
In our ProxySG there is an entry in one of the last layers of the policy to log certain things.

The event logging itself is defined as "EventLogTCP":

$(client.host) $(user) $(client.protocol) $(log_url) $(log_url.port) $(log_url.path) $(exception.reason)

When this rule is hit I sometimes see matches like this in syslog:

Aug 12 16:19:41 192.168.x.y ProxySG: 3B0002 EventLogTCP nothing.attdns.com  http tcp://ssl.google-analytics.com:443/ 443 / Either 'deny' or 'exception' was matched in policy(156265441) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44

The client.host is what disturbs me:

nothing.attdns.com equals 127.0.0.2.

What is the meaning of this loopback address here?

(If I look at the daily logs produced by the proxy, there are no loopback addresses in there.)

Marki

1 Answer


This nothing.attdns.com is a name resolution problem and may have been caused by not having the correct reverse lookup zones on the DNS server.

Adding the IP address ranges for all the subnets to the DNS server as reverse lookup zones should resolve the problem.

bentek
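To see how often, and for which names, client.host arrives as a name instead of an address, the syslog lines can be parsed using the field order of the EventLogTCP format string from the question. This is an added example, not code from either poster; the sample lines are constructed (only the first follows the line quoted above), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Field order taken from the EventLogTCP format string in the question.
FIELDS = ["client_host", "user", "protocol", "log_url", "port", "path"]

# Constructed sample lines; syslog source, client IP, user and hosts are made up.
SAMPLE = """\
Aug 12 16:19:41 192.0.2.10 ProxySG: 3B0002 EventLogTCP nothing.attdns.com  http tcp://ssl.google-analytics.com:443/ 443 / Either 'deny' or 'exception' was matched in policy(156265441) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44
Aug 12 16:20:03 192.0.2.10 ProxySG: 3B0002 EventLogTCP 10.1.2.3 jdoe http tcp://example.com:443/ 443 / Either 'deny' or 'exception' was matched in policy(156265441) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44
Aug 12 16:21:17 192.0.2.10 ProxySG: 3B0002 EventLogTCP nothing.attdns.com  http tcp://example.org:443/ 443 / Either 'deny' or 'exception' was matched in policy(156265441) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44
"""

def parse_line(line):
    """Return the EventLogTCP fields of one syslog line, or None if it is not one."""
    _, marker, payload = line.partition(" EventLogTCP ")
    if not marker:
        return None
    # Split on single spaces so an empty $(user) stays an empty field.
    parts = payload.split(" ", len(FIELDS))
    if len(parts) <= len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    record["reason"] = parts[-1]  # $(exception.reason) plus the trailing syslog text
    return record

def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def named_client_hosts(lines):
    """Count client.host values that were logged as names instead of addresses."""
    counts = Counter()
    for line in lines:
        record = parse_line(line)
        if record and not is_ip_literal(record["client_host"]):
            counts[record["client_host"]] += 1
    return counts

if __name__ == "__main__":
    for host, n in named_client_hosts(SAMPLE.splitlines()).most_common():
        print(f"{n:4d}  {host}")
```

Run it again after the reverse lookup zones have been added to check whether the name still appears in new log lines.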