This sounds like a daft question but can someone provide an explanation as to what the Default policy is used for (in the scenario below)?
The reason I ask is that there are 6 policies configured on the webgateway (6.9.x) which use webmapping rules. The webmapping rules use Active Directory groups to map to the one of the 6 policies.
(The parameter "group name" extracted from standard (ICAP) header (X-Authenticated-Groups))
There are 5 specific policies that map to 5 specific AD groups (e.g. "unrestricted" policy mapped to AD group "unrestricted internet access")
Should a user not be a member of any of the 5 specfic groups, then they are mapped to the "standard" policy. The rule entry maps policy "Standard" to *.
My understanding is that any user accesses will be logged under one of the 6 policies and this seems to be supported by analysis of the raw log files.
My query is that under Home tab > Traffic Volume, there is traffic for that policy so where is this coming from?
To see why the traffic is not using one of the 6 policies, I have created reports (destinations/ source IP & users) under Reporting > Live Reporting > default policy.
The users reports shows only user-agent strings
The destinations are valid as are the source IPs but if I examine the log files, then the source IPs are using one of the 6 policies...
Can someone explain what I'm missing?
It's hard to visualize what exactly you are describing. The policy mapping has always been challenging to determine the sequence.
One thing that helps me visualize the order of events is built into the list converter tool:
Make a backup of the configuration and see if you can load it into the tool. once it's loaded, there is a policy report icon you can click:
And it will display a sequenced list of policies;
IP map directly IP-Direct-1
Group Name map directly Group-Direct-1
Location: Transparent Authentication (Group)
User Name map directly User-Direct-1
Location: Transparent Authentication (User)
See if this gives you any insigth into the mapping.
Thanks, I've used that a few times but am none the wiser - the default policy is not listed under any of the webmapping rules. I would post an image but it would contain sensitve information - although I can erase the source fields and keep the policy field...
Thank you for your reply. There is no policy defined under the proxy port so according to the help "the policy that was configured for the ICAP server will be used".
When I check the ICAP server settings, I cannot see anywhere that defines a policy.
Don't worry too much about this as I am migrating to V7 anyway. I was just curious as to why there was traffic showing on the policy.
It could just be the authentication requests perhaps. They would not have group information or user information to match on the above rules.
Unless the default dominates your traffic graphs, that theory wouldnt be correct.
Thanks for your answer although I'm not entirely clear as to whether you mean that high default traffic means that they could be auth requests or not?
I've done some very basic/ rough calculations and the default traffic is generally about 2-3% of the 'standard' policy traffic so it's very minimal.