How do I tell which user clicked the dodgy link?

We have DNSWatch protecting the network, but when I see an alert for a phishing link clicked in DNSWatch it only shows my external IP from the firewall. So I search the firewall logs for the dodgy domain, or the landing page or any reference to DNSWatch and find nothing so I have no idea who to speak to about clicking on suspect links? Any advice?


  • Noticed the same thing. Sorta hoped I would see [email protected] since everything is SSO and AD integrated. At least an internal IP would be nice, but no dice.

    It's usually something simple.

  • The issue is the DNS request packet heading to the DNSWatch DNS server comes from the external interface of the firewall.
    So the DNSWatch DNS server has no information about the real source of the DNS packet - the internal IP addr, user, etc.

    However, it would seem that the DNSWatch process in XTM could be set up to log info related to the block, so that we could see it in Traffic Monitor & Dimension.

  • The only thing I can think of that would get you anywhere remotely close is the timestamp of the DNSWatch hit and looking backwards a few seconds before that time. That may not be fun if you have a lot of web traffic.

    Gregg Hill

  • Been there - done that... What was also useful was tracking through the browser history - made somewhat easier by the use of roaming profiles..

    Adrian from Australia

  • Does DNSWatch GO do a good job at logging this for clients?

Sign In to comment.