URL web addresses that user visited

Hi,

M290, 12.11
In Dimension, in the URL audit detail, we see the destination web addresses, but it only shows cert and Windows updates. However, we're sure the user visited www.google.com, www.instangram.com, www.youtube.com, so why are they not in the listing? All we see is Windows update and cert links. Is it something we need to enable, or is there another place we can look?

Thanks.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @WGM
    Depending on what you're logging in your HTTPS proxy, you may not be logging this data. If users are using QUIC to get to websites, you will not see any logging data aside from the IP the user is going to.

    -In your HTTP and HTTPS proxy actions, ensure that "enable logging for reports" is enabled in each proxy action you are using.

    -Disable QUIC either on your clients' browsers, or deny it via a firewall rule:

    (How to prevent connections from browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3dzSAA&lang=en_US

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Thanks for the reply. We do have HTTP and HTTPS "enable logging for reports". That's strange that it's not showing on the report for any public websites, even like going to watchguard.com.

  • Are you seeing HTTPS accesses in Traffic Monitor?
    If not, try disabling QUIC in your web browser.

  • WGM
    edited March 28

    Hi Bruce, yes, we do see HTTPS traffic and also destination IP addresses on the log report. But it's strange that we cannot see all the domain addresses on the Dimension client reports. The only domain address we see is "c.pki.goog", but nothing like www.watchguard.com, ford.com, kfc.com, etc., and they're not blocked either.

  • Are you doing Inspect on your HTTPS proxy action?
    If not, then all the HTTPS proxy can see is the SNI or the CN from the certificate of the web site.

    You will not see the true URL, which can only be seen if doing Inspect.
    So perhaps there is no known URL for un-Inspected sites, and thus no report entries for them.

    If one is not doing Inspect, then I would expect that one should get the SNI or the CN for the Domain Name in Dimension reports. But that is not the URL.

  • WGM
    edited March 28

    Is it the HTTPS-Proxy: Content Inspection section that needs to be enabled?

  • To Inspect all web sites, you set the Action (below the Domain Names list) to Inspect.
    Or you can specify selected domains to Inspect by adding the SNI/CN value for the domain to the Domain Names list with Action = Inspect.

    Note that you need to have either a certificate from the firewall or from your CA to all devices which use any HTTPS proxy with Inspect enabled.

    See this:
    Use Certificates with Outbound HTTPS Proxy Content Inspection
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_proxy_resign_c.html

    Some web sites will not work with Inspect. For those, you need to add the SNI/CN value for the domain in the Domain Names list - set to Allow.

  • Thank you!

  • Hi All, I have a question once we implement the Local CA certificate for the proxy authority. Trusted users on the domain with desktops would not need a cert, but what about mobile devices that are on a different subnet, like Android/Apple tablets and phones? Do they need to install the cert?

  • Yes, (either your CA cert or the firewall cert) if you want to use Inspect on the HTTPS proxy for them.

  • Hi Bruce, what if we don't want to inspect, would they be prompted with the cert message if it is not installed? Basically, we would like to avoid users on a different subnet having to install the cert if we don't plan to inspect. Would that be possible?

  • Then you need a 2nd HTTPS policy for them, one without Inspect.

  • Ah, got it. That got me thinking: instead of inspecting all users, if we want to inspect only 1 device, we could just make a different HTTPS policy for just that single device and it will not be heavy on the Firebox performance. Would that be doable?

  • Yes, if you wish.
    Consider Inspect for all of your PCs

  • Thank you again Bruce!
