itsec
Level 7

Explanation of Default policy in Webgateway 6.x.x

Hi,

This sounds like a daft question but can someone provide an explanation as to what the Default policy is used for (in the scenario below)?

The reason I ask is that there are 6 policies configured on the webgateway (6.9.x) which use webmapping rules.  The webmapping rules use Active Directory groups to map to one of the 6 policies.

(The parameter "group name" extracted from standard (ICAP) header (X-Authenticated-Groups))

There are 5 specific policies that map to 5 specific AD groups (e.g. "unrestricted" policy mapped to AD group "unrestricted internet access")

Should a user not be a member of any of the 5 specific groups, then they are mapped to the "standard" policy.  The rule entry maps policy "Standard" to *.

My understanding is that any user accesses will be logged under one of the 6 policies and this seems to be supported by analysis of the raw log files.

My query is that under Home tab > Traffic Volume, there is traffic for that policy so where is this coming from?

To see why the traffic is not using one of the 6 policies, I have created reports (destinations/ source IP & users) under Reporting > Live Reporting > default policy.

The users report shows only user-agent strings.

The destinations are valid as are the source IPs but if I examine the log files, then the source IPs are using one of the 6 policies...

Can someone explain what I'm missing?

thanks

6 Replies
eelsasser
Level 15

Re: Explanation of Default policy in Webgateway 6.x.x

It's hard to visualize what exactly you are describing. It has always been challenging to determine the sequence of the policy mapping.

One thing that helps me visualize the order of events is built into the list converter tool:

https://community.mcafee.com/docs/DOC-1621

Make a backup of the configuration and see if you can load it into the tool. Once it's loaded, there is a policy report icon you can click.


And it will display a sequenced list of policies:

Mapping Method: IP map directly (IP-Direct-1)
Mapping Options: REQMOD/RESPMOD; Location: X-Client-IP
    Policy     Source
    policy1    192.168.110.150
    policy2    192.168.110.192
    policy2    192.168.110.24-192.168.110.26
    policy2    192.168.68.1-192.168.68.254
    policy3    192.168.67.1-192.168.67.254
    policy3    192.168.66.1-192.168.66.254
    policy3    192.168.69.1-192.168.69.254

Mapping Method: Group Name map directly (Group-Direct-1)
Mapping Options: REQMOD/RESPMOD; Location: Transparent Authentication (Group); AcceptedAuthenticationMethod: Any; Input Value Must Exist; Add domain name to username
    Policy     Source
    Policy4    DOMAIN\wg-group1
    Policy5    DOMAIN\wg-group2
    policy1    DOMAIN\wg-group3
    Policy7    DOMAIN\wg-group4
    policy6    DOMAIN\wg-group5
    Policy9    DOMAIN\wg-group6
    Policy8    DOMAIN\wg-group7

Mapping Method: User Name map directly (User-Direct-1)
Mapping Options: REQMOD/RESPMOD; Location: Transparent Authentication (User); AcceptedAuthenticationMethod: Any; Input Value Must Exist; Add domain name to username
    Policy     Source
    policy2    DOMAIN\user1
    policy1    DOMAIN\user2
    Policy10   DOMAIN\user3
    policy2    DOMAIN\user4
    policy1    DOMAIN\user5
    policy2    DOMAIN\user6
    policy1    DOMAIN\user7
    policy1    DOMAIN\user8
    policy1    DOMAIN\user9
    policy1    DOMAIN\user10
    policy1    DOMAIN\user11
    policy1    DOMAIN\user12
    policy1    DOMAIN\user13
    policy1    DOMAIN\user14
    policy1    DOMAIN\user15
    Facebook   DOMAIN\user16
    Facebook   DOMAIN\user17
    Facebook   DOMAIN\user18
    Facebook   DOMAIN\user19
    Facebook   DOMAIN\user20
    Facebook   DOMAIN\user21
    default    *

Mapping Method: MappingOptions
Mapping Options: REQMOD/RESPMOD
    Policy          Source
    Block request   *Block*   (Always)

See if this gives you any insight into the mapping.

itsec
Level 7

Re: Explanation of Default policy in Webgateway 6.x.x

Thanks, I've used that a few times but am none the wiser - the default policy is not listed under any of the webmapping rules.  I would post an image but it would contain sensitive information - although I can erase the source fields and keep the policy field...

McAfee Employee

Re: Explanation of Default policy in Webgateway 6.x.x

What about under your proxy options? Do you have a policy defined on the proxy port?

Best,

Jon

itsec
Level 7

Re: Explanation of Default policy in Webgateway 6.x.x

Hi Jon,

Thank you for your reply.  There is no policy defined under the proxy port so according to the help "the policy that was configured for the ICAP server will be used".

When I check the ICAP server settings, I cannot see anywhere that defines a policy. 

Don't worry too much about this as I am migrating to V7 anyway.  I was just curious as to why there was traffic showing on the policy.

Thanks

McAfee Employee

Re: Explanation of Default policy in Webgateway 6.x.x

It could just be the authentication requests perhaps. They would not have group information or user information to match on the above rules.

Unless the default dominates your traffic graphs, that theory wouldn't be correct.

Best,

Jon

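The two explanations above (the sequenced mapping list the converter tool prints, and Jon's point that requests carrying no group or user information cannot match those rules and so land on the last, unconditional entry) are easier to reason about with a small model. The following is an added example, not Web Gateway code and not from any poster in this thread. It models first-match evaluation over mapping blocks like the ones in the converter output: each block reads one ICAP header, a block marked "Input Value Must Exist" is skipped as a whole when that header is absent (so even its `*` entry cannot catch the request), and the final block with no input always matches. The block list, group names, IP range and request headers are constructed for the example; `X-Authenticated-User` and the comma-separated group format are assumptions.

```python
"""Toy model of a sequenced policy-mapping list (added example, not Web Gateway code)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MappingBlock:
    name: str
    header: Optional[str]            # ICAP header the input is read from; None = unconditional block
    entries: List[Tuple[str, str]]   # (source pattern, policy), evaluated top to bottom
    input_must_exist: bool = True    # "Input Value Must Exist" in the converter output


def _matches(pattern: str, value: str, header: Optional[str]) -> bool:
    """Match one source pattern against one input value (hypothetical matching rules)."""
    if pattern == "*":
        return True
    if not value:
        return False
    if header == "X-Client-IP":
        ip = ipaddress.ip_address(value)
        if "-" in pattern:                      # "a.b.c.d-a.b.c.e" range form seen in the tool output
            lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
            return lo <= ip <= hi
        return ip == ipaddress.ip_address(pattern)
    return pattern.casefold() == value.casefold()   # assumption: AD names compare case-insensitively


def map_policy(headers: Dict[str, str], blocks: List[MappingBlock]) -> Tuple[str, str]:
    """Return (policy, block name) for one request's ICAP headers; first match wins."""
    for block in blocks:
        if block.header is None:
            return block.entries[0][1], block.name       # unconditional final entry
        raw = headers.get(block.header)
        if raw is None:
            if block.input_must_exist:
                continue                                 # whole block skipped, '*' entry included
            values = [""]
        else:
            values = [v.strip() for v in raw.split(",")]  # assumption: comma-separated group list
        for pattern, policy in block.entries:
            if any(_matches(pattern, v, block.header) for v in values):
                return policy, block.name
    raise ValueError("no block matched and no unconditional block present")


# Constructed mapping list modelled on the thread's setup: group-specific policies,
# a '*' entry mapping everyone else to Standard, then the unconditional default.
BLOCKS = [
    MappingBlock("IP-Direct-1", "X-Client-IP",
                 [("192.168.68.1-192.168.68.254", "policy2")]),          # hypothetical IP range
    MappingBlock("Group-Direct-1", "X-Authenticated-Groups", [
        ("DOMAIN\\unrestricted internet access", "unrestricted"),
        ("DOMAIN\\restricted internet access", "restricted"),            # hypothetical group
        ("*", "Standard"),
    ]),
    MappingBlock("default", None, [("*", "default")]),
]

# Constructed requests: the headers an ICAP client would forward for each case.
REQUESTS = [
    {"X-Client-IP": "10.1.2.3", "X-Authenticated-User": "DOMAIN\\alice",
     "X-Authenticated-Groups": "DOMAIN\\Domain Users, DOMAIN\\unrestricted internet access"},
    {"X-Client-IP": "10.1.2.4", "X-Authenticated-User": "DOMAIN\\bob",
     "X-Authenticated-Groups": "DOMAIN\\Domain Users"},
    # request seen before authentication completed: no user and no group headers
    {"X-Client-IP": "10.1.2.4", "User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
    {"X-Client-IP": "192.168.68.10", "X-Authenticated-Groups": "DOMAIN\\Domain Users"},
]


def traffic_by_policy(requests: List[Dict[str, str]], blocks: List[MappingBlock] = BLOCKS) -> Counter:
    """Hits per policy, i.e. the figure a Traffic Volume view would chart."""
    return Counter(map_policy(h, blocks)[0] for h in requests)


def default_policy_identities(requests: List[Dict[str, str]],
                              blocks: List[MappingBlock] = BLOCKS) -> List[str]:
    """What a 'users' report on the default policy can show: the user header when present,
    otherwise only the User-Agent, which is all such requests carry."""
    out = []
    for h in requests:
        if map_policy(h, blocks)[0] == "default":
            out.append(h.get("X-Authenticated-User") or h.get("User-Agent", "<none>"))
    return out


if __name__ == "__main__":
    for h in REQUESTS:
        print(map_policy(h, BLOCKS), h.get("X-Authenticated-User", "-"))
    print(traffic_by_policy(REQUESTS))
    print(default_policy_identities(REQUESTS))
```

Under this model the third request, which carries a User-Agent but no `X-Authenticated-Groups`, skips the group block entirely (the `*` entry to Standard never sees it) and is the only one landing on `default`, and a users report restricted to that policy can show nothing but user-agent strings, matching what the original post observed. Whether the real gateway skips the block or matches `*` against an empty value is exactly the setting to check in the mapping options.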
itsec
Level 7

Re: Explanation of Default policy in Webgateway 6.x.x

Hi Jon,

Thanks for your answer although I'm not entirely clear as to whether you mean that high default traffic means that they could be auth requests or not?

I've done some very basic/ rough calculations and the default traffic is generally about 2-3% of the 'standard' policy traffic so it's very minimal.

thanks
