Web Gateway Flow Data Support

I thought I asked this before but could not find it.  Is there support for flow (netflow, sflow, jflow, etc) data from MWG 7.x?  We really need this as a troubleshooting tool.

3 Replies
brinkn

Re: Web Gateway Flow Data Support


OK, I thought this was a pretty cool idea. 

/*Start Disclaimer

I did this with a lab setup, and I'm pretty sure it could cause performance impacts, void your warranty, and potentially bring about the end of the known universe.

End Disclaimer*/

Here is what I did:

Downloaded fprobe from: http://fprobe.sourceforge.net/

I compiled fprobe on a development box and copied the ./src/fprobe file to my webgateway v7.3 box.

I then started fprobe on the webgateway:

./fprobe -i INTERFACE_TO_MONITOR IP_OF_COLLECTOR:9995

Lo and behold, it started sending netflow.

I'm sure there are a lot of other things that can be done, such as using fprobe-ulog, configuring fprobe to do multiple interfaces, other formats, etc., but I figure this may get the ball rolling and other people can throw out ideas as well.

Re: Web Gateway Flow Data Support

I started to do the same thing, but got sidetracked and never finished. So kudos, Nick, on getting further.

But as I thought about it, wouldn't the actual data that you are capturing only represent one flow from the client to the proxy, and another flow from the proxy to the site?

I suspect John is trying to get the end-to-end relationship between client IP and web server IP. I'm not so sure that will happen, even in transparent bridge.

I don't know what raw netflow data looks like, so I am speculating.
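
The split described in this reply, as an added example that is not from the thread: it encodes and decodes NetFlow v5 records (the format fprobe exports) for one client request through an explicit proxy, using constructed addresses and a hypothetical proxy listener port, and shows that no single record pairs the client IP with the web server IP.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format (network byte order): 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets", "first", "last",
          "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
          "src_mask", "dst_mask", "pad2")

def build_v5(flows, uptime_ms=60_000, unix_secs=1_700_000_000, seq=0):
    """Encode (src, sport, dst, dport, proto, pkts, octets) tuples into one v5 export datagram."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2, pkts, octets,
                       uptime_ms - 5_000, uptime_ms, sport, dport, 0, 0x1B, proto, 0, 0, 0, 24, 24, 0)
        for src, sport, dst, dport, proto, pkts, octets in flows)
    return header + body

def parse_v5(datagram):
    """Decode a v5 datagram into flow dicts with dotted-quad addresses (what a collector stores)."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, raw))
        rec["src"], rec["dst"] = str(IPv4Address(rec["src"])), str(IPv4Address(rec["dst"]))
        records.append(rec)
    return records

def sees_end_to_end(records, client, server):
    """True only if a single record carries the client as source and the web server as destination."""
    return any(r["src"] == client and r["dst"] == server for r in records)

# Constructed sample: the two flows fprobe on an explicit proxy would export for one client request.
CLIENT, PROXY_IN, PROXY_OUT, SERVER = "10.0.0.5", "10.0.0.1", "203.0.113.10", "198.51.100.20"
SAMPLE = build_v5([
    (CLIENT, 51000, PROXY_IN, 9090, 6, 12, 1800),  # client -> proxy listener (hypothetical port 9090)
    (PROXY_OUT, 40000, SERVER, 443, 6, 14, 2100),  # proxy -> origin web server
])

if __name__ == "__main__":
    for f in parse_v5(SAMPLE):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} octets={f['octets']}")
    print("client-to-server pair visible:", sees_end_to_end(parse_v5(SAMPLE), CLIENT, SERVER))
```

The collector ends up with two unrelated five-tuples; linking them back to one request needs the proxy's own records, not the flow export alone.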

brinkn

Re: Web Gateway Flow Data Support

I think you are right. I have been contemplating this since reading the OP. I can't see any solution where you can get a Netflow V9 type packet where you know what the NAT translation is. I am not running a transparent proxy so I don't know how the host is configured in that scenario, but using an explicit proxy I assume the mwg process does the translation from interfaces and does not depend on iptables for the routing. So in my scenario I am not giving anything more than what you would get from the nearest switch.
