: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:35:21 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 131 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 129 ms access-logging: start 131 elapsed 0 ms stop-transaction: start 131 elapsed 0 ms Total Policy evaluation time: 129 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 131 stop transaction -------------------- start transaction ------------------- transaction ID=231355 type=ssl.tunnel transaction handed off from: 231354 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:35:21 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=40.114.224.200 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1066 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 702 elapsed 0 ms client-out: start 702 elapsed 0 ms access-logging: start 1066 elapsed 0 ms stop-transaction: start 1066 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 427 url_categorization complete time: 1 ssl_server started tunnel: 790 server connection: start 1 DNS Lookup: start 702 elapsed 0 ms server connection: connected 335 client connection: first-response-byte 0 last-response-byte 1066 Total time added: 0 ms Total latency to first byte: 334 ms Request latency: 0 ms OCS connect time: 334 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=231427 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:36:01 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?b88265b5bb8ba344 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 200 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 131 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 129 ms cache-hit: start 130 elapsed 0 ms client-out: start 131 elapsed 0 ms access-logging: start 131 elapsed 0 ms stop-transaction: start 131 elapsed 0 ms Total Policy evaluation time: 129 ms url_categorization complete time: 1 ICAP Response Scan: start 130 delay 0 finish 131 client connection: first-response-byte 131 last-response-byte 131 stop transaction -------------------- start transaction ------------------- transaction ID=232405 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:46:52 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms access-logging: start 130 elapsed 0 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 130 stop transaction -------------------- start transaction ------------------- transaction ID=232406 type=ssl.tunnel transaction handed off from: 232405 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:46:52 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.142.119.134 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1471 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 705 elapsed 0 ms client-out: start 705 elapsed 0 ms access-logging: start 1471 elapsed 0 ms stop-transaction: start 1471 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 704 url_categorization complete time: 0 ssl_server started tunnel: 827 server connection: start 1 DNS Lookup: start 705 elapsed 0 ms server connection: connected 579 client connection: first-response-byte 0 last-response-byte 1471 Total time added: 0 ms Total latency to first byte: 578 ms Request latency: 0 ms OCS connect time: 578 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=232690 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:49:59 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=232692 type=ssl.tunnel transaction handed off from: 232690 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 09:49:59 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.74 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 107998 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1146 elapsed 0 ms client-out: start 1146 elapsed 0 ms access-logging: start 107998 elapsed 0 ms stop-transaction: start 107998 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 896 url_categorization complete time: 1 ssl_server started tunnel: 1303 server connection: start 1 DNS Lookup: start 1146 elapsed 0 ms server connection: connected 737 client connection: first-response-byte 0 last-response-byte 107998 Total time added: 0 ms Total latency to first byte: 736 ms Request latency: 0 ms OCS connect time: 736 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=233834 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:02:28 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=233835 type=ssl.tunnel transaction handed off from: 233834 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:02:29 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.142.119.134 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 36564 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 750 elapsed 0 ms client-out: start 750 elapsed 0 ms access-logging: start 36564 elapsed 0 ms stop-transaction: start 36564 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 749 url_categorization complete time: 0 ssl_server started tunnel: 880 server connection: start 1 DNS Lookup: start 750 elapsed 0 ms server connection: connected 615 client connection: first-response-byte 0 last-response-byte 36564 Total time added: 0 ms Total latency to first byte: 614 ms Request latency: 0 ms OCS connect time: 614 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=233931 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:03:30 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?76651f2b7d9f4d56 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 124 ms cache-hit: start 125 elapsed 0 ms client-out: start 126 elapsed 0 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 124 ms url_categorization complete time: 0 ICAP Response Scan: start 125 delay 0 finish 126 client connection: first-response-byte 126 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=233932 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:03:30 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae9a3daf057df2d6 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 2 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms cache-hit: start 1 elapsed 0 ms client-out: start 2 elapsed 0 ms access-logging: start 2 elapsed 0 ms stop-transaction: start 2 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 ICAP Response Scan: start 1 delay 0 finish 2 client connection: first-response-byte 2 last-response-byte 2 stop transaction -------------------- start transaction ------------------- transaction ID=234055 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:04:59 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms access-logging: start 130 elapsed 0 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 130 stop transaction -------------------- start transaction ------------------- transaction ID=234113 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:05:22 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=234114 type=ssl.tunnel transaction handed off from: 234113 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:05:22 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=65.52.226.14 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1099 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 716 elapsed 0 ms client-out: start 716 elapsed 0 ms access-logging: start 1099 elapsed 0 ms stop-transaction: start 1099 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 439 url_categorization complete time: 1 ssl_server started tunnel: 808 server connection: start 1 DNS Lookup: start 716 elapsed 0 ms server connection: connected 344 client connection: first-response-byte 0 last-response-byte 1099 Total time added: 0 ms Total latency to first byte: 343 ms Request latency: 0 ms OCS connect time: 343 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=234056 type=ssl.tunnel transaction handed off from: 234055 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:04:59 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.158.92 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 38180 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1382 elapsed 0 ms client-out: start 1382 elapsed 0 ms access-logging: start 38180 elapsed 0 ms stop-transaction: start 38180 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1026 url_categorization complete time: 1 ssl_server started tunnel: 1608 server connection: start 1 DNS Lookup: start 1382 elapsed 0 ms server connection: connected 797 client connection: first-response-byte 0 last-response-byte 