6.9 Understanding Rule Actions

Each WebMarshal Rule includes one or more actions. Not all actions are available for all WebMarshal Rule types.

6.9.1 Rule Actions

The complete list of actions includes:

Permit Access

Permit Access after displaying Warning Page

Permit access and inspect content

Permit access and do not inspect content

Block the connection and return a 503 service unavailable return code.

Block Access and display blocked page

Display Warning page once per period and continue processing rules

Strip cookies from this site

Rewrite headers

Classify the domain as classification

Classify the file as classification

Add the User to User Group

Add the URL to a Category

Send a notification to the administrator

Exclude the request from reporting (do not log browsing)

Apply Quota to the user

Stop processing quota rules.

Skip any remaining rules in this container

6.9.1.1 Permit access

The web page, download, or upload is delivered.

6.9.1.2 Permit access after displaying warning page

WebMarshal displays a Notification Page in the user’s browser. The page asks the user to accept a note or warning. If the user accepts, the original web page, download, or upload will be delivered.

Click Warning Page to open the Select Web Page window.

1.Select a web page to display from the list

2.Click OK to return to the parent Wizard.

You can create custom notification pages. See “Notifying Users with Notification Pages”.

6.9.1.3 Permit access and inspect content

This action is available in Connection rules and HTTPS rules. When this action applies, WebMarshal continues processing the web page, download, or upload. Quota, Standard, and Content Analysis rules are evaluated.

Tip 

Tip: Use of this action in Connection rules is intended to support inspection of WebSocket content.

 

6.9.1.4 Permit access and do not inspect content

This action is available in Connection rules and HTTPS rules. When this action applies, WebMarshal delivers the web page, download, or upload. Quota, Standard and Content Analysis rules are not applied.

6.9.1.5 Block Access and display blocked page

The web page, download, or upload is not delivered. A WebMarshal Notification Page is shown instead.

Click Blocked Page to open the Select Web Page window.

console-rule-display2.PNG 

1.Select a web page to display from the list

2.Click OK to return to the parent Wizard.

For rules with a malware scanning action, you can choose a second notification page used for aborted downloads. This page only displays if WebMarshal begins to return the download and then stops it due to a rule condition. The “aborted” page is shown the next time the user makes a web request. To choose the page that will be shown, in the rule description (lower pane) click File Aborted Page and select a web page to show for aborted downloads, using the Select Web Page window as above.

6.9.1.6 Block the connection and return a 503 service unavailable return code

When this action is selected, WebMarshal will return a 503 Service Unavailable HTTP response, and the web request will be terminated. This action is available in Connection Rules. Typically it would be used if you do not want to allow an Instant Messaging, Streaming Media, or WebSocket application to connect through WebMarshal.

6.9.1.7 Display warning page once per period and continue processing rules

If this rule has not been triggered for this user during the time configured, a WebMarshal Notification Page is displayed in the user’s browser.

Click Warning Page to open the Select Web Page window.

console-rule-display.PNG 

1.Select a web page to display from the list.

2.Select the period during which this Rule action will not display the page again. Available periods include the current browsing session, day, week, or month.

3.Click OK to return to the parent Wizard.

The user will be asked to accept a note or warning. If the user accepts, the original web page, download, or upload will be delivered to the user. After the user accepts, this action will not display this warning page again for the period selected.

6.9.1.8 Strip cookies from this site

HTTP cookies returned with the response are removed.

Information 

Note: This action is only effective for responses (setting of cookies by server-side action). WebMarshal does not currently block cookies sent with a request. WebMarshal cannot block cookies set on the client by JavaScript or other client side action.

 

6.9.1.9 Rewrite headers

One or more HTTP headers are added, deleted, replaced, or modified using Regular Expressions. Header rewriting can apply to request headers (sent by the client), response headers (sent by the server), or both.

Information 

Notes:

Header rewriting is not available for HTTPS CONNECT.

Header rewriting is not available for response headers in the Websocket protocol.

Some rule conditions do not affect request header rewriting, because the required information is not available at the time this action is applied. See Help for details.

