6.5 Understanding Rule Types

WebMarshal rules are divided into five types: Connection Rules, HTTPS Rules, Quota Rules, Standard (Site) Rules, and Content Analysis Rules. Within each type you can create Rules and Rule Containers.


Note: Rule Containers allow you to set a single group of conditions for several rules. For instance, you can have one Quota Rule container for rules that apply on weekends, and another Quota Rule container for rules that apply on weekdays. A Rule Container can include any of the conditions that are available for the rule type.


6.5.1 Connection Rules

Connection Rules are evaluated when WebMarshal receives a request from a user. Connection Rules allow you to implement policy-based control of HTTP connections from many Instant Messaging and Streaming Media applications such as Windows Live Messenger or Real Media, as well as the WebSocket protocol.


Note: For Connection Rules to be effective, you must ensure that other ports used by these applications are blocked at the firewall. For more information, see Trustwave Knowledge Base article Q12021.

Before you can use Connection Rules, you must enable this functionality in the WebMarshal Global Settings. For more information, see “Configuring Connection Rule Processing”.


6.5.2 HTTPS Rules

HTTPS rules are evaluated when a user connects to a website that uses HTTPS (Secure HTTP). HTTPS Rules allow you to implement policy based on the encryption protocol and the security certificate used. HTTPS Rules also allow you to scan the content of selected HTTPS traffic. HTTPS traffic to be scanned is decrypted, and then re-encrypted for transfer to the destination.


Note: Before you can use HTTPS rules, you must configure the HTTPS functionality. See “Configuring HTTPS Content Inspection”.

When HTTPS rules are enabled, content is always secured when transmitted over the network.

HTTPS traffic that does not match a rule requiring scanning is not decrypted.


6.5.3 Quota Rules

Quota rules are evaluated when WebMarshal receives a request for a Web resource from a browser session, and if necessary after the response has been returned from the Web. These rules allow users specific amounts of web browsing time and/or volume for a period such as a day or week. Quota rules can have conditions based on time of day or day of the week, file type, URL category, and the protocol or application. For information about managing Quotas, see “Configuring Access Using Quotas”. For a full list of conditions and actions, see Help for the Quota Rules window in the WebMarshal Console.

6.5.4 Standard Rules

Standard rules are evaluated when WebMarshal receives a request from a browser session. Standard rules allow you to permit or deny access to URL categories by user groups. Standard rules also allow you to match or rewrite the headers of a web request or response.

Standard rules can have conditions based on time of day or day of the week, file name, file type, presence of cookies, and the request direction (upload or download).

Depending on the outcome of rule evaluation, WebMarshal can permit or deny access to the resource, and optionally require the user to acknowledge a warning.


Note: WebMarshal only grants access by explicit Standard rules. The default action is to block access. If your organizational policy is to allow most requests, you should set up a permissive Standard rule that is evaluated last. The WebMarshal default rules include rules that accomplish this.


6.5.5 Content Analysis Rules

Content Analysis rules are evaluated when WebMarshal receives the content of the Web request. This type of rule allows you to base policy on the actual results of a specific request, including new or dynamically generated files.

Some Content Analysis rules require WebMarshal to fully scan the response files before returning them to the user. If you configure complex rules and scripts, the user may experience a delay during scanning. To minimize the delay, in most cases a TextCensor rule that blocks a request should also add the URL to a category. WebMarshal can then block future requests for that URL quickly with a Standard rule.

To reduce the delay due to processing, in some cases WebMarshal begins to return a file to the user. A small part of the file is held back from the user until WebMarshal has completely received and processed the file. If the page triggers the rule, the download is aborted. For information about configuring this feature, see “Configuring Download Options”.
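The following is an added illustration, not WebMarshal code: a small Python model of two behaviours described in this section, the explicit-permit Standard rule set with its default block (the Note in 6.5.4) and a TextCensor-style Content Analysis rule that files a blocked URL in a URL category so that a Standard rule denies the next request before any content is fetched. The class and rule names, the category name "TextCensor blocked", the banned term and the sample pages are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class StandardRule:
    name: str
    category: Optional[str]  # None matches any URL (the permissive catch-all)
    action: str              # "permit" or "block"

@dataclass
class ToyProxy:
    standard_rules: List[StandardRule]
    categories: Dict[str, Set[str]] = field(default_factory=dict)  # category -> URLs
    banned_terms: Tuple[str, ...] = ("confidential",)  # constructed TextCensor-style terms
    scans: int = 0  # responses that needed a full content scan

    def evaluate_standard(self, url: str) -> Tuple[str, str]:
        # First matching Standard rule wins; with no explicit permit, access is blocked.
        for rule in self.standard_rules:
            if rule.category is None or url in self.categories.get(rule.category, set()):
                return rule.action, rule.name
        return "block", "default (no explicit permit)"

    def content_analysis(self, url: str, body: str) -> str:
        # TextCensor-style rule: block on a banned term and file the URL under a category.
        self.scans += 1
        if any(term in body.lower() for term in self.banned_terms):
            self.categories.setdefault("TextCensor blocked", set()).add(url)
            return "block"
        return "permit"

    def request(self, url: str, fetch: Callable[[str], str]) -> Tuple[str, str]:
        action, rule = self.evaluate_standard(url)
        if action == "block":
            return action, rule  # denied before any content is fetched or scanned
        return self.content_analysis(url, fetch(url)), "content analysis"

def demo_feedback() -> Tuple[Tuple[str, str], Tuple[str, str], int]:
    pages = {"http://example.test/memo": "internal CONFIDENTIAL memo"}  # constructed response
    proxy = ToyProxy(standard_rules=[
        StandardRule("Block TextCensor hits", "TextCensor blocked", "block"),
        StandardRule("Permit everything else", None, "permit"),  # permissive rule, last
    ])
    first = proxy.request("http://example.test/memo", pages.__getitem__)
    second = proxy.request("http://example.test/memo", pages.__getitem__)
    return first, second, proxy.scans  # second request is blocked by the Standard rule
def demo_default_deny() -> Tuple[str, str]:
    # No permissive rule at all: the URL is blocked before any content is fetched.
    return ToyProxy(standard_rules=[]).request("http://example.test/news", lambda u: "ok")
```

The first request to the memo costs a full scan; the second is refused by the Standard rule with the scan counter unchanged, which is the effect the guidance above is after.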


Content Analysis rules can check for many conditions, including:

• Request direction (upload or download)
• Transfer size
• File type
• Content type (based on MIME type, such as MPEG)
• Text content (TextCensor lexical analysis)
• Malware scanning results

Content Analysis can also check items unpacked from archive files and OLE documents in many cases.

Content Analysis rules can apply a number of actions, including:

• Permit or block the request
• Display a warning page and require the user to acknowledge it
• Write a log classification for the file or the request domain
• Add the user to a group
• Add the request URL to a URL category
• Notify the administrator