38180 Total time added: 0 ms Total latency to first byte: 796 ms Request latency: 0 ms OCS connect time: 796 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=235421 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:19:59 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms access-logging: start 130 elapsed 0 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 130 stop transaction -------------------- start transaction ------------------- transaction ID=235422 type=ssl.tunnel transaction handed off from: 235421 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:19:59 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.77.34 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 108001 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1517 elapsed 0 ms client-out: start 1517 elapsed 0 ms access-logging: start 108001 elapsed 0 ms stop-transaction: start 108001 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 764 url_categorization complete time: 0 ssl_server started tunnel: 1643 server connection: start 1 DNS Lookup: start 1517 elapsed 0 ms server connection: connected 631 client connection: first-response-byte 0 last-response-byte 108001 Total time added: 0 ms Total latency to first byte: 630 ms Request latency: 0 ms OCS connect time: 630 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=236287 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:29:28 UTC CONNECT tcp://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=236288 type=ssl.tunnel transaction handed off from: 236287 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:29:28 UTC unknown ssl://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.135.251.63 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1340 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 770 elapsed 0 ms client-out: start 770 elapsed 0 ms access-logging: start 1340 elapsed 0 ms stop-transaction: start 1340 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 490 url_categorization complete time: 0 ssl_server started tunnel: 898 server connection: start 1 DNS Lookup: start 770 elapsed 0 ms server connection: connected 365 client connection: first-response-byte 0 last-response-byte 1340 Total time added: 0 ms Total latency to first byte: 364 ms Request latency: 0 ms OCS connect time: 364 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=236803 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:34:59 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 121 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 121 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=236831 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:35:24 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=236832 type=ssl.tunnel transaction handed off from: 236831 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:35:24 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.117.243.30 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1332 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 849 elapsed 0 ms client-out: start 849 elapsed 0 ms access-logging: start 1332 elapsed 0 ms stop-transaction: start 1332 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 574 url_categorization complete time: 0 ssl_server started tunnel: 969 server connection: start 1 DNS Lookup: start 849 elapsed 0 ms server connection: connected 454 client connection: first-response-byte 0 last-response-byte 1332 Total time added: 0 ms Total latency to first byte: 453 ms Request latency: 0 ms OCS connect time: 453 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=236804 type=ssl.tunnel transaction handed off from: 236803 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:34:59 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.76.34 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 37676 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1551 elapsed 0 ms client-out: start 1551 elapsed 0 ms access-logging: start 37676 elapsed 0 ms stop-transaction: start 37676 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1075 url_categorization complete time: 0 ssl_server started tunnel: 1672 server connection: start 1 DNS Lookup: start 1551 elapsed 0 ms server connection: connected 943 client connection: first-response-byte 0 last-response-byte 37676 Total time added: 0 ms Total latency to first byte: 942 ms Request latency: 0 ms OCS connect time: 942 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=237962 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:47:54 UTC CONNECT tcp://iecvlist.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=237963 type=ssl.tunnel transaction handed off from: 237962 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:47:54 UTC unknown ssl://iecvlist.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=152.199.19.161 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 109934 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 717 elapsed 0 ms client-out: start 717 elapsed 0 ms access-logging: start 109934 elapsed 0 ms stop-transaction: start 109934 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 349 url_categorization complete time: 1 ssl_server started tunnel: 774 server connection: start 1 DNS Lookup: start 717 elapsed 0 ms server connection: connected 297 client connection: first-response-byte 0 last-response-byte 109934 Total time added: 0 ms Total latency to first byte: 296 ms Request latency: 0 ms OCS connect time: 296 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=238146 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:49:46 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=238242 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:50:48 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?55ba17f196946034 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab origin server next-hop IP address=205.185.216.10 User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 304 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 494 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms server-out: start 123 elapsed 0 ms server-in: start 493 elapsed 0 ms cache-hit: start 123 elapsed 0 ms client-out: start 493 elapsed 0 ms access-logging: start 493 elapsed 0 ms stop-transaction: start 494 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 1 server connection: start 123 DNS Lookup: start 123 elapsed 248 ms server connection: connected 431 first-byte 493 last_byte 493 client connection: first-response-byte 493 last-response-byte 493 Total time added: 122 ms Total latency to first byte: 430 ms Request latency: 122 ms OCS connect time: 308 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=238147 type=ssl.tunnel transaction handed off from: 238146 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 10:49:46 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.6.46 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 74308 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1793 elapsed 0 ms client-out: start 1793 elapsed 0 ms access-logging: start 74308 elapsed 0 ms stop-transaction: start 74308 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1291 url_categorization complete time: 1 ssl_server started tunnel: 2024 server connection: start 1 DNS Lookup: start 1793 elapsed 0 ms server connection: connected 1053 client connection: first-response-byte 0 last-response-byte 74308 Total time added: 0 ms Total latency to first byte: 1052 ms Request latency: 0 ms OCS connect time: 1052 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=239407 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:03:40 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=239408 type=ssl.tunnel transaction handed off from: 239407 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:03:40 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.156.204.185 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 4171 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 680 elapsed 0 ms client-out: start 680 elapsed 0 ms access-logging: start 4171 elapsed 0 ms stop-transaction: start 4171 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 679 url_categorization complete time: 1 ssl_server started tunnel: 3772 server connection: start 1 DNS Lookup: start 680 elapsed 0 ms server connection: connected 585 client connection: first-response-byte 0 last-response-byte 