Web Gateway 7.1.5 Product Guide - McAfee

Product Guide 

McAfee ® 

version 7.1.5 

Web Gateway

COPYRIGHT 

Copyright © 2011 McAfee, Inc. All Rights Reserved. 

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language 

in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. 

TRADEMARK ATTRIBUTIONS 

McAfee, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, Global Threat Intelligence, GroupShield, IntruShield, 

LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, 

SmartFilter, Total Protection, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. 

or its subsidiaries in the United States and other countries. 

LICENSE INFORMATION 

License Agreement 

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU 

PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO 

NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR 

PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS 

PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU 

DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT 

INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL 

REFUND. 

2 McAfee Web Gateway 7.1.5 Product Guide

Contents 

Preface 9 

About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 

Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

Find product information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 

1 Introduction 13 

Comprehensive web security for your network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 

Main functions of the McAfee Web Gateway appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 

Main administrator activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 

Deployment of the McAfee Web Gateway appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Network integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Administration and updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Main components of the McAfee Web Gateway appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 

Appliance subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 

Operating system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Filtering rules on the McAfee Web Gateway appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Rule sets for filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 

Lists and modules for filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 

Modifying the filtering process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 

Chapters of this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 

2 Setup and logon 21 

Setting up the McAfee Web Gateway appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

Setting up a physical appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

Setting up a virtual appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24 

Installing the appliance software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 

Logging on to the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 

Implement a web security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

Import a license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 

Working with the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 

Main elements of the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 

Configuration support functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 

Setting up system management tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 

Platform Confidence Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 

SNMP Subagent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 

Remote Management Module and Baseboard Management Controller . . . . . . . . . . . . . . . . . . . . . 34 

Active System Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35 

3 Proxies and caching 37 

Intercepting web traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 

Proxy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 

Web cache settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 

Network modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 

Explicit proxy mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 

Transparent bridge mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 

Transparent router mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 

McAfee Web Gateway 7.1.5 Product Guide 3

Contents 

Common proxy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Configure common proxy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Proxies (HTTP(S), FTP, ICAP, and IM) system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Reverse HTTPS proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60 

Redirect HTTPS traffic in a transparent bridge or router configuration . . . . . . . . . . . . . . . . . . . . . 60 

Let the appliance listen to requests redirected by DNS entries . . . . . . . . . . . . . . . . . . . . . . . . . . 61 

Handling SSL certificates in a reverse HTTPS proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . 62 

Optional settings for a reverse HTTPS proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 

Providing proxy auto-configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70 

Make a .pac file available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 

Make a wpad.dat file available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 

Helix proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 

Preventing data leaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 

Data Leakage Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73 

Configure the ICAP server list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 

ICAP Client engine settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 

Web caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

Rules for the web cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 

Bypass lists for web caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 

Verify the enabling of the web cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 

4 Rules and rule sets 81 

Filtering controlled by rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 

About filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 

Modules for delivering filtering information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 

About rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 

Main elements of a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86 

Rules on the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87 

Complex criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 

Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 

Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 

Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 

About rule sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 

Rules in rule sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 

Rule set cycles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 

Rule set criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 

Rule set library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 

Nested rule sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 

Implementing a rule set system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 

Rule set systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 

Rule configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 

Rule Sets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 

Adding a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 

Create a sample rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 

Sample rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 

Rule set configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 

Import a rule set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 

Add a new rule set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109 

List maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 

Lists tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 

List types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 

Add a list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 

Add list entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 

Inline lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 

Action and engine settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 

Settings tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 

Types of settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 

Add settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 

Access restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 

5 Authentication and access management 119 

Filtering users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 

Authentication process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 


Contents 

Standard authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 

Rules for authenticating users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 

Module for authenticating users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 

Membership in a Windows domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 

Instant messaging authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 

IM Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 

Modules for authenticating users of an instant messaging service . . . . . . . . . . . . . . . . . . . . . . . 142 

