Enabling audit mode – Amer Networks E5Web GUI User Manual
Page 452

1.
On a workstation on the lan_net network, launch a standard web browser.
2.
Try to browse to a search site. For example, www.google.com.
3.
If everything is configured correctly, the web browser will present a web page that informs
the user about that the requested site is blocked.
Dynamic Web Content Filtering with HTTPS
It is possible in the HTTP ALG to have either the ALG apply to either HTTP or HTTPS traffic or both.
If filtering of HTTPS traffic is to work then the Service object associated with the ALG should be
one that allows the appropriate port numbers.
For example, the predefined service http-all could be used when both HTTP (port 80) and HTTPS
(port 443) traffic are allowed. A custom service may need to be defined and used if an existing
pre-defined service does not meet the requirements of the traffic.
A further point to note with dynamic content filtering over an HTTPS connection is that if access
to a particular site is denied, the HTTPS connection is automatically dropped. This means that the
browser will not be able to display the usual cOS Core generated messages to indicate that the
dynamic WCF feature has intervened and why. Instead, the browser will only display its own
message to indicate the connection is broken.
The Fail Mode setting can also affect HTTP connections. If no hostname is found in either the
ClientHello from the client or the ServerHello from the server in the initial HTTPS handshake
session before encrypted packets are sent then the connection is dropped if the Fail Mode action
is Deny and not dropped if the action is Allow.
Audit Mode
In Audit Mode, the system will classify and log all surfing according to the content filtering policy,
but restricted web sites will still be accessible to the users. This means the content filtering
feature of cOS Core can then be used as an analysis tool to analysis what categories of websites
are being accessed by a user community and how often.
After running in Audit Mode for some period of time, it is easier to then have a better
understanding of the surfing behavior of different user groups and also to better understand the
potential impact of turning on the WCF feature.
Introducing Blocking Gradually
Blocking websites can disturb users if it is introduced suddenly. It is therefore recommended that
the administrator gradually introduces the blocking of particular categories one at a time. This
allows individual users time to get used to the notion that blocking exists and could avoid any
adverse reaction that might occur if too much is blocked at once. Gradual introduction also
makes it easier to evaluate if the goals of site blocking are being met.
Example 6.17. Enabling Audit Mode
This example is based on the same scenario as the previous example, but now with audit mode
enabled.
Chapter 6: Security Mechanisms
452