4171 Total time added: 0 ms Total latency to first byte: 584 ms Request latency: 0 ms OCS connect time: 584 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=239504 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:04:44 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6fbcd81c6e809cfb DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab origin server next-hop IP address=92.123.180.128 User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 304 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 541 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms server-out: start 123 elapsed 0 ms server-in: start 540 elapsed 0 ms cache-hit: start 123 elapsed 0 ms client-out: start 541 elapsed 0 ms access-logging: start 541 elapsed 0 ms stop-transaction: start 541 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 ICAP Response Scan: start 540 delay 0 finish 541 server connection: start 123 DNS Lookup: start 123 elapsed 246 ms server connection: connected 429 first-byte 540 last_byte 540 client connection: first-response-byte 541 last-response-byte 541 Total time added: 123 ms Total latency to first byte: 429 ms Request latency: 122 ms OCS connect time: 306 ms Response latency (first byte): 1 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=239505 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:04:45 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?aedbaaec5bf8ced9 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab origin server next-hop IP address=92.123.180.128 User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 304 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 106 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 105 elapsed 0 ms cache-hit: start 1 elapsed 0 ms client-out: start 106 elapsed 0 ms access-logging: start 106 elapsed 0 ms stop-transaction: start 106 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 ICAP Response Scan: start 105 delay 0 finish 106 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 1 first-byte 105 last_byte 105 client connection: first-response-byte 106 last-response-byte 106 Total time added: 1 ms Total latency to first byte: 1 ms Request latency: 0 ms OCS connect time: 0 ms Response latency (first byte): 1 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=239525 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:05:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=239580 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:05:25 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=239581 type=ssl.tunnel transaction handed off from: 239580 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:05:25 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.135.251.63 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1270 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 743 elapsed 0 ms client-out: start 743 elapsed 0 ms access-logging: start 1270 elapsed 0 ms stop-transaction: start 1270 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 497 url_categorization complete time: 0 ssl_server started tunnel: 870 server connection: start 1 DNS Lookup: start 743 elapsed 0 ms server connection: connected 367 client connection: first-response-byte 0 last-response-byte 1270 Total time added: 0 ms Total latency to first byte: 366 ms Request latency: 0 ms OCS connect time: 366 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=239526 type=ssl.tunnel transaction handed off from: 239525 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:05:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.23 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 38106 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1613 elapsed 0 ms client-out: start 1613 elapsed 0 ms access-logging: start 38106 elapsed 0 ms stop-transaction: start 38106 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1004 url_categorization complete time: 1 ssl_server started tunnel: 1797 server connection: start 1 DNS Lookup: start 1613 elapsed 0 ms server connection: connected 811 client connection: first-response-byte 0 last-response-byte 38106 Total time added: 0 ms Total latency to first byte: 810 ms Request latency: 0 ms OCS connect time: 810 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=240828 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:19:19 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=240830 type=ssl.tunnel transaction handed off from: 240828 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:19:20 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.156.204.185 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1249 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 595 elapsed 0 ms client-out: start 595 elapsed 0 ms access-logging: start 1249 elapsed 0 ms stop-transaction: start 1249 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 595 url_categorization complete time: 1 ssl_server started tunnel: 699 server connection: start 1 DNS Lookup: start 595 elapsed 0 ms server connection: connected 501 client connection: first-response-byte 0 last-response-byte 1249 Total time added: 0 ms Total latency to first byte: 500 ms Request latency: 0 ms OCS connect time: 500 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=240902 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:20:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 121 ms access-logging: start 123 elapsed 1 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 123 stop transaction -------------------- start transaction ------------------- transaction ID=240903 type=ssl.tunnel transaction handed off from: 240902 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:20:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.22 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 37818 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1415 elapsed 0 ms client-out: start 1415 elapsed 0 ms access-logging: start 37818 elapsed 0 ms stop-transaction: start 37818 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 945 url_categorization complete time: 0 ssl_server started tunnel: 1607 server connection: start 1 DNS Lookup: start 1415 elapsed 0 ms server connection: connected 748 client connection: first-response-byte 0 last-response-byte 37818 Total time added: 0 ms Total latency to first byte: 747 ms Request latency: 0 ms OCS connect time: 747 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=241009 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:21:13 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=241010 type=ssl.tunnel transaction handed off from: 241009 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:21:13 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.75.78 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 37205 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1455 elapsed 0 ms client-out: start 1455 elapsed 0 ms access-logging: start 37205 elapsed 0 ms stop-transaction: start 37205 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 952 url_categorization complete time: 0 ssl_server started tunnel: 1573 server connection: start 1 DNS Lookup: start 1455 elapsed 0 ms server connection: connected 826 client connection: first-response-byte 0 last-response-byte 37205 Total time added: 0 ms Total latency to first byte: 825 ms Request latency: 0 ms OCS connect time: 825 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=241770 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:29:29 UTC CONNECT tcp://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=241771 type=ssl.tunnel transaction handed off from: 241770 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:29:29 UTC unknown ssl://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=65.52.226.14 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1132 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 715 elapsed 0 ms client-out: start 715 elapsed 0 ms access-logging: start 1132 elapsed 0 ms stop-transaction: start 1132 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 469 url_categorization complete time: 1 ssl_server started tunnel: 808 server connection: start 1 DNS Lookup: start 715 elapsed 0 ms server connection: connected 362 client connection: first-response-byte 0 last-response-byte 1132 Total time added: 0 ms Total latency to first byte: 361 ms Request latency: 0 ms OCS