6 Replies Latest reply: Jan 15, 2013 4:51 AM by itsec

    Explanation of Default policy in Webgateway 6.x.x

    itsec

      Hi,

      This sounds like a daft question but can someone provide an explanation as to what the Default policy is used for (in the scenario below)?

      The reason I ask is that there are 6 policies configured on the webgateway (6.9.x) which use webmapping rules.  The webmapping rules use Active Directory groups to map to one of the 6 policies.

      (The parameter "group name" extracted from standard (ICAP) header (X-Authenticated-Groups))

       

      There are 5 specific policies that map to 5 specific AD groups (e.g. "unrestricted" policy mapped to AD group "unrestricted internet access")

      Should a user not be a member of any of the 5 specific groups, then they are mapped to the "standard" policy.  The rule entry maps policy "Standard" to *.

       

      My understanding is that any user accesses will be logged under one of the 6 policies and this seems to be supported by analysis of the raw log files.

       

      My query is that under Home tab > Traffic Volume, there is traffic for the default policy, so where is this coming from?

       

      To see why the traffic is not using one of the 6 policies, I have created reports (destinations/source IP & users) under Reporting > Live Reporting > default policy.

       

      The users report shows only user-agent strings.

      The destinations are valid as are the source IPs but if I examine the log files, then the source IPs are using one of the 6 policies...

       

      Can someone explain what I'm missing?

      thanks

        • 1. Re: Explanation of Default policy in Webgateway 6.x.x
          eelsasser

          It's hard to visualize exactly what you are describing. With policy mapping it has always been challenging to determine the sequence.

           

          One thing that helps me visualize the order of events is built into the list converter tool:

          https://community.mcafee.com/docs/DOC-1621

           

          Make a backup of the configuration and see if you can load it into the tool. Once it's loaded, there is a policy report icon you can click:


           

          And it will display a sequenced list of policies:

          Mapping Method / Mapping Options / Policy / Source

          IP map directly (IP-Direct-1), REQMOD/RESPMOD
          Location: X-Client-IP
              policy1     192.168.110.150
              policy2     192.168.110.192
              policy2     192.168.110.24-192.168.110.26
              policy2     192.168.68.1-192.168.68.254
              policy3     192.168.67.1-192.168.67.254
              policy3     192.168.66.1-192.168.66.254
              policy3     192.168.69.1-192.168.69.254

          Group Name map directly (Group-Direct-1), REQMOD/RESPMOD
          Location: Transparent Authentication (Group)
          AcceptedAuthenticationMethod: Any
          Input Value Must Exist
          Add domain name to username
              Policy4     DOMAIN\wg-group1
              Policy5     DOMAIN\wg-group2
              policy1     DOMAIN\wg-group3
              Policy7     DOMAIN\wg-group4
              policy6     DOMAIN\wg-group5
              Policy9     DOMAIN\wg-group6
              Policy8     DOMAIN\wg-group7

          User Name map directly (User-Direct-1), REQMOD/RESPMOD
          Location: Transparent Authentication (User)
          AcceptedAuthenticationMethod: Any
          Input Value Must Exist
          Add domain name to username
              policy2     DOMAIN\user1
              policy1     DOMAIN\user2
              Policy10    DOMAIN\user3
              policy2     DOMAIN\user4
              policy1     DOMAIN\user5
              policy2     DOMAIN\user6
              policy1     DOMAIN\user7
              policy1     DOMAIN\user8
              policy1     DOMAIN\user9
              policy1     DOMAIN\user10
              policy1     DOMAIN\user11
              policy1     DOMAIN\user12
              policy1     DOMAIN\user13
              policy1     DOMAIN\user14
              policy1     DOMAIN\user15
              Facebook    DOMAIN\user16
              Facebook    DOMAIN\user17
              Facebook    DOMAIN\user18
              Facebook    DOMAIN\user19
              Facebook    DOMAIN\user20
              Facebook    DOMAIN\user21
              default     *

          MappingOptions, REQMOD/RESPMOD
              Block request     *Block*     Always

           

           

          See if this gives you any insight into the mapping.

          • 2. Re: Explanation of Default policy in Webgateway 6.x.x
            itsec

            Thanks, I've used that a few times but am none the wiser - the default policy is not listed under any of the webmapping rules.  I would post an image but it would contain sensitive information - although I can erase the source fields and keep the policy field...

            • 3. Re: Explanation of Default policy in Webgateway 6.x.x
              Jon Scholten

              What about under your proxy options? Do you have a policy defined on the proxy port?

               

              Best,

              Jon

              • 4. Re: Explanation of Default policy in Webgateway 6.x.x
                itsec

                Hi Jon,

                 

                Thank you for your reply.  There is no policy defined under the proxy port so according to the help "the policy that was configured for the ICAP server will be used".

                 

                When I check the ICAP server settings, I cannot see anywhere that defines a policy. 

                 

                Don't worry too much about this as I am migrating to V7 anyway.  I was just curious as to why there was traffic showing on the policy.

                Thanks

                • 5. Re: Explanation of Default policy in Webgateway 6.x.x
                  Jon Scholten

                  It could just be the authentication requests perhaps. They would not have group information or user information to match on the above rules.

                   

                  Unless the default dominates your traffic graphs, that theory wouldn't be correct.

                   

                  Best,

                  Jon
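The sequencing eelsasser's policy report shows (reply 1) and the fall-through Jon suggests (reply 5) can be made concrete with a small evaluator. This is an added example, not McAfee Web Gateway code and not from any poster. Apart from the X-Authenticated-Groups header named in the question and the X-Client-IP location shown in the report, everything in it is a constructed assumption: the X-Authenticated-User header name, the comma separator for multiple groups, the "kiosk" IP range, the "restricted internet access" group, and the four sample requests. Rules are tried in order and the first hit wins; a request that carries no group header skips every group rule, including the "*" catch-all, because "Input Value Must Exist", and so lands on the default policy:

```python
"""Sequenced web-mapping evaluator.

Added example, not McAfee Web Gateway code. Rule and header semantics are
assumptions modelled on the policy report in this thread: rules are tried in
order, the first hit wins, and a rule whose input header is absent is skipped
("Input Value Must Exist"), even when its pattern is '*'.
"""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Header each mapping method reads its input from. X-Authenticated-Groups is
# named in the question and X-Client-IP appears in the report; the user header
# name and the comma separator for multiple groups are assumptions.
INPUT_HEADER = {
    "ip": "X-Client-IP",
    "group": "X-Authenticated-Groups",
    "user": "X-Authenticated-User",
}


@dataclass(frozen=True)
class Rule:
    method: str    # "ip", "group" or "user"
    pattern: str   # single IP, "start-end" range, exact name or glob ("*")
    policy: str


def ip_matches(pattern: str, value: str) -> bool:
    """Match a single address or a dotted 'start-end' range, as in the report."""
    addr = ip_address(value)
    if "-" in pattern:
        lo, hi = (ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo <= addr <= hi
    return addr == ip_address(pattern)


def name_matches(pattern: str, value: str) -> bool:
    """Case-insensitive glob on a DOMAIN\\name value (AD names are not case-sensitive)."""
    return fnmatchcase(value.lower(), pattern.lower())


def map_policy(headers: dict, rules: list, default: str = "default") -> str:
    """Return the policy for one request: first matching rule, else the default."""
    for rule in rules:
        raw = headers.get(INPUT_HEADER[rule.method], "").strip()
        if not raw:
            continue  # Input Value Must Exist: no header, no match, keep going
        values = [v.strip() for v in raw.split(",")] if rule.method == "group" else [raw]
        for value in values:
            if rule.method == "ip":
                if ip_matches(rule.pattern, value):
                    return rule.policy
            elif name_matches(rule.pattern, value):
                return rule.policy
    return default


def policy_counts(requests: list, rules: list) -> Counter:
    """Tally which policy a batch of requests lands on (what Traffic Volume charts)."""
    return Counter(map_policy(h, rules) for h in requests)


# Constructed rule set in the shape the question describes: an IP rule first,
# then AD-group rules for specific policies, then '*' -> "standard".
# Only "unrestricted internet access" / "unrestricted" comes from the question;
# the kiosk range and the "restricted" group are hypothetical.
RULES = [
    Rule("ip", "10.1.9.1-10.1.9.254", "kiosk"),
    Rule("group", r"DOMAIN\unrestricted internet access", "unrestricted"),
    Rule("group", r"DOMAIN\restricted internet access", "restricted"),
    Rule("group", "*", "standard"),
]

# Constructed ICAP header sets for four requests.
SAMPLE_REQUESTS = [
    {"X-Client-IP": "10.1.1.5", "X-Authenticated-User": r"DOMAIN\alice",
     "X-Authenticated-Groups": r"DOMAIN\Domain Users, DOMAIN\Unrestricted Internet Access"},
    {"X-Client-IP": "10.1.1.6", "X-Authenticated-User": r"DOMAIN\bob",
     "X-Authenticated-Groups": r"DOMAIN\Domain Users"},
    {"X-Client-IP": "10.1.9.10", "X-Authenticated-User": r"DOMAIN\carol",
     "X-Authenticated-Groups": r"DOMAIN\Domain Users"},
    # First leg of an authentication handshake: the client is not yet identified,
    # so there are no user or group headers at all. Every name-based rule is
    # skipped and the request lands on the default policy (Jon's theory above).
    {"X-Client-IP": "10.1.1.6"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        who = req.get("X-Authenticated-User", "<unauthenticated>")
        print(who, "->", map_policy(req, RULES))
    print(dict(policy_counts(SAMPLE_REQUESTS, RULES)))
```

The third request shows why sequence matters: carol is only in Domain Users, which the "*" rule would send to "standard", but the IP rule is evaluated first and wins. The fourth shows the same mechanism Jon describes: with no X-Authenticated-Groups header present, not even the "*" rule fires, and the request is counted under default rather than under any of the six mapped policies.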

                  • 6. Re: Explanation of Default policy in Webgateway 6.x.x
                    itsec

                    Hi Jon,

                     

                    Thanks for your answer although I'm not entirely clear as to whether you mean that high default traffic means that they could be auth requests or not?

                    I've done some very basic/rough calculations and the default traffic is generally about 2-3% of the 'standard' policy traffic, so it's very minimal.

                    thanks