6 Replies Latest reply on Aug 5, 2014 8:07 AM by elfrank0

    Questions on McAfee Web Gateway

    hdkothari

      Hi Team,

       

      As I am working on McAfee Web Gateway, I have below few questions:

       

      1.     Can I configure my web gateway not to scan or filter my intranet websites?

      2.     Admin Logs: How to check what all policy changes super administrator had done through McAfee GUI

      3.     How to check real time access logs through GUI e.g. currently how many users are browsing mcafee.com or gmail.com or yahoo.com. or who is downloading what. If yes then how

      4.     In case if we can see the information asked in point no. 3 then can we terminate the session of a particular user. If yes then how

      5.     Web cache feature : what are the features available with McAfee webgateway

      6.     How we can block a single character in single policy ( candy word  need to be blocked )

       

      Early response would be great help.

       

      Thanks.

        • 1. Re: Questions on McAfee Web Gateway
          sroering

          1) You can put a criteria on your scanning ruleset to prevent local addresses from entering, OR put a "white list" rule somewhere above your scanning that applies to the request cycle, and does a stop cycle for internal addresses.

           

          2) Check the Audit log under Troubleshooting > Log files

           

          3) Send access log data to Content Security Reporter via SYSLOG.  https://community.mcafee.com/docs/DOC-5206

           

          4) What do you mean terminate a session? When you open your browser to www.mcafee.com, the connection only lives while content is being downloaded. There isn't a session that exists in a live connection for most of web traffic. What is your end goal or use case?

           

          5) Page 302 of the product guide:  http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24752/en_US/mwg_740_pg_product_a_en-us.pdf

           

          6) I don't know what you are asking.

          • 2. Re: Questions on McAfee Web Gateway
            hdkothari

            Hi,

             

            Thanks for your response. Kindly find my question below:

             

            1.     I tried this but it was not successful. Can you please post a sample ruleset for the same.

            2.     Apart from the audit log can we see the logs in dashboard or in GUI.

            3.     I understand from your response that we have to transfer real time logs to content reporter which will allow us to have brief look at it. But are you sure that it would be a real time as we are transferring the same.

            4.     Terminating session means if 10 users are browsing facebook.com and if I can see it online through logs or content security reporter, can I end or terminate their sessions.

            5.      I will go through the document. Thanks.

            6.     If I want to block any character like candy... meaning if for e.g. somebody browses candy.com or searches for candy word in google it should be blocked. Some kind of content/character base blocking.

             

            Thanks.

            • 3. Re: Questions on McAfee Web Gateway
              Regis

              4) What do you mean terminate a session? When you open your browser to www.mcafee.com, the connection only lives while content is being downloaded. There isn't a session that exists in a live connection for most of web traffic. What is your end goal or use case?

               

              This sounds like hdkothari may have been a Bluecoat user. :-) One nice thing Bluecoat proxies have (and maybe one of the few only nice things) is a nice way to view current connections through the proxy and sort by size/time of the session... so if some jackhole is streaming the $bigSportingEvent and has been doing so in HD for the past 3 hours while you have a high CPU issue on the proxy... with 2 clicks you can terminate that connection that may be sitting in the background of his computer being unwatched. Or downloading every iso on the planet from a given site, etc.

               

              I haven't found analogous functionality in MWG to this very nice feature of the Bluecoat proxies. I'm in the 7.3 branch... is there anything new on this real time "who's sucking up all my proxy bandwidth and CPU" viewing in later versions?

               

              on 2/27/14 9:15:00 AM CST
              • 4. Re: Questions on McAfee Web Gateway
                elfrank0

                In reply to Item 6
                I have managed to do something similar.
                I had a requirement to block the content from a webpage if it contained a word - such as flippetyflop.

                 

                I created a rule that allowed you to do that. It is basic, but it works.
                Feel free to try it, I would appreciate if you would let me know if it works for you, or if you can make it better.

                 

                 

                Hope this helps

                 

                ElFranko

                • 5. Re: Questions on McAfee Web Gateway
                  asabban

                  Simple, but effective. Please note that this rule causes MWG to parse every (readable) body that walks through. If you call such a rule for every URL that is requested by users you may see some performance impact, so you may want to restrict such rules to only be called after "cheaper" tests. For example you can execute such a check only for websites in a specific category or when its reputation is bad.

                   

                  You can also tie the check to criteria like MediaType equals text/html to only search in HTML objects.

                   

                  As usual there are multiple ways to find a solution.

                   

                  Best,

                  Andre
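
The ordering described in the reply above (cheap criteria such as media type, category and reputation before the body search), as an added Python sketch; it is not MWG rule syntax and not code from any poster in this thread. The category names, the reputation scale and the `KeywordFilter` class are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# All values below are constructed for illustration; none come from an MWG policy.
KEYWORD = re.compile(r"flippetyflop", re.IGNORECASE)
SCANNED_CATEGORIES = {"Entertainment"}   # hypothetical category name
BAD_REPUTATION = 50                      # hypothetical scale: higher is worse

@dataclass
class Response:
    category: str
    reputation: int
    media_type: str
    body: bytes

class KeywordFilter:
    def __init__(self):
        self.bodies_parsed = 0           # how often the expensive step ran

    def needs_body_scan(self, r: Response) -> bool:
        # Cheap metadata tests first: media type, then category or reputation.
        if r.media_type.split(";")[0].strip().lower() != "text/html":
            return False
        return r.category in SCANNED_CATEGORIES or r.reputation >= BAD_REPUTATION

    def verdict(self, r: Response) -> str:
        if not self.needs_body_scan(r):
            return "allow"               # body is never decoded or searched
        self.bodies_parsed += 1
        text = r.body.decode("utf-8", errors="replace")
        return "block" if KEYWORD.search(text) else "allow"

SAMPLES = [
    Response("Entertainment", 10, "text/html", b"<p>buy a flippetyflop</p>"),
    Response("Business", 10, "text/html", b"<p>flippetyflop</p>"),   # outside the gate
    Response("Entertainment", 10, "image/png", b"\x89PNG flippetyflop"),
    Response("Business", 80, "text/html", b"<p>nothing here</p>"),
    Response("Business", 80, "Text/HTML; charset=utf-8", b"<p>FlippetyFlop</p>"),
]

def run_samples():
    f = KeywordFilter()
    return [f.verdict(r) for r in SAMPLES], f.bodies_parsed

if __name__ == "__main__":
    print(run_samples())
```

The second sample shows the cost of gating: a page outside the scanned category and below the reputation threshold passes even though it contains the word, so the gate has to match where the blocking is actually required.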

                  • 6. Re: Questions on McAfee Web Gateway
                    elfrank0

                    You are correct, I did have some criteria in mine to restrict it back to a subset of users coming from an IP range. But to make the rule "anonymous" so I could share it, I removed the criteria details from it.

                    *I also forgot to add that in my setup, this rule is below all of the Authentication and Category filters.

                    Slightly off topic, but my next attempt is to see if I can get it to change the word from for example 'flippetyflop' to 'floppetyflip'

                     

                    But alas work has got in the way.

                     

                    Regards

                     

                    Frank