That would be extremely helpful to say the least!
1 of 1 people found this helpful
Rule tracing is a pain to wade through. What I like to do instead is use a troubleshooting log that lists all the rules that have fired for a request.
If you create a troubleshooting log that uses the propertyList.OfString.ToString (Rules.FiredRules.Names)
By doing this, you get a log in which you can see just the rule names it walked through, and at least see the path it took through the rules. I would do this before I had to resort to a full rule trace that shows all the details of each condition. It can at least narrow it down to which rules you have to look at more closely.
Keep in mind that this joins the request cycle, response cycle and logging cycle, so you'll usually see it go through the list twice. So in this example, the first rule set is Housekeeping Rules, and it goes through my rules sequentially, once for the request and once for the response.
[08/Feb/2012:00:09:48 -0500] Logging 192.168.2.2 "eelsasser" "" "http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif" Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, Geolocation Rules, Lookup Geolocation, Force old-style thumbnail searches in google, SSL Scanner, Global Whitelist, Global Block, Authentication Rules, Direct Proxy Authentication, Application Control, Category Content Filter, Enable SafeSearchEnforcer, Common Rules, Web Cache, Read From Cache, Enable Web Cache, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Upload Media Types, Gateway Anti-Malware, Remove Partial Content for HTTP(s) Requests, Antimalware.Scanned, Housekeeping Rules, Content-Type, Experimental Rules, Global Whitelist, Common Rules, Handle Special Sites, Web Cache, Write to Cache, Enable Web Cache, Progress Indication, Enable Data Trickling, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Download Media Types, Gateway Anti-Malware, Antimalware.Scanned, Default
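To make the fired-rule list above easier to read than one long comma-separated line, here is an added example (not part of the original post and not MWG code) that parses such a log line and splits the rule names into the cycles the engine walked. It assumes the format of the quoted line: bracketed timestamp, a stage word, client IP, three quoted fields (user, an unused field, URL), then the rule names separated by commas; it also assumes rule names contain no commas and that a new cycle begins whenever the first-fired top-level rule set (here "Housekeeping Rules") appears again. The sample input is the line quoted above.

```python
"""Split an MWG access-log line carrying
propertyList.OfString.ToString(Rules.FiredRules.Names) into rule cycles.

Added example, not original post content. Assumptions: the field layout
of the quoted log line, rule names without commas, and that the first
top-level rule set reappearing marks the start of the next cycle.
"""
import re

# Sample input: the log line quoted in the post above.
LOG_LINE = (
    '[08/Feb/2012:00:09:48 -0500] Logging 192.168.2.2 "eelsasser" "" '
    '"http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif" '
    "Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, "
    "Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, "
    "Geolocation Rules, Lookup Geolocation, Force old-style thumbnail searches in google, "
    "SSL Scanner, Global Whitelist, Global Block, Authentication Rules, "
    "Direct Proxy Authentication, Application Control, Category Content Filter, "
    "Enable SafeSearchEnforcer, Common Rules, Web Cache, Read From Cache, "
    "Enable Web Cache, Enable Opener, Enable Composite Opener, "
    "Global Media Type Filtering, Upload Media Types, Gateway Anti-Malware, "
    "Remove Partial Content for HTTP(s) Requests, Antimalware.Scanned, "
    "Housekeeping Rules, Content-Type, Experimental Rules, Global Whitelist, "
    "Common Rules, Handle Special Sites, Web Cache, Write to Cache, Enable Web Cache, "
    "Progress Indication, Enable Data Trickling, Enable Opener, Enable Composite Opener, "
    "Global Media Type Filtering, Download Media Types, Gateway Anti-Malware, "
    "Antimalware.Scanned, Default"
)

# Assumed layout: [timestamp] stage client_ip "user" "unused" "url" rule, rule, ...
_LINE_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\]\s+'
    r'(?P<stage>\S+)\s+'
    r'(?P<client_ip>\S+)\s+'
    r'"(?P<user>[^"]*)"\s+"(?P<unused>[^"]*)"\s+"(?P<url>[^"]*)"\s+'
    r'(?P<rules>.+)$'
)


def parse_line(line):
    """Return a dict of the fixed fields plus the fired-rule names as a list."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("log line does not match the expected layout")
    rec = m.groupdict()
    rec["rules"] = [r.strip() for r in rec["rules"].split(",") if r.strip()]
    return rec


def split_cycles(rules):
    """Cut the flat list into cycles: a new cycle starts each time the
    first-fired top-level rule set name shows up again."""
    if not rules:
        return []
    cycles, current = [], []
    for name in rules:
        if name == rules[0] and current:
            cycles.append(current)
            current = []
        current.append(name)
    cycles.append(current)
    return cycles


def cycles_firing(cycles, rule_name):
    """1-based numbers of the cycles in which rule_name fired."""
    return [i for i, c in enumerate(cycles, 1) if rule_name in c]


def path_to(cycle, rule_name):
    """Rules that fired before rule_name within one cycle, or None if absent."""
    if rule_name not in cycle:
        return None
    return cycle[:cycle.index(rule_name)]


if __name__ == "__main__":
    rec = parse_line(LOG_LINE)
    cycles = split_cycles(rec["rules"])
    print(rec["user"], rec["client_ip"], rec["url"])
    for i, c in enumerate(cycles, 1):
        print(f"cycle {i}: {len(c)} rules, {c[0]} ... {c[-1]}")
    print("Global Block fired in cycle(s):", cycles_firing(cycles, "Global Block"))
    print("path to Write to Cache:", path_to(cycles[-1], "Write to Cache"))
```

Per the post, the first cycle is the request and the second the response; the script only numbers them, since a line from a configuration whose logging cycle also runs rules would show a third. A rule that appears in both cycles (such as "Web Cache") is reported with both numbers, which is usually the first thing to check when a block happens on the response side.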
We have heard that request several times. Unfortunately the first steps we made in that direction were dropped, but as far as I know we still want to build something. At the moment we do not have a way to visualize the rule traces, so basically they are most helpful for support or engineering, but hard to read for customers.
I hope we can provide something in the near future.
1 of 1 people found this helpful
I always use this debug logging. It is easier to read. We have fixed most problems at customers with it.
The Output looks like this:
Date: [08/Feb/2012:09:19:32 +0100]
Authenticated User: MYDOMAIN\username
Client IP: 10.x.x.x
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Firefox/9.0.1
URL Request Header first line: GET http://video.skoda.at/flash/banner/twenty_sitebar_2012/animation.swf HTTP/1.1
URL HOST: video.skoda.at
URL Categories: Motor Vehicles
URL Reputation: Minimal Risk
MediaType from HTTP Header: application/x-shockwave-flash
Other Media Type Information: <Ensured Media Type: application/x-shockwave-flash> <From File Extension:> <Not Ensured Media Type: >
Body Filename: animation.swf
Content/Archive Information: <Supported by Opener: false> <Encrypted: false> <Multipart: false> <Corrupted: false>
HTTP Status Code: 200
Security Engine Information:
Stream Detector: Flash-based videos
Body changed by any engine: false
Current/Last Rule: Policy Rules Finished
Fired Rules: Shows all the fired rules from the rule set
Rule Set Processing Time: 53 ms / 53163 microseconds
Message edited by Troja on 08.02.12 09:19:03 CET
Thanks for this, I'm going to give it a shot! The more we can self diagnose and troubleshoot the less we have to call support
Thanks again for the McAfee employee input as well, it is appreciated that you guys are so active on this forum!
I know this is an old thread, but I just wanted to say thanks for sharing this policy of yours. It's really helpful for determining which rule is allowing or blocking a certain site.
Also, if there's a way that you can determine the rule sets that were processed, that would be helpful as well.
Have you checked out Rule Tracing Central in 7.3.2? It lets you run rule tracing and visually see what happened.
Web Gateway 188.8.131.52 build 15306 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24492
Current release: Web Gateway 184.108.40.206 build 15726 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24654
Or are you looking at a post mortem analysis, rather than active debugging?
Is there a plan to expand Rule Tracing Central over a whole MWG cluster?
At the moment we are implementing a POC with MWG where 30 virtual appliances will be in an HA cluster. This makes it not really easy to do any investigation with Rule Tracing Central. :-)
By the way, the benefit of the debug log is that you don't have to keep track of which proxy the HA cluster assigned to the user. You also know which property is in which state. This also makes it easier to implement a necessary exclusion rule set.
Thanks for the tip! I loaded it on our test machine and it looks good. It makes troubleshooting a lot easier.