rajjesh
Level 9

Reports showing action allowed to malicious sites while the policies on web gateway are blocked

Dear Team,

As a daily task we generate a report based on the top ten categories, and we were surprised to find that the report contained an "njnj.redirectme.net" entry, which belongs to the Malicious Downloads category.

Then we added the Actions column to the report and found that it was showing Allowed. We then checked the Webwasher category actions and found that the category is blocked for all the policies.

After checking directly in the access.log, we found that the entries for the above website were followed by Trend Micro antivirus. The client is using Trend Micro antivirus.

We also tried accessing the same website directly from the browser of the client for which the action shows Allowed; the site was blocked and showed the right category.

Can someone please let me know what exactly might be going on in the backend?

0 Kudos
3 Replies
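The triage the poster did by hand (pull every access.log entry for the host, see which ones were allowed, and note the client and user agent behind them) is easy to script. The following is an added example, not code from the thread or from McAfee; the log layout it parses is an assumption, since the Web Gateway access log format is defined by your own log rule, and the sample lines are constructed, not real traffic.

```python
"""Find which clients (and which software on them) were ALLOWed to a host
that policy is supposed to block.  Added example; the log layout below is
an assumption (MWG access.log fields are configurable), so adapt LINE_RE
to match your log rule before running it on real data."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access.log lines (not real traffic).  Assumed layout:
# [timestamp] client_ip user "METHOD URL" status "category" action "user-agent"
SAMPLE_LOG = """\
[15/Oct/2013:08:55:01 +0000] 10.0.0.21 alice "GET http://njnj.redirectme.net/dl/x.exe" 403 "Malicious Downloads" BLOCK "Mozilla/5.0 (Windows NT 6.1)"
[15/Oct/2013:08:55:09 +0000] 10.0.0.42 - "GET http://njnj.redirectme.net/dl/x.exe" 200 "Malicious Downloads" ALLOW "TrendMicro-AU/1.0"
[15/Oct/2013:08:56:30 +0000] 10.0.0.42 - "GET http://njnj.redirectme.net/dl/y.exe" 200 "Malicious Downloads" ALLOW "TrendMicro-AU/1.0"
[15/Oct/2013:08:57:00 +0000] 10.0.0.23 bob "GET http://www.example.com/" 200 "Business" ALLOW "Mozilla/5.0 (Windows NT 6.1)"
[15/Oct/2013:09:01:19 +0000] 10.0.0.21 alice "GET http://njnj.redirectme.net/" 403 "Malicious Downloads" BLOCK "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+)" (?P<status>\d{3}) '
    r'"(?P<category>[^"]*)" (?P<action>\S+) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed line.  Lines that do not match the
    assumed layout are skipped so one odd line does not abort the triage."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = urlsplit(rec["url"]).hostname or ""
        yield rec


def allowed_hits(text, host):
    """All records for `host` whose logged action is ALLOW."""
    return [r for r in parse_log(text)
            if r["host"] == host and r["action"] == "ALLOW"]


def by_client_and_agent(records):
    """Count ALLOW records per (client IP, User-Agent).  If every allowed hit
    comes from one IP/agent pair, the thing to trace is that client (or the
    software on it, such as an AV updater), not a policy-wide gap."""
    return Counter((r["ip"], r["ua"]) for r in records)


if __name__ == "__main__":
    hits = allowed_hits(SAMPLE_LOG, "njnj.redirectme.net")
    for (ip, ua), n in by_client_and_agent(hits).most_common():
        print(f"{n:3d}  {ip:<15}  {ua}")
```

On the constructed sample the only allowed hits for njnj.redirectme.net come from 10.0.0.42 with a Trend Micro user agent, which is exactly the pattern the poster describes: the next step is a rule trace scoped to that client IP rather than to the site alone.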
andyclements
Level 12

Re: Reports showing action allowed to malicious sites while the policies on web gateway are blocked

Can you do a rule engine trace for that site? There is nothing happening in the backend that your rules don't tell it to do; we just need to find out what the rules are saying.

You will need to enable the trace. This should be at the top of your rule sets, and it is generally best to have it specific to the site or user in question.

[Attached screenshot: ruletrace.png]

There is an article about how to use them (7.3.2 and later) here.  Before that version, you need to manually read through the XML output.

0 Kudos
Regis
Level 12

Re: Reports showing action allowed to malicious sites while the policies on web gateway are blocked

In 7.3.2 and later, I'm led to believe that it's even more fun than that... I don't think you need to touch the policy to do a rule trace (which is really nice). Or did I hear that incorrectly?

on 10/15/13 9:01:19 AM CDT
0 Kudos
sroering
Level 13

Re: Reports showing action allowed to malicious sites while the policies on web gateway are blocked

You are correct, the new rule engine tracing doesn't need to modify policy. You just enter the IP address of the client you want to trace. 

0 Kudos