Cookie authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 

Cookie Authentication (rule set) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 

Module for cookie authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 

Quota management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 

Restricting web usage through quota management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 

Rules for quota management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 

Module settings for quota management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 

Quota system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 

Administrator accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 

Internal management of administrator accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 

Administrator roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166 

Configure external account management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 

6 Web filtering 169 

Filtering web objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 

Administering the filtering process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 

Functions for filtering web objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 

Virus and malware filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 

Virus and malware filtering process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 

Rules for virus and malware filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 

Whitelists for virus and malware filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 

Module for virus and malware filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 

URL filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 

URL filtering process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187 

Rules for URL filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188 

Whitelist and blocking lists for URL filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 

Extended Lists for blocking URLs per category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 

Module for URL filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 

Different versions of URL category sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 

Media type filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 

Rules for media type filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 

Lists for media type filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 

HTML filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 

Rules for HTML filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207 

Sample lists for HTML filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 

Module for opening objects embedded in HTML pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 

Global whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 

Rules for global whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 

Global whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 

SSL scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 

Rules for SSL scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 

Lists for SSL scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221 

Modules for SSL scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 

Supporting functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 

Progress Indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228 

Bandwidth throttling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231 

Next-hop proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 

User messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 

Message templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 

Adapt a user message template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 

Template Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 

Settings for message templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 

7 System configuration 245 

Configuring the appliance system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 

Initial setup system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 


Contents 

System configuration after the initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 

System settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 

Appliances tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 

Configure the system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 

Date and Time system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 

DNS system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 

File Server system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 

License system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 

Network system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 

Network Protection system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 

Port Forwarding system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 

Static Routes system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 

User Interface system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 

System files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 

File Editor tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 

Database updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 

Update database information manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 

Schedule automatic engine updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 

Automatic Engine Updates system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 

Central management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 

Configure central management settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 

Add an appliance to a central management configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 

Central Management system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 

8 Monitoring 269 

Monitoring the appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 

Monitoring functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269 

Troubleshooting functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 

Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 

Access the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 

Alerts tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 

Charts and Tables tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 

Log file types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 

View log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 

Log file handling using rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 

Sample logging rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279 

Create a sample logging rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 

Create a log handler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282 

Use self-configured log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 

Use of a property in a logging rule to record blocking key words . . . . . . . . . . . . . . . . . . . . . . . 283 

Configuring log file settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 

Log file settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 

Log handler rule sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295 

Performance measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 

View performance information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 

Properties for logging performance information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 

Using properties in rules to log performance information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 

Events for measuring performance in rule set processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 

Using events in rules to measure processing time for rule sets . . . . . . . . . . . . . . . . . . . . . . . . . 299 

Properties for logging rule set processing time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 

Transferring data to an ePO server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 

Configure the data transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 

ePolicy Orchestrator system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 

Bypass ePO Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 

Event monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303 

Configure SNMP monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 

SNMP system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 

Error handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 

View the rule sets for error handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 

Error handling using error IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 

Error handling using incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 

Rule sets for error handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 


Contents 

Create an error handler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 

9 Troubleshooting 315 

Troubleshooting appliance problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 

Files for recording appliance behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 

Network tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 

Backup and restore files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 

Create a feedback file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 

Enable the creation of core files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 

Enable the creation of connection tracing files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 

Create a packet tracing file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 

Use network tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 

Back up and restore the appliance configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 

Appendix: Configuration lists 319 

List of actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 

List of error IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 

List of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 

List of incident IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 

List of properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 

Wildcard expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 

Test a wildcard expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 

List of important special glob characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 

List of important special regex characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 

Index 373 


Contents 


Preface 

About this guide 

This Product Guide describes the features and capabilities of McAfee ® 

Web Gateway version 7.1.5, 

providing an overview of the product, as well as detailed instructions on how to set it up, configure, and 

maintain it. 

