Traffic is being reported as downloaded by a user from a blocked site in Web Security Service (WSS) reports.
Web Security Service
When a user tries to access a website, the client sends a TCP handshake, which WSS forwards. By the time the return packet arrives, WSS has reached a policy verdict for that user and domain. If the verdict is allow, the TCP connection continues as normal.
If the verdict is block, WSS intercepts the returning TCP packet and injects the block page into it. In the reports, this intercepted packet shows:
- A 200 status code
- An allow verdict
- A nominal file size (a few hundred bytes)
All other traffic from that blocked domain shows:
- A 403 status code
- A block verdict
- The size of the packet that was blocked (often several kilobytes)
There is no solution; WSS is working as intended.
This can cause concern when viewed in reports generated from WSS data. For example, a user has a policy block for Dropbox. When the user attempts to access Dropbox, they get a block page. The reports generated in the WSS portal, Cloud Access Security Broker (CASB), etc. will show several hundred kilobytes of data being downloaded from Dropbox every time the user attempts to access it.
Admins may wonder why a user is downloading data from a domain they have been blocked from accessing. This data is reported as downloaded, but it never reaches the user.
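To read such reports correctly, the 403/block rows should be tallied as blocked bytes rather than downloads, and the small 200/allow row next to them recognised as the injected block page. The following is an added example, not Symantec's code or the real WSS export schema: it assumes a simplified CSV layout with columns user, domain, status, verdict and bytes, a constructed sample report, and an assumed 1024-byte upper bound for the block page size.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified CSV layout; the column names are an
# assumption for this example, not the real WSS report schema.
SAMPLE_REPORT = """user,domain,status,verdict,bytes
alice,dropbox.com,200,allow,412
alice,dropbox.com,403,block,153600
alice,dropbox.com,403,block,98304
alice,example.org,200,allow,20480
bob,dropbox.com,403,block,51200
"""

# Assumed upper bound for the "nominal" size of the injected block page.
BLOCK_PAGE_MAX_BYTES = 1024


def parse_report(text):
    """Parse the CSV export into dict rows with integer status and bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["status"] = int(row["status"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize(rows):
    """Per (user, domain): bytes that reached the user vs. bytes WSS blocked.
    403/block rows carry the size of the blocked response, which never reached
    the user, so they count as 'blocked'. A small 200/allow row alongside
    block rows for the same user/domain is the injected block page."""
    out = defaultdict(lambda: {"delivered": 0, "blocked": 0, "block_page_hits": 0})
    allows = defaultdict(list)
    for r in rows:
        key = (r["user"], r["domain"])
        if r["verdict"] == "block" and r["status"] == 403:
            out[key]["blocked"] += r["bytes"]
        elif r["verdict"] == "allow" and r["status"] == 200:
            allows[key].append(r["bytes"])
    for key, sizes in allows.items():
        for size in sizes:
            if out[key]["blocked"] and size <= BLOCK_PAGE_MAX_BYTES:
                out[key]["block_page_hits"] += 1  # block page, not site data
            else:
                out[key]["delivered"] += size
    return dict(out)


if __name__ == "__main__":
    for (user, domain), s in summarize(parse_report(SAMPLE_REPORT)).items():
        print(user, domain, s)
```

On the sample, alice's Dropbox entry shows 0 bytes delivered, 251904 bytes blocked and one block-page hit, which is the picture the article describes.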