988 Views 6 Replies Latest reply: Jan 15, 2013 4:51 AM by itsec
itsec Apprentice 65 posts since
Oct 24, 2012

Jan 9, 2013 8:33 AM

Explanation of Default policy in Webgateway 6.x.x

Hi,

This sounds like a daft question but can someone provide an explanation as to what the Default policy is used for (in the scenario below)?

The reason I ask is that there are 6 policies configured on the webgateway (6.9.x) which use webmapping rules.  The webmapping rules use Active Directory groups to map to one of the 6 policies.

(The parameter "group name" extracted from standard (ICAP) header (X-Authenticated-Groups))

There are 5 specific policies that map to 5 specific AD groups (e.g. "unrestricted" policy mapped to AD group "unrestricted internet access")

Should a user not be a member of any of the 5 specific groups, then they are mapped to the "standard" policy.  The rule entry maps policy "Standard" to *.

My understanding is that any user accesses will be logged under one of the 6 policies and this seems to be supported by analysis of the raw log files.

My query is that under Home tab > Traffic Volume, there is traffic for that policy so where is this coming from?

To see why the traffic is not using one of the 6 policies, I have created reports (destinations/ source IP & users) under Reporting > Live Reporting > default policy.

The users report shows only user-agent strings

The destinations are valid as are the source IPs but if I examine the log files, then the source IPs are using one of the 6 policies...

Can someone explain what I'm missing?

thanks

  • eelsasser McAfee SME 843 posts since
    Mar 24, 2010
    1. Jan 9, 2013 10:06 AM (in response to itsec)
    Re: Explanation of Default policy in Webgateway 6.x.x

    It's hard to visualize what exactly you are describing. The policy mapping has always been challenging to determine the sequence.

    One thing that helps me visualize the order of events is built into the list converter tool:

    https://community.mcafee.com/docs/DOC-1621

    Make a backup of the configuration and see if you can load it into the tool. Once it's loaded, there is a policy report icon you can click:

    [screenshot: Capture.png]

    And it will display a sequenced list of policies;

    Mapping Method: IP map directly (IP-Direct-1), REQMOD/RESPMOD
    Mapping Options: Location: X-Client-IP

        Policy      Source
        policy1     192.168.110.150
        policy2     192.168.110.192
        policy2     192.168.110.24-192.168.110.26
        policy2     192.168.68.1-192.168.68.254
        policy3     192.168.67.1-192.168.67.254
        policy3     192.168.66.1-192.168.66.254
        policy3     192.168.69.1-192.168.69.254

    Mapping Method: Group Name map directly (Group-Direct-1), REQMOD/RESPMOD
    Mapping Options: Location: Transparent Authentication (Group);
        AcceptedAuthenticationMethod: Any; Input Value Must Exist; Add domain name to username

        Policy      Source
        Policy4     DOMAIN\wg-group1
        Policy5     DOMAIN\wg-group2
        policy1     DOMAIN\wg-group3
        Policy7     DOMAIN\wg-group4
        policy6     DOMAIN\wg-group5
        Policy9     DOMAIN\wg-group6
        Policy8     DOMAIN\wg-group7

    Mapping Method: User Name map directly (User-Direct-1), REQMOD/RESPMOD
    Mapping Options: Location: Transparent Authentication (User);
        AcceptedAuthenticationMethod: Any; Input Value Must Exist; Add domain name to username

        Policy      Source
        policy2     DOMAIN\user1
        policy1     DOMAIN\user2
        Policy10    DOMAIN\user3
        policy2     DOMAIN\user4
        policy1     DOMAIN\user5
        policy2     DOMAIN\user6
        policy1     DOMAIN\user7
        policy1     DOMAIN\user8
        policy1     DOMAIN\user9
        policy1     DOMAIN\user10
        policy1     DOMAIN\user11
        policy1     DOMAIN\user12
        policy1     DOMAIN\user13
        policy1     DOMAIN\user14
        policy1     DOMAIN\user15
        Facebook    DOMAIN\user16
        Facebook    DOMAIN\user17
        Facebook    DOMAIN\user18
        Facebook    DOMAIN\user19
        Facebook    DOMAIN\user20
        Facebook    DOMAIN\user21
        default     *

    Mapping Method: MappingOptions, REQMOD/RESPMOD
    Mapping Options: Block request

        Policy      Source
        *Block*     Always

    See if this gives you any insight into the mapping.

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    3. Jan 10, 2013 4:47 PM (in response to itsec)
    Re: Explanation of Default policy in Webgateway 6.x.x

    What about under your proxy options? Do you have a policy defined on the proxy port?

    Best,

    Jon

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    5. Jan 11, 2013 4:12 PM (in response to itsec)
    Re: Explanation of Default policy in Webgateway 6.x.x

    It could just be the authentication requests perhaps. They would not have group information or user information to match on the above rules.

    Unless the default dominates your traffic graphs, that theory wouldn't be correct.

    Best,

    Jon
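
Editor's note: the following Python model is an added example, not code from this thread, from McAfee, or from the list converter tool. It models the ordered, first-match evaluation that eelsasser's sequenced policy list illustrates and the X-Authenticated-Groups mapping with a "*" catch-all that itsec described, and it carries the case Jon raises (a request that arrives with no group or user information) through to the gateway-wide default policy. The evaluation rules it encodes are assumptions made for illustration rather than a statement of Web Gateway 6.x internals: methods are tried in list order, a method whose input header is absent ("Input Value Must Exist") is skipped entirely including its "*" rule, and a request that no method maps lands on "default". The header names X-Client-IP and X-Authenticated-Groups come from the thread; the group names, addresses, policy names and sample requests are constructed.

```python
# Added example (not from the thread or from McAfee): first-match policy mapper
# modelling the sequenced mapping list and the ICAP-header group mapping
# discussed above. Evaluation semantics are an ASSUMPTION for illustration:
#   - mapping methods are tried in list order, rules top to bottom;
#   - a method whose input header is missing ("Input Value Must Exist")
#     is skipped entirely, so its "*" rule never fires either;
#   - if no method yields a policy, the gateway-wide default policy applies.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: str  # "*", a single IP, a range "a.b.c.d-e.f.g.h", or DOMAIN\name
    policy: str


@dataclass
class MappingMethod:
    name: str
    header: str  # request/ICAP header the input value is read from
    kind: str    # "ip" or "name"
    rules: list


def _ip_matches(pattern: str, value: str) -> bool:
    addr = ipaddress.ip_address(value)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(pattern)


def _name_matches(pattern: str, value: str) -> bool:
    # The group header may carry several comma-separated group names (constructed format).
    return any(pattern.casefold() == v.strip().casefold() for v in value.split(","))


def map_policy(headers: dict, methods: list, default_policy: str = "default"):
    """Return (policy, method_name) for a request described by its headers."""
    for method in methods:
        value = headers.get(method.header)
        if value is None:
            continue  # "Input Value Must Exist": the whole method is skipped
        for rule in method.rules:
            if rule.pattern == "*":
                return rule.policy, method.name
            match_fn = _ip_matches if method.kind == "ip" else _name_matches
            if match_fn(rule.pattern, value):
                return rule.policy, method.name
    return default_policy, "(no mapping matched)"


# Constructed sample configuration: an IP method first (as in eelsasser's
# sequence), then a group method like itsec's, with AD groups and a "*" catch-all.
METHODS = [
    MappingMethod("IP-Direct-1", "X-Client-IP", "ip", [
        Rule("192.168.110.150", "policy1"),
        Rule("192.168.68.1-192.168.68.254", "policy2"),
    ]),
    MappingMethod("Group-Direct-1", "X-Authenticated-Groups", "name", [
        Rule(r"DOMAIN\unrestricted internet access", "Unrestricted"),
        Rule(r"DOMAIN\restricted internet access", "Restricted"),
        Rule("*", "Standard"),
    ]),
]


def classify_samples():
    """Constructed requests: where each lands, and why 'default' still shows traffic."""
    samples = {
        "member of a mapped group": {
            "X-Authenticated-Groups": r"DOMAIN\Domain Users, DOMAIN\unrestricted internet access"},
        "authenticated, no mapped group": {"X-Authenticated-Groups": r"DOMAIN\Domain Users"},
        "IP rule wins before groups": {
            "X-Client-IP": "192.168.68.20",
            "X-Authenticated-Groups": r"DOMAIN\unrestricted internet access"},
        "no group header at all": {"User-Agent": "Mozilla/5.0"},  # e.g. an auth challenge
    }
    return {label: map_policy(h, METHODS) for label, h in samples.items()}


if __name__ == "__main__":
    for label, (policy, via) in classify_samples().items():
        print(f"{label:32} -> {policy:12} via {via}")
```

Under these assumed rules the request that carries no X-Authenticated-Groups header is the only one that reaches "default", which is the situation Jon describes: such requests have no group or user value for any mapping rule, including the "*" entry, to match on. A cheap check against the gateway's own data is to compare the share of "default" in Traffic Volume with the share of unauthenticated or authentication-challenge requests in the raw logs; if the two roughly agree, the default traffic is accounted for.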
