KB Article | Forcepoint Support

Problem Description

Why does the WCG error.log show multiple 'Unknown Host' failures when users have not been browsing sites?
 
“RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'”
 
These failures add up to a considerable volume of traffic.

Resolution

Checking if the connection is potentially a security risk:

Check the client machines generating the traffic with an anti-virus solution for botnet clients.

The 'http://trust-service.cn/trust/1488/config.bin' example represents a Zeus botnet client; however, many other URLs can be seen. ZeuS is a common crimeware kit used for various attacks. You may check a URL at the following site to see if a ZeuS client is active on your network.

https://zeustracker.abuse.ch/monitor.php

Other botnets besides ZeuS may be found. Investigate the URL in question to determine whether it is legitimate or malicious.
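As an added example (not from the article or from Forcepoint), the following Python script parses error.log lines in the format quoted above, groups the 'Unknown Host' failures by destination host, and separates entries reported from 127.0.0.1 (which WCG cannot attribute to a client) from those tied to a client IP, giving a list of client machines to check with anti-virus. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches the WCG error.log "RESPONSE: sent ... status ... (...) for '...'" line.
LINE_RE = re.compile(
    r"RESPONSE: sent (?P<client>\S+) status (?P<status>\d{3}) "
    r"\((?P<reason>[^)]*)\) for '(?P<url>[^']*)'"
)

# Constructed sample lines modelled on the article's examples (not real log data).
SAMPLE_LOG = """\
RESPONSE: sent 10.1.2.3 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 10.1.2.3 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 10.1.2.9 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'
RESPONSE: sent 10.1.2.3 status 200 (OK) for 'http://example.com/'
"""


def parse_unknown_host(text):
    """Yield (client, url) for every 504 (Unknown Host) response line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("status") == "504" and m.group("reason") == "Unknown Host":
            yield m.group("client"), m.group("url")


def triage(text):
    """Group Unknown Host failures by destination host.

    Returns {host: {"clients": set of client IPs, "count": n, "sourceless": bool}}.
    "sourceless" is set when the client is 127.0.0.1: per the article these are
    non-HTTP flows (e.g. Skype) passed by MDS without its headers, so WCG cannot
    name the real client; they need the tunnel fix rather than an AV scan.
    """
    report = defaultdict(lambda: {"clients": set(), "count": 0, "sourceless": False})
    for client, url in parse_unknown_host(text):
        host = urlsplit(url).netloc or url  # garbled URLs fall back to the raw string
        entry = report[host]
        entry["count"] += 1
        if client == "127.0.0.1":
            entry["sourceless"] = True
        else:
            entry["clients"].add(client)
    return dict(report)


def clients_to_scan(report):
    """Sorted list of client IPs that produced attributable Unknown Host failures."""
    return sorted({ip for entry in report.values() for ip in entry["clients"]})
```

Hosts with attributable clients are the ones to look up in a botnet tracker; the client IPs returned by clients_to_scan are the machines to check for botnet clients.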
 
If found to be a legitimate connection:

The following applies to this specific example error:

“RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'”

This message results from Skype traffic or another unknown non-HTTP protocol. MDS decrypts this SSL traffic and then sends it to WCG. However, WCG does not understand the traffic, and because it is non-HTTP, MDS does not insert its headers. As a result, WCG does not know the source IP address and instead reports the traffic as coming from 127.0.0.1.
 
Skype, other specific applications, and certain websites are called out in the article Websites that have difficulty transiting Content Gateway, which includes instructions for resolving the connection issue.
To resolve a legitimate connection there are two methods: enable Tunnel unknown protocols, or, if the connection is to an HTTPS destination, add an SSL incident for it.

To enable Tunnel unknown protocols:
  • Forcepoint Software versions 7.6-8.5:
  1. Open Content Gateway manager.
  2. Click Configure > Protocols > HTTPS.
  3. Ensure Tunnel unknown protocols is enabled.
 
  • Forcepoint Software versions 7.0-7.5:
  1. SSH into the Linux host with root access.
  2. Run export LD_LIBRARY_PATH=/opt/WCG/sxsuite/lib
  3. Run /opt/WCG/sxsuite/bin/oemtool profileconfig 1 tunnel_unknown_protocols yes
  4. To confirm the parameter change, run /opt/WCG/sxsuite/bin/oemtool get profileconfig 1 tunnel_unknown_protocols
  5. Restart Websense Content Gateway.
 
To create a tunnel incident for HTTPS destination domains:

Important: Placing a tunnel incident for a domain bypasses filtering for all users for that domain; use with caution.
  1. Open Content Gateway manager.
  2. Navigate to Configure > SSL > Incidents > Add a Website tab.
  3. Remove https:// and enter *.domain.com, where domain matches the URL being added.
  4. Select Tunnel from the far right.
  5. Press OK.
