Web Gateway: SSL Scanner Rule Examples

Disclaimer

This document is meant to be used in conjunction with the McAfee TechTalk, which can be found here:  

Please closely read through that article first, before considering the rule examples below.  If you have questions, please 'ask' them on the SNS article above, or feel free to contact technical support.

Where should the SSL Scanner be 'located' in the rule sets?

Typically, it is recommended that the SSL Scanner be placed near the top of the rule set list.  We usually recommend placing it just below your 'Global Whitelist' (if you've chosen to use it), and just above the Global Blocklist (allowing proper block pages to display if needed).  See below:

How do I limit the SSL scanner to a particular client IP, or a particular category?

You can limit who/what the SSL Scanner is applied to by adding rule set criteria.  Below (as an example), the SSL Scanner is limited to a particular client IP, or to a particular category.

NOTE: In general, you will NOT be able to limit the SSL Scanner to a particular username or user group.  The reason is that the SSL Scanner rule set sits above the point where authentication occurs (which is expected/recommended), so at the time the SSL Scanner rule set is called, the username is not yet known.  You would need to move portions of the SSL Scanner 'after' authentication in order to limit by user or group.  If you have this need, it is strongly recommended that you work with support for assistance.

How do I enable the Handle CONNECT Call step, but not do Certificate Verification or Content Inspection?

1. Starting with the default SSL Scanner rule set, disable the 'Certificate Verification' rule set, the 'Content Inspection' rule set, and the 'Verify Common Name (Transparent Setup)' rule set.

2. Next, within the 'Handle CONNECT Call' rule set, disable the rule 'Enable Certificate Verification'.

How do I enable Certificate Verification, but NOT Content inspection?

Explicit proxy:

1. Within the 'Handle CONNECT Call' rule set, enable the 'Enable Certificate Verification' rule.

2. Enable the 'Certificate Verification' rule set.  Here, you can determine a variety of certificate elements you may want to filter on.

3. The 'Verify Common Name (Proxy Setup)' rule set should also be enabled.

[Image: certVerify-explicit-proxy.png]

Transparent proxy:

1. Within the 'Handle CONNECT Call' rule set, enable the 'Enable Certificate Verification' rule.

2. Click to 'enable' the 'Certificate Verification' rule set.

3. The 'Verify Common Name (Proxy Setup)' rule set should be disabled.

4. The 'Verify Common Name (Transparent Setup)' rule set should be enabled.

[Image: certVerify-transparent.png]

How do I enable Content Inspection without Certificate Verification? - (Illustration ONLY - not recommended)

NOTE: This is for illustrative purposes only.  In a production environment, it is NOT recommended that Content Inspection be performed if Certificate Verification is not also performed.  Without Certificate Verification, the gateway will decrypt and inspect traffic from a server whose certificate it has never validated, which could potentially leave your environment vulnerable to phishing of sensitive data.

Option 1

1. Within the 'Handle CONNECT Call' rule set, disable the 'Enable Certificate Verification' rule.

2. Disable the 'Certificate Verification', 'Content Inspection', and 'Verify Common Name (Transparent Setup)' rule sets.

3. Within the 'Content Inspection' rule set (which is now disabled), select the 'Enable Content Inspection' rule, and click 'Copy'.

4. Paste that rule within the 'Handle CONNECT Call', just below the disabled 'Enable Certificate Verification' rule.

[Image: content-inspection_NO-certVerify-option1.png]

Option 2

1. Within the 'Handle CONNECT Call' rule set, disable the 'Enable Certificate Verification' rule.

2. Disable the 'Certificate Verification' rule set, and the 'Verify Common Name (Transparent Setup)' rule set.

3. The 'Content Inspection' rule set should be enabled.

4. Update the 'Content Inspection' rule set criteria to be "Command.Name equals CONNECT".

[Image: content-inspection_NO-certVerify-option2.png]

Comments

Hi,

Can you shed some light on the 'fix hostname' issue when using it in transparent mode?  Maybe some scenarios where it will work and where it will not would be nice.

Thanks

Regards,

Rukmal

Hello Rukmal-

We have another article here that explains this situation in more detail:

"HTTPS in transparent deployments and how SNI can help"

https://community.mcafee.com/docs/DOC-4923

Feel free to ask additional questions as needed!

-Steve

Great article. Good place to point out that the connection.protocol property is different for each cycle. CONNECT is HTTP, CERTVERIFY is SSL, and after the connection is fully established all others are HTTPS.

For those interested in monitoring potential certificate verification issues before fully enabling cert verification or SSL scanning please see https://community.mcafee.com/message/258209#258209 where there is a ruleset for monitoring certificate errors in your environment.

https://community.mcafee.com/docs/DOC-5276

I cannot access this document.  Any idea why???

Just seeing this now, sorry for extreme delay. That article was probably archived. It was just an SNS journal entry which talked about the webinar done back in 2013. I updated the article removing the reference, but added the actual webinar video link.
