Rule tracing is a pain to wade through. What I like to do instead is use a troubleshooting log that lists all the rules that have fired for a request.
If you create a troubleshooting log that uses propertyList.OfString.ToString(Rules.FiredRules.Names), you get a log in which you can see just the rule names that it walked through and at least see the path it took through the rules. I would do this before I had to resort to doing a full rule trace that shows all the details of each condition. It can at least zero it down to which rules you have to look closer at.
Keep in mind that this joins the request cycle, response cycle and logging cycle, so you'll usually see it go through the list twice. So in this example, the first rule set is Housekeeping Rules and it goes through my rules sequentially, once for request and once for response.
[08/Feb/2012:00:09:48 -0500] Logging 192.168.2.2 "eelsasser" "" "http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif" Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, Geolocation Rules, Lookup Geolocation, Force old-style thumbnail searches in google, SSL Scanner, Global Whitelist, Global Block, Authentication Rules, Direct Proxy Authentication, Application Control, Category Content Filter, Enable SafeSearchEnforcer, Common Rules, Web Cache, Read From Cache, Enable Web Cache, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Upload Media Types, Gateway Anti-Malware, Remove Partial Content for HTTP(s) Requests, Antimalware.Scanned, Housekeeping Rules, Content-Type, Experimental Rules, Global Whitelist, Common Rules, Handle Special Sites, Web Cache, Write to Cache, Enable Web Cache, Progress Indication, Enable Data Trickling, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Download Media Types, Gateway Anti-Malware, Antimalware.Scanned, Default
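The post above explains that the fired-rules list in such a log line is really the same rule tree walked once per cycle, so the first rule set name reappears where the response cycle begins. The following added example (not code from the post or from the product) parses a line of that layout, splits the flat list into cycles and reports in which cycle a given rule fired; the line layout "[timestamp] Logging <client> "<user>" "" "<url>" <rules>" is assumed from the quoted line, and the sample line is a constructed copy of it.

```python
import re
from typing import Dict, List

# Constructed sample line mirroring the access-log line quoted in the post above.
# Its tail is the rule list produced by propertyList.OfString.ToString(Rules.FiredRules.Names).
SAMPLE_LINE = (
    '[08/Feb/2012:00:09:48 -0500] Logging 192.168.2.2 "eelsasser" "" '
    '"http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif" '
    'Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, '
    'Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, '
    'Geolocation Rules, Lookup Geolocation, '
    'Force old-style thumbnail searches in google, SSL Scanner, Global Whitelist, '
    'Global Block, Authentication Rules, Direct Proxy Authentication, '
    'Application Control, Category Content Filter, Enable SafeSearchEnforcer, '
    'Common Rules, Web Cache, Read From Cache, Enable Web Cache, Enable Opener, '
    'Enable Composite Opener, Global Media Type Filtering, Upload Media Types, '
    'Gateway Anti-Malware, Remove Partial Content for HTTP(s) Requests, '
    'Antimalware.Scanned, Housekeeping Rules, Content-Type, Experimental Rules, '
    'Global Whitelist, Common Rules, Handle Special Sites, Web Cache, '
    'Write to Cache, Enable Web Cache, Progress Indication, Enable Data Trickling, '
    'Enable Opener, Enable Composite Opener, Global Media Type Filtering, '
    'Download Media Types, Gateway Anti-Malware, Antimalware.Scanned, Default'
)

# Assumed line layout: [timestamp] Logging <client ip> "<user>" "" "<url>" <rule, rule, ...>
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] Logging (?P<client>\S+) '
    r'"(?P<user>[^"]*)" "(?P<unused>[^"]*)" "(?P<url>[^"]*)" (?P<rules>.*)$'
)


def parse_line(line: str) -> Dict[str, object]:
    """Split one troubleshooting-log line into its fields; 'rules' becomes a list."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the expected troubleshooting-log layout")
    rec: Dict[str, object] = m.groupdict()
    # Rule names are joined with ", " by the property; split on exactly that.
    rec["rules"] = [r.strip() for r in str(rec["rules"]).split(", ") if r.strip()]
    return rec


def split_cycles(rules: List[str]) -> List[List[str]]:
    """Group the flat fired-rules list into per-cycle lists.

    The engine walks the rule tree once per cycle (request, response, ...), so a
    new cycle starts every time the first top-level rule set name appears again.
    """
    cycles: List[List[str]] = []
    for name in rules:
        if not cycles or (name == rules[0] and cycles[-1]):
            cycles.append([])
        cycles[-1].append(name)
    return cycles


def cycles_with_rule(cycles: List[List[str]], rule_name: str) -> List[int]:
    """Indexes of the cycles (0 = request, 1 = response here) in which a rule fired."""
    return [i for i, cycle in enumerate(cycles) if rule_name in cycle]


def summarize(line: str) -> Dict[str, object]:
    """Compact view a troubleshooter would scan first: who, what, how many rules per cycle."""
    rec = parse_line(line)
    rules = rec["rules"]  # type: ignore[assignment]
    cycles = split_cycles(rules)  # type: ignore[arg-type]
    return {
        "user": rec["user"],
        "url": rec["url"],
        "cycle_lengths": [len(c) for c in cycles],
        "last_rule": rules[-1] if rules else None,  # type: ignore[index]
    }


if __name__ == "__main__":
    rec = parse_line(SAMPLE_LINE)
    for i, cycle in enumerate(split_cycles(rec["rules"])):  # type: ignore[arg-type]
        print(f"cycle {i}: {len(cycle)} rules, from {cycle[0]!r} to {cycle[-1]!r}")
    print("Global Block fired in cycles:", cycles_with_rule(split_cycles(rec["rules"]), "Global Block"))  # type: ignore[arg-type]
```

Running this on the sample line yields two cycles of 28 and 18 rules; "Global Block" shows up only in the request cycle, "Write to Cache" only in the response cycle, which is exactly the narrowing-down the post recommends before resorting to a full rule trace.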
We have heard that request several times. Unfortunately the first steps we made in that direction were dumped, but as far as I know we still want to build something. At the moment we do not have a way to visualize the rule traces, so basically they are most helpful for support or engineering, but hard to read for customers.
I hope we can provide something in the near future.
I always use this debug logging. It is easier to read. We just fixed most problems at customers with it.
The Output looks like this:
Date: [08/Feb/2012:09:19:32 +0100]
Authenticated User: MYDOMAIN\username
Client IP: 10.x.x.x
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Firefox/9.0.1
URL Request Header first line: GET http://video.skoda.at/flash/banner/twenty_sitebar_2012/animation.swf HTTP/1.1
URL HOST: video.skoda.at
URL Categories: Motor Vehicles
URL Reputation: Minimal Risk
MediaType from HTTP Header: application/x-shockwave-flash
Other Media Type Information: <Enshured Media Type: application/x-shockwave-flash> <From File Extension <Not Enshured Media Type: >
Body Filename: animation.swf
Content/Archive Information: <Supported by Opener: false> <Encrypted: false> <Multipart: false> <Corrupted: false>
HTTP Status Code: 200
Security Engine Information:
Stream Detector: Flash-based videos
Body changed by any engine: false
Current/Last Rule: Policy Rules Finished
Fired Rules: Shows all the fired rules from the Ruleset
Rule Set Processing Time: 53ms / 53163micro sec.
Message edited by Troja on 08.02.12 09:19:03 MEZ; message edited by Troja on 08.02.12 09:22:48 MEZ
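The debug-log record shown above is a flat "Key: value" listing with a few angle-bracketed sub-fields. The following added example (not code from the post or from the product) parses such a record into a dictionary, expands the bracketed groups into typed values and produces the summary a troubleshooter wants first: host, status, categories, archive flags, last and fired rules, processing time. The sample record is constructed from the values in the post; the "Fired Rules" line, which the post leaves as a placeholder, is filled with a constructed list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample record laid out like the debug-log output quoted above.
# The "Fired Rules" value is constructed; the other values are copied from the post.
SAMPLE_RECORD = r"""Date: [08/Feb/2012:09:19:32 +0100]
Authenticated User: MYDOMAIN\username
Client IP: 10.x.x.x
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
URL Request Header first line: GET http://video.skoda.at/flash/banner/twenty_sitebar_2012/animation.swf HTTP/1.1
URL HOST: video.skoda.at
URL Categories: Motor Vehicles
URL Reputation: Minimal Risk
MediaType from HTTP Header: application/x-shockwave-flash
Other Media Type Information: <Enshured Media Type: application/x-shockwave-flash> <From File Extension <Not Enshured Media Type: >
Body Filename: animation.swf
Content/Archive Information: <Supported by Opener: false> <Encrypted: false> <Multipart: false> <Corrupted: false>
HTTP Status Code: 200
Security Engine Information:
Stream Detector: Flash-based videos
Body changed by any engine: false
Current/Last Rule: Policy Rules Finished
Fired Rules: Housekeeping Rules, Global Whitelist, Category Content Filter, Gateway Anti-Malware, Default
Rule Set Processing Time: 53ms / 53163micro sec.
"""

# One "<Name: value>" group; tolerates the unbalanced "<From File Extension <" fragment
# in the record by requiring a colon inside the brackets.
ANGLE_RE = re.compile(r"<([^<>:]+):\s*([^<>]*)>")


def parse_record(text: str) -> Dict[str, str]:
    """One 'Key: value' pair per line; the key is everything before the first colon."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # not a key/value line; ignore
        fields[key.strip()] = value.strip()
    return fields


def parse_angle_fields(value: str) -> Dict[str, object]:
    """Expand '<Name: value> <Name: value>' groups; 'true'/'false' become booleans."""
    out: Dict[str, object] = {}
    for name, val in ANGLE_RE.findall(value):
        val = val.strip()
        out[name.strip()] = {"true": True, "false": False}.get(val.lower(), val)
    return out


def processing_time_us(fields: Dict[str, str]) -> Optional[int]:
    """Microsecond figure from 'Rule Set Processing Time: 53ms / 53163micro sec.'"""
    m = re.search(r"(\d+)\s*micro", fields.get("Rule Set Processing Time", ""))
    return int(m.group(1)) if m else None


def _split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def summarize(text: str) -> Dict[str, object]:
    """The fields a troubleshooter looks at first, with types normalised."""
    f = parse_record(text)
    status = f.get("HTTP Status Code", "")
    return {
        "host": f.get("URL HOST", ""),
        "status": int(status) if status.isdigit() else None,
        "categories": _split_list(f.get("URL Categories", "")),
        "reputation": f.get("URL Reputation", ""),
        "archive": parse_angle_fields(f.get("Content/Archive Information", "")),
        "media": parse_angle_fields(f.get("Other Media Type Information", "")),
        "last_rule": f.get("Current/Last Rule", ""),
        "fired_rules": _split_list(f.get("Fired Rules", "")),
        "processing_us": processing_time_us(f),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_RECORD).items():
        print(f"{key:14} {val}")
```

Because the record already carries both the property states and the fired-rule list, a summary like this answers the question raised later in the thread (which rule allowed or blocked a site) without knowing which cluster node served the request.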
Thanks for this, I'm going to give it a shot! The more we can self-diagnose and troubleshoot, the less we have to call support.
Thanks again for the McAfee employee input as well, it is appreciated that you guys are so active on this forum!
I know this is an old thread, but I just wanted to say thanks for sharing this policy of yours. It's really helpful for determining which rule is allowing or blocking a certain site.
Also, if there's a way that you can determine the rule sets that were processed, that would be helpful as well.
Have you checked out rule tracing central in 7.3.2? This allows you to run rule tracing and visually see what happened.
Web Gateway 18.104.22.168 build 15306 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24492
Current release: Web Gateway 22.214.171.124 build 15726 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24654
Or are you looking at a post mortem analysis, rather than active debugging?
Is there a plan to expand Rule Tracing Central over a whole MWG cluster?
At the moment we are implementing a POC with MWG where 30 virtual appliances will be in a HA cluster. This makes it not really easy doing some investigation with Rule Tracing Central. :-)
Btw, the benefit of the Debug.log is that you don't have to take care which proxy is assigned to the user by the HA cluster. Also you know which property is in which state. This makes it also easier to implement a necessary exclusion ruleset.
Maybe eventually it will be done over the whole cluster.
At first it was estimated that it would be too complex (over the cluster), and there would be a large delay. Usually people want to see things in real-ish-time (otherwise they think something is wrong).
You can still use the old way of rule tracing which will allow you to trace over all nodes.
You can then go to the node where you see the traces, and select all of them, then click the "Analyze" button.