Transaction Event Fields
Transaction Event Fields
Admins can search, analyze, and correlate data from app events, alerts, incidents, and transaction events. This helps to find trends, create dashboards, and even trigger alerts to improve your business processes and protect your data.
The following sections display information about the transaction event log file fields and possible values for those fields. Each field is grouped in categories, e.g. Application, Authentication, SSL Policy, etc.
TRANSACTION EVENT FORMAT CONFIGURATION
A log format defines how the contents of a log file should be interpreted. Log formats can also define the fields contained within the log file and the data types for those fields. Netskope currently has several log file formats available and in subsequent releases, more formats will be available.
The log file format is structured meaning the order of fields is fixed and cannot be changed.
Note
The format version used to generate transaction events is defined in the backend. Contact your Sales Representative or Support to update the transaction events format.
FORMAT 1
#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value
FORMAT 2
Format 2 is the same as Format 1 with the addition of the italicized fields below.
#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress
FORMAT 3
Format 3 is the same as Format 2 with the addition of the italicized fields below.
#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress x-s-dp-name x-cs-src-ip x-cs-src-port x-cs-dst-ip x-cs-dst-port x-sr-src-ip x-sr-src-port x-sr-dst-ip x-sr-dst-port x-cs-ip-connect-xff x-cs-ip-xff x-cs-connect-host x-cs-connect-port x-cs-connect-user-agent x-cs-url x-cs-uri-path x-cs-http-version rs-status x-cs-app-category x-cs-app-cci x-cs-app-ccl x-cs-app-tags x-cs-app-suite x-cs-app-instance-id x-cs-app-instance-name x-cs-app-instance-tag x-cs-app-activity x-cs-app-from-user x-cs-app-to-user x-cs-app-object-type x-cs-app-object-name x-cs-app-object-id x-rs-file-type x-rs-file-category x-rs-file-language x-rs-file-size x-rs-file-md5 x-rs-file-sha256 x-error x-c-local-time x-policy-action x-policy-name x-policy-src-ip x-policy-dst-ip x-policy-dst-host x-policy-dst-host-source x-policy-justification-type x-policy-justification-reason x-sc-notification-name
Note
The number listed in the Position column represents the order the particular field appears in the Format list. The number is fixed and is in the same order for Format 1, Format 2, and Format 3.
APPLICATION
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-cs-app | Cloud application name. | Dropbox | 24 |
x-cs-app-category | Cloud application category from the CCI database. | Business Intelligence and Data Analytics | 116 |
x-cs-app-cci | Cloud Confidence Index of the Cloud application from the CCI database. | A number ranging from 0 – 100 | 117 |
x-cs-app-ccl | Cloud Confidence Level of the Cloud application from the CCI database. | High Score: 75 to 89 | 118 |
x-cs-app-tags | Cloud application tags from the CCI database. | Marketing, HR | 119 |
x-cs-app-suite | The cloud application suite name. | 120 | |
x-cs-app-instance-id | The cloud application instance ID identified by the proxy. | mycompany.com | 121 |
x-cs-app-instance-name | Reserved for future use. | N/A | 122 |
x-cs-app-instance-tag | Reserved for future use. | N/A | 123 |
x-cs-app-activity | The cloud application activity identified by the proxy. | Browse | 124 |
x-cs-app-from-user | The user identity detected in the cloud application. | user@company.com | 125 |
x-cs-app-to-user | The recipients of a share/send activity detected in the cloud application. | user@partner.com | 126 |
x-cs-app-object-type | The type of the object transferred to/from the cloud application. | File | 127 |
x-cs-app-object-name | The name of the object transferred to/from the cloud application. | sample-data.pdf | 128 |
x-cs-app-object-id | The ID of the object transferred to/from the cloud application. | 1iNtlIbpIivrmMEHPgtjEDk_T5Fe0a778 | 129 |
AUTHENTICATION
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
cs-username | The client’s username. | Bill@companyname.com | 9 |
BYTES
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
cs-bytes | Bytes received from the client. | 1093 | 4 |
sc-bytes | Bytes received from the server. | 17084 | 5 |
bytes | Sum of client bytes plus server bytes. | 18177 | 6 |
CONNECTION
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
c-ip | Client IP as seen by the Netskope proxy. This will be the machine IP if available, IPv4 address. | 70.42.129.126 | 7 |
s-ip | The server IPv4 address. NOTE: During SSL bypass, the s-ip field displays as Unavailable when it’s neither IPv4 or IPv6. | 216.58.193.33 | 8 |
x-cs-access-method | Steering method used to access the Netskope cloud. | Client | 23 |
x-cs-userip | The client IP address. If the client IP address is not found, the field is left blank. | 199.188.180.55 | 44 |
