User initiated web traffic

Can the XG logs show whether an attempt to access a blocked website was user initiated or an automated pop-up, notification etc?

  • How can the XG know about it? The request comes from the application, or at least from your user IP, but how can the box find out if it's a user click or a link in the webpage or in a script?

  • You can get some information, but not a lot.  Only useful for detective work ("No I did not click on porn, it must have been due to a page load").

    Go to Log Viewer.  Click the little icon that switches to Detailed View.  Now change module to Web Filter.
    You'll see a log line that looks like this:


    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="" user_group="" web_policy_id="1" web_policy="" category="Information Technology" category_type="Acceptable" url="http://www.sophostest.com/img/head-shadow.gif" content_type="image/gif" override_token="" response_code="" src_ip="10.108.107.93" dst_ip="176.34.160.144" protocol="TCP" src_port="58583" dst_port="80" bytes_sent="389" bytes_received="1837" domain="www.sophostest.com" exception="" activity_name="" reason="not eligible" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" status_code="200" transaction_id="" referer="http://www.sophostest.com/img/theme.css" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1017174944" app_name="" app_is_cloud="0"
    Here are the relevant fields:

    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

    The user_agent tells you which browser, but it can also be things like Adobe Updater.

    The referrer tells you what page caused the load.  In this case a .css file caused a .gif to load.  But if a user clicks on a link, the page they started from is also the referrer, so you don't really know if it was automatic or a user click.  If the referrer is blank, it is because they hit reload or used a bookmark.  The next diagnostic is to look at the timestamps.  If you see that the one you are interested in was loaded at the same time as a bunch of other stuff with the same referrer, then you can deduce it was a page load that loaded it.  But if it is a timestamp all on its own (or the first in a bunch), it is likely due to a user click.
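    The heuristics in this answer (user_agent, referer, and timestamp clustering) can be applied mechanically to an exported batch of Web Filter log lines. The script below is an added example written for this thread; it is not Sophos code and not part of the original post. The sample log lines are constructed, and the `date=`/`time=` fields are an assumption about how the timestamp is logged (the line quoted above does not show it), as is the two-second clustering window. Verdicts are hints only; the later reply in this thread explains why delayed ad scripts and stripped referers can defeat them.

```python
import re
from datetime import datetime, timedelta

# Matches key="value" (the quoted form shown in the XG log line) and bare key=value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

# Constructed sample lines, not real XG output.  Assumption: the timestamp is carried
# in date= and time= fields; only the fields used by the heuristics are included.
SAMPLE_LINES = [
    f'date=2018-06-20 time=10:00:00 log_subtype="Allowed" url="http://www.sophostest.com/" referer="" user_agent="{FIREFOX}"',
    f'date=2018-06-20 time=10:00:00 log_subtype="Allowed" url="http://www.sophostest.com/img/theme.css" referer="http://www.sophostest.com/" user_agent="{FIREFOX}"',
    f'date=2018-06-20 time=10:00:01 log_subtype="Allowed" url="http://www.sophostest.com/img/head-shadow.gif" referer="http://www.sophostest.com/img/theme.css" user_agent="{FIREFOX}"',
    f'date=2018-06-20 time=10:00:01 log_subtype="Allowed" url="http://ads.example/banner.js" referer="http://www.sophostest.com/" user_agent="{FIREFOX}"',
    f'date=2018-06-20 time=10:00:45 log_subtype="Denied" url="http://blocked.example/" referer="http://www.sophostest.com/" user_agent="{FIREFOX}"',
    f'date=2018-06-20 time=10:03:00 log_subtype="Allowed" url="http://www.sophostest.com/a.js" referer="http://www.sophostest.com/cached-page" user_agent="{FIREFOX}"',
    f'date=2018-06-20 time=10:03:00 log_subtype="Allowed" url="http://www.sophostest.com/b.js" referer="http://www.sophostest.com/cached-page" user_agent="{FIREFOX}"',
    'date=2018-06-20 time=10:05:00 log_subtype="Allowed" url="http://updates.example/manifest" referer="" user_agent="Adobe Update Manager/1.0 (constructed)"',
]


def parse_line(line):
    """Parse one log line into a dict.  Quoted values keep spaces; a missing group is None."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def classify(lines, window=timedelta(seconds=2)):
    """Return (url, log_subtype, verdict) per line, applying the answer's heuristics.

    Verdicts: 'non-browser client', 'no referer', 'page load', 'first of burst', 'isolated'.
    """
    entries = [parse_line(line) for line in lines]
    for e in entries:
        e["_ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
    entries.sort(key=lambda e: e["_ts"])          # stable: input order breaks ties
    for i, e in enumerate(entries):
        e["_i"] = i                               # position in time order

    results = []
    for e in entries:
        ref, ua, url = e.get("referer", ""), e.get("user_agent", ""), e.get("url", "")
        if "Mozilla/" not in ua:
            verdict = "non-browser client"        # e.g. an updater, not a person browsing
        elif ref == "":
            verdict = "no referer"                # reload/bookmark, or referer stripped
        elif any(s["url"] == ref and s["_i"] < e["_i"] and e["_ts"] - s["_ts"] <= window
                 for s in entries):
            verdict = "page load"                 # the referer itself was fetched moments earlier
        else:
            # Other requests carrying the same referer inside the window form a burst.
            siblings = [s for s in entries
                        if s is not e and s.get("referer") == ref
                        and abs(s["_ts"] - e["_ts"]) <= window]
            if not siblings:
                verdict = "isolated"              # on its own: likely a user click
            elif all(s["_i"] > e["_i"] for s in siblings):
                verdict = "first of burst"        # first of a bunch: likely a user click
            else:
                verdict = "page load"             # loaded alongside the rest of the page
        results.append((url, e.get("log_subtype", ""), verdict))
    return results


if __name__ == "__main__":
    for url, subtype, verdict in classify(SAMPLE_LINES):
        print(f"{subtype:8} {verdict:18} {url}")
```

    Run on the constructed lines, the denied request 45 seconds after the page loaded comes out as "isolated", which is the case this answer describes as a likely click; the .css and .gif requests come out as "page load" because their referer was fetched within the window.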

  • In reply to Michael Dunn:

    Thanks Mike..

    I knew it was a bit of a long shot but this will certainly help when the students claim it was a "pop-up".

    Thanks again

    Mat

  • In reply to Michael Dunn:

    Hi,
    The timestamp is a clue, but it can't be held against the student. Some pages have a script which loads some ads after a while.

    Same for the referer: it can be removed on the link, so you can have a blank referer with a popup.