Difference between revisions of "SSL Inspector Reports"

From UntangleWiki
Jump to: navigation, search
m (Reports)
m (Reports)
Line 28: Line 28:
 
===== Detail =====
 
===== Detail =====
  
Extra details about the session. For most sessions, this field will include the SNI hostname extracted from the initial message sent from the client to the server.
+
Extra details about the session, with the exact content dependent on the event status.
 +
 
 +
For INSPECTED and UNTRUSTED sessions, this field will include the SNI hostname extracted from the initial message sent from the client to the server. If the SNI information is not available, the server IP address will be used instead.
 +
 
 +
For BLOCKED or IGNORED sessions, this field will contain the description of the rule that matched and was applied to the session.
  
 
For ABANDONED sessions, detail will usually record information about the error that caused inspection to fail. For SSL exceptions, this will include which the session endpoint (client or server) for which traffic was being processed (encrypt or decrypt) when the exception was detected. If available, the SSL error message will also be included. The following table lists the most common error messages and detailed information about each one.
 
For ABANDONED sessions, detail will usually record information about the error that caused inspection to fail. For SSL exceptions, this will include which the session endpoint (client or server) for which traffic was being processed (encrypt or decrypt) when the exception was detected. If available, the SSL error message will also be included. The following table lists the most common error messages and detailed information about each one.
  
 
+
{| class="wikitable"
 +
|+SSL Exception Messages
 +
|-
 +
|unexpected_message || An inappropriate message was received.  This alert is always fatal and should never be observed in communication between proper implementations.
 +
|-
 +
|bad_record_mac || This alert is returned if...
 +
|}
  
  

Revision as of 23:26, 12 June 2017

The Reports tab provides a view of all reports and events for all traffic handled by HTTPS Inspector.

Reports

This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

Report Entry Description
SSL Inspector Summary A summary of SSL Inspector actions.
Sessions Scanned The amount of SSL sessions over time.
Sessions Inspected The amount of inspected SSL sessions over time.
Top Inspected Sites The number of inspected sessions grouped by site.
Top Ignored Sites The number of ignored sessions grouped by site.
All Sessions All sessions detected by SSL Inspector.
Inspected Sessions Events where traffic was fully processed by the inspector, and all traffic was passed through all the other applications and services.
Ignored Sessions Events where traffic was not or could not be inspected, so the traffic was completely ignored and not analyzed by any applications or services.
Blocked Sessions Events where traffic was blocked because it did not contain a valid SSL request, and the Block Invalid Traffic option was enabled.
Untrusted Sessions Events where traffic was blocked because the server certificate could not be authenticated.
Abandoned Sessions Events where traffic was blocked due to an underlying problems with the SSL session.


The tables queried to render these reports:


Status

The status of the session that generated the event.

  • INSPECTED means the session was fully processed by the inspector, and all traffic was passed through all the other applications and services.
  • IGNORED means the session was not or could not be inspected, so the traffic was completely ignored and not analyzed by any applications or services.
  • BLOCKED means the traffic was blocked because it did not contain a valid HTTPS request, and the Block Invalid Traffic option was enabled.
  • UNTRUSTED means the traffic was blocked because the server certificate could not be authenticated.
  • ABANDONED means the connection failed because an an underlying SSL connection problem. Usually that the client abandoned the connection because the certificate was not trusted.


Detail

Extra details about the session, with the exact content dependent on the event status.

For INSPECTED and UNTRUSTED sessions, this field will include the SNI hostname extracted from the initial message sent from the client to the server. If the SNI information is not available, the server IP address will be used instead.

For BLOCKED or IGNORED sessions, this field will contain the description of the rule that matched and was applied to the session.

For ABANDONED sessions, detail will usually record information about the error that caused inspection to fail. For SSL exceptions, this will include which the session endpoint (client or server) for which traffic was being processed (encrypt or decrypt) when the exception was detected. If available, the SSL error message will also be included. The following table lists the most common error messages and detailed information about each one.

SSL Exception Messages
unexpected_message An inappropriate message was received. This alert is always fatal and should never be observed in communication between proper implementations.
bad_record_mac This alert is returned if...



Related Topics

Report Viewer

Manage Reports