start transaction -------------------
  transaction ID=7219863 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:35 UTC
  POST https://beacons4.gvt2.com/domainreliability/upload
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP REQMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 852 ms
    Checkpoint timings:
      new-connection: start 16 elapsed 0 ms
      client-in: start 16 elapsed 0 ms
      server-out: start 16 elapsed 0 ms
      server-in: start 425 elapsed 0 ms
      client-out-terminated: start 852 elapsed 0 ms
      access-logging: start 852 elapsed 0 ms
      stop-transaction: start 852 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 16
    server connection: start 16
    DNS Lookup: start 16 elapsed 0 ms
    server connection: connected 425 first-byte 851 last_byte 851
    client connection: first-response-byte 0 last-response-byte 852
    Total time added: 1 ms
    Total latency to first byte: 409 ms
    Request latency: 0 ms
    OCS connect time: 409 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219867 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:35 UTC
  POST https://beacons4.gvt2.com/domainreliability/upload
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP REQMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 574 ms
    Checkpoint timings:
      new-connection: start 9 elapsed 0 ms
      client-in: start 10 elapsed 0 ms
      server-out: start 10 elapsed 0 ms
      server-in: start 417 elapsed 0 ms
      client-out-terminated: start 573 elapsed 0 ms
      access-logging: start 574 elapsed 0 ms
      stop-transaction: start 574 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 10
    server connection: start 10
    DNS Lookup: start 10 elapsed 0 ms
    server connection: connected 417 first-byte 573 last_byte 573
    client connection: first-response-byte 0 last-response-byte 574
    Total time added: 1 ms
    Total latency to first byte: 407 ms
    Request latency: 0 ms
    OCS connect time: 407 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219868 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:35 UTC
  POST https://clients2.google.com/domainreliability/upload
  DNS lookup was unrestricted
  Content-Length: 603
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP REQMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 524 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 1 elapsed 0 ms
      server-out: start 1 elapsed 0 ms
      server-in: start 392 elapsed 0 ms
      client-out-terminated: start 523 elapsed 0 ms
      access-logging: start 524 elapsed 0 ms
      stop-transaction: start 524 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 0
    ICAP Request Scan: start 1 delay 0 finish 1
    server connection: start 1
    DNS Lookup: start 1 elapsed 0 ms
    server connection: connected 392 first-byte 523 last_byte 523
    client connection: first-response-byte 0 last-response-byte 524
    Total time added: 1 ms
    Total latency to first byte: 391 ms
    Request latency: 0 ms
    OCS connect time: 391 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219835 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:34 UTC
  POST https://beacons5.gvt2.com/domainreliability/upload
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP REQMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 1476 ms
    Checkpoint timings:
      new-connection: start 9 elapsed 0 ms
      client-in: start 9 elapsed 0 ms
      server-out: start 9 elapsed 0 ms
      server-in: start 1050 elapsed 0 ms
      client-out-terminated: start 1475 elapsed 0 ms
      access-logging: start 1476 elapsed 0 ms
      stop-transaction: start 1476 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 9
    server connection: start 9
    DNS Lookup: start 9 elapsed 0 ms
    server connection: connected 1050 first-byte 1475 last_byte 1475
    client connection: first-response-byte 0 last-response-byte 1476
    Total time added: 1 ms
    Total latency to first byte: 1041 ms
    Request latency: 0 ms
    OCS connect time: 1041 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219881 type=ssl.tunnel
  transaction handed off from: 7219880
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  late: [builtin-prolog:335]
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=(value undetermined)
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  unknown ssl://hangouts.google.com:443/
  DNS lookup was unrestricted
  user: name="5227" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Either 'deny' or 'exception' was matched in policy
  url.category: Socail Media Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat
    total categorization time: 0
    static categorization time: 0
  application.name: Google Hangouts
  application.operation: none
  application.group: Instant Messaging;VoIP
  DSCP client outbound: 65
  DSCP server outbound: 65
  Transaction timing: total-transaction-time 1 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 1 elapsed 0 ms
      client-out-terminated: start 1 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 0
stop transaction --------------------

start transaction -------------------
  transaction ID=7219853 type=http.proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: category="WhiteList Dangerous Files"
  miss: url.threat_risk.level=6..10
  miss: category=("Dynamic DNS Host", Gambling, Hacking, "Mixed Content/Potentially Adult", "Piracy/Copyright Concerns", Placeholders, "Web Ads/Analytics", "Web Hosting", none, pending)
  miss: category=("File Storage/Sharing", "Software Downloads")
  miss: category=("File Storage/Sharing", "Software Downloads")
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_secure_connection
  MATCH: response.icap_service.secure_connection(auto)
  Called policy definition: BC_malware_scanner
  MATCH: response.icap_service(bluecoat-local-response, fail-closed)
  Called policy definition: BC_malware_scanning_HighPerformance
  MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end)
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080
client.address=172.25.25.38 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:35 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bcd0a71455b866c8 DNS lookup was unrestricted User-Agent: Microsoft-CryptoAPI/6.1 user: name="404" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Clean Blacklist@Policy;none@YouTube;Non-Viewable/Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: Microsoft Update application.operation: Update Software application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1215 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms server-out: start 4 elapsed 0 ms server-in: start 1215 elapsed 0 ms client-out-terminated: start 1215 elapsed 0 ms access-logging: start 1215 elapsed 0 ms stop-transaction: start 1215 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 server connection: start 4 DNS Lookup: start 4 elapsed 0 ms server connection: connected 1120 first-byte 1215 last_byte 1215 client connection: first-response-byte 0 last-response-byte 1215 Total time added: 0 ms Total latency to first byte: 1116 ms Request latency: 0 ms OCS connect time: 1116 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219877 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 
variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: 
client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 
bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:35 UTC POST https://clients2.google.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 359 ms Checkpoint timings: new-connection: start 7 elapsed 0 ms client-in: start 7 elapsed 1 ms server-out: start 8 elapsed 0 ms server-in: start 253 elapsed 0 ms client-out-terminated: start 358 elapsed 0 ms access-logging: start 359 elapsed 0 ms stop-transaction: start 359 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 7 server connection: start 8 DNS Lookup: start 8 elapsed 0 ms server connection: connected 253 first-byte 358 last_byte 358 client connection: first-response-byte 0 last-response-byte 359 Total time added: 2 ms Total latency to first byte: 246 
ms Request latency: 1 ms OCS connect time: 245 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219892 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate 
Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: 
response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC CONNECT tcp://beacons5.gvt3.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Content Servers@Blue Coat total categorization time: 0 static categorization time: 0 
server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 9 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 8 elapsed 1 ms stop-transaction: start 9 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 8 stop transaction -------------------- start transaction ------------------- transaction ID=7219879 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: 
client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://beacons5.gvt3.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Content Servers@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 
application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 327 ms Checkpoint timings: new-connection: start 7 elapsed 0 ms client-in: start 7 elapsed 0 ms server-out: start 7 elapsed 0 ms server-in: start 190 elapsed 0 ms client-out-terminated: start 326 elapsed 0 ms access-logging: start 326 elapsed 1 ms stop-transaction: start 327 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 7 server connection: start 7 DNS Lookup: start 7 elapsed 0 ms server connection: connected 190 first-byte 326 last_byte 326 client connection: first-response-byte 0 last-response-byte 326 Total time added: 0 ms Total latency to first byte: 183 ms Request latency: 0 ms OCS connect time: 183 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219870 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: 
condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: 
response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:35 UTC POST https://www.bing.com/AS/IEOneBox/xls.aspx DNS lookup was unrestricted Referer: https://www.bing.com/AS/API/IEOneBox/V2/Init?setlang=en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; ServiceUI 14) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 204 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 630 ms Checkpoint timings: new-connection: start 2 elapsed 0 ms client-in: start 2 elapsed 1 ms server-out: start 3 elapsed 0 ms server-in: start 400 elapsed 0 ms client-out-terminated: start 630 elapsed 0 ms access-logging: start 630 elapsed 0 ms stop-transaction: start 630 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 2 server connection: start 3 DNS Lookup: start 3 elapsed 0 ms server connection: connected 400 first-byte 629 last_byte 630 client connection: first-response-byte 0 last-response-byte 630 Total time added: 1 ms Total latency to first byte: 398 ms Request latency: 1 ms OCS connect time: 397 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219884 type=ssl.tunnel transaction handed off from: 7219883 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 
variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: request.application.name=Gmail miss: request.application.name="Google Drive" miss: client.address=Remote-users miss: request.application.name="Yahoo Mail" miss: request.application.name=Outlook.com miss: request.application.name=Facebook miss: category="Talent Group" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: request.application.name=Teamviewer miss: client.address="Google Maps users" miss: request.application.name=WeTransfer miss: category=(Music, Sports) miss: request.application.name=YouTube miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: 
category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) MATCH: ALLOW client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.6 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted origin server next-hop IP address=40.77.226.250 user: name="3187" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none 
application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 230 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 230 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 228 url_categorization complete time: 0 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 104 Total time added: 0 ms Total latency to first byte: 103 ms Request latency: 0 ms OCS connect time: 103 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219875 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: 
condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: 
condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:35 UTC POST https://beacons4.gvt2.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: 
none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 515 ms Checkpoint timings: new-connection: start 8 elapsed 0 ms client-in: start 8 elapsed 0 ms server-out: start 8 elapsed 0 ms server-in: start 371 elapsed 0 ms client-out-terminated: start 514 elapsed 0 ms access-logging: start 515 elapsed 0 ms stop-transaction: start 515 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 8 server connection: start 8 DNS Lookup: start 8 elapsed 0 ms server connection: connected 371 first-byte 514 last_byte 514 client connection: first-response-byte 0 last-response-byte 515 Total time added: 1 ms Total latency to first byte: 363 ms Request latency: 0 ms OCS connect time: 363 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219893 type=ssl.tunnel transaction handed off from: 7219892 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) 
server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", 
"Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: 
dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC unknown ssl://beacons5.gvt3.com:443/ DNS lookup was unrestricted origin server next-hop IP address=45.240.64.55 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Content Servers@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 173 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 173 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 173 url_categorization complete time: 0 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 45 Total time added: 0 ms Total latency to first byte: 44 ms Request latency: 0 ms OCS connect time: 44 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219891 type=https.forward-proxy transaction handed off from: 7219882 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] 
MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious 
Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception) miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: 
response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC GET https://hangouts.google.com/webchat/u/0/host-js?prop=gmail&b=1&zx=stjwx3m88yhx DNS lookup was unrestricted Referer: https://mail.google.com/mail/u/0/?tab=rm&ogbl User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 user: name="5227" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat total categorization time: 0 static 
categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 302 client.response.code: 403 application.name: Google Hangouts application.operation: none application.group: Instant Messaging;VoIP DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 231 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 1 ms server-out: start 4 elapsed 0 ms server-in: start 4 elapsed 0 ms client-out-terminated: start 230 elapsed 0 ms access-logging: start 231 elapsed 0 ms stop-transaction: start 231 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 3 server connection: start 4 DNS Lookup: start 4 elapsed 0 ms server connection: connected 4 first-byte 230 last_byte 230 client connection: first-response-byte 0 last-response-byte 231 Total time added: 2 ms Total latency to first byte: 1 ms Request latency: 1 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219905 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: 
condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.90 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="2484" realm=iwa_direct authentication start 2 elapsed 0 ms authorization start 2 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 6 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 2 elapsed 0 ms access-logging: start 6 elapsed 0 ms stop-transaction: start 6 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 2 client connection: first-response-byte 0 
last-response-byte 6 stop transaction -------------------- start transaction ------------------- transaction ID=7219906 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp 
users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.9 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="878" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media 
Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 7 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 7 elapsed 0 ms stop-transaction: start 7 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7219903 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: 
condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: 
client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.206 proxy.port=8080 client.interface=1:0.1 
routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC CONNECT tcp://clients4.google.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="8305" realm=iwa_direct authentication start 75 elapsed 0 ms authorization start 75 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 81 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 72 ms access-logging: start 81 elapsed 0 ms stop-transaction: start 81 elapsed 0 ms Total Policy evaluation time: 72 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 81 stop transaction -------------------- start transaction ------------------- transaction ID=7219897 type=https.forward-proxy transaction handed off from: 7219885 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) 
server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: request.application.name=Gmail miss: request.application.name="Google Drive" miss: client.address=Remote-users miss: request.application.name="Yahoo Mail" miss: request.application.name=Outlook.com miss: request.application.name=Facebook miss: category="Talent Group" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: request.application.name=Teamviewer miss: client.address="Google Maps users" miss: request.application.name=WeTransfer miss: category=(Music, Sports) miss: request.application.name=YouTube miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) MATCH: ALLOW client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level 
"high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.6 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://v10.vortex-win.data.microsoft.com/collect/v1 DNS lookup was unrestricted origin server next-hop IP address=40.77.226.250 User-Agent: MSDW user: name="3187" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 246 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 95 
elapsed 0 ms server-out: start 246 elapsed 0 ms server-in: start 246 elapsed 0 ms access-logging: start 246 elapsed 0 ms stop-transaction: start 246 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 95 server connection: start 246 DNS Lookup: start 246 elapsed 0 ms server connection: connected 246 client connection: first-response-byte 0 last-response-byte 246 Total time added: 151 ms Total latency to first byte: 151 ms Request latency: 151 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219886 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) 
authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: 
BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://beacons3.gvt2.com/domainreliability/upload DNS lookup was unrestricted Content-Length: 578 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 
server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 441 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 290 elapsed 0 ms client-out-terminated: start 440 elapsed 0 ms access-logging: start 441 elapsed 0 ms stop-transaction: start 441 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 ICAP Request Scan: start 1 delay 0 finish 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 290 first-byte 440 last_byte 440 client connection: first-response-byte 0 last-response-byte 441 Total time added: 1 ms Total latency to first byte: 289 ms Request latency: 0 ms OCS connect time: 289 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219896 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: 
policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: 
response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://beacons5.gvt3.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct 
authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Content Servers@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 337 ms Checkpoint timings: new-connection: start 8 elapsed 0 ms client-in: start 8 elapsed 0 ms server-out: start 8 elapsed 0 ms server-in: start 180 elapsed 0 ms client-out-terminated: start 336 elapsed 0 ms access-logging: start 337 elapsed 0 ms stop-transaction: start 337 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 8 server connection: start 8 DNS Lookup: start 8 elapsed 0 ms server connection: connected 180 first-byte 336 last_byte 336 client connection: first-response-byte 0 last-response-byte 337 Total time added: 1 ms Total latency to first byte: 172 ms Request latency: 0 ms OCS connect time: 172 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219871 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] miss: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 
variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, 
Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance miss: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' 
policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance miss: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.71 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:35 UTC GET https://vcsa.vmware.com/ph/api/ui/send/?e_c=click&e_a=element&e_n=div.modal-backdrop.center-children-disabled:nth-child(4)+>+div.vui-wizard.default-text.vui-modal-element.advanced-features-enabled.maximizable.resizable.draggable.ui-resizable.ui-draggable+>+div.wizard-modal-body:nth-child(2)+>+div.wizard-content-container:nth-child(2)+>+div.wizard-content:nth-child(2)+>+div.nw-edit-dvpg-failover-page+>+dvpg-failover-policy-page.dvpg-failover-page.dvpg-failover-page-expand+>+div.dvpg-failover-page.dvpg-failover-page-expand+>+form.compact.dvpg-failover-page-expand+>+div.dvpg-failover-page-expand.dvpg-failover-page-section:nth-child(3)+>+div.form-group.row.dvpg-failover-page-expand:nth-child(2)+>+div.col-lg-12.col-md-12.dvpg-failover-page-expand+>+div.dvpg-failover-page-failover-order.dvpg-failover-page-expand+>+div.flex-grow-auto.relative-container+>+failover-order.absolute-container+>+div.no-column-header.assigned-adapters-datagrid.failover-order+>+div.k-grid.k-widget+>+div.k-header.k-grid-toolbar+>+div.p DNS lookup was unrestricted origin server next-hop IP 
address=208.91.0.89 Referer: https://192.168.18.144/ui/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0) user: name="4988" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;none@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 201 client.response.code: 201 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 964 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 1 ms server-out: start 2 elapsed 0 ms server-in: start 584 elapsed 0 ms client-out: start 964 elapsed 0 ms access-logging: start 964 elapsed 0 ms stop-transaction: start 964 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 1 server connection: start 2 DNS Lookup: start 2 elapsed 0 ms server connection: connected 584 first-byte 964 last_byte 964 client connection: first-response-byte 964 last-response-byte 964 Total time added: 1 ms Total latency to first byte: 583 ms Request latency: 1 ms OCS connect time: 582 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219898 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: 
url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] miss: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, 
Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy 
definition: BC_malware_scanning_HighPerformance miss: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance miss: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.71 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC GET 
https://vcsa.vmware.com/ph/api/ui/send/?e_c=click&e_a=element&e_n=div.modal-backdrop.center-children-disabled:nth-child(4)+>+div.vui-wizard.default-text.vui-modal-element.advanced-features-enabled.maximizable.resizable.draggable.ui-resizable.ui-draggable+>+div.wizard-modal-body:nth-child(2)+>+div.wizard-content-container:nth-child(2)+>+div.wizard-content:nth-child(2)+>+div.nw-edit-dvpg-failover-page+>+dvpg-failover-policy-page.dvpg-failover-page.dvpg-failover-page-expand+>+div.dvpg-failover-page.dvpg-failover-page-expand+>+form.compact.dvpg-failover-page-expand+>+div.dvpg-failover-page-expand.dvpg-failover-page-section:nth-child(3)+>+div.form-group.row.dvpg-failover-page-expand:nth-child(2)+>+div.col-lg-12.col-md-12.dvpg-failover-page-expand+>+div.dvpg-failover-page-failover-order.dvpg-failover-page-expand+>+div.flex-grow-auto.relative-container+>+failover-order.absolute-container+>+div.no-column-header.assigned-adapters-datagrid.failover-order+>+div.k-grid.k-widget+>+div.k-header.k-grid-toolbar+>+div.p DNS lookup was unrestricted origin server next-hop IP address=208.91.0.89 Referer: https://192.168.18.144/ui/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0) user: name="4988" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 request.header.Referer.url.category: none@Policy;none@YouTube;none@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 201 client.response.code: 201 application.name: none application.operation: none 
application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 362 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 2 elapsed 0 ms server-in: start 2 elapsed 0 ms client-out: start 361 elapsed 0 ms access-logging: start 362 elapsed 0 ms stop-transaction: start 362 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 server connection: start 2 DNS Lookup: start 2 elapsed 0 ms server connection: connected 2 first-byte 361 last_byte 361 client connection: first-response-byte 362 last-response-byte 362 Total time added: 2 ms Total latency to first byte: 2 ms Request latency: 1 ms OCS connect time: 0 ms Response latency (first byte): 1 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219907 type=ssl.tunnel transaction handed off from: 7219905 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: 
client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy 
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.90 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="2484" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7219911 type=ssl.tunnel transaction handed off 
from: 7219903 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright 
Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist 
USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.206 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC unknown ssl://clients4.google.com:443/ DNS lookup was unrestricted origin server next-hop IP address=172.217.17.110 user: name="8305" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 216 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 216 elapsed 0 ms Total Policy evaluation 
time: 0 ms ssl server hello complete: 214 url_categorization complete time: 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 115 Total time added: 0 ms Total latency to first byte: 114 ms Request latency: 0 ms OCS connect time: 114 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219909 type=ssl.tunnel transaction handed off from: 7219906 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: 
client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) 
server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.9 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="878" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7219900 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 
variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: 
client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 
client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://clients2.google.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 363 ms Checkpoint timings: new-connection: start 8 elapsed 0 ms client-in: start 8 elapsed 0 ms server-out: start 8 elapsed 0 ms server-in: start 260 elapsed 0 ms client-out-terminated: start 362 elapsed 0 ms access-logging: start 362 elapsed 1 ms stop-transaction: start 363 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 8 server connection: start 8 DNS Lookup: start 8 elapsed 0 ms server connection: connected 260 first-byte 361 last_byte 361 client connection: first-response-byte 0 last-response-byte 362 Total time added: 1 ms Total latency to first byte: 252 ms Request latency: 0 ms OCS connect time: 252 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219833 type=https.forward-proxy [builtin-prolog:372] MATCH: 
variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_secure_connection
  MATCH: response.icap_service.secure_connection(auto)
  Called policy definition: BC_malware_scanner
  MATCH: response.icap_service(bluecoat-local-response, fail-closed)
  Called policy definition: BC_malware_scanning_HighPerformance
  MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end)
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=2
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.136 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:34 UTC
  GET https://d.la3-c1-ia2.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=58de9864-b63b-449d-b08c-1b66ff9d6427&r=862&Availability.prefix=Visitor&Availability.ids=[57334000000GnMs]&callback=liveagent._.handlePing&deployment_id=57234000000CbD2&org_id=00D3000000001lK&version=45
  DNS lookup was unrestricted
  rewritten URL(s):
    cache_url=https://d.la3-c1-ia2.salesforceliveagent.com/chat/rest/Visitor/Availability.jsonp?sid=58de9864-b63b-449d-b08c-1b66ff9d6427&r=862&Availability.prefix=Visitor&Availability.ids=[57334000000GnMs]&callback=liveagent._.handlePing&deployment_id=57234000000CbD2&org_id=00D3000000001lK&version=45&bcsi_scan_d9ffd99e1b9d0f43=ZwcDtuBR8t8U9bAH0CvDC+bPhKsBAAAAeSpuAA==
  origin server next-hop IP address=13.110.34.30
  Referer: https://www.fortinet.com/support/contact.html
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="8439" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  url.category: none@Policy;none@YouTube;Business/Economy@Blue Coat total categorization time: 1 static categorization time: 1
  request.header.Referer.url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Business/Economy@Blue Coat total categorization time: 1 static categorization time: 1
  server.response.code: 200
  client.response.code: 200
  application.name: none application.operation: none application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  ICAP RESPMOD Scan Summary: Error code: none
  Transaction timing: total-transaction-time 2126 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 1 elapsed 47 ms
      server-out: start 48 elapsed 0 ms
      server-in: start 1936 elapsed 0 ms
      client-out: start 2125 elapsed 0 ms
      access-logging: start 2125 elapsed 1 ms
      stop-transaction: start 2126 elapsed 0 ms
    Total Policy evaluation time: 48 ms
    url_categorization complete time: 1
    ICAP Response Scan: start 2124 delay 0 finish 2125
    server connection: start 48
    DNS Lookup: start 48 elapsed 0 ms
    server connection: connected 1936 first-byte 2123 last_byte 2124
    client connection: first-response-byte 2125 last-response-byte 2125
    Total time added: 48 ms
    Total latency to first byte: 1937 ms
    Request latency: 47 ms
    OCS connect time: 1888 ms
    Response latency (first byte): 2 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219922 type=http.proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=3
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=3
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.144 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  CONNECT tcp://ib.qnbalahli.com:443/
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="2552" realm=iwa_direct
  authentication start 4 elapsed 0 ms
  authorization start 4 elapsed 0 ms
  authentication status='none' authorization status='none'
  url.category: none@Policy;none@YouTube;Financial Services@Blue Coat total categorization time: 0 static categorization time: 0
  server.response.code: 0
  client.response.code: 200
  application.name: none application.operation: none application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 9 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 3 elapsed 1 ms
      access-logging: start 9 elapsed 0 ms
      stop-transaction: start 9 elapsed 0 ms
    Total Policy evaluation time: 1 ms
    url_categorization complete time: 3
    client connection: first-response-byte 0 last-response-byte 9
stop transaction --------------------

start transaction -------------------
  transaction ID=7219923 type=http.proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=3
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=3
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.144 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  CONNECT tcp://ib.qnbalahli.com:443/
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="2552" realm=iwa_direct
  authentication start 5 elapsed 0 ms
  authorization start 5 elapsed 0 ms
  authentication status='none' authorization status='none'
  url.category: none@Policy;none@YouTube;Financial Services@Blue Coat total categorization time: 0 static categorization time: 0
  server.response.code: 0
  client.response.code: 200
  application.name: none application.operation: none application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 12 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 5 elapsed 0 ms
      access-logging: start 11 elapsed 1 ms
      stop-transaction: start 12 elapsed 0 ms
    Total Policy evaluation time: 1 ms
    url_categorization complete time: 5
    client connection: first-response-byte 0 last-response-byte 11
stop transaction --------------------

start transaction -------------------
  transaction ID=7219928 type=http.proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  MATCH: ALLOW request.application.name="Office 365 General"
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.149 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  CONNECT tcp://v10.vortex-win.data.microsoft.com:443/
  DNS lookup was unrestricted
  user: name="854" realm=iwa_direct
  authentication start 3 elapsed 0 ms
  authorization start 3 elapsed 0 ms
  authentication status='none' authorization status='none'
  url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0
  server.response.code: 0
  client.response.code: 200
  application.name: Office 365 General application.operation: none application.group: Online Productivity Suite
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 7 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 3 elapsed 0 ms
      access-logging: start 7 elapsed 0 ms
      stop-transaction: start 7 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 3
    client connection: first-response-byte 0 last-response-byte 7
stop transaction --------------------

start transaction -------------------
  transaction ID=7219917 type=https.forward-proxy
  transaction handed off from: 7219912
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_secure_connection
  MATCH: response.icap_service.secure_connection(auto)
  Called policy definition: BC_malware_scanner
  MATCH: response.icap_service(bluecoat-local-response, fail-closed)
  Called policy definition: BC_malware_scanning_HighPerformance
  MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end)
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.206 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  POST https://clients4.google.com/chrome-sync/experimentstatus
  DNS lookup was unrestricted
  Content-Length: 13
  User-Agent: Chrome WIN 75.0.3770.100 (cd0b15c8b6a4e70c44e27f35c37a4029bad3e3b0-refs/branch-heads/3770@{#1033}) channel(stable)
  user: name="8305" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none application.operation: none application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  ICAP REQMOD Scan Summary: Error code: none
  Transaction timing: total-transaction-time 348 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 107 elapsed 0 ms
      server-out: start 223 elapsed 0 ms
      server-in: start 223 elapsed 0 ms
      client-out-terminated: start 347 elapsed 0 ms
      access-logging: start 347 elapsed 1 ms
      stop-transaction: start 348 elapsed 0 ms
    Total Policy evaluation time: 1 ms
    url_categorization complete time: 107
    ICAP Request Scan: start 223 delay 0 finish 223
    server connection: start 223
    DNS Lookup: start 223 elapsed 0 ms
    server connection: connected 223 first-byte 346 last_byte 347
    client connection: first-response-byte 0 last-response-byte 347
    Total time added: 116 ms
    Total latency to first byte: 116 ms
    Request latency: 116 ms
    OCS connect time: 0 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 0 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219915 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  POST https://beacons4.gvt2.com/domainreliability/upload
  DNS lookup was unrestricted
  Content-Length: 578
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none' authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none application.operation: none application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  ICAP REQMOD Scan Summary: Error code: none
  Transaction timing: total-transaction-time 480 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 1 elapsed 0 ms
      server-out: start 1 elapsed 0 ms
      server-in: start 345 elapsed 0 ms
      client-out-terminated: start 479 elapsed 0 ms
      access-logging: start 480 elapsed 0 ms
      stop-transaction: start 480 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 0
    ICAP Request Scan: start 1 delay 0 finish 1
    server connection: start 1
    DNS Lookup: start 1 elapsed 0 ms
    server connection: connected 345 first-byte 479 last_byte 479
    client connection: first-response-byte 0 last-response-byte 480
    Total time added: 1 ms
    Total latency to first byte: 344 ms
    Request latency: 0 ms
    OCS connect time: 344 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219920 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss:
category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://clients2.google.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default 
secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 371 ms Checkpoint timings: new-connection: start 9 elapsed 0 ms client-in: start 9 elapsed 1 ms server-out: start 10 elapsed 0 ms server-in: start 247 elapsed 0 ms client-out-terminated: start 370 elapsed 0 ms access-logging: start 371 elapsed 0 ms stop-transaction: start 371 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 9 server connection: start 10 DNS Lookup: start 10 elapsed 0 ms server connection: connected 247 first-byte 370 last_byte 370 client connection: first-response-byte 0 last-response-byte 371 Total time added: 2 ms Total latency to first byte: 238 ms Request latency: 1 ms OCS connect time: 237 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219929 type=ssl.tunnel transaction handed off from: 7219928 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: 
t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: 
BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.149 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:37 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="854" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: 
none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction ID=7219933 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, 
Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: 
condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:37 UTC CONNECT tcp://0.client-channel.google.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 5 elapsed 0 ms authorization 
start 5 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 9 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 5 elapsed 0 ms access-logging: start 9 elapsed 0 ms stop-transaction: start 9 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 5 client connection: first-response-byte 0 last-response-byte 9 stop transaction -------------------- start transaction ------------------- transaction ID=7219921 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: 
client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist MATCH: ALLOW category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: 
client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' 
policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=2 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.35 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC GET https://vmp.boldchat.com/aid/446067838964256264/bc.vm?script=true&blur=true&poll=485000&pvid=443911095942180101T46F0D252C009E8B8CA861D027519DDE23AAC9731718F06A18D800FA627F796FA67ED4CC7F8BE8922BE4C30D218C960568198C482B77AF187D8AAAE201C9D6FAD&bdid=0.2622291103692589&0.2622291103692589_cbdid=442093415623760739&1563199596986&_bcvm_vrid_=true&_bcvm_vid_446067838964256264=1563199596871S443911063627715089T4B8F62B1B5903DB8E875BEEC4C84203F5FAC6E0BCA154B001C0F2240E3DB223E482DD0CAB4A2128A3D2CE3FF329CE6021BF8994B9B42BEEF2A0AD86C8F3B4D3D&_bcvm_vrid_446067838964256264=1563199596871S443910127573885965TD1F54D9CF2887067BCC5699A7B36E8B0C76AD3075245F132D743D1DEDAEDCBDF45F24D7FA79A0DE55CE008EBE3619BE421C4E3B98B36B1EC7B469937CF5BEF39&curl=url%3Dhttps%253A//support.opentext.com/portal/site/css%253FticketId%253D4211272& DNS lookup was unrestricted rewritten URL(s): 
cache_url=https://vmp.boldchat.com/aid/446067838964256264/bc.vm?script=true&blur=true&poll=485000&pvid=443911095942180101T46F0D252C009E8B8CA861D027519DDE23AAC9731718F06A18D800FA627F796FA67ED4CC7F8BE8922BE4C30D218C960568198C482B77AF187D8AAAE201C9D6FAD&bdid=0.2622291103692589&0.2622291103692589_cbdid=442093415623760739&1563199596986&_bcvm_vrid_=true&_bcvm_vid_446067838964256264=1563199596871S443911063627715089T4B8F62B1B5903DB8E875BEEC4C84203F5FAC6E0BCA154B001C0F2240E3DB223E482DD0CAB4A2128A3D2CE3FF329CE6021BF8994B9B42BEEF2A0AD86C8F3B4D3D&_bcvm_vrid_446067838964256264=1563199596871S443910127573885965TD1F54D9CF2887067BCC5699A7B36E8B0C76AD3075245F132D743D1DEDAEDCBDF45F24D7FA79A0DE55CE008EBE3619BE421C4E3B98B36B1EC7B469937CF5BEF39&curl=url%3Dhttps%253A%2F%2Fsupport.opentext.com%2Fportal%2Fsite%2Fcss%253FticketId%253D4211272&&bcsi_scan_d9ffd99e1b9d0f43=KV2t08xwP6QtlCeOcfaOPp+JnO8BAAAA0SpuAA== origin server next-hop IP address=67.217.81.1 Referer: https://support.opentext.com/portal/site/css?ticketId=4211272 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 user: name="6422" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: BoldChat application.operation: none application.group: Embedded;Instant Messaging DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: 
total-transaction-time 417 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 42 ms server-out: start 43 elapsed 1 ms server-in: start 44 elapsed 0 ms client-out: start 417 elapsed 0 ms access-logging: start 417 elapsed 0 ms stop-transaction: start 417 elapsed 0 ms Total Policy evaluation time: 43 ms url_categorization complete time: 0 ICAP Response Scan: start 291 delay 0 finish 417 server connection: start 44 DNS Lookup: start 44 elapsed 0 ms server connection: connected 44 first-byte 291 last_byte 291 client connection: first-response-byte 417 last-response-byte 417 Total time added: 169 ms Total latency to first byte: 169 ms Request latency: 43 ms OCS connect time: 0 ms Response latency (first byte): 126 ms Response latency (last byte): 126 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219890 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: 
condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: 
trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:36 UTC POST https://beacons5.gvt2.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total 
categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 1103 ms Checkpoint timings: new-connection: start 8 elapsed 0 ms client-in: start 9 elapsed 0 ms server-out: start 9 elapsed 0 ms server-in: start 666 elapsed 0 ms client-out-terminated: start 1102 elapsed 0 ms access-logging: start 1103 elapsed 0 ms stop-transaction: start 1103 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 9 server connection: start 9 DNS Lookup: start 9 elapsed 0 ms server connection: connected 666 first-byte 1102 last_byte 1102 client connection: first-response-byte 0 last-response-byte 1103 Total time added: 1 ms Total latency to first byte: 657 ms Request latency: 0 ms OCS connect time: 657 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219931 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] miss: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: 
condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: 
condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance miss: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance miss: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.71 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:37 UTC GET https://vcsa.vmware.com/ph/api/ui/send/?e_c=click&e_a=element&e_n=div.modal-backdrop.center-children-disabled:nth-child(4)+>+div.vui-wizard.default-text.vui-modal-element.advanced-features-enabled.maximizable.resizable.draggable.ui-resizable.ui-draggable+>+div.wizard-modal-body:nth-child(2)+>+div.wizard-content-container:nth-child(2)+>+div.wizard-content:nth-child(2)+>+div.nw-edit-dvpg-failover-page+>+dvpg-failover-policy-page.dvpg-failover-page.dvpg-failover-page-expand+>+div.dvpg-failover-page.dvpg-failover-page-expand+>+form.compact.dvpg-failover-page-expand+>+div.dvpg-failover-page-expand.dvpg-failover-page-section:nth-child(3)+>+div.form-group.row.dvpg-failover-page-expand:nth-child(2)+>+div.col-lg-12.col-md-12.dvpg-failover-page-expand+>+div.dvpg-failover-page-failover-order.dvpg-failover-page-expand+>+div.flex-grow-auto.relative-container+>+failover-order.absolute-container+>+div.no-column-header.assigned-adapters-datagrid.failover-order+>+div.k-grid.k-widget+>+div.k-grid-content.k-auto-scrollabl DNS lookup was unrestricted origin server next-hop IP address=208.91.0.89 Referer: https://192.168.18.144/ui/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 
1.0.0; Zoom 3.6.0) user: name="4988" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 request.header.Referer.url.category: none@Policy;none@YouTube;none@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 201 client.response.code: 201 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 379 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 1 ms server-in: start 2 elapsed 0 ms client-out: start 378 elapsed 0 ms access-logging: start 378 elapsed 1 ms stop-transaction: start 379 elapsed 0 ms Total Policy evaluation time: 2 ms url_categorization complete time: 1 server connection: start 2 DNS Lookup: start 2 elapsed 0 ms server connection: connected 2 first-byte 378 last_byte 378 client connection: first-response-byte 378 last-response-byte 378 Total time added: 1 ms Total latency to first byte: 1 ms Request latency: 1 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219932 type=https.forward-proxy transaction handed off from: 7219930 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: 
variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: 
category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.149 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:37 UTC POST https://v10.vortex-win.data.microsoft.com/collect/v1 DNS lookup was unrestricted origin server next-hop IP address=40.77.226.250 User-Agent: MSDW user: name="854" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean 
Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 242 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 118 elapsed 0 ms server-out: start 242 elapsed 0 ms server-in: start 242 elapsed 0 ms access-logging: start 242 elapsed 0 ms stop-transaction: start 242 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 118 server connection: start 242 DNS Lookup: start 242 elapsed 0 ms server connection: connected 242 client connection: first-response-byte 0 last-response-byte 242 Total time added: 124 ms Total latency to first byte: 124 ms Request latency: 124 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219934 type=ssl.tunnel transaction handed off from: 7219933 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https 
miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: 
request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 
request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:37 UTC unknown ssl://0.client-channel.google.com:443/ DNS lookup was unrestricted origin server next-hop IP address=108.177.119.189 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 233 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 233 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 232 url_categorization complete time: 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 113 Total time added: 0 ms Total latency to first byte: 112 ms Request latency: 0 ms OCS connect time: 112 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219937 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 
variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook 
Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: 
dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:37 UTC POST https://www.bing.com/AS/IEOneBox/xls.aspx DNS lookup was unrestricted Referer: https://www.bing.com/AS/API/IEOneBox/V2/Init?setlang=en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; ServiceUI 14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 1 static categorization time: 1 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 204 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 438 ms Checkpoint timings: new-connection: start 15 elapsed 0 ms client-in: start 16 elapsed 0 ms server-out: start 16 elapsed 0 ms server-in: start 329 elapsed 0 ms client-out-terminated: start 437 elapsed 0 ms access-logging: start 438 elapsed 0 ms stop-transaction: start 438 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 16 server connection: start 16 DNS Lookup: start 16 elapsed 0 ms server connection: connected 329 
first-byte 437 last_byte 437 client connection: first-response-byte 0 last-response-byte 438 Total time added: 1 ms Total latency to first byte: 313 ms Request latency: 0 ms OCS connect time: 313 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219889 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: 
condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:36 UTC
  POST https://beacons5.gvt2.com/domainreliability/upload
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP REQMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 1665 ms
    Checkpoint timings:
      new-connection: start 16 elapsed 0 ms
      client-in: start 16 elapsed 0 ms
      server-out: start 16 elapsed 0 ms
      server-in: start 673 elapsed 0 ms
      client-out-terminated: start 1664 elapsed 0 ms
      access-logging: start 1665 elapsed 0 ms
      stop-transaction: start 1665 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 16
    server connection: start 16
    DNS Lookup: start 16 elapsed 0 ms
    server connection: connected 673 first-byte 1664 last_byte 1664
    client connection: first-response-byte 0 last-response-byte 1665
    Total time added: 1 ms
    Total latency to first byte: 657 ms
    Request latency: 0 ms
    OCS connect time: 657 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219938 type=https.forward-proxy
  transaction handed off from: 7219935
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_secure_connection
  MATCH: response.icap_service.secure_connection(auto)
  Called policy definition: BC_malware_scanner
  MATCH: response.icap_service(bluecoat-local-response, fail-closed)
  Called policy definition: BC_malware_scanning_HighPerformance
  MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end)
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=1
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:37 UTC
  GET https://0.client-channel.google.com/client-channel/gsid
  DNS lookup was unrestricted
  rewritten URL(s): cache_url=https://0.client-channel.google.com/client-channel/gsid?bcsi_scan_d9ffd99e1b9d0f43=dHlRJOcpbCXOs9+s7oVwLAOfgNIBAAAA4ipuAA==
  origin server next-hop IP address=108.177.119.189
  Referer: https://0.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22gmail%22%2C%227%22%3A%22chat_frontend_20190709.06_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%22AOUFjjg0GM%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F0.client-channel.google.com%2Frobots.txt%22%7D
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
  user: name="7168" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Email@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 200
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP RESPMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 484 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 12 elapsed 0 ms
      server-out: start 13 elapsed 0 ms
      server-in: start 13 elapsed 0 ms
      client-out: start 484 elapsed 0 ms
      access-logging: start 484 elapsed 0 ms
      stop-transaction: start 484 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 12
    ICAP Response Scan: start 116 delay 0 finish 484
    server connection: start 13
    DNS Lookup: start 13 elapsed 0 ms
    server connection: connected 13 first-byte 116 last_byte 116
    client connection: first-response-byte 484 last-response-byte 484
    Total time added: 369 ms
    Total latency to first byte: 369 ms
    Request latency: 1 ms
    OCS connect time: 0 ms
    Response latency (first byte): 368 ms
    Response latency (last byte): 368 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219942 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:37 UTC
  POST https://beacons5.gvt3.com/domainreliability/upload
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  user: name="5790" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Content Servers@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  ICAP REQMOD Scan Summary:
    Error code: none
  Transaction timing: total-transaction-time 188 ms
    Checkpoint timings:
      new-connection: start 9 elapsed 0 ms
      client-in: start 9 elapsed 0 ms
      server-out: start 9 elapsed 0 ms
      server-in: start 83 elapsed 0 ms
      client-out-terminated: start 187 elapsed 0 ms
      access-logging: start 188 elapsed 0 ms
      stop-transaction: start 188 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 9
    server connection: start 9
    DNS Lookup: start 9 elapsed 0 ms
    server connection: connected 83 first-byte 187 last_byte 187
    client connection: first-response-byte 0 last-response-byte 188
    Total time added: 1 ms
    Total latency to first byte: 74 ms
    Request latency: 0 ms
    OCS connect time: 74 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 1 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219946 type=http.proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:38 UTC
  CONNECT tcp://hangouts.google.com:443/
  DNS lookup was unrestricted
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
  user: name="5227" realm=iwa_direct
  authentication start 4 elapsed 0 ms
  authorization start 4 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: Socail Media Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 0
  client.response.code: 200
  application.name: Google Hangouts
  application.operation: none
  application.group: Instant Messaging;VoIP
  DSCP client outbound: 65
  DSCP server outbound: 65
  Transaction timing: total-transaction-time 8 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 4 elapsed 0 ms
      access-logging: start 8 elapsed 0 ms
      stop-transaction: start 8 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 4
    client connection: first-response-byte 0 last-response-byte 8
stop transaction --------------------

start transaction -------------------
  transaction ID=7219940 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] miss: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  miss: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  miss: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=2
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=2
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.71 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:37 UTC
  GET https://vcsa.vmware.com/ph/api/ui/send/?e_c=click&e_a=element&e_n=div.modal-backdrop.center-children-disabled:nth-child(4)+>+div.vui-wizard.default-text.vui-modal-element.advanced-features-enabled.maximizable.resizable.draggable.ui-resizable.ui-draggable+>+div.wizard-modal-body:nth-child(2)+>+div.wizard-content-container:nth-child(2)+>+div.wizard-content:nth-child(2)+>+div.nw-edit-dvpg-failover-page+>+dvpg-failover-policy-page.dvpg-failover-page.dvpg-failover-page-expand+>+div.dvpg-failover-page.dvpg-failover-page-expand+>+form.compact.dvpg-failover-page-expand+>+div.dvpg-failover-page-expand.dvpg-failover-page-section:nth-child(3)+>+div.form-group.row.dvpg-failover-page-expand:nth-child(2)+>+div.col-lg-12.col-md-12.dvpg-failover-page-expand+>+div.dvpg-failover-page-failover-order.dvpg-failover-page-expand+>+div.flex-grow-auto.relative-container+>+failover-order.absolute-container+>+div.no-column-header.assigned-adapters-datagrid.failover-order+>+div.k-grid.k-widget+>+div.k-header.k-grid-toolbar+>+div.p
  DNS lookup was unrestricted
  origin server next-hop IP address=208.91.0.89
  Referer: https://192.168.18.144/ui/
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0)
  user: name="4988" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 1
    static categorization time: 1
  request.header.Referer.url.category: none@Policy;none@YouTube;none@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.response.code: 201
  client.response.code: 201
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65
  DSCP server outbound: 65
  Transaction timing: total-transaction-time 329 ms
    Checkpoint timings:
      new-connection: start 1 elapsed 0 ms
      client-in: start 1 elapsed 0 ms
      server-out: start 2 elapsed 0 ms
      server-in: start 2 elapsed 0 ms
      client-out: start 329 elapsed 0 ms
      access-logging: start 329 elapsed 0 ms
      stop-transaction: start 329 elapsed 0 ms
    Total Policy evaluation time: 0 ms
    url_categorization complete time: 1
    server connection: start 2
    DNS Lookup: start 2 elapsed 0 ms
    server connection: connected 2 first-byte 329 last_byte 329
    client connection: first-response-byte 329 last-response-byte 329
    Total time added: 1 ms
    Total latency to first byte: 1 ms
    Request latency: 1 ms
    OCS connect time: 0 ms
    Response latency (first byte): 0 ms
    Response latency (last byte): 0 ms
stop transaction --------------------

start transaction -------------------
  transaction ID=7219943 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_secure_connection
  MATCH: response.icap_service.secure_connection(auto)
  Called policy definition: BC_malware_scanner
  MATCH: response.icap_service(bluecoat-local-response, fail-closed)
  Called policy definition: BC_malware_scanning_HighPerformance
  MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end)
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=1
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:38 UTC
  GET https://0.client-channel.google.com/client-channel/gsid
  DNS lookup was unrestricted
  rewritten URL(s): cache_url=https://0.client-channel.google.com/client-channel/gsid?bcsi_scan_d9ffd99e1b9d0f43=m/f3IbGKVy4JrFJk52cwd+3+JfABAAAA5ypuAA==
  origin server next-hop IP address=108.177.119.189
  Referer: https://0.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22gmail%22%2C%227%22%3A%22chat_frontend_20190709.06_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%22AOUFjjg0GM%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F0.client-channel.google.com%2Frobots.txt%22%7D
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
  user: name="7168" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0
    static
categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 183 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1 elapsed 0 ms client-out: start 183 elapsed 0 ms access-logging: start 183 elapsed 0 ms stop-transaction: start 183 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 ICAP Response Scan: start 79 delay 0 finish 183 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 1 first-byte 78 last_byte 79 client connection: first-response-byte 183 last-response-byte 183 Total time added: 104 ms Total latency to first byte: 105 ms Request latency: 0 ms OCS connect time: 0 ms Response latency (first byte): 105 ms Response latency (last byte): 104 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219948 type=ssl.tunnel transaction handed off from: 7219946 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: 
policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception) miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" 
miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 
request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC unknown ssl://hangouts.google.com:443/ DNS lookup was unrestricted user: name="5227" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Google Hangouts application.operation: none application.group: Instant Messaging;VoIP DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7219854 type=ssl.tunnel transaction handed off from: 7219851 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: 
variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: 
category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:35 UTC unknown ssl://browser.pipe.aria.microsoft.com:443/ DNS lookup was unrestricted user: name="8672" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: 
Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7219952 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: 
condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: 
client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 
request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC GET https://0.client-channel.google.com/client-channel/channel/cbp?ctype=hangouts&prop=gmail&appver=chat_frontend_20190709.06_p0&gsessionid=fg-b0MFH6KyNV0CGCDR011ncgZXAw2RB&VER=8&MODE=init&zx=z39nmllc43dj&t=1 DNS lookup was unrestricted rewritten URL(s): cache_url=https://0.client-channel.google.com/client-channel/channel/cbp?ctype=hangouts&prop=gmail&appver=chat_frontend_20190709.06_p0&gsessionid=fg-b0MFH6KyNV0CGCDR011ncgZXAw2RB&VER=8&MODE=init&zx=z39nmllc43dj&t=1&bcsi_scan_d9ffd99e1b9d0f43=Qml1b2OND2Pdw1kcGppAvdrgbqcBAAAA8CpuAA== origin server next-hop IP address=108.177.119.189 Referer: https://0.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22gmail%22%2C%227%22%3A%22chat_frontend_20190709.06_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%22AOUFjjg0GM%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F0.client-channel.google.com%2Frobots.txt%22%7D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 1 static categorization time: 1 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 
static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 165 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1 elapsed 0 ms client-out: start 165 elapsed 0 ms access-logging: start 165 elapsed 0 ms stop-transaction: start 165 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 ICAP Response Scan: start 164 delay 0 finish 165 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 1 first-byte 151 last_byte 164 client connection: first-response-byte 165 last-response-byte 165 Total time added: 1 ms Total latency to first byte: 14 ms Request latency: 0 ms OCS connect time: 0 ms Response latency (first byte): 14 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219947 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: 
t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted 
Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC POST https://beacons5.gvt3.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Content Servers@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 346 ms Checkpoint timings: new-connection: start 17 elapsed 0 ms client-in: start 17 elapsed 0 ms server-out: start 17 elapsed 0 ms server-in: start 103 elapsed 0 ms client-out-terminated: start 345 elapsed 1 ms access-logging: start 346 elapsed 0 ms stop-transaction: start 346 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 17 server connection: start 17 DNS Lookup: start 17 elapsed 0 ms server connection: connected 103 first-byte 345 last_byte 345 client connection: first-response-byte 0 last-response-byte 346 Total time added: 1 ms Total latency to first byte: 86 ms Request latency: 0 ms OCS connect time: 86 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219953 type=https.forward-proxy transaction handed off from: 7219949 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: 
request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious 
Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception) miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: 
response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC GET https://hangouts.google.com/webchat/u/0/host-js?prop=gmail&b=1&zx=s5fm6dl72wf DNS lookup was unrestricted Referer: https://mail.google.com/mail/u/0/?tab=rm&ogbl User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 user: name="5227" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat total categorization time: 0 static categorization 
time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 302 client.response.code: 403 application.name: Google Hangouts application.operation: none application.group: Instant Messaging;VoIP DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 259 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 1 ms server-out: start 4 elapsed 0 ms server-in: start 4 elapsed 0 ms client-out-terminated: start 257 elapsed 0 ms access-logging: start 258 elapsed 1 ms stop-transaction: start 259 elapsed 0 ms Total Policy evaluation time: 2 ms url_categorization complete time: 3 server connection: start 4 DNS Lookup: start 4 elapsed 0 ms server connection: connected 4 first-byte 257 last_byte 257 client connection: first-response-byte 0 last-response-byte 258 Total time added: 2 ms Total latency to first byte: 1 ms Request latency: 1 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219958 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: 
condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.70 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="6271" realm=iwa_direct authentication start 118 elapsed 0 ms authorization start 118 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 123 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 114 ms access-logging: start 123 elapsed 0 ms stop-transaction: start 123 elapsed 0 ms Total Policy evaluation time: 114 ms url_categorization complete time: 4 client connection: 
first-response-byte 0 last-response-byte 123 stop transaction -------------------- start transaction ------------------- transaction ID=7219957 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", 
Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of 
transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC POST https://clients2.google.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 540 ms Checkpoint timings: new-connection: start 9 elapsed 0 ms client-in: start 10 elapsed 0 ms server-out: start 10 elapsed 0 ms server-in: start 273 elapsed 0 ms client-out-terminated: start 539 elapsed 0 ms access-logging: start 540 elapsed 0 ms stop-transaction: start 540 elapsed 0 ms 
Total Policy evaluation time: 0 ms url_categorization complete time: 10 server connection: start 10 DNS Lookup: start 10 elapsed 0 ms server connection: connected 273 first-byte 539 last_byte 539 client connection: first-response-byte 0 last-response-byte 540 Total time added: 1 ms Total latency to first byte: 263 ms Request latency: 0 ms OCS connect time: 263 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219964 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: 
client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.119 
proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="7512" realm=iwa_direct authentication start 3 elapsed 1 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 8 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 1 ms access-logging: start 7 elapsed 1 ms stop-transaction: start 8 elapsed 0 ms Total Policy evaluation time: 2 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7219959 type=ssl.tunnel transaction handed off from: 7219958 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: 
policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.70 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="6271" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: 
new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction ID=7219968 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: 
client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: condition="Symantec APP" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: 
service.name=Explicit-8080 client.address=172.25.25.25 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC CONNECT tcp://roaming.officeapps.live.com:443/ DNS lookup was unrestricted user: name="1942" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 7 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 7 elapsed 0 ms stop-transaction: start 7 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7219965 type=ssl.tunnel transaction handed off from: 7219964 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: 
policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.119 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="7512" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: 
new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7219955 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video 
Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted 
Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC GET 
https://0.client-channel.google.com/client-channel/channel/cbp?ctype=hangouts&prop=gmail&appver=chat_frontend_20190709.06_p0&gsessionid=fg-b0MFH6KyNV0CGCDR011ncgZXAw2RB&VER=8&TYPE=xmlhttp&zx=fxv8n99ubtum&t=1 DNS lookup was unrestricted rewritten URL(s): cache_url=https://0.client-channel.google.com/client-channel/channel/cbp?ctype=hangouts&prop=gmail&appver=chat_frontend_20190709.06_p0&gsessionid=fg-b0MFH6KyNV0CGCDR011ncgZXAw2RB&VER=8&TYPE=xmlhttp&zx=fxv8n99ubtum&t=1&bcsi_scan_d9ffd99e1b9d0f43=XG+9w0KKkGx8CK6K5X/rmM2qtAwBAAAA8ypuAA== origin server next-hop IP address=108.177.119.189 Referer: https://0.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22gmail%22%2C%227%22%3A%22chat_frontend_20190709.06_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%22AOUFjjg0GM%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F0.client-channel.google.com%2Frobots.txt%22%7D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 200 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: 
total-transaction-time 1134 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1 elapsed 0 ms client-out: start 1133 elapsed 0 ms access-logging: start 1133 elapsed 1 ms stop-transaction: start 1134 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 0 ICAP Response Scan: start 1132 delay 0 finish 1133 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 1 first-byte 152 last_byte 1132 client connection: first-response-byte 1133 last-response-byte 1133 Total time added: 1 ms Total latency to first byte: 981 ms Request latency: 0 ms OCS connect time: 0 ms Response latency (first byte): 981 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219970 type=ssl.tunnel transaction handed off from: 7219968 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW 
request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: condition="Symantec APP" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: 
BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.25 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC unknown ssl://roaming.officeapps.live.com:443/ DNS lookup was unrestricted origin server next-hop IP address=52.109.32.23 user: name="1942" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 257 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 257 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 255 url_categorization complete time: 0 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 117 Total time added: 0 ms Total latency to first byte: 116 ms Request latency: 0 ms OCS connect time: 116 ms Response latency (first byte): 0 ms Response latency 
(last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219954 type=https.forward-proxy transaction handed off from: 7219855 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: 
client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=2 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction 
procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC POST https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application/bond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-JS-1.5.0&x-apikey=a387cfcf60114a43a7699f9fbb49289e-9bceb9fe-1c06-460f-96c5-6a0b247358bc-7238,ea84b6a3285140258eaeb7caaab5884a-9d3ca75b-b3ee-42b8-a22c-ab0759ad4d38-7330&client-time-epoch-millis=1563199595187 DNS lookup was unrestricted Referer: https://portal.office.com/adminportal/home User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="8672" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 request.header.Referer.url.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: 
total-transaction-time 1219 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 90 elapsed 0 ms server-out: start 237 elapsed 1 ms server-in: start 238 elapsed 0 ms client-out-terminated: start 1218 elapsed 0 ms access-logging: start 1219 elapsed 0 ms stop-transaction: start 1219 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 90 server connection: start 238 DNS Lookup: start 238 elapsed 0 ms server connection: connected 238 first-byte 1218 last_byte 1218 client connection: first-response-byte 0 last-response-byte 1219 Total time added: 149 ms Total latency to first byte: 148 ms Request latency: 148 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219975 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: 
condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: 
dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.177 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8189" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 8 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 7 elapsed 0 ms stop-transaction: start 8 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7219969 type=https.forward-proxy transaction handed off from: 7219960 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: 
variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: 
category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.70 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC POST https://v10.vortex-win.data.microsoft.com/collect/v1 DNS lookup was unrestricted origin server next-hop IP address=64.4.54.254 User-Agent: MSDW user: name="6271" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean 
Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 350 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 97 elapsed 0 ms server-out: start 349 elapsed 0 ms server-in: start 349 elapsed 0 ms access-logging: start 349 elapsed 1 ms stop-transaction: start 350 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 97 server connection: start 349 DNS Lookup: start 349 elapsed 0 ms server connection: connected 349 client connection: first-response-byte 0 last-response-byte 349 Total time added: 252 ms Total latency to first byte: 252 ms Request latency: 252 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219973 type=https.forward-proxy transaction handed off from: 7219966 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: 
condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance 
Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.119 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC POST https://v10.vortex-win.data.microsoft.com/collect/v1 DNS lookup was unrestricted origin server next-hop IP address=64.4.54.254 User-Agent: MSDW user: name="7512" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 332 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 98 elapsed 0 ms server-out: start 331 elapsed 0 ms server-in: 
start 331 elapsed 0 ms access-logging: start 331 elapsed 1 ms stop-transaction: start 332 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 98 server connection: start 331 DNS Lookup: start 331 elapsed 0 ms server connection: connected 331 client connection: first-response-byte 0 last-response-byte 331 Total time added: 233 ms Total latency to first byte: 233 ms Request latency: 233 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219978 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: 
condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps 
users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.144 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC CONNECT tcp://www.googleapis.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="2552" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 9 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 1 ms access-logging: start 9 elapsed 0 ms stop-transaction: start 9 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 9 stop transaction -------------------- start transaction ------------------- transaction ID=7219967 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: 
server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: 
category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.20 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:38 UTC POST https://clients2.google.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5790" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default 
secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 893 ms Checkpoint timings: new-connection: start 16 elapsed 0 ms client-in: start 16 elapsed 0 ms server-out: start 16 elapsed 0 ms server-in: start 269 elapsed 0 ms client-out-terminated: start 892 elapsed 0 ms access-logging: start 893 elapsed 0 ms stop-transaction: start 893 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 16 server connection: start 16 DNS Lookup: start 16 elapsed 0 ms server connection: connected 269 first-byte 892 last_byte 892 client connection: first-response-byte 0 last-response-byte 893 Total time added: 1 ms Total latency to first byte: 253 ms Request latency: 0 ms OCS connect time: 253 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219974 type=https.forward-proxy transaction handed off from: 7219971 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: 
policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: condition="Symantec APP" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: 
category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.25 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc DNS lookup was unrestricted rewritten URL(s): cache_url=https://roaming.officeapps.live.com/rs/RoamingSoapService.svc?bcsi_scan_d9ffd99e1b9d0f43=nThoyE68bHU1RWy0RCVeLP2CK/oBAAAABituAA== 
origin server next-hop IP address=52.109.32.23 Content-Length: 2302 User-Agent: MS-WebServices/1.0 user: name="1942" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 386 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 13 elapsed 1 ms server-out: start 152 elapsed 0 ms server-in: start 152 elapsed 0 ms client-out: start 386 elapsed 0 ms access-logging: start 386 elapsed 0 ms stop-transaction: start 386 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 13 ICAP Response Scan: start 260 delay 0 finish 386 server connection: start 152 DNS Lookup: start 152 elapsed 0 ms server connection: connected 152 first-byte 260 last_byte 260 client connection: first-response-byte 386 last-response-byte 386 Total time added: 265 ms Total latency to first byte: 265 ms Request latency: 139 ms OCS connect time: 0 ms Response latency (first byte): 126 ms Response latency (last byte): 126 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219976 type=ssl.tunnel transaction handed off from: 7219975 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") 
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: 
response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.177 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:39 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8189" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization 
status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7219979 type=ssl.tunnel transaction handed off from: 7219978 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers 
miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" 
miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.144 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 
access_type=unknown time: 2019-07-15 14:06:39 UTC unknown ssl://www.googleapis.com:443/ DNS lookup was unrestricted origin server next-hop IP address=172.217.20.106 user: name="2552" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 240 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 240 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 239 url_categorization complete time: 0 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 123 Total time added: 0 ms Total latency to first byte: 122 ms Request latency: 0 ms OCS connect time: 122 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219987 type=ssl.tunnel transaction handed off from: 7219986 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) late: [builtin-prolog:323] late: [builtin-prolog:329] late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP late: condition=__CondList1Whitelist_SSL_Validation miss: client.protocol=https miss: 
condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg late: request.application.name="Office 365 General" late: condition=__GROUP19 late: condition=__GROUP44 late: condition=__GROUP45 late: condition="__CondList1Allowed APP Users" late: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) late: category=URL_No_ICAP late: category=URL_No_ICAP late: category="Always verify cache" miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=(value undetermined) request.header.Referer.url.threat_risk.effective_level=(value undetermined) server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.30 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC unknown ssl://emailfake.com:443/ user: name="1414" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'force_deny' or 'force_exception' was matched in policy application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 
elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction ID=7219989 type=https.forward-proxy transaction handed off from: 7219988 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) late: [builtin-prolog:323] late: [builtin-prolog:329] late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP late: condition=__CondList1Whitelist_SSL_Validation miss: condition=__CondList1WhiteListHTTPSPort_By_IP late: category="WhiteList SSL special ports" miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg late: request.application.name="Office 365 General" late: condition=__GROUP19 late: condition=__GROUP44 late: condition=__GROUP45 late: condition="__CondList1Allowed APP Users" late: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) late: category=URL_No_ICAP late: category=URL_No_ICAP late: category="Always verify cache" miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=(value undetermined) request.header.Referer.url.threat_risk.effective_level=(value undetermined) 
server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.30 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC GET https://emailfake.com/socket.io/?EIO=3&transport=polling&t=MlrzFP3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 user: name="1414" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'force_deny' or 'force_exception' was matched in policy url.category: none@Policy;none@YouTube;Spam@Blue Coat;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 4 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms server-in: start 4 elapsed 0 ms client-out-terminated: start 4 elapsed 0 ms access-logging: start 4 elapsed 0 ms stop-transaction: start 4 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 client connection: first-response-byte 0 last-response-byte 4 stop transaction -------------------- start transaction ------------------- transaction ID=7219986 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: 
url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ MATCH: variable.url.threat_risk.effective_level=7..10 FORCE_DENY("Denied by risk level : $(cs-threat-risk)") late: condition=__GROUP19 late: condition=__GROUP44 late: condition=__GROUP45 late: condition="__CondList1Allowed APP Users" late: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes late: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Assigned values of 
transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=7 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.30 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC CONNECT tcp://emailfake.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 user: name="1414" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'force_deny' or 'force_exception' was matched in policy url.category: none@Policy;none@YouTube;Spam@Blue Coat;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 16 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms client-out-terminated: start 4 elapsed 0 ms access-logging: start 10 elapsed 0 ms stop-transaction: start 16 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 client connection: first-response-byte 0 last-response-byte 10 stop transaction -------------------- start transaction ------------------- transaction ID=7219990 
type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: 
response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.29 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="5339" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total 
categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 7 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 7 elapsed 0 ms stop-transaction: start 7 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7219985 type=https.forward-proxy transaction handed off from: 7219980 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP 
miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: 
response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.144 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC POST https://www.googleapis.com/oauth2/v4/token DNS lookup was unrestricted Content-Length: 229 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="2552" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 
elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 155 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms server-out: start 4 elapsed 0 ms server-in: start 4 elapsed 0 ms client-out-terminated: start 154 elapsed 1 ms access-logging: start 155 elapsed 0 ms stop-transaction: start 155 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 3 ICAP Request Scan: start 3 delay 0 finish 4 server connection: start 4 DNS Lookup: start 4 elapsed 0 ms server connection: connected 4 first-byte 154 last_byte 155 client connection: first-response-byte 0 last-response-byte 155 Total time added: 1 ms Total latency to first byte: 1 ms Request latency: 1 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219994 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 
variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW 
condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned 
values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC CONNECT tcp://ssl.gstatic.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: Clean Whitelist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 8 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms access-logging: start 8 elapsed 0 ms stop-transaction: start 8 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 client connection: first-response-byte 0 last-response-byte 8 stop transaction -------------------- start transaction ------------------- transaction ID=7219983 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: 
request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: condition="Symantec APP" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp 
users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.25 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 
2019-07-15 14:06:39 UTC POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc DNS lookup was unrestricted rewritten URL(s): cache_url=https://roaming.officeapps.live.com/rs/RoamingSoapService.svc?bcsi_scan_d9ffd99e1b9d0f43=wjVo7IRCIhJdp5Jw/aWvk7Wo9UwBAAAADytuAA== origin server next-hop IP address=52.109.32.23 Content-Length: 15326 User-Agent: MS-WebServices/1.0 user: name="1942" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 354 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1 elapsed 0 ms client-out: start 354 elapsed 0 ms access-logging: start 354 elapsed 0 ms stop-transaction: start 354 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 ICAP Response Scan: start 352 delay 0 finish 354 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 1 first-byte 352 last_byte 352 client connection: first-response-byte 354 last-response-byte 354 Total time added: 2 ms Total latency to first byte: 2 ms Request latency: 0 ms OCS connect time: 0 ms Response latency (first byte): 2 ms Response latency (last byte): 2 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219984 
type=https.forward-proxy transaction handed off from: 7219977 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: 
client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.177 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC POST https://v10.vortex-win.data.microsoft.com/collect/v1 DNS lookup was unrestricted origin server next-hop IP address=64.4.54.254 User-Agent: MSDW user: name="8189" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication 
status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 348 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 92 elapsed 0 ms server-out: start 347 elapsed 0 ms server-in: start 347 elapsed 0 ms access-logging: start 347 elapsed 1 ms stop-transaction: start 348 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 92 server connection: start 347 DNS Lookup: start 347 elapsed 0 ms server connection: connected 347 client connection: first-response-byte 0 last-response-byte 347 Total time added: 255 ms Total latency to first byte: 255 ms Request latency: 255 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7219998 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: 
policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: 
BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8672" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 10 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms access-logging: start 10 elapsed 0 ms stop-transaction: start 10 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 
client connection: first-response-byte 0 last-response-byte 10 stop transaction -------------------- start transaction ------------------- transaction ID=7219995 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information 
Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: 
BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC POST https://0.client-channel.google.com/client-channel/channel/bind?ctype=hangouts&prop=gmail&appver=chat_frontend_20190709.06_p0&gsessionid=fg-b0MFH6KyNV0CGCDR011ncgZXAw2RB&VER=8&RID=37754&CVER=5&zx=fhon4gxw6lgb&t=1 DNS lookup was unrestricted Referer: https://0.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22gmail%22%2C%227%22%3A%22chat_frontend_20190709.06_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%22AOUFjjg0GM%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F0.client-channel.google.com%2Frobots.txt%22%7D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 
elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 153 ms Checkpoint timings: new-connection: start 2 elapsed 0 ms client-in: start 2 elapsed 0 ms server-out: start 2 elapsed 0 ms server-in: start 3 elapsed 0 ms client-out-terminated: start 152 elapsed 1 ms access-logging: start 153 elapsed 0 ms stop-transaction: start 153 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 2 server connection: start 2 DNS Lookup: start 3 elapsed 0 ms server connection: connected 3 first-byte 151 last_byte 152 client connection: first-response-byte 0 last-response-byte 153 Total time added: 1 ms Total latency to first byte: 1 ms Request latency: 0 ms OCS connect time: 1 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220001 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: 
variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video 
Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' 
policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC CONNECT tcp://www.google.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 9 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms access-logging: start 9 elapsed 0 ms stop-transaction: start 9 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 client connection: first-response-byte 0 last-response-byte 9 stop transaction -------------------- start transaction 
------------------- transaction ID=7219996 type=ssl.tunnel transaction handed off from: 7219994 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate 
Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: 
BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=(value undetermined)
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:40 UTC
  unknown ssl://ssl.gstatic.com:443/
  DNS lookup was unrestricted
  user: name="7168" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  DENIED: Either 'deny' or 'exception' was matched in policy
  url.category: Clean Whitelist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 1 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    client-out-terminated: start 1 elapsed 0 ms
  Total Policy evaluation time: 0 ms
  url_categorization complete time: 0
stop transaction --------------------
start transaction -------------------
  transaction ID=7220002 type=ssl.tunnel
  transaction handed off from: 7220001
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:40 UTC
  unknown ssl://www.google.com:443/
  DNS lookup was unrestricted
  origin server next-hop IP address=172.217.168.196
  user: name="7168" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 192 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    server-out: start 1 elapsed 0 ms
    stop-transaction: start 192 elapsed 0 ms
  Total Policy evaluation time: 0 ms
  ssl server hello complete: 190
  url_categorization complete time: 0
  server connection: start 1
  DNS Lookup: start 1 elapsed 0 ms
  server connection: connected 100
  Total time added: 0 ms
  Total latency to first byte: 99 ms
  Request latency: 0 ms
  OCS connect time: 99 ms
  Response latency (first byte): 0 ms
  Response latency (last byte): 0 ms
stop transaction --------------------
start transaction -------------------
  transaction ID=7220008 type=http.proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  MATCH: ALLOW request.application.name="Office 365 General"
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.108 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:40 UTC
  CONNECT tcp://v10.vortex-win.data.microsoft.com:443/
  DNS lookup was unrestricted
  user: name="7415" realm=iwa_direct
  authentication start 3 elapsed 0 ms
  authorization start 3 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0 static categorization time: 0
  server.response.code: 0
  client.response.code: 200
  application.name: Office 365 General
  application.operation: none
  application.group: Online Productivity Suite
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 7 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 3 elapsed 0 ms
    access-logging: start 7 elapsed 0 ms
    stop-transaction: start 7 elapsed 0 ms
  Total Policy evaluation time: 0 ms
  url_categorization complete time: 3
  client connection: first-response-byte 0 last-response-byte 7
stop transaction --------------------
start transaction -------------------
  transaction ID=7220005 type=https.forward-proxy
  transaction handed off from: 7219997
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  miss: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  miss: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=1
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:40 UTC
  GET https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif?zx=aj5qlufryvjh
  DNS lookup was unrestricted
  Referer: https://mail.google.com/mail/u/0/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
  user: name="7168" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  DENIED: Either 'deny' or 'exception' was matched in policy
  url.category: Clean Whitelist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@YouTube;Email@Blue Coat
    total categorization time: 1 static categorization time: 1
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  server.response.code: 200
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 103 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 8 elapsed 1 ms
    server-out: start 9 elapsed 0 ms
    server-in: start 9 elapsed 0 ms
    client-out-terminated: start 102 elapsed 0 ms
    access-logging: start 103 elapsed 0 ms
    stop-transaction: start 103 elapsed 0 ms
  Total Policy evaluation time: 1 ms
  url_categorization complete time: 8
  server connection: start 9
  DNS Lookup: start 9 elapsed 0 ms
  server connection: connected 9 first-byte 102 last_byte 102
  client connection: first-response-byte 0 last-response-byte 103
  Total time added: 2 ms
  Total latency to first byte: 1 ms
  Request latency: 1 ms
  OCS connect time: 0 ms
  Response latency (first byte): 0 ms
  Response latency (last byte): 1 ms
stop transaction --------------------
start transaction -------------------
  transaction ID=7219991 type=ssl.tunnel
  transaction handed off from: 7219990
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  late: [builtin-prolog:335]
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: client.protocol=https
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  MATCH: ALLOW request.application.name="Office 365 General"
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  MATCH: DENY category="Clean Blacklist"
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=5
    server_url.threat_risk.effective_level=(value undetermined)
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.29 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:40 UTC
  unknown ssl://v10.vortex-win.data.microsoft.com:443/
  DNS lookup was unrestricted
  user: name="5339" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  DENIED: Either 'deny' or 'exception' was matched in policy
  url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat
    total categorization time: 0 static categorization time: 0
  application.name: Office 365 General
  application.operation: none
  application.group: Online Productivity Suite
  DSCP client outbound: 65 DSCP server outbound: 65
  Transaction timing: total-transaction-time 1 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    client-out-terminated: start 1 elapsed 0 ms
  Total Policy evaluation time: 0 ms
  url_categorization complete time: 1
stop transaction --------------------
start transaction -------------------
  transaction ID=7219962 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no)
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  n/a: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  n/a: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  MATCH: response.icap_service(no)
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  n/a: condition=ShouldScanHighPerformance
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=1
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  Called transaction procedure: dashboard_record_hourly
  Called transaction procedure: dashboard_record_daily
  Called transaction procedure: dashboard_blocked_stats_infinity
  Called transaction procedure: dashboard_record_monthly
  connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:38 UTC
  POST https://www.bing.com/AS/IEOneBox/xls.aspx
  DNS lookup was unrestricted
  Referer: https://www.bing.com/AS/API/IEOneBox/V2/Init?setlang=en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; ServiceUI 14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
  user: name="7168" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  DENIED: Default secure policy mode
  url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 1 static categorization time: 1
  request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  server.response.code: 204
  client.response.code: 403
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  ICAP REQMOD Scan Summary: Error code: none
  Transaction timing: total-transaction-time 1843 ms
  Checkpoint timings:
    new-connection: start 21 elapsed 0 ms
    client-in: start 22 elapsed 0 ms
    server-out: start 22 elapsed 0 ms
    server-in: start 1631 elapsed 0 ms
    client-out-terminated: start 1842 elapsed 1 ms
    access-logging: start 1843 elapsed 0 ms
    stop-transaction: start 1843 elapsed 0 ms
  Total Policy evaluation time: 1 ms
  url_categorization complete time: 22
  server connection: start 22
  DNS Lookup: start 22 elapsed 0 ms
  server connection: connected 1631 first-byte 1842 last_byte 1842
  client connection: first-response-byte 0 last-response-byte 1843
  Total time added: 1 ms
  Total latency to first byte: 1609 ms
  Request latency: 0 ms
  OCS connect time: 1609 ms
  Response latency (first byte): 0 ms
  Response latency (last byte): 1 ms
stop transaction --------------------
start transaction -------------------
  transaction ID=7220007 type=https.forward-proxy
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")
  [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  MATCH: policy.BC_malware_scanning_solution
  MATCH: policy.BC_malware_scanning_solution_proxy
  miss: condition=__CondList1WhitelistSSL_By_IP
  miss: condition=__CondList1Whitelist_SSL_Validation
  MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
  miss: condition=__CondList1WhiteListHTTPSPort_By_IP
  miss: category="WhiteList SSL special ports"
  miss: condition=!__HostPort1
  miss: condition=__CondList1Whitelist-Auth-By-IP
  miss: client.address="Server subnets"
  MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
  miss: client.address=Bloomberg
  miss: request.application.name="Office 365 General"
  n/a: condition=__CondList1DLP-Trigger
  miss: p2p.client=yes
  miss: condition=__CondList1BC-Servers
  miss: client.address=Bloomberg
  miss: url.domain=//eicar.org/
  miss: variable.url.threat_risk.effective_level=7..10
  miss: condition="DynDns Dangerous"
  miss: condition=Malvertising
  miss: condition="Uncategorized Dangerous"
  miss: category=Global-Whitelist
  miss: category=Global-BlackList
  miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
  MATCH: ALLOW condition=__CondList1Default-internet
  miss: condition=__GROUP19
  miss: condition=__GROUP44
  miss: category="Clean Blacklist"
  miss: condition=__CondList1Clean_Whitelist
  miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
  miss: request.application.name=Netflix
  miss: client.address="Microsof Update users"
  miss: client.address="Gmail Users"
  miss: client.address="Google Drive Users"
  miss: client.address=Remote-users
  miss: client.address="Yahoo users"
  miss: client.address="Outlook-hotmail users"
  miss: client.address="Facebook Users"
  miss: client.address="Talent Group Users"
  miss: client.address="Rss Feed Users"
  miss: client.address="Symantec Users"
  miss: client.address="I-Tunes Users"
  miss: client.address="Team Viewer users"
  miss: client.address="Google Maps users"
  miss: client.address="We-Transfer users"
  miss: client.address="YouTube users"
  miss: client.address="YouTube users"
  miss: client.address="Skypp users"
  miss: condition="__CondList1Restricted Files Type"
  MATCH: delete_on_abandonment(yes)
  MATCH: response.icap_feedback(trickle_end)
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: response.header.content-length.as_number=100000000..18446744073709551615
  miss: category=URL_No_ICAP
  miss: streaming.client=yes
  miss: category="Always verify cache"
  MATCH: cache(yes) force_cache(no)
  miss: client.address=Bloomberg
  MATCH: trace.request(yes)
  miss: client.address="Whitelist USers"
  Called policy definition: BC_malware_scanning_secure_connection
  MATCH: response.icap_service.secure_connection(auto)
  Called policy definition: BC_malware_scanner
  MATCH: response.icap_service(bluecoat-local-response, fail-closed)
  Called policy definition: BC_malware_scanning_HighPerformance
  MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection
  Called policy definition: BC_malware_scanning_solution
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
  Called policy definition: BC_malware_scanning_proxy_HighPerformance
  MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end)
  Called policy definition: BC_malware_scanning_solution_proxy
  MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
  Assigned values of transaction variables:
    dns.request.threat_risk.effective_level=(value undetermined)
    url.threat_risk.effective_level=1
    request.header.Referer.url.threat_risk.effective_level=1
    server_url.threat_risk.effective_level=1
    server.certificate.hostname.threat_risk.effective_level=(value undetermined)
    bc_notify1=empty1
    bc_notify2=empty2
  connection: service.name=Explicit-8080 client.address=172.25.25.90 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
  time: 2019-07-15 14:06:40 UTC
  GET https://www.google.com/async/finance_wholepage_price_updates?ei=G3EsXZ61Do-ysAfynJbQDw&rlz=1C1GCEV_enEG841EG845&safe=active&yv=3&dfsl=1&async=mids:/g/1dtw9b2h,currencies:,_fmt:jspb
  DNS lookup was unrestricted
  rewritten URL(s): cache_url=https://www.google.com/async/finance_wholepage_price_updates?ei=G3EsXZ61Do-ysAfynJbQDw&rlz=1C1GCEV_enEG841EG845&safe=active&yv=3&dfsl=1&async=mids:%2Fg%2F1dtw9b2h,currencies:,_fmt:jspb&bcsi_scan_d9ffd99e1b9d0f43=+Xhziw7Okq7kCa9iZXuKjy903osBAAAAJytuAA==
  origin server next-hop IP address=172.217.168.196
  Referer: https://www.google.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
  user: name="2484" realm=iwa_direct
  authentication start 0 elapsed 0 ms
  authorization start 0 elapsed 0 ms
  authentication status='none'
  authorization status='none'
  url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat
    total categorization time: 0 static categorization time: 0
  server.response.code: 200
  client.response.code: 200
  application.name: none
  application.operation: none
  application.group: none
  DSCP client outbound: 65 DSCP server outbound: 65
  ICAP RESPMOD Scan Summary: Error code: none
  Transaction timing: total-transaction-time 168 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    server-out: start 1 elapsed 0 ms
    server-in: start 1 elapsed 0 ms
    client-out: start 168 elapsed 0 ms
    access-logging: start 168 elapsed 0 ms
    stop-transaction: start 168 elapsed 0 ms
  Total Policy evaluation time: 0 ms
  url_categorization complete time: 0
  ICAP Response Scan: start 167 delay 0 finish 168
  server connection: start 1
  DNS Lookup: start 1 elapsed 0 ms
  server connection: connected 1 first-byte 166 last_byte 167
  client connection: first-response-byte 168 last-response-byte 168
  Total time added: 1 ms
  Total latency to first byte: 2 ms
  Request latency: 0 ms
  OCS connect time: 0 ms
  Response latency (first byte): 2 ms
  Response latency (last byte): 1 ms
stop transaction --------------------
start transaction -------------------
  transaction ID=7219999 type=ssl.tunnel
  transaction handed off from: 7219998
  [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
  [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
  [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
  MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
  late: [builtin-prolog:335]
  [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
  [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
  [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
  [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
  MATCH: policy.BC_malware_scanning_solution
  MATCH: 
policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8672" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: 
new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction ID=7220009 type=https.forward-proxy transaction handed off from: 7220003 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature 
Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" 
miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance miss: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance miss: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC GET https://www.google.com/images/cleardot.gif?zx=m29cl9pkx8p9 DNS lookup was unrestricted origin server next-hop IP address=172.217.168.196 Referer: 
https://0.client-channel.google.com/client-channel/client?cfg=%7B%222%22%3A%22hangouts%22%2C%226%22%3A%22gmail%22%2C%227%22%3A%22chat_frontend_20190709.06_p0%22%2C%228%22%3Afalse%2C%2213%22%3Afalse%7D&ctype=hangouts&xpc=%7B%22cn%22%3A%22AOUFjjg0GM%22%2C%22tp%22%3Anull%2C%22osh%22%3Anull%2C%22ppu%22%3A%22https%3A%2F%2Fhangouts.google.com%2Frobots.txt%22%2C%22lpu%22%3A%22https%3A%2F%2F0.client-channel.google.com%2Frobots.txt%22%7D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 1 static categorization time: 1 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 251 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 20 elapsed 1 ms server-out: start 139 elapsed 0 ms server-in: start 139 elapsed 0 ms client-out: start 251 elapsed 0 ms access-logging: start 251 elapsed 0 ms stop-transaction: start 251 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 20 server connection: start 139 DNS Lookup: start 139 elapsed 0 ms server connection: connected 139 first-byte 250 last_byte 251 client connection: first-response-byte 251 last-response-byte 251 Total time added: 119 ms Total latency to first byte: 120 
ms Request latency: 119 ms OCS connect time: 0 ms Response latency (first byte): 1 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220014 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: 
client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8672" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms 
authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 6 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 2 elapsed 1 ms access-logging: start 6 elapsed 0 ms stop-transaction: start 6 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 2 client connection: first-response-byte 0 last-response-byte 6 stop transaction -------------------- start transaction ------------------- transaction ID=7220006 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) 
server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: 
cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.189 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:40 UTC POST https://sites.google.com/u/0/_/logImpressions?token=AHL0AtLEj34HQtvezV1GB8KmXik9OtC_zw:1563113265588&authuser=0 DNS 
lookup was unrestricted Referer: https://sites.google.com/site/rhdisk0/unix/aix/aixcommands User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 user: name="8596" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 463 ms Checkpoint timings: new-connection: start 10 elapsed 0 ms client-in: start 10 elapsed 1 ms server-out: start 11 elapsed 0 ms server-in: start 199 elapsed 0 ms client-out-terminated: start 462 elapsed 0 ms access-logging: start 463 elapsed 0 ms stop-transaction: start 463 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 10 server connection: start 11 DNS Lookup: start 11 elapsed 0 ms server connection: connected 199 first-byte 457 last_byte 462 client connection: first-response-byte 0 last-response-byte 463 Total time added: 2 ms Total latency to first byte: 189 ms Request latency: 1 ms OCS connect time: 188 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220010 type=ssl.tunnel transaction handed off from: 
7220008 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: 
client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=(value undetermined)
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
Called transaction procedure: dashboard_record_hourly
Called transaction procedure: dashboard_record_daily
Called transaction procedure: dashboard_blocked_stats_infinity
Called transaction procedure: dashboard_record_monthly
connection: service.name=Explicit-8080 client.address=172.25.25.108 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:40 UTC
unknown ssl://v10.vortex-win.data.microsoft.com:443/
DNS lookup was unrestricted
user: name="7415" realm=iwa_direct
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none'
authorization status='none'
DENIED: Either 'deny' or 'exception' was matched in policy
url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat
total categorization time: 0
static categorization time: 0
application.name: Office 365 General
application.operation: none
application.group: Online Productivity Suite
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 1 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 1 elapsed 0 ms
client-out-terminated: start 1 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization complete time: 1
stop transaction --------------------

start transaction -------------------
transaction ID=7220020 type=http.proxy
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
[builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
MATCH: ALLOW request.application.name="Office 365 General"
miss: condition=__GROUP19
miss: condition=__GROUP44
MATCH: DENY category="Clean Blacklist"
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=1
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
connection: service.name=Explicit-8080 client.address=172.25.25.206 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:41 UTC
CONNECT tcp://v10.vortex-win.data.microsoft.com:443/
DNS lookup was unrestricted
user: name="8305" realm=iwa_direct
authentication start 4 elapsed 0 ms
authorization start 4 elapsed 0 ms
authentication status='none'
authorization status='none'
url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat
total categorization time: 0
static categorization time: 0
server.response.code: 0
client.response.code: 200
application.name: Office 365 General
application.operation: none
application.group: Online Productivity Suite
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 8 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 3 elapsed 1 ms
access-logging: start 8 elapsed 0 ms
stop-transaction: start 8 elapsed 0 ms
Total Policy evaluation time: 1 ms
url_categorization complete time: 3
client connection: first-response-byte 0 last-response-byte 8
stop transaction --------------------

start transaction -------------------
transaction ID=7220024 type=http.proxy
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
[builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
MATCH: ALLOW request.application.name="Office 365 General"
miss: condition=__GROUP19
miss: condition=__GROUP44
MATCH: DENY category="Clean Blacklist"
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=1
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
connection: service.name=Explicit-8080 client.address=172.25.25.171 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:41 UTC
CONNECT tcp://v10.vortex-win.data.microsoft.com:443/
DNS lookup was unrestricted
user: name="2299" realm=iwa_direct
authentication start 3 elapsed 0 ms
authorization start 3 elapsed 0 ms
authentication status='none'
authorization status='none'
url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat
total categorization time: 0
static categorization time: 0
server.response.code: 0
client.response.code: 200
application.name: Office 365 General
application.operation: none
application.group: Online Productivity Suite
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 7 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 3 elapsed 0 ms
access-logging: start 7 elapsed 0 ms
stop-transaction: start 7 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization complete time: 3
client connection: first-response-byte 0 last-response-byte 7
stop transaction --------------------

start transaction -------------------
transaction ID=7220028 type=http.proxy
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
[builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
miss: request.application.name="Office 365 General"
n/a: condition=__CondList1DLP-Trigger
miss: p2p.client=yes
miss: condition=__CondList1BC-Servers
miss: client.address=Bloomberg
miss: url.domain=//eicar.org/
miss: variable.url.threat_risk.effective_level=7..10
miss: condition="DynDns Dangerous"
miss: condition=Malvertising
miss: condition="Uncategorized Dangerous"
miss: category=Global-Whitelist
miss: category=Global-BlackList
miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
MATCH: ALLOW condition=__CondList1Default-internet
miss: condition=__GROUP19
miss: condition=__GROUP44
miss: category="Clean Blacklist"
miss: condition=__CondList1Clean_Whitelist
miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=1
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
connection: service.name=Explicit-8080 client.address=172.25.25.31 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:41 UTC
CONNECT tcp://clientservices.googleapis.com:443/
DNS lookup was unrestricted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
user: name="7578" realm=iwa_direct
authentication start 77 elapsed 0 ms
authorization start 77 elapsed 0 ms
authentication status='none'
authorization status='none'
url.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat
total categorization time: 0
static categorization time: 0
server.response.code: 0
client.response.code: 200
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 83 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 3 elapsed 74 ms
access-logging: start 83 elapsed 0 ms
stop-transaction: start 83 elapsed 0 ms
Total Policy evaluation time: 74 ms
url_categorization complete time: 3
client connection: first-response-byte 0 last-response-byte 83
stop transaction --------------------

start transaction -------------------
transaction ID=7220021 type=ssl.tunnel
transaction handed off from: 7220020
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
late: [builtin-prolog:335]
[builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity
[builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly
[builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily
[builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
MATCH: ALLOW request.application.name="Office 365 General"
miss: condition=__GROUP19
miss: condition=__GROUP44
MATCH: DENY category="Clean Blacklist"
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=(value undetermined)
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
Called transaction procedure: dashboard_record_hourly
Called transaction procedure: dashboard_record_daily
Called transaction procedure: dashboard_blocked_stats_infinity
Called transaction procedure: dashboard_record_monthly
connection: service.name=Explicit-8080 client.address=172.25.25.206 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:41 UTC
unknown ssl://v10.vortex-win.data.microsoft.com:443/
DNS lookup was unrestricted
user: name="8305" realm=iwa_direct
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none'
authorization status='none'
DENIED: Either 'deny' or 'exception' was matched in policy
url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat
total categorization time: 0
static categorization time: 0
application.name: Office 365 General
application.operation: none
application.group: Online Productivity Suite
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 1 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 1 elapsed 0 ms
client-out-terminated: start 1 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization complete time: 1
stop transaction --------------------

start transaction -------------------
transaction ID=7220032 type=http.proxy
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
[builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
miss: request.application.name="Office 365 General"
n/a: condition=__CondList1DLP-Trigger
miss: p2p.client=yes
miss: condition=__CondList1BC-Servers
miss: client.address=Bloomberg
miss: url.domain=//eicar.org/
miss: variable.url.threat_risk.effective_level=7..10
miss: condition="DynDns Dangerous"
miss: condition=Malvertising
miss: condition="Uncategorized Dangerous"
miss: category=Global-Whitelist
miss: category=Global-BlackList
miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
MATCH: ALLOW condition=__CondList1Default-internet
miss: condition=__GROUP19
miss: condition=__GROUP44
MATCH: DENY category="Clean Blacklist"
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=1
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:42 UTC
CONNECT tcp://ssl.gstatic.com:443/
DNS lookup was unrestricted
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
user: name="5227" realm=iwa_direct
authentication start 3 elapsed 0 ms
authorization start 3 elapsed 0 ms
authentication status='none'
authorization status='none'
url.category: Clean Whitelist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Search Engines/Portals@Blue Coat
total categorization time: 0
static categorization time: 0
server.response.code: 0
client.response.code: 200
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 7 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 3 elapsed 0 ms
access-logging: start 7 elapsed 0 ms
stop-transaction: start 7 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization complete time: 3
client connection: first-response-byte 0 last-response-byte 7
stop transaction --------------------

start transaction -------------------
transaction ID=7217828 type=ssl.tunnel
transaction handed off from: 7217819
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
[builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
miss: request.application.name="Office 365 General"
n/a: condition=__CondList1DLP-Trigger
miss: p2p.client=yes
miss: condition=__CondList1BC-Servers
miss: client.address=Bloomberg
miss: url.domain=//eicar.org/
miss: variable.url.threat_risk.effective_level=7..10
miss: condition="DynDns Dangerous"
miss: condition=Malvertising
miss: condition="Uncategorized Dangerous"
miss: category=Global-Whitelist
miss: category=Global-BlackList
MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception)
miss: condition=__GROUP19
miss: condition=__GROUP44
miss: category="Clean Blacklist"
miss: condition=__CondList1Clean_Whitelist
MATCH: ALLOW category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=1
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
connection: service.name=Explicit-8080 client.address=172.25.25.144 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:05:27 UTC
unknown ssl://mtalk.google.com:5228/
DNS lookup was unrestricted
user: name="2552" realm=iwa_direct
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none'
authorization status='none'
url.category: none@Policy;none@YouTube;Chat (IM)/SMS@Blue Coat
total categorization time: 0
static categorization time: 0
application.name: Google Hangouts
application.operation: none
application.group: Instant Messaging;VoIP
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 75040 ms
Checkpoint timings:
new-connection: start 1 elapsed 0 ms
client-in: start 1 elapsed 0 ms
server-out: start 1 elapsed 0 ms
stop-transaction: start 75040 elapsed 0 ms
Total Policy evaluation time: 0 ms
url_categorization complete time: 1
server connection: start 1
DNS Lookup: start 1 elapsed 0 ms
server connection: connected 75040
Total time added: 0 ms
Total latency to first byte: 75039 ms
Request latency: 0 ms
OCS connect time: 75039 ms
Response latency (first byte): 0 ms
Response latency (last byte): 0 ms
stop transaction --------------------

start transaction -------------------
transaction ID=7220029 type=ssl.tunnel
transaction handed off from: 7220028
[builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2)
[builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
[builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10
MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5)
[builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
MATCH: policy.BC_malware_scanning_solution
MATCH: policy.BC_malware_scanning_solution_proxy
miss: condition=__CondList1WhitelistSSL_By_IP
miss: condition=__CondList1Whitelist_SSL_Validation
MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
miss: client.protocol=https
miss: condition=__CondList1Whitelist-Auth-By-IP
miss: client.address="Server subnets"
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: client.address=Bloomberg
miss: request.application.name="Office 365 General"
n/a: condition=__CondList1DLP-Trigger
miss: p2p.client=yes
miss: condition=__CondList1BC-Servers
miss: client.address=Bloomberg
miss: url.domain=//eicar.org/
miss: variable.url.threat_risk.effective_level=7..10
miss: condition="DynDns Dangerous"
miss: condition=Malvertising
miss: condition="Uncategorized Dangerous"
miss: category=Global-Whitelist
miss: category=Global-BlackList
miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted)
MATCH: ALLOW condition=__CondList1Default-internet
miss: condition=__GROUP19
miss: condition=__GROUP44
miss: category="Clean Blacklist"
miss: condition=__CondList1Clean_Whitelist
miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles)
miss: request.application.name=Netflix
miss: client.address="Microsof Update users"
miss: client.address="Gmail Users"
miss: client.address="Google Drive Users"
miss: client.address=Remote-users
miss: client.address="Yahoo users"
miss: client.address="Outlook-hotmail users"
miss: client.address="Facebook Users"
miss: client.address="Talent Group Users"
miss: client.address="Rss Feed Users"
miss: client.address="Symantec Users"
miss: client.address="I-Tunes Users"
miss: client.address="Team Viewer users"
miss: client.address="Google Maps users"
miss: client.address="We-Transfer users"
miss: client.address="YouTube users"
miss: client.address="YouTube users"
miss: client.address="Skypp users"
n/a: condition="__CondList1Restricted Files Type"
MATCH: delete_on_abandonment(yes)
MATCH: response.icap_feedback(trickle_end)
miss: category=URL_No_ICAP
miss: streaming.client=yes
n/a: response.header.content-length.as_number=100000000..18446744073709551615
miss: category=URL_No_ICAP
miss: streaming.client=yes
miss: category="Always verify cache"
MATCH: cache(yes) force_cache(no)
miss: client.address=Bloomberg
MATCH: trace.request(yes)
miss: client.address="Whitelist USers"
Called policy definition: BC_malware_scanning_HighPerformance
n/a: condition=ShouldScanHighPerformance
MATCH: response.icap_service(no)
Called policy definition: BC_malware_scanning_solution
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance
Called policy definition: BC_malware_scanning_proxy_HighPerformance
n/a: condition=ShouldScanHighPerformance
Called policy definition: BC_malware_scanning_solution_proxy
MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance
Assigned values of transaction variables:
dns.request.threat_risk.effective_level=(value undetermined)
url.threat_risk.effective_level=1
request.header.Referer.url.threat_risk.effective_level=5
server_url.threat_risk.effective_level=1
server.certificate.hostname.threat_risk.effective_level=(value undetermined)
bc_notify1=empty1
bc_notify2=empty2
connection: service.name=Explicit-8080 client.address=172.25.25.31 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown
time: 2019-07-15 14:06:41 UTC
unknown ssl://clientservices.googleapis.com:443/
DNS lookup was unrestricted
origin server next-hop IP address=172.217.17.35
user: name="7578" realm=iwa_direct
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none'
authorization status='none' url.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 253 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 253 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 250 url_categorization complete time: 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 135 Total time added: 0 ms Total latency to first byte: 134 ms Request latency: 0 ms OCS connect time: 134 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220025 type=ssl.tunnel transaction handed off from: 7220024 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: 
condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy 
definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.171 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:41 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="2299" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction 
ID=7220027 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", 
Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) 
url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.192 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:41 UTC POST https://www.bing.com/AS/IEOneBox/xls.aspx DNS lookup was unrestricted Referer: https://www.bing.com/AS/API/IEOneBox/V2/Init?setlang=en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; ServiceUI 14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 user: name="7168" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 204 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 532 ms Checkpoint timings: new-connection: start 14 elapsed 0 ms client-in: start 15 elapsed 0 ms server-out: start 15 elapsed 0 ms 
server-in: start 374 elapsed 0 ms client-out-terminated: start 531 elapsed 0 ms access-logging: start 532 elapsed 0 ms stop-transaction: start 532 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 15 server connection: start 15 DNS Lookup: start 15 elapsed 0 ms server connection: connected 374 first-byte 531 last_byte 531 client connection: first-response-byte 0 last-response-byte 532 Total time added: 1 ms Total latency to first byte: 359 ms Request latency: 0 ms OCS connect time: 359 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220033 type=ssl.tunnel transaction handed off from: 7220032 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: 
condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" 
miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 
client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC unknown ssl://ssl.gstatic.com:443/ DNS lookup was unrestricted user: name="5227" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Clean Whitelist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7220038 type=https.forward-proxy transaction handed off from: 7220034 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: 
policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 
miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance miss: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance miss: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: 
dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=1 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.83 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC GET https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif?zx=ly3jtsv4x7gv DNS lookup was unrestricted Referer: https://mail.google.com/mail/u/0/?tab=rm&ogbl User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 user: name="5227" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Clean Whitelist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Email@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 142 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms 
client-in: start 3 elapsed 0 ms server-out: start 4 elapsed 0 ms server-in: start 4 elapsed 0 ms client-out-terminated: start 141 elapsed 0 ms access-logging: start 142 elapsed 0 ms stop-transaction: start 142 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 3 server connection: start 4 DNS Lookup: start 4 elapsed 0 ms server connection: connected 4 first-byte 141 last_byte 141 client connection: first-response-byte 0 last-response-byte 142 Total time added: 2 ms Total latency to first byte: 1 ms Request latency: 1 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220040 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 miss: condition=__GROUP45 miss: condition="__CondList1Allowed APP Users" n/a: 
condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.24.20.165 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="3347" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr 
Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 7 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 7 elapsed 0 ms stop-transaction: start 7 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 2 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7220036 type=https.forward-proxy transaction handed off from: 7220030 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: 
request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: 
client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: category="WhiteList Dangerous Files" miss: url.threat_risk.level=6..10 miss: category=("Dynamic DNS Host", Gambling, Hacking, "Mixed Content/Potentially Adult", "Piracy/Copyright Concerns", Placeholders, "Web Ads/Analytics", "Web Hosting", none, pending) miss: category=("File Storage/Sharing", "Software Downloads") miss: category=("File Storage/Sharing", "Software Downloads") MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance 
MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.31 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC GET https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=74 DNS lookup was unrestricted rewritten URL(s): cache_url=https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=74&bcsi_scan_d9ffd99e1b9d0f43=O7xjG/1jisGV/kd3FaSymTLoZwABAAAARCtuAA== origin server next-hop IP address=172.217.17.35 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 user: name="7578" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: Google Maps URLS@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP 
RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 565 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 110 elapsed 0 ms server-out: start 240 elapsed 1 ms server-in: start 241 elapsed 0 ms client-out: start 565 elapsed 0 ms access-logging: start 565 elapsed 0 ms stop-transaction: start 565 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 110 ICAP Response Scan: start 389 delay 0 finish 564 server connection: start 241 DNS Lookup: start 241 elapsed 0 ms server connection: connected 241 first-byte 389 last_byte 564 client connection: first-response-byte 565 last-response-byte 565 Total time added: 132 ms Total latency to first byte: 307 ms Request latency: 131 ms OCS connect time: 0 ms Response latency (first byte): 176 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220043 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: 
ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' 
policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.170 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8754" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 8 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 1 ms access-logging: start 8 elapsed 0 ms stop-transaction: start 8 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 8 stop transaction -------------------- start transaction ------------------- transaction ID=7220041 type=ssl.tunnel transaction handed off from: 7220040 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: 
request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 miss: condition=__GROUP45 miss: condition="__CondList1Allowed APP Users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.24.20.165 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted origin server next-hop IP address=64.4.54.254 user: name="3347" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 451 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 451 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 449 url_categorization complete time: 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 232 Total time added: 0 ms Total latency to first byte: 231 ms Request latency: 0 ms OCS connect time: 231 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction 
------------------- transaction ID=7220048 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: 
delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:43 UTC CONNECT tcp://browser.pipe.aria.microsoft.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="8672" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization 
status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 10 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms access-logging: start 9 elapsed 1 ms stop-transaction: start 10 elapsed 0 ms Total Policy evaluation time: 1 ms url_categorization complete time: 4 client connection: first-response-byte 0 last-response-byte 9 stop transaction -------------------- start transaction ------------------- transaction ID=7220044 type=ssl.tunnel transaction handed off from: 7220043 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) 
authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.170 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:42 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8754" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction ID=7220055 type=http.proxy [builtin-prolog:372] MATCH: 
variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, 
variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec 
Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" miss: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 
server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.201 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC GET http://app.fbpv.info/online/?user_id=0&v=1.1.14 DNS lookup was unrestricted rewritten URL(s): cache_url=http://app.fbpv.info/online/?user_id=0&v=1.1.14&bcsi_scan_d9ffd99e1b9d0f43=kccgIkSYN0315mmHEYobyT/x7XgBAAAAYCtuAA== origin server next-hop IP address=188.138.41.205 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="1429" realm=iwa_direct authentication start 78 elapsed 0 ms authorization start 78 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Content Servers@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 353 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 74 ms server-out: start 78 elapsed 0 ms server-in: start 345 elapsed 0 ms client-out: start 353 elapsed 0 ms access-logging: start 353 elapsed 0 ms stop-transaction: start 353 elapsed 0 ms Total Policy evaluation time: 74 ms url_categorization complete time: 4 ICAP Response Scan: start 345 delay 0 finish 352 server connection: start 78 DNS Lookup: start 78 elapsed 0 ms server connection: connected 205 first-byte 345 last_byte 345 client connection: first-response-byte 353 last-response-byte 353 Total time added: 82 ms Total latency to first byte: 209 ms Request latency: 74 ms OCS connect time: 127 ms Response latency (first byte): 8 ms Response latency 
(last byte): 8 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220069 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media 
Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: 
cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.110 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC CONNECT tcp://docs.google.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="2547" realm=iwa_direct authentication start 4 elapsed 0 ms authorization start 4 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;File Storage/Sharing@Blue Coat;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Google Drive application.operation: none application.group: File 
Sharing;Storage DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 10 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 4 elapsed 0 ms access-logging: start 10 elapsed 0 ms stop-transaction: start 10 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 4 client connection: first-response-byte 0 last-response-byte 10 stop transaction -------------------- start transaction ------------------- transaction ID=7220072 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: 
client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.189 
proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC CONNECT tcp://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8596" realm=iwa_direct authentication start 3 elapsed 0 ms authorization start 3 elapsed 0 ms authentication status='none' authorization status='none' url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 7 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 0 ms access-logging: start 7 elapsed 0 ms stop-transaction: start 7 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 7 stop transaction -------------------- start transaction ------------------- transaction ID=7220070 type=ssl.tunnel transaction handed off from: 7220069 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: 
policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList MATCH: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) exception(user_defined.custom_exception) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: 
category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: 
ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.110 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC unknown ssl://docs.google.com:443/ DNS lookup was unrestricted user: name="2547" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' EXCEPTION(custom_exception): Either 'deny' or 'exception' was matched in policy url.category: none@Policy;none@YouTube;File Storage/Sharing@Blue Coat;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 stop transaction -------------------- start transaction ------------------- transaction ID=7220060 type=https.forward-proxy transaction handed off from: 7220050 [builtin-prolog:372] MATCH: 
variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] MATCH: request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: 
client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=2 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly 
connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:43 UTC POST https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application/bond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-JS-1.5.0&x-apikey=a387cfcf60114a43a7699f9fbb49289e-9bceb9fe-1c06-460f-96c5-6a0b247358bc-7238,ea84b6a3285140258eaeb7caaab5884a-9d3ca75b-b3ee-42b8-a22c-ab0759ad4d38-7330&client-time-epoch-millis=1563199603220 DNS lookup was unrestricted Referer: https://portal.office.com/adminportal/home User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="8672" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 request.header.Referer.url.category: none@Policy;none@YouTube;Office/Business Applications@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1240 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 91 elapsed 0 ms server-out: start 270 elapsed 0 ms server-in: start 270 elapsed 0 ms 
client-out-terminated: start 1239 elapsed 0 ms access-logging: start 1240 elapsed 0 ms stop-transaction: start 1240 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 91 server connection: start 270 DNS Lookup: start 270 elapsed 0 ms server connection: connected 270 first-byte 1239 last_byte 1239 client connection: first-response-byte 0 last-response-byte 1240 Total time added: 180 ms Total latency to first byte: 179 ms Request latency: 179 ms OCS connect time: 0 ms Response latency (first byte): 0 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220066 type=ssl.tunnel transaction handed off from: 7220065 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 
MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value 
undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.31 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="7578" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7220063 type=https.forward-proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: 
request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: condition=__CondList1WhiteListHTTPSPort_By_IP miss: category="WhiteList SSL special ports" miss: condition=!__HostPort1 miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed) request.icap_service.secure_connection[dlp](no) miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: 
client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes miss: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=2 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=2 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction 
procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 client.address=172.25.25.232 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC POST https://beacons5.gvt2.com/domainreliability/upload DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5180" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Default secure policy mode url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.certficate.hostname.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 403 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 ICAP REQMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 962 ms Checkpoint timings: new-connection: start 8 elapsed 0 ms client-in: start 8 elapsed 0 ms server-out: start 8 elapsed 0 ms server-in: start 714 elapsed 0 ms client-out-terminated: start 961 elapsed 0 ms access-logging: start 962 elapsed 0 ms stop-transaction: start 962 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 8 server connection: start 8 DNS Lookup: start 8 elapsed 0 ms server connection: connected 714 first-byte 961 last_byte 961 client connection: first-response-byte 0 last-response-byte 962 Total time added: 1 ms Total latency to first byte: 706 ms Request latency: 0 ms OCS connect time: 706 ms Response latency (first byte): 0 ms Response 
latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=7220073 type=ssl.tunnel transaction handed off from: 7220072 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) late: [builtin-prolog:335] [builtin-prolog:246] MATCH: t_procedure.dashboard_blocked_stats_infinity [builtin-prolog:237] MATCH: t_procedure.dashboard_record_hourly [builtin-prolog:240] MATCH: t_procedure.dashboard_record_daily [builtin-prolog:243] MATCH: t_procedure.dashboard_record_monthly MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19 miss: condition=__GROUP44 MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" 
miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=(value undetermined) server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 Called transaction procedure: dashboard_record_hourly Called transaction procedure: dashboard_record_daily Called transaction procedure: dashboard_blocked_stats_infinity Called transaction procedure: dashboard_record_monthly connection: service.name=Explicit-8080 
client.address=172.25.25.189 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:44 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/ DNS lookup was unrestricted user: name="8596" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' DENIED: Either 'deny' or 'exception' was matched in policy url.category: Socail Media Blacklist@Policy;Apps&Mngr Blacklist@Policy;Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms client-out-terminated: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 stop transaction -------------------- start transaction ------------------- transaction ID=7220080 type=http.proxy [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https 
miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: 
request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 
request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.232 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:45 UTC CONNECT tcp://google.com:443/ DNS lookup was unrestricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 user: name="5180" realm=iwa_direct authentication start 50 elapsed 0 ms authorization start 50 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 57 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 3 elapsed 47 ms access-logging: start 56 elapsed 1 ms stop-transaction: start 57 elapsed 0 ms Total Policy evaluation time: 48 ms url_categorization complete time: 3 client connection: first-response-byte 0 last-response-byte 56 stop transaction -------------------- start transaction ------------------- transaction ID=7220082 type=ssl.tunnel transaction handed off from: 7220080 [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 
variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: condition=__CondList1WhitelistSSL_By_IP miss: condition=__CondList1Whitelist_SSL_Validation MATCH: server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) miss: client.protocol=https miss: condition=__CondList1Whitelist-Auth-By-IP miss: client.address="Server subnets" MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip) miss: client.address=Bloomberg miss: request.application.name="Office 365 General" n/a: condition=__CondList1DLP-Trigger miss: p2p.client=yes miss: condition=__CondList1BC-Servers miss: client.address=Bloomberg miss: url.domain=//eicar.org/ miss: variable.url.threat_risk.effective_level=7..10 miss: condition="DynDns Dangerous" miss: condition=Malvertising miss: condition="Uncategorized Dangerous" miss: category=Global-Whitelist miss: category=Global-BlackList miss: category=(Entertainment, Film, Games, "Adult/Mature Content", Alcohol, Auctions, "Audio/Video Clips", "Chat (IM)/SMS", "Child Pornography", "Controlled Substances", E-Card/Invitations, Email, Extreme, "File Storage/Sharing", "For Kids", Gambling, Hacking, Humor/Jokes, "Internet Telephony", "Intimate Apparel/Swimsuit", "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Marijuana, "Media Sharing", Nudity, "Online Meetings", "Peer-to-Peer (P2P)", "Personal Sites", Personals/Dating, Phishing, "Piracy/Copyright Concerns", Placeholders, Pornography, "Potentially Unwanted Software", "Proxy Avoidance", "Radio/Audio Streams", Reference, "Remote Access Tools", Scam/Questionable/Illegal, "Sex Education", "Sexual Expression", "Social Networking", "Software Downloads", Spam, Sports/Recreation, Suspicious, Tobacco, "TV/Video Streams", Vehicles, Violence/Hate/Racism, Weapons, "Web Ads/Analytics", IWF-Restricted) MATCH: ALLOW 
condition=__CondList1Default-internet miss: condition=__GROUP19 miss: condition=__GROUP44 miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist miss: category=(Entertainment, Auctions, "Chat (IM)/SMS", "Computer/Information Security", E-Card/Invitations, Email, "Media Sharing", Newsgroups/Forums, "Personal Sites", "Society/Daily Living", "Software Downloads", Sports/Recreation, Vehicles) miss: request.application.name=Netflix miss: client.address="Microsof Update users" miss: client.address="Gmail Users" miss: client.address="Google Drive Users" miss: client.address=Remote-users miss: client.address="Yahoo users" miss: client.address="Outlook-hotmail users" miss: client.address="Facebook Users" miss: client.address="Talent Group Users" miss: client.address="Rss Feed Users" miss: client.address="Symantec Users" miss: client.address="I-Tunes Users" miss: client.address="Team Viewer users" miss: client.address="Google Maps users" miss: client.address="We-Transfer users" miss: client.address="YouTube users" miss: client.address="YouTube users" miss: client.address="Skypp users" n/a: condition="__CondList1Restricted Files Type" MATCH: delete_on_abandonment(yes) MATCH: response.icap_feedback(trickle_end) miss: category=URL_No_ICAP miss: streaming.client=yes n/a: response.header.content-length.as_number=100000000..18446744073709551615 miss: category=URL_No_ICAP miss: streaming.client=yes miss: category="Always verify cache" MATCH: cache(yes) force_cache(no) miss: client.address=Bloomberg MATCH: trace.request(yes) miss: client.address="Whitelist USers" Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: 
BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 connection: service.name=Explicit-8080 client.address=172.25.25.232 proxy.port=8080 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-07-15 14:06:45 UTC unknown ssl://google.com:443/ DNS lookup was unrestricted origin server next-hop IP address=216.58.211.110 user: name="5180" realm=iwa_direct authentication start 0 elapsed 0 ms authorization start 0 elapsed 0 ms authentication status='none' authorization status='none' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 269 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms stop-transaction: start 269 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 267 url_categorization complete time: 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 127 Total time added: 0 ms Total latency to first byte: 126 ms Request latency: 0 ms OCS connect time: 126 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction --------------------
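The trace above is Blue Coat ProxySG policy-trace output (one "start transaction ... stop transaction" record per proxied request) that extraction has run together onto a few very long lines. Read as records, it shows two things a policy reviewer would want to pull out mechanically: the ssl.tunnel transactions to v10.vortex-win.data.microsoft.com record "MATCH: ALLOW request.application.name="Office 365 General"" followed by "MATCH: DENY category="Clean Blacklist"" and end DENIED (in CPL a later layer's DENY overrides an earlier layer's ALLOW, so the custom "Clean Blacklist" category is what blocks this Office 365 host); and the two https.forward-proxy POSTs (browser.pipe.aria.microsoft.com, beacons5.gvt2.com) record server.response.code: 200 next to client.response.code: 403, i.e. the origin was contacted and answered before the deny was enforced. The parser below is an added example, not Blue Coat or Symantec tooling and not part of this page; it whitespace-normalizes the text, splits it into transactions, pulls the fields named in this trace, and reports those cross-checks. The sample input is constructed by abridging four of the page's transactions to the fields the parser reads; the flags are observations on the recorded fields, not a root-cause analysis of the policy.

```python
"""Parse flattened Blue Coat ProxySG policy-trace output into per-transaction
records and flag the decisions a policy reviewer should look at twice."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: four transactions from this page, each cut down to the
# fields the parser reads. Line wrapping is arbitrary, as in the extracted page.
SAMPLE_TRACE = """
start transaction ------------------- transaction ID=7219863 type=https.forward-proxy
MATCH: authenticate(iwa_direct) authenticate.force(yes) authenticate.mode(proxy-ip)
miss: request.application.name="Office 365 General"
MATCH: condition=__CondList1DLP-Trigger request.icap_service(dlp, fail_closed)
miss: category="Clean Blacklist" miss: category=URL_No_ICAP
connection: service.name=Explicit-8080 client.address=172.25.25.73 proxy.port=8080
time: 2019-07-15 14:06:43 UTC POST https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true
DNS lookup was unrestricted user: name="8672" realm=iwa_direct
DENIED: Either 'deny' or 'exception' was matched in policy
url.category: Socail Media Blacklist@Policy;Clean Blacklist@Policy;Technology/Internet@Blue Coat total categorization time: 0
server.response.code: 200 client.response.code: 403
stop transaction --------------------
start transaction ------------------- transaction ID=7220066 type=ssl.tunnel transaction handed off from: 7220065
MATCH: ALLOW request.application.name="Office 365 General" miss: condition=__GROUP19
MATCH: DENY category="Clean Blacklist" miss: request.application.name=Netflix
connection: service.name=Explicit-8080 client.address=172.25.25.31 proxy.port=8080
time: 2019-07-15 14:06:44 UTC unknown ssl://v10.vortex-win.data.microsoft.com:443/
DNS lookup was unrestricted user: name="7578" realm=iwa_direct
DENIED: Either 'deny' or 'exception' was matched in policy
url.category: Clean Blacklist@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0
stop transaction --------------------
start transaction ------------------- transaction ID=7220063 type=https.forward-proxy
miss: category="Clean Blacklist" miss: condition=__CondList1Clean_Whitelist
connection: service.name=Explicit-8080 client.address=172.25.25.232 proxy.port=8080
time: 2019-07-15 14:06:44 UTC POST https://beacons5.gvt2.com/domainreliability/upload
DNS lookup was unrestricted user: name="5180" realm=iwa_direct
DENIED: Default secure policy mode
url.category: none@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0
server.response.code: 200 client.response.code: 403
stop transaction --------------------
start transaction ------------------- transaction ID=7220080 type=http.proxy
MATCH: ALLOW condition=__CondList1Default-internet miss: condition=__GROUP19
connection: service.name=Explicit-8080 client.address=172.25.25.232 proxy.port=8080
time: 2019-07-15 14:06:45 UTC CONNECT tcp://google.com:443/
DNS lookup was unrestricted user: name="5180" realm=iwa_direct
url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0
server.response.code: 0 client.response.code: 200
stop transaction --------------------
"""

TXN_RE = re.compile(r"start transaction -+ (.*?) stop transaction -+")
# A rule that set a verdict; the condition text runs until the next trace token.
DECISION_RE = re.compile(r"MATCH: (ALLOW|DENY) (.*?)(?= miss:| n/a:| MATCH:| late:| Called | Assigned values| connection:)")
CAT_MISS_RE = re.compile(r'miss: category=(?:"([^"]+)"|([^\s"(]\S*))')   # single categories, not lists
REQUEST_RE = re.compile(r"time: \d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC (\S+) (\S+)")
DENIED_RE = re.compile(r"DENIED: (.*?)(?= url\.category:| server\.response\.code:| application\.name:| Transaction timing:|$)")
URLCAT_RE = re.compile(r"(?:^| )url\.category: (.*?) total categorization time")  # not the Referer variant


@dataclass
class Transaction:
    txn_id: str
    txn_type: str
    handed_off_from: Optional[str]
    client: Optional[str]
    user: Optional[str]
    method: Optional[str]
    url: Optional[str]
    decisions: List[Tuple[str, str]]      # (ALLOW|DENY, condition) in evaluation order
    category_misses: List[str]            # categories some rule tested and missed
    url_categories: List[str]             # url.category names without the @source suffix
    deny_reason: Optional[str]
    server_code: Optional[int]
    client_code: Optional[int]

    @property
    def denied(self) -> bool:
        return self.deny_reason is not None


def _first(pattern, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_trace(text: str) -> List[Transaction]:
    flat = " ".join(text.split())          # undo arbitrary line wrapping from extraction
    txns = []
    for body in TXN_RE.findall(flat):
        req, cats = REQUEST_RE.search(body), URLCAT_RE.search(body)
        server, client_code = _first(r"server\.response\.code: (\d+)", body), _first(r"client\.response\.code: (\d+)", body)
        txns.append(Transaction(
            txn_id=_first(r"transaction ID=(\d+)", body) or "?",
            txn_type=_first(r"\btype=(\S+)", body) or "?",      # \b keeps access_type= out
            handed_off_from=_first(r"transaction handed off from: (\d+)", body),
            client=_first(r"connection: .*?client\.address=(\S+)", body),
            user=_first(r'user: name="([^"]*)"', body),
            method=req.group(1) if req else None,
            url=req.group(2) if req else None,
            decisions=list(DECISION_RE.findall(body)),
            category_misses=[a or b for a, b in CAT_MISS_RE.findall(body)],
            url_categories=[c.rsplit("@", 1)[0] for c in cats.group(1).split(";")] if cats else [],
            deny_reason=_first(DENIED_RE, body),
            server_code=int(server) if server is not None else None,
            client_code=int(client_code) if client_code is not None else None,
        ))
    return txns


def review(txn: Transaction) -> List[str]:
    """Cross-check one transaction's recorded fields; returns human-readable flags."""
    flags = []
    allows = [c for d, c in txn.decisions if d == "ALLOW"]
    denies = [c for d, c in txn.decisions if d == "DENY"]
    if allows and denies:   # CPL: a later layer's DENY overrides an earlier layer's ALLOW
        flags.append(f"ALLOW on {allows[0]} overridden by later DENY on {denies[-1]}")
    if txn.denied and not denies:
        flags.append(f"denied ({txn.deny_reason}) without a recorded MATCH: DENY")
    if txn.denied and txn.server_code:   # 0 means the origin was never asked
        flags.append(f"origin answered {txn.server_code} before client got {txn.client_code}: request reached the server")
    raced = sorted(set(txn.category_misses) & set(txn.url_categories))
    if raced:
        flags.append("category tested as miss but present in url.category: " + ", ".join(raced))
    return flags


if __name__ == "__main__":
    for t in parse_trace(SAMPLE_TRACE):
        print(f"{t.txn_id} {t.txn_type:<20} {t.client} user={t.user} {t.method} {t.url} -> "
              + ("DENIED" if t.denied else "allowed"))
        for f in review(t):
            print("   !", f)
```

Run against the full trace rather than the sample, the first flag is the one to act on if the block is unintended: move the Office 365 allow into a layer after the "Clean Blacklist" deny, or exclude those hosts from the custom category. The "origin answered ... before client got 403" flag on a POST is the one to escalate, because the client saw a block page while the request body had already left the network; the trace records that fact but not why the deny was enforced only at the response checkpoint, so confirm it against the layer that fired before drawing conclusions.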