Solution
X-Ray Rules are policy rules that will not affect the way the policy behaves, but will provide data if the rule is matched.
The data that will be provided can be used in two different ways:
Logging according to logging policy. Although not actually blocking or allowing, the logging policy is matched the same as a regular rule.
- Directly to the user’s browser, in the form of two HTTP headers:
- X-Response-Info: This header will list a sequence of Rule behavior that matched
- X-Response-Desc: This header will list the End-User Message selected for the matching rules.
NOTE: Since X-Ray rules do not skip the rest of the policy when matched, it is typical to get more than one Rule Behavior in the X-Response-Info header.
All the values listed in both headers are matched by order.
So whenever you want to check a new Rule, to see if it will behave the way you intend it to, run in X-Ray mode and start checking the logs to see how users would be affected.
Or alternatively,you can test it yourself with an HTTP/LAN traffic analyzer like (for example, Wireshark, HTTPFox addon for Firefox or Fiddler2).
With an HTTP traffic analyzer you can examine the response headers and understand in real-time how the policy is affecting browsing through the page you are currently browsing to.
A simple example using HTTPFox add-on for Firefox
Given a simple policy with 2 X-Ray rules:
- Block Known Viruses
- X-Ray: Checked
- Action: Block
- End-User Message: Virus Detected
- Condition: Anti-Virus
- Block All URL Categorization Categories
- X-Ray: Checked
- Action: Block
- End-User Message: Blocked URL Category
- Condition: URL Filtering
- Everything but… – nothing checked
Example Screenshot
Install HTTPFox in Firefox, restart Firefox and open it (click the small icon on the status bar):
Clear all browser local data: Cache, Cookies, Offline Website Data and Authenticated Sessions. (In FF3 go to Tools -> Clear Private Data… or hit the Ctrl+Shift+Del key combination)
NOTE: Make sure Firefox is browsing through the Finjan Scanner(s).
In HTTPFox click Start to start recording, and now browse to a URL you would like to check the policy’s behavior.
When you check the first HTTP Request (and any other request after that) you’ll see two HTTP headers, which come from the Finjan Scanner.
For each keyword in X-Response-Info you have a phrase taken from the End-User Messages in X-Response-Desc.
In this example www.google.com returned the following:
X-Response-Info: Blocked
X-Response-Desc: Forbidden URL. URL Category is Search Engines. Transaction ID is …..
That’s how it works. But then the obvious question pops up: How can this help you - the security administrator?
X-Ray rules and Troubleshooting Security Policies
A typical troubleshooting scenario that this technique could help you with is whenever you are not sure if a rule is being matched as it should.
Create a duplicate rule for the rule you want to troubleshoot at the top of the rule list, mark it as X-Ray, and assign it to the Blocked behavior.
NOTE: It must be set to the Blocked behavior since, only Block shows an End-User Message.
Now using an HTTP analyzer browse through the scanner and see if the rule is matched, and what is displayed in the End-User Message.
You can also create a customized End-User Message that contains relevant information for your troubleshooting.
In Conclusion
This article introduced you to the power behind X-Ray "magic". A feature that is not only a “dormant” off-line analysis tool, but a real-world real-time troubleshooting accessory that can give you great insight, even while under pressure.
