How To Use X-Ray Rules To Troubleshoot The Security Policy


  • Description

    How To Use X-Ray Rules to Troubleshoot The Security Policy


  • Symptoms

    Since making changes to a security policy can affect all of your users, blocking an important page in a production environment could bring the "wrath of the people" starting from the office secretaries to the big bosses themselfs.

    By understanding the mechanism introduced by X-Ray Rules, you - the system administrator - can fine-tune the policy and test it without affecting the user experience.


  • Cause

  • Solution

    X-Ray Rules are policy rules that will not affect the way the policy behaves, but will provide data if the rule is matched.
    The data that will be provided can be used in two different ways:

    Logging according to logging policy. Although not actually blocking or allowing, the logging policy is matched the same as a regular rule.

      1. Directly to the user’s browser, in the form of two HTTP headers:
        • X-Response-Info: This header will list a sequence of Rule behavior that matched
        • X-Response-Desc: This header will list the End-User Message selected for the matching rules.

    NOTE: Since X-Ray rules do not skip the rest of the policy when matched, it is typical to get more than one Rule Behavior in the X-Response-Info header.
    All the values listed in both headers are matched by order.

    So whenever you want to check a new Rule, to see if it will behave the way you intend it to, run in X-Ray mode and start checking the logs to see how users would be affected.

    Or alternatively,you can test it yourself with an HTTP/LAN traffic analyzer like (for example, Wireshark, HTTPFox addon for Firefox or Fiddler2).

    With an HTTP traffic analyzer you can examine the response headers and understand in real-time how the policy is affecting browsing through the page you are currently browsing to.

    A simple example using HTTPFox add-on for Firefox

    Given a simple policy with 2 X-Ray rules:

    • Block Known Viruses
      • X-Ray: Checked
      • Action: Block
      • End-User Message: Virus Detected
      • Condition: Anti-Virus
        • Virus Detected: Checked
    • Block All URL Categorization Categories
      • X-Ray: Checked
      • Action: Block
      • End-User Message: Blocked URL Category
      • Condition: URL Filtering
        • Everything but… – nothing checked


    Example Screenshot

    Install HTTPFox in Firefox, restart Firefox and open it (click the small icon on the status bar):

    Clear all browser local data: Cache, Cookies, Offline Website Data and Authenticated Sessions. (In FF3 go to Tools -> Clear Private Data… or hit the Ctrl+Shift+Del key combination)

    NOTE: Make sure Firefox is browsing through the Finjan Scanner(s).

    In HTTPFox click Start to start recording, and now browse to a URL you would like to check the policy’s behavior.

    When you check the first HTTP Request (and any other request after that) you’ll see two HTTP headers, which come from the Finjan Scanner.

    For each keyword in X-Response-Info you have a phrase taken from the End-User Messages in X-Response-Desc.

    In this example www.google.com returned the following:

    X-Response-Info: Blocked
    X-Response-Desc: Forbidden URL. URL Category is Search Engines. Transaction ID is …..

    That’s how it works. But then the obvious question pops up: How can this help you - the security administrator?

    X-Ray rules and Troubleshooting Security Policies

    A typical troubleshooting scenario that this technique could help you with is whenever you are not sure if a rule is being matched as it should.

    Create a duplicate rule for the rule you want to troubleshoot at the top of the rule list, mark it as X-Ray, and assign it to the Blocked behavior.

    NOTE: It must be set to the Blocked behavior since, only Block shows an End-User Message.

    Now using an HTTP analyzer browse through the scanner and see if the rule is matched, and what is displayed in the End-User Message.

    You can also create a customized End-User Message that contains relevant information for your troubleshooting.

    In Conclusion

    This article introduced you to the power behind X-Ray "magic". A feature that is not only a “dormant” off-line analysis tool, but a real-world real-time troubleshooting accessory that can give you great insight, even while under pressure.


  • Software Version
    8.4.6
    8.5.0
    9.0
    9.2

  • This article applies to:
    NG 1000
    NG 5000
    NG 6000
    NG 8000
    This article was previously published as:
    Finjan KB 1812

    Last Modified 3/23/2009.
    https://support.trustwave.com/kb/KnowledgebaseArticle13554.aspx