connect time: 361 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=242267 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:35:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 121 ms access-logging: start 123 elapsed 1 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 123 stop transaction -------------------- start transaction ------------------- transaction ID=242268 type=ssl.tunnel transaction handed off from: 242267 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:35:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.88.20 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 2129 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1271 elapsed 0 ms client-out: start 1271 elapsed 0 ms access-logging: start 2129 elapsed 0 ms stop-transaction: start 2129 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 807 url_categorization complete time: 0 ssl_server started tunnel: 1387 server connection: start 1 DNS Lookup: start 1271 elapsed 0 ms server connection: connected 687 client connection: first-response-byte 0 last-response-byte 2129 Total time added: 0 ms Total latency to first byte: 686 ms Request latency: 0 ms OCS connect time: 686 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=242300 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:35:26 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=242301 type=ssl.tunnel transaction handed off from: 242300 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:35:27 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.117.243.30 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1396 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 881 elapsed 0 ms client-out: start 881 elapsed 0 ms access-logging: start 1396 elapsed 0 ms stop-transaction: start 1396 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 629 url_categorization complete time: 0 ssl_server started tunnel: 1009 server connection: start 1 DNS Lookup: start 881 elapsed 0 ms server connection: connected 499 client connection: first-response-byte 0 last-response-byte 1396 Total time added: 0 ms Total latency to first byte: 498 ms Request latency: 0 ms OCS connect time: 498 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=243610 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:49:56 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms access-logging: start 130 elapsed 0 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 130 stop transaction -------------------- start transaction ------------------- transaction ID=243611 type=ssl.tunnel transaction handed off from: 243610 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:49:56 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.142.119.134 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1379 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 651 elapsed 0 ms client-out: start 651 elapsed 0 ms access-logging: start 1379 elapsed 0 ms stop-transaction: start 1379 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 650 url_categorization complete time: 0 ssl_server started tunnel: 779 server connection: start 1 DNS Lookup: start 651 elapsed 0 ms server connection: connected 522 client connection: first-response-byte 0 last-response-byte 1379 Total time added: 0 ms Total latency to first byte: 521 ms Request latency: 0 ms OCS connect time: 521 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=243617 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:50:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=243710 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:50:57 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?8433983622704d58 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms cache-hit: start 129 elapsed 0 ms client-out: start 130 elapsed 0 ms access-logging: start 130 elapsed 0 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 0 ICAP Response Scan: start 129 delay 0 finish 130 client connection: first-response-byte 130 last-response-byte 130 stop transaction -------------------- start transaction ------------------- transaction ID=243618 type=ssl.tunnel transaction handed off from: 243617 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 11:50:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.21 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 73056 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1267 elapsed 0 ms client-out: start 1267 elapsed 0 ms access-logging: start 73055 elapsed 1 ms stop-transaction: start 73056 elapsed 0 ms Total Policy evaluation time: 1 ms ssl server hello complete: 954 url_categorization complete time: 1 ssl_server started tunnel: 1459 server connection: start 1 DNS Lookup: start 1267 elapsed 0 ms server connection: connected 761 client connection: first-response-byte 0 last-response-byte 73055 Total time added: 0 ms Total latency to first byte: 760 ms Request latency: 0 ms OCS connect time: 760 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=245002 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:05:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 131 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 129 ms access-logging: start 131 elapsed 0 ms stop-transaction: start 131 elapsed 0 ms Total Policy evaluation time: 129 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 131 stop transaction -------------------- start transaction ------------------- transaction ID=245052 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:05:28 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 124 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 124 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=245053 type=ssl.tunnel transaction handed off from: 245052 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:05:28 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.117.243.30 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1290 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 810 elapsed 0 ms client-out: start 810 elapsed 0 ms access-logging: start 1290 elapsed 0 ms stop-transaction: start 1290 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 556 url_categorization complete time: 0 ssl_server started tunnel: 926 server connection: start 1 DNS Lookup: start 810 elapsed 0 ms server connection: connected 430 client connection: first-response-byte 0 last-response-byte 1290 Total time added: 0 ms Total latency to first byte: 429 ms Request latency: 0 ms OCS connect time: 429 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=245061 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:05:32 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 124 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 124 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=245062 type=ssl.tunnel transaction handed off from: 245061 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:05:32 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.142.119.134 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1405 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 752 elapsed 0 ms client-out: start 752 elapsed 0 ms access-logging: start 1405 elapsed 0 ms stop-transaction: start 1405 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 751 url_categorization complete time: 0 ssl_server started tunnel: 878 server connection: start 1 DNS Lookup: start 752 elapsed 0 ms server connection: connected 627 client connection: first-response-byte 0 last-response-byte 1405 Total time added: 0 ms Total latency to first byte: 626 ms Request latency: 0 ms OCS connect time: 626 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=245003 type=ssl.tunnel transaction handed off from: 245002 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:05:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.22 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 37740 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1228 elapsed 0 ms client-out: start 1228 elapsed 0 ms access-logging: start 37739 elapsed 1 ms stop-transaction: start 37740 elapsed 0 ms Total Policy evaluation time: 1 ms ssl server hello complete: 859 url_categorization complete time: 0 ssl_server started tunnel: 1422 server connection: start 1 DNS Lookup: start 1228 elapsed 0 ms server connection: connected 668 client connection: first-response-byte 0 last-response-byte 37739 Total time