cancel
Showing results for 
Search instead for 
Did you mean: 
aussiewan
Level 7

Making changes to lists programatically from rulesets

Jump to solution

Hi all

We have a large environment with 300 or so sites supported by about a dozen MWG appliances and VMs. With different people supporting different sites, we have AD groups configured to grant permission to edit blacklists and whitelists for each site. The issue with this is that due to the way MWG handles authorisation of admins, only the first group in the list matches, so people have to be added/removed from groups when they want to admin another site. Unfortunately we can not consolidate this to a single blacklist and whitelist for all sites due to differences in management at each site.

I came up with an idea to use block pages to allow the viewing and editing of these wildcard lists. I got the viewing part working well - they go to a particular URL, get a block page that shows all of the lists they have authority to maintain (looks at user group memberships), and can click on any of the lists to see the contents (List.OfWildcard.ToString and some Javascript). However I am having difficulty in getting it to let me edit the lists. There are no events for Rules related to manipulating lists, however there are Properties in the block pages that appear to allow you to do a variety of things. The ones I have been looking at are List.OfWildcard.Append and List.OfWildcard.Erase. I have confirmed with rule tracing that the pages are being hit as I want them to, and I'm fairly sure I haven't got any syntax issues within those pages, but the lists do not appear to get updated. I have looked for a command to trigger Save Changes or the like, with no success. I can't see any debug/troubleshooting tools to help see if the contents of the page are being processed correctly.

Any suggestions would be greatly appreciated. I'm happy to share what I have done so far if anyone is interested.

Cheers.

Philip

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Making changes to lists programatically from rulesets

Jump to solution

All of the list manipulation properties, like append, join, sort, remove, etc, are only used for the life of a single transaction. they dissolve after the request is completed and they cannot store the results of the operation statically back inside the list itself.

What you are suggesting is to have them save the results again back inside the static configuration. This just cannot be done because the lists are read-only from a user's request context.

The only persistent way to store them is by using Persistent Data storage (PDStorage) , which is only temporary over a period of time and multiple transactions. Also, PDStorage is entirely in memory and doesn't re-write the values back into the lists for you to access via policy.

The best way to do this is to move the lists off-box using subscribed lists and writing an off-boxx application to manage the data and post it to a web server. Then MWG will periodically pull the lists and use them.

0 Kudos
10 Replies
aussiewan
Level 7

Re: Making changes to lists programatically from rulesets

Jump to solution

I just found this:

https://community.mcafee.com/message/284240

It says that the block page context will not allow editing lists. In my scenario, we trust the people editing the lists, and I have authorisation checks within the rulesets to help with that. It is possible that the Properties I'm tring to use might be legacy commands that used to exist but has been removed, with some cleanup still required.

Also FYI - we're running 7.3.2.

Any suggestions or comments would still be appreciated.

Thanks.

0 Kudos
eelsasser
Level 15

Re: Making changes to lists programatically from rulesets

Jump to solution

All of the list manipulation properties, like append, join, sort, remove, etc, are only used for the life of a single transaction. they dissolve after the request is completed and they cannot store the results of the operation statically back inside the list itself.

What you are suggesting is to have them save the results again back inside the static configuration. This just cannot be done because the lists are read-only from a user's request context.

The only persistent way to store them is by using Persistent Data storage (PDStorage) , which is only temporary over a period of time and multiple transactions. Also, PDStorage is entirely in memory and doesn't re-write the values back into the lists for you to access via policy.

The best way to do this is to move the lists off-box using subscribed lists and writing an off-boxx application to manage the data and post it to a web server. Then MWG will periodically pull the lists and use them.

0 Kudos
aussiewan
Level 7

Re: Making changes to lists programatically from rulesets

Jump to solution

Thanks eelsasser for your prompt and thorough response.

We are using external lists of some variety (I can't remember specifics at the moment) and it adds a bit of frustration at times due to it being spread across multiple systems. I was hoping to have no dependencies other than MWG being available. I understand the limitations and why they are there, however.

Cheers.