Audience 

This guide is intended for network and security administrators. It assumes familiarity with system 

administration, operating systems, networks, the Internet, and related terminology. 

Conventions 

When this guide mentions the appliance, this refers to the McAfee Web Gateway appliance. Other 

conventions used in the text are as follows: 

Table i-1 Conventions 

Convention Description 

Monospace bold Identifies commands and key words you type at a system prompt 

Monospace italic Indicates a placeholder for text you type 

Monospace plain Used to show text that appears on a computer screen 

Plain text italics Identifies the names of files and directories 

Also used for emphasis (for example, when introducing a new term) 

Plain text bold Identifies buttons, field names, and tabs that require user interaction 

[ ] Signals conditional or optional text and instructions (for example, instructions that pertain 

only to a specific configuration) 

Note: Used for a helpful suggestion or a reference to material not covered elsewhere in the guide 

Note: The screen captures and graphics used in this guide are for illustration purposes only. They are not 

intended to represent a complete or appropriate configuration for your specific needs. Features may be 

enabled in screen captures to make them clear, however, not all features are appropriate or desirable for 

your setup. 


About this guide 

Acronyms 

Acronyms used in this guide: 

Table i-2 Acronyms 

Acronym Description 

AC Alternating Current 

ASC Active System Console 

BMC Baseboard Management Controller 

BOS Basic OSCAR Service 

CA Certificate Authority 

CGI Common Gateway Interface 

CIDR Classless Inter-Domain Routing 

CLI Command Line Interface 

CN Common Name 

CPU Central Processing Unit 

CRL Certificate Revocation List 

DC Domain Controller 

DLP Data Leakage Prevention 

DHCP Dynamic Host Configuration Protocol 

DN Distinguished Name 

DNS Domain Name Server 

EDH Ephemeral Diffie-Hellman 

EFI Enhanced Firmware Interface 

ePO ePolicy Orchestrator 

FIPS Federal Information Processing Standard 

FTP File Transfer Protocol 

HA High Availability 

HTML Hypertext Markup Language 

HTTP Hypertext Transfer Protocol 

HTTPS Hypertext Transfer Protocol – Secure 

ICAP Internet Content Adaptation Protocol 

ICQ “I seek you” (Network Protocol) 

ID Identity, Identification, Identifier 

IM Instant Messaging/Messenger 

IP Internet Protocol 

ISO International Standards Organization 

JRE Java Runtime Environment 

LAN Local Area Network 

LDAP Lightweight Directory Access Protocol 

LOM Lights Out Management 

LRU Least Recently Used 

MIB Management Information Base 

MIME Multi-Purpose Internet Mail Extension 

MLOS McAfee Linux Operating System 

MTU Maximum Transmission Unit 

NAT Network Address Translation 

NTLM New Technology LAN Manager 


Table i-2 Acronyms (continued) 

Acronym Description 

NTP Network Time Protocol 

OID Object ID 

OSCAR Open System for Communication in Real Time 

PAC Proxy Auto-Configuration 

PCT Platform Confidence Tool 

PD Persistent Database 

PEM Privacy-Enhanced Mail 

RAM Random Access Memory 

Regex Regular Expression 

RFC Request for Comments 

RMM Remote Management Module 

RTSP Real-Time Streaming Protocol 

SB Switchboard 

SMI Structure of Management Information 

SNMP Simple Network Management Protocol 

SSH Secure Socket Shell 

SSL Secure Socket Layer 

TSL Transport Layer Security 

TTL Time to Last 

URI Uniform Resource Identifier 

URL Uniform Resource Locator 

UUID Universal Unique Identifier 

VRRP Virtual Router Redundancy Protocol 

WCCP Web Cache Communication Protocol 

WPAD Web Proxy Auto-Discovery 

Find product information 

You can find additional product information at the following locations: 

