Log behavior for web traffic
When a firewall rule to drop traffic on ports 80 and 443 matches traffic, the firewall sends the traffic to the web proxy, which then blocks it.
The log for the Firewall component shows allowed, and the Web filter component shows blocked.
Note
Web exceptions apply even if the firewall rule has its action set to Drop. So, endpoints may still be able to perform actions, such as downloading Windows updates from Microsoft, even if their traffic matches a firewall rule set to Drop.
Firewall action and logs
If you select Log firewall traffic in Firewall rules and specify the other settings shown in the table, the firewall's behavior and the logs in Log viewer are as follows:
Firewall rule settings | Ports other than 80 and 443 | Ports 80 and 443 |
---|---|---|
Drop | Firewall drops the packets. Firewall log shows dropped. | Firewall accepts the incoming packets and passes them to the web proxy. The web proxy sends a block page to the user. Firewall log shows allowed. Web filter log shows blocked. |
Allow Block clients with no Heartbeat | Firewall drops packets from endpoints that don't send a heartbeat. Firewall log shows dropped. | Firewall accepts the incoming packets and passes them to the web proxy. The heartbeat system determines they should be blocked because the endpoint doesn't send a heartbeat. The web proxy sends a block page to the user. Firewall log shows allowed, and another firewall log shows Heartbeat blocked. Web filter log shows blocked. |
Reject | Firewall rejects the packets. Firewall log shows rejected. | Firewall rejects the packets. Firewall log shows rejected. |