Re: Application Control configuration

That's what I've done. But as you pointed out, because that URL is used for all Google properties, this rule will affect other sites like youtube.com.

Would the URL.ParametersString property be any use here?

Reliable Contributor
Message 12 of 32

Re: Application Control configuration

Honestly, I've never used that property
McAfee Employee
Message 13 of 32

Re: Application Control configuration

Hi,

Hope you are doing well.

Request header:

:authority: accounts.google.com
:method: GET
:path: /ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
referer: https://mail.google.com/mail/u/0/
sec-fetch-mode: navigate
sec-fetch-site: same-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
x-chrome-connected: mode=0,enable_account_consistency=false,consistency_enabled_by_default=false
x-chrome-id-consistency-request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=73300007-257e-4017-bdd6-46d66e379f7d,sync_account_id=101765331579103537331,signin_mode=all_accounts,signout_mode=show_confirmation
x-client-data: CJS2yQEIo7bJAQjEtskBCKmdygEI4qjKAQjLrsoBCM6wygEI57HKAQj3tMoBGKukygE=

referer: https://mail.google.com/mail/u/0/

So say you are doing SSL scanning on MWG and need to allow accounts.google.com only while logging into Gmail.

You already have a rule to block accounts.google.com.

You can create two rules as below in order to allow accounts.google.com only while logging into Gmail.

First rule, using the criteria below:

(Command.Name equals CONNECT or Command.Name equals CERTVERIFY) AND URL.Host equals accounts.google.com, and set the action as Stop Rule Set / Stop Cycle accordingly.

Second rule, using the criteria below:

URL matches *accounts.google.com/*mail.google.com*, and set the action as Stop Rule Set / Stop Cycle accordingly.

You can also make use of the Referer field.

The second rule would then be: URL matches *https://accounts.google.com/ServiceLogin* AND Header.Request.Get(Referer) matches *mail.google.com*

Regards

Alok Sarda


Re: Application Control configuration

Wow, thanks!

I will give this a go as soon as I get the opportunity, will probably then be back with questions if I can't get it working!

Reliable Contributor
Message 15 of 32

Re: Application Control configuration

The problem with *mail.google.com* is that "fakemail.google.com.badsite.com" matches. Why not just have a rule that if the URL matches "https://accounts.google.com/*" and Header.Request.Get(Referer) matches "https://mail.google.com/*"?
If this fires before the block for accounts.google.com, then everything should work fine.

Will that be more secure and still work?
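Added example, not code from any of the posts above or from McAfee: a small Python model of the rule order described in message 13 (allow CONNECT/CERTVERIFY for accounts.google.com first, then the Referer rule, then the existing block) that evaluates both candidate Referer patterns, the loose `*mail.google.com*` from message 13 and the anchored `https://mail.google.com/*` from message 15, against constructed sample requests. It assumes rules are evaluated top-down with the first match ending the cycle (Stop Cycle), and it approximates MWG's wildcard "matches" operator with Python's fnmatch, where "*" matches any run of characters; the request objects, the `Request` class and the `compare()` helper are this example's own, not MWG properties.

```python
"""Added example (not McAfee/MWG code): a small model of the MWG rule order
discussed in this thread, used to compare the two Referer patterns.

Assumptions: rules are evaluated top-down and the first matching rule ends the
cycle ("Stop Cycle"), so the allow rules must sit above the existing block for
accounts.google.com; MWG's wildcard "matches" operator is approximated with
Python's fnmatch, where "*" matches any run of characters. The sample requests
below are constructed for the example and are not captured traffic.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Request:
    command: str              # Command.Name: CONNECT, CERTVERIFY, GET, POST
    host: str                 # URL.Host
    url: str                  # full URL as seen after SSL scanning (GET/POST)
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Header.Request.Get(name); header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def allow_tls_setup(req):
    # Rule 1: (Command.Name equals CONNECT or CERTVERIFY) AND URL.Host equals
    # accounts.google.com. Without this the GET/POST inside the tunnel is never
    # decrypted and seen, so the Referer rule below could never fire.
    return req.command in ("CONNECT", "CERTVERIFY") and req.host == "accounts.google.com"


def referer_rule(url_pattern, referer_pattern):
    # Rule 2: URL matches <url_pattern> AND Header.Request.Get("Referer")
    # matches <referer_pattern>.
    def criteria(req):
        return (fnmatchcase(req.url, url_pattern)
                and fnmatchcase(req.header("Referer"), referer_pattern))
    return criteria


def block_accounts(req):
    # The pre-existing block rule for accounts.google.com.
    return req.host == "accounts.google.com"


def evaluate(rules, req):
    """Return the action of the first rule whose criteria match, else 'continue'."""
    for criteria, action in rules:
        if criteria(req):
            return action
    return "continue"


# Rule set A: patterns from message 13 (leading/trailing "*" on the Referer).
LOOSE_RULES = [
    (allow_tls_setup, "allow"),
    (referer_rule("*https://accounts.google.com/ServiceLogin*", "*mail.google.com*"), "allow"),
    (block_accounts, "block"),
]

# Rule set B: anchored patterns from message 15.
STRICT_RULES = [
    (allow_tls_setup, "allow"),
    (referer_rule("https://accounts.google.com/*", "https://mail.google.com/*"), "allow"),
    (block_accounts, "block"),
]

LOGIN_URL = ("https://accounts.google.com/ServiceLogin?service=mail&passive=true"
             "&continue=https://mail.google.com/mail/")

# Constructed sample requests (not captured traffic).
TLS_SETUP = Request("CONNECT", "accounts.google.com", "accounts.google.com:443")
GMAIL_LOGIN = Request("GET", "accounts.google.com", LOGIN_URL,
                      {"Referer": "https://mail.google.com/mail/u/0/"})
LOOKALIKE_LOGIN = Request("GET", "accounts.google.com", LOGIN_URL,
                          {"Referer": "https://fakemail.google.com.badsite.com/"})
NO_REFERER = Request("GET", "accounts.google.com", LOGIN_URL)


def compare(req):
    """Verdict of each rule set for one request, as (loose, strict)."""
    return evaluate(LOOSE_RULES, req), evaluate(STRICT_RULES, req)


if __name__ == "__main__":
    samples = [("tls setup", TLS_SETUP), ("gmail login", GMAIL_LOGIN),
               ("lookalike referer", LOOKALIKE_LOGIN), ("no referer", NO_REFERER)]
    for name, req in samples:
        loose, strict = compare(req)
        print(f"{name:18s} loose={loose:8s} strict={strict}")
```

Both rule sets let the real Gmail login through and block a login with no Referer, but only the anchored pattern blocks the login coming from the look-alike host, because `*mail.google.com*` is satisfied anywhere inside the Referer string while `https://mail.google.com/*` requires the real host followed by a slash. The model does not reproduce MWG's exact wildcard semantics or case handling, so the patterns should still be tested on the gateway itself.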
McAfee Employee
Message 16 of 32

Re: Application Control configuration

Hi,

Yes, you can make use of the Referer field, as mentioned in my last reply.

You first need to allow CONNECT and CERTVERIFY for accounts.google.com, so that the SSL handshake completes successfully; after this you can see the GET/POST requests flowing inside the SSL channel.

So in general, accounts.google.com will still be blocked for any GET/POST request received by MWG that does not have mail.google.com as the Referer.

Regards

Alok Sarda


Re: Application Control configuration

Could I do all of this within the same rule?

So I am thinking of the following:

Application.Name is in list Gmail

OR

Header.Request.Get(String) matches https://mail.google.com/*

AND

Authentication.UserGroups contains <Gmail AD Group Name>

Would that work?  (As a reminder I am trying to allow a specific Gmail AD Group to access Gmail and block it as a Webmail Category for everyone else)

Any requirement now to make any reference to accounts.google.com?

Also when I select the Header.Request.Get property, there is a drop-down box at the bottom right that says 'parameters'.  I have the option of putting a parameter value there.  Do I need to do that?  I've already specified the mail.google.com URL in the criteria section of this rule.  I am confused as to what value this parameter requires.  Please can you advise?

thanks!


Re: Application Control configuration

Hi everyone

I tried configuring Gmail as outlined, using the Referer header, and it didn't work - my test user in the Gmail AD group was then blocked. I will try and upload a picture to illustrate what I configured, as I probably did it wrong!

[image: gmail2.jpg]

I notice there were property parameter options for the Header Name but I left it blank:

[image: header.png]

Should I have put something in here?

This is what I originally had configured, which worked but required a custom category that included accounts.google.com:

[image: gmail1.jpg]

Any thoughts and guidance would be hugely appreciated

Reliable Contributor
Message 19 of 32

Re: Application Control configuration

Yes, "referer" (without quotes)... that tells the name of the header to use

Re: Application Control configuration

Oh yes, LOL, I knew it would be something simple. Many thanks!