 

Click headers to open the Rewrite Headers window.

console-rule-headerrewrite.png 

To begin choosing headers for rewriting, click Add. On the Add Item window, select the header name and define the action to perform.

 editheader.png

To change or remove the header rewriting actions, on the Rule Action window select an item and then click Edit or Delete. For more information, see Help.

6.9.1.10 Classify the domain as classification

A Domain Classification is logged in the WebMarshal database (if database logging is enabled). This record shows that the user browsed to a URL which met the Rule conditions. For instance the URL could be in a specific category, or it could be a page with content matching a TextCensor script.

Select one or more Domain classifications for this request by checking the boxes in the Select Logging Classification window.

console-rule-classifydomain.PNG 

To create a new classification, click New. To review and edit an existing classification, click Properties.

For more information about adding and editing classifications, see “Logging Activity with Classifications”.

6.9.1.11 Classify the file as classification

A File Classification is logged in the WebMarshal database (if database logging is enabled). This record shows that the user uploaded or downloaded a file which met the Rule conditions. For instance the file could be large or could contain a virus. A file classification applies to a specific upload or download request.

Select one or more File Classifications for this request by checking the boxes in the Select Logging Classification window.

To create a new classification, click New. To review and edit an existing classification, click Properties.

For more information about adding and editing classifications, see “Logging Activity with Classifications”.

6.9.1.12 Add the user to a user group

The user who triggered a Rule is added into one or more WebMarshal Groups.

Select an existing WebMarshal Group or new WebMarshal Group using the Select User Groups window.

Information 

Note: You can use this action to place users who attempt to access banned sites into a “watch” group.

 

To create a new group, click New. To review and edit an existing group, click Properties. See “User Management” for more information on User Groups.

6.9.1.13 Add the URL to a category

The URL domain or path of a request is added to a WebMarshal URL category. For instance, if a URL triggered an offensive language TextCensor script, you may want to add the URL to a permanent block list.

1.Click Category to open the Select URL Categories window.

console-rule-addurltocategory.PNG 

2.Choose one or more categories into which this site should be placed by checking the boxes.

3.To create a new category, click New. To review and edit an existing category, click Properties. See “Understanding URL Categories” for more information on URL categories.

4.Click URL to choose whether to add the entire domain, or only the subdomain (path) to the category.

Information 

Note: You cannot add filename or query string parts automatically. You can add URLs containing these parts manually. See “Adding URLs to a URL Category”.

 

console-rule-addurlorpath.PNG 

6.9.1.14 Send a notification to the administrator

A notification email is sent to the administrator email address as configured on the Email Notifications page of Global Settings.

Information 

Note: You should be selective in applying this action. If you apply it for content block actions, the administrator will receive a large number of email messages.

 

6.9.1.15 Exclude the request from reporting

Any request that matches the rule conditions is completely exempted from logging (including aggregate browsing time and bandwidth records).

For instance, you can use this action:

With a User Matching condition to allow unmonitored Web access for the corporate executive group.

With a URL Category condition to allow unmonitored access for all users to a company extranet site.

Information 

Note: A typical site visit includes requests for many files of many different types. Therefore, if you use this action with content analysis or file type rule conditions, it is likely that traces of user activity will be logged. Also, where HTTPS content is not processed by Content Analysis rules an exclusion might not apply.

To completely exclude a site visit from logging, Trustwave recommends you use this action in a Standard rule with User Matching or URL conditions.

This action functions differently from the “exclude the site from reporting” action in earlier versions of WebMarshal.

 

6.9.1.16 Apply quota to user

A time or volume browsing quota is applied to the user. Select one or more quotas from the Apply Quotas to User window.

console-rule-quota.PNG 

To create a new quota, in the window click New to start the Quota Wizard. To review and edit an existing quota, click Properties. For more information on Quotas and the New Quota Wizard, see “Configuring Access Using Quotas”.

6.9.1.17 Stop processing quota rules

Any Quota rules that would be evaluated after this rule are not evaluated. The intended user of this action is to avoid charging a browsing action against more than one quota.

6.9.1.18 Skip any remaining rules in this container

Any additional rules in the container (or in sub-containers) are not evaluated. This action allows conditional checking of groups of rules.

WebMarshal User Guide October 2023
< Previous Section   |   Next Section >
Full document: see WebMarshal Documentation.