added: 0 ms Total latency to first byte: 667 ms Request latency: 0 ms OCS connect time: 667 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=245105 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:06:02 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?762010a87a70c9dd DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 127 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 125 ms cache-hit: start 126 elapsed 0 ms client-out: start 127 elapsed 0 ms access-logging: start 127 elapsed 0 ms stop-transaction: start 127 elapsed 0 ms Total Policy evaluation time: 125 ms url_categorization complete time: 1 ICAP Response Scan: start 126 delay 0 finish 127 client connection: first-response-byte 127 last-response-byte 127 stop transaction -------------------- start transaction ------------------- transaction ID=245107 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:06:02 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d66765366da27b30 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 200 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 2 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms cache-hit: start 1 elapsed 0 ms client-out: start 2 elapsed 0 ms access-logging: start 2 elapsed 0 ms stop-transaction: start 2 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 ICAP Response Scan: start 1 delay 0 finish 2 client connection: first-response-byte 2 last-response-byte 2 stop transaction -------------------- start transaction ------------------- transaction ID=246373 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:20:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=246374 type=ssl.tunnel transaction handed off from: 246373 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:20:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.128.43 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 37802 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1445 elapsed 0 ms client-out: start 1445 elapsed 0 ms access-logging: start 37802 elapsed 0 ms stop-transaction: start 37802 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 955 url_categorization complete time: 1 ssl_server started tunnel: 1627 server connection: start 1 DNS Lookup: start 1445 elapsed 0 ms server connection: connected 766 client connection: first-response-byte 0 last-response-byte 37802 Total time added: 0 ms Total latency to first byte: 765 ms Request latency: 0 ms OCS connect time: 765 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=246485 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:21:13 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=246486 type=ssl.tunnel transaction handed off from: 246485 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:21:13 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.158.92 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 38018 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1599 elapsed 0 ms client-out: start 1599 elapsed 0 ms access-logging: start 38018 elapsed 0 ms stop-transaction: start 38018 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 945 url_categorization complete time: 1 ssl_server started tunnel: 1824 server connection: start 1 DNS Lookup: start 1599 elapsed 0 ms server connection: connected 715 client connection: first-response-byte 0 last-response-byte 38018 Total time added: 0 ms Total latency to first byte: 714 ms Request latency: 0 ms OCS connect time: 714 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=247262 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:29:31 UTC CONNECT tcp://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=247263 type=ssl.tunnel transaction handed off from: 247262 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:29:31 UTC unknown ssl://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.117.243.30 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1253 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 735 elapsed 0 ms client-out: start 735 elapsed 0 ms access-logging: start 1253 elapsed 0 ms stop-transaction: start 1253 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 487 url_categorization complete time: 0 ssl_server started tunnel: 852 server connection: start 1 DNS Lookup: start 735 elapsed 0 ms server connection: connected 368 client connection: first-response-byte 0 last-response-byte 1253 Total time added: 0 ms Total latency to first byte: 367 ms Request latency: 0 ms OCS connect time: 367 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=247756 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:35:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=247757 type=ssl.tunnel transaction handed off from: 247756 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:35:00 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.73 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 2809 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1660 elapsed 0 ms client-out: start 1660 elapsed 0 ms access-logging: start 2809 elapsed 0 ms stop-transaction: start 2809 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1112 url_categorization complete time: 1 ssl_server started tunnel: 1815 server connection: start 1 DNS Lookup: start 1660 elapsed 0 ms server connection: connected 954 client connection: first-response-byte 0 last-response-byte 2809 Total time added: 0 ms Total latency to first byte: 953 ms Request latency: 0 ms OCS connect time: 953 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=247802 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:35:30 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=247804 type=ssl.tunnel transaction handed off from: 247802 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:35:30 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=40.114.224.200 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1026 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 655 elapsed 0 ms client-out: start 655 elapsed 0 ms access-logging: start 1026 elapsed 0 ms stop-transaction: start 1026 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 404 url_categorization complete time: 1 ssl_server started tunnel: 746 server connection: start 1 DNS Lookup: start 655 elapsed 0 ms server connection: connected 324 client connection: first-response-byte 0 last-response-byte 1026 Total time added: 0 ms Total latency to first byte: 323 ms Request latency: 0 ms OCS connect time: 323 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=249114 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:50:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 123 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 123 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=249216 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:51:03 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?83b126b5bdcc2a69 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab origin server next-hop IP address=95.101.114.67 User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 304 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 ICAP RESPMOD Scan Summary: Error code: none Transaction timing: total-transaction-time 536 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 121 ms server-out: start 123 elapsed 0 ms server-in: start 534 elapsed 0 ms cache-hit: start 123 elapsed 0 ms client-out: start 536 elapsed 0 ms access-logging: start 536 elapsed 0 ms stop-transaction: start 536 elapsed 0 ms Total Policy evaluation time: 121 ms url_categorization complete time: 0 ICAP Response Scan: start 535 delay 0 finish 536 server connection: start 123 DNS Lookup: start 123 elapsed 253 ms server connection: connected 436 first-byte 534 last_byte 534 client connection: first-response-byte 536 last-response-byte 536 Total time added: 124 ms Total latency to first byte: 437 ms Request latency: 122 ms OCS connect time: 313 ms Response latency (first byte): 2 ms Response latency (last byte): 2 ms stop transaction -------------------- start transaction ------------------- transaction ID=249231 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:51:09 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms access-logging: start 129 elapsed 1 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 129 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 129 stop transaction -------------------- start