gsr_privado
Level 8

Skip host from autentication rule set


Hello

I need to connect from the internal network to the Internet, to the IMED web services, through Web Gateway 7 in transparent bridge mode.

The requirements are:
200.0.156.42 (port 80, without content filters) (Autentia services)
200.0.156.45 (port 80, unfiltered content) (reports)
200.0.156.52 (ports 10241 to 10249, without content filters) (electronic voucher)
200.0.156.55 (ports 10241 to 10249, unfiltered content) (load balancer address)
200.0.156.75 (port 7003, without content filters) (business cards)
190.54.28.211 (port 80, unfiltered content) (IMED service monitor)
200.0.156.141 (port 10540, unfiltered content) (test environment)

I tried to create a rule set to bypass the request, but it didn't work with url.host or url.destinationip; it only worked when I created a criterion on client.ip for a single internal IP address, and I can't do that with a destination IP.

We need to not use authentication for the IMED services.

Thanks for any help


Accepted Solutions
gsr_privado
Level 8

Re: Skip host from autentication rule set


Hi,

The problem was a bad packet format:

No.     Time        Source                Destination           Protocol Length Info                                                            Destination Port
    355 6.603447    172.21.23.62          200.0.156.42          HTTP     348    POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1  (text/plain)        http

Frame 355: 348 bytes on wire (2784 bits), 348 bytes captured (2784 bits)
    Arrival Time: Sep 30, 2011 03:18:16.744702000 South America Pacific Summer Time
    Epoch Time: 1317363496.744702000 seconds
    [Time delta from previous captured frame: 0.001432000 seconds]
    [Time delta from previous displayed frame: 0.001876000 seconds]
    [Time since reference or first frame: 6.603447000 seconds]
    Frame Number: 355
    Frame Length: 348 bytes (2784 bits)
    Capture Length: 348 bytes (2784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http:data-text-lines]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: HewlettP_0d:a7:9a (00:16:35:0d:a7:9a), Dst: Cisco_b2:20:cd (08:17:35:b2:20:cd)
    Destination: Cisco_b2:20:cd (08:17:35:b2:20:cd)
        Address: Cisco_b2:20:cd (08:17:35:b2:20:cd)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: HewlettP_0d:a7:9a (00:16:35:0d:a7:9a)
        Address: HewlettP_0d:a7:9a (00:16:35:0d:a7:9a)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 172.21.23.62 (172.21.23.62), Dst: 200.0.156.42 (200.0.156.42)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 334
    Identification: 0x6b4f (27471)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x66dc [correct]
        [Good: True]
        [Bad: False]
    Source: 172.21.23.62 (172.21.23.62)
    Destination: 200.0.156.42 (200.0.156.42)
Transmission Control Protocol, Src Port: unicontrol (2499), Dst Port: http (80), Seq: 1, Ack: 1, Len: 294
    Source port: unicontrol (2499)
    Destination port: http (80)
    [Stream index: 12]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 295    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x99ab [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 294]
Hypertext Transfer Protocol
    POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n
        [Expert Info (Chat/Sequence): POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n]
            [Message: POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: POST
        Request URI: /cgi-bin/autentia3-tran.fcgi
        Request Version: HTTP/1.1
    Host: localhost\r\n
    Content-Type: text/plain; charset=utf-8\r\n
    Date: Fri Sep 30 03:18:16 2011\r\n
    CONTENT-LENGTH:       132\r\n
        [Content length: 132]
    \r\n
    [Full request URI: http://localhost/cgi-bin/autentia3-tran.fcgi]
Line-based text data: text/plain
    *\235=IØ\206H¯=`dg&:Ö\016䢸)õ\032RU\037·}<S·Î¶\201AJ3Ã\037}\231ÔJã\025º\227Ì}Ç ÍD{\217zP¶y½ßrùÊ=`N\025whe\006Ýï\021O,ða\020ÂÞ07Y\032\233Ewq\034?\224ãK\201\216\217ÚÅÀÑÍzIY}\210\225ò×+C\026(\203ÆW=@Ó\221Á©ð\022_\036\205\005)\212õF

I defined 127.0.0.1 in the Bypass request and it works fine.

Thanks

6 Replies
ittech
Level 13

Re: Skip host from autentication rule set


You would have to have a stop rule before your Authentication rule.

Something along the lines of:

If Client.IP is in list YOUR LIST (I find lists work better in these situations)

Stop Cycle

If you still want it to be filtered through the AV, that can be accomplished. Let me know and I'll give you a more detailed example.

Message was edited by: ittech on 9/30/11 9:00:01 AM EDT
gsr_privado
Level 8

Re: Skip host from autentication rule set


Thanks ittech

We need to filter by destination IP; filtering by client IP is not an option.

We need these IP addresses to pass directly to the Internet without authentication and proxy.

The traffic is not HTTP. Could you show me an example of how to do that?

Regards

McAfee Employee

Re: Skip host from autentication rule set


Same as above but...

If URL.Destination.IP is in list YOUR LIST (I find lists work better in these situations)

Stop Cycle

I have reservations about this working, as the traffic is not HTTP though...

~jon

Message was edited by: jscholte, changed property from URL.IP.Destination to URL.Destination.IP on 9/30/11 8:56:27 AM CDT
ittech
Level 13

Re: Skip host from autentication rule set


Okay, first things first. Sorry if I misread your post.

Now, I'm wondering why your URL.Dest.Ip rule didn't work.

Shouldn't MWG7 only filter ports 80 and 443, assuming you're only filtering HTTP and HTTPS?

Like this: (attached screenshot 1.png)

asabban
Level 17

Re: Skip host from autentication rule set


Hello,

In this transparent bridge mode, all packets which come from a client and have a destination port of 80 or 443 are intercepted by Web Gateway and sent to proxy port 9090 for inspection. All other packets (which have a different destination port) are simply passed from A to B.

Best,

Andre

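The following is an added example written for this page; it is not code from the thread, from McAfee, or from the IMED services. It models the two things the thread establishes: that a transparent bridge only diverts destination ports 80 and 443 into the proxy (Andre's reply), so the 10241-10249, 7003 and 10540 entries of the requirement list never reach the rule engine and need no bypass rule; and that the proxy evaluates URL.Destination.IP from the URL it rebuilds out of the HTTP Host header rather than from the IP header, which is why a list containing 200.0.156.42 did not match the Autentia request (Host: localhost) while a list containing 127.0.0.1 did. That second behaviour is an assumption here, consistent with the capture and the fix that worked. The static resolver, the sample flows, the reconstructed request (captured headers, dummy body) and all function names are constructed for the example. It also includes the check a practitioner would want before relying on such a bypass: a Host-derived address that differs from the wire destination means the bypass is keyed on a value any client can set.

```python
"""Added example (not from the thread or McAfee): emulates what a transparent
bridge proxy sees for the flows listed in the original post.

Modelled behaviour (assumptions, consistent with the thread):
  1. Only destination ports 80/443 are diverted into the proxy; other ports
     are bridged untouched and never reach the rule engine.
  2. URL.Destination.IP is derived from the HTTP Host header
     (Host: localhost -> 127.0.0.1), not from the IP header.
The resolver, sample flows and names below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERCEPTED_PORTS = {80, 443}                 # bridge mode diverts only these to the proxy
STATIC_RESOLVER = {"localhost": "127.0.0.1"}  # stand-in for DNS so this runs offline


@dataclass(frozen=True)
class Flow:
    client_ip: str
    wire_dst_ip: str      # destination address in the IP header
    dst_port: int
    payload: bytes = b""  # first TCP segment of the request, if any


def is_intercepted(flow: Flow) -> bool:
    """True when the bridge diverts the flow into the proxy for inspection."""
    return flow.dst_port in INTERCEPTED_PORTS


def parse_host_header(payload: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP/1.x request, or None if absent.
    Tolerates a bare-LF request line like the one in the capture."""
    for raw in payload.split(b"\n")[1:]:      # skip the request line
        line = raw.rstrip(b"\r")
        if line == b"":                       # blank line ends the headers
            return None
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None


def url_destination_ip(flow: Flow, resolver=STATIC_RESOLVER) -> Optional[str]:
    """Emulate URL.Destination.IP: an IP literal in Host is used as-is,
    a hostname is resolved; no Host header -> None."""
    host = parse_host_header(flow.payload)
    if host is None:
        return None
    if host.count(":") == 1:                  # strip ':port' (IPv4 / hostname only)
        host = host.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolver.get(host.lower())


def host_mismatch(flow: Flow, resolver=STATIC_RESOLVER) -> bool:
    """Check: the client-supplied Host resolves somewhere other than the
    address the packet was actually sent to. A bypass keyed on the
    Host-derived address treats such a request as traffic to that other host."""
    dst = url_destination_ip(flow, resolver)
    return dst is not None and dst != flow.wire_dst_ip


def evaluate(flow: Flow, bypass_list: set[str], resolver=STATIC_RESOLVER) -> str:
    """'forwarded' if the bridge never inspects it; otherwise the outcome of a
    'URL.Destination.IP is in list -> Stop Cycle' rule placed before authentication."""
    if not is_intercepted(flow):
        return "forwarded"
    dst = url_destination_ip(flow, resolver)
    return "bypass" if dst in bypass_list else "authenticate"


# Constructed from the captured headers; the 132-byte body is replaced by zeros.
AUTENTIA_REQUEST = (
    b"POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n"   # bare LF, as captured
    b"Host: localhost\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Date: Fri Sep 30 03:18:16 2011\r\n"
    b"CONTENT-LENGTH:       132\r\n"
    b"\r\n" + b"\x00" * 132
)

# Constructed sample flows covering port-80 and non-80 entries of the requirement list.
SAMPLE_FLOWS = [
    Flow("172.21.23.62", "200.0.156.42", 80, AUTENTIA_REQUEST),
    Flow("172.21.23.62", "200.0.156.45", 80, b"GET /reports HTTP/1.1\r\nHost: 200.0.156.45\r\n\r\n"),
    Flow("172.21.23.62", "200.0.156.52", 10241),
    Flow("172.21.23.62", "200.0.156.75", 7003),
    Flow("172.21.23.62", "200.0.156.141", 10540),
]

if __name__ == "__main__":
    wire_list = {"200.0.156.42", "200.0.156.45"}   # the list that did not bypass Autentia
    for f in SAMPLE_FLOWS:
        print(f"{f.wire_dst_ip}:{f.dst_port:<6} url_dst={url_destination_ip(f)!s:<13} "
              f"{evaluate(f, wire_list):<12} host_mismatch={host_mismatch(f)}")
    print("with 127.0.0.1 in the list:", evaluate(SAMPLE_FLOWS[0], {"127.0.0.1"}))
```

Running it prints one line per flow: the three non-80 flows come out as forwarded regardless of any list, the reports request bypasses because its Host is the same address the packet went to, and the Autentia request is authenticated under the wire-address list but bypassed once 127.0.0.1 is listed, with host_mismatch flagging that this bypass is decided by a header the client chooses.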