x-cs-tunnel-id | VPN tunnel ID | 998a4499-a5a6-4a55-b243-b67ce89dd870 | 46 |
x-cs-src-ip-egress | The public IP used to contact the NewEdge data plane on the traffic coming from the Client device. | 70.42.129.126 | 97 |
x-s-dp-name | The dataplane name processing the request. | FR-PAR1 | 98 |
x-cs-src-ip | The source IP of the client to proxy session. | 70.42.129.126 | 99 |
x-cs-src-port | The source port of the client to proxy session. | 54447 | 100 |
x-cs-dst-ip | The destination IP of the client to proxy session. | 216.58.193.67 | 101 |
x-cs-dst-port | The destination port of the client to proxy session. | 443 | 102 |
x-sr-src-ip | The source IP of the proxy to remote server session. This field is blank if dedicated IPs are used. | 163.116.163.24 | 103 |
x-sr-src-port | The source port of the proxy to remote server session. This field is blank if dedicated IPs are used. | 15556 | 104 |
x-sr-dst-ip | The destination IP of the proxy to remote server session. | 216.58.193.67 | 105 |
x-sr-dst-port | The destination port of the proxy to remote server session. | 443 | 106 |
DEVICE
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-c-os | Operating system of the client. | Windows 10 | 37 |
x-c-browser | Client’s browser. | Firefox | 38 |
x-c-browser-version | Client’s browser version. | 50 | 39 |
x-c-device | Client’s device type. | Windows device | 40 |
FILE
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-rs-file-type | The type of the object transferred to/from the remote server. | text/plain | 130 |
x-rs-file-category | The category of the object transferred to/from the remote server. | Word Processor | 131 |
x-rs-file-language | Reserved for future use. | N/A | 132 |
x-rs-file-size | Reserved for future use. | N/A | 133 |
x-rs-file-md5 | The MD5 Hash of the object transferred to/from the remote server. | bcdd51c6a4f3f99c4e658f07e4c57e91 | 134 |
x-rs-file-sha256 | Reserved for future use. | N/A | 135 |
GENERAL
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
date | Date of generation, YY-MM-DD format. NOTE: Human readable string for the “x-cs-timestamp” field. | 08/07/19 | 1 |
time | Time of generation in HH:MM-SEC format in GMT. NOTE: Human readable string for the “x-cs-timestamp” field. | 01:02-39 | 2 |
x-cs-timestamp | Date of the request as epoch time. NOTE: This field is the epoch version of the “date” and “time” fields. | 1480330369 | 42 |
x-error | The error encountered when processing the transaction. | dns-resolution | 136 |
x-c-local-time | The local time of the client calculated from geolocation of the device IP. | 2019-08-07 12:23:01 | 137 |
GEOLOCATION
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-s-country | Destination country | United States | 25 |
x-s-latitude | Destination latitude | 37.4192009 | 26 |
x-s-longitude | Destination longitude | -122.0574036 | 27 |
x-s-location | Destination location (e.g. city) | Menlo Park | 28 |
x-s-region | Destination region (e.g. state) | California | 29 |
x-s-zipcode | Destination zip code | 94025 | 30 |
x-c-country | Country of the client (user) | United States | 31 |
x-c-latitude | Latitude of the client | 37.3394 | 32 |
x-c-longitude | Longitude of the client | -121.895 | 33 |
x-c-location | Location of the client | Palo Alto | 34 |
x-c-region | Region of the client | California | 35 |
x-c-zipcode | Zip code of the client | 84414 | 36 |
HTTP
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
cs-method | The HTTP method (e.g. GET, POST). | POST | 10 |
cs-uri-scheme | The protocol used. | https | 11 |
cs-uri-query | The query string portion of the HTTP request. | q=a&b=c | 12 |
cs-user-agent | The user-agent header in the HTTP request. | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 | 13 |
cs-content-type | The content-type header in the HTTP request. | application/json | 14 |
sc-status | The HTTP status code received from the server. | 200 | 15 |
sc-content-type | The content-type header from the response. | text/html | 16 |
cs-dns | The destination domain requested. | google.co.in | 17 |
cs-host | The value in the host header from the request. | google.co.in | 18 |
cs-uri | Path information plus query string. | /home.html?key=123 | 19 |
cs-uri-port | Port specified in the request header. | 443 | 20 |
cs-referer | The value of the referrer header. | https://www.google.com | 21 |
x-cs-session-id | A session for the current user which consists of: user, device, OS, app, browser. | 50530900000000000 | 22 |
x-cs-site | Destination site. | Google Maps | 41 |
x-cs-page-id | Identifier associated with the page event object. | 1170730000000000000 | 43 |
x-cs-traffic-type | Type of traffic could be “Web” or “CloudApp”. NOTE: During SSL bypass, x-cs-traffic-type always displays as Unavailable. | Web | 45 |
x-type | The type of log message, which can be “http_transaction” or “WebSocket”. NOTE: When parsing an HTTP Upgrade response, Netskope uses the Upgrade header to determine if the traffic is WebSocket. | http_transaction | 49 |
