Web Logs show IP addresses for requested URL(s)


This article applies to:

  • SWG transparent implementation - WCCP, Bridge, transparent gateway
  • SWG 10.x
  • SWG 11.x

Question:

  • When looking in the Web Logs, why are almost all HTTPS transactions logged with IP addresses instead of URL(s)?

      

    Information:

    With SWG implemented in Transparent Mode, URL resolution is performed by the client issuing the request, not by the scanner.
    As a result, when such a request comes in, SWG has to rely on the information sent by the client.
    For HTTP traffic, SWG extracts URL information from the Host header present in the HTTP GET request.
    This header, however, is not available for SSL traffic, so SWG presents IP addresses instead of URLs.

    There is a way to obtain URL/hostname information for a request using the certificate data associated with it.
    Navigate to Administration > System Settings > SWG Devices. Then, under Scanning Server, go to the General > Transparent Proxy Mode tab and enable the Extract hostname from certificate option, as shown below.
    This setting is present on Scanning Server only.
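    The behaviour described above, as an added Python example (not Trustwave code and not SWG's implementation): a plaintext HTTP request yields a hostname from its Host header, a TLS connection yields only the destination IP, and certificate names fill the gap when extraction is enabled. The function names, the `extract_from_cert` parameter and all sample data are assumptions made for illustration; the certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Constructed sample inputs (not from a real capture or from SWG itself).
HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: demo\r\n\r\n")
# First bytes of a TLS connection: handshake record (0x16), version 3.x.
TLS_START = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])
# Certificate fields in the dict shape of Python's ssl.SSLSocket.getpeercert().
SERVER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def host_from_http(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # not an HTTP request line (e.g. a TLS record)
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def names_from_cert(cert):
    """DNS names from subjectAltName, else the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names  # may be a wildcard such as *.example.com


def log_fields(dst_ip, payload, cert=None, extract_from_cert=False):
    """Return (ip, hostname or None) as a transparent proxy could log it."""
    host = host_from_http(payload)
    if host is None and payload[:2] == b"\x16\x03" and extract_from_cert:
        names = names_from_cert(cert or {})
        host = names[0] if names else None
    return dst_ip, host


if __name__ == "__main__":
    ip = "203.0.113.10"  # documentation address, constructed
    print(log_fields(ip, HTTP_REQUEST))
    print(log_fields(ip, TLS_START, SERVER_CERT))
    print(log_fields(ip, TLS_START, SERVER_CERT, extract_from_cert=True))
```

    A certificate can carry several names or a wildcard, so a hostname taken from it identifies the site rather than the exact host the client requested.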



    With this setting enabled, the logs show both IP and URL addresses for each request:

        

    Last Modified 7/28/2013.
    https://support.trustwave.com/kb/KnowledgebaseArticle16025.aspx