Endpoint Protection

  • 1.  Strange things with firewall logs....

    Posted Mar 17, 2009 08:38 AM

    Boss wanted some logging, wanted to "see where folks are going". Also wanted to block access to a couple of sites. Coo, no problem! Set up rules for such things, then watch the logs.

    Problem is, the logs show us only the destination IP address. Say we block a site called www.porno.com - plug in the IP address and set it up so that if IE attempts to contact that site via ports 80, etc. outbound TCP that it will block and log. It does block, very well (as long as you use the site's IP address and NOT host name, but that's another story). It does LOG, too, but it only shows the host IP address, not the host name.

    Set up a rule so that you watch IE for outbound on port 80 again, and log where it's going, and the logs there, too, show only the host's IP address.

    Odd, Symantec says it should show the host NAME in there if there is a name (some addresses don't resolve to a name, sneaky advertising methods, etc.). Ours do not show host names, just a list of addresses, and if I want to know where someone went, I have to manually nslookup the addresses.

    Now the kicker. If I install a cell modem in a test computer, and use that modem to get to the Internet, and browse say to symantec.com, the logs SHOW SYMANTEC.COM and not the IP address. If I quickly switch back from cell modem to our own network and hit symantec.com again, the logs show the IP address. I can switch quickly between our network and an outside ISP very quickly using either a dirty feed to Mediacom, a cable provider, or the cell modem, Verizon, and watch the logs as I refresh. If I'm on our network, it shows IP, if I hit an outside provider and disconnect from our network, it shows names! Go figure! Yet on the same test workstations, for that matter, ANY workstation, NSLOOKUP will resolve those names just fine! No problem! 

    A sniff shows it's using UDP and the proper port for name resolution when using NSLOOKUP.

    So, when our network is the provider, SEP won't log host names, when any other ISP is the provider, SEP logs host names. NSLOOKUP works fine, the trace looks normal.

    What next? Thoughts??? We need to have the logs show host names, not cryptic IP addresses - imagine sending THAT report to the boss!
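    One way to do the manual nslookup pass described above in bulk, as an added example that is not part of this thread or of SEP itself: it reads constructed log lines (the line format is hypothetical), reverse-resolves each destination address once, marks addresses that have no PTR record, and counts destinations by name for the "where folks are going" report.

```python
import re
import socket
from collections import Counter

# Constructed sample lines in the spirit of the post's firewall log: only the
# destination IP is recorded, never the host name. The format is hypothetical.
SAMPLE_LOG = """\
2009-03-17 08:40:12 Blocked TCP out iexplore.exe 10.1.2.34:2153 -> 203.0.113.10:80
2009-03-17 08:40:15 Allowed TCP out iexplore.exe 10.1.2.34:2154 -> 198.51.100.7:80
2009-03-17 08:40:17 Allowed TCP out iexplore.exe 10.1.2.34:2155 -> 203.0.113.10:443
"""

# Destination "ip:port" after the arrow.
LINE_RE = re.compile(r"->\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def reverse_lookup(ip):
    """PTR lookup; returns None when the address has no name (the post's
    'some addresses don't resolve to a name' case)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enrich(log_text, resolver=reverse_lookup):
    """Attach a reverse-resolved name to every parsable log line.

    resolver is injectable so the function can run offline; each address is
    looked up only once, the same as a careful manual nslookup pass."""
    cache = {}
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection line we know how to read
        ip = m.group("dst")
        if ip not in cache:
            cache[ip] = resolver(ip)
        name = cache[ip] or "(no PTR record)"
        records.append({"line": line, "ip": ip, "port": int(m.group("port")), "name": name})
    return records


def summarize(records):
    """Destinations by resolved name, most visited first."""
    return Counter(r["name"] for r in records).most_common()


if __name__ == "__main__":
    recs = enrich(SAMPLE_LOG)  # uses live reverse DNS
    for r in recs:
        print(f"{r['line']} dst_name={r['name']}")
    print(summarize(recs))
```

    A PTR name is whatever the address owner registered, so for shared hosting or a CDN it is often not the site the user typed; a DNS query log or proxy log is the reliable source for that name.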



  • 2.  RE: Strange things with firewall logs....

    Posted Mar 17, 2009 11:22 AM

    Do you use corporate proxy?



  • 3.  RE: Strange things with firewall logs....

    Posted Mar 17, 2009 11:25 AM

    No proxy at all.

    The Internet settings either in CP (control panel) or IE need no proxy or special settings.