LevelBlue Named Official Cybersecurity Advisor of the PGA of America. Learn more

Government
Contact Us
Login

USM Anywhere Login

Fusion Platform Login

Support Downloads/Forums Login

MailMarshal Cloud Login
Incident Response
Experiencing a security breach?

Access immediate incident response support, available 24/7

24 HOUR HOTLINES
AMERICAS +1 855 438 4305

EMEA +44 8081687370

AUSTRALIA +61 1300901211

SINGAPORE +65 68175019

Recommended Actions

Government
Contact Us
Login

login

USM Anywhere Login

Fusion Platform Login

Support Download/Forum Login

MailMarshal Cloud Login
Incident Response
Incident Response
Experiencing a security breach?

Access immediate incident response support, available 24/7

24 HOUR HOTLINES
AMERICAS +1 855 438 4305

EMEA +44 8081687370

AUSTRALIA +61 1300901211

SINGAPORE +65 68175019

Recommended Actions

LevelBlue Named Official Cybersecurity Advisor of the PGA of America. Learn more

Cyber Advisory

Managed Cloud Security

Data Security

Managed Detection & Response

Email Security

Managed Network Infrastructure Security

Exposure Management

Security Operations Platforms

Incident Readiness & Response

SpiderLabs Threat Intelligence

View All Services

BY INDUSTRY

BY REGULATION

BY TOPIC

Offensive Security

Solutions to maximize your security ROI

Operational Technology

End-to-end OT security

Microsoft

Unlock the full power of Microsoft Security

Securing the IoT Landscape

Test, monitor and secure network objects

About Us

We reduce cyber risk and build resilience

Awards and Accolades

The most recognized cybersecurity leader

LevelBlue SpiderLabs

Elite global threat experts and intelligence

PGA of America Partnership

Cybersecurity at the championship level

Secure What's Next

Future-proof your organization

LevelBlue Security Operations Platforms

Unprecedented security visibility and control

Security Colony

Cybersecurity threat protection resources

Microsoft

Unlock the full power of Microsoft Security

Technology Alliance Partners

Key alliances who align and support our ecosystem of security offerings

BLOGS

UPCOMING

MEDIA & ASSETS

NOTICES

HELP

LevelBlue Knowledge Base

KB Home Search Latest Additions Most Popular

Knowledgebase

Home » Knowledgebase » WebMarshal » FAQ: WebMarshal behavior with blocked URLs and requests

FAQ: WebMarshal behavior with blocked URLs and requests

Show/Hide Article Tools

This article applies to:

WebMarshal 6.X and 7.X

Question:

Why does WebMarshal download material from URLs that are blocked by rules?
Why do my firewall logs show WebMarshal accessed blocked sites?
Why does WebMarshal cache blocked material?
Why does WebMarshal scan upload data that should be blocked?

Information:

WebMarshal rules and site blocking are designed to deny blocked material as configured, for both downloads and uploads. Browsing results for end users are fully controlled by the rules.

Administrators may notice log records that indicate WebMarshal has retrieved or cached some blocked material. This is a result of designed behavior as described below.

Download from blocked URLs

When WebMarshal receives a user download request, the Proxy service retrieves response headers and a small initial portion of the file before calling the Engine to process Standard rules.

This behavior has the following benefits:

It allows the Standard rules to evaluate conditions such as the file name, file type, data size, and presence of cookies. The rule interface and product behavior is simpler to understand because fewer rule types are required.
It helps to improve product performance by reducing the number of calls to the rule processing Engine.

Files or pages are never returned to a user until Standard rules have been fully run. Connection to the external server does not indicate that content was returned to any user. Material blocked by Standard rules will not consume an appreciable amount of bandwidth.

Caching of blocked material

The WebMarshal proxy cache can contain material that was blocked for some or all users. Material is cached when it is retrieved from external sites. Files could be cached even though they are blocked for all users.

WebMarshal rules are flexible and permission to fulfill a request can depend on the user, time of day, or browsing quota.
Each request from a user invokes a full check of rules that apply to the user at the time.
The cache is used only to reduce the need for access to external sites. Presence of a file in the cache does not indicate that it was served to any user.

Scanning of uploaded material

WebMarshal unpacks and scans uploaded material before processing any upload rules. As with downloads, this behavior optimizes the selection and processing of upload rule conditions.

To contact LevelBlue about this article or to request support: