marduk
Level 9

rule tracing translation tool

Is anyone aware of any tools that would help with making the output from rule tracing a bit easier to understand?

Thanks

0 Kudos
10 Replies

Re: rule tracing translation tool

That would be extremely helpful to say the least!

0 Kudos
eelsasser
Level 15

Re: rule tracing translation tool

Rule tracing is a pain to wade through. What I like to do instead is use a troubleshooting log that lists all the rules that have fired for a request.

If you create a troubleshooting log that uses the property

List.OfString.ToString (Rules.FiredRules.Names)

By doing this, you get a log in which you can see just the rule names it walked through, and at least see the path it took through the rules. I would do this before I had to resort to a full rule trace that shows all the details of each condition. It can at least zero it down to which rules you have to look closer at.

Keep in mind that this joins the Request cycle, response cycle and logging cycle, so you'll usually see it go through the list twice. So in this example, the first rule set is Housekeeping rules and it goes through my rules sequentially, once for request and once for response.

[08/Feb/2012:00:09:48 -0500] Logging 192.168.2.2 "eelsasser" "" "http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif"  Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, Geolocation Rules, Lookup Geolocation, Force old-style thumbnail searches in google, SSL Scanner, Global Whitelist, Global Block, Authentication Rules, Direct Proxy Authentication, Application Control, Category Content Filter, Enable SafeSearchEnforcer, Common Rules, Web Cache, Read From Cache, Enable Web Cache, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Upload Media Types, Gateway Anti-Malware, Remove Partial Content for HTTP(s) Requests, Antimalware.Scanned, Housekeeping Rules, Content-Type, Experimental Rules, Global Whitelist, Common Rules, Handle Special Sites, Web Cache, Write to Cache, Enable Web Cache, Progress Indication, Enable Data Trickling, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Download Media Types, Gateway Anti-Malware, Antimalware.Scanned, Default

0 Kudos
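Reading the path out of that flat, comma-joined list is easier once it is cut back into its cycles. The following Python is an added example, not code from the post above or from Web Gateway itself; it assumes the log-line layout shown there (timestamp, the literal "Logging", client IP, three quoted fields, then the Rules.FiredRules.Names list), splits the list wherever the first rule set name reappears, and reports which rules fired in only one of the two cycles. The sample line is constructed from the rule names in the post.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: same layout and rule names as the log line in the post.
SAMPLE_LINE = (
    '[08/Feb/2012:00:09:48 -0500] Logging 192.168.2.2 "eelsasser" "" '
    '"http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif"  '
    'Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, '
    'Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, '
    'Geolocation Rules, Lookup Geolocation, '
    'Force old-style thumbnail searches in google, SSL Scanner, Global Whitelist, '
    'Global Block, Authentication Rules, Direct Proxy Authentication, '
    'Application Control, Category Content Filter, Enable SafeSearchEnforcer, '
    'Common Rules, Web Cache, Read From Cache, Enable Web Cache, Enable Opener, '
    'Enable Composite Opener, Global Media Type Filtering, Upload Media Types, '
    'Gateway Anti-Malware, Remove Partial Content for HTTP(s) Requests, '
    'Antimalware.Scanned, '
    'Housekeeping Rules, Content-Type, Experimental Rules, Global Whitelist, '
    'Common Rules, Handle Special Sites, Web Cache, Write to Cache, '
    'Enable Web Cache, Progress Indication, Enable Data Trickling, Enable Opener, '
    'Enable Composite Opener, Global Media Type Filtering, Download Media Types, '
    'Gateway Anti-Malware, Antimalware.Scanned, Default'
)

# Assumed layout of the troubleshooting log line: [timestamp], "Logging", client
# IP, three quoted fields (user, an empty field, URL), then the fired-rules list.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+Logging\s+(?P<client>\S+)\s+'
    r'"(?P<user>[^"]*)"\s+"[^"]*"\s+"(?P<url>[^"]*)"\s+(?P<rules>.*)$'
)


def parse_fired_rules_line(line: str) -> Dict[str, Any]:
    """Split one log line into its fixed fields and the ordered list of rule names."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not look like a FiredRules troubleshooting log entry")
    rules = [name.strip() for name in m.group("rules").split(",") if name.strip()]
    return {"ts": m.group("ts"), "client": m.group("client"),
            "user": m.group("user"), "url": m.group("url"), "rules": rules}


def split_cycles(rules: List[str]) -> List[List[str]]:
    """Cut the flat list into per-cycle segments.

    The post explains that the list joins the request, response and logging
    cycles, each starting again at the top-level rule set ("Housekeeping Rules"
    in the sample), so a new segment begins every time the first name reappears.
    Anything after the last repeat (for example the logging cycle) stays in the
    final segment.
    """
    if not rules:
        return []
    first = rules[0]
    cycles: List[List[str]] = []
    for name in rules:
        if name == first:
            cycles.append([])
        cycles[-1].append(name)
    return cycles


def diff_cycles(a: List[str], b: List[str]) -> Tuple[List[str], List[str]]:
    """Rules that fired in only one of two cycles, in firing order, without repeats."""
    set_a, set_b = set(a), set(b)
    only_a = [n for n in dict.fromkeys(a) if n not in set_b]
    only_b = [n for n in dict.fromkeys(b) if n not in set_a]
    return only_a, only_b


def render(entry: Dict[str, Any]) -> str:
    """Readable report: one indented block per cycle plus the request/response delta."""
    cycles = split_cycles(entry["rules"])
    labels = ["request", "response", "logging"]  # order as described in the post
    out = [f'{entry["ts"]} {entry["client"]} user={entry["user"]!r} {entry["url"]}']
    for i, cycle in enumerate(cycles):
        label = labels[i] if i < len(labels) else "extra"
        out.append(f"  cycle {i + 1} ({label}), {len(cycle)} rules fired:")
        out.extend(f"    {name}" for name in cycle)
    if len(cycles) >= 2:
        only_req, only_resp = diff_cycles(cycles[0], cycles[1])
        out.append("  only in request cycle:  " + ", ".join(only_req))
        out.append("  only in response cycle: " + ", ".join(only_resp))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(parse_fired_rules_line(SAMPLE_LINE)))
```

Run it against one line of the troubleshooting log and the two cycles come out as separate indented blocks; the "only in" lines are the quickest way to see, for example, that Read From Cache fired on the request side and Write to Cache on the response side. The split relies on the first rule set name recurring at the top of each cycle, so if a policy does not restart at the same top-level rule set the list stays one segment.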
asabban
Level 17

Re: rule tracing translation tool

Hi Mike,

We have heard that request several times. Unfortunately the first steps we made in that direction were dumped, but as far as I know we still want to build something. At the moment, though, we do not have a way to visualize the rule traces, so basically they are most helpful for support or engineering, but hard to read for customers.

I hope we can provide something in the near future.

Best,

Andre

0 Kudos
Troja
Level 14

Re: rule tracing translation tool

Hi,

I always use this debug logging. It is easier to read. We have just fixed most problems at customers with it.

The output looks like this:

Client Information:
  Date: [08/Feb/2012:09:19:32 +0100]
  Authenticated User: MYDOMAIN\username
  Client IP: 10.x.x.x
  User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Firefox/9.0.1
URL Information:
  URL Request Header first line: GET http://video.skoda.at/flash/banner/twenty_sitebar_2012/animation.swf HTTP/1.1
  URL HOST: video.skoda.at
  URL Categories: Motor Vehicles
  URL Reputation: Minimal Risk
Content Information:
  MediaType from HTTP Header: application/x-shockwave-flash
  Other Media Type Information: <Enshured Media Type: application/x-shockwave-flash> <From File Extension: > <Not Enshured Media Type: >
  Body Filename: animation.swf
  Content/Archive Information: <Supported by Opener: false> <Encrypted: false> <Multipart: false> <Corrupted: false>
  HTTP Status Code: 200
  CacheStatus: TCP_HIT
Application Information:
  Application Name:
  Application Reputation:
Security Engine Information:
  Antimalware Result:
  BlockID: 0
  Stream Detector: Flash-based videos
  Body changed by any engine: false
Debug Information:
  Current/Last Rule: Policy Rules Finished
  Fired Rules: Shows all the fired rules from the rule set
  Rule Set Processing Time: 53ms / 53163micro sec.
-----------------------------------------------------------------------------------------------------

Cheers,

Thorsten

Message edited by Troja on 08.02.12 09:19:03 CET

Message edited by Troja on 08.02.12 09:22:48 CET
0 Kudos
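The block above is already structured (unindented section headers ending in a colon, indented "Key: value" fields, and "<Name: value>" groups inside some values), so it can be parsed and reduced to a one-line verdict per request, which is what the thread is asking for. The following Python is an added example, not code from the post or a McAfee tool; it assumes exactly that layout. The sample block is constructed from the fields in the post, with the "Fired Rules" placeholder replaced by an illustrative list of names.

```python
import re
from typing import Dict, List, Union

# Constructed sample in the layout of the debug log posted above. The "Fired
# Rules" value is an illustrative list; the post shows a placeholder there.
SAMPLE_BLOCK = r"""Client Information:
  Date: [08/Feb/2012:09:19:32 +0100]
  Authenticated User: MYDOMAIN\username
  Client IP: 10.x.x.x
  User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
URL Information:
  URL Request Header first line: GET http://video.skoda.at/flash/banner/twenty_sitebar_2012/animation.swf HTTP/1.1
  URL HOST: video.skoda.at
  URL Categories: Motor Vehicles
  URL Reputation: Minimal Risk
Content Information:
  MediaType from HTTP Header: application/x-shockwave-flash
  Other Media Type Information: <Enshured Media Type: application/x-shockwave-flash> <From File Extension: > <Not Enshured Media Type: >
  Body Filename: animation.swf
  Content/Archive Information: <Supported by Opener: false> <Encrypted: false> <Multipart: false> <Corrupted: false>
  HTTP Status Code: 200
  CacheStatus: TCP_HIT
Application Information:
  Application Name:
  Application Reputation:
Security Engine Information:
  Antimalware Result:
  BlockID: 0
  Stream Detector: Flash-based videos
  Body changed by any engine: false
Debug Information:
  Current/Last Rule: Policy Rules Finished
  Fired Rules: Housekeeping Rules, Content-Type, Global Whitelist, Common Rules, Web Cache, Read From Cache
  Rule Set Processing Time: 53ms / 53163micro sec.
-----------------------------------------------------------------------------------------------------
"""

Value = Union[str, Dict[str, str]]
GROUP_RE = re.compile(r"<([^<>:]+):\s*([^<>]*)>")           # "<Name: value>" groups
TIME_RE = re.compile(r"(\d+)\s*ms\s*/\s*(\d+)\s*micro")      # "53ms / 53163micro sec."


def parse_value(raw: str) -> Value:
    """A value made only of "<Name: value>" groups becomes a dict; anything else stays text."""
    groups = GROUP_RE.findall(raw)
    if groups and GROUP_RE.sub("", raw).strip() == "":
        return {name.strip(): value.strip() for name, value in groups}
    return raw.strip()


def parse_debug_block(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse one debug-log block into {section: {key: value}}.

    Headers are unindented and end in ":"; fields are indented "Key: value" lines
    (a field with no value, such as "Antimalware Result:", maps to ""); separator
    lines of dashes and blank lines are ignored.
    """
    sections: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("---"):
            continue
        if not line.startswith((" ", "\t")):
            if not stripped.endswith(":"):
                raise ValueError(f"unexpected unindented line: {line!r}")
            current = stripped[:-1]
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"field before any section header: {line!r}")
        key, sep, value = stripped.partition(": ")
        if not sep:                       # "Key:" with an empty value
            key, value = stripped.rstrip(":"), ""
        sections[current][key.strip()] = parse_value(value)
    return sections


def fired_rules(sections: Dict[str, Dict[str, Value]]) -> List[str]:
    """The comma-joined Fired Rules field as an ordered list of names."""
    raw = str(sections.get("Debug Information", {}).get("Fired Rules", ""))
    return [n.strip() for n in raw.split(",") if n.strip()]


def processing_time_us(sections: Dict[str, Dict[str, Value]]) -> int:
    """Rule set processing time in microseconds; the ms figure must agree with it."""
    raw = str(sections.get("Debug Information", {}).get("Rule Set Processing Time", ""))
    m = TIME_RE.search(raw)
    if not m or int(m.group(1)) != int(m.group(2)) // 1000:
        raise ValueError(f"missing or inconsistent processing time: {raw!r}")
    return int(m.group(2))


def summarize(sections: Dict[str, Dict[str, Value]]) -> str:
    """One line per request with the fields you look at first when asking why it was allowed or blocked."""
    cli = sections.get("Client Information", {})
    url = sections.get("URL Information", {})
    content = sections.get("Content Information", {})
    sec = sections.get("Security Engine Information", {})
    dbg = sections.get("Debug Information", {})
    return (f"user={cli.get('Authenticated User', '')} host={url.get('URL HOST', '')} "
            f"categories={url.get('URL Categories', '')!r} reputation={url.get('URL Reputation', '')!r} "
            f"status={content.get('HTTP Status Code', '')} cache={content.get('CacheStatus', '')} "
            f"last_rule={dbg.get('Current/Last Rule', '')!r} block_id={sec.get('BlockID', '')} "
            f"fired={len(fired_rules(sections))} time_us={processing_time_us(sections)}")


if __name__ == "__main__":
    print(summarize(parse_debug_block(SAMPLE_BLOCK)))
```

Feeding a whole debug.log through parse_debug_block one block at a time (splitting on the dashed separator) and printing summarize() for each gives a grep-able line per request with the last rule, the BlockID and the categories next to each other, which is usually enough to pick the requests that need the full block or a rule trace.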

Re: rule tracing translation tool

Thorsten,

Thanks for this, I'm going to give it a shot! The more we can self-diagnose and troubleshoot, the less we have to call support.

Thanks again for the McAfee employee input as well, it is appreciated that you guys are so active on this forum!

0 Kudos
bragot
Level 7

Re: rule tracing translation tool

I know this is an old thread, but I just wanted to say thanks for sharing this policy of yours.  It's really helpful for determining which rule is allowing or blocking a certain site.

Also, if there's a way that you can determine the rule sets that were processed, that would be helpful as well.

0 Kudos
McAfee Employee

Re: rule tracing translation tool

Hi Bragot!

Have you checked out rule tracing central in 7.3.2? This allows you to run rule tracing and visually see what happened.

Web Gateway 7.3.2.0 build 15306 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24492

Current release: Web Gateway 7.3.2.2 build 15726 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24654

Or are you looking at a post mortem analysis, rather than active debugging?

Best,

Jon

0 Kudos
Troja
Level 14

Re: rule tracing translation tool

Hi Jon,

Is there a plan to expand Rule Tracing Central over a whole MWG cluster?

At the moment we are implementing a POC with MWG where 30 virtual appliances will be in an HA cluster. This does not make investigation with Rule Tracing Central very easy. :-)

Btw, the benefit of the debug.log is that you don't have to care which proxy the HA cluster assigned to the user. You also know which property is in which state. This also makes it easier to implement a necessary exclusion rule set.

Cheers,

Thorsten

0 Kudos
McAfee Employee

Re: rule tracing translation tool

Hi Thorsten,

Maybe eventually it will be done over the whole cluster.

At first it was estimated that it would be too complex (over the cluster), and there would be a large delay. Usually people want to see things in real-ish-time (otherwise they think something is wrong).

You can still use the old way of rule tracing which will allow you to trace over all nodes.

You can then go to the node where you see the traces, and select all of them, then click the "Analyze" button.

Best,

Jon

0 Kudos