Table i-3 Additional product information 


Information Location 

Product Documentation 1 Go to the McAfee Technical Support ServicePortal at: 

(ServicePortal) 

http://mysupport.mcafee.com 

2 Under Self Service, click Product Documentation. 

3 Select a Product, then a Version. 

4 Select a document. 

Product Documentation 1 Go to the Extranet for McAfee Web Gateway at: 

(Extranet) 

https://extranet.webwasher.com/documentation_mwg7 

2 Enter your user name and password. 

3 Select a document. 

KnowledgeBase Answers 1 Go to the McAfee Technical Support ServicePortal at: 

and Articles 

http://mysupport.mcafee.com 

2 Click one of the following: 

• Search the KnowledgeBase for answers to your product questions. 

• Browse the KnowledgeBase for articles listed by product and version. 




1 Introduction 

Contents 

Comprehensive web security for your network 

Deployment of the McAfee Web Gateway appliance 

Main components of the McAfee Web Gateway appliance 

Filtering rules on the McAfee Web Gateway appliance 

Chapters of this guide 


The McAfee ® 

Web Gateway appliance ensures comprehensive web security for your network. It protects 

your network against threats arising from the web, such as viruses and other malware, inappropriate 

content, data leaks, and related issues. It also ensures regulatory compliance and a productive work 

environment. 

The appliance is installed as a gateway that connects your network to the web. Following the 

implemented web security rules, it filters the requests that users send to the web from within your 

network. 

Responses sent back from the web and embedded objects sent with requests or responses are also 

filtered. Malicious and inappropriate content is blocked, while useful matter is allowed to pass through. 

Figure 1-1 Filtering web traffic 


1 

Introduction 


Main functions of the McAfee Web Gateway appliance 

Filtering web traffic is a complex process. The main functions of the appliance contribute to it in 

different ways: 

• Filtering web objects — Special anti-virus and anti-malware functions on the appliance scan and 

filter web traffic and block web objects when they are infected. Other functions filter requested URLs, 

using information from the Global Threat Intelligence system, or do media type and HTML filtering. 

They are supported by functions that do not filter themselves, but do such jobs as counting user 

requests or indicating the progress made in downloading web objects. 

• Filtering users — This is done by the authentication functions of the appliance, using information 

from internal and external databases and methods such as NTLM, LDAP, RADIUS, Kerberos, and 

others. In addition to filtering normal users, the appliance also gives you control over administrator 

rights and responsibilities. 

• Intercepting web traffic — This is a prerequisite for any filtering of web objects or users. It is 

achieved by the gateway functions of the appliance, using different network protocols, such as HTTP, 

HTTPS, FTP, Yahoo, ICQ, and Windows Live Messenger. As a gateway, the appliance can run in explicit 

proxy mode or in transparent bridge or router mode. 

• Monitoring the filtering process — The monitoring functions of the appliance provide a continuous 

overview of the filtering process. They include a dashboard, displaying information on alerts, web 

usage, filtering activities, and system behavior, as well as logging and tracing functions and options 

to forward data to an ePolicy Orchestrator or do event monitoring with an SNMP agent. 

Main administrator activities 

The following are the main activities you need to complete when administering the appliance: 

• Perform the initial setup — You can set up the appliance on a physical hardware platform or on a 

virtual machine. The setup procedure includes the initial configuration of system parameters, such as 

host name and IP address, implementing an initial system of filtering rules, and licensing. 

Two wizards are available in this phase: one for the initial configuration, another for the filtering 

rules. 

• Configure the gateway functions — After the initial setup, explicit proxy mode and the HTTP 

protocol are preconfigured on the appliance. You can modify this and also configure other network 

components that the appliance communicates with. 

• Modify filtering rules — The filtering rules are the building blocks of your web security policy. You 

can review the system of filtering rules that has been implemented during the initial setup and modify 

it. Authentication is not implemented by default. 

