Specifies the actions to be taken when communication between ICAP endpoints within this Content Filtering Server Group (CFSG) fails.
Privilege:
Security Administrator, Administrator
Syntax
failure-action { allow | content-insertion content_string | discard | redirect-url url | terminate-flow }
{ default | no } failure-action
default
Configures the default setting of terminate-flow.
no
Removes the previously configured failure action.
allow
For static content filtering, this option allows the request for content. In dynamic content filtering, it allows the content itself.
content-insertion content_string
Specifies the content string to be used for failure action.
For static content filtering, the specified text is used to create a response to the subscriber's attempt to get content. In dynamic content filtering, the specified text replaces the content returned by a server.
content_string must be an alphanumeric string of 1 through 128 characters.
discard
For static content filtering, this option discards the packet(s) requested. In dynamic content filtering, it discards the packet(s) that contain(s) the content.
redirect-url url
Redirects the subscriber to the specified URL.
url must be an alphanumeric string of 1 through 128 characters in the following format: http://search.com/subtarg=#HTTP.URL#
terminate-flow
For TCP, gracefully terminates the connection between the subscriber and external server, and sends a TCP FIN to the subscriber and a TCP RST to the server.
For WAP-Connection Oriented, the WSP session is gracefully terminated by sending WTP Aborts for each of the outstanding requests, and WSP Disconnect to the client and the server. For WSP-Connectionless, only the current WSP request is rejected.
Usage:
Use this command to set the actions on failure for server connection.
ICAP rating is enabled for retransmitted packets when the default ICAP failure action was taken on an ICAP request for that flow. The ICAP default failure action is taken on the pending ICAP request for a connection when the connection needs to be reset and there is no other redundant connection available. For example, in the ICAP request timeout and ICAP connection timeout scenarios, the retransmitted packet in the uplink direction is sent for ICAP rating again.
For WAP CO, uplink retransmitted packets for the WAP transactions for which ICAP failure action was taken will be sent for ICAP rating. The WSP header of the retransmitted packet is not parsed by the WSP analyzer. The URL received in the previous packet for that transaction is used for ICAP rating. If failure action was taken on multiple WTP transactions for the same flow (case: WTP concatenated GET request), the uplink retransmitted packet for each of the transactions is sent for rating again.
For HTTP, uplink retransmitted packets for the HTTP flow on which ICAP failure action is taken are sent for ICAP rating. The URL present in the current secondary session (last uplink request) is used for ICAP rating. However, if there were multiple outstanding ICAP requests for the same flow (pipelined request), the retransmitted packet for the URL sent for rating will be that of the last GET request.
Retransmission behavior for each failure-action taken on retransmitted packets, when the ICAP response is not received for the original request and the retransmitted request comes in:
- WSP CO:
  - Permit: The uplink packet is sent for ICAP rating and depending on the ICAP response the WTP transaction is allowed/blocked. It is possible that the WAP gateway sends the response for the permitted GET request. Hence, there is a race condition and the subscriber may be able to view the web page even though the rating was redirect or content insert.
  - Content Insert: The retransmitted packet is not sent for ICAP rating.
  - Redirect: The retransmitted packet is not sent for ICAP rating.
  - Discard: The uplink packet is sent for ICAP rating and depending on the ICAP response the WTP transaction is allowed/blocked.
  - Terminate flow: The uplink packet is sent for ICAP rating and depending on the ICAP response the WTP transaction is allowed or blocked. The WAP gateway may send an Abort transaction for this GET request if the WSP disconnect packet sent while terminating the flow is received by the WAP gateway.
- HTTP:
  - Permit: The uplink packet is sent for ICAP rating and depending on the ICAP response the last HTTP GET request. It is possible that the HTTP server sends the response for the permitted GET request. Hence, there is a race condition and the subscriber may be able to view the web page even though the rating was redirect or content insert.
  - Content Insert: Retransmitted packets are dropped and not charged.
  - Redirect: Retransmitted packets are dropped and not charged.
  - Discard: The uplink packet is sent for ICAP rating and depending on the ICAP response the WTP transaction is allowed/blocked.
  - Terminate flow: Retransmitted packets will be dropped and not charged.
Example:
The following command sets the failure action to terminate:
failure-action terminate-flow
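
The following added example is not part of the original command reference: it parses failure-action lines using the syntax above and reports, per CFSG, the effective action and whether content is allowed when ICAP communication fails. The "content-filtering server-group" block header, the exit/#exit terminator, the quote stripping and the sample configuration are assumptions made for illustration.

```python
ACTIONS = ("allow", "content-insertion", "discard", "redirect-url", "terminate-flow")
TAKES_ARG = ("content-insertion", "redirect-url")
DEFAULT_ACTION = "terminate-flow"  # default documented on this page

def parse_failure_action(line):
    """Return (action, argument) for one command line; raise ValueError if malformed."""
    words = line.split(None, 2)
    if words == ["default", "failure-action"]:
        return DEFAULT_ACTION, None
    if words == ["no", "failure-action"]:
        return None, None  # previously configured action removed
    if len(words) < 2 or words[0] != "failure-action" or words[1] not in ACTIONS:
        raise ValueError("not a failure-action command: %r" % line)
    # Assumption: the argument is the rest of the line, optionally double-quoted.
    arg = words[2].strip('"') if len(words) == 3 else None
    if (words[1] in TAKES_ARG) != (arg is not None):
        raise ValueError("wrong number of arguments for " + words[1])
    if arg is not None and not 1 <= len(arg) <= 128:
        raise ValueError("argument must be 1 through 128 characters")
    return words[1], arg

def audit_config(text):
    """Map each CFSG name to (effective action, fails_open)."""
    actions, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: a CFSG block opens with this header and closes with exit/#exit.
        if line.startswith("content-filtering server-group "):
            group = line.split()[2]
            actions[group] = DEFAULT_ACTION  # applies until a command overrides it
        elif group and line in ("exit", "#exit"):
            group = None
        elif group and "failure-action" in line.split()[:2]:
            actions[group] = parse_failure_action(line)[0]
    # "allow" passes content when ICAP communication fails, so it is flagged.
    return {g: (a, a == "allow") for g, a in actions.items()}

# Constructed sample configuration (group names are made up).
SAMPLE = """\
content-filtering server-group cfsg-a
  failure-action allow
#exit
content-filtering server-group cfsg-b
  failure-action redirect-url http://search.com/subtarg=#HTTP.URL#
#exit
content-filtering server-group cfsg-c
#exit
"""
print(audit_config(SAMPLE))
```

A group with no failure-action line, such as cfsg-c in the sample, is reported with the documented default of terminate-flow.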