URL web addresses that user visited

Hi,

M290, 12.11
In Dimension, in the URL audit detail, we see the destination web addresses, but it only shows cert and Windows updates. However, we're sure the user visited www.google.com, www.instangram.com, www.youtube.com, so why are they not on the listing? All we see is Windows Update and cert links. Is it something we need to enable, or is there another place we can look?

Thanks.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @WGM
    Depending on what you're logging in your HTTPS proxy, you may not be logging this data. If users are using QUIC to get to websites, you will not see any logging data aside from the IP the user is going to.

    -In your HTTP and HTTPS proxy actions, ensure that "enable logging for reports" is enabled in each proxy action you are using.

    -Disable QUIC either on your client's browsers, or deny it via a firewall rule:

    (How to prevent connections from browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3dzSAA&lang=en_US

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Thanks for the reply. We do have HTTP and HTTPS "enable logging for reports". It's strange that it's not showing on the report for any public websites, even when going to watchguard.com.

  • Are you seeing HTTPS accesses in Traffic Monitor?
    If not, try disabling QUIC in your web browser.

  • WGM
    edited March 28

    Hi Bruce, yes, we do see HTTPS traffic and also destination IP addresses on the log report, but it's strange that we cannot see all the domain addresses on the Dimension client reports. The only domain address we see is "c.pki.goog", but nothing like www.watchguard.com, ford.com, kfc.com, etc., and they're not blocked either.

  • Are you doing Inspect on your HTTPS proxy action?
    If not, then all the HTTPS proxy can see is the SNI or the CN from the certificate of the web site.

    You will not see the true URL, which can only be seen if doing Inspect.
    So perhaps there is no known URL for un-Inspected sites, and thus no report entries for them.

    If one is not doing Inspect, then I would expect that one should get the SNI or the CN for the Domain Name in Dimension reports. But that is not the URL.

  • WGM
    edited March 28

    Is it the HTTPS-Proxy: Content Inspection section that needs to be enabled?

  • To Inspect all web sites, you set the Action (below the Domain Names list) to Inspect.
    Or you can specify selected domains to Inspect by adding the SNI/CN value for the domain to the Domain Names list with Action = Inspect.

    Note that you need to have a certificate, either from the firewall or from your CA, on all devices which use any HTTPS proxy with Inspect enabled.

    See this:
    Use Certificates with Outbound HTTPS Proxy Content Inspection
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_proxy_resign_c.html

    Some web sites will not work with Inspect. For those, you need to add the SNI/CN value for the domain in the Domain Names list - set to Allow.

  • Thank you!
