Rule tracing

To debug issues with rule processing, you can use the rule tracing functions in the user interface.

You can create rule traces, which record the activities that were completed to process the implemented rules when users of your network sent requests for web access from particular clients.

You can filter these traces according to the date of creation, the URL that was sent with a request, or the rule action that was executed when a rule was processed, for example, Block, Redirect, or Continue.

Tracing covers all activities in the different processing cycles that were performed for a request, including the request, response, and embedded object cycles. Tracing results can be viewed separately for different cycles.

Properties in the criteria of the rules that were involved in the processing can also be viewed separately, together with the values they were set to when the rules were processed.

Three panes are provided on the rule tracing page of the user interface to let you complete rule tracing activities.

  • Traces pane — Allows you to create, filter, and remove traces

    You can also export and store traces and import them again for viewing later on, or import traces that have been created on other Web Gateway appliances.

  • Rules pane — Allows you to select a processing cycle and view the rule sets and individual rules that were processed in this cycle

  • Details pane — Allows you to view the rule criteria of individual rules with their properties and the values the properties have been set to

Cycles in rule tracing

Processing starts when a request for web access has been received from a client of Web Gateway. It is performed in different cycles, beginning with the request cycle, in which rules are processed that are related to the elements of the request itself, for example, to a URL that was sent with a request.

If none of the rules in this cycle forbids forwarding the request to the web, for example, because of a negative categorization of a URL, the request is forwarded. Processing then waits for a response from the web.

When the response arrives, the rules of the response cycle are processed. For example, when a file that was requested for downloading is sent in response, it is scanned for viruses and other malware according to a particular rule and then passed on, or not, to the client that requested the download.

Other processing cycles are performed for embedded objects sent with requests or responses. Processing activities can also be logged according to the configured logging rules.

All processing that is performed in the different cycles for an initial request from a client of Web Gateway can be viewed as an entity, which is termed a transaction.

To debug an issue with rule processing, you can analyze the complete rule trace of a transaction or focus on a particular cycle that seems interesting with regard to problem solving.

Properties in rule tracing

Whether a rule applies and executes a particular action, for example, a Block action that blocks a request for web access, depends on the rule criteria, which contains properties that are set to particular values during the processing.

For example, the Antimalware.Infected property, which is contained in the rule criteria of a default anti-malware rule, is set to true when a scanned web object has been found to be infected by viruses or other malware. Then the criteria of this rule matches, and a Block action is executed.

When analyzing a rule trace, it can be useful to look at the properties that were involved in rule processing and the values they were set to. Therefore, properties and their values can also be viewed separately.
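The following conceptual model is an added example, not Web Gateway code or its trace format. It shows how a transaction's trace can be read per cycle and per property, and filtered by action or URL; the rule names, the `Example.URL.BadCategory` property, the URLs, and the assumption that a Block ends processing of the transaction are all hypothetical.

```python
from dataclasses import dataclass

# Conceptual model only: rule names, the URL property name and the trace
# layout are assumptions, not Web Gateway's internal trace format.
@dataclass
class Rule:
    name: str
    cycle: str      # "request" or "response"
    prop: str       # property used in the rule criteria
    action: str     # action executed when the property is true

RULES = [
    Rule("Block bad URL category", "request", "Example.URL.BadCategory", "Block"),
    Rule("Block infected object", "response", "Antimalware.Infected", "Block"),
]

def process_transaction(url, properties):
    """Run all cycles for one request and record every criteria evaluation."""
    entries = []
    for cycle in ("request", "response"):
        for rule in (r for r in RULES if r.cycle == cycle):
            value = bool(properties.get(rule.prop, False))
            executed = rule.action if value else "Continue"
            entries.append({"cycle": cycle, "rule": rule.name,
                            "property": rule.prop, "value": value,
                            "action": executed})
            if executed == "Block":  # assumed: a Block ends the transaction
                return {"url": url, "action": "Block", "entries": entries}
    return {"url": url, "action": "Continue", "entries": entries}

def filter_traces(traces, action=None, url_part=None):
    """Filter traces by executed action and/or URL substring."""
    return [t for t in traces
            if (action is None or t["action"] == action)
            and (url_part is None or url_part in t["url"])]

def cycle_view(trace, cycle):
    """Rules that were processed in one cycle of a transaction."""
    return [e["rule"] for e in trace["entries"] if e["cycle"] == cycle]

def property_view(trace):
    """Properties involved in the transaction and the values they were set to."""
    return {e["property"]: e["value"] for e in trace["entries"]}

# Constructed sample transactions (URLs and property values are made up).
TRACES = [
    process_transaction("http://files.example/setup.exe", {"Antimalware.Infected": True}),
    process_transaction("http://bad.example/", {"Example.URL.BadCategory": True}),
    process_transaction("http://news.example/", {}),
]
```

In this model, an empty response-cycle view for a blocked transaction shows that the request never left the request cycle, which is the kind of observation the per-cycle view of a trace is meant to support.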

Deleting and restoring rule traces

Rule traces can be removed from the panes of the rule tracing page, but not deleted on that page.

To delete rule traces, you need to access the Rule tracing files section, which is provided for every individual appliance under the Troubleshooting top-level menu.

In this section, you can also restore traces that you have previously removed to the rule tracing panes.

Note:

Up to 5000 traces can be stored on an appliance. When this number is exceeded, the oldest traces are deleted.

The deletion is not reflected on the rule tracing panes, so you might see entries for traces that you cannot access because the traces have already been deleted.