS or other links, which are encrypted, cannot be scanned by Sandstorm, as they are encrypted.
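
As an added example (not part of the thread and not Sophos code), the following Python sketch triages Content Filtering entries using the `reason` values listed in the reply above, separating status-only notices such as `not eligible` from items still `pending` and from `cloud malicious` verdicts. The `url` field used to pair entries and every sample line except the first (taken from the question) are constructed assumptions.

```python
import re

# key="value" pairs, as in the log line quoted in the question.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# Reasons that only record a Sandstorm status (per the list in the reply above).
STATUS_ONLY = {"eligible", "not eligible", "cached clean"}

# First line is from the question; the rest are constructed for illustration.
SAMPLE = [
    'log_subtype="Allowed" log_component="HTTP" reason="not eligible" log_type="Content Filtering" fw_rule_id="2"',
    'log_subtype="Allowed" log_type="Content Filtering" reason="pending" url="http://files.example/a.exe"',
    'log_subtype="Allowed" log_type="Content Filtering" reason="cloud clean" url="http://files.example/a.exe"',
    'log_subtype="Allowed" log_type="Content Filtering" reason="pending" url="http://files.example/b.zip"',
    'log_type="Anti-Virus" reason="cloud malicious" url="http://files.example/c.doc"',
    'log_subtype="Denied" log_type="Content Filtering" reason="" url="http://blocked.example/"',
]

def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(PAIR_RE.findall(line))

def triage(lines):
    """Sort entries into status-only notices, unresolved pending items,
    malicious verdicts, and transactions that were not allowed."""
    result = {"informational": [], "malicious": [], "not_allowed": []}
    pending = set()
    for line in lines:
        rec = parse_line(line)
        reason = rec.get("reason", "")
        key = rec.get("url", "<no url>")  # 'url' is an assumed correlation field
        if reason == "cloud malicious":
            result["malicious"].append(key)
        elif rec.get("log_subtype") != "Allowed":
            result["not_allowed"].append(key)  # the traffic itself was stopped
        elif reason == "pending":
            pending.add(key)                   # first of the two expected entries
        elif reason == "cloud clean":
            pending.discard(key)               # second entry resolves the first
        elif reason in STATUS_ONLY:
            result["informational"].append((key, reason))
    result["unresolved"] = sorted(pending)     # pending with no later verdict
    return result

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, items)
```

The line from the question lands in `informational`: its `log_subtype` is `Allowed`, so `reason="not eligible"` records a Sandstorm status rather than a failed connection.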