Working on the filtering rules includes maintaining the lists that these rules use and configuring 

the settings for rule actions and for the modules involved in the filtering processs. 

• Monitor the appliance — When you have configured the appliance according to your requirements, 

you can monitor it to see how it performs the filtering process. You can also monitor system functions, 

such as CPU and memory usage, number of active connections, and others. 


Deployment of the McAfee Web Gateway appliance 

Introduction 

Deployment of the McAfee Web Gateway appliance 1 

Before you set up the McAfee Web Gateway appliance, consider how you want to use it. There are 

different options regarding the platform on which you can run it and for integrating it into your network. 

You can also set up multiple appliances and administer them as nodes in a central management 

configuration. 

Platform 

You can run the appliance on different platforms. 

• Hardware-based appliance — On a physical hardware platform 

• Virtual appliance — On a virtual machine 

Network integration 

In your network, the appliance can intercept, filter, and transmit web traffic in different modes. 

• Explicit proxy mode — The clients that the appliance communicates with are aware of it. You must 

configure them “explicitly” to direct their traffic to the appliance. 

• Transparent modes — The clients are not aware of the appliance. 

• Transparent bridge — The appliance acts as an “invisible” bridge between its clients and the 

web. You need not configure the clients for this. 

• Transparent router — The appliance routes traffic according to a routing table, which you need 

to fill out. 

Administration and updates 

You can administer the appliance and have updates distributed in different ways. 

• Standalone — Administer the appliance separately and let it not receive updates from other 

appliances 

• Central management — Set up the appliance as a node in a complex configuration and administer 

other nodes on its user interface, including the distribution of updates 

You can then administer the appliance also on other nodes and let it receive updates from them. 


1 

Introduction 



The McAfee Web Gateway appliance uses several subsystems to provide filtering and other functions, 

based on its operating system. 

Appliance subsystems 

The subsystems of the appliance and their modules do the following: 

• Core subsystem — Provides a proxy module for intercepting web traffic and a rule module for 

processing the filtering rules that make up your web security policy 

This subsystem furthermore provides the modules (also known as engines) that do special jobs for 

the filtering rules and can be configured by you, for example, the Anti-Malware engine, the URL 

Filter engine, or the Authentication engine 

A flow manager module ensures efficient cooperation between the modules. 

• Coordinator subsystem — Stores all configuration data processed on the appliance 

This subsystem also provides update and central management functions. 

• Configurator subsystem — Provides the user interface (internal subsystem name is Konfigurator). 

Figure 1-2 Appliance subsystems and modules 


Operating system 

Introduction 

Filtering rules on the McAfee Web Gateway appliance 1 

The subsystems of the appliance rely on the functions of its operating system, which is MLOS (McAfee 

Linux Operating System) version 1.0. 

The operating system provides functions for executing the actions that the filtering rules trigger, file 

and network reading and writing, and access control. 

A configuration daemon (sysconfd daemon) implements changed configuration settings in the operating 

system. 

Filtering rules on the McAfee Web Gateway appliance 

Rules control the filtering process on the appliance. Reviewing these rules lets you understand what the 

appliance does to ensure web security. You need not set up these rules yourself, a wizard can do this 

for you, according to your instructions, or a default system of rules is implemented. You can then still 

modify every detail of the implemented system. 

It is the job of the filtering rules to look at web objects before users of your network are allowed to 

access them and also at these users. These rules check the properties of objects and users and if, for 

example, an object is virus-infected or a user not in an allowed user group, they block access to the 

object or let the user not complete further activities. 

Rule sets for filtering 

A rule usually works with other rules to do its job. For example, a whitelisting rule can work with a few 

blocking rules to do URL filtering. The whitelisting rule says which URLs are allowed and the blocking 

rules say which are not. Together, these rules are in a URL filtering rule set. 