transaction ------------------- transaction ID=249232 type=ssl.tunnel transaction handed off from: 249231 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:51:09 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.142.119.134 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1424 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 656 elapsed 0 ms client-out: start 656 elapsed 0 ms access-logging: start 1424 elapsed 0 ms stop-transaction: start 1424 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 655 url_categorization complete time: 0 ssl_server started tunnel: 778 server connection: start 1 DNS Lookup: start 656 elapsed 0 ms server connection: connected 528 client connection: first-response-byte 0 last-response-byte 1424 Total time added: 0 ms Total latency to first byte: 527 ms Request latency: 0 ms OCS connect time: 527 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=249115 type=ssl.tunnel transaction handed off from: 249114 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 12:50:01 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.77.34 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 73122 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1804 elapsed 0 ms client-out: start 1804 elapsed 0 ms access-logging: start 73122 elapsed 0 ms stop-transaction: start 73122 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 995 url_categorization complete time: 0 ssl_server started tunnel: 1932 server connection: start 1 DNS Lookup: start 1804 elapsed 0 ms server connection: connected 868 client connection: first-response-byte 0 last-response-byte 73122 Total time added: 0 ms Total latency to first byte: 867 ms Request latency: 0 ms OCS connect time: 867 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=250506 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:05:00 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 130 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 127 ms access-logging: start 129 elapsed 1 ms stop-transaction: start 130 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 129 stop transaction -------------------- start transaction ------------------- transaction ID=250544 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:05:31 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=250545 type=ssl.tunnel transaction handed off from: 250544 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:05:31 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=40.114.224.200 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1207 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 884 elapsed 0 ms client-out: start 884 elapsed 0 ms access-logging: start 1207 elapsed 0 ms stop-transaction: start 1207 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 545 url_categorization complete time: 1 ssl_server started tunnel: 962 server connection: start 1 DNS Lookup: start 884 elapsed 0 ms server connection: connected 455 client connection: first-response-byte 0 last-response-byte 1207 Total time added: 0 ms Total latency to first byte: 454 ms Request latency: 0 ms OCS connect time: 454 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=250507 type=ssl.tunnel transaction handed off from: 250506 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:05:01 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.128.9 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 38527 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1718 elapsed 0 ms client-out: start 1718 elapsed 0 ms access-logging: start 38527 elapsed 0 ms stop-transaction: start 38527 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1009 url_categorization complete time: 0 ssl_server started tunnel: 1931 server connection: start 1 DNS Lookup: start 1718 elapsed 0 ms server connection: connected 794 client connection: first-response-byte 0 last-response-byte 38527 Total time added: 0 ms Total latency to first byte: 793 ms Request latency: 0 ms OCS connect time: 793 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=250607 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:06:03 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f3f64ba0f700d058 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab origin server next-hop IP address=8.250.159.254 User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 304 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 513 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 128 ms server-out: start 130 elapsed 0 ms server-in: start 513 elapsed 0 ms cache-hit: start 129 elapsed 0 ms client-out: start 513 elapsed 0 ms access-logging: start 513 elapsed 0 ms stop-transaction: start 513 elapsed 0 ms Total Policy evaluation time: 128 ms url_categorization complete time: 1 server connection: start 130 DNS Lookup: start 130 elapsed 246 ms server connection: connected 444 first-byte 513 last_byte 513 client connection: first-response-byte 513 last-response-byte 513 Total time added: 129 ms Total latency to first byte: 443 ms Request latency: 129 ms OCS connect time: 314 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=250609 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_secure_connection MATCH: response.icap_service.secure_connection(auto) Called policy definition: BC_malware_scanner MATCH: response.icap_service(bluecoat-local-response, fail-closed) Called policy definition: BC_malware_scanning_HighPerformance MATCH: condition=ShouldScanHighPerformance policy.BC_malware_scanner policy.BC_malware_scanning_secure_connection Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance MATCH: condition=ShouldScanHighPerformance response.icap_feedback(trickle_end) Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:06:04 UTC GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9f7a8ebf38423225 DNS lookup was restricted rewritten URL(s): cache_url=http://windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab origin server next-hop IP address=8.250.159.254 User-Agent: Microsoft-CryptoAPI/10.0 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 304 client.response.code: 304 application.name: Microsoft Update application.operation: Update Software application.group: none Set-Object-TTL: 1728000 DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 70 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 69 elapsed 0 ms cache-hit: start 1 elapsed 0 ms client-out: start 70 elapsed 0 ms access-logging: start 70 elapsed 0 ms stop-transaction: start 70 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 1 server connection: start 1 DNS Lookup: start 1 elapsed 0 ms server connection: connected 1 first-byte 69 last_byte 69 client connection: first-response-byte 70 last-response-byte 70 Total time added: 1 ms Total latency to first byte: 1 ms Request latency: 0 ms OCS connect time: 0 ms Response latency (first byte): 1 ms Response latency (last byte): 1 ms stop transaction -------------------- start transaction ------------------- transaction ID=250655 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:06:45 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 125 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 125 elapsed 0 ms stop-transaction: start 125 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 125 stop transaction -------------------- start transaction ------------------- transaction ID=250656 type=ssl.tunnel transaction handed off from: 250655 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:06:45 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.156.204.185 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1146 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 656 elapsed 0 ms client-out: start 656 elapsed 0 ms access-logging: start 1145 elapsed 1 ms stop-transaction: start 1146 elapsed 0 ms Total Policy evaluation time: 1 ms ssl server hello complete: 655 url_categorization complete time: 1 ssl_server started tunnel: 749 server connection: start 1 DNS Lookup: start 656 elapsed 0 ms server connection: connected 561 client connection: first-response-byte 0 last-response-byte 1145 Total time added: 0 ms Total latency to first byte: 560 ms Request latency: 0 ms OCS connect time: 560 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=251863 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:20:01 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 