Default error handler rule set

The Default error handler rule set is the default rule set for error handling.

Default error handler rule set – Default
Criteria – Always

The following rule sets are nested in this rule set:

  • Long Running Connections
  • Monitoring
    • Check CPU Overload
    • Check Cache Partition
    • Check Request Overload
  • Log File Manager Incidents
  • Handle Update Incidents
  • Handle License Incidents
  • Block on Antimalware Engine Errors
  • Block on URL Filter Errors
  • Block on All Errors

Long Running Connections

This nested error handler rule set keeps connections alive when a proxy module error occurs.

Nested error handler rule set – Long Running Connections
Criteria – Error.ID equals 20000

The rule set criteria specifies that the rule set applies when the value of the Error.ID property is 20000, which indicates a malfunction of the proxy module.

The rule set contains the following rule.

Keep connection always alive
Always –> Stop Cycle

When the rule is executed, it stops the current processing cycle. The rule is always executed when the criteria of its rule set is matched. Stopping the processing cycle prevents the connection from being closed in the course of further rule processing.

The rule is not enabled by default.

Monitoring

This nested error handler rule set handles measures taken when an incident occurs that involves the appliance system.

Nested error handler rule set – Monitoring
Criteria – Incident.ID equals 5

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 5, which indicates an incident that involves the appliance system.

The following rule sets are nested in this rule set:

  • Check CPU Overload
  • Check Cache Partition
  • Check Request Overload

Check CPU Overload

This nested error handler rule set handles measures that are taken when the CPU load exceeds a configured value.

Nested error handler rule set – Check CPU Overload
Criteria – Statistics.Counter.GetCurrent(“CPULoad”)<Default> greater than or equals 95

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter. GetCurrent property for CPU load is 95 or higher. This value indicates the percentage of the maximum load that the CPU is currently running with.

The Statistics module, which provides the value, runs with default settings, as is specified after the CPU Load property parameter.

The rule set contains the following rules.

Create notification message

Always –> Continue – Set User-Defined.loadMessage =

“CPU load at “

+ Number.ToString (Statistics.Counter.GetCurrent(“CPULoad”)<Default>)

+ “%”

The rule is always executed when the criteria of its rule set is matched.
The rule then uses an event to set a user-defined property to a chain of values that make up a message text about the CPU overload.
The Continue action lets processing continue with the next rule.
Send SNMP trap and other rules

Always –> Continue – ...

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set criteria is matched.
The rules then use different events for taking measures to make the administrator aware of the CPU overload.
These rules are not enabled by default.

Check Cache Partition

This nested error handler rule set handles measures that are taken when the web cache usage exceeds a configured value.

Nested error handler rule set – Check Cache Partition
Criteria – Statistics.Counter.GetCurrent(“WebCacheDiskUsage”)<Default> greater than or equals 95

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter. GetCurrent property for web cache usage is 95 or higher.This value indicates the percentage of the maximum allowed usage of the web cache that is currently in use.

The Statistics module, which provides the value, runs with default settings, as is specified after the WebCacheDiskUsage property parameter.

The rule set contains the following rules.

Create notification message

Always –> Continue – Set User-Defined.cacheMessage =

“Cache partition usage at “

+Number.ToString (Statistics.Counter.GetCurrent(“WebCacheDiskUsage”)<Default>)

+ “%”

The rule is always executed when the criteria of its rule set is matched.
The rule then uses two events to set user-defined properties. One of these properties is set to the number of requests that are currently processed on the appliance per second. The other is set to a chain of values that make up a message text about the web cache usage..
The Continue action lets processing continue with the next rule.
Send SNMP trap and other rules

Always –> Continue – ...

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set criteria is matched.
The rules then use different events for taking measures to make the administrator aware of the web cache usage.
These rules are not enabled by default.

Check Request Overload

This nested error handler rule set handles measures that are taken when the number of requests processed on an appliance per second exceeds a configured value.

Nested error handler rule set – Check Request Overload
Criteria – Statistics.Counter.GetCurrent(“HttpRequests”)<Default> greater than or equals 480000

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter. GetCurrent property for requests is 480,000 or higher. This value is the number of requests that are currently processed one an appliance per second.

The Statistics module, which provides the value, runs with default settings, as is specified after the HttpRequests property parameter.

The rule set contains the following rules.

Create notification message

Always –> Continue – Set User-Defined.requestsPerSecond =

Statistics.Counter.GetCurrent(“HttpRequests”)<Default>)

/ 60

Set User-Defined.requestLoadMessage =

“detected high load: ”

+ Number.ToString (User-Defined.requestsPerSecond)

+ “requests per second”

The rule is always executed when the criteria of its rule set is matched.
The rule then uses two events to set user-defined properties. One of these properties is set to the number of requests that are currently processed on an appliance per second. The other is set to a chain of values that make up a message text about this number.
The Continue action lets processing continue with the next rule.
Send SNMP trap and other rules

Always –> Continue – ...

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set criteria is matched.
The rules then use different events for taking measures to make the administrator aware of the request overload.
These rules are not enabled by default.

Log File Manager Incidents

This nested error handler rule set handles measures taken when an incident occurs that involves the Log File Manager.

Nested error handler rule set – Log File Manager Incidents
Criteria – Incident.ID greater than or equals 501 AND Incident ID less than or equals 600

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is within the range of incidents that involve the Log File Manager.

The rule set contains the following rules.

Create notification message

Incident.ID equals 501 –> Continue – Set User-Defined.notificationMessage =

“License expires in ”

+ Number.ToString (License.RemainingDays)

+ “ days”

The rule is always executed when the criteria of its rule set is matched.
The rule then uses an event to set a user-defined property to a chain of values that make up a message text on the remaining number of days for your license.
The Continue action lets processing continue with the next rule.
Create syslog entry

Always –> Continue – ...

