Websafety 8.5 Not Logging / Filtering on SNI


Steve Cleary

Jun 2, 2023, 5:49:47 PM
to Diladele Web Safety
Hi
I have two identical VMs, one running Websafety 8.2 and one running 8.5. Both are configured identically (as far as I can tell), and running in transparent mode with no decryption.
8.2 works fine, and shows the SNI in the Traffic Monitor, and Web Filter is able to police the requests. 8.5 does not, however (it shows only the IP_address:443 in the logs, and therefore ICAP / Web Filter does not work).
When in explicit proxy mode for 8.5, the SNI / connect is logged and can be actioned by the Web Filter.
Is there something I'm missing in the configuration of 8.5 to make transparent filtering without decryption work?

Thanks!

Steve Cleary

Jun 2, 2023, 7:10:23 PM
to Diladele Web Safety
Here are logs from the two VMs:

8.5:
1685747136.365  10206 192.168.1.224 TCP_TUNNEL/500 36308 CONNECT 205.185.216.10:443 - ORIGINAL_DST/205.185.216.10 - "ws-iid=76" "ws-mac=00:00:00:00:00:00" "ws-duration=115" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=1219"
1685747136.380  10336 192.168.1.224 TCP_TUNNEL/500 323068 CONNECT 205.185.216.42:443 - ORIGINAL_DST/205.185.216.42 - "ws-iid=75" "ws-mac=00:00:00:00:00:00" "ws-duration=198" "ws-timing=1" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=1795"
1685747136.524  26916 192.168.1.224 TCP_TUNNEL/500 244090 CONNECT 205.185.216.10:443 - ORIGINAL_DST/205.185.216.10 - "ws-iid=44" "ws-mac=00:00:00:00:00:00" "ws-duration=15510" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=2371"
1685747136.582  10234 192.168.1.224 TCP_TUNNEL/500 330925 CONNECT 205.185.216.10:443 - ORIGINAL_DST/205.185.216.10 - "ws-iid=77" "ws-mac=00:00:00:00:00:00" "ws-duration=190" "ws-timing=1" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=1237"
1685747139.479  46859 192.168.1.224 TCP_TUNNEL/200 787433 CONNECT 18.164.155.248:443 - ORIGINAL_DST/18.164.155.248 - "ws-iid=36" "ws-mac=00:00:00:00:00:00" "ws-duration=64" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=84321"
1685747140.140    295 192.168.1.224 TCP_TUNNEL/200 0 CONNECT 3.210.25.111:443 - ORIGINAL_DST/3.210.25.111 - "ws-iid=87" "ws-mac=00:00:00:00:00:00" "ws-duration=785" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=566"
1685747141.614  10292 192.168.1.224 TCP_TUNNEL/500 6435 CONNECT 128.116.101.3:443 - ORIGINAL_DST/128.116.101.3 - "ws-iid=79" "ws-mac=00:00:00:00:00:00" "ws-duration=4971" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=8798"
1685747142.326  10188 192.168.1.224 TCP_TUNNEL/500 7454 CONNECT 128.116.101.4:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=80" "ws-mac=00:00:00:00:00:00" "ws-duration=816" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=4427"
1685747143.964  10033 192.168.1.224 TCP_TUNNEL/500 0 CONNECT 35.190.43.134:443 - ORIGINAL_DST/35.190.43.134 - "ws-iid=81" "ws-mac=00:00:00:00:00:00" "ws-duration=1792" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"


8.2:
1685746701.861  10237 192.168.1.224 TCP_TUNNEL/500 8979 CONNECT assetdelivery.roblox.com:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=4326" "ws-mac=00:00:00:00:00:00" "ws-duration=10" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=16777216" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=4538"
1685746701.952  10339 192.168.1.224 TCP_TUNNEL/500 8642 CONNECT assetdelivery.roblox.com:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=4325" "ws-mac=00:00:00:00:00:00" "ws-duration=11" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=16777216" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=8279"
1685746702.388  26582 192.168.1.224 TCP_TUNNEL/500 23596 CONNECT thumbnails.roblox.com:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=4162" "ws-mac=00:00:00:00:00:00" "ws-duration=43" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=16777216" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=29815"
1685746702.493  26730 192.168.1.224 TCP_TUNNEL/500 24216 CONNECT thumbnails.roblox.com:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=4161" "ws-mac=00:00:00:00:00:00" "ws-duration=5" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=16777216" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=40726"
1685746702.653     17 192.168.1.224 NONE_NONE/000 0 CONNECT 128.116.101.3:443 - HIER_NONE/- - "ws-iid=4331" "ws-mac=00:00:00:00:00:00" "ws-duration=6023" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
1685746702.659     22 192.168.1.224 NONE_NONE/000 0 CONNECT 128.116.101.3:443 - HIER_NONE/- - "ws-iid=4324" "ws-mac=00:00:00:00:00:00" "ws-duration=11036" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
1685746703.473  24542 192.168.1.224 TCP_TUNNEL/500 8299 CONNECT ecsv2.roblox.com:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=4223" "ws-mac=00:00:00:00:00:00" "ws-duration=1" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=16777216" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=31536"
1685746704.020     41 192.168.1.224 NONE_NONE/000 0 CONNECT 128.116.101.4:443 - HIER_NONE/- - "ws-iid=4335" "ws-mac=00:00:00:00:00:00" "ws-duration=1320" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"
1685746704.047     67 192.168.1.224 NONE_NONE/000 0 CONNECT 128.116.101.4:443 - HIER_NONE/- - "ws-iid=4332" "ws-mac=00:00:00:00:00:00" "ws-duration=1343" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=home_policy" "ws-member=None" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0"

8.2 includes the SNI in the logs, whereas 8.5 does not.
My policy for category enforcement is also ignored on 8.5.

Thanks
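
As an added example (not Diladele's or Squid's own code), here is a small Python parser for the access.log layout shown above; it separates CONNECT tunnels that were logged with a bare IP (no SNI seen) from those logged with an SNI hostname and counts how many received a non-zero ws-categories annotation. It assumes the Squid native log layout plus Web Safety's quoted key=value annotations exactly as in the excerpts, and uses shortened copies of those lines as input.

```python
import ipaddress
import re

# Shortened copies of the access.log lines quoted above (only the annotations this example reads are kept).
LOG_85 = """\
1685747136.365  10206 192.168.1.224 TCP_TUNNEL/500 36308 CONNECT 205.185.216.10:443 - ORIGINAL_DST/205.185.216.10 - "ws-iid=76" "ws-categories=0" "ws-policy=home_policy"
1685747139.479  46859 192.168.1.224 TCP_TUNNEL/200 787433 CONNECT 18.164.155.248:443 - ORIGINAL_DST/18.164.155.248 - "ws-iid=36" "ws-categories=0" "ws-policy=home_policy"
"""
LOG_82 = """\
1685746701.861  10237 192.168.1.224 TCP_TUNNEL/500 8979 CONNECT assetdelivery.roblox.com:443 - ORIGINAL_DST/128.116.101.4 - "ws-iid=4326" "ws-categories=16777216" "ws-policy=home_policy"
1685746702.653     17 192.168.1.224 NONE_NONE/000 0 CONNECT 128.116.101.3:443 - HIER_NONE/- - "ws-iid=4331" "ws-categories=0" "ws-policy=home_policy"
"""

# Squid native log layout (ts elapsed client action/code bytes method url user hier/peer type) followed by Web Safety's quoted "key=value" annotations.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)(?P<notes>.*)$"
)
NOTE_RE = re.compile(r'"([\w-]+)=([^"]*)"')

def parse_line(line):
    # Return a dict for one log line, or None when the line does not match the layout.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["notes"] = dict(NOTE_RE.findall(rec["notes"]))
    rec["host"], _, rec["port"] = rec["url"].rpartition(":")
    return rec

def is_ip_literal(host):
    """True when the CONNECT target is a bare address, i.e. no SNI was observed."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def summarize(log_text):
    """Count CONNECT tunnels by whether SNI was logged and whether a category was assigned."""
    c = {"connect": 0, "ip_only": 0, "sni": 0, "categorized": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        c["connect"] += 1
        c["ip_only" if is_ip_literal(rec["host"]) else "sni"] += 1
        if rec["notes"].get("ws-categories", "0") != "0":
            c["categorized"] += 1
    return c
```

Running summarize() over a full access.log from each VM gives a quick check of whether SNI is being peeked at all: a transparent, non-decrypting box that is working should show mostly "sni" tunnels, while one where every CONNECT is "ip_only" cannot apply hostname-based policy.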

rafael....@diladele.com

Jun 3, 2023, 2:50:38 AM
to Diladele Web Safety
Hello Steve,

From the point of view of the Admin UI, the generated config for HTTPS decryption in case of transparent interception is the same in both 8.2 and 8.5 versions, so it might be related somehow to maybe a small difference in configs. If you do not mind, you can send me the Admin UI / Squid / General / Verification tab from both machines (as text) to sup...@diladele.com

I will then run the diff to see what is different in both versions - maybe the order or decryption rules...

The transparent interception is not part of the acceptance test suite in our test lab - we only deploy it when making tutorials - and there were not a lot of changes in that area lately anyway :(

Best regards,
Rafael

rafael....@diladele.com

Jun 3, 2023, 2:51:51 AM
to Diladele Web Safety
And what method did you use to deploy the transparent interception? Does your proxy VM act as a gateway for the test machines, or some other way like WCCP, PBR?

Steve Cleary

Jun 4, 2023, 11:34:49 AM
to Diladele Web Safety
Awesome - thanks Rafael! Really appreciate the fast response! I'll send you the outputs of the verification lab later today.

Steve

rafael....@diladele.com

Jun 5, 2023, 6:10:21 AM
to Diladele Web Safety