7 Replies Latest reply on Sep 24, 2012 6:46 AM by fschulte

    MWG7 - Flash Site not displaying properly

    jspanitz

      We are trying to access a site which uses a lot of flash.  The site gets blocked and the only way we have found to let it through is to whitelist it, which is not what we want.  In MWG6 we could create a whitelist entry and exempt the URL from certain MWG features.  Hopefully someone can point out to us how to do that in MWG7.

      SIte: http://virtualoffice.8x8.com/uc/

       

      Side note: Thinking out load - It's to bad there isn't a ruleset debugger that you could run a URL through and it would display which rules a site hits.

       

      BTW - this is MWG 7.2.0.2 b13603

       

      Message was edited by: jspanitz on 9/14/12 11:04:10 AM CDT
        • 1. Re: MWG7 - Flash Site not displaying properly
          btlyric

          Here are two options for the side note:

           

          1) Create a rule set up at the top of the rules with an action of Continue that has the event Enable RuleEngine Tracing. Make sure that you set specific criteria in the rule criteria so that it doesn't fire on all connections.

           

          This will give you all the gory details.

           

          2) Create a debug log that is activated when specific criteria are matched and have the log write out the property List.OfString.ToString(Rules.FiredRules.Names)

           

          This will give you the names of every rule that fired.

          1 of 1 people found this helpful
          • 2. Re: MWG7 - Flash Site not displaying properly
            fschulte

            To implement a whitelist, use the first rule "Allow URLs That Match in URL WhiteList" in rule set "URL Filtering" as an example.

            If you are not already using this rule set, you can import it from the rule set library. (<right click in rule tree view> --> "Add..." --> "Rule Set from Library")

            • 3. Re: MWG7 - Flash Site not displaying properly
              jspanitz

              btlyric - thanks, that should help.

               

              fschulte - as stated, we already can whitelist.  But it whitelists everything.  MWG6 had what appears to be much more granular whitelisting.  I'm probably wrong on that, but it was much more obvious in MWG6 and since no one has responded otherwise, I'm not sure where it may live in MWG7.

              • 4. Re: MWG7 - Flash Site not displaying properly
                Regis

                With support's help, I created a separate entry in ruleset>log handler      that writes out log entries when Response.StatusCode equals 403 OR block.ID does not equal 0 with an action of continue and an event of setting User-Define.logLine  to  

                DateTime.ToWebReporterString
                " ""
                String.ReplaceIfEquals (System.HostName, "", "-")
                "" ""
                String.ReplaceIfEquals (Authentication.UserName, "", "-")
                "" "
                String.ReplaceIfEquals (IP.ToString (Client.IP), "", "-")
                " "
                String.ReplaceIfEquals (IP.ToString (URL.Destination.IP), "", "-")
                " ""
                String.ReplaceIfEquals (URL.Host, "", "-")
                "" "
                String.ReplaceIfEquals (Number.ToString (Response.StatusCode), "", "-")
                " ""
                String.ReplaceIfEquals (MediaType.ToString (MediaType.FromHeader), "", "-")
                "" "
                String.ReplaceIfEquals (Number.ToString (BytesFromClient), "", "-")
                " "
                String.ReplaceIfEquals (Number.ToString (BytesFromServer), "", "-")
                " ""
                String.ReplaceIfEquals (Request.Header.FirstLine, "", "-")
                "" ""
                String.ReplaceIfEquals (List.OfCategory.ToString (URL.Categories), "", "-")
                "" ""
                String.ReplaceIfEquals (URL.ReputationString, "", "-")
                "" "
                String.ReplaceIfEquals (Number.ToString (URL.Reputation), "", "-")
                " ""
                String.ReplaceIfEquals (Rules.CurrentRuleSet.Name, "", "-")
                "/"
                String.ReplaceIfEquals (Rules.CurrentRule.Name, "", "-")
                "" "
                String.ReplaceIfEquals (Number.ToString (Block.ID), "", "-")
                " ""
                String.ReplaceIfEquals (Block.Reason, "", "-")
                "" "
                String.ReplaceIfEquals (Boolean.ToString (Antimalware.Infected), "", "-")
                " ""
                String.ReplaceIfEquals (List.OfString.ToString (Antimalware.VirusNames), "", "-")
                "" "
                String.ReplaceIfEquals (Boolean.ToString (Body.Modified), "", "-")
                " ""
                String.ReplaceIfEquals (Application.Reputation, "", "-")
                "" ""
                String.ReplaceIfEquals (Application.ToString (Application.Name), "", "-")
                "" ""
                String.ReplaceIfEquals (Header.Request.Get ("Referer"), "", "-")
                "" ""
                String.ReplaceIfEquals (Header.Request.Get ("User-Agent"), "", "-")
                """
                