The Create syslog entry rule and other rules in the rule set check the value of the Incident.ID property in the same way as the Create notification message rule and use different events to take measures if this value is 501.
These rules are not enabled by default.

Handle Update Incidents

This nested error handler rule set handles measures taken when an incident occurs that involves the Log File Manager.

Nested error handler rule set – Handle Update Incidents
Criteria – IIncident.OriginName equals “Updater” OR Incident.ID equals 850 OR Incident.ID equals 851 OR Incident.ID equals 940 OR Incident.ID equals 941 OR Incident.ID equals 1050 OR Incident.ID equals 1051 OR Incident.ID equals 1650 OR Incident.ID equals 1651

The rule set criteria specifies that the rule set applies when the update module is specified by the value of the Incident.OriginName property or the value of the Incident.ID property is one of those hat involve the update module.

The rule set contains the following rules.

Create update incident message

Always –> Continue – Set User-Defined.eventMessage =

“Update Event triggered [“

+ Number.ToString (Incident.ID)

+ “]:”

+ Incident.Description

+ “; origin:”

+ Incident.OriginNamey

+ “; severity:”

+ Number.ToString (Incident.Severity)

The rule is always executed when the criteria of its rule set is matched.

The rule then uses an event to set a user-defined property to a chain of values that make up a message text about the update incident. The message includes values for several incident properties.

The Continue action lets processing continue with the next rule.
Create syslog entry

Always –> Continue – ...

The Create syslog entry rule and other rules in the rule set use different events to take measures if the respective rule criteria is matched.
These rules are not enabled by default.

Handle License Incidents

This nested error handler rule set handles measures taken when an incident occurs that involves the expiration date of the license for your appliance.

Nested error handler rule set – Handle License Incidents
Criteria – Incident.ID equals 200

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 200, which indicates that the remaining number of days for your licence has been checked.

The rule set contains the following rules.

Create license incident message

Always –> Continue – Set User-Defined.notificationMessage =

“A log file cannot be pushed. Please have a look at the mwg-logfilemanager errors log (/opt/mwg/log/mwg-errors/mwg-logmanager.errors.log).”

The rule checks whether the value of the Incident.ID property is 501, which indicates that the Log File manager could not push a log file.
If this is the case, the rule uses an event to set a user-defined property for sending a notification message to a string value that is the text of this message.
The Continue action lets processing continue with the next rule.
Create syslog entry

Always –> Continue – ...

The Create syslog entry rule and other rules in the rule set use different events to take measures if the respective rule criteria is matched.
These rules are not enabled by default.

Block on Anti-Malware Errors

This nested error handler rule set blocks access to all web objects when the Anti-Malware module cannot be loaded or is overloaded.

Nested error handler rule set – Block on Anti-Malware Errors
Criteria – Always

The rule set contains the following rules.

Block if Anti-Malware engine cannot be loaded
Error.ID equals 14000 –> Block<Cannot Load Anti-Malware>

The rule blocks access to all web objects when the value of the Error.ID property is 14000, which indicates an error that prevents the Anti-Malware module (also known as engine) from loading.

The action settings specify a message to a requesting user.
Block if Anti-Malware engine is overloaded
Error.ID equals 14001 –> Block<Anti-Malware Engine Overloaded>

The rule blocks access to all web objects when the value of the Error.ID property is 14001, which indicates all connections to the Anti-Malware module (also known as engine) are currently in use and the module is overloaded.

The action settings specify a message to a requesting user.

Block on URL Filter Errors

This nested error handler rule set blocks access to all web objects when the URL Filter module cannot be loaded or another error regarding this module occurs.

Nested error handler rule set – Block on URL Filter Errors
Criteria – Error.ID greater than or equals 15000 AND Error.ID less than or equals 15999

The rule set criteria specifies that the rule set applies when the value of the Error.ID property lies within the specified range, which is the range for errors related to URL filtering.

The rule set contains the following rules.

Block if the URL Filter engine cannot be loaded
Error.ID equals 15000 OR Error.ID equals 15002 OR Error.ID equals 15004 OR Error.ID equals15005 –> Block<Cannot Load URL Filter>
The rule blocks all requests for web access when the value of the Error.ID property is one of those specified in the rule criteria. These values indicate errors that prevent the URL Filter module (also known as engine) from loading.
The action settings specify a message to a requesting user.
Block all other internal URL Filter errors
Always –> Block<Internal URL Filter Error>
The rule is always executed when its rule set applies and the rule preceding it in the rule set has not been executed. The rule then blocks all requests for web access.
The action settings specify a message to a requesting user.

Block on All Errors

This nested error handler rule set blocks access to all web objects when an internal error occurs on the appliance.

Nested error handler rule set – Block on All Errors
Criteria – Always

The rule set contains the following rule.

Always block
Always –> Block<Internal Error>
The rule blocks access to all web objects when an internal error occurs.
The action settings specify a message to a user who requested access.
The rule in this rule set is for handling internal errors on the appliance. It is executed at the time when an internal error occurs, which can, of course, not be predicted and can happen at any time during the filtering process or not at all. In this sense, processing the rule is not part of the normal process flow.
After executing the blocking, the rule stops all further processing of rules for the requests,responses, or embedded objects that were being filtered when the internal error occurred.
This way it is ensured that no malicious or inappropriate web objects enter your network or leave it while the appliance is not fully available.
The process flow continues when the next request is received if the internal error did not lead to a general interruption of the appliance functions.