A website is blocked or not displaying properly and you would like to troubleshoot why and unblock the website.
Web pages are composed of many different components that may be served from a variety of domains and URLs. If a page is not displaying correctly or part of a site is blocked, it can be difficult to troubleshoot the exact issue.
The site / application could be blocked for many reasons, and it is not always obvious why. If the end user is presented with a blockpage, all the information needed to unblock the site will be on the blockpage:
This will tell you the categories the site is classed as, what group the user is picked up as, their IP address and the reason it is blocked. This should give you the information necessary to unblock the site for the right group.
To help you further with this, you can also use the policy tester tool to tell you what policies apply to a certain domain / URL (under Guardian > Quick links > Policy Tester). This tool will also return HTTP codes which are useful in identifying pages or page components that are not working correctly or require additional actions to be taken (such as adding the URL to Authentication Exceptions, or disabling HTTP Strict mode).
If the end user is not presented with a blockpage, or unblocking the URL on the blockpage didn't help, another very useful tool that will show any additional sites blocked that are not immediately obvious, are the real time web filter logs (Reports > Realtime > Web filter). These logs will tell you what sites are blocked and are extremely useful in situations where only partial content is displayed, flash is blocked or you have unblocked the URL displayed on the blockpage but users still report it blocked).
Unblocking the Sites
Once you have found which sites are blocked, it is important that the site is placed in the correct category. You can find your policy table under Guardian > Web filter > Manage policies. Policies are processed top to bottom, and the first policy matched in the table is taken into effect (use the policy tester to double check you have entered the website into the correct category and the correct policy applies). If there is no policy that would currently be suitable to match the site you want to unblock, follow the below steps:
- Create a new category containing the relevant website, see our help topic, Creating custom categories.
- Create a web filter policy containing:
- Newly created category from step 1.
- Any relevant groups.
- Action Allow.
See our help topic on Creating web filter policies.
- Drag and drop the policy in the correct place (Allow would normally be on top of Block policies, and the more specific the policy, the higher up it should be). The change might take a minute to take effect while the configuration writer restarts. See our help topic, Managing web filter policies.
- Double check the correct policy is applied with the policy tester, see our help, Testing policies.
You can also watch the video on YouTube: https://youtu.be/1WRCzopSKDQ.
Few things worth noting:
Allow vs Whitelist
The allow action allows the user to access the site, but any HTTPS inspection rules and content modification rules will still be applied.
With a whitelist action, the site will be allowed. It won't be inspected if it is an HTTPS site, and no content modification will be applied.
Site Having Issues with Authentication Exceptions
If you are using NTLM or Kerberos (you can check under Web proxy > Authentication > Manage policies), and notice a high number of 407 codes against the website not working, make sure the site is listed in a category listed under Web proxy > Authentication > Exceptions. Also be careful when doing this, that this site is not blocked as Unauthenticated IPs.