                 

                 

                And then something setting FileSystemLogging.WriteLogEntry ...  to such and such...

                 

                 

                 

                I kind like the way Bluecoat does this better--where every request goes in the log by default, including denials.

                • 5. Re: MWG7 - Flash Site not displaying properly
                  jspanitz

                  Isn't "ruleset>log handler that writes out log entries when Response.StatusCode equals 403 OR block.ID does not equal 0 with an action of continue and an event of setting User-Define.logLine" logging access denied entries?  What does "block.ID does not equal 0" do?

                   

                  I'm not sure how this helps troubleshoot a flash issue.  Again, it would be REALLY nice if we could just feed a URL into the stream detector and anti malware engine via a debugging interface and have it create a debug log which we could then submit to support if the URL doesn't display properly.

                   

                  Another side note - I find what one has to go through to create a log pretty tedious, borderline ridiculous.  Shouldn't all the fields be presented and we would just select them and reorder them as needed?  The fact that you have to create the entries in two different places in some cases is nuts.

                  • 6. Re: MWG7 - Flash Site not displaying properly
                    fschulte
                    fschulte - as stated, we already can whitelist.  But it whitelists everything.  MWG6 had what appears to be much more granular whitelisting.  I'm probably wrong on that, but it was much more obvious in MWG6 and since no one has responded otherwise, I'm not sure where it may live in MWG7.

                    There was a misunderstanding: I did not mean that you should put the URL into the global white list. I meant: Take the white list rule as an example and put a similar rule directly in front of the rule that breaks something. You can e.g. copy paste the white list rule but use a new list which contains only those URLs that need to be white-listed for the feature.

                     

                    I'm not sure how this helps troubleshoot a flash issue.  Again, it would be REALLY nice if we could just feed a URL into the stream detector and anti malware engine via a debugging interface and have it create a debug log which we could then submit to support if the URL doesn't display properly.

                     

                    How to trouble shoot rules: Use the "Enable Rule Tracing" event. Here you can learn how to use it: https://kb.mcafee.com/corporate/index?page=content&id=KB75532&actp=search&viewlo cale=en_US&searchid=1348486101184

                    The output will be trace files. Access them e.g. via the GUI under "Troubleshooting" --> "Rule tracing". You can give them to support and they can tell you then what is going wrong.

                     

                    Edit:

                    Another side note - I find what one has to go through to create a log pretty tedious, borderline ridiculous.  Shouldn't all the fields be presented and we would just select them and reorder them as needed?  The fact that you have to create the entries in two different places in some cases is nuts.

                    I agree, creating log rules is a bit tedious. But you can copy/paste rules; so you can copy/paste the "Write access.log" rule and then just reorder, add, or delete the properties you (do not) need. That should make things much easier.

                     

                    Ciao

                    Felix

                     

                    Message was edited by: fschulte on 9/24/12 6:53:45 AM CDT
                    • 7. Re: MWG7 - Flash Site not displaying properly
                      fschulte
                      I kind like the way Bluecoat does this better--where every request goes in the log by default, including denials.

                      By default, MWG logs every request. No matter if allow, block, connection error, HTTPS connect, etc. It is done by default by the rule "Write access.log". One way to access these files is to use the GUI. Go to "Troubleshooting" --> "Log files" --> "user-defined-logs" --> "access.log".

                      The format is compatible to what McAfee Web Reporter expects.

                      If you need so many details as you listed in your post, you will need to create you own logging rule (as you already did).

                       

                      Ciao

                      Felix