Authentication bypass IP’s active on our Proxy Devices in last one month

Hi Team, is there any command/way to find the authentication bypass active IPs on our McAfee Web Gateway proxies from the last month? Or, how do we get the authentication bypass IPs active on our McAfee Web Gateway proxy devices in the last month?
3 Replies

Re: Authentication bypass IP’s active on our Proxy Devices in last one month

Please share the steps for how to get the active Authentication Bypass IPs.

mkutrieba
McAfee Employee
Message 3 of 4

Re: Authentication bypass IP’s active on our Proxy Devices in last one month

Hello,

If I understand your question correctly, you are trying to find a way to get all authentication-bypassed IP addresses from last month? (Sorry if I am wrong.)

First, there is no list or command available on MWG which shows bypassed requests based on a specific rule (e.g. in the authentication rule set).

 

By default, an access log line looks like:
[07/Jan/2020:15:30:08 +0000] "" <clientIP> 200 "GET http://mwginternal.com/ HTTP/1.1" "Business, Software/Hardware" "Minimal Risk" "text/html" 575 356 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0" "" "0" ""


Between the timestamp at the beginning and the client IP you see a "", which is the placeholder for the username (if authenticated). So if I get authenticated, it would look like:
[07/Jan/2020:15:30:08 +0000] "Marcel" <clientIP> 200 "GET http://mwginternal.com/......"


So you can use your reporting solution to check for an empty username, but you still would NOT know where in the policy it was bypassed: it could be bypassed globally, in SSL scanning or in Authentication.


Further, there are two options, I think.
Option 1: Some users manually set a username.
Example:
<Authentication rule set start>
URL.Host equals www.google.com, Action: Stop Rule Set, Event: Set Authentication.Username = "Authentication Bypass"
...<authentication rules>
<Authentication rule set end>


So the log line would look like:
[07/Jan/2020:15:30:08 +0000] "Authentication Bypass" <clientIP> 200 "GET http://www.google.com/......"


If you now create a query/report with CSR (Content Security Reporter) or any other reporting solution, you can filter for the time range and for username = "Authentication Bypass", and you will get a list of all matching entries. In each line, after the username, you will see the client IP address (so in your query/report you also need to display the client IP address column, of course).


Option 2: MWG has a statistics DB, but this does not contain information like "request A to website abc.com was bypassed in <rulename>".
Logging is only done in the access log, in the default log line format above.
But it is also possible to create a new, self-made log other than the default access log.
In the authentication rule set you would configure something like:
<Criteria>, Action: Stop Rule Set, Event: <name of User-Defined-property> = Rules.CurrentRule.Name (e.g. "Bypassed IPs for Authentication") and Authentication.Username = "Authentication Bypass"


In the self-created log you would store any property/value information you want. So you would log timestamp, username, client IP, URL and <name of User-Defined-property>, and the log would look like:
[07/Jan/2020:15:30:08 +0000] "Authentication Bypass" <clientIP> "GET http://mwginternal.com/" "Bypassed IPs for Authentication"
If you have multiple bypass rules, a second log line could look like:
[07/Jan/2020:15:30:08 +0000] "Authentication Bypass" <clientIP2> "GET https://www.google.com/" "Bypassed IPs for Authentication 2"
and so on...


With this, you have a dedicated log which shows only some basic information about authentication-bypassed URLs, with the client IP addresses and requested URLs. This log can be kept and rotated/deleted on MWG, or you can configure pushing it to a share or FTP server, as you probably do with the access log.


In my opinion, the first option (manually set the username in the bypass rule and then create a query/report filtered for time range and this username) should be enough and is the easiest solution, but you need to decide what you really need and whether it is worth the effort or not. Globally bypassed URLs have no username anyway, so if you manually set the username in the authentication bypass rule only, it would be quite easy to identify them in a query/report.


Please let us know if you have further questions. I hope I did not make any mistakes and that my description is easy to understand! 😁


Regards,
Marcel Kutrieba
Technical Support Engineer
AaronT
Reliable Contributor
Message 4 of 4

Re: Authentication bypass IP’s active on our Proxy Devices in last one month

If you are running CSR, you can run a report there too. You can either use the condition that there is no user name (user name does not exist) or a specific name, if you set one for authentication bypass. Just run the report to show the Client IP and any other fields you want.
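Both Marcel's Option 1 and AaronT's CSR suggestion come down to the same query: take the access log, keep the lines whose username field is either empty or the marker value set by the bypass rule, restrict to a time range, and list the client IPs. The following is an added example of that query in Python, not code from the thread or from McAfee. It assumes the default access-log layout quoted above (timestamp, quoted username, client IP, status, quoted request line), the marker username "Authentication Bypass" from Option 1, and a fixed reporting window so the output is reproducible; the log lines are constructed for the example.

```python
"""Extract client IPs that hit an authentication-bypass rule from MWG access-log lines.

Added example (not from the thread or from McAfee). It assumes the default
access-log layout quoted in the thread and the marker username
"Authentication Bypass" from Option 1; the sample log lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Leading fields of the default MWG access-log line:
#   [timestamp] "username" clientIP status "request line" ...
# Everything after the request line is ignored for this question.
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+'   # [07/Jan/2020:15:30:08 +0000]
    r'"(?P<user>[^"]*)"\s+'     # "" (not authenticated), "Marcel", or the marker username
    r'(?P<ip>\S+)\s+'           # client IP
    r'(?P<status>\d{3})\s+'     # HTTP status code
    r'"(?P<req>[^"]*)"'         # "GET http://mwginternal.com/ HTTP/1.1"
)

# Username written by the bypass rule's "Set Authentication.Username" event (assumed value).
BYPASS_USER = "Authentication Bypass"

# Reporting window: a fixed "last month" so the result is reproducible (assumed dates).
REPORT_UNTIL = datetime(2020, 1, 31, 23, 59, 59, tzinfo=timezone.utc)
REPORT_SINCE = REPORT_UNTIL - timedelta(days=31)


def parse_line(line):
    """Return the leading fields as a dict (timestamp parsed to a datetime), or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def bypassed_ips(lines, since=REPORT_SINCE, until=REPORT_UNTIL, users=(BYPASS_USER,)):
    """Count requests per client IP whose username is in `users` and whose timestamp is within [since, until].

    users=(BYPASS_USER,) matches only requests that hit the rule setting the marker
    username (Option 1). users=("",) matches every unauthenticated request, which,
    as the thread notes, mixes global, SSL-scanner and authentication bypasses.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in users:
            continue
        if not since <= rec["ts"] <= until:
            continue
        counts[rec["ip"]] += 1
    return counts


# Constructed sample lines in the default layout; not real traffic.
_TAIL = '"Business, Software/Hardware" "Minimal Risk" "text/html" 575 356 "Mozilla/5.0" "" "0" ""'
SAMPLE_LOG = [
    # unauthenticated request: username empty, bypass location unknown
    f'[07/Jan/2020:15:30:08 +0000] "" 10.1.2.3 200 "GET http://mwginternal.com/ HTTP/1.1" {_TAIL}',
    # authenticated user: not a bypass
    f'[07/Jan/2020:15:31:12 +0000] "Marcel" 10.1.2.4 200 "GET http://mwginternal.com/ HTTP/1.1" {_TAIL}',
    # requests that hit the authentication-bypass rule (marker username set)
    f'[08/Jan/2020:09:02:44 +0000] "Authentication Bypass" 10.1.2.5 200 "GET http://www.google.com/ HTTP/1.1" {_TAIL}',
    f'[09/Jan/2020:09:02:45 +0000] "Authentication Bypass" 10.1.2.5 200 "CONNECT www.google.com:443 HTTP/1.1" {_TAIL}',
    f'[10/Jan/2020:11:00:00 +0000] "Authentication Bypass" 10.1.2.6 200 "GET http://www.google.com/ HTTP/1.1" {_TAIL}',
    # same rule, but outside the reporting window
    f'[01/Dec/2019:10:00:00 +0000] "Authentication Bypass" 10.1.2.7 200 "GET http://www.google.com/ HTTP/1.1" {_TAIL}',
    # junk that a rotation or truncated write can leave behind; parse_line skips it
    "not a log line",
]


if __name__ == "__main__":
    print("Client IPs that hit the authentication-bypass rule in the reporting window:")
    for ip, n in bypassed_ips(SAMPLE_LOG).most_common():
        print(f"  {ip}  {n} request(s)")
    print("Client IPs with an empty username (bypass location unknown):")
    for ip, n in bypassed_ips(SAMPLE_LOG, users=("",)).most_common():
        print(f"  {ip}  {n} request(s)")
```

Run against a real rotated access log by reading the file line by line into `bypassed_ips` and replacing the fixed window with `datetime.now(timezone.utc)` minus the period you want. The two `users` settings correspond to the two report conditions AaronT describes: the empty-username filter finds every unauthenticated request but cannot say which rule bypassed it, while the marker-username filter is only as complete as the rules that actually set that username.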
