As a daily task we generated a daily report based upon the top ten categories, and were surprised to find that the report contained an "njnj.redirectme.net" entry, which belongs to the Malicious Downloads category.
Then we added the actions column to the report and found that it was showing allowed. We then checked the Webwasher category actions and found that the category is blocked for all the policies.
After checking directly in the access.log, we found that the entries for the above website were followed by Trend Micro antivirus. The client is using Trend Micro antivirus.
We also tried accessing the same website directly from the client browser for which it is showing allowed in the action; the site got blocked and showed the right category.
Can someone please let me know what exactly might be going on in the backend?
Can you do a rule engine trace for that site? There is nothing happening in the backend that your rules don't tell it to do, we just need to find out what the rules are saying.
You will need to enable the trace. This should be at the top of your rule sets, and it is generally best to have it specific to the site or user in question.
There is an article about how to use them (7.3.2 and later) here. Before that version, you need to manually read through the XML output.
In 7.3.2 and later, I'm led to believe that it's even more fun than that... I don't think you need to touch the policy to do a rule trace (which is really nice). Or did I hear that incorrectly?
on 10/15/13 9:01:19 AM CDT
You are correct, the new rule engine tracing doesn't require modifying the policy. You just enter the IP address of the client you want to trace.