x-transaction-id | Transaction ID needed to correlate application events with transaction events. | 1821255295454864980 | 52 |
x-request-id | Request ID needed to correlate DLP and TSS incidents with transaction events. | 2234064361201696768 | 53 |
x-sr-headers-name | List of custom headers inserted | X-Dropbox-allowed-Team-Ids, x-my-header | 58 |
x-sr-headers-value | List of custom header values inserted | 1234, 123456 | 59 |
x-cs-ip-connect-xff | X-Forwarded-For header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or if the field is missing. | 192.168.1.1 | 107 |
x-cs-ip-xff | X-Forwarded-For header value received in the Client to Proxy GET request. This field is empty if there is no header or if GET is not decrypted. | 192.168.1.2 | 108 |
x-cs-connect-host | The host value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT. | www.google.com | 109 |
x-cs-connect-port | The port value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT. | 443 | 110 |
x-cs-connect-user-agent | The User-Agent header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or the field is missing. | “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0)Gecko/20100101 Firefox/50.0” | 111 |
x-cs-url | The full URL of the request received, includes scheme, host, port, path and query. | https://play.google.com/log?format=json&hasfast=true&authuser=0 | 112 |
x-cs-uri-path | Path of the URI from the received HTTP request. | /example/path | 113 |
x-cs-http-version | The version of the HTTP protocol of the request. | HTTP2 | 114 |
rs-status | The HTTP status code received from the remote server. | 200 | 115 |
PERFORMANCE
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
time-taken | Delta (integer value in ms) when the request processing started and the full response was received. | 589 | 3 |
REAL-TIME PROTECTION POLICY
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-category | Primary category name applicable for the url in this transaction. | “Cloud Storage” | 47 |
x-other-category | Secondary categories applicable for the url in this transaction. | “News & Media; Entertainment” | 48 |
x-category-id | Primary category ID applicable for the url in this transaction, e.g. category ID is 7 for the Cloud Storage category. | 7 | 56 |
x-other-category-id | IDs of secondary categories applicable for the url in this transaction, e.g. category ID is 537 for the News & Media; Entertainment category. | 537 | 57 |
x-policy-action | The action performed by the proxy on the transaction after the Real-time policy engine analysis (e.g. allow, block, bypass, alert, user alert) | block | 138 |
x-policy-name | The Real-time policy name that triggered the action. | DefaultAction | 139 |
x-policy-src-ip | The source IP computed by the Real-time policy engine from the source IP or XFF header. | 10.50.1.192 | 140 |
x-policy-dst-ip | The destination IP computed by the Real-time policy engine, from DNS resolution. | 142.251.46.206 | 141 |
x-policy-dst-host | The hostname computed by the Real-time policy engine. The source for the hostname is provided in the x-policy-dst-host-source field. | chat.google.com | 142 |
x-policy-dst-host-source | The source for the hostname value computed by the Real-time policy engine (e.g. OriginalDestDomain, Sni, Uri, HttpHostHeader). | HttpHostHeader | 143 |
x-policy-justification-type | The justification type selected by the end user in case of “useralert” action. | justification | 144 |
x-policy-justification-reason | The justification provided by the end user in case of “useralert” action. | sharing with a trusted partner | 145 |
x-sc-notification-name | The name of the user notification displayed to the end user in case of action “block” or “useralert”. | block_page.html | 146 |
SSL CERTIFICATE
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-cs-sni | The hostname that the client is attempting to connect to using the SNI extension in the TLS handshake. | google.co.in | 54 |
x-cs-domain-fronted-sni | The SNI of the SSL connection where Netskope detected domain fronting. In other words, the SNI and Host header were mismatched. SSL inspection must be enabled to see this field. | google.co.in | 55 |
x-r-cert-subject-cn | The CN attribute of the server certificate received from the destination server. | upload.video.google.com | 64 |
x-r-cert-issuer-cn | The issuer CN attribute of the server certificate received from destination server. | GTS CA 1C3 | 65 |
x-r-cert-startdate | The start date/time of the server certificate received from the destination server. | Oct 17 08:18:30 2022 GMT | 66 |
x-r-cert-enddate | The end date/time of the server certificate received from the destination server. | Jan 9 08:18:29 2023 GMT | 67 |
x-r-cert-valid | Overall result of the evaluation of the validity of the server certificate received from destination server. This field doesn’t reflect the action of the SSL Engine. | yes | 68 |