The implemented system of rule sets is displayed on the Rule Sets tab of the user interface. When you 

review it, you will see rule sets there for URL filtering, virus and malware filtering, media type filtering, 

and other purposes. When you open a rule set, you will see the individual rules that are contained in it. 

Even a rule that works on its own, like a global whitelisting rule might do, is embedded in a rule set. 

Some rule sets have other rule sets nested within them. This way, for example, media type filtering can 

be split up between a nested rule set that filters media type uploads and another nested rule set that 

filters the downloads. 

Lists and modules for filtering 

Rules are interested in the properties of web objects and users. A blocking rule for URLs needs to know 

which categories URLs belong to, so it can block, for example, a URL that is in the online-shopping 

category and prevent the users of your network from accessing it. 

To get at the information they need, rules rely on: 

• Filter lists — A list can, for example, contain URLs of web sites for online shopping. When a user 

requests access to a particular URL, a blocking rule goes through the list to see if that URL is on it. 

• Special modules — Information on URL categories can be retrieved from the Global Threat 

Intelligence system. A module on the appliance communicates with this system and tells the blocking 

rule about its findings. 

Other modules scan web objects for infections, inspect certificates, check user credentials for 

authentication, or perform other activities related to web and user filtering. 


1 

Introduction 


Modifying the filtering process 

You can modify the filtering process by working with the rules and rule sets that control it, as well as 

with the filter lists and the settings of the modules involved in this process. This includes: 

• Modifying filtering rules and rule sets — You can modify blocking, whitelisting, and other rules 

and group them in rule sets as is appropriate for your network. 

• Maintaining filter lists — You can add new items to blocking lists and whitelists, as they emerge, 

and remove others that do not need special attention anymore. 

• Configuring module settings — You can configure settings to determine the way the modules on 

the appliance do their jobs, for example, use particular methods for detecting malware. 

The chapters of this guide provide information on all these activities. They explain general concepts, 

give step-by-step descriptions of key procedures, and inform you about the details of individual rules, 

lists, and module settings. 


The chapters of this guide deal with the main functions of the appliance and related subject matter in 

the following ways: 

• About the McAfee Web Gateway appliance — Introduces the appliance and provides overviews 

of main functions, administrator activities, deployment options, and system architecture 

• Setup and Logon — Explains how you setup the appliance and complete first steps up to the point 

where you configure proxy, authentication, and filtering functions 

This includes information on the installation and the initial configuration of system parameters. 

The chapter goes on to explain how you log on to the appliance and implement an initial system of 

filtering rules. An overview of the user interface is also provided. 

• Proxies and Caching — Explains how you configure the gateway functions of the appliance to let it 

run in explicit proxy or transparent mode, using different network protocols 

This enables the appliance to intercept web traffic and apply authentication and other filtering 

functions to it. Use of the web cache is also explained. 

• Rules and Rule Sets — The authentication and filtering functions that give you control over who 

accesses the web from within your network and what web objects can be accessed, depend on the 

implemented web security rules. 

This chapter explains in general how these rules work. It provides information on the rule sets that 

contain them and the filtering process that they contribute to. It tells you how to modify and 

create rules and rule sets and how to maintain and configure the lists and modules that the rules 

rely on. 

• Authentication and Account Management — Explains how you configure rules, lists, and modules 

for the authentication functions of the appliance 

The options for setting up accounts and privileges for administrators are also explained. 

• Web Filtering— Explains how you configure rules, lists, and modules for filtering web objects on the 

appliance 

The filtering process uses main functions, such as virus and malware or URL filtering, and 

supporting functions like counting user requests or progress indication for downloads. Messages to 

users that inform them about filtering activities of the appliance are also explained. 


Introduction 

Chapters of this guide 1 

• System Configuration — Explains how you configure functions of the appliance system, such as 

domain name services, port forwarding, or static routes 

Some of these are already configured at the initial setup. Functions for running appliance systems 

as nodes in a central management configuration are also explained. 

