Policy tracing is used in Symantec ProxySG when debugging access to websites, such as:
In this article, we will cover how to enable policy tracing, and how to examine the debug file generated by policy tracing.
Caution: Symantec recommends using policy tracing for troubleshooting only. Tracing is best used temporarily. If tracing is enabled in a production setting, the ProxySG appliance performance degrades. After you complete troubleshooting, be sure to remove policy tracing.
Note: Although you can recreate the rule via CPL and add it to the local policy file via command line, you cannot view the output of the debug file.
You can enable policy tracing globally or by setting up a specific rule. While the global option is quick and easy to enable, it can generate a lot of data very quickly. Therefore, the global option is not recommended, although it can be a valid option on a proxy with a small amount of traffic.
CAUTION: Tracing all policy execution requires a lot of CPU resources, and will also generate a large trace file. Symantec does not recommend this option for ProxySG appliances that are under medium or heavy load.
WARNING: Follow these instructions very carefully; any mistake could cause a service interruption. The trace rule has to be in its own layer so that other policy rules are not bypassed. Also, by default, creating a new web access rule sets the action for that rule to "Deny." If this is not changed to "None," the proxy will block all traffic.
The rule should look like this when done properly.
    start transaction -------------------                                   (1)
      CPL Evaluation Trace: transaction ID=659540                           (2)
        miss : time.utc=1800..2000
        miss : category=(Alcohol, Auctions, Gambling) DENY                  (3)
        MATCH: ALLOW                                                        (4)
      connection: service.name=HTTP client.address=10.1.1.10 proxy.port=8080 (5)
      time: 2009-06-15 16:38:02 UTC
      GET http://www.google.com/                                            (6)
      Referer: http://www.google.com/
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/2009060215 Firefox/3.0.11 (7)
      user: unauthenticated                                                 (8)
      url.category: Search Engines/[email protected] Coat                 (9)
      DSCP client outbound: 65
      DSCP server outbound: 65
    stop transaction --------------------                                   (1)
You can also review checkpoint timing to discover possible proxy or network latency issues. For more information, see Understanding Policy Trace checkpoint timing.
For some connections, instead of "match" or "miss", the proxy reports "n/a", which means the rule did not apply to that connection. In most cases this is because the rule is specific to a protocol and the connection was not using that protocol. Another typical scenario is a user- or group-specific rule evaluated on a connection that passed through unauthenticated.
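A trace file from a busy proxy can hold thousands of transaction blocks in the layout shown above, so it helps to reduce each one to a single line and to pull out the "n/a" results separately. The script below is an added example written for this article, not a Symantec tool; it parses the "start transaction ... stop transaction" blocks, records each rule's miss/match/n/a result in evaluation order, and flags user/group rules that reported "n/a" while the client was still unauthenticated (the second scenario described above). The sample trace is constructed in the layout of the transaction shown earlier; the exact spelling of an "n/a" rule line is an assumption, so adjust RULE_RE if your trace prints it differently.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout of the trace shown above; it is not a real capture.
# The "n/a : ..." line in the second transaction is an assumption about how such rules print.
SAMPLE_TRACE = """\
start transaction -------------------
  CPL Evaluation Trace: transaction ID=659540
    miss : time.utc=1800..2000
    miss : category=(Alcohol, Auctions, Gambling) DENY
    MATCH: ALLOW
  connection: service.name=HTTP client.address=10.1.1.10 proxy.port=8080
  time: 2009-06-15 16:38:02 UTC
  GET http://www.google.com/
  user: unauthenticated
  url.category: Search Engines@Blue Coat
stop transaction --------------------
start transaction -------------------
  CPL Evaluation Trace: transaction ID=659541
    n/a : group=Finance DENY
    MATCH: ALLOW
  connection: service.name=TCP-Tunnel client.address=10.1.1.20 proxy.port=8080
  time: 2009-06-15 16:39:10 UTC
  CONNECT 203.0.113.5:443
  user: unauthenticated
stop transaction --------------------
"""

# Per-rule result: "miss : cond", "match : cond" or "n/a : cond" (space before the colon).
RULE_RE = re.compile(r"^\s*(miss|match|n/a)\s+:\s*(.*\S)\s*$")
# Final decision line is upper-case with no space before the colon: "MATCH: ALLOW".
FINAL_RE = re.compile(r"^\s*MATCH:\s*(\S.*?)\s*$")
ID_RE = re.compile(r"transaction ID=(\d+)")
CONN_RE = re.compile(r"service\.name=(\S+)\s+client\.address=(\S+)")
USER_RE = re.compile(r"^\s*user:\s*(\S.*?)\s*$")
REQ_RE = re.compile(r"^\s*([A-Z]+)\s+(\S+)\s*$")  # "GET http://..." or "CONNECT host:port"


@dataclass
class Transaction:
    trans_id: str = ""
    rules: List[Tuple[str, str]] = field(default_factory=list)  # (result, condition), in order
    final_action: Optional[str] = None
    service: Optional[str] = None
    client: Optional[str] = None
    request: Optional[Tuple[str, str]] = None  # (method, target)
    user: Optional[str] = None


def parse_trace(text: str) -> List[Transaction]:
    """Split a policy trace into transactions and extract the fields a reviewer scans for."""
    transactions: List[Transaction] = []
    current: Optional[Transaction] = None
    for line in text.splitlines():
        if line.startswith("start transaction"):
            current = Transaction()
            continue
        if line.startswith("stop transaction"):
            if current is not None:
                transactions.append(current)
            current = None
            continue
        if current is None:
            continue  # text outside a transaction block (headers, blank lines)
        if (m := ID_RE.search(line)):
            current.trans_id = m.group(1)
        elif (m := FINAL_RE.match(line)):
            current.final_action = m.group(1)
        elif (m := RULE_RE.match(line)):
            current.rules.append((m.group(1), m.group(2)))
        elif (m := CONN_RE.search(line)):
            current.service, current.client = m.group(1), m.group(2)
        elif (m := USER_RE.match(line)):
            current.user = m.group(1)
        elif (m := REQ_RE.match(line)):
            current.request = (m.group(1), m.group(2))
    return transactions


def summarize(tx: Transaction) -> str:
    """One line per transaction, in the spirit of an access-log entry."""
    method, target = tx.request if tx.request else ("?", "?")
    results = ", ".join(result for result, _ in tx.rules) or "none"
    return (f"{tx.trans_id} {tx.service} {tx.client} user={tx.user} "
            f"{method} {target} -> {tx.final_action} (rules: {results})")


def skipped_rules(transactions: List[Transaction]) -> List[Tuple[str, str]]:
    """Every rule that reported n/a, i.e. did not apply to that connection at all."""
    return [(tx.trans_id, cond) for tx in transactions
            for result, cond in tx.rules if result == "n/a"]


def unauthenticated_skips(transactions: List[Transaction]) -> List[Tuple[str, str]]:
    """n/a on a user/group condition while the client was unauthenticated: the usual
    sign that the authentication step, not the rule itself, needs attention."""
    return [(tx.trans_id, cond) for tx in transactions
            if tx.user == "unauthenticated"
            for result, cond in tx.rules
            if result == "n/a" and cond.startswith(("user=", "group="))]


if __name__ == "__main__":
    txs = parse_trace(SAMPLE_TRACE)
    for tx in txs:
        print(summarize(tx))
    print("rules that did not apply:", skipped_rules(txs))
    print("user/group rules skipped while unauthenticated:", unauthenticated_skips(txs))
```

Run it against a copied trace file by replacing SAMPLE_TRACE with the file's contents; the summary lines let you find the transaction for a given client address or URL quickly, and the two lists point at rules that never fired for the connection you are debugging.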
CAUTION: Remember to turn off policy tracing after debugging is complete. Policy tracing (especially enabling tracing for all policy evaluation) generates a lot of logs, so it should be turned off when not in use.