ProxySG & Advanced Secure Gateway


Is there a way to see when a rule was last matched? I mean a rule in a layer in the Policy

Broadcom Knight Wasfi Bounni posted Nov 19, 2020 09:45 AM
Hi,

Is there a way to see when a rule was last matched? I mean a rule in a layer in the Policy. I know the policy coverage statistics under Advanced Statistics tell you how many times a rule was matched, but they don't tell you when the last time was that this rule was matched by a transaction.

Kindly
Wasfi
Broadcom Employee Jacob Miles Best Answer
Hi Wasfi,

There is nothing that does that at this time. There are a couple of things that you could do moving forward to try and narrow in on the time frame. 

As you may know, the policy coverage statistics are reset on every reboot, and also on policy install for versions earlier than 7.3. Keeping that in mind, you could create a snapshot of the policy coverage statistics, and then compare different snapshots to see between which snapshots a value changed for a particular rule. This KB can walk you through how to set it up. In the example, the KB uses 5 minutes as the snapshot interval. I would customize that based on how narrow of a time interval you want.

For example, if you are trying to see if certain rules are hit during a given week, I would probably move the snapshot to be just once a day. Again, remember that if there is a reboot, or if you are on a version earlier than 7.3 and have a policy push, those statistics will be reset.

The second set of options I was thinking of is more for when there is a particular rule, or just a handful of rules, whose hit frequency you are worried about. Aside from setting a policy trace in policy, you have other track objects as well that you could configure policy to track.

The ideal option is probably to use Policy ID. This will allow you to create an ID for a particular rule, and if you add the x-bluecoat-reference-id field to your access logs, it will display that ID in the access logs. You can then search the access logs by the policy ID to see when the last occurrences were.

A couple of other options would be to use either the Event Log or the Email track object, which would send the event to the event log or send an email, respectively. These have the potential to make a lot of unnecessary noise if a rule is hit all the time, so you would have to determine whether either seemed feasible to you. Typically I would reserve an email track object for a rule where you know you may need to get involved legally, such as someone accessing an illegal site.

Hopefully that gives you some good ideas!
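As an added illustration of the two approaches in the answer above (this is example code written for this page, not a Broadcom tool or anything from the original thread), the script below does both pieces of bookkeeping off-box: it compares a series of policy-coverage snapshots to find the last interval in which a rule's match count rose, flags intervals where a count dropped (which the answer explains happens on a reboot or, before 7.3, a policy install), and scans an ELFF-style access log that includes the x-bluecoat-reference-id field to report the last timestamp seen for each policy ID. The snapshot values, rule labels, policy ID strings and log lines are all constructed sample data; how the snapshots are collected from the appliance is assumed to be handled separately (the KB the answer refers to), and only the parsed counts are modelled here.

```python
"""Narrow down when a ProxySG policy rule last matched, using off-box data.

Part 1: policy-coverage snapshots (rule -> match count) taken at intervals.
Part 2: access log lines carrying x-bluecoat-reference-id (the Policy ID).
All inputs below are constructed samples, not real appliance output.
"""
import shlex
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Snapshot = Tuple[str, Dict[str, int]]  # (snapshot time, {rule label: count})

# Constructed sample snapshots, hourly. "block_social" grows between 09:00
# and 10:00 and never again; "deny_malware" never changes.
SNAPSHOTS: List[Snapshot] = [
    ("2020-11-19 08:00", {"block_social": 120, "allow_saas": 4410, "deny_malware": 7}),
    ("2020-11-19 09:00", {"block_social": 120, "allow_saas": 4875, "deny_malware": 7}),
    ("2020-11-19 10:00", {"block_social": 123, "allow_saas": 5102, "deny_malware": 7}),
    ("2020-11-19 11:00", {"block_social": 123, "allow_saas": 5390, "deny_malware": 7}),
]


def last_change_windows(snapshots: List[Snapshot]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Return, per rule, the latest (start, end) snapshot interval in which its
    match count increased, or None if the count never increased."""
    result: Dict[str, Optional[Tuple[str, str]]] = {}
    for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:]):
        for rule, count in cur.items():
            result.setdefault(rule, None)
            if count > prev.get(rule, 0):
                result[rule] = (t0, t1)  # later intervals overwrite earlier ones
    return result


def detect_resets(snapshots: List[Snapshot]) -> List[Tuple[str, str]]:
    """Intervals in which any rule's count went DOWN. Coverage counters only
    grow, so a drop means the statistics were reset (reboot / policy install)
    and comparisons across that boundary are not meaningful."""
    return [
        (t0, t1)
        for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:])
        if any(cur.get(rule, 0) < count for rule, count in prev.items())
    ]


# Constructed sample access log in ELFF layout. "-" is the empty value; the
# policy ID only appears on transactions that hit the rule carrying it.
ACCESS_LOG = """\
#Fields: date time c-ip cs-host sc-status cs(User-Agent) x-bluecoat-reference-id
2020-11-19 09:02:11 10.1.2.3 example.com 200 "Mozilla/5.0 (X11)" -
2020-11-19 09:41:57 10.1.2.9 social.example 403 "Mozilla/5.0 (X11)" RULE_BLOCK_SOCIAL
2020-11-19 10:15:03 10.1.2.3 saas.example 200 "Mozilla/5.0 (X11)" -
2020-11-19 10:44:20 10.1.2.5 social.example 403 "Mozilla/5.0 (Windows)" RULE_BLOCK_SOCIAL
2020-11-19 10:50:00 10.1.2.7 malware.example 403 "curl/7.68.0" RULE_DENY_MALWARE
"""


def parse_elff(text: str) -> List[Dict[str, str]]:
    """Parse ELFF text into one dict per data line, keyed by the #Fields names.
    shlex handles quoted values such as the user agent, which contain spaces."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields header")
        values = shlex.split(line)
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def last_match_by_policy_id(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each policy ID seen in x-bluecoat-reference-id to the latest
    'YYYY-MM-DD HH:MM:SS' timestamp at which a transaction carried it."""
    latest: Dict[str, datetime] = {}
    for row in rows:
        ref = row.get("x-bluecoat-reference-id", "-")
        if ref == "-":
            continue  # transaction did not hit a rule with a Policy ID
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        latest[ref] = max(latest.get(ref, ts), ts)
    return {ref: ts.isoformat(sep=" ") for ref, ts in latest.items()}


if __name__ == "__main__":
    for rule, window in last_change_windows(SNAPSHOTS).items():
        print(f"{rule}: last count change in {window}")
    print("reset intervals:", detect_resets(SNAPSHOTS))
    for ref, when in last_match_by_policy_id(parse_elff(ACCESS_LOG)).items():
        print(f"{ref}: last matched {when}")
```

The snapshot interval should be chosen the way the answer suggests: the window the script reports is only as narrow as the spacing between snapshots, and any interval flagged by detect_resets should be treated as a gap rather than as "no matches". The access-log route gives an exact timestamp and survives reboots, which is why it is the better choice for a small set of rules you care about.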