Use rule tracing to find out why a request was blocked

When a web access request sent from a client of Web Gateway has been blocked, you can use rule tracing to find the rule that blocked the request and the reason why it was blocked.

This is a sample procedure that describes one of several ways to use rule tracing for recording and analyzing rule processing on Web Gateway.

Task

  1. Select Troubleshooting and on the appliances tree, select Rule Tracing Central.
    The rule tracing panes appear.
  2. Create rule traces.
    1. In the traces pane, leave the name of the current appliance as it appears in the appliance names field.
      In this sample procedure, you perform rule tracing for requests that were processed on this appliance.
    2. In the client IP address field, enter the IP address of the client that sent the request you want to do rule tracing for.
    3. Click Go.
      Rule traces for the latest requests received from the client are created. When trace creation is completed, entries for the traces appear in the traces field.
  3. Filter the rule traces.
    1. In the time and URL filtering field, enter the URL that was sent with the blocked request.

      The rule traces are filtered to show only entries for traces that were performed for requests to access a web object with this URL.

      Let us assume that a request with this URL was only submitted once by the client in question. This would mean only one entry is shown as the filtering result.

    2. Select the entry.
      Detailed information from the trace that recorded rule processing for the request with this URL is shown in the rules and details panes.
  4. Review a rule trace.
    1. Review the tracing information in the rules pane.

      The rules that were processed to deal with the request are shown with their rule sets.

      The rule that blocked the request is selected and marked by a red arrow. If the arrow points to the right, the rule blocked the request in the request cycle. If the arrow points to the left, it was in the response cycle.

    2. Review the tracing information in the details pane.
      • The cycle in which the rule blocked the request, the name of the rule, its criteria, action, and event are shown.

        The criteria is marked with a grey hook (check mark), which means it has matched.

      • Under Evaluated in the field below the criteria with the hook, the criteria is repeated.

        Under Value in the same field the value is shown that the property had at the time when the criteria matched and the rule blocked the request.

      Let us assume that, for example, the details pane shows the following details for the rule that blocked the request.

      • Cycle — Response
      • Rule name — Block if virus was found
      • Criteria — Antimalware.Infected<Gateway Anti-Malware> equals true
      • Evaluated — Antimalware.Infected equals true, Value — true
      • Action — Block<Virus found>
      • Event — Statistics.Counter.Increment<Default>("BlockedByAntiMalware", 1)

Results

This means that rule tracing showed the request was blocked because the requested object was found to be infected by a virus or other malware.

The blocking action was performed by a virus and malware filtering rule, which was processed in the response cycle, that is, after the object had been received from the web server in response to the request. This is why the rule could not have matched in the request cycle: the content that the criteria depends on did not exist yet.

The criteria of this rule includes the Antimalware.Infected property. To determine the value of this property, the Anti-Malware engine on Web Gateway was called. It scanned the requested web object and detected an infection, so the property was set to true, the rule criteria matched, and the Block action stopped further rule processing for this request.
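The following Python program is an added example and is not Web Gateway code, nor does it reproduce the product's trace file format. It is a constructed model of the mechanism the procedure and results describe: rules grouped in rule sets, processed in a request cycle and then a response cycle; criteria over properties whose values are computed only when a rule asks for them (the anti-malware scan stands in for the engine call); a Block action that ends processing; and a trace that records, per rule, the cycle, the evaluated criteria and the property value, so that the blocking rule can be looked up the way the details pane shows it. All class and function names, the "URL Filtering" rule set and its blocklist, the client IP addresses, URLs and the EICAR test payload are assumptions made for the example; only the "Block if virus was found" rule with its criteria, action and event is modelled on the sample in the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed test payload: the EICAR test string stands in for infected content.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BLOCKED_HOSTS = {"malware.example.test"}  # assumed URL blocklist for the example


@dataclass
class Transaction:
    client_ip: str
    url: str
    body: bytes = b""                          # web object, available only in the response cycle
    props: dict = field(default_factory=dict)  # property values computed so far
    scans: int = 0                             # how often the scanner stand-in was called


# Property resolvers: a value is computed only when a rule criteria asks for it.
def _antimalware_infected(tx: Transaction) -> bool:
    tx.scans += 1                              # stand-in for calling the Anti-Malware engine
    return EICAR in tx.body


def _url_host(tx: Transaction) -> str:
    return tx.url.split("/")[2]


PROPERTIES = {
    "Antimalware.Infected": _antimalware_infected,
    "URL.Host": _url_host,
}

OPERATORS = {
    "equals": lambda value, expected: value == expected,
    "is in list": lambda value, expected: value in expected,
}


def get_property(tx: Transaction, name: str):
    """Lazy evaluation with caching, as a rule engine would do it."""
    if name not in tx.props:
        tx.props[name] = PROPERTIES[name](tx)
    return tx.props[name]


@dataclass
class Rule:
    name: str
    prop: str                   # property the criteria evaluates
    expected: object            # criteria: <prop> <op> <expected>
    action: str                 # "Block<...>" stops processing; anything else continues
    event: Optional[str] = None
    op: str = "equals"


@dataclass
class RuleSet:
    name: str
    cycle: str                  # "Request" or "Response"
    rules: list


RULE_SETS = [
    RuleSet("URL Filtering", "Request", [
        Rule("Block URLs in blocklist", "URL.Host", BLOCKED_HOSTS,
             "Block<URL blocked>", op="is in list"),
    ]),
    RuleSet("Gateway Anti-Malware", "Response", [
        Rule("Block if virus was found", "Antimalware.Infected", True,
             "Block<Virus found>",
             event='Statistics.Counter.Increment<Default>("BlockedByAntiMalware", 1)'),
    ]),
]


def run_cycle(tx: Transaction, rule_sets, cycle: str, trace: list) -> bool:
    """Evaluate all rule sets of one cycle; return True as soon as a rule blocks."""
    for rs in (r for r in rule_sets if r.cycle == cycle):
        for rule in rs.rules:
            value = get_property(tx, rule.prop)
            matched = OPERATORS[rule.op](value, rule.expected)
            trace.append({
                "cycle": cycle, "rule_set": rs.name, "rule": rule.name,
                "criteria": f"{rule.prop} {rule.op} {rule.expected!r}",
                "value": value, "matched": matched,
                "action": rule.action if matched else None,
                "event": rule.event if matched else None,
            })
            if matched and rule.action.startswith("Block"):
                return True
    return False


def process(tx: Transaction, rule_sets=RULE_SETS) -> list:
    """Return the rule trace for one transaction (request, then response cycle)."""
    trace = []
    if run_cycle(tx, rule_sets, "Request", trace):
        return trace                      # blocked before any web object was fetched
    run_cycle(tx, rule_sets, "Response", trace)
    return trace


def find_blocking_rule(trace: list):
    """The entry a details pane would show: cycle, rule, criteria, value, action, event."""
    return next((e for e in trace if e["action"] and e["action"].startswith("Block")), None)


def filter_traces(traces: dict, client_ip: str, url: str) -> dict:
    """Steps 2 and 3 of the procedure: narrow the trace list by client IP and URL."""
    return {k: v for k, v in traces.items() if k[0] == client_ip and k[1] == url}
```

Run on a transaction whose body carries the EICAR string, the trace ends with an entry for "Block if virus was found" in the Response cycle with value True, and the scanner stand-in was called exactly once. A request to a blocklisted host is blocked in the Request cycle and the scanner is never called, which is the practical reason the arrow direction and the cycle field matter when reading a trace.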