Terminate a client connection using a CLI command
You can terminate a client connection with a command on the command line interface (CLI) that is available when you connect to Web Gateway from a system console.
A reason for terminating a connection between Web Gateway and one of its clients might be that the traffic on this connection consumes an excessive amount of bandwidth.
When a client sends a request for access to the web, the request is redirected to Web Gateway, which forwards it to the web if the request complies with your web protection policy. Eventually a response from the web is passed on to the client. Each such request and response pair is handled as one transaction.
To terminate the connection that is used for the requests and responses of a transaction, you identify the current transaction and terminate it.
Another CLI command lets you identify a transaction and at the same time review the amount of data that has already been sent and received on the connection used for this transaction.
- From a system console, connect as an administrator with root privileges to the Web Gateway appliance where you want to terminate a client connection.
- On the command line interface, run this command to see the connections that are currently going on between the appliance and its clients:
/opt/mwg/bin/mwg-core -S connections
This will result, for example, in the following output:
There are currently 1 client connections (2022-01-06 04:47:32)
Transaction|Creation Time|Protocol|Cust ID|User Name|Client IP|Client Side MWG IP|Server Side MWG IP|Server IP|CL Bytes Received|CL Bytes Sent|SRV Bytes Received|SRV Bytes Sent|Trxn Index|Age(Seconds)|Status|In Use|URL
30028|2022-01-06 04:47:28|HTTP|<Customer ID>|<User name>|10.2.13.28:37264|10.5.6.5:9090|10.5.6.5:47112|10.5.60.13:443|96|0|166166528|207|2|4|ReadResponseBody|3367|https://www.skyhigh.com/url/sample.zip
You can direct the output to a file to account for a large number of connections that might be going on at the same time.
- Identify a connection with high bandwidth consumption that you want to terminate. Use the CL Bytes Received, CL Bytes Sent, SRV Bytes Received, and SRV Bytes Sent fields of the output for this, together with Age(Seconds), which shows how long the connection has been open.
When the connection is an HTTP2 connection that has streams under it, the entry for the main connection shows H2 in the protocol field, while an entry for a stream shows \_ (backslash with underscore) instead.
You can only terminate the main connection, which terminates all of its streams with it; a single stream cannot be terminated on its own.
- Run the following command to terminate the client connection. Include the transaction number as the last field of the command, for example:
/opt/mwg/bin/mwg-core -k 30028
This will, for example, result in:
Connection Terminated Successfully
Transaction|Creation Time|Protocol|Cust ID|User Name|Client IP|Client Side MWG IP|Server Side MWG IP|Server IP|CL Bytes Received|CL Bytes Sent|SRV Bytes Received|SRV Bytes Sent|Trxn Index|Age(Seconds)|Status|In Use|URL
30028|2022-01-06 04:47:28|HTTP|<Customer ID>|<User name>|10.2.13.28:37264|10.5.6.5:9090|10.5.6.5:47112|10.5.60.13:443|96|0|166166528|207|2|4|ReadResponseBody|3367|https://www.skyhigh.com/url/sample.zip
You have now terminated a client connection. Repeat the command to terminate more.
If the specified transaction cannot be found, the output is: Transaction not found
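The steps above can be scripted so that the listing is filtered by byte count and only main connections are passed to the kill command. The following POSIX shell script is an added example and is not part of Web Gateway or its documentation. It assumes the listing format shown above, uses a constructed sample of that listing, and the MWG_CORE and MWG_DRY_RUN variables, the 50 MB threshold, and the sum of the two "Bytes Received" fields as the measure of bandwidth are choices made for this example, not product settings.

```shell
#!/bin/sh
# Added example (not Web Gateway code): select the heaviest client connections
# from "mwg-core -S connections" and terminate each with "mwg-core -k <trxn>".
# MWG_CORE, MWG_DRY_RUN and the 50 MB default limit are assumptions made here.

MWG_CORE="${MWG_CORE:-/opt/mwg/bin/mwg-core}"

# Constructed sample listing in the field layout of the product output.
# 30035 is an H2 main connection; 30036 (protocol \_) is a stream under it.
SAMPLE_CONNECTIONS='There are currently 4 client connections (2022-01-06 04:47:32)
Transaction|Creation Time|Protocol|Cust ID|User Name|Client IP|Client Side MWG IP|Server Side MWG IP|Server IP|CL Bytes Received|CL Bytes Sent|SRV Bytes Received|SRV Bytes Sent|Trxn Index|Age(Seconds)|Status|In Use|URL
30028|2022-01-06 04:47:28|HTTP|<Customer ID>|<User name>|10.2.13.28:37264|10.5.6.5:9090|10.5.6.5:47112|10.5.60.13:443|96|0|166166528|207|2|4|ReadResponseBody|3367|https://www.skyhigh.com/url/sample.zip
30031|2022-01-06 04:47:29|HTTP|<Customer ID>|<User name>|10.2.13.29:40112|10.5.6.5:9090|10.5.6.5:47120|10.5.60.14:443|512|0|20480|310|1|3|ReadResponseBody|12|https://www.example.com/index.html
30035|2022-01-06 04:47:30|H2|<Customer ID>|<User name>|10.2.13.30:41001|10.5.6.5:9090|10.5.6.5:47131|10.5.60.15:443|1024|0|90000000|800|1|2|ReadResponseBody|50|https://www.example.org/
30036|2022-01-06 04:47:30|\_|<Customer ID>|<User name>|10.2.13.30:41001|10.5.6.5:9090|10.5.6.5:47131|10.5.60.15:443|0|0|90000000|800|1|2|ReadResponseBody|50|https://www.example.org/big.iso'

# Read a listing on stdin; print the transaction numbers whose CL Bytes Received
# plus SRV Bytes Received (fields 10 and 12) exceed $1 bytes, heaviest first.
# The summary and header lines (non-numeric first field) and H2 stream entries
# (protocol \_) are skipped: only a main connection can be terminated.
select_heavy_transactions() {
    awk -F'|' -v limit="$1" '
        $1 ~ /^[0-9]+$/ && $3 != "\\_" && ($10 + $12) > limit {
            printf "%d\t%s\n", $10 + $12, $1
        }' | sort -rn | cut -f2
}

# Terminate each transaction number given as an argument. With MWG_DRY_RUN set,
# only print the command that would be run.
terminate_transactions() {
    for trxn in "$@"; do
        if [ -n "${MWG_DRY_RUN-}" ]; then
            printf '%s -k %s\n' "$MWG_CORE" "$trxn"
        else
            "$MWG_CORE" -k "$trxn"
        fi
    done
}

main() {
    limit="${1:-50000000}"   # 50 MB, an example threshold
    # Word splitting of the id list is intended: one transaction per argument.
    terminate_transactions $("$MWG_CORE" -S connections | select_heavy_transactions "$limit")
}

# Touch the live appliance only when invoked as: sh kill_heavy.sh run [limit_bytes]
case "${1-}" in
    run) shift; main "$@" ;;
esac
```

Run it once with MWG_DRY_RUN=1 to see which transactions it would kill before letting it call mwg-core; on a busy appliance, redirect the listing to a file first and feed that file to select_heavy_transactions so you can inspect the candidates.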
To log and troubleshoot termination activities, you can do the following:
- When a connection is terminated, an error with 20002 as the value of the Error.ID property is generated. The Error Handler on Web Gateway includes a default rule that blocks on all errors. You can rely on this default rule or create an error handling rule of your own.
- You can add Error.ID to the entries of the access.log that the Log Handler on Web Gateway provides as a default log, or create a log of your own.
Because Error.ID holds a number, use Number.ToString(Error.ID) in the log entry to write the numerical error value to the log.
What is shown above as output when a connection has been successfully terminated is also logged each time by the appliance system under /opt/mwg/log/mwg-errors/mwg-core.errors.log.
When a client requests a web page that is already stored in the browser cache, the termination command described here might not work, because transferring the page data from the cache does not create a new transaction on Web Gateway.
The command works, however, if the browser, after detecting the attempted termination of a connection, retrieves the web page from the web again instead of from its cache.