Hello, I have been asked to find out how I can exclude access to local URLs / IP addresses from going through the proxy (without using a proxy.pac file) or, if that's not possible, how can I exclude access to local URLs / IP addresses from appearing in the reports?
What is your deployment method? Are you using Web Reporter to generate reports? Whitelisting IPs from going to the Web Gateway is possible but it depends on your deployment. Also, what version of Web Gateway are you using?
If you use MWG in explicit proxy mode (clients are aware of proxy) you cannot prevent URLs from going through the proxy. You can prevent them from being touched by MWG, but they will still go through the proxy. In this case you told the browser to send its request to MWG and there is no technology which allows MWG to tell the browser to ignore the request and send a new one directly to the internet. This is what proxy.pac is used for.
In the transparent modes there may be ways to achieve this but most likely only on destination IP rather than based on server names, which may not be suitable.
I would go ahead and leave the requests running through MWG but completely exclude them from being filtered by not applying any rules to them or apply the HTTP tunnel event. In case you create a list of host names or URLs you don't want to pass through MWG you can utilize this list again in the log handler to create a rule in the access log rule set which calls "stop ruleset" in case the URL belongs to your list. The "stop ruleset" will skip the rules which write the logfiles, so there will not be any entry for those requests.
Additionally you can leave the logs untouched (maybe for debugging) and exclude the respective line when you import them to the reporting solution.
Hello, sorry I haven't replied to this sooner and thanks to those who did.
We are currently in explicit proxy mode and so I understand we can only use the PROXY.PAC file to exclude internal addresses. Eventually we will use WCCP on our firewall to redirect web connections from client PCs to the web gateway. As I understand it WCCP encapsulates the request into a GRE packet and hands it to the web gateway to deal with. In this scenario if a client accesses an internal web address would the firewall know not to hand the request to the web gateway, or will it simply throw all http/https traffic at the web gateway regardless of the destination?
Thanks for any help.
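For reference, the proxy.pac approach the replies above point to for explicit proxy mode, as an added example that is not part of the original thread: a PAC function that returns DIRECT for internal destinations and sends everything else to the gateway. The proxy address `mwg.example.internal:9090` and the suffix `.corp.example` are placeholder assumptions; matching is done on the literal host only, without DNS lookups.

```javascript
// Added example: PAC logic that sends internal destinations DIRECT.
// PROXY and INTERNAL_SUFFIXES are placeholder values (assumptions).
var PROXY = "PROXY mwg.example.internal:9090";
var INTERNAL_SUFFIXES = [".corp.example"];

// Parse a dotted-quad IPv4 literal into an unsigned integer, or null.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True for loopback, RFC 1918 and link-local IPv4 literals.
function isLocalIPv4(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var a = Math.floor(ip / 16777216);     // first octet
  var b = Math.floor(ip / 65536) % 256;  // second octet
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names are intranet names. IPv6 literals also contain no
  // dot, so they are excluded here and stay on the proxy path.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (isLocalIPv4(host)) return "DIRECT";
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Suffix match only: "corp.example.other.test" must not match.
    if (host.length >= s.length && host.slice(-s.length) === s) return "DIRECT";
  }
  // Everything else is still filtered and logged by the gateway.
  return PROXY;
}
```

Anything that falls through to the last line keeps going through the gateway, so a mistake in the internal list results in extra filtering rather than an unfiltered path.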