• Monitoring — Explains how to monitor alerts, web usage, filtering activities, and key system 

parameters, using the dashboard and several log files, as well as external systems, such as the ePolicy 

Orchestrator 

• Troubleshooting — Explains the functions the appliance provides for troubleshooting, such as the 

use of core files or TCP dumps 

The chapter also explains how you create a backup of the appliance configuration. 


1 

Introduction 



2 

Setup and logon 

Contents 

Setting up the McAfee Web Gateway appliance 

Logging on to the user interface 

Working with the user interface 

Setting up system management tools 


You can set up McAfee Web Gateway as a physical or virtual appliance. 

Before setting up the appliance, make sure you read the release notes for the current product version, 

for example, 7.1.5, which provide information on known issues. 

The release notes are available on the McAfee Technical Support ServicePortal at 

http://mysupport.mcafee.com. 

On this portal, proceed as follows: 

1 In the Self Service area, click Product Documentation. 

2 Select Web Gateway and version 7.1. 

3 From the document list that appears, select the current version of the Release Notes. 

Setting up a physical appliance 

When you have chosen to run McAfee Web Gateway as a physical appliance, the appliance software is 

delivered to you on a hardware platform. 

If you do not want to use this software, you can also download a different software version from the 

Extranet for McAfee Web Gateway and install it using a USB drive. 

Check your shipment 

Make sure you received the items needed for the setup: 

• McAfee Web Gateway appliance (models vary) 

• Power cord 

• Network cables 

• USB-PS/2 adapter cable (if you use a PS/2 keyboard for the initial configuration) 


2 



Gather necessary materials 

You must provide the following: 

• Standard VGA monitor and PS/2 keyboard 

or Serial console 

• Administration system with: 

• Windows or Linux operating system 

• Java Runtime Environment (JRE) version 1.6 or later 

• Microsoft Internet Explorer version 6.0 or later 

or Mozilla Firefox version 2.0 or later 

• Network cables 

To perform the installation with: 

• The software that was delivered to you on the hardware platform, continue with Connect and turn on 

the appliance. 

• Software you downloaded from the Extranet, continue with Installing downloaded software using a 

USB drive. 

Connect and turn on the appliance 

To begin with the installation: 

1 Connect the appliance to power and the network. 

2 Connect a monitor and keyboard or a serial console to the appliance. 

3 Turn on the appliance. The installer menu appears. 

Continue with Installing the appliance software. 

Installing downloaded software using a USB drive 

If you do not want to use the software that was shipped to you on the hardware platform for setting up 

the appliance, you can download a different version from the Extranet for McAfee Web Gateway and 

use a USB drive to install it. 

Tools for copying the appliance software to a USB drive 

To copy the appliance software to a USB drive, you can use different tools. 

For example, you can use the dd tool, which is provided with the Linux operating system. The command 

syntax is: 

dd if= of= bs=16k 

where bs is the size of a data chunk that is buffered in memory during the transfer. 

Note: You need to be logged in as root administrator to execute the command. Also be aware that the copy 

operation will completely overwrite everything that was stored on the drive. 

For cygwin (Windows), the syntax of the dd command is the same. You can use the following command 

to find out what the USB device name is for your appliance drive: 

cat /proc/partitions 

If you do not want to use cygwin, you may also obtain dd for Windows from the Intel Software Network 

site. 



Setting up the McAfee Web Gateway appliance 2 

Prepare installation from a USB drive 

To install the appliance software using a USB drive, begin with the following: 

1 Go to the Extranet for McAfee Web Gateway and download a USB-format version of the appliance 

software. 

2 Copy the appliance software to a USB drive. 

For more information, see Tools for copying the appliance software to a USB drive. 

