Content Gateway error.log shows multiple failed connections for sites never visited
- Article Number: 000003859
- Products: Forcepoint V10000 Appliance, Forcepoint V20000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, Forcepoint X Series Appliance, TRITON AP-WEB, Web Security Gateway, Web Security Gateway Anywhere
- Version: 8.5, 8.4, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.0
- Last Published Date: July 16, 2020
Notes & Warnings
Note: An unknown host error message is generated when a destination computer or host server name cannot be resolved. The message indicates that the host server name provided by the user does not exist or does not match any Domain Name System (DNS) record.
If you have intermittent issues with pages not loading or "unknown host" messages, see Intermittent issues with pages not loading properly or "unknown host" messages.
Why does the Content Gateway error.log show multiple 'Unknown Host' failures when users have not been browsing sites?
RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'
This amounts to a considerable amount of traffic.
Checking whether the connection is potentially a security risk:
Scan the client machines generating the traffic with an anti-virus solution to check for botnet clients.
The 'http://trust-service.cn/trust/1488/config.bin' example represents a Zeus botnet client; however, many other URLs can be seen. ZeuS (Zeus malware) is a common crimeware kit used for various attacks.
Botnets other than ZeuS may also be found; investigate the URL in question to determine whether it is legitimate or malicious.
If the connection is found to be legitimate, the following applies to this example error:
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'
This message results from Skype traffic or an unknown non-HTTP protocol. MDS decrypts this SSL traffic and sends it to Content Gateway. However, Content Gateway does not understand this traffic, and because it is not HTTP, no MDS headers are inserted. As a result, Content Gateway does not know the source IP address and instead reports the traffic as coming from 127.0.0.1.
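As an added example that is not part of the original article, the following Python script parses RESPONSE lines like the ones above and separates the two cases the article distinguishes: entries attributed to 127.0.0.1 (or to a destination that is not a valid host name), which are the non-HTTP traffic case, from entries with a real client address, whose clients should be scanned and whose destinations investigated. The client address 10.0.0.25 in the sample is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample from the lines quoted in this article; 10.0.0.25 is a placeholder client.
SAMPLE_LOG = """\
RESPONSE: sent 10.0.0.25 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 10.0.0.25 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'
"""

LINE_RE = re.compile(
    r"RESPONSE: sent (?P<src>\S+) status (?P<status>\d{3}) "
    r"\((?P<reason>[^)]*)\) for '(?P<url>[^']*)'"
)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # characters legal in a DNS name

def parse_response_line(line):
    """Parse one RESPONSE line into its fields, or return None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The host is whatever sits between the scheme and the first '/'.
    h = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/]*)", rec["url"])
    rec["host"] = h.group(1) if h else rec["url"]
    return rec

def classify(rec):
    """Map an Unknown Host entry to one of the article's two cases."""
    if rec["src"] == "127.0.0.1" or not HOSTNAME_RE.match(rec["host"]):
        # No MDS headers, so the source is unknown: non-HTTP traffic (e.g. Skype), a tunnelling candidate.
        return "non-http-source-unknown"
    # Real client address and a DNS-looking name: scan the client and investigate the destination.
    return "investigate-client"

def triage(log_text):
    """Group 504 Unknown Host entries by destination host."""
    out = defaultdict(lambda: {"count": 0, "sources": set(), "category": None})
    for line in log_text.splitlines():
        rec = parse_response_line(line)
        if not rec or rec["status"] != 504 or rec["reason"] != "Unknown Host":
            continue
        entry = out[rec["host"]]
        entry["count"] += 1
        entry["sources"].add(rec["src"])
        entry["category"] = classify(rec)
    return dict(out)
```

Run `triage(open("error.log").read())` against a real error.log to get a per-destination count and category to work through.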
Skype, other specific applications, and websites are called out in Websites that have difficulty transiting Content Gateway, with instructions for resolving the connection issue.
To resolve a legitimate connection, there are two methods: enable Tunnel Unknown Protocols, or, if the connection is to an HTTPS destination, add the destination as an SSL incident.
To enable Tunnel Unknown Protocols:
To create a tunnel incident for HTTPS destination domains:
Important: Placing a tunnel incident on a domain bypasses filtering of that domain for all users; use with caution.
Keywords: unknown host; dns issue; could not resolve dns; http status code 504; status 504; ssl incident; tunnel; tunnel unknown protocol.