Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups

Hi,

We're trying to implement a new ruleset on our Web Gateway proxy for a group of users that belong to an AD Security Group. We've successfully created Rule Sets using the Rule Criteria Authentication.Username with 'is in list' and entered the AD usernames in the past, which works fine. However, we are looking to use AD SG groups to manage rules, so we've tried the Rule Criteria Authentication.UserGroups 'is in list' and copied the SG in, but after troubleshooting, this condition is never met when it should be.

Has anyone created Rule Sets using this criteria and is able to shed some light as to why this isn't working for us?

Thanks
Ben

6 Replies
mkutrieba
McAfee Employee

Re: Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups


Hello @User96081845,

What do you mean by SG? Service groups? So are we speaking about the normal AD groups that the users are members of?
Default rule is:
Authentication.Usergroups none in list <list>, Action: Block

Alternatively you can use "at least one in list" as this property is a list of strings. So "is in list" should not work here at all.

I did not test it but just wanted to share default rule/criteria and thoughts.

Regards,
Marcel Kutrieba
Technical Support Engineer


Re: Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups


Thanks for the reply Marcel.

Yes, in this scenario we are wanting to restrict internet access if users are in an AD security group called RestrictedInternet.

The rule logic we have in place is: IF <Authentication.UserGroups> 'at least one in list' (RestrictedInternet) then action = BLOCK but when we trace the rule in the troubleshooting, it doesn't satisfy this condition. i.e. User A is a member of the RestrictedInternet security group but doesn't hit this criteria and therefore no block is applied.

I've attached a screenshot showing the working we currently have in place.

mkutrieba
McAfee Employee

Re: Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups


I cannot see any screenshot, but could you please open an SR, attach the feedback file + rule trace to it, and mention that it should be assigned to me?
You can then also tell me the SR number via personal message here.

Regards,
Marcel Kutrieba
Technical Support Engineer


Re: Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups

Thanks Marcel.

I have sent you a PM.
mkutrieba
McAfee Employee

Re: Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups


Sorry for the late response, I just started my day (EMEA timezone) and noticed that this SR was already handled by APAC colleagues 🙂

If you have the solution, please share it here and mark it as solved.

Regards,
Marcel Kutrieba
Technical Support Engineer


Re: Trying to create ruleset in Web Gateway proxy using Authentication.UserGroups


Solution in this instance was to use the following operators for the ruleset: Authentication.UserGroups contains at least one match *Name_Of_Security_Group*.

Previously we didn't have the wildcard "* *" entry, so the security group wasn't being detected.
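
An added illustration, not part of the original posts and not the vendor's code: a small Python model of the three comparisons discussed in this thread, applied to a list-of-strings property. The qualified `CORP\...` group strings, the sample directory and all function names are assumptions made for the model (the thread does not say what form the group values take); the last function lists every other group a wildcard entry would also match.

```python
from fnmatch import fnmatchcase

# Constructed sample data. The qualified "DOMAIN\group" form is an assumption
# made for this model; the thread does not show the real property values.
USER_GROUPS = ["CORP\\Domain Users", "CORP\\RestrictedInternet"]
DIRECTORY = [
    "CORP\\Domain Users",
    "CORP\\RestrictedInternet",
    "CORP\\NonRestrictedInternet",
    "CORP\\RestrictedInternet-Exempt",
]


def is_in_list(prop, entries):
    """Scalar-style test: the whole property value must equal one entry.
    A list of strings is never equal to a single string entry."""
    return prop in entries


def at_least_one_in_list(prop, entries):
    """True if any element of the list property equals an entry exactly."""
    return any(group in entries for group in prop)


def contains_at_least_one_match(prop, patterns):
    """True if any element matches any glob-style wildcard pattern."""
    return any(fnmatchcase(group, pat) for group in prop for pat in patterns)


def overmatched(all_groups, pattern, intended):
    """Groups other than the intended one that the wildcard also matches."""
    return [g for g in all_groups if g != intended and fnmatchcase(g, pattern)]


if __name__ == "__main__":
    print("is in list:          ", is_in_list(USER_GROUPS, ["RestrictedInternet"]))
    print("at least one in list:", at_least_one_in_list(USER_GROUPS, ["RestrictedInternet"]))
    print("wildcard match:      ",
          contains_at_least_one_match(USER_GROUPS, ["*RestrictedInternet*"]))
    print("also matched:        ",
          overmatched(DIRECTORY, "*RestrictedInternet*", "CORP\\RestrictedInternet"))
```

In this model the leading and trailing `*` also catch `NonRestrictedInternet` and `RestrictedInternet-Exempt`, so a block rule built on the wildcard applies to members of those groups too; listing the directory's groups against the pattern before deployment shows whether that happens in a given environment.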

