Visibility in Proxied Flows
A proxy is a server positioned between client machines and the internet that controls and restricts direct client access to the internet. When a client wants to reach an internet service through the proxy, it asks the proxy (with an HTTP CONNECT request) to open a TCP connection to the target web server on its behalf. Once that connection is established, the proxy returns an HTTP response with a success status to the client. From then on the client keeps using its existing TCP connection to the proxy as though it were communicating directly with the web service, and the proxy acts as a bridge, relaying data between the two TCP connections.
A workload hosting an application, with the CSW agent installed, initiates a request for an internet service. It first instructs the proxy to create a tunnel on its behalf, and all interaction with the internet service then takes place over the established connection to the proxy. At the flow level, the CSW agent captures only the flow between the workload and the proxy server; without the proxied-flow visibility feature described here, the actual destination of that flow remains unknown.
The agent uses its PCAP filter to inspect all outgoing TCP packets, scanning the payload for the HTTP "CONNECT" verb; this is how it identifies the proxy request inside the flow. When the flows are exported to the Collectors, the agent generates an Effective Flow for each identified proxy flow and links the proxy flow and the proxied flow through the related_key field, which incorporates the 5-tuple information.
Note: Visibility in proxied flows is on by default. To disable the feature, add enable_proxy_flows_visibility: 0 to the sensor config file.
Prerequisite
Set Flow Analysis Fidelity to Detailed mode.
Procedure
- From the navigation menu, choose Investigate > Traffic. The Traffic page facilitates swift filtering and in-depth exploration of the flow corpus.
- Click the Expand icon to view the Flow Details.
Agents of version 3.9 and later can capture the destination of proxied flows. On the Investigate > Traffic page, you can observe two distinct flows:
- Proxy Flow: originates from the workload and terminates at the proxy.
- Proxied Flow: the effective, tunneled flow from the workload to the remote Fully Qualified Domain Name (FQDN) or IP address.
These flows are interconnected and designated as Related. Specific considerations include:
- If the request to the proxy names a remote FQDN, the Provider Address of the effective flow is marked as Unknown and the Provider Domain Name is set to that FQDN.
- If the request to the proxy names a remote IP address, the Provider Address is that address and the Provider Domain Name is left empty.
Figure 1: Flow Details
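The CONNECT detection and Effective Flow generation described above, together with the FQDN-versus-IP handling of Provider Address and Provider Domain Name, as an added, simplified Python illustration. This is not the CSW agent's code: it assumes a flat Flow record, a pipe-joined 5-tuple as the related_key value (the page says only that the key incorporates the 5-tuple, not how it is encoded), the enable_proxy_flows_visibility switch modelled as a function argument, and constructed sample packets.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample packets, as the agent would see them on the workload's outbound
# side: (5-tuple, payload). Only the first packet of a tunnelled session carries the
# CONNECT request; what follows is opaque (a TLS ClientHello fragment here).
SAMPLE_PACKETS = [
    (("10.0.0.5", 51234, "10.0.0.10", 3128, "tcp"),
     b"CONNECT api.example.com:443 HTTP/1.1\r\nHost: api.example.com:443\r\n\r\n"),
    (("10.0.0.5", 51234, "10.0.0.10", 3128, "tcp"), b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    (("10.0.0.5", 51240, "10.0.0.10", 3128, "tcp"),
     b"CONNECT 203.0.113.7:8443 HTTP/1.0\r\n\r\n"),
    # Absolute-form GET through a forward proxy: not a CONNECT, so no effective flow.
    (("10.0.0.5", 51250, "10.0.0.10", 3128, "tcp"),
     b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Malformed authority (no port): rejected rather than recorded as a bogus destination.
    (("10.0.0.5", 51260, "10.0.0.10", 3128, "tcp"), b"CONNECT evil HTTP/1.1\r\n\r\n"),
]

# Request-line of a CONNECT request (RFC 7231 section 4.3.6): "CONNECT host:port HTTP/1.x".
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^ \t\r\n]+)[ \t]+HTTP/1\.[01]\r?\n")


def parse_connect(payload):
    """Return (host, port) if the payload starts with a well-formed CONNECT request."""
    m = CONNECT_RE.match(payload)
    if m is None:
        return None
    authority = m.group(1).decode("ascii", "replace")
    host, sep, port = authority.rpartition(":")   # port is mandatory in authority-form
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    if host.startswith("[") and host.endswith("]"):   # bracketed IPv6 literal
        host = host[1:-1]
    return host, int(port)


@dataclass
class Flow:
    flow_type: str              # "proxy" (workload -> proxy) or "proxied" (effective flow)
    consumer_address: str
    consumer_port: int
    provider_address: str       # "Unknown" when the CONNECT target is a name
    provider_port: int
    provider_domain_name: str   # set only when the CONNECT target is a name
    related_key: str            # ties the proxy flow and its effective flow together


def related_key_for(five_tuple):
    # Hypothetical key format: the 5-tuple joined with "|". The real agent's encoding
    # is not documented on this page; only the fact that it incorporates the 5-tuple is.
    return "|".join(str(x) for x in five_tuple)


def build_flows(packets, enable_proxy_flows_visibility=True):
    """Aggregate packets into flows and emit one effective flow per CONNECT seen."""
    flows = {}
    for five_tuple, payload in packets:
        key = related_key_for(five_tuple)
        src, sport, dst, dport, _proto = five_tuple
        if key not in flows:
            flows[key] = [Flow("proxy", src, sport, dst, dport, "", key)]
        if not enable_proxy_flows_visibility or len(flows[key]) > 1:
            continue   # feature disabled, or this session already has its effective flow
        target = parse_connect(payload)
        if target is None:
            continue
        host, port = target
        try:
            ipaddress.ip_address(host)          # literal IP: address known, no domain name
            addr, domain = host, ""
        except ValueError:                      # FQDN: domain known, address not resolved
            addr, domain = "Unknown", host
        flows[key].append(Flow("proxied", src, sport, addr, port, domain, key))
    return [f for pair in flows.values() for f in pair]


if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(f)
```

Running the block yields one proxy flow per session and an additional proxied flow only for the two well-formed CONNECT requests; the absolute-form GET and the CONNECT without a port produce no effective flow, which matches the page's statement that the CONNECT verb is what identifies the proxy request. Because the match is on the payload rather than the destination port, a proxy listening on a non-standard port is detected the same way.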