This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Security Reporting Issue

Reporting is definitely not a strong suite for the Astaro and hopefully one day will get better. But this I completely don't understand.

So as you can see I've got Web Security Enabled for Transparent Proxy with Agent Based Authentication for all Active Directory Users.

I've got Social Networking selected to be blocked and even so the Category Filter.

I've also got an Exception for a select few users that are allowed to get to Facebook.

However, on the Web Security Report I have a Facebook.com Action passed on a User that isn't allowed to get to Facebook.com. So now I have to go verify if this user can indeed access facebook.com and figure out if this is just an error in the Web Security Reporting.

Any ideas as to why Web Security would list Facebook.com as allowed even through it is blocked?

This thread was automatically locked due to age.

0 BAlfson over 13 years ago

Have you looked in the Web Filtering logfile to see the lines where she was allowed? Maybe you could post one or two representative lines.

Your exception with, for example, REGEX ^https?://.*\.facebook.com should work, but the "classic" one would be ^https?://[A-Za-z0-9.-]*facebook\.com.

Another approach would be to go with a Profile approach instead of an Exception. Using AAA to Allow a Single User to Download .exe Files is a corrected post about how to use AAA with Profiles.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 StephenWeber over 13 years ago

I've ever had a problem with the Regex working correctly. I haven't had a chance to review the log file for that day yet, but will as soon as I get a few minutes. I'm having to gather reports for my client and the first that they will see is that Facebook.com is listed as a Pass for that user, that is locked down.

I know that the site is locked down because it works with my test user account.
Cancel
Vote Up 0 Vote Down

Cancel

0 StephenWeber over 13 years ago

The quick answer is that the Astaro isn't blocking the Web Sites like it should be according to the Default Policy.

2012:03:13-16:22:06 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="302" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x86b4178" url="www.facebook.com/" exceptions="url" error=""

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="429010" request="0x86b4178" url="www.facebook.com/.../html" application="facebook"

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.31.17.195" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="152" request="0xc7e08748" url="static.ak.fbcdn.net/.../x-icon" application="facebook"

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="110" request="0x86b4178" url="www.facebook.com/ai.php

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="63.236.253.88" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2759" request="0x8642b40" url="profile.ak.fbcdn.net/.../jpeg" application="facebook"

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="63.236.253.88" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1569" request="0xc05c32f8" url="profile.ak.fbcdn.net/.../jpeg" application="facebook"

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="110" request="0x92f7760" url="www.facebook.com/ai.php

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="31.13.76.26" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="10349" request="0x932fe50" url="sphotos.xx.fbcdn.net/.../jpeg" application="facebook"

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="204.245.34.144" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6536" request="0xbe5eb890" url="creative.ak.fbcdn.net/.../jpeg" application="facebook"

2012:03:13-16:22:27 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="204.245.34.144" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="8198" request="0xc7ec1a30" url="creative.ak.fbcdn.net/.../jpeg" application="facebook"

2012:03:13-16:22:28 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="204.245.34.144" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3366" request="0xbe5eb890" url="creative.ak.fbcdn.net/.../jpeg" application="facebook"

2012:03:13-16:22:28 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3032" request="0x92f7760" url="www.facebook.com/.../reconnect.php

2012:03:13-16:22:28 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.35" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="67" request="0xbe18de38" url="pixel.facebook.com/.../log_ticker_render.php

2012:03:13-16:22:29 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="81900" request="0x86b4178" url="www.facebook.com/.../multi_story

2012:03:13-16:22:29 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="34" request="0x92f7760" url="www.facebook.com/.../promo_action.php

2012:03:13-16:22:30 FPHASG httpproxy[14260]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.201" dstip="69.171.229.12" user="lbryant" statuscode="200" cached="0" profile="REF_HttProOfficeLan (Office LAN)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="319" request="0x86b4178" url="www.facebook.com/.../user_info.php

0 dilandau over 13 years ago

From that log the traffic is being allowed because it matches your exception for facebook, as it shows exceptions="url".

If that user is not suppose to have access via the exception, you might have to look at any user groups you may have added to the exception that are allowing the access.
Cancel
Vote Up 0 Vote Down

Cancel
0 StephenWeber over 13 years ago

Yeah I saw that when digging further and found that one of my techs added an Exception for a few users and instead of using the "Matching URL and Username" They used "Matching URL or Username" So the user had full Internet Access. At first glance I didn't catch it until I saw that Exception "url" then I went and took a close look.

Just makes me mad that I'm chasing issues made by one of my techs not paying attention.
Cancel
Vote Up 0 Vote Down

Cancel