I have a question involving a firewall issue. Is it possible for an activity log from the Fastvue firewall to show a website being ‘hit’ when the user did not actually browse that site? There is an incident of a prohibited site being hit (and obviously blocked immediately) and the user in question definitely was not browsing that site. Are there circumstances that might cause this to happen? Also, the system registered that there were (apparently) 50 hits on this prohibited site. However, if the site is immediately blocked, how could there be this number of hits?

5 Spice ups

Could the user have clicked on a corrupted ad? Whether clicked intentionally or accidentally some of the crap ads out there will redirect to harmful sites that aren’t anything like what the ad seems to be.

4 Spice ups

Could be content in an HTML email, or another link they are visiting that has blocked content, like ads, as @Suzanne-Spiceworks pointed out.

It’s not uncommon to see sites being ‘hit’ that users don’t directly visit; this is one of the biggest issues of dynamic websites.

4 Spice ups

Thanks to you both for this. It is unlikely to be an advert, due to the nature of the site being hit. Is it possible for a website that has been visited previously being placed in the cache and then triggering the firewall at a later date? To be frank, I am speaking about myself as I have been accused of trying to access adult sites when I was patently not, but I was browsing normal sites at the time. I am now trying to clear my name. I accidentally clicked on a phishing email the week before this event, which resulted in adult sites being opened and automatically blocked. Two of those sites were the ones that I allegedly ‘hit’ a week after, hence the idea of the cache triggering the firewall.

1 Spice up

Thank you for your honesty.

Explain this to them, have them clear your cache or do it yourself, and have them confirm your machine is clear of infections. If ransomware or scareware is on your machine, then yes, an application it is linked to in the background could still be active and reaching out to those sites.

If, however, these sites are being blocked, I’m not sure why there is much concern; the filter/firewall is doing what it is supposed to do, and clearly you can’t be sitting there watching this content, as it’s not allowed.

It’s possible these are pop-ups and you agreed to allow them in your browser. Check your browser for allowed pop-up sites and remove any that look spurious or mark them as ‘block’.

I don’t know your IT experience or competence level, but perhaps seek guidance from a colleague who has a more established IT background to help you track down the root cause.

4 Spice ups

The other way you will get a delayed ‘hit’ is if your browser crashes and restores tabs. This will load the pages it thinks it has tabs for, even when you weren’t necessarily viewing them at the time of the crash. Firefox in particular can have weird recovery behavior, loading 20 or 30 tabs when you only had a few open when it crashed…

And we are assuming your machine doesn’t have malware hiding in it loading things in the background…

2 Spice ups

Check for browser extensions also. Junk extensions that are not necessarily malware can cause all sorts of issues as they make “suggestions” and “help” users.

BTW: You’re not a local administrator on your own pc are you?

3 Spice ups

If the traffic is in the firewall logs then yes, the traffic did occur.

But that doesn’t mean it was user generated. A firewall log most likely is only going to point to the IP of the machine the traffic came from, not what on that machine generated the traffic.

You also don’t mention what prohibited site means in this context; I am guessing you mean adult images. Our firewall logs are full of prohibited sites that are completely innocent, but we block them for various reasons on our work networks.

You will need additional logging on the machine to be able to point back to the source that requested it, and even then it can be tricky to 100% nail it down to the user. That means logging that can go into details like what process on the computer made the call and what context (account) that process was running in.

Just to give an example: when you load a website, say abc.com, the website (unless it’s a super simple static site) is almost certainly going to call out to dozens of other sites in the background, in addition to the user-initiated abc.com, while it loads resources and other items it uses. It wouldn’t be a stretch for a site to get compromised and start calling out to things it shouldn’t, or that were not intended by its owner.

This doesn’t even touch on other items that could be on a computer. Almost everything on a computer calls outbound to internet resources these days.

If this is truly an issue, an expert should be brought in to investigate the computer… but even then, if proper logging wasn’t already in place, the data might simply not exist to definitively say what called the URL in question.

4 Spice ups
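The point in the post above (a firewall log ties traffic to an IP address, and only an endpoint-side record can tie it to a process and account) can be shown with a small correlation script. This is an added example, not code from the thread or from any vendor; both log layouts and every log line are constructed for illustration, and it assumes the endpoint log comes from the single machine that owns the source IP.

```python
from datetime import datetime, timedelta


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


# Constructed firewall log (assumed layout: time, source IP, destination host, action).
# On its own it only says which machine talked to which host.
FIREWALL_LOG = """\
2024-03-04T10:15:02Z 10.1.2.3 news.example.com allow
2024-03-04T10:15:03Z 10.1.2.3 ads.example.net block
2024-03-04T10:15:03Z 10.1.2.3 ads.example.net block
2024-03-04T10:15:04Z 10.1.2.3 cdn.example.org allow
2024-03-04T10:22:41Z 10.1.2.3 ads.example.net block
"""

# Constructed endpoint log (assumed layout: time, account, process, destination host),
# the kind of detail a host-based agent records and a perimeter firewall cannot see.
ENDPOINT_LOG = """\
2024-03-04T10:15:02Z alice browser.exe news.example.com
2024-03-04T10:15:03Z alice browser.exe ads.example.net
2024-03-04T10:15:03Z alice browser.exe ads.example.net
2024-03-04T10:15:04Z alice browser.exe cdn.example.org
2024-03-04T10:22:41Z SYSTEM updater.exe ads.example.net
"""


def parse_firewall(text):
    rows = []
    for line in text.splitlines():
        ts, src, host, action = line.split()
        rows.append({"time": _ts(ts), "src": src, "host": host, "action": action})
    return rows


def parse_endpoint(text):
    rows = []
    for line in text.splitlines():
        ts, user, process, host = line.split()
        rows.append({"time": _ts(ts), "user": user, "process": process, "host": host})
    return rows


def firewall_only_view(fw_rows):
    """Everything the firewall alone can say about blocked traffic: the source IPs."""
    return sorted({r["src"] for r in fw_rows if r["action"] == "block"})


def attribute(fw_rows, ep_rows, window=timedelta(seconds=2)):
    """Join each blocked firewall entry to endpoint events for the same host that
    fall within `window`. The result names the account and process behind the
    request, or is empty when no endpoint record exists (then the data needed
    to attribute the hit simply was never collected)."""
    out = []
    for fw in fw_rows:
        if fw["action"] != "block":
            continue
        matches = {
            f'{ep["user"]}:{ep["process"]}'
            for ep in ep_rows
            if ep["host"] == fw["host"] and abs(ep["time"] - fw["time"]) <= window
        }
        out.append({"time": fw["time"].isoformat(), "host": fw["host"],
                    "attributed": sorted(matches)})
    return out


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    ep = parse_endpoint(ENDPOINT_LOG)
    print("firewall alone:", firewall_only_view(fw))
    for row in attribute(fw, ep):
        print(row)
```

Run as written, the firewall view names only `10.1.2.3`, while the joined view shows the two 10:15 blocks coming from the logged-in user's browser and the 10:22 block coming from a background process running as SYSTEM, which is exactly the distinction the thread is asking about.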

Here, even if sites are getting blocked, a user trying to access them more than once is viewed as a risk. Sooner or later, they may land on a site that for whatever reason hasn’t been flagged. Then someone walking by at the right moment could feel uncomfortable or harassed. So, we prefer to nip it in the bud.

3 Spice ups

Again, thanks for all your suggestions. For context, I was browsing on my personal iPhone, but connected to the company Wi-Fi, hence the firewall was triggered. Is the cache idea a possibility, i.e. can a previously visited website with its information stored in the cache cause a hit later on, even if that website is not visited by the user and while they are browsing normal sites?

1 Spice up

I need to have this on an index card as it would save me from having to explain it a few times a year.

To make it worse, some sites that border on NSFW (Not Safe For Work) without quite crossing the line have links to, or pull ads from, sites that are 100% NSFW.

I’ve learned here to avoid showing raw logs to upper management.

3 Spice ups

As molan said, if the log shows traffic then the traffic did occur. I guess the question I am asking is: What is the best way to prove that this traffic was not initiated by me?

1 Spice up

And now you know why you shouldn’t.

If the company provides guest Wi-Fi, it should be used for guests, not personal use. Even if you did nothing wrong, I would avoid this for the reasons above. Just use your data plan and avoid the risks.

Now we know this is an iPhone and not a computer, there is a possibility you’ve installed software that isn’t as legit as it seems. Check what known malicious iOS apps are out there, as these often masquerade as legitimate ones, and remove them.

5 Spice ups

When you started your conversation, you mentioned that you were browsing sites on your phone at that time.

I would suspect the device in question was compromised in some way. If you truly do not willingly browse to questionable websites, it likely is the fact that there is some malicious software, or an application on your phone that has ads in it.

I can tell you that I have found many gaming apps to contain ads to gambling sites.

If the phone should not be doing this, why not have the firewall guy pull up a live log, and try to replicate the behavior? Try a few browsers and see if they all do the same thing in the log.

You also mentioned that you were browsing using your phone at the time of the alert, so that is helpful information and perhaps will allow you to replicate it. Did you mistakenly install a web browser from the “suggested” ads section of the app store?

I suppose if this situation were occurring to me, I would try to work with IT to figure out why my phone is doing this.

If that is not an option for you, or you don’t desire it, I would then completely disconnect from the company Wi-Fi. You do not need to use their Wi-Fi when at work, and if it is causing IT conversations to escalate, I do not see any advantage. You might also consider just leaving your phone in your car, and tell anyone that needs you in an emergency to call you at your work number.

I would personally wipe my phone to factory default and only install necessary trusted apps. And, at home, I would establish some logging and monitoring to see what sites my phone is trying to use when on Wi-Fi and fix the situation myself.

3 Spice ups

If you have a website open in a background tab of your iPhone, it may refresh periodically if you are just using the browser (but not accessing that tab). That could easily hit 50 HTTP requests (one request per image).

Thus you wouldn’t have been actively browsing the site, but the corporate firewall would have seen the attempts to refresh the page in the background, and logged that activity.

The other option is a bad app: verify what is allowed to use background data. Remove all gaming or gambling apps.

3 Spice ups

But did you close the tabs? You may have switched out of the browser but still had multiple tabs loaded, and your phone then could have tried refreshing them regardless of whether you were viewing them while connected to the Wi-Fi.

It sounds like you learned a lesson about mixing work and personal devices… and the risks of connecting a personal device to someone else’s Wi-Fi. With the large data plans available these days there is very little reason to connect a personal device like a phone to a company network (or any public network).

3 Spice ups

The problem you may have is the person looking at the log may not be sufficiently skilled.

Now you are probably being passed information that is not accurate, or just a summary.
Fastvue is not a firewall; it is just an application that analyses the log of a firewall.
You would need to know if this is a simple firewall rule log or a web filtering category.
Unless the log has the URL (the web page address) that was actually accessed, then false positives are very likely; this is because many websites share IP addresses, etc.
Some forms of filtering are very basic.

It is important to know that a typical ‘web page’ will refer to many other web addresses. Adverts being one common example.

If you have the time at which this was logged, then you could look at your phone browser history to try and determine what you were doing. Then agree a time to test these to see if they are logged as an issue.

If they cannot provide detailed information such as the exact URL requested, then it would have to be agreed as a false positive. No IT professional would be willing to guarantee that a web filter / firewall rule is 100% accurate.
If you have explained it was not intentional, then it sounds like they are jerks, unfortunately.

5 Spice ups

Thanks again. Another ridiculous feature of the log is that one prohibited link was allegedly hit 50 times and had a browsing time of over 6 mins. What kind of person would click on a blocked website that number of times, and how could it have a browsing time if it is permanently blocked? Any ideas about how this could have been logged?

1 Spice up

Without knowing exactly what was logged, you cannot assume it was a single link being clicked repeatedly.

Every element on a webpage invokes its own HTTP request. If you have a page with 20 images, you’ll have at least 21 requests seen in a firewall (one for the page, and 20 for the images).

2 Spice ups
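The two mechanisms raised in this thread, a single page load fanning out into many requests (the post just above) and a background tab re-requesting its embedded content so that a blocked host accumulates "hits" and a "browsing time" (the iPhone background-tab post earlier and the 50 hits / 6 minutes question), can both be made concrete with the script below. It is an added example, not code from the thread or from Fastvue; the HTML page, the log layout (time, host, path, referer, action) and every log line are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://news.example.com/story"

# Constructed page: one article that pulls in a stylesheet, a library script,
# three images and an ad slot plus tracker from a third-party domain.
PAGE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<img src="/img/1.jpg"><img src="/img/2.jpg"><img src="/img/3.jpg">
<iframe src="https://ads.example.net/slot?id=7"></iframe>
<script src="https://ads.example.net/tracker.js"></script>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects the URLs a browser fetches on its own while rendering a page."""
    TAGS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(urljoin(self.base_url, value))


def requests_per_host(page_url, html):
    """Requests that one click on page_url generates, counted per destination
    host: the page itself plus every sub-resource it references."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    counts = defaultdict(int)
    counts[urlsplit(page_url).hostname] += 1
    for url in collector.urls:
        counts[urlsplit(url).hostname] += 1
    return dict(counts)


# Constructed web-filter log. The article tab stays open in the background and
# re-requests its ad content every two minutes; only the ad host is blocked.
PROXY_LOG = """\
10:00:00 news.example.com /story - allow
10:00:00 ads.example.net /slot?id=7 https://news.example.com/story block
10:00:01 ads.example.net /tracker.js https://news.example.com/story block
10:02:00 ads.example.net /slot?id=7 https://news.example.com/story block
10:02:00 ads.example.net /tracker.js https://news.example.com/story block
10:04:00 ads.example.net /slot?id=7 https://news.example.com/story block
10:06:00 ads.example.net /tracker.js https://news.example.com/story block
"""


def blocked_summary(log_text):
    """Per blocked host: number of log lines, seconds between first and last line
    (what a report may label 'browsing time'), and the pages that referred to it."""
    summary = {}
    for line in log_text.splitlines():
        ts, host, path, referer, action = line.split()
        if action != "block":
            continue
        when = datetime.strptime(ts, "%H:%M:%S")
        entry = summary.setdefault(
            host, {"hits": 0, "first": when, "last": when, "referers": set()})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["referers"].add(referer)
    return {
        host: {
            "hits": e["hits"],
            "span_seconds": int((e["last"] - e["first"]).total_seconds()),
            "referers": sorted(e["referers"]),
        }
        for host, e in summary.items()
    }


if __name__ == "__main__":
    print(requests_per_host(PAGE_URL, PAGE_HTML))
    print(blocked_summary(PROXY_LOG))
```

For the constructed page, one click yields eight requests across three hosts, two of them to the ad domain the user never typed. In the constructed log the blocked host shows six hits and a six-minute span, yet every one of those lines carries the news article as its referer, which is the field to ask the log owner for: a referer column collapses "50 hits over 6 minutes" into one page left open in a tab.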

As explained in many of the above posts, user “clicks” most probably do NOT play a role in everything that gets logged.

Phildrew explained how the user may only “click” abc.com and that one click could generate dozens (hundreds?) of log entries.

2 Spice ups