2 Replies. Latest reply: Feb 27, 2013 12:54 PM by robert.messing

    What are the best practices for a rule which allows all client IPs to be unfiltered to report activity?

    robert.messing

      I am new to McAfee Web Security and was looking for the best way to report all activity for different client IP subnets.

        • 1. Re: What are the best practices for a rule which allows all client IPs to be unfiltered to report activity?
          Regis

          You definitely don't want to generate email on every request.

           

          You might consider creating a separate log for them under the log handler ... add a new one with a criteria of client.ip matches in list [list of whitelisted IPs]. And then deep in there is some magic to do FileSystemLogging.WriteLogEntry (User-definedloglinesomething or other) and within there a log configuration can be made to automatically push that log out to Web Reporter at certain intervals. I strongly recommend getting support's help with this because I can never do it on my own despite having done it twice before with their help.

             

          Or, if you have the web reporter, you could possibly do it on that end based on stock access logs. I'm not sure though, as web reporter is ... not the greatest in terms of its query flexibility.

           

          Or, you could deal with raw logs and do a zfgrep -f textfileoftheiripaddresses.txt /path/to/your/archived/logs/accessYYMMDD* > whitelisters_reviewme_somehow.txt

           

          The first one is probably the cleanest.

           

          Getting web reporter to send you a daily summary based on a log file source of those with that privilege is probably the way to go.
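
Added example (not from the thread or from McAfee): `zfgrep -f` matches fixed substrings, so a list entry such as 10.1.1.1 also hits 10.1.1.10 and IPs inside URLs; this Python script instead compares the parsed client address against whole subnets and counts requests per client and user. The log layout, sample lines, subnet and function names are assumptions constructed for illustration.

```python
import gzip
import ipaddress
from collections import Counter

# Constructed sample lines (not real traffic). Assumed layout:
# [time] "user" client_ip status "request line"
SAMPLE_LOG = [
    '#time_stamp "auth_user" src_ip status_code "req_line"',
    '[27/Feb/2013:12:50:01 -0500] "alice" 10.1.1.1 200 "GET http://example.com/ HTTP/1.1"',
    '[27/Feb/2013:12:50:02 -0500] "bob" 10.1.1.10 200 "GET http://example.org/a HTTP/1.1"',
    '[27/Feb/2013:12:50:03 -0500] "carol" 10.2.0.7 200 "GET http://10.1.1.1/x HTTP/1.1"',
    '[27/Feb/2013:12:50:04 -0500] "alice" 10.1.1.1 403 "GET http://example.net/ HTTP/1.1"',
]


def client_ip(line):
    """First whitespace-separated field that parses as an IP (assumed to be the client)."""
    for field in line.split():
        try:
            return ipaddress.ip_address(field)
        except ValueError:
            continue
    return None


def activity_by_client(lines, subnets):
    """Count requests per (client IP, user) for clients inside the given subnets."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    counts = Counter()
    for line in lines:
        ip = None if line.startswith("#") else client_ip(line)
        if ip is None or not any(ip in net for net in nets):
            continue  # header line, unparseable line, or client outside the subnets
        user = line.split('"')[1] if line.count('"') >= 2 else "-"
        counts[(str(ip), user)] += 1
    return counts


def read_logs(paths):
    """Yield lines from plain or gzip-compressed log files."""
    for path in paths:
        opener = gzip.open if str(path).endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    for (ip, user), n in sorted(activity_by_client(SAMPLE_LOG, ["10.1.1.0/29"]).items()):
        print(ip, user, n)
```

For archived logs, pass `read_logs([...])` with your own file paths as the first argument in place of `SAMPLE_LOG`.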

          • 2. Re: What are the best practices for a rule which allows all client IPs to be unfiltered to report activity?
            robert.messing

            Thank you, Regis, for the reply,

            I was more looking for the best way to configure a rule to allow all access to web (not blocking anything) for a few subnets, to generate a report of all their activity and what users access.

            The report answer was a help.

             

            Currently I have a ruleset allow URL custom; under rule I have client IP Range:destinationIPRange and criteria client IP is in range list or URL destination IP is in range list Url allow

            Client Subnets are added

            Action: continue

            Events: set client.IP=Client.IP

             

            Not sure if I need anything else in rules to record data.

            Thanks