Former Member
Message 1 of 5

interpreting various web reporter reports

Where can I find documentation on how to interpret various web reporter reports?

Accepted Solutions
Former Member
Message 4 of 5

Re: interpreting various web reporter reports

Well... Blocked doesn't necessarily mean no traffic is coming IN to your network.  First of all, there are 4 locations to measure bytes. Two up (client -> proxy) and (proxy -> web server). Two down (web server -> proxy) and (proxy -> client).

By default Web Gateway only logs bytes_to_client (proxy -> client).  So all blocks have a few bytes (the block page sent to the user).  But if you consider a large zip file that contains detected malware, then the entire zip is still downloaded before it is blocked.  The bytes_from_server will be large (size of the zip), but the bytes_to_client (block page) will be small.

Web Reporter has 3 byte columns, one up, one down, and bytes (sum of the other two).  That report displays bytes (sum of up and down).  So you need to know what is logged for your up (bytes_from_client, bytes_to_server) and down (bytes_from_server, bytes_to_client) columns.  Make sure your logging rules are writing the correct value under the correct header.  Web Reporter relies on the logs, so you should always verify that the logs are correct first.

Once you know what is in the logs, you can interpret the data.

Message was edited by: sroering on 10/11/13 9:23:22 AM CDT

4 Replies
Former Member
Message 2 of 5

Re: interpreting various web reporter reports

There is no general documentation.  Bytes are bytes, hits are hits, etc.  If you have a specific example, perhaps I can help.

Former Member
Message 3 of 5

Re: interpreting various web reporter reports

Well, that's true. I guess I'm looking for validation about the number of blocks and bytes being returned.

Our top site every day is a site that is being blocked (which I think at this point is the Web Reputation service from our workstation AV platform). It literally shows GIGABytes of blocked traffic??

[Attached image: Untitled.jpg]

Thoughts on this? This is not traffic coming IN from our internet, as it's being blocked - would this be traffic returned back to workstations in the form of block pages??

eelsasser
McAfee Retired
Message 5 of 5

Re: interpreting various web reporter reports

bytes_to_client would represent the block page returned to the user.

That is about a 9k block page for each hit. That's probably accurate.

I suppose you could change your logs to report bytes_from_server instead. That would usually be 0 bytes per block.
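
Added example, not part of the thread or any McAfee tooling: a check of which byte counters a log actually carries, and how the blocked-traffic total per site changes depending on which counter feeds the down column. The log layout, host names, and the use of status 403 to mark a block are constructed assumptions; only the four byte-counter names come from the posts above.

```python
from collections import defaultdict

# Constructed sample log. The header names each column, as a logging rule would.
# Column layout, hosts and the 403-means-blocked convention are assumptions.
SAMPLE_LOG = """\
#time_stamp host status_code bytes_from_client bytes_to_server bytes_from_server bytes_to_client
[11/Oct/2013:09:00:01] rep.example.test 403 420 0 0 9100
[11/Oct/2013:09:00:02] rep.example.test 403 415 0 0 9100
[11/Oct/2013:09:00:03] files.example.test 403 380 395 52000000 9100
[11/Oct/2013:09:00:04] www.example.test 200 400 410 18000 18200
"""

UP_FIELDS = ("bytes_from_client", "bytes_to_server")    # client -> proxy, proxy -> server
DOWN_FIELDS = ("bytes_from_server", "bytes_to_client")  # server -> proxy, proxy -> client


def parse(log_text):
    """Return (header columns, list of row dicts) from a header-driven log."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    header = lines[0].lstrip("#").split()
    return header, [dict(zip(header, ln.split())) for ln in lines[1:]]


def logged_byte_fields(header):
    """Report which up and down counters the log really contains."""
    return ([f for f in UP_FIELDS if f in header],
            [f for f in DOWN_FIELDS if f in header])


def blocked_bytes_by_host(rows, up_field, down_field, blocked_status="403"):
    """Hits and up+down byte total per host for blocked requests.

    Mirrors a report whose 'bytes' column is the sum of one up and one
    down value; a field that is None or not logged counts as 0.
    """
    totals = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for row in rows:
        if row["status_code"] != blocked_status:
            continue
        entry = totals[row["host"]]
        entry["hits"] += 1
        entry["bytes"] += int(row.get(up_field, 0)) + int(row.get(down_field, 0))
    return dict(totals)


if __name__ == "__main__":
    header, rows = parse(SAMPLE_LOG)
    print("logged up/down fields:", logged_byte_fields(header))
    for down in DOWN_FIELDS:
        print(down, blocked_bytes_by_host(rows, "bytes_from_client", down))
```

With `bytes_to_client` as the down value every blocked hit costs about one block page; with `bytes_from_server` the reputation-style blocks drop to the request size alone while the blocked download shows its full size.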
