We have just observed that people in the organization are able to access some blocked websites by changing the proxy settings. We want to check the details, like the users, when it started, what the usual websites are, etc. Is there any way we can detect the logs in the ESM? We have Bluecoat and Checkpoint on the perimeter. I am not sure how the use case should. Can anyone please help me with this?
If I understand correctly, they are removing the manual proxy settings and bypassing the Bluecoat, leaving only the Checkpoint the opportunity to create logs. The logs to see would be the clients talking directly to hosts on port 80 and 443. In most cases, a firewall rule would be added to prevent this from happening and force the users through the Bluecoat.
Thank you so much Andy for your response. I am new to McAfee SIEM and not very familiar with the query part. What kind of a search can I do in ESM to find the details?
Sorry, missed your reply. Specifically you would use the Global Filter fields on the right side of any view and filter for internal IP subnets connecting to Destination Port 80 and 443 on any external host (e.g. not your proxy).
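The filter described in the replies above (internal sources reaching external hosts directly on ports 80 and 443, excluding the proxy) can also be run offline over an exported firewall log. This is an added example, not part of the original thread and not ESM query syntax; the CSV column layout, the internal ranges, the proxy address and the log lines are all constructed assumptions.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed values: replace with your own internal ranges and proxy address.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PROXY_IPS = {ip_address("10.0.0.50")}
WEB_PORTS = {80, 443}

# Constructed sample of a firewall log export (time,src,dst,dst_port,action).
SAMPLE_LOG = """\
time,src,dst,dst_port,action
2024-03-01T08:59:10,10.1.2.15,10.0.0.50,8080,accept
2024-03-01T09:00:01,10.0.0.50,203.0.113.10,443,accept
2024-03-01T09:02:44,10.1.2.15,203.0.113.10,443,accept
2024-03-01T09:05:12,10.1.2.15,198.51.100.7,80,accept
2024-03-02T14:30:00,10.1.2.15,203.0.113.10,443,accept
2024-03-02T15:00:00,10.1.3.22,198.51.100.7,443,drop
2024-03-02T15:01:00,10.1.3.22,10.1.9.9,443,accept
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_proxy_bypass(log_text):
    """Summarise internal clients that reached external web ports directly."""
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "dests": Counter()})
    for row in csv.DictReader(io.StringIO(log_text)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        # Only connections the firewall allowed on the web ports are of interest.
        if row["action"] != "accept" or int(row["dst_port"]) not in WEB_PORTS:
            continue
        # Skip the proxy's own outbound traffic and internal-to-internal flows.
        if src in PROXY_IPS or not is_internal(src) or is_internal(dst):
            continue
        seen = datetime.fromisoformat(row["time"])
        entry = hits[row["src"]]
        entry["count"] += 1
        entry["dests"][row["dst"]] += 1
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen
    return dict(hits)

if __name__ == "__main__":
    for src, info in find_proxy_bypass(SAMPLE_LOG).items():
        print(src, info["first_seen"], info["count"], info["dests"].most_common(3))
```

The per-source summary gives the three details asked for in the first post: which client, when the direct connections started, and which destinations are most common.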