jspanitz
Level 7

MWG7 SSL - Incident Manager?

Is there an Incident Manager in MWG7 like what was available in MWG6?  If not, is there some way to log the SSL certs and the reasons they were blocked?  Also, if not, is it on the radar to add some type of Incident Manager functionality?

0 Kudos
3 Replies
jspanitz
Level 7

Re: MWG7 SSL - Incident Manager?

So, I searched on a bunch of SSL terms, but not on "Incident Manager" before I posted.  After I posted, I went back and did a search on Incident Manager and came up with this thread:

https://community.mcafee.com/message/168286#168286

Has there been any movement on this or is there a tracking method that can be implemented until Incident Manager returns?

0 Kudos
asabban
Level 17

Re: MWG7 SSL - Incident Manager?

Hello,

You could modify the rules that block the requests, such as the rule for blocking accesses to sites which have not been signed by a known CA, and add an event to the rules. I - for example - would add a log event which writes an SSL_Incident.log listing the timestamp, the requested URL, and the reason why access was blocked (simply by adding the rule name).

By doing so you will gather a list of blocked requests. You can look through the list to find out who was blocked, why, and how often when trying to access an SSL site.

Best,

Andre

McAfee Employee

Re: Re: MWG7 SSL - Incident Manager?

The attached rulesets can be used to determine what certificates might cause issues when you enable cert verification and SSL scanning. SSL Incident goes in the Log Manager ruleset; the other ruleset goes in your main policy rules. The Log Manager ruleset will write a user-defined log with the information on URLs that would have been blocked and why. Use and modify at your own risk.

0 Kudos
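Added example, not part of the thread and not taken from the attached rulesets: one way to review a log like the SSL_Incident.log described above and see which hosts were blocked, why, and how often. The tab-separated layout (timestamp, URL, rule name), the rule names and the sample lines are assumptions constructed for illustration; adjust the parser to whatever your log event actually writes.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines; assumed layout: timestamp<TAB>URL<TAB>rule name.
# The rule names below are made up for the example.
SAMPLE_LOG = """\
2012-03-01 09:14:02\thttps://intranet.example.test/login\tBlock unknown certificate authorities
2012-03-01 09:14:40\thttps://intranet.example.test/app\tBlock unknown certificate authorities
2012-03-01 09:20:11\thttps://shop.example.test:8443/cart\tBlock expired certificates
this line is truncated
2012-03-01 10:02:59\thttps://INTRANET.example.test/\tBlock unknown certificate authorities
"""

def parse_line(line):
    """Return (timestamp, host, reason), or None for a malformed line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    timestamp, url, reason = (p.strip() for p in parts)
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host or not reason:
        return None
    return timestamp, host, reason

def summarize(lines):
    """Count incidents per (host, reason); also return the number of skipped lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a tally so log corruption does not go unnoticed
            continue
        counts[(rec[1], rec[2])] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG.splitlines())
    for (host, reason), n in counts.most_common():
        print(f"{n:4d}  {host:30s}  {reason}")
    print(f"skipped {skipped} malformed line(s)")
```

Grouping by host rather than full URL keeps the report focused on the certificate, since one certificate problem affects every URL on that host.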