6 Replies Latest reply on Aug 14, 2012 8:31 AM by ittech

    Tracking Overrides in Web Reporter

    ittech

      Is there any way to track what sites or even just categories a user visits after an override occurs?

       

      Haven't upgraded to 7.2 yet, still on 7.1.5.1

       

      Please forgive me if this has already been asked.

        • 1. Re: Tracking Overrides in Web Reporter
          ittech

          I suppose a better question would be this:

           

          What event will make the Override or Bypass counters increase in the Web Reporter?

           

          override.png

          • 2. Re: Tracking Overrides in Web Reporter
            sroering

            First of all, Web Reporter only has logic to map Web Gateway logs into allow or block.  By default all requests are assumed allowed; there are a few conditions (HTTP Status and/or block_res) that will cause requests to show as blocks.

             

            For overrides, there are several requests sent by the user.

            1) Initial request, the likely response is HTTP 407 auth redirect

            2) Authentication complete and second request. This will be a block which displays the override block page

            3) Override is accepted and request is finally allowed.

             

             

            Web Reporter filters the 407 so we don't double-log those requests.

            The override page should show as a block in your reports

            The last request would show as allowed.

             

            Probably the best way to report on overrides is to use a custom block_res on the 3rd leg, log block_res a second time under a new header such as "custom_block_res", then map that column into a user defined column on your log source.  You can even use the custom rules in Web Reporter to map the block codes to a human friendly value.  The reason for double-logging the block_res is that block_res is a special case on the log parser and isn't available for custom columns.  If you just rename your existing block_res, then your blocks won't show correctly.  So the solution is to double log.

             

            I hope this makes sense.  Perhaps Elsasser or some of the people more familiar with block codes can elaborate some good methods to get the right codes logged at the right time.

            • 3. Re: Tracking Overrides in Web Reporter
              ittech

              Here's what I have done.

              override.png

              Basically, in the MWG7 I've inserted a rule between the redirect and verification of if the override has expired. If my thinking is correct, every time it verifies to see if the override time has expired, my new rule will up the counter in the events by 1. Instead of 'BlockedbyURL' I changed the string into 'AllowedByOverride'.

               

              In the Web Reporter can I replace the 'AllowedByOverride' with something so that it can show as the Bypass or Override like in the image from my previous post?

              • 4. Re: Tracking Overrides in Web Reporter
                sroering

                As I said, the log parser for Web Reporter doesn't have the ability to map data into anything other than block or allow.  There is nothing you can do to get the traffic to map into any other action.  The only option is to use user defined columns in Web Reporter.  Since block_res isn't available to user defined columns, you need to double-log it under a custom header name.  If you want to use something other than block_res values, such as policy names, etc., there is no difference in the Web Reporter configuration.

                 

                I submitted a feature modification request with engineering asking to reserve and document block_res codes for each of the actions so that you would have the flexibility to have your report actions be anything you want.  I cannot promise that it would be implemented, but I'll see how convincing I can be. Seems like a pretty simple change to me.
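
An added example, not part of the thread and not Web Gateway or Web Reporter code: a stand-alone report over a constructed log that applies the three-request flow and the double-logged `custom_block_res` column described in the replies above, and lists the URLs each user reached through an override. The CSV layout, the column names other than `block_res` and `custom_block_res`, the value `0` meaning "not blocked", and the codes `10` and `900` are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (assumed layout). custom_block_res is the second
# copy of block_res; 10 = blocked by URL filter, 900 = allowed by override.
SAMPLE_LOG = """\
user,status,block_res,custom_block_res,url
alice,407,0,0,http://games.example/
alice,403,10,10,http://games.example/
alice,200,900,900,http://games.example/
alice,200,900,900,http://games.example/play
bob,407,0,0,http://news.example/
bob,200,0,0,http://news.example/
bob,403,10,10,http://games.example/
"""

OVERRIDE_CODE = "900"  # hypothetical code set by the rule on the third leg

def classify(row):
    """Return None for filtered rows, else 'override', 'block' or 'allow'."""
    if row["status"] == "407":
        return None  # auth leg: dropped so the request is not counted twice
    code = row["custom_block_res"]
    if code == OVERRIDE_CODE:
        return "override"  # allowed only because the user accepted the override
    if code != "0":
        return "block"  # includes the leg that displays the override page
    return "allow"

def report(log_text):
    """Count actions per user and collect URLs reached through an override."""
    counts = defaultdict(lambda: defaultdict(int))
    override_urls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        action = classify(row)
        if action is None:
            continue
        counts[row["user"]][action] += 1
        if action == "override":
            override_urls[row["user"]].append(row["url"])
    return counts, override_urls

if __name__ == "__main__":
    counts, urls = report(SAMPLE_LOG)
    for user in sorted(counts):
        print(user, dict(counts[user]), urls.get(user, []))
```
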

                • 5. Re: Tracking Overrides in Web Reporter
                  ittech

                  BTW - Thanks for helping me out, this is definitely a little over my head.

                   

                  Where or how would I set up the "block_res a second time under a new header such as "custom_block_res", then map that column into a user defined column on your log source" scenario?

                  • 6. Re: Tracking Overrides in Web Reporter
                    ittech

                    Thanks for this, too!

                     

                    "I submitted a feature modification request with engineering asking to reserve and document block_res codes for each of the actions so that you would have the flexibility to have your report actions be anything you want. I cannot promise that it would be implemented, but I'll see how convincing I can be. Seems like a pretty simple change to me."

                     

                    If they can't or won't, though, maybe they can just remove the Warn, Monitor, Bypass, and Override graphics to keep people like me from getting ideas, lol