124 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 124 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=251864 type=ssl.tunnel transaction handed off from: 251863 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:20:01 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.132.23 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 109238 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1999 elapsed 0 ms client-out: start 1999 elapsed 0 ms access-logging: start 109238 elapsed 0 ms stop-transaction: start 109238 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1302 url_categorization complete time: 1 ssl_server started tunnel: 2190 server connection: start 1 DNS Lookup: start 1999 elapsed 0 ms server connection: connected 1109 client connection: first-response-byte 0 last-response-byte 109238 Total time added: 0 ms Total latency to first byte: 1108 ms Request latency: 0 ms OCS connect time: 1108 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=252737 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:29:32 UTC CONNECT tcp://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 1 static categorization time: 1 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=252739 type=ssl.tunnel transaction handed off from: 252737 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:29:32 UTC unknown ssl://europe.smartscreen-prod.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=137.117.243.30 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1414 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 871 elapsed 0 ms client-out: start 871 elapsed 0 ms access-logging: start 1414 elapsed 0 ms stop-transaction: start 1414 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 623 url_categorization complete time: 1 ssl_server started tunnel: 999 server connection: start 1 DNS Lookup: start 871 elapsed 0 ms server connection: connected 496 client connection: first-response-byte 0 last-response-byte 1414 Total time added: 0 ms Total latency to first byte: 495 ms Request latency: 0 ms OCS connect time: 495 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=253233 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:35:01 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 122 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 122 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=253234 type=ssl.tunnel transaction handed off from: 253233 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:35:01 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.32.7 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 4252 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1913 elapsed 0 ms client-out: start 1913 elapsed 0 ms access-logging: start 4252 elapsed 0 ms stop-transaction: start 4252 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1391 url_categorization complete time: 1 ssl_server started tunnel: 2229 server connection: start 1 DNS Lookup: start 1913 elapsed 0 ms server connection: connected 1076 client connection: first-response-byte 0 last-response-byte 4252 Total time added: 0 ms Total latency to first byte: 1075 ms Request latency: 0 ms OCS connect time: 1075 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=253294 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:35:32 UTC CONNECT tcp://c.urs.microsoft.com:443/ DNS lookup was restricted User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 126 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 124 ms access-logging: start 126 elapsed 0 ms stop-transaction: start 126 elapsed 0 ms Total Policy evaluation time: 124 ms url_categorization complete time: 1 client connection: first-response-byte 0 last-response-byte 126 stop transaction -------------------- start transaction ------------------- transaction ID=253295 type=ssl.tunnel transaction handed off from: 253294 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:35:32 UTC unknown ssl://c.urs.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=65.52.226.14 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Web Infrastructure@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1076 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 698 elapsed 0 ms client-out: start 698 elapsed 0 ms access-logging: start 1076 elapsed 0 ms stop-transaction: start 1076 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 452 url_categorization complete time: 1 ssl_server started tunnel: 790 server connection: start 1 DNS Lookup: start 698 elapsed 0 ms server connection: connected 348 client connection: first-response-byte 0 last-response-byte 1076 Total time added: 0 ms Total latency to first byte: 347 ms Request latency: 0 ms OCS connect time: 347 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=253457 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:37:21 UTC CONNECT tcp://settings-win.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 121 ms access-logging: start 124 elapsed 0 ms stop-transaction: start 124 elapsed 0 ms Total Policy evaluation time: 121 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 124 stop transaction -------------------- start transaction ------------------- transaction ID=253458 type=ssl.tunnel transaction handed off from: 253457 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:37:21 UTC unknown ssl://settings-win.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.156.204.185 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 71372 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 655 elapsed 0 ms client-out: start 655 elapsed 0 ms access-logging: start 71372 elapsed 0 ms stop-transaction: start 71372 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 655 url_categorization complete time: 1 ssl_server started tunnel: 749 server connection: start 1 DNS Lookup: start 655 elapsed 0 ms server connection: connected 550 client connection: first-response-byte 0 last-response-byte 71372 Total time added: 0 ms Total latency to first byte: 549 ms Request latency: 0 ms OCS connect time: 549 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=254599 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:50:01 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 123 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 121 ms access-logging: start 123 elapsed 0 ms stop-transaction: start 123 elapsed 0 ms Total Policy evaluation time: 121 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 123 stop transaction -------------------- start transaction ------------------- transaction ID=254600 type=ssl.tunnel transaction handed off from: 254599 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) n/a: condition=__USER85 n/a: client.host.substring=jc183778 n/a: condition=__GROUP4 miss: category=("Blocked Sites For All", Games, Abortion, "Adult/Mature Content", Alcohol, "Child Pornography", "Controlled Substances", Gambling, Hacking, "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", Nudity, "Peer-to-Peer (P2P)", Phishing, Pornography, "Proxy Avoidance", "Remote Access", "Scam/Questionable Legality", "Sexual Expression", Spam) miss: condition="__CondList1Blocked Sites For VIP" MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 13:50:01 UTC unknown ssl://v10.events.data.microsoft.com:443/ DNS lookup was restricted origin server next-hop IP address=52.114.128.8 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' client.host: 10.16.4.168 (rdns resolution: query rejected) url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 73884 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 1641 elapsed 0 ms client-out: start 1641 elapsed 0 ms access-logging: start 73884 elapsed 0 ms stop-transaction: start 73884 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 1278 url_categorization complete time: 0 ssl_server started tunnel: 1854 server connection: start 1 DNS Lookup: start 1641 elapsed 0 ms server connection: connected 1059 client connection: first-response-byte 0 last-response-byte 73884 Total time added: 0 ms Total latency to first byte: 1058 ms Request latency: 0 ms OCS connect time: 1058 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=268226 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [local:8] miss: condition=ByPassWindowsUpdate [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) miss: condition=ByPassWindowsUpdate miss: condition=ByPassWindowsUpdate miss: request.application.name="Microsoft Update" MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 14:46:02 UTC CONNECT tcp://www.bing.