WCG error.log shows multiple failed connections for sites never visited
- Article Number: 000003859
- Products: Forcepoint V10000 Appliance, Forcepoint V20000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, Forcepoint X Series Appliance, TRITON AP-WEB, Web Security Gateway, Web Security Gateway Anywhere
- Version: 8.5, 8.4, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.0
- Last Published Date: October 14, 2016
Why does the WCG error.log show multiple 'Unknown Host' failures when users have not been browsing sites?
“RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'”
This amounts to a considerable amount of traffic.
Checking whether the connection is potentially a security risk:
Check the client machines generating the traffic with an anti-virus solution for botnet clients.
The 'http://trust-service.cn/trust/1488/config.bin' example represents a ZeuS botnet client; however, many other URLs can be seen. ZeuS is a common crimeware kit used for various attacks. You may test a URL at the following site to see if a ZeuS client is active on your network.
Botnets other than ZeuS may also be found; investigate the URL in question to determine whether it is legitimate or malicious.
If found to be a legitimate connection:
The following applies to this specific example error:
“RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'”
This message results from Skype traffic or another unknown non-HTTP protocol. MDS decrypts this SSL traffic and then sends it to WCG. However, WCG does not understand this traffic, and because it is non-HTTP, no MDS headers are inserted. As a result, WCG does not know the source IP address and instead reports the traffic as coming from 127.0.0.1.
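As an added example (not part of the Forcepoint article), a small Python triage script that parses RESPONSE lines in the format quoted above, groups 504 (Unknown Host) failures by destination host together with the clients behind them, and sets aside the 127.0.0.1 lines that the article explains as non-HTTP traffic passed through MDS. The sample log lines are constructed; the client IPs are placeholders.

```python
import re
from collections import defaultdict
# Constructed sample in the format the article quotes from WCG error.log; client IPs
# are placeholders, the trust-service.cn and '88 CON 185' lines are the article's own.
SAMPLE_LOG = """\
RESPONSE: sent 10.1.2.3 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 10.1.2.3 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 10.1.2.7 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'
RESPONSE: sent 10.1.2.9 status 504 (Unknown Host) for 'http://updates.example.net/check'
RESPONSE: sent 10.1.2.3 status 200 (OK) for 'http://www.example.com/'
"""

LINE_RE = re.compile(r"RESPONSE: sent (?P<client>\S+) status (?P<status>\d{3}) \((?P<reason>[^)]*)\) for '(?P<url>[^']*)'")

def hostname_of(url):
    """Host of a well-formed http(s) URL, else None (e.g. the article's 'http://88 CON 185/')."""
    m = re.match(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/|$)", url)
    return m.group(1).lower() if m else None

def parse_line(line):
    """Parse one RESPONSE line into a dict; None for any other error.log message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = hostname_of(rec["url"])
    # Per the article: client 127.0.0.1 means MDS passed non-HTTP traffic without MDS headers.
    rec["non_http_via_mds"] = rec["client"] == "127.0.0.1"
    return rec

def summarize_unknown_host(log_text):
    """Group 504 (Unknown Host) lines by host with the clients that hit it; non-HTTP lines are only counted."""
    by_host = defaultdict(lambda: {"count": 0, "clients": set()})
    non_http = 0
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["status"] != 504:
            continue
        if rec["non_http_via_mds"] or rec["host"] is None:
            non_http += 1
            continue
        by_host[rec["host"]]["count"] += 1
        by_host[rec["host"]]["clients"].add(rec["client"])
    return dict(by_host), non_http

def triage_hosts(by_host, min_hits=2):
    """Hosts that failed repeatedly: look these up and scan their clients for bot software."""
    return sorted(h for h, e in by_host.items() if e["count"] >= min_hits)
```

Hosts returned by triage_hosts are the ones to look up, and the client sets under each host are the machines to check with anti-virus, as the article advises.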
Skype and other specific applications and websites are listed in Websites that have difficulty transiting Content Gateway, with instructions for resolving the connection issue.
To resolve a legitimate connection, there are two methods: tunnel unknown protocols, or, if the connection is for an HTTPS destination, place the domain as an SSL Incident.
To enable tunnel unknown protocols:
To create a tunnel incident for HTTPS destination domains:
Important: Placing a tunnel incident for a domain bypasses filtering for all users for that domain; use with caution.