Basic question: Blocking/Whitelisting IP addresses

Hi,

I am wondering how to whitelist or block IP addresses. There is a property for Client.IP but I do not find a Destination.IP. There is one called URL.Destination.IP but this is for IPs that result from a DNS lookup (e.g. user enters hostname).

What if the user does not enter a hostname but an IP address? Would I use the URL.Host property for this and just put the IP address in a list?

Thanks

Accepted Solutions
McAfee Employee jscholte
Message 5 of 11

Re: Basic question: Blocking/Whitelisting IP addresses

The property will trigger MWG to perform a lookup on the requested resource...

So, if you request www.mcafee.com, MWG will look up the IP for www.mcafee.com (12.234.113.129).

If you requested a non-existent domain like "www.mcafee123def.com" it would return 255.255.255.255 because it doesn't exist in DNS.

Yes, URL.Host would be the IP address if an IP was requested. However, if your intention is to block a specific IP, then you should use URL.Destination.IP, because URL.Host would only contain the IP if it was requested in that manner.

i.e. I want to block 12.234.113.129

If I used URL.Host equals 12.234.113.129, with action block.

Result: I could access the site by using www.mcafee.com

If I used URL.Destination.IP equals 12.234.113.129, with action block

Result: I cannot access the site by name or IP

Best,

Jon

10 Replies
McAfee Employee jscholte
Message 2 of 11

Re: Basic question: Blocking/Whitelisting IP addresses

URL.Destination.IP is what you are looking for.

URL.Destination.IP is the IP of the requested URL, or in the case it's requested by IP, it's the IP.

Best,

Jon

Re: Basic question: Blocking/Whitelisting IP addresses

Thanks Jon.

What does the description of the property really mean? It says "does DNS lookup, 255.255.255.255 if failed".

Also just to make sure: If I use this property with a block action, IP addresses I used in a corresponding list will be blocked?

Re: Basic question: Blocking/Whitelisting IP addresses

Oh, and one more (sorry): If I use URL.Host and use a string list and put an IP address in there, does that match as well?

Re: Basic question: Blocking/Whitelisting IP addresses

Awesome, thank you Jon!

Re: Basic question: Blocking/Whitelisting IP addresses

Hi Jon,

I have to revisit this question:

Say I want to exclude certain hosts and IPs from SSL scanning. I did something like this:

http://d.pr/i/HDHj+

As you can see, I referenced the same wildcard list for both properties. Is this valid or should I use a separate IP list for the URL.Destination.IP property?

Thanks

Sascha

McAfee Employee jscholte
Message 8 of 11

Re: Basic question: Blocking/Whitelisting IP addresses

It's valid, but I wouldn't do it because it could be confusing. Do I add a host or do I add an IP address? Plus it means that MWG will have to evaluate all the hosts you have in the list against the IP address, which will never match.

There is no need to use wildcards with IP addresses, when you can use ranges or single IPs.

Ranges can be specified in formats like: 10.1.1.1-10.1.1.255, 10.1.1.0/24

I would use a separate list for the IP related items.

Best,

Jon

eelsasser
Message 9 of 11

Re: Basic question: Blocking/Whitelisting IP addresses

...and don't forget, IP Ranges can be a single IP like 10.1.1.1/32

I hate it when you use an IP list as opposed to an IP range list for these things. Personal pet peeve.

Re: Basic question: Blocking/Whitelisting IP addresses

eelsasser wrote:

...and don't forget, IP Ranges can be a single IP like 10.1.1.1/32

I hate it when you use an IP list as opposed to an IP range list for these things. Personal pet peeve.

Good point. Will be using IP Ranges.

I just thought I could make life easier by only having to maintain one list instead of two.

Thanks!
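
Added example, not part of the thread and not MWG rule syntax: a Python model of the two conditions discussed above (a string match on URL.Host versus a range match on URL.Destination.IP), using the range formats mentioned in the replies. The function names and the DNS table are constructed for illustration; only the www.mcafee.com mapping and the 255.255.255.255 failure value come from the thread.

```python
import ipaddress

# Constructed DNS table standing in for the lookup the proxy performs.
DNS = {"www.mcafee.com": "12.234.113.129"}  # mapping quoted in the thread
LOOKUP_FAILED = ipaddress.ip_address("255.255.255.255")  # value on failed lookup


def parse_range(entry):
    """Return (first, last) for '10.1.1.1-10.1.1.255', '10.1.1.0/24' or one IP."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"reversed range: {entry}")
        return lo, hi
    # A bare address parses as a /32 network, so first == last.
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]


def destination_ip(host):
    """Model of URL.Destination.IP: the literal IP if one was requested,
    otherwise the DNS result, otherwise 255.255.255.255."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(DNS[host]) if host in DNS else LOOKUP_FAILED


def blocked_by_host(host, string_list):
    """Model of 'URL.Host is in string list': a plain string comparison."""
    return host in string_list


def blocked_by_destination_ip(host, range_list):
    """Model of 'URL.Destination.IP is in range list'."""
    ip = destination_ip(host)
    return any(lo <= ip <= hi for lo, hi in map(parse_range, range_list))


if __name__ == "__main__":
    for host in ("12.234.113.129", "www.mcafee.com", "www.mcafee123def.com"):
        print(host,
              "host-rule:", blocked_by_host(host, ["12.234.113.129"]),
              "ip-rule:", blocked_by_destination_ip(host, ["12.234.113.129/32"]))
```

In this model a failed lookup carries 255.255.255.255, so any range entry that covers that address also matches unresolvable hosts; keep that in mind when a range list is used for exemptions.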
