The 'Trace Request' window is best used for diagnostics and troubleshooting of the entire policy processing framework. It returns both category information and verdict information on a per client, per IP, per group and/or per policy basis.
When Lenovo NetFilter denies the client browser, the browser will follow the 302 Redirect to the deny page content. This request is also intercepted and processed by Lenovo NetFilter.
In the input section of the window enter the URL you wish to test. You can filter by Client Name, Client IP Address, Group Name, and Policy Name. You can also test lists that lookup entries by ‘Request Part’ which includes Destination IP (e.g. GeoIP list), User Agent, Referrer, Client Module Name, and Event Type. An autocomplete option can be used for the Destination IP Address field.
There are two tools that are helpful in verifying categorization and filtering. They are the Tools > Trace Request window and the Logs > Request Logs page. Once you have implemented your Policy settings, you can use these tools to verify filtering and categorization.
When you enter information in the window and click the Send Request button, the output displays three columns. Additional rows will also display for denied requests to indicate what deny pages are delivered and allowed.
· Step: The list or the other processing step that affected the request. i.e. the Master List, CNS, Category Custom Mapping, etc.
· List URL / Keyword: The entry that was matched in the processing step. i.e. http://*.youtube.com/* could be the list entry that would match requests for YouTube.
· Result: This displays the Category and Decision for the requested URL. For denied decisions, a ‘Replace URL’ displays the link to the associated deny page.
Below is a Trace Request for the URL sex.com.
Step 1: Protocol CNS List:
Category: The Trace Request looked for the protocol in the CNS Category List and determined that it was an http request and assigned the Category of ‘Hypertext Transfer’. The Protocol List, by default, has two protocol entries: http and https. If it is determined that it is https, it will be categorized as Hypertext Transfer Secure.
System Lists Lookup
The System-Wide, Shared and Categorization Lists can also display in the Trace Request window along with the List item. See below.
Master List Lookup
Category: It was determined that the request was categorized as ‘Pornography’.
Policy Categories Check
Decision: It is the decision that the determined Category is denied. Please note that if the request belongs to multiple Categories and one of these Categories is denied, the request will be denied.
Response URL Test
Category: Host is an IP
Replace URL: It is determined that a replacement URL with a Deny Page will be served.
Filter Bypass List Lookup
Filter Bypass List is used to allow the deny page that is to be served and bypass the Policy Server’s filtering decision.
In this example, the request for google is allowed and no deny page is served.
However, if google is denied by a System List, that information will display in the Results section.
The System-Wide, Shared and Categorization Lists display in the Trace Request window along with the List item. In this example, a site Categorized as 'Pornography' has been blocked by a 'System List'.
The System, Shared and Categorization Lists will display in the Trace Request window along with the List item.
In this example, the FTP Protocol Category is not being blocked, the Processing Step is Protocol List and the Category assigned is File Transfer.
The ‘Policy Categories Check’ processing step determines that the ‘File Transfer’ Category is Allowed.
A 'Category Custom Mapping' Step will display when the Policy Server has mapped the Category.
'Show All Steps' checkbox option displays all policy processing steps for a request until processing stops. It will show all steps even if there is no data.