0 Kudos
McAfee Employee

Re: Making changes to lists programatically from rulesets

Jump to solution

You can also use REST to update the lists on the MWG directly. This removes the need for an external service providing the list, but still requires an external service to perform the on-box maintenance.

There are customer's who have integration with their ticketing systems which update lists as they need to. Pretty cool stuff.

REST is what ePO uses to update lists on the MWG.

Best,

Jon

0 Kudos
aussiewan
Level 7

Re: Making changes to lists programatically from rulesets

Jump to solution

Thanks Jon. I will do some more investigation when time permits.

0 Kudos
aussiewan
Level 7

Re: Making changes to lists programatically from rulesets

Jump to solution

I have been experimenting with a room-based (ie subnet based) Internet blocking rule system, using pdstorage as a key feature. In my research for this, I found this article:

https://community.mcafee.com/thread/54311

Jon, in that discussion you mention that the pdstorage timeout values are based on inactivity, not creation of the entry. This means that any time you even read the data, it's lifetime is reset back to the defaults. I wasn't aware of this before, and it made me think about ways to take advantage of that.

If I re-created all of our whitelists and blacklists in pdstorage with, for example, a 365 day timeout, then the lists would stay there for a year after they have been last used. These lists are easy to modify dynamically, and I have done this several times in the past. This sounds like a fairly ideal method, with the exception of the security of the information. I know that I can initiate a single command and wipe out all PDStorage values. This would obviously be a very bad thing that would be very time-consuming to recover from. Is it possible to protect this data in any way to prevent damage or recover from damage? Note that these lists I want to have people edit are local to sites, and are in addition to our base ruleset which is all we require in general. Quite a lot of those lists are empty.

I imagine that McAfee would not recommend going down this path, but I would be interested in hearing any thoughts.

Cheers.

Philip

0 Kudos
McAfee Employee

Re: Making changes to lists programatically from rulesets

Jump to solution

Hi Philip,

You are correct in that I wouldnt advise going this route. Violtility is the main reason I would not recommend this. PDStorage (at least in my mind) not designed for long term storage. It is meant to store objects in memory for some persistance, but only for temporary situations. So in the case of the room based internet blocking system, it acts as a light switch. You turn it on or off. In your case, you are storing your policy IN pdstorage, this is much more complex and important for PDstorage to handle, so you have much more to lose. So unless you can ensure that your data is safe before you load it into PDstorage I wouldnt advise going this route.

It is also not a good idea to have a large ammount of PDstorage data because it is loaded into memory and could become a bear to load every time.

I think REST is the best way to go here. You can create your own portal for admins to login to, and then simplfy the view they have in order to miniminze the chance for error.

Best,

Jon

0 Kudos
aussiewan
Level 7

Re: Making changes to lists programatically from rulesets

Jump to solution

Thanks Jon, agreed.

eelsasser, I have seen that in the past, but the management of it with 230 rooms was going to be a nightmare. I have implemented my own version utilising:

1 List of String containing a list of comma-separate information about Site, Room, and Subnet, eg Campus1, Room2, 192.168.7.0-192.168.7.127

2 lists of IP ranges (one for Internet, one for Social Networking sites), which contain a list of subnets to block Internet on by default

2 pdstorage lists of IP ranges which will flip the default value of the block to it's other value if an entry exists

2 block pages, one to show a lit of all campuses, and one to show the rooms within a selected campus

When I implement it, it will be a case of having a rule of if (client IP is in a range in list defaultblock and client IP is not in range in list defaultoverride) or (client IP is not in range in list defaultblock and client IP is in range in list defaultoverride) then block.

The logic took me a while, and there is a lot of javascript in the manegement block pages to support it, but it appears to be working well so far in testing. I am happy to send you a copy of the rule set for you to investigate if you like. Unfortunately I haven't commented the javascript as much as I would like yet though.

Cheers.

0 Kudos
eelsasser
Level 15

Re: Making changes to lists programatically from rulesets

Jump to solution

Phillip,

Did you see this post?

https://community.mcafee.com/message/206263

it basically discusses a mechinism to shutdown a classroom via subnet.

0 Kudos