URL VISIBILITY
(config) # url-visibility
This feature is best used along with ALE.
http://www.arubanetworks.com/products/networking/analytics/ale/
There is no visibility support on IAP as a standalone solution.
show log system, i.e. sent to syslog, will only show if the configuration changes have taken effect & will not show the URL.
URL visibility data from IAP is fed to ALE periodically; this URL data will be available on IAP (temporary) as part of CLI-cmd 'show url-visibility' till IAP posts to ALE.
IAP5# show url-visibility
Client URL List
----------------
SrcIP DstIP URL URL Length HitCount
----- ----- --- ---------- --------
192.168.50.101 54.165.205.112 sync.adaptv.advertis... 133 1
192.168.50.101 107.20.222.31 tap.rubiconproject.c... 57 1
192.168.50.101 54.239.26.242 fls-na.amazon.com/1/... 180 1
192.168.50.101 54.230.144.111 ecx.images-amazon.co... 77 1
192.168.50.101 216.58.192.228 google.com 10 1
192.168.50.101 54.239.26.242 fls-na.amazon.com/1/... 273 1
IAP's full URL data is sent to ALE server not to the syslog server.
You can also use CLI command - 'show url-visibility verbose' to get the full/whole URL detail in the cache.
For any IAP deployment which needs client URL data visibility, it has to consume from ALE rest/pub-sub mechanism.
One major thing to note here is that, we can only extract the full URL for HTTP traffic. For HTTPs, it is only the domain name, & not the full URL, which can be extracted from SNI field of client hello exchnage. With most major sites moving towards defaulting to HTTPs, the number of useful sites you can extract is going to come down. Obviously it is useful for retail analytics with sites like amazon, which still keeps the product search/view in HTTP and move to HTTPs only in payment processing, but a majority of google sites are HTTPs only if you are signed-in.