IrbkOrrum
Explorer III
March 27, 2025
Question

Originally accessed website in logs


I'm trying to lock down some of my web rules.  The issue is many of the server owners don't understand what web access they "need" so I resort to turning on full logging.  I put a more restrictive rule above the less restrictive rule, and check the logs on the less restrictive rule. The end goal being that eventually there will be no more traffic on the less restrictive rule and I can remove it.  I've got logging turned on, but sometimes the logs can be a bit deceiving.  For example

wdcp.microsoft.com

resolves to something like
wd-prod-cp-us-east-<number>-fe.<east or west>us.cloudapp.azure.com

Oftentimes I'll see in the logs that the server accessed wd-prod-cp-us-east-<number>-fe.<east or west>us.cloudapp.azure.com when, in fact, they actually accessed wdcp.microsoft.com (but I don't know that fact).  I'll put *.<east or west>us.cloudapp.azure.com in the rule that I use above the more restrictive rule, but then the next day I see more traffic in the less restrictive rule to wd-prod-cp-us-east-<number>-fe.<east or west>us.cloudapp.azure.com because I'm not realizing that traffic is actually going to wdcp.microsoft.com.

Is there some way through the logs that I can see what the actual site that the server tried to visit was when the logs are giving me 'less than completely truthful' URLs with the IPs?

2 replies

ebrlima
Staff
March 27, 2025

I think the best way to get the info you want is applying a webfilter profile to your rules. The action per category should be at least monitor, so you can have webfiltering logs, which contain hostnames and full URL information. Don't use the "allow" action, but use monitor instead.

IrbkOrrum (Author)
Explorer III
March 27, 2025

Oh, I'd not thought of that.  Where does that end up in logs?  Is that under a specific location or does it still end up under the "show matching logs" when you right click on a rule?  

ebrlima
Staff
March 27, 2025

dingjerry_FTNT
Staff
March 27, 2025

> nslookup wdcp.microsoft.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com
Address: 48.211.71.194
Aliases: wdcp.microsoft.com
wd-prod-cp.trafficmanager.net

So the web server for the URL wdcp.microsoft.com is hosted on an Azure Cloud server. Actually, I would say, it is an entry pointing to something like a server farm.

And the alias "wd-prod-cp.trafficmanager.net" is for Microsoft Azure Traffic Manager.

So it seems that wdcp.microsoft.com is just an entry for one server farm and the backend balancer will distribute your traffic to some server in the Azure cloud.

I think that you are not using SSL Deep Inspection.  You may try to use it and it will detect the real URL wdcp.microsoft.com you are accessing.
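The CNAME chain shown above is the reason the firewall log reports the cloudapp name rather than the name the server asked for. As an added example (not code from the thread or from Fortinet), the script below parses nslookup-style answers for the hostnames you already allow, maps each canonical name back to the aliases that resolve to it, and annotates log lines that carry only the canonical name with the candidate original hostnames. The second lookup, the log lines and their field names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data: the nslookup answer quoted in the thread plus one
# hypothetical second hostname, keyed by the name that was actually queried.
NSLOOKUP = {
    "wdcp.microsoft.com": (
        "Server: dns.google\nAddress: 8.8.8.8\n\nNon-authoritative answer:\n"
        "Name: wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com\n"
        "Address: 48.211.71.194\nAliases: wdcp.microsoft.com\n"
        "wd-prod-cp.trafficmanager.net\n"),
    "updates.example.test": (  # hypothetical hostname, constructed here
        "Non-authoritative answer:\n"
        "Name: wd-prod-cp-us-west-2-fe.westus.cloudapp.azure.com\n"
        "Address: 192.0.2.10\nAliases: updates.example.test\n"),
}

# Constructed key=value log lines; the hostname field carries the canonical
# name, exactly the situation the question describes.
LOG_LINES = [
    'date=2025-03-27 srcip=10.0.0.5 dstip=48.211.71.194 policyid=20 '
    'hostname="wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com"',
    'date=2025-03-27 srcip=10.0.0.7 dstip=192.0.2.10 policyid=20 '
    'hostname="wd-prod-cp-us-west-2-fe.westus.cloudapp.azure.com"',
    'date=2025-03-27 srcip=10.0.0.9 dstip=203.0.113.4 policyid=20 '
    'hostname="unknown.example.net"',
]

def parse_nslookup(text):
    """Return (canonical_name, aliases); assumes the alias list ends the answer."""
    canonical = re.search(r"^Name:\s*(\S+)", text, re.M).group(1)
    m = re.search(r"^Aliases:\s*(.*)", text, re.M | re.S)
    return canonical, (m.group(1).split() if m else [])

def build_alias_map(lookups):
    """Map each canonical name back to every name known to resolve to it."""
    alias_map = defaultdict(set)
    for queried, text in lookups.items():
        canonical, aliases = parse_nslookup(text)
        alias_map[canonical].update({queried, *aliases})
    return alias_map

HOST_RE = re.compile(r'hostname="([^"]+)"')

def annotate(lines, alias_map):
    """Pair each logged hostname with the names the client may really have requested."""
    return [(h, sorted(alias_map.get(h, ())))
            for h in (HOST_RE.search(line).group(1) for line in lines)]

if __name__ == "__main__":
    for host, names in annotate(LOG_LINES, build_alias_map(NSLOOKUP)):
        print(host, "->", ", ".join(names) or "no known alias; check webfilter log")
```

The map only yields candidates, since several hostnames can share one farm; the webfilter or deep-inspection log, which records the hostname the client actually sent, remains the authoritative answer.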