
Web Gateway

18 Posts tagged with the gateway tag

Respecting Privacy

Posted by michael_schneider Mar 5, 2014

In the last year, I have been asked multiple times about Web Gateway and how it handles information that is deemed private, confidential or protection-worthy, such as username/IP-to-URL mappings: how it handles cloud lookups, what data it sends, how customers can influence the behaviour of the product, and how they can protect the sensitive information the product deals with.

The attached document responds to several of these questions and should give guidance on avoiding data privacy issues or on leaving confidential data untouched.

 

Thanks,

Michael

 

--

Michael Schneider

Sr. Product Manager

I have seen posts on this forum that include a feedback, a backup, a full policy and the like.

While this clearly helps to solve the issue and enables a larger crowd to understand your problem - think about what you are doing!

 

The feedback is a snapshot of your entire McAfee Web Gateway including all aspects, depending on what level you have chosen (if done via the UI, this will be the full scope and all info of your installation, incl. license, etc.).

Based on the above sentence, I strongly encourage you - if not beg you: DON'T POST THIS INFORMATION HERE!

You wouldn't post your credit card info to a public forum, would you? Think about the feedback the same way!!! Only send this to trusted McAfee employees when asked for it, or to support proactively when opening a case via the support portal. Don't give that info to anybody else!!!

The biggest implication for you is that you are opening up your internal secrets to the public and are creating a data loss incident for your company.

On the contractual side, you are opening a licensing compliance issue, as the EULA states:

2) License Grant.

Subject to the terms and conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right to use the Software (for the purpose of this Agreement, use of the Software means to access, install, download, copy or otherwise benefit from using the Software) listed in the Grant Letter solely for your own internal business operations. You acknowledge that the Software and all related information are proprietary to McAfee and its suppliers. You are not granted rights to Updates and Upgrades unless you have purchased Support or a service subscription.

By posting the license to the public (as part of the backup or feedback), you are actually transferring the license. The least that can happen is a termination of the license and the creation of a new one. I will not avenge this incident with any legal action, but can't predict what happens in case somebody else reads this.

 

As a simple rule:

DON'T post any such information here - a single rule is fine, but think about SSL Scanning rules, Encryption rules etc., as they will include certificates and passwords.

Trusted McAfee employees can be identified by the SME tag in their profile - make sure to check that before sending anything to somebody via PM, or only send to @mcafee.com addresses.

[image: sme.jpg]


MWG 7.3.1 is BETA

Posted by michael_schneider Dec 20, 2012

Hello Community,

 

MWG 7.3.1 has been released into Beta state this week! Feel free to start downloading and testing this version.

Amongst other great features, it offers support for offline update, where admins can download patterns from a McAfee Portal and apply them to the product.

This is helpful in case you are operating MWG in an environment without Internet access, or want to stage or test an update prior to using it.

 

To get access to this version, please download it from the Content & Cloud Security Portal.

 

Enjoy our new version,

Michael

Web Gateway 7.3.0 is now available.

This controlled release offers several new features and usability enhancements including:

 

  • Updated Gateway Anti-Malware Engine (v2012): more intensive emulation of web content, new behavioral exploit detection including heap-spray buffer overflow attacks, protection against botnet traffic, and detection improvements for PDF malware and FakeAV.
  • Application control engine update: detects more sub-functionality.
  • Redesigned rule library
  • Setup wizard to guide administrators through the setup and install process.
  • McAfee Cloud Identity Manager (MCIM) support: Cloud Identity Manager uses the identity obtained during user authentication on Web Gateway to perform single sign on operations.
  • IFP (Internet Filtering Protocol) support
  • Operating system update to MLOS 2.1


As you might know, YouTube offers a feature specifically designed for schools in order to only allow access to videos that were approved for the school's use.

Find more details here: https://www.youtube.com/education.

Interestingly, McAfee Web Gateway has had the ability ever since to enable your school to participate in this service! Specific instructions are provided by Google on this page.

Here is how McAfee Web Gateway can help make your school's YouTube a better learning experience:

Environment

McAfee Web Gateway 7.x
McAfee Web Gateway 6.x

Summary

YouTube offers an educational site that allows schools to access YouTube EDU content. This allows the administrator to control which videos are viewable in their network. Each school is given a unique HTTP header and value that must be added to a user's request to access *.youtube.com.

Problem

How do I add a specific HTTP header to all requests destined for YouTube For Schools?

Solution 1

Web Gateway 7.x

  1. In the Web Gateway GUI, navigate to Policy, Rule Sets.
  2. Click Add and Add a Top-Level Ruleset.
     1. Apply this Rule Set only to Requests.
     2. Place criteria on this ruleset so that it is only matched if URL.Host matches *.youtube.com.
  3. Add a Rule to add a header.
     1. Click the Add Rule button.
     2. Give the Rule a descriptive Name.
     3. Apply this rule Always. (Use Always because you already put criteria for *.youtube.com on the rule set.)
     4. Set the Action to Continue.
     5. Add an Event. Choose Header.Add (String, String).
     6. Click the Parameter button and set the following:
        • Parameter 1: Header Name (String)
          Value: X-YouTube-Edu-Filter
        • Parameter 2: Header Value (String)
          Value: MD8S2VmzxPZdyL4QB-EvKP
          NOTE: Type your own unique Header ID given to you by YouTube For Schools in the Header Value field.
     7. Click OK to finish adding your rule.
  4. Save changes.

The X-YouTube-Edu-Filter header should now be added to each request destined for a youtube.com host.

 

 

Solution 2

Web Gateway 6.x

  1. In the Web Gateway GUI, navigate to Common, Generic Header Filter.
  2. Ensure the Generic Header Filter setting is enabled. (To enable, select the checkbox next to it.)
  3. Select the Policy you want to apply it to. (If you want to add this to more than one policy, select Add to all policies when adding the rule.)
  4. Add the Rule:
     • Select the box for HTTP Request.
     • Condition Header: Host
       Condition Value: *.youtube.com
     • Result Header: X-YouTube-Edu-Filter
       Result Value: MD8S2VmzxPZdyL4QB-EvKP
       NOTE: Type your own unique Header ID given to you by YouTube For Schools in the Result Value field.
  5. Select Add or Add to all policies.
  6. Apply Changes.

The X-YouTube-Edu-Filter header should now be added to each request destined for a youtube.com host.
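The two solutions above both reduce to one decision: add the header only when the request host is under youtube.com. The following is an added example, not Web Gateway code and not part of the KB article: it reproduces that decision in plain Python so the host match can be tested offline. It deliberately matches whole DNS labels (so notyoutube.com and youtube.com.example.net are excluded) and, by choice, also accepts the apex host youtube.com. The filter ID constant and the sample requests are constructed placeholders.

```python
# Added example (not Web Gateway code, not from KB73790): header injection for
# YouTube For Schools with a label-aware host match. Filter ID is a placeholder.
from urllib.parse import urlsplit

EDU_HEADER = "X-YouTube-Edu-Filter"
EDU_FILTER_ID = "REPLACE-WITH-YOUR-YOUTUBE-FOR-SCHOOLS-ID"  # constructed placeholder


def host_matches(host: str, pattern: str) -> bool:
    """Match a host name against a wildcard pattern such as '*.youtube.com'.

    Only whole labels count: 'www.youtube.com' and (by choice) the apex
    'youtube.com' match, while 'notyoutube.com' and 'youtube.com.example.net'
    do not, even though a plain substring test would accept both.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def add_edu_header(url: str, headers: dict, filter_id: str = EDU_FILTER_ID) -> dict:
    """Return a copy of the request headers with the EDU header added when the
    request host is under youtube.com. This is the equivalent of the rule's
    Header.Add event guarded by the rule set's URL.Host criteria (7.x) or the
    Generic Header Filter's Host condition (6.x)."""
    out = dict(headers)
    host = urlsplit(url).hostname or ""
    if host_matches(host, "*.youtube.com"):
        out[EDU_HEADER] = filter_id
    return out


if __name__ == "__main__":
    # Constructed sample requests: only the first one gets the header.
    for sample in ("https://www.youtube.com/watch?v=example",
                   "https://notyoutube.com/",
                   "https://youtube.com.example.net/"):
        print(sample, "->", add_edu_header(sample, {"Accept": "*/*"}, "TEST-ID"))
```

The label-aware match is the part worth keeping in mind when translating the rule: a criterion that matches "youtube.com" anywhere in the host would also tag requests to unrelated hosts that merely contain that string, and the header value is a per-school identifier that should not leak to third parties.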

 

This solution is available as an official KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB73790

 

 

For your convenience, McAfee is offering a complete rule set for this solution on the Content & Cloud Security Portal, to be used with MWG 7.

 

 


 


McAfee Web Gateway 7.2.0 release announcement

McAfee Web Gateway 7.2.0 is available for download and update

  • Do you need to apply Data Leakage Prevention controls to your web traffic?
  • Do you need to import your own list into web gateway?
  • Would you like to use ePO to administrate the policy content?
  • Are you looking for an easier way to create your rules?
  • Do you need to secure your road warriors' web traffic?
  • Do you need to control the SaaS and on premise policy from within a single console?

 

 

McAfee Web Gateway has had great success in satisfying our customers' needs due to its unmatched feature set, including GTI-enabled Gateway Antimalware, GTI-enabled URL Filtering, SSL Scanning, and flexible deployment options.

 

With the release of McAfee Web Gateway 7.2.0, McAfee is releasing functionality on Web Gateway to apply DLP controls to web traffic. The product includes a specialized Data Leakage Prevention (DLP) engine, which allows categorizing content into predefined categories. It furthermore allows creating custom dictionaries.

 

The concept of Subscribed Lists allows our customers to import their own lists into Web Gateway on a schedule, similar to our URL Filter updates. McAfee also provides a collection of predefined lists to customers, introducing a service in which we manage commonly used list data, such as Windows Update servers, Citrix GoToMeeting, etc., for our customers to use in their policy.

 

The Common Catalog enables Web Gateway to retrieve list data from ePO. This allows creating a common set of lists between products and technologies using the Common Catalog, and simply enables our customers to use ePO to manage aspects of the MWG policy content.

 

To ease policy creation, version 7.2 introduces a new rule criteria builder that allows in-context editing and creation of rules, including guidance on suitable properties, operators and values or lists.

 

With the release of McAfee Web Gateway 7.2, McAfee releases a concept known as Web Hybrid, which enables our customers to secure their web traffic regardless of location. It combines Web Reporter, the Web Protection Service (WPS) and McAfee Web Gateway into a single solution. McAfee Client Proxy (MCP) enables organizations of all sizes to detect that a corporate laptop is operating outside the corporate network, where the protection by Web Gateway is no longer available; MCP will redirect traffic to WPS in this case.

 

As part of Web Hybrid, McAfee Web Gateway now allows administration of the SaaS policy from within the Web Gateway console and, as an additional benefit, allows creating a common policy between SaaS and on-premise appliances.

 

The release of Web Gateway 7.2 concludes a project known as Titanium, which includes all features of its previous iterations MWG 7.1.5 and MWG 7.1.6.

 

As this release combines all features of the project into a single release, it offers:

 

  • DLP based on predefined categories and the ability to create custom dictionaries to control traffic for confidential data or to enforce regulatory
  • Subscribed Lists to import lists from external sources on a schedule, enabling customers to manage these lists in different systems.
  • Common Catalog to share list data with other products and to enable administrators to manage the policy content of MWG within ePO.
  • New rule creation dialog for in-context creation and editing of rules.
  • Web Hybrid to enable our customers to apply web security to their traffic regardless of location, including common policy and common management from a single administration console.
  • All other features from the previous iterations of the Titanium project:
    • Application Control based on the AppPrism database, with over 700 unique applications and functions, grouped into 28 categories, including dashboard representation of application statistics. With Application Control, administrators can elect to deny specific applications, such as uploading photos to Facebook, communicating via instant messaging on Yahoo! or updating a personal profile on LinkedIn, while still allowing access to the primary websites for business purposes.
    • External Lists to connect to and retrieve policy list content from outside of Web Gateway during runtime.
    • REST interface as an XML-based API to tie Web Gateway into external management systems such as policy automation tools, help desk systems, etc., and to create additional functionality around Web Gateway if needed.
    • ICAPS to secure ICAP connections with SSL encryption.
    • Avira as a native integration into Web Gateway with optimized data flow between McAfee Gateway Antimalware and the Avira third-party engine. Previously Avira was part of the GWAM SDK, whereas now it is integrated as a third-party engine directly into Web Gateway. The implementation now corresponds to the one in MWG 6.9.
    • Several usability enhancements:
      • 'User Preferences' to set options for the current admin user and to change the password
      • 'Discard Changes' to discard all changes since the last save of the policy
      • 'Reset Dashboard' to clean all dashboards
    • XMPP Proxy to intercept and monitor chat communication for XMPP-enabled applications, such as Facebook Chat or Google Talk.
    • Web Gateway NTP service to ease the setup of new appliances in clusters by making sure that all new installations using this version and later are set up with the correct time, to avoid central management and logging issues.
    • Hardware support for the M3, M7 chassis and G6, G6.5 blades.
    • Proxy Tunnel Event to enable non-RFC-compliant but business-critical sites to send data through Web Gateway.
    • Administrator and user authentication with client certificates to allow users to use smart cards, tokens or any other source of certificates to access the administration console.
    • McAfee Client Proxy authentication support for user identification while MCP redirects traffic to Web Gateway.
    • Security of mobile devices, which provides secure access from devices running iOS (Apple's iPhone/iPad) and Android to the Internet and to selected intranet sites.
    • Bandwidth throttling to enable MWG to control the rate at which it accepts data, in order to control via policy the download and upload speed of different types of web content.
    • Timers to measure delays at all processing stages, so that administrators can analyze where delays happen, which improves troubleshooting.
    • IP spoofing to support retention of the original client IP on the outgoing connection for explicit proxy modes.

 

Note:

 

Customers on the main release branch (MWG 7.1.0.x) are advised to wait until 7.2 becomes GA in one of the next maintenance releases and is available as direct upgrade from within the main release branch. Customers on the controlled release branch (MWG 7.1.5.x/7.1.6.x) will receive this update as part of their chosen controlled release branch.

 

An announcement via SNS will be sent on May 3rd.


Best regards,

The McAfee Web Gateway product team


McAfee Web Gateway 7.1.6 has been released

 


McAfee Web Gateway 7.1.6 is available for download and update

 

 

  • Do you need to identify and control Web 2.0 applications?
  • Do you need to manage policy content at an external source?
  • Do you need to automate policy content changes using another system outside MWG?
  • Do you need the power of 16 2HU appliances in just 10HU?

 

 

McAfee Web Gateway has had great success in satisfying our customers' needs due to its unmatched feature set, including GTI-enabled Gateway Antimalware, GTI-enabled URL Filtering, SSL Scanning, and flexible deployment options.

 

With the release of McAfee Web Gateway 7.1.6 we go a step further and provide the ability to identify Web 2.0 applications and their sub-functions as easily as doing URL Filtering. Web Gateway uses the AppPrism database as a comprehensive list of over 700 Web 2.0 applications and sub-functions grouped into 28 categories.

 

In this release Web Gateway introduces External Lists, which provide McAfee Web Gateway with the capability to consume policy list data hosted on servers outside of McAfee Web Gateway and to  dynamically query these resources at runtime while processing the policy for a transaction. External Lists allow customers to use web services, locally stored files and LDAP servers as resources for policy data.

 

As a powerful feature behind the scenes, McAfee Web Gateway is now equipped with a REST interface, which provides an XML-based API to connect other systems to Web Gateway. These APIs allow control of Web Gateway functionality, such as list creation, deletion and modification, log file access and operations, system control, etc. By utilizing this API, a customer can control Web Gateway from within other systems, such as policy automation tools, help desk systems, etc., and can create additional functionality around Web Gateway if needed.

 

As a new hardware platform, McAfee Web Gateway 7.1.6 now supports the Content Security Blade Server and allows installation of the MWG image through the built-in iLO interface.

 

This new release offers:

 

  • Application Control based on the AppPrism database, with over 700 unique applications and functions, grouped into 28 categories, including dashboard representation of application statistics. With Application Control, administrators can elect to deny specific applications, such as uploading photos to Facebook, communicating via instant messaging on Yahoo! or updating a personal profile on LinkedIn, while still allowing access to the primary websites for business purposes.
  • External Lists to connect to and retrieve policy list content from outside of Web Gateway during runtime.
  • REST interface as an XML-based API to tie Web Gateway into external management systems such as policy automation tools, help desk systems, etc., and to create additional functionality around Web Gateway if needed.
  • ICAPS to secure ICAP connections with SSL encryption.
  • Avira as a native integration into Web Gateway with optimized data flow between McAfee Gateway Antimalware and the Avira third-party engine. Previously Avira was part of the GWAM SDK, whereas now it is integrated as a third-party engine directly into Web Gateway. The implementation now corresponds to the one in MWG 6.9.
  • Several usability enhancements:
    • 'User Preferences' to set options for the current admin user and to change the password
    • 'Discard Changes' to discard all changes since the last save of the policy
    • 'Reset Dashboard' to clean all dashboards
  • XMPP Proxy to intercept and monitor chat communication for XMPP-enabled applications, such as Facebook Chat or Google Talk.
  • Web Gateway NTP service to ease the setup of new appliances in clusters by making sure that all new installations using this version and later are set up with the correct time, to avoid central management and logging issues.
  • Hardware support for the M3, M7 chassis and G6, G6.5 blades.
  • Proxy Tunnel Event to enable non-RFC-compliant but business-critical sites to send data through Web Gateway.
  • Administrator authentication with client certificates
  • McAfee Client Proxy authentication support for user identification while MCP redirects traffic to Web Gateway.*

*McAfee Client Proxy MCP is a technology that is currently in Beta and is to be released early next year.

 


 

Thanks to all who participated in the release and made this possible.

 

Best regards,

The McAfee Web Gateway product team


This post is from Jeff, who put it into our discussion board, but it is so good that it just makes sense to be in the blog. Thanks to Jeff for putting this info together:

 

 

 

I've had a couple of customers ask me how to enhance/automate their troubleshooting when an end user observes a block that they weren't expecting. The Site Review ruleset that is posted here (Re: Block Page - Email Link - add URL and other good info) is a good start, but if an administrator follows the link in the received email they might not get the same rules applied (because the administrator is using a different username and is a member of different groups) and the site might behave differently through MWG. The attached zip contains rulesets to help with this challenge. Note that the impersonation ruleset currently only resets the usernames and user groups. If there are other criteria (for example source IP) used in your rulesets to determine action, you will need to modify the rulesets accordingly.

 

 

This ruleset 1) allows authenticated users that match the Impersonation Users list (administrators) to impersonate any other user (and get the same reaction from MWG) without needing the end user's password and 2) automatically generates a rule trace of the request. The rulesets are designed for an AD/NTLM environment but could be adapted for straight LDAP, or Kerberos. Users in the Impersonation Users list can impersonate another user for 2 minutes following a request that adds the parameter impersonate=<username> to any URL.

 

The ruleset is supplemented by a logging rule that preserves the integrity of the access log and creates a separate log that includes the original user name and the impersonated user name. Also included in the zip is a modified version of the Site Review ruleset that adds the requesting user's email address and groups, as well as a link already configured to enable impersonation. The zip file also includes a README.txt with installation instructions. Note that the readme is still pretty rough and may contain errors. If anyone uses it to install, I'd like feedback on how it could be improved.

Rule Sets

Impersonate_v2
[This ruleset allows users in the Impersonation Users list to impersonate other users for a time period determined by the Impersonate PDStorage settings. Default is 2 minutes. Impersonation is triggered by adding the URL parameter impersonate=<username> to the URL, where <username> is the username to be impersonated. If you wish to reset the impersonation prior to the end of the PDStorage setting, simply add the parameter with the username set to "clearimp" (without quotes). This ruleset is designed to work with MS AD LDAP. Don't forget to customize the Authentication Engine settings (Get LDAP Groups for Username) to match your environment. Ruleset designed and tested with AD only, many rules will need to be tweaked for other environments.]
Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
Criteria:
  1: Authentication.IsAuthenticated equals true
  2: AND Authentication.UserName is in list Impersonation Users
  3: AND (URL.HasParameter("impersonate") equals true
  4: OR PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage> does not equal "")

Nested rule set: Set Up Impersonation
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria: Always

Rules (columns: Enabled | Rule | Action | Events | Comments):

Enabled | Turn Rule Tracing On by Default
  Criteria:
    1: (URL.HasParameter("tracing") equals false
    2: AND PDStorage.GetUserData.String("ImpTracing")<Impersonate PDStorage> matches on)
    3: OR URL.GetParameter("tracing") does not match off
  Action: Continue
  Events:
    Enable RuleEngine Tracing
    PDStorage.AddUserData.String("ImpTracing","on")<Impersonate PDStorage>
  Comments: Turn on rule tracing unless URL parameter tracing equals off

Enabled | Clear Impersonation
  Criteria:
    1: URL.HasParameter("impersonate") equals true
    2: AND URL.GetParameter("impersonate") equals "clearimp"
  Action: Stop Rule Set
  Events:
    Set User-Defined.Impersonate = false
    PDStorage.DeleteUserData("ImpUser")
    PDStorage.DeleteUserData("ImpGroups")
    PDStorage.DeleteUserData("ImpTracing")
  Comments: Set boolean flag and clear PDStorage

Enabled | Set Impersonation Equal True
  Criteria: Always
  Action: Continue
  Events:
    Set User-Defined.Impersonate = true
  Comments: Set boolean flag for easy use elsewhere and for logging and troubleshooting

Enabled | Set Impersonate User From URL Parameter
  Criteria:
    1: URL.HasParameter("impersonate") equals true
  Action: Continue
  Events:
    Set User-Defined.ImpersonateUser = URL.GetParameter("impersonate")
    PDStorage.AddUserData.String("ImpUser",User-Defined.ImpersonateUser)<Impersonate PDStorage>
  Comments: Pull user to impersonate from URL Parameter and save to PDStorage

Enabled | Set Impersonate User From PDStorage
  Criteria:
    1: URL.HasParameter("impersonate") equals false
  Action: Continue
  Events:
    Set User-Defined.ImpersonateUser = PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage>
  Comments: Get user to impersonate from PDStorage

Enabled | Save Original User and Set New Username
  Criteria: Always
  Action: Continue
  Events:
    Set User-Defined.OriginalUser = Authentication.UserName
    Set Authentication.UserName = User-Defined.ImpersonateUser
    Set Authentication.RawUserName = User-Defined.ImpersonateUser
  Comments: Save the original user and impersonated user for use in logging. Set Authentication.UserName and Authentication.RawUserName for use in impersonation.

Enabled | Set New Groups from PDStorage
  Criteria:
    1: URL.HasParameter("impersonate") equals false
  Action: Continue
  Events:
    Set Authentication.UserGroups = PDStorage.GetUserData.List.String("ImpGroups")<Impersonate PDStorage>
  Comments: If the impersonate parameter does not exist, then groups must be stored in PDStorage. Get them!

Enabled | Set New Groups from Base64 Encoded Groups Parameter
  Criteria:
    1: URL.HasParameter("groups") equals true
  Action: Continue
  Events:
    Set Authentication.UserGroups = String.ToStringList(String.Base64Decode(URL.GetParameter("groups")),",","")
  Comments: The modified site review ruleset will send the original groups base64 encoded as part of the impersonate URL. This can be used to make sure you are using the exact same groups as the original request.

Enabled | Set New Groups by LDAP lookup
  Criteria:
    1: URL.HasParameter("impersonate") equals true
    2: AND URL.HasParameter("groups") equals false
  Action: Continue
  Events:
    Set Authentication.UserGroups = Authentication.GetUserGroups<Get LDAP User Groups For Username>
    Set Authentication.UserName = User-Defined.ImpersonateUser
    Set Authentication.RawUserName = User-Defined.ImpersonateUser
  Comments: Set Authentication.UserGroups by looking up groups in LDAP. LDAP settings use samaccountname=%u for a filter and %u comes from Authentication.RawUserName. This process has the undesired effect of replacing Authentication.UserName with the LDAP fully qualified username. To correct that, Authentication.UserName is reset to User-Defined.ImpersonateUser.

Enabled | Add Group From addgroup Parameter
  Criteria:
    1: URL.HasParameter("impersonate") equals true
    2: AND URL.HasParameter("groups") equals false
    3: AND URL.HasParameter("addgroup") equals true
  Action: Continue
  Events:
    Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,URL.GetParameter("addgroup"))
  Comments: Edit and enable this rule if you want to add a group to the group list. Note that the LDAP lookup against AD does not return the primary group, which is Domain Users by default.

Disabled | Add Domain Users to LDAP Group List if No Group Match in Service Group List
  Criteria:
    1: URL.HasParameter("impersonate") equals true
    2: AND URL.HasParameter("groups") equals false
    3: AND Authentication.UserGroups none in list Service Groups List
  Action: Continue
  Events:
    Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,"Domain Users")
  Comments: Edit and enable this rule if you want to conditionally add groups to the group list. Note that the LDAP lookup against AD does not return the primary group, which is Domain Users by default.

Enabled | Set PDStorage ImpGroups if Impersonate Parameter Present
  Criteria:
    1: URL.HasParameter("impersonate") equals true
  Action: Continue
  Events:
    PDStorage.AddUserData.List.String("ImpGroups",Authentication.UserGroups)<Impersonate PDStorage>
  Comments: Set PDStorage ImpGroups to match groups so that all requests that are part of the page will also be handled as if they were made by the user being impersonated. Length of time for impersonation is determined by the PDStorage setting (Impersonate PDStorage). Default is two minutes for the ruleset.

Nested rule set: Clear URL Parameters
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria: Always

Rules (columns: Enabled | Rule | Action | Events | Comments):

Enabled | Remove Tracing Parameter
  Criteria:
    1: URL.HasParameter("tracing") equals true
    2: AND URL.HasParameter("impersonate") equals true
  Action: Continue
  Events:
    Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("tracing"),regex((\S+)),"tracing=\1")
    Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
    Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
  Comments: Remove the tracing parameter so that site operation is unaffected.

Enabled | Remove Groups Parameter
  Criteria:
    1: URL.HasParameter("groups") equals true
    2: AND URL.HasParameter("impersonate") equals true
  Action: Continue
  Events:
    Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("groups"),regex((\S+)),"groups=\1")
    Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
    Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
  Comments: Remove the groups parameter so that site operation is unaffected.

Enabled | Remove addgroup Parameter
  Criteria:
    1: URL.HasParameter("addgroup") equals true
    2: AND URL.HasParameter("impersonate") equals true
  Action: Continue
  Events:
    Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("addgroup"),regex((\S+)),"addgroup=\1")
    Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
    Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
  Comments: Remove the addgroup parameter so that site operation is unaffected.

Enabled | Remove Impersonate Parameter
  Criteria:
    1: URL.HasParameter("impersonate") equals true
  Action: Continue
  Events:
    Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("impersonate"),regex((\S+)),"impersonate=\1")
    Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
    Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
  Comments: Remove the impersonate parameter so that site operation is unaffected.


The Impersonate Log ruleset creates an impersonate.log logfile and fills it with entries that look like this:

[11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.168.197.112 403 "GET http://www.playboy.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15" "" "10"

 

Rule Sets

Impersonate Log
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria:
  1: User-Defined.Impersonate equals true

Rules (columns: Enabled | Rule | Action | Events | Comments):

Enabled | Write Impersonate Log and Reset Original Username
  Criteria: Always
  Action: Continue
  Events:
    Set User-Defined.logLine =
         DateTime.ToWebReporterString +
         " "" +
         User-Defined.OriginalUser +
         "_as_" +
         Authentication.UserName +
         "" " +
         String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
         " " +
         String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
         " "" +
         Request.Header.FirstLine +
         "" " +
         """ +
         List.OfCategory.ToString(URL.Categories(MostRecent)) +
         "" "" +
         URL.ReputationString(MostRecent) +
         "" "" +
         MediaType.ToString(MediaType.FromHeader) +
         "" " +
         String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
         " "" +
         Header.Get("User-Agent") +
         "" "" +
         List.OfString.ToString(Antimalware.VirusNames(MostRecent)) +
         "" "" +
         Number.ToString(Block.ID) +
         """ +
         String.CRLF
    FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Impersonate Log Configuration>
    Set Authentication.UserName = User-Defined.OriginalUser
  Comments: Track impersonations in separate log. Access log should report original username for accuracy
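The Impersonate_v2 rule set above and the Impersonate Log rule that follows it together form one flow: gate on an authenticated member of the Impersonation Users list, pick the user to impersonate from the URL parameter or from the PDStorage entry that outlives it for two minutes, resolve groups (from the base64 groups parameter, or an LDAP lookup plus an optional addgroup), strip the control parameters before the request goes out, and record the original and impersonated names in a separate log while the access log keeps the original user. The following is an added example, not Jeff's rule set and not Web Gateway code: it reproduces that decision logic and the log line layout in plain Python so the behaviour (including the "clearimp" reset and TTL expiry) can be tested offline. The allow-list, the TTL store, the sample users and the LDAP stand-in are constructed; rule tracing is left out, and the ", " list separator in the log line is an assumption about the product's list-to-string output.

```python
# Added example (not Jeff's rule set, not Web Gateway code): the Impersonate_v2
# decision logic and the Impersonate Log line builder in plain Python.
# Allow-list, TTL store, sample users and the LDAP stand-in are constructed.
import base64
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

IMPERSONATION_USERS = {"Administrator"}  # constructed "Impersonation Users" list
IMPERSONATION_TTL = 120                   # seconds; the rule set's 2-minute PDStorage default
CONTROL_PARAMS = ("impersonate", "groups", "addgroup", "tracing")


class ImpersonationStore:
    """Per-admin impersonation state with a TTL (stand-in for Impersonate PDStorage)."""

    def __init__(self, ttl=IMPERSONATION_TTL):
        self.ttl = ttl
        self._data = {}  # admin -> (expires_at, impersonated_user, groups)

    def set(self, admin, imp_user, imp_groups, now):
        self._data[admin] = (now + self.ttl, imp_user, list(imp_groups))

    def get(self, admin, now):
        entry = self._data.get(admin)
        if entry is None or entry[0] <= now:
            self._data.pop(admin, None)  # expired entries are dropped
            return None
        return entry[1], entry[2]

    def clear(self, admin):
        self._data.pop(admin, None)


def strip_control_params(url):
    """Drop the control parameters before forwarding (the Clear URL Parameters rules)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CONTROL_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def resolve_user(authenticated, user, groups, url, store, lookup_groups, now=None):
    """Return (effective_user, effective_groups, forwarded_url, original_user).

    original_user is None when no impersonation took place. lookup_groups(name)
    stands in for the LDAP group lookup used when no groups parameter is sent.
    """
    now = time.time() if now is None else now
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    # Rule-set criteria: only authenticated members of the allow-list, and only
    # when a parameter is present or impersonation state is already stored.
    if not (authenticated and user in IMPERSONATION_USERS):
        return user, list(groups), url, None
    stored = store.get(user, now)
    if "impersonate" not in params and stored is None:
        return user, list(groups), url, None
    if params.get("impersonate") == "clearimp":  # Clear Impersonation
        store.clear(user)
        return user, list(groups), strip_control_params(url), None
    if "impersonate" in params:
        imp_user = params["impersonate"]
        if "groups" in params:  # base64 group list sent by the modified Site Review link
            imp_groups = base64.b64decode(params["groups"]).decode().split(",")
        else:
            imp_groups = list(lookup_groups(imp_user))
            if "addgroup" in params:  # Add Group From addgroup Parameter
                imp_groups.append(params["addgroup"])
        store.set(user, imp_user, imp_groups, now)  # Set PDStorage ImpGroups
    else:
        imp_user, imp_groups = stored  # Set Impersonate User / Groups From PDStorage
    return imp_user, imp_groups, strip_control_params(url), user


def _quoted(value):
    return '"%s"' % value


def _dash_if_empty(value):
    text = "" if value is None else str(value)
    return text or "-"


def format_impersonate_log(timestamp, original_user, imp_user, client_ip, status,
                           request_line, categories, reputation, media_type,
                           body_size, user_agent, virus_names, block_id):
    """Build one impersonate.log line in the layout of the sample entry above.
    Lists are joined with ", " here; the product's separator is assumed."""
    fields = [
        "[%s]" % timestamp,
        _quoted("%s_as_%s" % (original_user, imp_user)),
        _dash_if_empty(client_ip),
        _dash_if_empty(status),
        _quoted(request_line),
        _quoted(", ".join(categories)),
        _quoted(reputation),
        _quoted(media_type),
        _dash_if_empty(body_size),
        _quoted(user_agent),
        _quoted(", ".join(virus_names)),
        _quoted(block_id),
    ]
    return " ".join(fields)
```

Two properties of the rule set are what the model makes visible: a request from anyone outside the allow-list is forwarded untouched, parameters included, so the impersonate parameter is inert for ordinary users; and the stored state expires on its own, so an administrator who forgets to send clearimp is not left impersonating someone indefinitely.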

 

Modified Site Review


 

Rule Sets

Rule Set: Impersonate_v2 (Enabled)
  Description: This ruleset allows users in the Impersonation Users list to impersonate other users for a time period determined by the Impersonate PDStorage settings. Default is 2 minutes. Impersonation is triggered by adding the URL parameter impersonate=<username> to the URL, where <username> is the username to be impersonated. If you wish to reset the impersonation prior to the end of the PDStorage setting, simply add the parameter with the username set to "clearimp" (without quotes). This ruleset is designed to work with MS AD LDAP. Don't forget to customize the Authentication Engine settings (Get LDAP Groups for Username) to match your environment. Ruleset designed and tested with AD only, many rules will need to be tweaked for other environments.
  Applies to Requests: True / Responses: False / Embedded Objects: False
  Criteria:
    1: Authentication.IsAuthenticated equals true
    2: AND Authentication.UserName is in list Impersonation Users
    3: AND (URL.HasParameter("impersonate") equals true
    4: OR PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage> does not equal "")

Rule Set: Set Up Impersonation (Enabled)
  Applies to Requests: True / Responses: True / Embedded Objects: True
  Criteria: Always

  Rule: Turn Rule Tracing On by Default (Enabled)
    Criteria:
      1: (URL.HasParameter("tracing") equals false
      2: AND PDStorage.GetUserData.String("ImpTracing")<Impersonate PDStorage> matches on)
      3: OR URL.GetParameter("tracing") does not match off
    Action: Continue
    Events:
      Enable RuleEngine Tracing
      PDStorage.AddUserData.String("ImpTracing","on")<Impersonate PDStorage>
    Comments: Turn on rule tracing unless URL parameter tracing equals off

  Rule: Clear Impersonation (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.GetParameter("impersonate") equals "clearimp"
    Action: Stop Rule Set
    Events:
      Set User-Defined.Impersonate = false
      PDStorage.DeleteUserData("ImpUser")
      PDStorage.DeleteUserData("ImpGroups")
      PDStorage.DeleteUserData("ImpTracing")
    Comments: Set boolean flag and clear PDStorage

  Rule: Set Impersonation Equal True (Enabled)
    Criteria: Always
    Action: Continue
    Events:
      Set User-Defined.Impersonate = true
    Comments: Set boolean flag for easy use elsewhere and for logging and troubleshooting

  Rule: Set Impersonate User From URL Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
    Action: Continue
    Events:
      Set User-Defined.ImpersonateUser = URL.GetParameter("impersonate")
      PDStorage.AddUserData.String("ImpUser",User-Defined.ImpersonateUser)<Impersonate PDStorage>
    Comments: Pull user to impersonate from URL Parameter and save to PDStorage

  Rule: Set Impersonate User From PDStorage (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals false
    Action: Continue
    Events:
      Set User-Defined.ImpersonateUser = PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage>
    Comments: Get user to impersonate from PDStorage

  Rule: Save Original User and Set New Username (Enabled)
    Criteria: Always
    Action: Continue
    Events:
      Set User-Defined.OriginalUser = Authentication.UserName
      Set Authentication.UserName = User-Defined.ImpersonateUser
      Set Authentication.RawUserName = User-Defined.ImpersonateUser
    Comments: Save the original user and impersonated user for use in logging. Set Authentication.Username and Authentication.RawUserName for use in impersonation.

  Rule: Set New Groups from PDStorage (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals false
    Action: Continue
    Events:
      Set Authentication.UserGroups = PDStorage.GetUserData.List.String("ImpGroups")<Impersonate PDStorage>
    Comments: If the impersonate parameter does not exist, then groups must be stored in PDStorage. Get them!

  Rule: Set New Groups from Base64 Encoded Groups Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("groups") equals true
    Action: Continue
    Events:
      Set Authentication.UserGroups = String.ToStringList(String.Base64Decode(URL.GetParameter("groups")),",","")
    Comments: The modified site review ruleset will send the original groups base64 encoded as part of the impersonate URL. This can be used to make sure you are using the exact same groups as the original request.

  Rule: Set New Groups by LDAP lookup (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.HasParameter("groups") equals false
    Action: Continue
    Events:
      Set Authentication.UserGroups = Authentication.GetUserGroups<Get LDAP User Groups For Username>
      Set Authentication.UserName = User-Defined.ImpersonateUser
      Set Authentication.RawUserName = User-Defined.ImpersonateUser
    Comments: Set Authentication.Usergroups by looking up groups in LDAP. LDAP settings use samaccountname=%u for a filter and %u comes from Authentication.RawUsername. This process has the undesired effect of replacing Authentication.Username with the LDAP fully qualified username. To correct that, Authentication.Username is reset to User-defined.ImpersonateUser

  Rule: Add Group From addgroup Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.HasParameter("groups") equals false
      3: AND URL.HasParameter("addgroup") equals true
    Action: Continue
    Events:
      Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,URL.GetParameter("addgroup"))
    Comments: Edit and enable this rule if you want to add a group to the group list. Note that the LDAP lookup against AD does not return the primary group which is Domain Users by default

  Rule: Add Domain Users to LDAP Group List if No Group Match in Service Group List (Disabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.HasParameter("groups") equals false
      3: AND Authentication.UserGroups none in list Service Groups List
    Action: Continue
    Events:
      Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,"Domain Users")
    Comments: Edit and enable this rule if you want to conditionally add groups to the group list. Note that the LDAP lookup against AD does not return the primary group which is Domain Users by default

  Rule: Set PDStorage ImpGroups if Impersonate Parameter Present (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
    Action: Continue
    Events:
      PDStorage.AddUserData.List.String("ImpGroups",Authentication.UserGroups)<Impersonate PDStorage>
    Comments: Set PDStorage ImpGroups to match groups so that all requests that are part of the page will also be handled as if they were made by the user being impersonated. Length of time for impersonation is determined by the PDStorage setting (Impersonation PDStorage). Default is two minutes for ruleset.
Rule Set: Clear URL Parameters (Enabled)
  Applies to Requests: True / Responses: True / Embedded Objects: True
  Criteria: Always

  Rule: Remove Tracing Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("tracing") equals true
      2: AND URL.HasParameter("impersonate") equals true
    Action: Continue
    Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("tracing"),regex((\S+)),"tracing=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
    Comments: Remove the tracing parameter so that site operation is unaffected.

  Rule: Remove Groups Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("groups") equals true
      2: AND URL.HasParameter("impersonate") equals true
    Action: Continue
    Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("groups"),regex((\S+)),"groups=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
    Comments: Remove the groups parameter so that site operation is unaffected.

  Rule: Remove addgroup Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("addgroup") equals true
      2: AND URL.HasParameter("impersonate") equals true
    Action: Continue
    Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("addgroup"),regex((\S+)),"addgroup=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
    Comments: Remove the addgroup parameter so that site operation is unaffected.

  Rule: Remove Impersonate Parameter (Enabled)
    Criteria:
      1: URL.HasParameter("impersonate") equals true
    Action: Continue
    Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("impersonate"),regex((\S+)),"impersonate=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
    Comments: Remove the impersonate parameter so that site operation is unaffected.
Intel's Active System Console provides a nice graphical way of obtaining further debug output and of getting more control over your appliance.

 

As you might have noticed, new versions of MWG are released as so-called controlled releases.

 

I just want to add a bit more color on what you can expect to happen in future.

 

 

  • Most existing customers don't want to receive too many updates. They want to stay on a stable release branch for a longer time.
  • If they run into a bug and get a fix, they appreciate receiving a patch that does not introduce new features; they only want bug fixes.
  • We are helping those customers with our "one main release approximately once a year" approach now.
  • 7.1 came out about a year after 7.0, and you can expect a 7.2 about a year after 7.1.
  • In the meantime we are doing fourth-digit changes and will provide more 7.1.0.x releases to fix bugs that are found on that release branch. You will see those releases throughout the year.
  • Customers not modifying their yum repositories on the box receive those minor updates when they check for new versions throughout the year.
  • At the same time, some existing customers and many new customers may be very interested in receiving new features as soon as possible.
  • Some deals may depend on a new feature, and we don't want those to wait a year.
  • This may also be true for some product improvements that require architectural changes too big for a minor maintenance release.
  • Therefore we are providing intermediate feature releases; expect 2-3 between two main releases.
  • You can see those as iterations on the way to the next main release.
  • We call those "controlled releases".
  • They are fully supported though, and there is no restriction or special qualification for somebody to take such a release.
  • But customers need to change their yum repository on the boxes and understand that they are dealing with new technology.

 

And to note - both lines of releases, controlled and main, are fully supported.

 

Please also read the poll on MWG controlled releases, where you are asked to vote if they are supporting your business or if they are not supporting your business, given that you have read the above explanation. https://community.mcafee.com/polls/1090

 

thanks,

 

Michael


With the introduction of Alerts in MWG 7.1, we have introduced a product-wide incident reporting and management system. This sounds a little scientific, but it is a great benefit for the product. It allows you to build detailed alerting around MWG to receive emails and SNMP traps, or to write special logs in case something goes wrong on MWG. Incidents are part of the rule engine's properties and consist of:

 

Incident.AffectedHost

Incident.Description

Incident.ID

Incident.Origin

Incident.OriginName

Incident.Severity

 

Below is the description of the properties.

 

Description of the Incident Fields

 

Each of the following fields is put into a property and can be requested in the Log Handler.

 

IncidentID

 

The ID of the incident (unique).

Incidents:

  • From mwg-logmanager (origin 5) 
    • 501 LogFilePushFailed
  • From System (origin 1) 
    • 5 Monitor incident

Reason

 

A string describing the reason (no special format).

 

OriginID

 

The ID of the origin (unique).

Origins:

  • 1 System
  • 2 mwg-core
  • 3 mwg-coordinator
  • 4 mwg-antimalware
  • 5 mwg-logmanager
  • 6 sysconf daemon
  • 7 mwg-ui
  • 9 reserved for unidentified origins

OriginName

 

The name of the origin (should be something the admin knows from the UI, for example "Log File Manager" and not mwg-logmanager)

 

AffectedHost

 

An IP address describing the host that is affected.

Examples:

  • a machine that downloads a lot of viruses
  • the FTP server that refuses the login credentials
  • any other machine that should be mentioned by the event

Severity

 

The severity of the event.

(Syslog severities)

  • 0 Emergency
  • 1 Alert
  • 2 Critical
  • 3 Error
  • 4 Warning
  • 5 Notice
  • 6 Informational
  • 7 Debug

 

The biggest benefit is the collection of incidents defined inside the product, as they span all the different product areas:

 

IncidentID | Description | When Fired | Reason | OriginID | OriginName | Severity

System (1-199)
5 | Monitor incident for cyclic execution of incident rules | | Monitor Incident | 1 | system | 7
20 | RAID | mwg-monitor checks RAID and RAID reports critical and/or failed disks | RAID reports N critical disks and N failed disks. | 1 | health monitor | 4 (3 if "failed disks")
21 | S.M.A.R.T. | mwg-monitor calls smartctl -H and finds an error | S.M.A.R.T. health check reported an error on hard disk HDD. | 1 | health monitor | 4
22 | Filesystem usage | mwg-monitor detected a filesystem usage beyond a certain threshold | Filesystem usage on PART exceeds selected limit. | 1 | health monitor | 4
23 | Memory usage | mwg-monitor detected a dirty-pages to total memory ratio beyond a certain limit | Memory usage ratio of N processes exceed selected limit. | 1 | health monitor | 4
24 | Load | mwg-monitor detected a load beyond a certain limit | 5 minute load average exceeds selected limit. | 1 | health monitor | 4

Core (200-299)
211 (MWG 7.1.5) | Proxy attempts to store too many values in TopN report | More than 20000 entries | Maximimum number of entries reached for dashboard report <name> | 2 | Statistic | 4
298 | Update of product x succeeded on local core (obsolete) | Update succeeded for product x on local core | Info about product x | 2 | Core | 6
299 | Update of product x failed on local core (obsolete) | Info about product x | Update failed for product x on local core | 2 | Core | 3
200 | Check for license expiration | | The license expire date has been checked | 2 | Core | 6
201 | Started | Started in FIPS 140-2 mode | The Webgateway has successfully passed all FIPS 140-2 selftests | 2 | Core | 6

Proxy (700-799)
700 | Overload | Entered overload state | Connection limit of {0_connections} simultaneous connections has been exceeded. Delaying accepts | 2 | Proxy | 2
701 | Overload | MWG is in overload state longer than 30 sec (after sending the last incident) | Overload: The Webgateway is still overloaded and delays accepts | 2 | Proxy | 2
702 | Overload | Left overload state | Overload: Left overload handling. Accepts will be done immediately again | 2 | Proxy | 4
703 | Highload | Entered high load | Highload: {0_percent}% of the limit for simultaneous connections ({1_connections}) has been exceeded | 2 | Proxy | 4
704 | Highload | MWG still has a lot of connections for longer than 30 sec (after sending the last incident) | Highload: The Webgateway still serves more than {0_percent}% of the maximum connection number ({1_connections}) | 2 | Proxy | 4
705 | Highload | Connection number below 85% of max value | Number of connections droped below {0_percent}% of the maximum value ({1_connections}) | 2 | Proxy | 6
710 | Next Hop Proxy | Next hop will be marked as down and not used for x seconds | Next hop proxy {0_dnsname} has been marked as down for {1_seconds} seconds | 2 | Proxy | 4
711 | Next Hop Proxy | Failure to connect to next hop proxy | Connection to next hop proxy {0_dnsname} failed | 2 | Proxy | 4
712 | Next Hop Proxy | Next hop proxy will be moved from error state back to normal operation | The next hop proxy {0_dnsname} will be used again | 2 | Proxy | 6
720 | Listener | Can't open listener | The listener on {0_ipandport} could not be started | 2 | Proxy | 2
730 | Reboot required after configuration change | mfend driver in inconsistent state after changing proxy mode | Proxy mode changes require the appliance to be rebooted. | 6 | Proxy | 2

Antivirus (800-899)
850 | Update Success | If AV filter update was successful. | Anti-Malware filter update was successful. New version identifier is '{0_identifier}'. | 2 | Anti-Malware Filter | 6
851 | Update Failed | If AV filter update failed. | Anti-Malware filter update failed. Broken version identifier is '{0_identifier}'. | 2 | Anti-Malware Filter | 3
852 | Download Failed | When the download or the verification of the Anti-Malware Filter update files failed. | Download or verification of Anti-Malware Filter update files failed. | 2 | Anti-Malware Filter | 3
853 | Up to date | When Anti-Malware Filter is up to date. | Anti-Malware Filter is up to date. | 2 | URL Filter | 6

Authentication (900-999)
901 | NTLM server connection | Account update | Connected to {nn} server(s) in domain {domain name}. | 2 | NTLM Auth-Filter | 6
902 | NTLM server connection | Account update | Can't connect to {nn} server(s) in domain {domain name}. | 2 | NTLM Auth-Filter | 4
903 | NTLM server connection | Account update | The following domain(s) can't be contacted: {domain names}. | 2 | NTLM Auth-Filter | 3
910 | LDAP server connection | Connect to LDAP Server | Connected to LDAP server (Configuration ID {nn}). | 2 | LDAP Auth-Filter | 6
912 | LDAP server connection | Disconnect from LDAP Server | Disconnected from LDAP server (Configuration ID {nn}). | 2 | LDAP Auth-Filter | 4
913 | LDAP server connection | Connect to LDAP Server | Can't connect to any LDAP server (Configuration ID {nn}). | 2 | LDAP Auth-Filter | 3
920 | RADIUS server connection | Radius server responds | Authentication request sent to the RADIUS server '{server name}' has been responded. | 2 | RADIUS Auth-Filter | 6
921 | RADIUS server connection | Radius server responding again | Authentication request sent to the RADIUS server '{server name}' has been responded again. | 2 | RADIUS Auth-Filter | 6
923 | RADIUS server connection | Request timed out | Authentication request sent to the RADIUS server '{server name}' has timed out. | 2 | RADIUS Auth-Filter | 3
931 | NTLM-Agent server connection | Reconnect to Server | Connected to NTLM-Agent '{server name}'. | 2 | NTLM-Agent Auth-Filter | 6
932 | NTLM-Agent server connection | Disconnect from Server | Disconnected from NTLM-Agent '{server name}'. | 2 | NTLM-Agent Auth-Filter | 3
933 | NTLM-Agent server connection | Connect to Server | Can't connect to NTLM-Agent '{server name}'. | 2 | NTLM-Agent Auth-Filter | 3
940 (MWG 7.1.5) | CRL Update Success | If a CRL was downloaded and could be loaded | {0_number} CRLs for the authentication filter have been updated | 2 | Authentication Filter | 6
941 (MWG 7.1.5) | CRL Update Failed | If a downloaded CRL could not be loaded | {0_number} of the recently updated CRLs for the authentication filter can not be loaded | 2 | Authentication Filter | 4
942 (MWG 7.1.5) | CRL Download Failed | ???? | ????? | 2 | Authentication Filter | ?
943 (MWG 7.1.5) | CRLs are Up to date | If no CRL needs to be updated | All CRLs used for the authentication filter are up to date | 2 | Authentication Filter | 6

URL (1000-1099)
1050 | Update Success | When the URL Filter update was successful. | URL Filter update was successful. New version identifier is '{0_identifier}'. | 2 | URL Filter | 6
1051 | Update Failed | When the URL Filter update failed. | URL Filter update failed. Broken version identifier is '{0_identifier}'. | 2 | URL Filter | 3
1052 | Download Failed | When the download or the verification of the URL Filter update files failed. | Download or verification of URL Filter update files failed. | 2 | URL Filter | 3
1053 | Up to date | When URL Filter is up to date. | URL Filter is up to date. | 2 | URL Filter | 6

Quota + BucketMaps (1100-1199): no incidents defined

Certificate Filter (1200-1299): no incidents defined

ICAP Client Filter (1300-1399): no incidents defined

MediaType (1400-1499): no incidents defined

Openers (1500-1599): no incidents defined

Certificate Chain Filter (1600-1699)
1650 | Update Success | If a CRL was downloaded and could be loaded | {0_number} CRLs for the certificate chain filter have been updated | 2 | Certificate Chain Filter | 6
1651 | Update Failed | If a downloaded CRL could not be loaded | {0_number} of the recently updated CRLs for the certificate chain filter can not be loaded | 2 | Certificate Chain Filter | 4
1652 | Download Failed | | | 2 | Certificate Chain Filter | ?
1653 | Up to date | If no CRL needs to be updated | All CRLs used for the certificate chain filter are up to date | 2 | Certificate Chain Filter | 6

mwg-ui (1700-1799)
1700 | login successful | if user login was successful | login and user client information | 6 | mwg-ui | 4
1701 | login blocked | if user login failed | login and user client information | 7 | mwg-ui | 4
1702 | ip changed | user's ip changed to another value | login and user client information | 7 | mwg-ui | 4
1710 | saving successful | user saved changes successfully | name of user | 7 | mwg-ui | 6
1711 | saving failed | saving changes failed | name of user | 7 | mwg-ui | 3

Coordinator / Updater (300-399)
301 | Disk space less than 1 GB, stopped update process on node x | Not enough disk space to download update files | Description why update stopped | 3 | Updater | 3
302 | Download of product x failed for node y | Download failed for product from update server | Info about the product x that should be downloaded for a node y | 3 | Updater | 3
303 | Update for product x failed on node y (obsolete) | Updater reports that an update was not successful on node y | Info about the product, node and update status | 3 | Updater | 3
304 | Product x for node y is up to date | Update server reports to the updater that product x is up to date | Version of product x from node equals version on update server | 3 | Updater | 3
305 | Connect to Server failed | Updater cannot connect to server | Reports connection error code | 3 | Updater | 3
321 | Download of product x succeeded for node y (obsolete) | Download succeeded for product x | Info about product x and node y | 3 | Updater | 6
322 | Update of product x succeeded on node y (obsolete) | Info about product x and node y | Updater reports that an update was successful on node y | 3 | Updater | 6

anti-malware (400-499): no incidents defined

mwg-logmanager (500-599)
501 | Log manager push failed | The server that did not provide the requested service (e.g. the FTP server, or the proxy) | Description why the log file push failed. | 5 | Log File Manager | 3

sysconfd (600-699)
600 | Reboot required after yum update | | Update contained packages which require the appliance to be rebooted to take effect! | 6 | mwg-update | 4
666 | FIPS Self Check | | FIPS Self Check failed. Node is running in non-compliant FIPS mode | 1 | FIPS | 0

Coordinator / Centralized Management (3000-3200)
3000 | Synchronization | At least one node is detected to be out of sync (regarding storage / configuration) and the number of out-of-sync nodes changes; triggered only on the root node | how many and which nodes | 3 | Centralized Management | 3
3001 | Synchronization | All nodes are synchronized again (storage / configuration); 3000 was triggered before | | 3 | Centralized Management | 6
3005 | Synchronization | At least one node did not respond properly when shared data is sent out and the number of out-of-sync nodes changes; triggered only on the root node, and only if the shared data should go to all nodes in the shared data group (as opposed to a specific node), because only then a decision can be made whether the count of error nodes changes | how many and which nodes | 3 | Centralized Management | 3
3006 | Synchronization | All nodes did accept shared data again; 3005 was triggered before; triggered only if the shared data should go to all nodes in the shared data group (as opposed to a specific node), because only then a decision can be made whether the count of error nodes changes | | 3 | Centralized Management |


As these are available via properties, you can use them in the error handler to create several helpful alerts in conjunction with the product's syslog, SNMP and email capabilities. Good examples are already part of the predefined error handler:

 

 

 

 

                                                                 
Error Handlers

Rule Set: Log File Manager Incidents (Enabled)
  Applies to Requests: True / Responses: True / Embedded Objects: True
  Criteria:
    1: Incident.ID greater than or equals 501
    2: AND Incident.ID less than or equals 600

  Rule: Create Notification Message (Enabled)
    Criteria:
      1: Incident.ID equals 501
    Action: Continue
    Events:
      Set User-Defined.notificationMessage = "A log file cannot be pushed. Please have a look at the mwg-logfilemanager errors log (/opt/mwg/log/mwg-errors/mwg-logmanager.errors.log)."

  Rule: Send SNMP Trap (Disabled)
    Criteria:
      1: Incident.ID equals 501
    Action: Continue
    Events:
      Set SNMP.Trap.Additional = User-Defined.notificationMessage
      SNMP.Trap.Send.User(Incident.ID,"Log file pushing failed")

  Rule: Create Syslog Entry (Disabled)
    Criteria:
      1: Incident.ID equals 501
    Action: Continue
    Events:
      Syslog(Incident.ID,User-Defined.notificationMessage)

  Rule: Send Email for Notification (Disabled)
    Criteria:
      1: Incident.ID equals 501
    Action: Continue
    Events:
      Email.Send("enter valid email","Message from McAfee Web Gateway",User-Defined.notificationMessage)<Default>

  Rule: Write Log File Manager Incidents Into Log (Disabled)
    Criteria:
      1: Incident.ID equals 501
    Action: Continue
    Events:
      FileSystemLogging.WriteLogEntry(User-Defined.notificationMessage)<Log File Manager Incident Log>
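As an added example (not part of the post or the predefined error handler), here is a Python routine that classifies an incident by the Incident.ID ranges, origins and syslog severities listed above and builds the notification the handler would send. The channel policy, the local0 facility and the generic message wording are hypothetical choices; the 501 text is the handler's own.

```python
"""Classify an MWG incident and build the notification the error handler would send.

Added example, not part of the original post. The ID ranges, origins and
severities are the ones from the tables above; the channel policy, the
syslog facility and the generic message text are hypothetical choices.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Incident.ID ranges per subsystem, from the table above.
# Note: the predefined handler matches Incident.ID 501..600, so ID 600
# (sysconfd, "Reboot required after yum update") also lands in the
# Log File Manager handler even though 600-699 belongs to sysconfd.
ID_RANGES: List[Tuple[int, int, str]] = [
    (1, 199, "System"), (200, 299, "Core"), (300, 399, "Coordinator / Updater"),
    (400, 499, "anti-malware"), (500, 599, "mwg-logmanager"), (600, 699, "sysconfd"),
    (700, 799, "Proxy"), (800, 899, "Antivirus"), (900, 999, "Authentication"),
    (1000, 1099, "URL"), (1100, 1199, "Quota + BucketMaps"),
    (1200, 1299, "Certificate Filter"), (1300, 1399, "ICAP Client Filter"),
    (1400, 1499, "MediaType"), (1500, 1599, "Openers"),
    (1600, 1699, "Certificate Chain Filter"), (1700, 1799, "mwg-ui"),
    (3000, 3200, "Coordinator / Centralized Management"),
]

# Incident.Origin values, from the Origins list above.
ORIGINS: Dict[int, str] = {1: "System", 2: "mwg-core", 3: "mwg-coordinator",
                           4: "mwg-antimalware", 5: "mwg-logmanager",
                           6: "sysconf daemon", 7: "mwg-ui", 9: "unidentified"}

# Incident.Severity uses the syslog severities 0 (Emergency) .. 7 (Debug).
SEVERITIES = ("Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug")

LOCAL0 = 16  # syslog facility used for the PRI value (hypothetical choice)


@dataclass
class Incident:
    id: int
    severity: int
    origin: int
    origin_name: str
    description: str
    affected_host: str = ""


def subsystem_for(incident_id: int) -> Optional[str]:
    """Map Incident.ID to the subsystem owning its range, or None if unassigned."""
    for low, high, name in ID_RANGES:
        if low <= incident_id <= high:
            return name
    return None


def syslog_pri(severity: int, facility: int = LOCAL0) -> int:
    """RFC 5424 PRI value: facility * 8 + severity."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be a syslog severity 0..7")
    return facility * 8 + severity


def notification_message(inc: Incident) -> str:
    """Text for User-Defined.notificationMessage.

    501 reuses the wording of the predefined "Create Notification Message"
    rule; everything else gets a generic line built from the properties.
    """
    if inc.id == 501:
        return ("A log file cannot be pushed. Please have a look at the "
                "mwg-logfilemanager errors log "
                "(/opt/mwg/log/mwg-errors/mwg-logmanager.errors.log).")
    host = f" (affected host {inc.affected_host})" if inc.affected_host else ""
    return (f"{SEVERITIES[inc.severity]}: incident {inc.id} from "
            f"{inc.origin_name} [{ORIGINS.get(inc.origin, 'unknown origin')}]"
            f": {inc.description}{host}")


def channels(inc: Incident) -> List[str]:
    """Hypothetical escalation policy keyed on Incident.Severity.

    The predefined handler ships with SNMP, syslog and email disabled; this is
    one way to decide which of them to enable for which incidents.
    """
    out: List[str] = []
    if inc.severity <= 2:        # Emergency, Alert, Critical
        out += ["email", "snmp"]
    if inc.severity <= 4:        # ... plus Error and Warning
        out.append("syslog")
    out.append("log")            # everything goes to the incident log file
    return out


def handle(inc: Incident) -> Dict[str, object]:
    """What the error handler would do with one incident."""
    return {"subsystem": subsystem_for(inc.id), "pri": syslog_pri(inc.severity),
            "message": notification_message(inc), "channels": channels(inc)}


if __name__ == "__main__":
    # Constructed incidents using IDs and severities from the table above.
    for inc in (Incident(501, 3, 5, "Log File Manager", "Log manager push failed", "10.0.0.20"),
                Incident(666, 0, 1, "FIPS", "FIPS Self Check failed"),
                Incident(1053, 6, 2, "URL Filter", "URL Filter is up to date")):
        print(handle(inc))
```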
                   
             
         
       
 

 

 

best,

Michael


I am proud to announce that McAfee Web Gateway 7.1 was released to the download sites today, March 30, 2011. This closes a one year long project known as 'Scandium'.

 

 

 

Key Features Summary for project 'Scandium':

 

 

  • FIPS 140-2 – McAfee Web Gateway is currently in the process of being certified under the Cryptographic Module Validation Program for FIPS 140-1 and FIPS 140-2; please see http://csrc.nist.gov/groups/STM/cmvp/inprocess.html for further detail. The FIPS mode is already available today on every Web Gateway appliance. For more information on the installation procedure, see the McAfee Web Gateway Quick Start Guide and the Setup and Logon chapter of the McAfee Web Gateway Product Guide.

 

  • SSL Reverse Proxy – SSL connections can now be accepted not only for proxied connections but also for SSL connections which are redirected to the proxy. This allows all market-leading security controls to be applied to any kind of inbound SSL traffic in addition to plain HTTP-only traffic.

 

  • Status and Alerts – As a new feature, this release allows cluster wide monitoring and incident reporting from a single view in the administration interface.

 

  • Kerberos authentication with load balancing – With this release, load-balanced Kerberos authentication is possible. Authentication tickets can be issued for the load balancer and validated using the Kerberos authentication method.

 

  • Load balancing for authentication with Windows Domain Controllers – McAfee Web Gateway now measures the responsiveness of AD Controllers and will automatically select the fastest one.

 

  • Proxy Configuration Files – By providing one or more proxy auto-configuration (PAC) files on the appliance, you can support web browsers on clients in finding proxies that enable access to particular web sites.

 

  • Localized end-user messages – End-user error messages in different languages are available for upload into MWG 7.1 and can notify users in their local language. In addition to the shipped English templates, message texts are available in localized versions for French, Spanish, German, Japanese and simplified Chinese.

 

Notes: For a detailed list of all new functionality and enhancements, please consult the release notes.

The update repositories for appliances have been updated and are hosting MWG 7.1. Existing customers requiring access to this release need to add the repository to their update sources. Please consult the release notes for details on this procedure.

 

With best regards,

Michael Schneider, CISSP

Senior Product Manager – Web Security

Content & Cloud Security


Hello,

 

As some of you might have noticed, McAfee Web Gateway 7.0.2 offered a new feature: the ability to act as an SSL-enabled reverse proxy.

Historically, MWG has already been used as a reverse proxy for HTTP, as a reverse proxy is basically not much different from a forward proxy, which most of you know as the standard deployment for MWG. The only difference is its location in the network: it sits close to the server rather than close to the clients. The ability to accept transparent traffic for HTTP has existed all along, as we historically required it for certain deployments, and it gained more importance when we started to implement transparent modes such as WCCP, bridge or router.

 

The major ability we added in release 7.0.2 is the ability to deliver predefined server certificates for SSL connections and to send web server requests to an upstream server rather than proxy requests only. Having these two features in place, we have a perfect solution not only to relay traffic for your clients, but also to protect portals such as SharePoint servers, Outlook Web Access or intranets.

 

This solution has already been tested by customers as a way to apply the security filters of MWG to traffic directed to SharePoint servers, including anti-malware scanning, proactive scanning and media type filtering.

Other customers have used MWG as a security layer in front of their Outlook Web Access (OWA) to prevent malicious uploads with anti-malware scanning and proactive scanning. They have also applied media type filtering to make sure that just renaming a file wouldn't allow you to send it. Additionally, we have a deployment that utilizes GTI (http://www.mcafee.com/us/mcafee-labs/technology/gti-reputation-technologies.aspx) to check the geolocation of a client's IP and block access to OWA based on this criterion.

 

A whitepaper about the solution is currently under preparation, so stay tuned for more details on this interesting topic.

 

best,

Michael


Most customers I am talking to operate some sort of enterprise management system which picks up statuses from their environment using either SNMP or syslog. Many have approached me with questions on possible integration between MWG 7 and this kind of system.

With MWG 7 we have changed the internal structure of processes. On previous MWG appliances, we had an SNMP agent built into the (MWG) application. This has changed! In MWG 7 we are running snmpd as part of the OS, which gives us additional beneficial information, as we are closer to the hardware by being in the OS rather than in the application. The same applies to syslog. On MWG 6 the appliances were running the standard Unix syslogd, whereas on MWG 7 the appliances are running rsyslogd, which gives us other interesting opportunities that I will elaborate on in the following. If you are looking for some network management software, http://www.simpleweb.org is a great resource.

 

SNMP

 

Generally, MWG 7 supports all of the following SNMP MIBs (lengthy list):

 

  • mcafee/mcafeeGATEWAY/mwg
  • dell/server3 (if dell rpm installed)
  • dell/storage (if dell rpm installed)
  • mibII
  • ucd_snmp
  • snmpv3mibs
  • notification
  • notification-log-mib
  • target
  • agent_mibs
  • agentx
  • disman/event-mib
  • disman/schedule
  • utilities
  • host
  • mibII/ipv6
  • smux
  • ucd-snmp/diskio
  • tcp-mib
  • udp-mib
  • mibII/mta_sendmail
  • ip-mib/ipv4InterfaceTable
  • ip-mib/ipv6InterfaceTable
  • ip-mib/ipAddressPrefixTable/ipAddressPrefixTable
  • ip-mib/ipDefaultRouterTable/ipDefaultRouterTable
  • ip-mib/ipv6ScopeZoneIndexTable
  • ip-mib/ipIfStatsTable
  • sctp-mib
  • rmon-mib
  • etherlike
  • ucd-snmp/lmSensors
  • mibII/system_mib
  • mibII/sysORTable
  • mibII/at
  • mibII/ifTable
  • mibII/ip
  • mibII/snmp_mib
  • mibII/tcp
  • mibII/icmp
  • mibII/udp
  • mibII/vacm_vars
  • mibII/setSerialNo
  • ip-mib
  • if-mib
  • ip-forward-mib
  • ucd-snmp/memory
  • ucd-snmp/vmstat
  • ucd-snmp/proc
  • ucd-snmp/versioninfo
  • ucd-snmp/pass
  • ucd-snmp/pass_persist
  • ucd-snmp/disk
  • ucd-snmp/loadave
  • ucd-snmp/extensible
  • agent/extend
  • ucd-snmp/errormib
  • ucd-snmp/file
  • ucd-snmp/dlmod
  • ucd-snmp/proxy
  • ucd-snmp/logmatch
  • snmpv3/snmpEngine
  • snmpv3/snmpMPDStats
  • snmpv3/usmStats
  • snmpv3/usmConf
  • snmpv3/usmUser
  • notification/snmpNotifyTable
  • snmp-notification-mib/snmpNotifyFilterTable
  • notification/snmpNotifyFilterProfileTable
  • notification-log-mib/notification_log
  • target/snmpTargetAddrEntry
  • target/snmpTargetParamsEntry
  • target/target
  • target/target_counters
  • agent/nsTransactionTable
  • agent/nsModuleTable
  • agent/nsDebug
  • agent/nsCache
  • agent/nsLogging
  • agentx/master
  • agentx/subagent
  • disman/event
  • disman/schedule/schedCore
  • disman/schedule/schedConf
  • disman/schedule/schedTable
  • utilities/override
  • utilities/execute
  • utilities/iquery
  • host/hr_system
  • host/hr_storage
  • host/hr_device
  • host/hr_other
  • host/hr_proc
  • host/hr_network
  • host/hr_print
  • host/hr_disk
  • host/hr_partition
  • host/hr_filesys
  • host/hr_swrun
  • host/hr_swinst
  • mibII/var_route
  • mibII/route_write
  • util_funcs
  • smux/smux
  • tcp-mib/tcpConnectionTable
  • tcp-mib/tcpListenerTable
  • udp-mib/udpEndpointTable
  • ip-mib/ipv4InterfaceTable/ipv4InterfaceTable
  • ip-mib/ipv6InterfaceTable/ipv6InterfaceTable
  • ip-mib/ipAddressTable/ipAddressTable
  • ip-mib/ipAddressPrefixTable/ipAddressPrefixTable_interface
  • ip-mib/ipAddressPrefixTable/ipAddressPrefixTable_data_access
  • ip-mib/data_access/defaultrouter
  • ip-mib/ipDefaultRouterTable/ipDefaultRouterTable_interface
  • ip-mib/ipDefaultRouterTable/ipDefaultRouterTable_data_access
  • ip-mib/ipDefaultRouterTable/ipDefaultRouterTable_data_get
  • ip-mib/ipv6ScopeZoneIndexTable/ipv6ScopeZoneIndexTable
  • ip-mib/data_access/systemstats
  • ip-mib/ipIfStatsTable/ipIfStatsTable
  • ip-mib/ipIfStatsTable/ipIfStatsTable_interface
  • ip-mib/ipIfStatsTable/ipIfStatsTable_data_access
  • sctp-mib/sctpScalars
  • sctp-mib/sctpTables
  • rmon-mib/etherStatsTable
  • etherlike-mib/dot3StatsTable
  • if-mib/ifTable
  • mibII/kernel_linux
  • mibII/ipAddr
  • mibII/tcpTable
  • mibII/udpTable
  • mibII/vacm_context
  • mibII/vacm_conf
  • ip-mib/ipAddressTable
  • ip-mib/inetNetToMediaTable
  • ip-mib/ipSystemStatsTable
  • ip-mib/ip_scalars
  • if-mib/ifXTable
  • ip-forward-mib/ipCidrRouteTable
  • ip-forward-mib/inetCidrRouteTable
  • hardware/memory
  • hardware/cpu
  • header_complex
  • snmp-notification-mib/snmpNotifyFilterTable/snmpNotifyFilterTable
  • agentx/protocol
  • agentx/client
  • agentx/master_admin
  • agentx/agentx_config
  • disman/event/mteScalars
  • disman/event/mteTrigger
  • disman/event/mteTriggerTable
  • disman/event/mteTriggerDeltaTable
  • disman/event/mteTriggerExistenceTable
  • disman/event/mteTriggerBooleanTable
  • disman/event/mteTriggerThresholdTable
  • disman/event/mteTriggerConf
  • disman/event/mteEvent
  • disman/event/mteEventTable
  • disman/event/mteEventSetTable
  • disman/event/mteEventNotificationTable
  • disman/event/mteEventConf
  • disman/event/mteObjects
  • disman/event/mteObjectsTable
  • disman/event/mteObjectsConf
  • tcp-mib/data_access/tcpConn
  • tcp-mib/tcpConnectionTable/tcpConnectionTable
  • tcp-mib/tcpListenerTable/tcpListenerTable
  • udp-mib/udpEndpointTable/udpEndpointTable
  • if-mib/data_access/interface
  • if-mib/ifTable/ifTable_interface
  • if-mib/ifTable/ifTable_data_access
  • if-mib/ifTable/ifTable
  • ip-mib/ipv4InterfaceTable/ipv4InterfaceTable_interface
  • ip-mib/ipv4InterfaceTable/ipv4InterfaceTable_data_access
  • ip-mib/ipv6InterfaceTable/ipv6InterfaceTable_interface
  • ip-mib/ipv6InterfaceTable/ipv6InterfaceTable_data_access
  • ip-mib/data_access/ipaddress
  • ip-mib/ipAddressTable/ipAddressTable_interface
  • ip-mib/ipAddressTable/ipAddressTable_data_access
  • ip-mib/data_access/defaultrouter_common
  • ip-mib/data_access/defaultrouter_linux
  • ip-mib/data_access/ipv6scopezone
  • ip-mib/ipv6ScopeZoneIndexTable/ipv6ScopeZoneIndexTable_interface
  • ip-mib/ipv6ScopeZoneIndexTable/ipv6ScopeZoneIndexTable_data_access
  • ip-mib/data_access/systemstats_common
  • ip-mib/data_access/systemstats_linux
  • ip-mib/ipIfStatsTable/ipIfStatsTable_data_get
  • sctp-mib/sctpScalars_common
  • sctp-mib/sctpScalars_linux
  • sctp-mib/sctpTables_common
  • sctp-mib/sctpAssocRemAddrTable
  • sctp-mib/sctpAssocLocalAddrTable
  • sctp-mib/sctpLookupLocalPortTable
  • sctp-mib/sctpLookupRemPortTable
  • sctp-mib/sctpLookupRemHostNameTable
  • sctp-mib/sctpLookupRemPrimIPAddrTable
  • sctp-mib/sctpLookupRemIPAddrTable
  • sctp-mib/sctpAssocTable
  • sctp-mib/sctpTables_linux
  • rmon-mib/data_access/etherstats
  • rmon-mib/etherStatsTable/etherStatsTable
  • rmon-mib/etherStatsTable/etherStatsTable_data_get
  • rmon-mib/etherStatsTable/etherStatsTable_data_set
  • rmon-mib/etherStatsTable/etherStatsTable_data_access
  • rmon-mib/etherStatsTable/etherStatsTable_interface
  • etherlike-mib/data_access/dot3stats
  • etherlike-mib/dot3StatsTable/dot3StatsTable
  • etherlike-mib/dot3StatsTable/dot3StatsTable_data_get
  • etherlike-mib/dot3StatsTable/dot3StatsTable_data_set
  • etherlike-mib/dot3StatsTable/dot3StatsTable_data_access
  • etherlike-mib/dot3StatsTable/dot3StatsTable_interface
  • ip-mib/data_access/arp
  • ip-mib/inetNetToMediaTable/inetNetToMediaTable
  • ip-mib/inetNetToMediaTable/inetNetToMediaTable_interface
  • ip-mib/inetNetToMediaTable/inetNetToMediaTable_data_access
  • ip-mib/ipSystemStatsTable/ipSystemStatsTable
  • ip-mib/ipSystemStatsTable/ipSystemStatsTable_interface
  • ip-mib/ipSystemStatsTable/ipSystemStatsTable_data_access
  • ip-mib/data_access/scalars_common
  • if-mib/ifXTable/ifXTable
  • ip-forward-mib/ipCidrRouteTable/ipCidrRouteTable
  • ip-forward-mib/inetCidrRouteTable/inetCidrRouteTable
  • hardware/memory/memory_linux
  • hardware/memory/hw_mem
  • hardware/cpu/cpu_linux
  • hardware/cpu/cpu
  • snmp-notification-mib/snmpNotifyFilterTable/snmpNotifyFilterTable_interface
  • snmp-notification-mib/snmpNotifyFilterTable/snmpNotifyFilterTable_data_access
  • tcp-mib/data_access/tcpConn_common
  • tcp-mib/data_access/tcpConn_linux
  • tcp-mib/tcpConnectionTable/tcpConnectionTable_interface
  • tcp-mib/tcpConnectionTable/tcpConnectionTable_data_access
  • tcp-mib/tcpListenerTable/tcpListenerTable_interface
  • tcp-mib/tcpListenerTable/tcpListenerTable_data_access
  • udp-mib/data_access/udp_endpoint
  • udp-mib/udpEndpointTable/udpEndpointTable_interface
  • udp-mib/udpEndpointTable/udpEndpointTable_data_access
  • if-mib/data_access/interface_linux
  • if-mib/data_access/interface_ioctl
  • ip-mib/data_access/ipaddress_common
  • ip-mib/data_access/ipaddress_linux
  • ip-mib/data_access/ipv6scopezone_common
  • ip-mib/data_access/ipv6scopezone_linux
  • rmon-mib/data_access/etherstats_linux
  • etherlike-mib/data_access/dot3stats_linux
  • ip-mib/data_access/arp_common
  • ip-mib/data_access/arp_linux
  • ip-mib/data_access/scalars_linux
  • if-mib/ifXTable/ifXTable_interface
  • if-mib/ifXTable/ifXTable_data_access
  • ip-forward-mib/data_access/route
  • ip-forward-mib/ipCidrRouteTable/ipCidrRouteTable_interface
  • ip-forward-mib/ipCidrRouteTable/ipCidrRouteTable_data_access
  • ip-forward-mib/inetCidrRouteTable/inetCidrRouteTable_interface
  • ip-forward-mib/inetCidrRouteTable/inetCidrRouteTable_data_access
  • udp-mib/data_access/udp_endpoint_common
  • udp-mib/data_access/udp_endpoint_linux
  • ip-mib/data_access/ipaddress_ioctl
  • ip-forward-mib/data_access/route_common
  • ip-forward-mib/data_access/route_linux
  • ip-forward-mib/data_access/route_ioctl

Example: Host Resources MIB

The majority of these are standard SNMP MIBs, which are generally accessible over the internet.

When it comes to hardware monitoring, your best friend is usually the Host Resources MIB. It gives you access to a lot of hardware information. I have found this page, which kindly lets you step through the MIB: http://www.simpleweb.org/ietf/mibs/modules/html/?category=IETF&module=HOST-RESOURCES-MIB

This MIB gives you valuable information about the hardware status of your system. For a basic hardware overview of your system you can poll OID 1.3.6.1.2.1.25.3.2, which is a table (hrDeviceTable) containing CPU, NIC, CD-ROM and other information. To poll this data I use the standard Unix SNMP tools. As this is a table, the command of choice is: snmptable -v 2c -c Public 10.150.163.18:9161 1.3.6.1.2.1.25.3.2

-v is the SNMP version I am using, as configured on the Web Gateway under Configuration > SNMP; 2c in our case

-c is the community string I specified on the Web Gateway. Note: this is case sensitive, so Public in this case

10.150.163.18 is the IP of my Web Gateway appliance

:9161 is the port on which the SNMP daemon listens

1.3.6.1.2.1.25.3.2 is the OID I am polling

The result is:

michael@michael-desktop:~$ snmptable -v 2c -c Public 10.150.163.18:9161 1.3.6.1.2.1.25.3.2
SNMP table: HOST-RESOURCES-MIB::hrDeviceTable

 hrDeviceIndex                              hrDeviceType                                                 hrDeviceDescr              hrDeviceID hrDeviceStatus hrDeviceErrors
           768   HOST-RESOURCES-TYPES::hrDeviceProcessor GenuineIntel:                   Intel(R) Xeon(TM) CPU 3.00GHz SNMPv2-SMI::zeroDotZero              ?              ?
           769   HOST-RESOURCES-TYPES::hrDeviceProcessor GenuineIntel:                   Intel(R) Xeon(TM) CPU 3.00GHz SNMPv2-SMI::zeroDotZero              ?              ?
           770   HOST-RESOURCES-TYPES::hrDeviceProcessor GenuineIntel:                   Intel(R) Xeon(TM) CPU 3.00GHz SNMPv2-SMI::zeroDotZero              ?              ?
           771   HOST-RESOURCES-TYPES::hrDeviceProcessor GenuineIntel:                   Intel(R) Xeon(TM) CPU 3.00GHz SNMPv2-SMI::zeroDotZero              ?              ?
          1025     HOST-RESOURCES-TYPES::hrDeviceNetwork                                          network interface lo SNMPv2-SMI::zeroDotZero        running              0
          1026     HOST-RESOURCES-TYPES::hrDeviceNetwork                                        network interface eth0 SNMPv2-SMI::zeroDotZero        running              0
          1027     HOST-RESOURCES-TYPES::hrDeviceNetwork                                        network interface sit0 SNMPv2-SMI::zeroDotZero           down              0
          1536 HOST-RESOURCES-TYPES::hrDeviceDiskStorage                                VMware Virtual IDE CDROM Drive SNMPv2-SMI::zeroDotZero              ?              ?
          1552 HOST-RESOURCES-TYPES::hrDeviceDiskStorage                                          SCSI disk (/dev/sda) SNMPv2-SMI::zeroDotZero              ?              ?
          3072 HOST-RESOURCES-TYPES::hrDeviceCoprocessor           Guessing that there's a floating point co-processor SNMPv2-SMI::zeroDotZero              ?              ?

I have 4 CPUs, obviously Intel Xeons with 3 GHz each,

I have 3 network interfaces: localhost (lo), eth0 and sit0, of which the first two are up and running,

there is a VMware CD-ROM,

and a SCSI disk.

Another interesting OID in this MIB is .1.3.6.1.2.1.25.2.3, as it gives you an excellent overview of your disks and their usage! I have now switched from the command line to a MIB browser, which I obtained as a 30 day trial from http://ireasoning.com/. It is the iReasoning MIB Browser Professional.

I simply entered the connection data of my Web Gateway as described before and shown in the screenshot:

ireasoning.jpg

Then I selected hrStorage > hrStorageTable from the Host Resources MIB, right-clicked on it and selected Table View. As a result it gave me a nice table of my different partitions and their usage:

 

storage.jpg

As you can see, with just a few monitoring points and SNMP best practices you will get extremely helpful and interesting results. What to monitor? This is something you should already know when asking about SNMP.

As some guidance, you definitely want to monitor the CPU:

Idle time of the CPU: .1.3.6.1.4.1.2021.11.11.0

Percentage spent on processes in user space: .1.3.6.1.4.1.2021.11.9.0

Percentage spent on processes in system space: .1.3.6.1.4.1.2021.11.10.0

Memory:

Total Free: .1.3.6.1.4.1.2021.4.11.0

Total Real: .1.3.6.1.4.1.2021.4.5.0

Avail. Swap: .1.3.6.1.4.1.2021.4.4.0 (should never be 0)

All other monitoring points for hardware depend on your requirements and should be achievable with the onboard tools; simply talk to your SNMP admin about what they expect.
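To turn the monitoring points above into an automated check, here is an added example (not McAfee's or MWG's own code) that runs net-snmp's snmpget against the six OIDs listed, parses the numeric (-On) output and flags the conditions the post warns about; the thresholds, the port 9161 default and the sample output are assumptions.

```python
"""Poll the UCD-SNMP monitoring points named in the post and apply its sanity checks.
Added example, not McAfee/MWG code; thresholds and sample output are assumptions."""
import re
import subprocess
from typing import Dict, List, Union

# OIDs from the post (UCD-SNMP-MIB), in the numeric form printed by `snmpget -On`
OID_CPU_IDLE = ".1.3.6.1.4.1.2021.11.11.0"
OID_CPU_USER = ".1.3.6.1.4.1.2021.11.9.0"
OID_CPU_SYSTEM = ".1.3.6.1.4.1.2021.11.10.0"
OID_MEM_TOTAL_FREE = ".1.3.6.1.4.1.2021.4.11.0"
OID_MEM_TOTAL_REAL = ".1.3.6.1.4.1.2021.4.5.0"
OID_MEM_AVAIL_SWAP = ".1.3.6.1.4.1.2021.4.4.0"
HOST_OIDS = [OID_CPU_IDLE, OID_CPU_USER, OID_CPU_SYSTEM,
             OID_MEM_TOTAL_FREE, OID_MEM_TOTAL_REAL, OID_MEM_AVAIL_SWAP]

# net-snmp prints "<oid> = <TYPE>: <value>"; UCD memory values carry a "kB" suffix
LINE_RE = re.compile(r"^(\S+) = ([A-Za-z0-9-]+): (.*)$")


def parse_snmp_output(text: str) -> Dict[str, Union[int, str]]:
    """Turn snmpget/snmpwalk output into {oid: value}; numeric types become int."""
    values: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # timeouts, "No Such Object" and similar lines carry no value
        oid, typ, raw = m.groups()
        if typ in ("INTEGER", "Counter32", "Counter64", "Gauge32"):
            values[oid] = int(raw.split()[0])  # drop the unit hint ("81920 kB")
        else:
            values[oid] = raw.strip().strip('"')
    return values


def poll_host(host: str, community: str, port: int = 9161) -> Dict[str, Union[int, str]]:
    """Query the appliance the way the post does: v2c, community string, host:port."""
    cmd = ["snmpget", "-v", "2c", "-c", community, "-On", f"{host}:{port}", *HOST_OIDS]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_snmp_output(out)


def health_findings(values: Dict[str, Union[int, str]],
                    cpu_idle_min: int = 10, free_mem_min_pct: float = 5.0) -> List[str]:
    """Apply the post's guidance; the two thresholds are assumed, tune them per site."""
    findings: List[str] = []
    idle = values.get(OID_CPU_IDLE)
    if idle is not None and idle < cpu_idle_min:
        findings.append(f"CPU idle {idle}% is below {cpu_idle_min}% (user "
                        f"{values.get(OID_CPU_USER)}%, system {values.get(OID_CPU_SYSTEM)}%)")
    total, free = values.get(OID_MEM_TOTAL_REAL), values.get(OID_MEM_TOTAL_FREE)
    if total and free is not None and 100.0 * free / total < free_mem_min_pct:
        findings.append(f"memTotalFree {free} kB is {100.0 * free / total:.1f}% of "
                        f"memTotalReal {total} kB")
    if values.get(OID_MEM_AVAIL_SWAP) == 0:
        findings.append("memAvailSwap is 0 (the post says it should never be 0)")
    return findings


# Constructed sample of `snmpget -On` output from an appliance under heavy load
SAMPLE_OUTPUT = """\
.1.3.6.1.4.1.2021.11.11.0 = INTEGER: 4
.1.3.6.1.4.1.2021.11.9.0 = INTEGER: 71
.1.3.6.1.4.1.2021.11.10.0 = INTEGER: 25
.1.3.6.1.4.1.2021.4.11.0 = INTEGER: 81920 kB
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 4194304 kB
.1.3.6.1.4.1.2021.4.4.0 = INTEGER: 0 kB
"""

if __name__ == "__main__":
    for finding in health_findings(parse_snmp_output(SAMPLE_OUTPUT)):
        print("WARN:", finding)
```

Replace SAMPLE_OUTPUT with poll_host("10.150.163.18", "Public") to run it against a real appliance from a host that has the net-snmp tools installed.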

There is of course the McAfee Web Gateway's own MIB, which can be downloaded from the UI under Configuration > SNMP.

It contains product version information as part of .1.3.6.1.4.1.1230.2.7.1.1.0:

Object                  Value               Type
kProductName.0          McAfee Web Gateway  OctetString
kCompanyName.0          McAfee Inc.         OctetString
kProductVersion.0       7.0.1.3.0           OctetString
kMajorVersion.0         7                   Integer
kMinorVersion.0         0                   Integer
kMicroVersion.0         1                   Integer
kHotfixVersion.0        0                   Integer
kCustomVersion.0        0                   Integer
kRevision.0             23272               OctetString
pAMEngineVersion.0      7001.1001.1500      OctetString
pAMSignatureVersion.0   2708                OctetString
pMFEEngineVersion.0     5400                OctetString
pMFEDATVersion.0        6155                OctetString
pAMProactiveVersion.0   366                 OctetString
pTSDBVersion.0          25566               OctetString

Information on pattern and engine update status as part of .1.3.6.1.4.1.1230.2.7.1.20.1.0:

Object                  Value               Type
pAMEngineVersion.0      7001.1001.1500      OctetString
pAMSignatureVersion.0   2708                OctetString
pMFEEngineVersion.0     5400                OctetString
pMFEDATVersion.0        6155                OctetString
pAMProactiveVersion.0   366                 OctetString
pTSDBVersion.0          25566               OctetString

You have access to ALL statistics which are available in the dashboards under .1.3.6.1.4.1.1230.2.7.2.1.1.0:

Object                      Value                           Type
stBadReputation.0           0                               Counter64
stMalwareDetected.0         19                              Counter64
stConnectionsLegitimate.0   62958                           Counter64
stBlockedByAntiMalware.0    19                              Counter64
stConnectionsBlocked.0      59495                           Counter64
stBlockedByMediaFilter.0    0                               Counter64
stBlockedByURLFilter.0      57493                           Counter64
stMimeType.0                0                               Counter64
stCategories.0              220381                          Counter64
stCategoryName.1            Chat                            OctetString
stCategoryName.2            Games                           OctetString
stCategoryName.3            Nudity                          OctetString
stCategoryName.4            Sports                          OctetString
stCategoryName.5            Travel                          OctetString
stCategoryName.6            Tobacco                         OctetString
stCategoryName.7            Web Ads                         OctetString
stCategoryName.8            Business                        OctetString
stCategoryName.9            Pharmacy                        OctetString
stCategoryName.10           Phishing                        OctetString
stCategoryName.11           Web Mail                        OctetString
stCategoryName.12           Profanity                       OctetString
stCategoryName.13           Spam URLs                       OctetString
stCategoryName.14           Blogs/Wiki                      OctetString
stCategoryName.15           Anonymizers                     OctetString
stCategoryName.16           Pornography                     OctetString
stCategoryName.17           Real Estate                     OctetString
stCategoryName.18           General News                    OctetString
stCategoryName.19           Portal Sites                    OctetString
stCategoryName.20           Web Meetings                    OctetString
stCategoryName.21           Entertainment                   OctetString
stCategoryName.22           Media Sharing                   OctetString
stCategoryName.23           Parked Domain                   OctetString
stCategoryName.24           Stock Trading                   OctetString
stCategoryName.25           Content Server                  OctetString
stCategoryName.26           Fashion/Beauty                  OctetString
stCategoryName.27           Motor Vehicles                  OctetString
stCategoryName.28           Personal Pages                  OctetString
stCategoryName.29           Search Engines                  OctetString
stCategoryName.30           Finance/Banking                 OctetString
stCategoryName.31           Malicious Sites                 OctetString
stCategoryName.32           Online Shopping                 OctetString
stCategoryName.33           Streaming Media                 OctetString
stCategoryName.34           Dating/Personals                OctetString
stCategoryName.35           Sexual Materials                OctetString
stCategoryName.36           Incidental Nudity               OctetString
stCategoryName.37           Internet Radio/TV               OctetString
stCategoryName.38           Internet Services               OctetString
stCategoryName.39           Social Networking               OctetString
stCategoryName.40           Software/Hardware               OctetString
stCategoryName.41           Public Information              OctetString
stCategoryName.42           Recreation/Hobbies              OctetString
stCategoryName.43           Shareware/Freeware              OctetString
stCategoryName.44           Education/Reference             OctetString
stCategoryName.45           Auctions/Classifieds            OctetString
stCategoryName.46           Information Security            OctetString
stCategoryName.47           Visual Search Engine            OctetString
stCategoryName.48           Forum/Bulletin Boards           OctetString
stCategoryName.49           Game/Cartoon Violence           OctetString
stCategoryName.50           Technical Information           OctetString
stCategoryName.51           Marketing/Merchandising         OctetString
stCategoryName.52           Non-Profit/Advocacy/NGO         OctetString
stCategoryName.53           Professional Networking         OctetString
stCategoryName.54           Personal Network Storage        OctetString
stCategoryName.55           Residential IP Addresses        OctetString
stCategoryName.56           Spyware/Adware/Keyloggers       OctetString
stCategoryName.57           Technical/Business Forums       OctetString
stCategoryName.58           Potential Illegal Software      OctetString
stCategoryName.59           Interactive Web Applications    OctetString
stCategoryName.60           Potential Criminal Activities   OctetString
stCategoryCount.1           5                               Counter64
stCategoryCount.2           58447                           Counter64
stCategoryCount.3           19                              Counter64
stCategoryCount.4           44                              Counter64
stCategoryCount.5           267                             Counter64
stCategoryCount.6           3                               Counter64
stCategoryCount.7           1480                            Counter64
stCategoryCount.8           5413                            Counter64
stCategoryCount.9           87                              Counter64
stCategoryCount.10          1                               Counter64
stCategoryCount.11          5                               Counter64
stCategoryCount.12          2                               Counter64
stCategoryCount.13          147                             Counter64
stCategoryCount.14          373                             Counter64
stCategoryCount.15          23                              Counter64
stCategoryCount.16          674                             Counter64
stCategoryCount.17          221                             Counter64
stCategoryCount.18          3115                            Counter64
stCategoryCount.19          1541                            Counter64
stCategoryCount.20          6                               Counter64
stCategoryCount.21          979                             Counter64
stCategoryCount.22          99                              Counter64
stCategoryCount.23          3                               Counter64
stCategoryCount.24          70                              Counter64
stCategoryCount.25          2794                            Counter64
stCategoryCount.26          1                               Counter64
stCategoryCount.27          5                               Counter64
stCategoryCount.28          208                             Counter64
stCategoryCount.29          1038                            Counter64
stCategoryCount.30          586                             Counter64
stCategoryCount.31          133                             Counter64
stCategoryCount.32          236                             Counter64
stCategoryCount.33          638                             Counter64
stCategoryCount.34          2                               Counter64
stCategoryCount.35          27                              Counter64
stCategoryCount.36          1244                            Counter64
stCategoryCount.37          84                              Counter64
stCategoryCount.38          2009                            Counter64
stCategoryCount.39          58404                           Counter64
stCategoryCount.40          4600                            Counter64
stCategoryCount.41          238                             Counter64
stCategoryCount.42          151                             Counter64
stCategoryCount.43          34                              Counter64
stCategoryCount.44          1076                            Counter64
stCategoryCount.45          114                             Counter64
stCategoryCount.46          35                              Counter64
stCategoryCount.47          77                              Counter64
stCategoryCount.48          171                             Counter64
stCategoryCount.49          57657                           Counter64
stCategoryCount.50          2134                            Counter64
stCategoryCount.51          201                             Counter64
stCategoryCount.52          7                               Counter64
stCategoryCount.53          499                             Counter64
stCategoryCount.54          9604                            Counter64
stCategoryCount.55          13                              Counter64
stCategoryCount.56          3                               Counter64
stCategoryCount.57          3284                            Counter64
stCategoryCount.58          45                              Counter64
stCategoryCount.59          2                               Counter64
stCategoryCount.60          3                               Counter64
stHttpRequests.0            259598                          Counter64
stHttpTraffic.0             1100133919                      Counter64
stHttpBytesFromClient.0     171080546                       Counter64
stHttpBytesFromServer.0     1062287639                      Counter64
stHttpBytesToClient.0       1129926052                      Counter64
stHttpBytesToServer.0       37846280                        Counter64
stHttpsRequests.0           13753                           Counter64
stHttpsTraffic.0            112400857                       Counter64
stHttpsBytesFromClient.0    19907878                        Counter64
stHttpsBytesFromServer.0    94078027                        Counter64
stHttpsBytesToClient.0      142130758                       Counter64
stHttpsBytesToServer.0      18322830                        Counter64
stFtpTraffic.0              872066246                       Counter64
stFtpBytesFromClient.0      0                               Counter64
stFtpBytesFromServer.0      872065091                       Counter64
stFtpBytesToClient.0        0                               Counter64
stFtpBytesToServer.0        1155                            Counter64

In addition to all these polled values, MWG has the ability to send out traps as an Event in every rule! Thus you not only passively poll information but can let MWG send out information based on a rule criterion, which could be an unwanted category or a detected virus. Below is an example rule set and the output on an SNMP trap sink. For the rule you need to have trap sinks configured under Configuration > SNMP.

rule.jpg

The trap sink then shows:

trap.jpg

MWG 7 in VMWare

Posted by michael_schneider Oct 21, 2010

Hello,

I got some questions this week on VMware and where the virtual appliance is.

All Webwasher related downloads reside on this portal: https://extranet.webwasher.com. To gain access it is suggested to contact customer service to set up an account for you.

In the portal you need to navigate to Software > McAfee Web Gateway 7 > Download to download the .iso.

The ISO can be mounted in VMWare to act as installation source.

extranet.jpg

For a VM to just test the product, you should setup the VM to have

2 CPUs

min. 4096GB of Ram

200+ GB of disk space

no soundcard

floppy is optional

USB is optional

min. one NIC

If you need a sizing for your virtual environment, please request assistance through your account manager/sales engineer.

It is notable that copying a VMware VM with MWG will corrupt the installation, due to a change of the UUID inside the BIOS. MWG uses the UUID as the unique identifier for the machine.

If you want to create a default one to spawn new instances from, just install an instance. After the install of the packages you will be asked if you want to reboot, halt, or drop to a shell. At this point, select halt. After the VM has halted (message on the console) shut it down and use this VM as the template.

Make sure you attend the initial startup from a vSphere console to enter the initial config wizard and set up basic connectivity.

thanks,

Michael