x-r-cert-expired | Indicates if the server certificate received from the destination server is expired or not yet valid. | no | 69 |
x-r-cert-untrusted-root | Indicates if the server certificate received from the destination server is signed by a trusted issuer. | no | 70 |
x-r-cert-incomplete-chain | Indicates if the server certificate received from destination server has an incomplete issuer chain. | no | 71 |
x-r-cert-self-signed | Indicates if the server certificate received from the destination server is self-signed. | no | 72 |
x-r-cert-revoked | Indicates if the server certificate received from the destination server is revoked. | no | 73 |
x-r-cert-revocation-check | Reserved for future use. | n/a | 74 |
x-r-cert-mismatch | Indicates if the server certificate received from the destination server has a mismatch between the SNI and the CN/SAN. | no | 75 |
SSL ENGINE
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-server-ssl-err | Description of SSL error between proxy and content servers. | Handshake error (error:141A318A:SSL routines: tls_process_ske_dhe:dh key too small) Blocked by SSL_HANDSHAKE_ERROR | 50 |
x-client-ssl-err | Description of SSL error between client (browser) and proxy. | Handshake error (error:1417A0C1:SSL routines: tls_post_process_client_hello:no shared cipher) | 51 |
x-cs-ssl-ja3 | Fingerprints the way the Client communicates over TLS. | 2d908070f157946cc4ea9dca39dbe374 | 60 |
x-sr-ssl-ja3s | Fingerprints the way the server responds to the TLS. | 907bf3ecef1c987c889946b737b43de8 | 61 |
x-cs-ssl-fronting-error | Indicates if the server certificate received from the destination server has a mismatch between the SNI and the hostname of the encrypted HTTP request. | no | 76 |
x-cs-ssl-handshake-error | Indicates if the SSL Engine encountered a problem when establishing the SSL/TLS negotiation. For more information, refer to the x-server-ssl-err and x-client-ssl-err fields. | no | 77 |
x-sr-ssl-handshake-error | Indicates if the SSL Engine encountered a problem to establish SSL/TLS negotiation. For more information, refer to the x-server-ssl-err and x-client-ssl-err fields for more information. | no | 78 |
x-sr-ssl-client-certificate-error | Indicates that the destination server requested a Client certificate during SSL/TLS negotiation. | yes | 79 |
x-sr-ssl-malformed-ssl | Indicates that the SSL Engine encountered a malformed SSL packet during SSL/TLS negotiation. | yes | 80 |
x-s-custom-signing-ca-error | Indicates that the SSL Engine failed to intercept with a Custom signing CA. | no | 81 |
x-cs-ssl-engine-action | Indicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS negotiation. Possible values include: allow, block, or bypass. | allow | 82 |
x-cs-ssl-engine-action-reason | Provides details of the SSL Engine action. | SSL Error – Incomplete Certificate Trust Chain | 83 |
x-sr-ssl-engine-action | Indicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS Negotiation. Possible values include: allow, block, or bypass. | allow | 84 |
x-sr-ssl-engine-action-reason | Provides details of the SSL Engine action. | InvalidCert (malformed or invalid certificate) | 85 |
x-cs-ssl-version | The SSL Version negotiated between the Client device and the NewEdge data plane for the HTTPS request. | TLSv1.3 | 93 |
x-cs-ssl-cipher | The SSL Cipher negotiated between the Client device and the NewEdge data plane for the HTTPS request. | TLS_AES_256_GCM_SHA384 | 94 |
x-sr-ssl-version | The SSL Version negotiated between the NewEdge data plane and the Destination Server for the HTTPS request. | TLSv1.3 | 95 |
x-sr-ssl-cipher | The SSL Cipher negotiated between the NewEdge data plane and the Destination Server for the HTTPS request. | TLS_AES_256_GCM_SHA384 | 96 |
SSL POLICY
FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
---|---|---|---|
x-ssl-bypass | Indicates if the request was SSL bypassed. | No | 62 |
x-ssl-bypass-reason | Inidacates if the request was SSL bypassed, this field provides the reason. | SSL Error – SSL Handshake Error | 63 |
x-ssl-policy-src-ip | The Source IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | 10.1.1.1 | 86 |
x-ssl-policy-dst-ip | The Destination IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | 141.193.213.20 | 87 |
x-ssl-policy-dst-host | The Destination Hostname computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | www.netskope.com | 88 |
x-ssl-policy-dst-host-source | Describes how the Destination Hostname was computed by the SSL Policy Engine. Possible values include from SNI or original host | Sni | 89 |
x-ssl-policy-categories | Destination Hostname Categories computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | Content Server, Cloud Storage | 90 |
x-ssl-policy-action | Action of the SSL Decryption Policy that matched the request. Possible values include, Decrypt or DoNotDecrypt. | Do not decrypt | 91 |
x-ssl-policy-name | Name of the SSL Decryption Policy that matched the request. | Do not decrypt Financial Services | 92 |