Best practices - Working with the Error Handler

Last updated
Save as PDF

Working with the rules in the Error Handler rule sets gives you control over what happens when errors occur with processing web traffic on Web Gateway.

There are two main strategies of responding to errors:

Fail-closed — When an error occurs, the request that a user sent to the web and that is being processed on Web Gateway is not allowed to proceed. A block message is shown to the user.
This strategy is the default for error handling on Web Gateway.
Fail-open — When an error occurs, the request that a user sent to the web and that is being processed on Web Gateway is allowed to proceed.
In addition to this, logging activities and notifications can be triggered.
This strategy is widely used within the web security policies of enterprise organizations.

The following are benefits of adopting a fail-open strategy for your network:

Prevents business interruptions, as unimpeded web access is one of the most critical aspects for many jobs today.
Avoids unnecessary calls to help desks, as you might consider it sufficient if the Web Gateway administrator is aware and can fix the problem. There is no need then to alert users.

A fail-open strategy can also be appropriate if failed components are compensated within your network while internal alerts are triggered and action is taken.

The flexibility of the Error Handler allows you to create rules to implement the main strategies in various ways, for example, as follows:

Strict fail-closed strategy on all errors
Broad fail-open strategy to prevent any user impact
Notifications to the Web Gateway administrator as part of a fail-closed or fail-open strategy
Exceptions for requests from particular users and clients
For example, a fail-open strategy is configured for executives and a fail-closed strategy for other users.

The default rule set for error handling includes the Block on All Errors rule set. This nested rule set is placed at the end of the default rule set. It blocks requests in all error situations that are not covered by the other nested rule sets.

When you configure a fail-open rule, make sure that this rule set is disabled or the rule set with the fail-open rule is placed before it.

Configure a general fail-open strategy

Configure a general fail-open strategy to let processing continue after any processing error that occurs.

Select Policy | Rule Sets.
Select Error Handler and expand the Default error handling rule set.
For all rules in the nested rule sets:
1. Select a rule and click Edit for this rule.
2. In the Edit Rule window, select Action, then select Continue as the rule action.
3. Click Finish.
Click Save Changes.

Processing of requests that users send to the web now continues on Web Gateway even when errors occur.

Configure a fail-open strategy with a notification

Configure a fail-open strategy with a notification to notify the administrator or another recipient when a particular error has occurred.

For the notification, you add an event to a rule that handles a particular error.

Locate an existing rule:
1. Select Policy | Rule Sets.
2. Select Error Handler and expand the Default error handling rule set.
3. Select a nested rule set, for example, Block on Anti-Malware Engine Errors. Then select one of its rules, for example, Block if anti-malware engine is overloaded, and click Edit for this rule.
In the Edit Rule window, select Action, then select Stop Rule Set as the rule action instead of Block.
Configure an event for notifying someone:
1. Select Events and click Add.
2. Select Event, then select Email.Send and click Parameters
3. Type values for the three string parameters, for example, as follows:
  - Recipient (an email address): anyrecipient@samplecompany.com
    To configure more recipients, add their email addresses, separated by semicolons.
  - Subject (message name): Anti-Malware Overload
  - Body (message text): The anti-malware engines are overloaded, please inspect the mwg-antimalware-errors-log for more information.
4. Click OK twice, then click Finish.
Click Save Changes.

When the error that is handled by this rule occurs, a notification is sent to the configured recipient. You can also configure multiple notification events for different recipients with varying message texts.

NOTE: Make sure that the Block on All Errors set is disabled or the rule set with the fail-open rule is placed before it.

Configure a fail-open strategy for user groups

Configure a fail-open strategy with a notification that is only sent for errors with processing requests from users belonging to a particular user group.

Locate the rule that you configured a fail-open strategy with a notification for:
1. Select Policy | Rule Sets.
2. Select Error Handler and expand the Default error handling rule set.
3. Select the Block on Anti-Malware Engine Errors nested rule set, then select the Block if anti-malware engine is overloaded rule and click Edit for this rule.
Configure an additional part for the rule criteria:
1. In the Edit Rule window, select Rule Criteria, then select the criteria of the rule and click Add.
2. Select User/Group criteria, then select:
  - Authentication.UserGroups as the property
  - at least one in list as the operator
3. At the bottom of the right column, click Add List of String to add a list of user groups, and in the Add List window:
  - Name the list Groups to bypass on anti-malware overloads, then click OK.
  - Click Edit List and under List content, add the following string to the list (without quotes): Executives, then click OK twice.
4. In the Edit Rule window, select AND as the Boolean operator for this additional criteria part, then click Finish.
Click Save Changes.

When the error that is handled by this rule occurs, processing continues and a notification is sent to the configured recipient. It is only sent, however, if a user from the configured user group submitted the request that was processed when the error occurred.

NOTE: Make sure that the Block on All Errors set is disabled or the rule set with the fail-open rule is placed before it.