McAfee Employee

Using Subscribed Lists for MCP Bypass


Many customers have asked if it is possible to use subscribed lists for creating MCP bypasses. It is possible and can be done currently. New! Updating the Common Catalog (tied to the MCP policy) can now be automated with Common Catalog 2.0.3. See reply to this article below.

Getting the subscribed list you want and updating the source:

Configure a list to reference the subscribed lists in the MWG GUI under Policy > Lists. Select Subscribed Lists, then right-click and select Add.


Name your list, add comments if desired, then select List Content is managed remotely, then choose McAfee Supplied list, then click on Choose. Choose your list from the drop down list. Then click on OK in the Choose List Content dialog and then OK in the Add List dialog.

Save your changes in the MWG GUI if you haven't already done so.

Your new list will be added to the appropriate type group. Select the list and click on Export.


Save the exported list and then open it with a file editor. The export will not be the contents of the list but will give you the filename/id that you will need in the next step.


Save your changes in the MWG GUI if you haven't already done so.

Converting the subscribed list:

Two types of subscribed lists are supported by Common Catalog and the conversion program: IP Range and String/Domain. The attached Java program can be put on your MWG and executed via cron job on a periodic basis. It is recommended that you create the output files in /opt/mwg/files so that they can easily be retrieved via URL (without authentication) or from the GUI. A new version of ConvertSList is now posted below. If the original list is string type or regex type, it will remove "*." from any entries to make it compatible with a domain list type in MCP bypass (e.g. "*.mcafee.com" is converted to "mcafee.com"). Also, since I discovered that ePO Common Catalog does not like duplicate entries, duplicate entries are removed during conversion.

Move the Java program to /usr/bin/ConvertSList.jar

Set up a cron job to execute the following command on a periodic basis (You will have a cron entry for each list you want to have available for Common Catalog import)

java -jar /usr/bin/ConvertSList.jar /opt/mwg/storage/subscribed_lists/update_server/com.scur.type.<list type>.<list ref #>.xml > /opt/mwg/files/<dest filename>

Examples:

java -jar ConvertSList.jar /opt/mwg/storage/subscribed_lists/update_server/com.scur.type.string.166.xml > /opt/mwg/files/string166.xml

would convert subscribed string list com.scur.type.string.166.xml to a file named string166.xml

java -jar ConvertSList.jar /opt/mwg/storage/subscribed_lists/update_server/com.scur.type.iprange.4148.xml > /opt/mwg/files/iprange4148.xml

would convert subscribed string list com.scur.type.iprange.4148.xml to a file named iprange4148.xml

Getting the converted subscribed list from MWG:

If you've put the files in /opt/mwg/files you can get them from the MWG GUI by going to Troubleshooting > <ApplianceName> > Files:


Or you can enable the file server for HTTP or HTTPS through the MWG administrative GUI under Configuration > File Server. Default ports are 4713 for HTTP and 4714 for HTTPS.


Converted files can then be retrieved via URL in a browser:

https://<mwgaddress>:<fileserverport>/files/<filename>

Examples:

http://192.168.1.222:4713/files/string166.xml

https://192.168.1.222:4714/files/iprange4148.xml

 

Importing the subscribed list into the Common Catalog: 

Log into your ePO server and select Common Catalog under Common Catalog in the Main Menu.

Select the Common Catalog that matches the MCP Policy you want to add the subscribed list to, then select Actions > Import From > File.


Choose your downloaded converted subscribed list file, then find it and select it in the Import Catalog dialog and click OK.


That's it. If you've set up the cron job the list on MWG will automatically update as the subscribed list changes. 

List updates in ePO (and by extension MCP Policy) can now be fully automated; see reply below.

Comments and suggestions welcome as always. Please note that this is not an officially supported McAfee solution. The java code isn't pretty but has been successfully implemented in several environments. Please post here if you encounter any issues and I will attempt to assist.

1 Solution

Accepted Solutions
McAfee Employee

Re: Using Subscribed Lists for MCP Bypass


Automation is now possible! You need the 2.0.3 updates to Common Catalog in ePO. 

Update Common Catalog in ePO Software Manager to 2.0.3. There are two extensions that need to be updated. The two extensions are Catalog Framework and Core Catalog. You may need to refresh software manager to see them (button in top left).

Create cron jobs on MWG to periodically convert the new list and update it in ePO. 

Identify the name of the MWG subscribed list to sync using the process provided in the original article above.

Example crontab to convert the list on the hour every hour:

0 * * * * java -jar /usr/bin/ConvertSList.jar /opt/mwg/storage/subscribed_lists/update_server/com.scur.type.string.166.xml > /opt/mwg/files/string166.xml

Example crontab to push the list to ePO at 192.168.11.136 5 minutes after every hour:

5 * * * * curl -X POST -n -k -F overwrite=true -F catalogId=155886d4-d616-485b-9f71-af6254841240 -F data=@/opt/mwg/files/string166.xml  https://192.168.11.136:8443/remote/catalogFramework.importCatalog.do

Credentials for ePO are stored in a netrc file on MWG (see the -n option for curl) so that they aren't visible in the crontab entry itself.

Overwrite=true was the feature not available in previous common catalog.

Only other trick is identifying the catalog ID. You need to do that one time through the ePO Common Catalog API.

curl -X POST -n -k https://192.168.11.136:8443/remote/catalogFramework.getCatalogList.do

This can be run from MWG itself, and again I've used -n to get creds from the netrc file.

If I have time later, I will provide more detail. Reply to this post if you have questions, corrections or enhancements.

 

 

 

0 Kudos
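An added wrapper for the two cron entries in the reply above (not the author's script or McAfee code): the crontab's `> /opt/mwg/files/string166.xml` truncates the file before the converter starts, so after a failed conversion an empty or partial file is what the `overwrite=true` import uploads five minutes later. It assumes the ePO CA certificate has been exported to /etc/epo-ca.pem and matches the address used, that the netrc file is /root/.netrc, and `sync-list.sh` is a hypothetical script name.

```shell
#!/bin/sh
# Added example (not the author's code). Paths under /opt/mwg and the ePO URL
# come from the post; /etc/epo-ca.pem and /root/.netrc are assumed locations.

# publish_list SRC DEST CMD...: run "CMD... SRC" into a temp file beside DEST
# and rename it over DEST only if the converter succeeded with non-empty output.
# A plain "> DEST" in crontab truncates DEST before the converter even starts.
publish_list() {
    src=$1; dest=$2; shift 2
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if "$@" "$src" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp"          # file server must be able to read it
        mv -f "$tmp" "$dest"      # same directory, so the rename is atomic
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# netrc_is_private FILE: true only for mode 0600 or 0400 (no group/other bits).
netrc_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# push_list FILE CATALOG_ID: the post's import call, with certificate
# verification (--cacert) in place of -k and an explicit netrc file.
push_list() {
    netrc_is_private /root/.netrc || return 1
    curl --fail --silent --show-error -X POST \
        --netrc-file /root/.netrc --cacert /etc/epo-ca.pem \
        -F overwrite=true -F "catalogId=$2" -F "data=@$1" \
        https://192.168.11.136:8443/remote/catalogFramework.importCatalog.do
}

# Cron entry point: "sync-list.sh --run"; push only after a good conversion.
if [ "${1:-}" = "--run" ]; then
    src=/opt/mwg/storage/subscribed_lists/update_server/com.scur.type.string.166.xml
    out=/opt/mwg/files/string166.xml
    publish_list "$src" "$out" java -jar /usr/bin/ConvertSList.jar &&
        push_list "$out" 155886d4-d616-485b-9f71-af6254841240
fi
```

A single crontab line calling the script with `--run` replaces both entries, so the push can never run against a list the conversion did not finish writing.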