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 1 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms access-logging: start 1 elapsed 0 ms stop-transaction: start 1 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 1 stop transaction -------------------- start transaction ------------------- transaction ID=268227 type=ssl.tunnel transaction handed off from: 268226 [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [local:8] miss: condition=ByPassWindowsUpdate [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) miss: condition=ByPassWindowsUpdate miss: condition=ByPassWindowsUpdate miss: request.application.name="Microsoft Update" MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 14:46:02 UTC unknown ssl://www.bing.com:443/ DNS lookup was restricted origin server next-hop IP address=13.107.21.200 user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' url.category: none@Policy;none@YouTube;Search Engines/Portals@Blue Coat total categorization time: 0 static categorization time: 0 application.name: none application.operation: none application.group: none DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 124433 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms server-out: start 1 elapsed 0 ms server-in: start 370 elapsed 0 ms client-out: start 370 elapsed 0 ms access-logging: start 124433 elapsed 0 ms stop-transaction: start 124433 elapsed 0 ms Total Policy evaluation time: 0 ms ssl server hello complete: 369 url_categorization complete time: 0 ssl_server started tunnel: 439 server connection: start 1 DNS Lookup: start 370 elapsed 0 ms server connection: connected 278 client connection: first-response-byte 0 last-response-byte 124433 Total time added: 0 ms Total latency to first byte: 277 ms Request latency: 0 ms OCS connect time: 277 ms Response latency (first byte): 0 ms Response latency (last byte): 0 ms stop transaction -------------------- start transaction ------------------- transaction ID=269147 type=http.proxy [builtin-prolog:712] MATCH: variable.false_flag(false) [builtin-prolog:718] MATCH: variable.time_quota_enforced(false) [builtin-prolog:722] MATCH: variable.volume_quota_enforced(false) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true [builtin-prolog:372] MATCH: variable.bc_notify1(empty1) variable.bc_notify2(empty2) [vpm-cpl:4402] miss: condition=__is_notify_internal [vpm-cpl:4439] miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url.regex="(.*)/notified-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/verify-WelcomePage\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Splash-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notified-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/verify-Ack-Page\?([^;]+);(.*)" miss: url.regex="(.*)/notify-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/accepted-NotifyUser1\?([^;]+);(.*)" miss: url.regex="(.*)/verify-NotifyUser1\?([^;]+);(.*)" [local:8] miss: condition=ByPassWindowsUpdate [builtin-prolog:323] MATCH: url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") [builtin-prolog:329] n/a: request.header.Referer.url.threat_risk.level=0..10 MATCH: variable.request.header.Referer.url.threat_risk.effective_level(5) [builtin-epilog:9] miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: [builtin-epilog:17] variable.time_quota_enforced=true miss: [builtin-epilog:21] variable.time_quota_enforced=true miss: [builtin-epilog:25] variable.time_quota_enforced=true miss: [builtin-epilog:34] variable.time_quota_enforced=true miss: [builtin-epilog:39] variable.time_quota_enforced=true miss: [builtin-epilog:52] variable.volume_quota_enforced=true miss: [builtin-epilog:66] variable.volume_quota_enforced=true miss: [builtin-epilog:71] variable.volume_quota_enforced=true [builtin-prolog:335] MATCH: server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") miss: [builtin-epilog:56] variable.volume_quota_enforced=true MATCH: policy.BC_malware_scanning_solution MATCH: policy.BC_malware_scanning_solution_proxy miss: variable.false_flag=true miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") miss: category=("Audio/Video Clips", "Mixed Content/Potentially Adult") MATCH: condition=__CondList1NoAuthComputers authenticate(no) MATCH: ALLOW client.address="Allowed Servers" MATCH: response.icap_service(bluecoat-local-response, fail_closed) miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ miss: [Rule] url=http://notify.bluecoat.com/ [Rule] miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: url=http://notify.bluecoat.com/ miss: [Rule] variable.bc_notify1=variable.bc_notify2 [Rule] MATCH: action.__delete_notify_cookies(yes) miss: condition=ByPassWindowsUpdate miss: condition=ByPassWindowsUpdate miss: request.application.name="Microsoft Update" MATCH: client.address=10.16.4.168 trace.destination(function_disabled_access) trace.request(yes) miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.time_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true miss: variable.volume_quota_enforced=true Called policy definition: BC_malware_scanning_HighPerformance n/a: condition=ShouldScanHighPerformance MATCH: response.icap_service(no) Called policy definition: BC_malware_scanning_solution MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_HighPerformance Called policy definition: BC_malware_scanning_proxy_HighPerformance n/a: condition=ShouldScanHighPerformance Called policy definition: BC_malware_scanning_solution_proxy MATCH: ami.config.threat-protection.malware-scanning.level='(BC-Malware-Scanning-Scan-Level "high-performance")' policy.BC_malware_scanning_proxy_HighPerformance Assigned values of transaction variables: dns.request.threat_risk.effective_level=(value undetermined) url.threat_risk.effective_level=1 request.header.Referer.url.threat_risk.effective_level=5 server_url.threat_risk.effective_level=1 server.certificate.hostname.threat_risk.effective_level=(value undetermined) bc_notify1=empty1 bc_notify2=empty2 time_quota_enforced=FALSE time_quota_name=(value undetermined) time_quota_frequency=(value undetermined) time_quota_limit=(value undetermined) time_quota_warning_limit=(value undetermined) time_quota_exceeded=(value undetermined) time_quota_warning=(value undetermined) time_quota_warning_exists=(value undetermined) guest_time_quota_exceeded=(value undetermined) guest_time_quota_warning=(value undetermined) guest_time_quota_warning_exists=(value undetermined) time_recorded=(value undetermined) guest_time_recorded=(value undetermined) volume_quota_enforced=FALSE volume_quota_name=(value undetermined) volume_quota_frequency=(value undetermined) volume_quota_limit=(value undetermined) volume_quota_warning_limit=(value undetermined) volume_quota_exceeded=(value undetermined) volume_quota_warning=(value undetermined) volume_quota_warning_exists=(value undetermined) guest_volume_quota_exceeded=(value undetermined) guest_volume_quota_warning=(value undetermined) guest_volume_quota_warning_exists=(value undetermined) user_authentication_is_on=(value undetermined) false_flag=FALSE connection: service.name=Explicit HTTP client.address=10.16.4.168 proxy.port=80 client.interface=1:0.1 routing-domain=default location-id=0 access_type=unknown time: 2019-10-06 14:49:50 UTC CONNECT tcp://v10.events.data.microsoft.com:443/ DNS lookup was restricted user: unauthenticated authentication status='not_attempted' authorization status='not_attempted' url.category: Microsoft Devoloper Sites@Policy;none@YouTube;Technology/Internet@Blue Coat total categorization time: 0 static categorization time: 0 server.response.code: 0 client.response.code: 200 application.name: Office 365 General application.operation: none application.group: Online Productivity Suite DSCP client outbound: 65 DSCP server outbound: 65 Transaction timing: total-transaction-time 2 ms Checkpoint timings: new-connection: start 1 elapsed 0 ms client-in: start 1 elapsed 0 ms access-logging: start 1 elapsed 0 ms stop-transaction: start 2 elapsed 0 ms Total Policy evaluation time: 0 ms url_categorization complete time: 0 client connection: first-response-byte 0 last-response-byte 1 stop transaction --------------------