
[IAG] Abnormal QQ application behavior audit logs in IAG bypass mode – monitoring network segment setting problem

Problem Description

Customer Internet traffic ——> first-level proxy server ——> second-level proxy server ——> Internet


Every QQ application behavior log audited on the IAG shows the IP address of the secondary proxy server as its source address, as shown in the figure.


Troubleshooting Process

  1. Check whether the mirrored traffic is the traffic between the PCs and the primary proxy server; only by auditing that traffic can the real user IP be recorded.
  2. Check whether the primary and secondary proxy servers are excluded in [Monitoring network segments and excluded IPs]; confirm and exclude all proxy server addresses.
  3. After asking the customer, we found that the first-level proxy server was deployed as a cluster and the cluster IP had not been added to the excluded IPs.

Root cause

The audit log shows the secondary proxy server address as the source of every entry, which means the secondary proxy server addresses fall inside the [Monitoring Segment]. IAG only audits data in the LAN->WAN direction: an IP inside the [Monitoring Segment] is treated as the LAN side, while an IP that is excluded from the monitoring segment, or not in it at all, is treated as the WAN side. Because the proxy addresses are on the LAN side, the proxy's own flows to the Internet are what get audited, and the real user traffic (PC -> proxy) is LAN->LAN and is not audited.
The customer's proxy server is deployed as a cluster, and the cluster VIP was not excluded in [Monitoring network segment and exclude IP].

Solution

Exclude the cluster VIP 10.2.5.77; the result is shown in the figure.


Check the IAG behavior audit log again: the source addresses are now the real user IPs, i.e. the audit is normal.


Suggestions and Conclusion

Monitoring network segment: the network segment that needs to be audited (generally configured as the intranet segment to be audited); IAG treats it as the LAN direction.

Exclude IP: an IP removed from the monitoring network segment. For IAG, an excluded IP is treated as the WAN direction.

  1. In IAG bypass mode, when intranet users access the Internet through a proxy server, the proxy server IP must be excluded from the monitoring network segment (if the proxy IP is not inside the monitoring network segment, it does not need to be excluded).
  2. If the intranet users' proxy server is deployed as a cluster, the cluster VIPs of both the first-level and second-level proxy servers and the IPs of the real servers must all be excluded; otherwise audit anomalies will occur.
  3. IAG only supports auditing data in the LAN->WAN direction; it cannot audit data in other directions such as LAN->LAN or WAN->WAN.
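The following is an added illustration (not Sangfor code) that models the direction rule above: an address inside a monitored segment and not excluded is LAN, anything else is WAN, and only LAN->WAN flows are logged with their source IP. It replays this case before and after the VIP is excluded; all addresses except the VIP 10.2.5.77 are constructed.

```python
import ipaddress

# Constructed model of the direction rule this case relies on: an address is
# on the LAN side if it lies inside a monitored segment and is not an excluded
# IP; anything else is WAN side. Only LAN->WAN flows are audited, and the flow's
# source address is what lands in the behavior log. All names and addresses
# other than the VIP 10.2.5.77 are assumptions for illustration.

def side(ip, monitored, excluded):
    """Classify one IP as 'LAN' or 'WAN' under the given segment settings."""
    addr = ipaddress.ip_address(ip)
    if addr in excluded:
        return "WAN"                      # excluded IPs count as WAN
    if any(addr in net for net in monitored):
        return "LAN"                      # inside a monitored segment
    return "WAN"                          # outside every monitored segment

def audit_flow(src, dst, monitored, excluded):
    """Return (direction, logged_source); logged_source is None if not audited."""
    direction = f"{side(src, monitored, excluded)}->{side(dst, monitored, excluded)}"
    return direction, (src if direction == "LAN->WAN" else None)

MONITORED = [ipaddress.ip_network("10.0.0.0/8")]   # assumed intranet segment
PC = "10.1.1.20"                                   # constructed user PC
PRIMARY_VIP = "10.2.5.77"                          # cluster VIP from the case
PRIMARY_REAL = "10.2.5.78"                         # constructed real server
SECONDARY = "10.2.6.10"                            # constructed secondary proxy
INTERNET = "203.0.113.5"                           # constructed external host

# The two mirrored flows the case cares about: user -> primary VIP,
# and secondary proxy -> Internet.
FLOWS = [(PC, PRIMARY_VIP), (SECONDARY, INTERNET)]

def audit_all(excluded_ips):
    excluded = {ipaddress.ip_address(ip) for ip in excluded_ips}
    return [audit_flow(s, d, MONITORED, excluded) for s, d in FLOWS]

def before_fix():
    # Proxies not excluded: user->VIP is LAN->LAN (dropped), while
    # secondary->Internet is LAN->WAN, so the log shows the proxy as source.
    return audit_all([])

def after_fix():
    # VIP, real server and secondary proxy all excluded: user->VIP becomes
    # LAN->WAN and is logged with the real user IP; proxy->Internet is WAN->WAN.
    return audit_all([PRIMARY_VIP, PRIMARY_REAL, SECONDARY])

if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
```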

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=7174&isOpen=true