LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Secure Web Gateway » Reports

Filter Entrapper block transactions in the Web Log

ofer Kalef — Sun, 24 Nov 2013 01:52:52 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Is there a filter option to show Entrapper blocks only?

Procedure:

The Malware Entrapment engine, also known as Entrapper, was first introduced with SWG OS 10.1.

1. Go to Logs and Reports > Audit Logs, right-click the selected view and choose View Settings.

2. In the Filter tab, use the settings below to show only Entrapper blocks out of all the log transactions available in the system:

This filter relies on the actual text of the user response action specified for this rule in your policy.

Below is a snapshot of the default End User Message as defined in the Default Security Policy:

And here is the snapshot of the actual text in the message:

If these settings are modified with custom settings make sure to update the suggested filter to reflect the custom settings.

Reports output does not match the defined filter

Rudolf Kessler — Mon, 17 Sep 2012 05:28:12 GMT

This article applies to:

SWG 10.0

Question:

Running or scheduling a report with a filter produces a report with data that should have been filtered out.

Reply:

This can be due to a bug that is fixed in 10.1.

If the Authenticated User filter is the first filter it causes this issue. If the transaction time filter is the first one, everything is ok. So to resolve the issue please delete the date range filter, in the report filter itself, and re-add it, it will be added first and now it should be fine.

Also do it in the schedules or re-create the schedules with the date range as first filter line.

Saving reports in CSV format with VSR 2.1

Eric Hanson — Thu, 24 Jun 2010 12:57:00 GMT

This article applies to:

VSR 2.1

Question:

Can Vital Security Reporter (VSR) 2.1 save report data in Comman Separated Values (CSV) format?

Reply:

VSR 2.0 allows saving generated reports in various formats, including CSV. The CSV output format is available in VSR 2.1, but this parameter is now specified via the report scheduling options. Bellow are the steps for saving a report in CSV format.

Navigate to the web interface of the VSR server and open the Report Folders tab.
Right-click the report that you wish to run (for this example, "Most Visited Websites by Client IP" was selected) and choose the Schedule Once option:

Please note that there is also a Recurring Scheduling option in this menu. These steps are also applicable for recurring instances of a report if configured via this option.
In the right pane, which displays the options for this report, click on the Report Format tab. Choose the "Comma Separated Values (CSV)" option from the View As list and proceed with any further report parameters.
Save the changes for this report to run it.

Permissions for Viewing Logs with Users or Groups other than Super Administrators

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

Question
When I create an administrators group in addition to the Super Administrators Group, what are the requirements in order to view all the logs?

Answer
The minimum permissions in order to view the logs for all users are as follows:

Create the new relevant administrator:

Please note that user transactions can be viewd only by the memers of the administrator group which created the users in the first place. For example: Log transactions made by users that were imported from LDAP by 'admin' which belongs to the 'Super Administrators' group can only be viewd by members of the 'Super Administrators' group.
Give the new administrator Write Permissions to all Users or Groups which are meant to be viewed by the new Administrator:
Modify the Logs Permissions for the Administrator (View-Only permissions needed):
Modify the Reports Permissions as well for viewing. (View-Only permissions needed) |* Users who will be creating custom reports will need Write Permissions:

After applying the permissions discussed above, the new administrator should be able to log in and view logs and reports.

Please note that any log entries made prior to the change above will remain with the same permissions they were inserted to the logs. The change of permissions applies to new log entries only.

Software Version
8.3.x
8.4.x

This article applies to:: NG 1000; NG 5000; NG 8000

This article was previously published as:: Finjan KB 1300

How to log HTML Repaired transactions?

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

Question
One of the most valuable services provided by Finjan Vital Security for Web appliances is the ability to track the processed information in the logs.
By default, VSOS 8.5.0 and above provides the following logging policies:
- Log All Protective Actions;
- Log All Protective Actions and Web Pages;
- Logging everything except Image files;
The extended logging policy, logging everything except Image files, provides detailed information. However, it has very important constraint causing huge I/O load to the system.
The HTML Repair feature causes malicious scripts on an HTML page to be automatically detected and repaired, and the HTML page is sent on to the end-user in a transparent manner.
Note: The HTML Repair feature is enabled by default.

Ability to log HTML repaired transcations is one of the reasons users might consider using this logging policy instead of any other alternative.

This article describes how to create new logging policy that combines the flexibility of the data being logged with the minimal load caused to the system.

Answer
1. Browse to the Policies section of the management console of Finjan VSOS 8.5.0 and expand the logging policies node.
2. Highlight the default, Log All Protective Actions, logging policy and click Duplicate button on the top as shown below:
3. Set Log Defaults and HTML Repaired Transactions for this new logging policy:
4. Highlight new logging policy and click New Rule button:
5. Rule editor windows pops up. Set this rule conditions as shown below and click OK.
(Set send to archive/log/report/syslog options according to your preferrences)
5. Decide what should be the place/priority of this rule and move it down with the up/down icons.
Save the policy before you commit these changes.
6. Commit these changes.
7. Browse to the Users section and set this logging policy for specific user(s) or group(s):
8. Apply and commit the changes.

Software Version
8.5.0

This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1742

Database Granularity and Scheduled Reports

support finjan — Mon, 23 Mar 2009 00:00:00 GMT

Question
Vital Security for Web provides a flexible system to create scheduled reports, whereby each report can be set to run on a daily, weekly, or monthly basis.
Administrators generally choose to schedule weekly reports, but this weekly schedule may result in duplicate reports being generated on a specific day.
The following is an example of a duplicate report in VSOS 8.5.0:

A duplicate report in VSOS 9.0 (9.2):

The screenshots displayed above show that two reports were generated on the same day for two different time periods: February 2009 and March 2009.

Answer
The duplicate report behavior is related directly to the Log Database Granularity.
In the example below, the system is set to maintain ogs and reports databases on a monthly basis:

As a result, when a report is scheduled to run for the first time in any month, it will create the report based on two separate reports databases:
One report is created for the last few days (from day 6 to 1) of the previous month, and another report is created for the first few days (from day 1 to 6) of the current month.

Software Version
8.5.0
9.0
9.2

This article applies to:
NG 1000
NG 5000
NG 6000
NG 8000
This article was previously published as:
Finjan KB 1869