0 Replies Latest reply on Apr 12, 2017 2:55 PM by jebeling

    Coaching for Uncategorized Sites

    jebeling

      So what to do with uncategorized sites? They are a big, big problem. Best practice is to simply block them all, but that can become an administrative nightmare. If you aren't going to block them, at least subject them to a great deal more scrutiny. That is, turn on certificate verification and SSL scanning if not already on, and crank up the sensitivity on your anti-malware. Another useful option is to warn the user as well, and log all access to uncategorized sites that resulted from "clicking through" the warning. The coaching feature of MWG is great for this, and further modifications make the standard ruleset even better.

       

      Attached is my modification of the standard ruleset. It adds logging and a separate Coaching configuration strictly for uncategorized sites. In case you weren't already aware: if you have multiple categories for coaching with a single configuration, all categories designated for coaching will be allowed for the duration of the coaching session. That is, if my coaching categories are sports, alcohol and gambling and my setting is for two minutes, then after clicking through on sports, I will also be able to go to alcohol and gambling without additional prompts for the next 2 minutes. You can restrict coaching to individual categories, but you would need a ruleset and coaching config for each category. Obviously, given the previously stated warnings about uncategorized sites, we might want to handle them separately.

       

      Two custom logs are created with my ruleset. CoachPresent logs both presentation of the block page and click-through. CoachAccess logs all accesses that were permitted due to the coaching session.

       

      Don't forget that you will need to allow Uncategorized sites and any other categories that you designate for coaching in your base URL filtering policy.

       

      Rule Sets
      Coaching With Uncategorized

      [This ruleset contains rules for coaching for categorized urls, uncategorized urls, user and ip. This ruleset will not be executed if SSL is disabled and a HTTPS request has been done.]

      [✔] Enabled [✘] Disabled in Cloud
      Applies to: [✔] Requests [✘] Responses [✘] Embedded Objects
      1: SSL.ClientContext.IsApplied equals true
      2: OR Command.Name does not equal "CONNECT"
      Coaching With URL Configuration
      [✔] Enabled [✘] Disabled in Cloud
      Applies to: [✔] Requests [✔] Responses [✔] Embedded Objects
      1: URL.Categories<Default> at least one in list URL Category Blocklist for Coaching
      2: OR URL.Host matches in list URL Hosts Blocklist for Coaching°
      3: OR Quota.Coaching.IsActivationRequest.Strict<URL Category Configuration> equals true
      Enabled | Rule | Action | Events | Comments
      [✔] Enabled | Rule: Redirect After Starting New Coaching Session and Write Coaching Present Log
      1: Quota.Coaching.IsActivationRequest equals true
      Action: Redirect<Redirection After Coaching Session Activation>
      Events: Set User-Defined.logLine =
           "Click(Cat\Host):" +
           DateTime.ToWebReporterString +
           " "" +
           Authentication.Realm +
           "\" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories<Default>) +
           "" "" +
           String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           Number.ToString(Block.ID) +
           "" "" +
           Cache.Status +
           "" "" +
           User-Defined.Geolocation +
           """
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Coaching Present Log Config>
      [✘] Disabled | Rule: Write Coaching Present Log
      1: Quota.Coaching.SessionExceeded<URL Category Configuration> equals false
      Action: Stop Rule Set
      Events: Set User-Defined.logLine =
           "Access(Cat\Host):" +
           DateTime.ToWebReporterString +
           " "" +
           Authentication.Realm +
           "\" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories<Default>) +
           "" "" +
           String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           Number.ToString(Block.ID) +
           "" "" +
           Cache.Status +
           "" "" +
           User-Defined.Geolocation +
           """
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Coaching Access Log Config>
      [✔] Enabled | Rule: Check if Coaching Session Has Been Exceeded and Write Coaching Present Log
      1: Quota.Coaching.SessionExceeded<URL Category Configuration> equals true
      Action: Block<ActionCoachingBlocked>
      Events: Set User-Defined.logLine =
           "Present(Cat\Host):" +
           DateTime.ToWebReporterString +
           " "" +
           Authentication.Realm +
           "\" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories<Default>) +
           "" "" +
           String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           Number.ToString(Block.ID) +
           "" "" +
           Cache.Status +
           "" "" +
           User-Defined.Geolocation +
           """
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Coaching Present Log Config>
      Uncategorized Coaching
      [✔] Enabled [✘] Disabled in Cloud
      Applies to: [✔] Requests [✔] Responses [✔] Embedded Objects
      1: Quota.Coaching.IsActivationRequest.Strict<Uncategorized Configuration> equals true
      2: OR URL.Categories<Default> equals Empty Category List°
      Enabled | Rule | Action | Events | Comments
      [✔] Enabled | Rule: Redirect After Starting New Coaching Session and Write Coaching Present Log
      1: Quota.Coaching.IsActivationRequest equals true
      Action: Redirect<Redirection After Coaching Session Activation>
      Events: Set User-Defined.logLine =
           "Click(Uncat):" +
           DateTime.ToWebReporterString +
           " "" +
           Authentication.Realm +
           "\" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories<Default>) +
           "" "" +
           String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           Number.ToString(Block.ID) +
           "" "" +
           Cache.Status +
           "" "" +
           User-Defined.Geolocation +
           """
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Coaching Present Log Config>
      [✔] Enabled | Rule: Write Coaching Present Log
      1: Quota.Coaching.SessionExceeded<Uncategorized Configuration> equals false
      Action: Stop Rule Set
      Events: Set User-Defined.logLine =
           "Access(Uncat):" +
           DateTime.ToWebReporterString +
           " "" +
           Authentication.Realm +
           "\" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories<Default>) +
           "" "" +
           String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           Number.ToString(Block.ID) +
           "" "" +
           Cache.Status +
           "" "" +
           User-Defined.Geolocation +
           """
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Coaching Access Log Config>
      [✔] Enabled | Rule: Block if Coaching Session Exceeded and Write Coaching Present Log
      1: Quota.Coaching.SessionExceeded<Uncategorized Configuration> equals true
      Action: Block<ActionCoachingBlocked>
      Events: Set User-Defined.logLine =
           "Present(Uncat):" +
           DateTime.ToWebReporterString +
           " "" +
           Authentication.Realm +
           "\" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories<Default>) +
           "" "" +
           String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           Number.ToString(Block.ID) +
           "" "" +
           Cache.Status +
           "" "" +
           User-Defined.Geolocation +
           """
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Coaching Present Log Config>
      Coaching With IP Configuration
      [✘] Disabled [✘] Disabled in Cloud
      Applies to: [✔] Requests [✔] Responses [✔] Embedded Objects
      1: Client.IP is in list IP Blocklist for Coaching°
      2: OR Quota.Coaching.IsActivationRequest.Strict<IP Configuration> equals true
      Enabled | Rule | Action | Events | Comments
      [✔] Enabled | Rule: Redirecting After Starting New Coaching Session
      1: Quota.Coaching.IsActivationRequest equals true
      Action: Redirect<Redirection After Coaching Session Activation>
      Comments: This rule redirects the user back to the requested url after the user started a new session by pushing the button in the HTML Session template.
      [✔] Enabled | Rule: Check If Coaching Session Has Been Exceeded
      1: Quota.Coaching.SessionExceeded<IP Configuration> equals true
      Action: Block<ActionCoachingBlocked>
      Comments: This rule shows a block html site for Coaching after the session for Coaching has been exceeded and the ip is in the ip blocklist.
      Coaching With Authenticated User Configuration
      [✘] Disabled [✘] Disabled in Cloud
      Applies to: [✔] Requests [✔] Responses [✔] Embedded Objects
      1: Authentication.RawUserName is in list User Blocklist for Coaching°
      2: OR Quota.Coaching.IsActivationRequest.Strict<Authenticated User Configuration> equals true
      Enabled | Rule | Action | Events | Comments
      [✔] Enabled | Rule: Redirecting After Starting New Coaching Session
      1: Quota.Coaching.IsActivationRequest equals true
      Action: Redirect<Redirection After Coaching Session Activation>
      Comments: This rule redirects the user back to the requested url after the user started a new session by pushing the button in the HTML Session template.
      [✔] Enabled | Rule: Check If Coaching Session Has Been Exceeded
      1: Authentication.UserName is in list User Blocklist for Coaching°
      2: AND Quota.Coaching.SessionExceeded<Authenticated User Configuration> equals true
      Action: Block<ActionCoachingBlocked>
      Comments: This rule shows a block html site for Coaching after the Coaching session has been exceeded and one of the user is in the user blocklist.
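
An added example (not part of the original post or the attached ruleset): a parser for the log lines the rules above assemble, listing which hosts each user reached by clicking through the uncategorized-site warning. The field order follows the logLine expressions; the bracketed timestamp shape and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Field order follows the User-Defined.logLine expressions in the rules above.
# Assumption: DateTime.ToWebReporterString renders as [dd/Mon/yyyy:HH:MM:SS +zzzz].
LINE_RE = re.compile(
    r'^(?P<event>Click|Present|Access)\((?P<scope>Uncat|Cat\\Host)\):'
    r'(?P<ts>\[[^\]]*\]) "(?P<realm>[^"\\]*)\\(?P<user>[^"]*)" '
    r'(?P<ip>\S+) (?P<status>\S+) "(?P<request>[^"]*)" '
    r'"(?P<categories>[^"]*)" "(?P<reputation>[^"]*)" "(?P<media>[^"]*)" '
    r'(?P<size>\S+) "(?P<agent>[^"]*)" "(?P<block_id>[^"]*)" '
    r'"(?P<cache>[^"]*)" "(?P<geo>[^"]*)"$'
)

def parse_line(line):
    """Return the named fields of one coaching log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def request_host(first_line):
    """Extract the destination host from Request.Header.FirstLine."""
    parts = first_line.split()
    if len(parts) < 2:
        return "-"
    if parts[0] == "CONNECT":                      # CONNECT host:port HTTP/1.1
        return parts[1].rsplit(":", 1)[0].lower()
    return urlsplit(parts[1]).hostname or "-"

def clickthroughs(lines):
    """Map realm and user to sorted hosts reached via Click(Uncat); count bad lines."""
    hosts, rejected = defaultdict(set), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1                          # keep malformed lines visible
        elif rec["event"] == "Click" and rec["scope"] == "Uncat":
            hosts[rec["realm"] + "\\" + rec["user"]].add(request_host(rec["request"]))
    return {user: sorted(h) for user, h in hosts.items()}, rejected

# Constructed sample lines (not taken from a real gateway).
SAMPLE = [
    r'Click(Uncat):[12/Apr/2017:14:55:01 +0000] "CORP\alice" 10.0.0.5 - "GET http://new-site.example/index.html HTTP/1.1" "" "-" "" - "Mozilla/5.0" "0" "-" "-"',
    r'Present(Uncat):[12/Apr/2017:14:56:10 +0000] "CORP\bob" 10.0.0.9 - "GET http://unknown.example/ HTTP/1.1" "" "-" "" - "Mozilla/5.0" "0" "-" "-"',
    r'Click(Cat\Host):[12/Apr/2017:14:57:30 +0000] "CORP\alice" 10.0.0.5 - "GET http://sports.example/ HTTP/1.1" "Sports" "Minimal Risk" "" - "Mozilla/5.0" "0" "-" "-"',
    r'Click(Uncat):[12/Apr/2017:15:02:44 +0000] "CORP\alice" 10.0.0.5 - "CONNECT other.example:443 HTTP/1.1" "" "-" "" - "Mozilla/5.0" "0" "-" "-"',
    'truncated line without fields',
]

if __name__ == "__main__":
    print(clickthroughs(SAMPLE))
```
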