
Rule Tracing Central with Application Control

Hi everyone
This is only my 2nd post in these forums so please bear with me! I've been figuring out Application Control with the assistance of some great people here. I was trying to check today that my Application Control rules are being hit using Rule Tracing Central, but they don't seem to be being logged there. Is this by design?

Example:
Rule 1: If user is in Dropbox AD Group and Application = Dropbox, Stop ruleset
Rule 2: If URL category Is At Least 1 In List "Personal Network Storage", block

I see it hit various other rules like the 'enable composite opener' one, and the one telling it to use an upstream proxy, but nowhere is a 'stop ruleset' action listed.

Contrast this with my old ruleset:
Rule 1: If user is in Dropbox AD Group and URL Matches In List <dropbox URLs>, Stop ruleset
Rule 2: If URL category Is At Least 1 In List "Personal Network Storage", block

I can clearly see the 'Stop ruleset' action when I enable this ruleset and test.

I *know* the App Control rule is being hit because when I disable it the Dropbox user is blocked from Dropbox. So why is rule tracing more comprehensive for URL filtering rulesets than it is for Application Control rulesets?

Thanks in advance!

5 Replies
McAfee Employee mkutrieba

Re: Rule Tracing Central with Application Control

Hi,

I am not 100% sure what exactly the issue is, but as I understand it you are talking about the small icon (continue, stop cycle, stop rule set, etc.) in front of the requests in the rule traces in the left list?

If yes, the icon of the last matched rule of the response cycle is shown here. That means that even if 5 rules with stop rule set have been triggered and matched, the request will be shown with a continue if another rule after the 5 others matches with a continue action.

I apologize in case I misunderstood this and you meant something completely different.

Maybe it would be helpful to post screenshots of both cases and mark the relevant part so that we know exactly what you are talking about. But please check that those do not contain sensitive information.

Regards,
Marcel Kutrieba
Technical Support Engineer

Re: Rule Tracing Central with Application Control

Hi, thanks for your response. I'll try and get some screenshots tomorrow to illustrate. When I use the URL filtering ruleset (with nothing else altered) I clearly see the 'stop ruleset' action on the left hand side. The only thing I changed is that I disabled this ruleset and enabled the App Control ruleset, so this is why I am confused as to why more events seem to be being logged when the App Controls are not in use. I hope this makes sense!

Re: Rule Tracing Central with Application Control

Hopefully these screenshots will help me explain:

Rule tracing with App Control rules:

AppCtrl1.png

AppCtrl2.png

Lots of 'continue' actions.

Rule tracing with the URL Filtering ruleset enabled instead:

URLF1.png

URLF2.png

Here it's telling me clearly which URL filtering rule is being hit.

All I am doing here is disabling my App Control ruleset and enabling my old (but very similar) URL Filtering ruleset.  No other changes are being made.  So why does the rule tracing look so different?

McAfee Employee mkutrieba

Re: Rule Tracing Central with Application Control

Okay, so we are talking about the left sidebar icons, as I thought. As mentioned before, as far as I know, the icon from the last hit/matching rule is shown. At least it was so when I was testing in the lab.

I would need the rule traces to manually navigate and check where the rules in both cases are located and which rules have been triggered and matched.

As far as I can see, debug data cannot be sent via private message here in the community. I think it might be necessary for you to open an SR via the support portal and tell me the number so that I can take over the SR. Then attach a rule trace for case 1 and for case 2. Make sure that the same URLs/GET requests are used/shown in the rule traces.

I can then check for the reason and difference. Is this possible?
You can write in the ticket description that this should be assigned to Marcel Kutrieba. Also tell me the SR number via private message.

Regards,
Marcel Kutrieba
Technical Support Engineer

Re: Rule Tracing Central with Application Control

Thank you Marcel, I have created an SR and will send you the number via private message
