itsec
Level 7

WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

Hi,

I have set up webgateway 7.3 to send access logs to webreporter 5.2.

Log import & reporting appears to be working correctly - there are no errors reported in log parser and all logs are completing 100% successfully.

The problem I have is that if https is used then there is no auth_user data shown.  I believe this is down to the way that webgateway is configured as if I check the access.log on the webgateway, there is no auth_user data whenever https is used.

Currently only Handle Connect Call > Set Client Context is enabled in the SSL scanner rule set - would this be why there is no auth_user being logged?

I have compared against a v.6.9 webwasher which I have been told does not have SSL scanner enabled; however, all the options under the SSL Scanner tab are checked, such as certificate verification/ scan encrypted traffic, so it would appear that SSL Scanning is enabled. There is also a custom HTTPS-Access log configured which uses the same fields as the access.log. This is reporting on auth_users correctly.

thanks for any help

0 Kudos
11 Replies
McAfee Employee

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

Can you post some screenshots of your authentication rules in the MWG?

You are correct in assuming this is an issue with how MWG is configured.

Best,

Jon

0 Kudos
itsec
Level 7

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

Sure, here you are - pretty much out the box I think?  What have I missed....

Auth.jpg

Thanks!

Message was edited by: itsec on 18/12/12 03:57:28 CST
0 Kudos
itsec
Level 7

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

I've examined the v6.9 installation a little more closely and it appears that a custom https log was created in accordance with a document called "Create a Custom Log for HTTPs CONNECT Requests" which references Support Issue ISS00443240.

Basically I would like to recreate this functionality in v7.3.

Thanks

0 Kudos
itsec
Level 7

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

FYI I have logged an SR for this issue - # 3-2631891911

I've tried a variety of different options with the SSL scanning rules which seem to get the end result except the logs now show https get/ put/ post etc and not connect. I'm not sure how important this is...?

I'm also not convinced I have the right configuration for the client as they have specified they do not want ssl content scanned.  Hopefully I will resolve this with the SR.

0 Kudos
McAfee Employee

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

I can see the case, it's assigned to my pod-mate, please upload a feedback to that case as well.

I'm guessing there is a stop cycle above the authentication which may be resulting in the behavior you are seeing. The authentication server rules look good.

Best,

Jon

0 Kudos
jont717
Level 12

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

Are you sure your HTTPS traffic is hitting the gateway?  Do you see the Web Gateway certificate being used in the browser?

0 Kudos
itsec
Level 7

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

I've run a capture, checked the logs and also used fiddler when testing - the traffic is def going to the gateway however your comment about the certificate got me thinking....

Although I created a CA for the SSL Client Context with CA, it doesn't seem to be applying. If I browse to a https site then the certificate in the browser is the actual web server's (correct) certificate. I also noticed that the webgateway cert has not been installed into trusted root so I have amended that but nothing has changed.

As I mentioned, I only have the Handle Connect Call > Set Client Context enabled in the SSL Scanner rule set and it looks like this isn't working..

Will have to investigate further.

thanks

0 Kudos
jont717
Level 12

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

SSL Scanning is not going to work correctly with just Set Client Context turned on. 

You might as well just turn SSL scanning off altogether unless you activate the rest of the rules.

0 Kudos
itsec
Level 7

Re: WebGateway 7.3 & WebReporter 5.2 - missing user in HTTPS

We had planned not to use SSL scanning (content) - the only reason it is enabled with just set client context is so that the block templates can be seen as per numerous posts in this community that suggest this.

I'd like to recreate the custom log settings in 6.9 as in my earlier post but I'm not sure this is possible. As I mentioned, I was told that ssl scanning was not used but it turns out it is used so I'm not sure whether auth_user is being populated in the 6.9 custom logs because SSL Scanning is enabled or whether it's the custom log settings doing that.

Thanks

0 Kudos