1 2 Previous Next 10 Replies Latest reply on Aug 22, 2013 6:22 PM by Jon Scholten

    rule tracing translation tool

      Is anyone aware of any tools that would help with making the output from rule tracing a bit more easy to understand ?



        • 1. Re: rule tracing translation tool

          That would be extremely helpful to say the least!

          • 2. Re: rule tracing translation tool

            Rule tracing is a pain to wade through. What I like to do instead is use a troubleshooting log that lists all the rules that have fired for a request.


            If you create a troubleshooting log that uses the property

            List.OfString.ToString (Rules.FiredRules.Names)


            By doing this, you can get a log that you can see just the rule names that it walked through and at least see the path it took through the rules. I would do this before i had to resort to doing a full rule trace that shows the all the details of each condition. It can at least zero it down to which rules you have to look closer at.


            Keep in mind that this joins the Request cycle, response cycle and logging cycle, so you'll usually see it go through the list twice. So in this example, the first rule set is Housekeeping rules and it goes through my rules sequentially, once for request and once for response.



            [08/Feb/2012:00:09:48 -0500] Logging "eelsasser" "" "http://www.google.com/images/modules/buttons/g-button-chocobo-basic-2.gif"  Housekeeping Rules, Content-Type, Remove Via and X-Forwarded-For Header, Remove Via: Header, Remove X-Forwarded-For: Header, Experimental Rules, Geolocation Rules, Lookup Geolocation, Force old-style thumbnail searches in google, SSL Scanner, Global Whitelist, Global Block, Authentication Rules, Direct Proxy Authentication, Application Control, Category Content Filter, Enable SafeSearchEnforcer, Common Rules, Web Cache, Read From Cache, Enable Web Cache, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Upload Media Types, Gateway Anti-Malware, Remove Partial Content for HTTP(s) Requests, Antimalware.Scanned, Housekeeping Rules, Content-Type, Experimental Rules, Global Whitelist, Common Rules, Handle Special Sites, Web Cache, Write to Cache, Enable Web Cache, Progress Indication, Enable Data Trickling, Enable Opener, Enable Composite Opener, Global Media Type Filtering, Download Media Types, Gateway Anti-Malware, Antimalware.Scanned, Default

            1 of 1 people found this helpful
            • 3. Re: rule tracing translation tool

              Hi Mike,


              we have heard that request several times. Unfortunately the first steps we made into the direction were dumped but as far as I know we still want to build something. But at the moment we do not have a way to visualize the rule traces, so basically they are most helpful for support or engineering, but hard to read for customers.


              I hope we can provide something in the near future.




              • 4. Re: rule tracing translation tool


                i always use this debug logging. It is easier to read. We just fixed the most problems at customer with it.


                The Output looks like this:


                Client Information:

                  Date: [08/Feb/2012:09:19:32 +0100]

                  Authenticated User: MYDOMAIN\username

                  Client IP: 10.x.x.x

                  User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Firefox/9.0.1

                URL Information:

                  URL Request Header first line: GET http://video.skoda.at/flash/banner/twenty_sitebar_2012/animation.swf HTTP/1.1

                  URL HOST: video.skoda.at

                  URL Categories: Motor Vehicles

                  URL Reputation: Minimal Risk

                Content Information:

                  MediaType from HTTP Header: application/x-shockwave-flash

                  Other Media Type Information: <Enshured Media Type: application/x-shockwave-flash> <From File Extension:> <Not Enshured Media Type: >

                  Body Filename: animation.swf

                  Content/Archive Information: <Supported by Opener: false> <Encrypted: false> <Multipart: false> <Corrupted: false>

                  HTTP Status Code: 200

                  CacheStatus: TCP_HIT

                Application Information:

                  Application Name:

                  Application Reputation:

                Security Engine Information:

                  Antimalware Result:

                  BlockID: 0

                  Stream Detector: Flash-based videos

                  Body changed by any engine: false

                Debug Information:

                  Current/Last Rule: Policy Rules Finished

                  Fired Rules: Show als the fired rules from the Ruleset

                  Rule Set Processing Time: 53ms / 53163micro sec.

                -------------------------------------------------------------------------------- ---------------------






                Nachricht geändert durch Troja on 08.02.12 09:19:03 MEZ


                Nachricht geändert durch Troja on 08.02.12 09:22:48 MEZ
                1 of 1 people found this helpful
                • 5. Re: rule tracing translation tool



                  Thanks for this, I'm going to give it a shot!  The more we can self diagnose and troubleshoot the less we have to call support  


                  Thanks again for the McAfee employee input as well, it is appreciated that you guys are so active on this forum!

                  • 6. Re: rule tracing translation tool

                    I know this is an old thread, but I just wanted to say thanks for sharing this policy of yours.  It's really helpful for determining which rule is allowing or blocking a certain site.


                    Also, if there's a way that  you can determine the rule sets that were processed, that would be helpful as well.

                    • 7. Re: rule tracing translation tool
                      Jon Scholten

                      Hi Bragot!


                      Have you checked out rule tracing central in 7.3.2? This allows you to run rule tracing and visually see what happened.


                      Web Gateway build 15306 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24492

                      Current release: Web Gateway build 15726 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD24654


                      Or are you looking at a post mortem analysis, rather than active debugging?




                      • 8. Re: rule tracing translation tool

                        Hi Jon,

                        is there a plan expanding Rule tracing central over a whole MWG cluster?


                        At the moment we are implementing a POC with MWG where 30 virtual appliances will be in a HA cluster. This makes it not really easy doing some investigation with Rule Tracing Central. :-)


                        Btw, the benefit of the Debug.log is, you don´t have to take care which proxy is assigned to the user by HA cluster. Also you know which property is in which state. This makes it also easier to implement a neccessary exclusion ruleset.




                        • 9. Re: rule tracing translation tool

                          Thanks for the tip!  I loaded it on our test machine it looks good.  Makes troubleshooting a lot easier.

                          1 2 Previous Next