Enhanced Web Filtering categorizes HTTP proxy traffic as “uncategorized”

When a proxy server is used for HTTP traffic, Enhanced Web Filtering (EWF) may incorrectly categorize web traffic as “uncategorized”.

This issue is fixed in the following releases.

  • 10.4R15
  • 11.4R9
  • 12.1R7
  • 12.1X44-D20
  • 12.1X45-D10

It is common for enterprise customers to deploy a proxy server for HTTP traffic. However, when a proxy server is used for HTTP traffic, EWF may incorrectly categorize web traffic as uncategorized.

The EWF parser is the component on EWF that extracts the URL address from HTTP traffic and forwards it to an EWF server for categorization. In a proxy server environment, the URL request (HTTP GET) may appear as follows:

The URL request contains an absolute URL obtained from the GET command. This is different from normal, non-proxied traffic, which obtains a relative URL from the GET command.
The normal process of the EWF parser will merge the information from the Host field with the URL from the GET command, so a full requested URL will be obtained. As this URL request contains an absolute URL from the GET command, the operation of the parser will result in a URL with repeating on the hostname. If this URL address is sent to the EWF server, the EWF server will fail to find this URL and will label it uncategorized.

The issue fixed as below:

In case the GET”command contains the absolute URL, the EWF parser will skip to reference the information from the Host field.
This issue is fixed in the following releases.

  • 10.4R15
  • 11.4R9
  • 12.1R7
  • 12.1X44-D20
  • 12.1X45-D10

About the author

Prasanna

Leave a Comment