Install the appliance software from a USB drive 

When you have the appliance software on your USB drive ready for installation, continue as follows: 

1 Connect the appliance to power and the network. 

2 Connect a monitor and keyboard or a serial console to the appliance. 

3 Insert the USB drive into the appliance. 

4 Turn on the appliance. The installation starts. 

5 During the start phase, select the installation device: 

• If your appliance model is WG4500B, WG5000B, or WG5500B, press F6 to enter the Boot Manager 

and select USB Drive. The appliance software is installed on the appliance. 

• If your appliance model is WG4000B: 

a Press F2 to enter the BIOS setup menu. 

b Go to Boot Options. 

c Select Hard Disk Order and then the option that assigns the USB drive the highest priority. 

d Select the Exit tab. 

e Select Discard Changes. 

Note: Do not use Discard Changes and Exit here. 

f Go to Boot Manager. 

g Select USB Drive. The appliance software is installed on the appliance. 

• If your appliance model is not one of those specified above, press F11 to enter the Boot Manager and 

select USB Drive. The appliance software is installed on the appliance. 

Continue with Logging on to the user interface. 


2 



Setting up a virtual appliance 

To run McAfee Web Gateway as a virtual appliance, you need to obtain an ISO image of the appliance 

system and install it on a virtual machine. 

Requirements for setting up a virtual appliance 

To set up McAfee Web Gateway as a virtual appliance, you need the following: 

• One of the following VMware ® 

types: 

• VMware ESX ® 

• VMware ESXi ® 

• VMware workstation version 5.5 or later 

• Virtual machine host system with the following requirements: 

• CPU: 64-bit capable 

• Virtualization extension: VT-x/AMD-V 

• Virtual machine with the following requirements: 

• Memory: 4 GB 

• Hard-disk space: 200 GB 

• CPU cores: 2 (minimum) 

Set up a new virtual machine 

When you have obtained the ISO image of the appliance system, you can install it on a virtual machine. 

1 Start VMware. 

2 Set up a new virtual machine. 

The procedures for setting up a virtual machine differ for each VMware type. When setting up 

McAfee Web Gateway as a virtual appliance, make sure you configure the settings listed in the 

following table. 

Note: For parameters that are not listed, use the default values given in the procedures. Parameter names 

can also differ in each procedure. 

Table 2-1 Virtual machine settings 

Parameter Value 

Configuration type Typical | Advanced (recommended for virtual appliance setup) 

Installation mode Install from disk | ISO image (required for virtual appliance setup) | Install later 

Operating system Linux (64 bit) version 2.6 

Memory 4 GB (recommended) 

Hard-disk space 200 GB (recommended) 

Number of processors 1 | 2 (minimum requirement) | 4 | ... 

Note: The number of processors provided for selection depends on the equipment 

of the host system that is used for setting up the virtual appliance. 

Network connection mode Bridged (recommended) | NAT | ... 

CD/DVD drive with assigned 

ISO image 

/ 

SCSI controller (for some 

ESX versions) 

BusLogic Controller (recommended) | LSI Logic Controller 

3 Turn on the virtual machine. The installer menu appears. 

Continue with Installing the appliance software. 


Installing the appliance software 


Setting up the McAfee Web Gateway appliance 2 

After turning on the appliance, the installer menu appears. It includes an option for using a wizard to 

implement your own initial configuration settings. 

Before you select an installation mode, review the default settings. They are implemented on the 

appliance if you do not use with the wizard. 

The following table shows these settings: 

Table 2-2 Default settings for the initial configuration 

Parameter Value 

Primary network interface eth0 

Autoconfiguration with DHCP yes 

Host name mwgappl 

Root password webgateway 

Remote root logon with SSH off 

Default gateway 

DNS server 

Select a mode and install the appliance software 

The installer menu allows you to select a mode for installing the appliance software. 

The following table explains the menu options: 

Table 2-3 Installer menu 

Option Definition 

1 – serial console 

System output is displayed on a serial console. 

(with configuation wizard) When the appliance software is successfully installed in standard mode, the 

appliance restarts and displays a wizard for implementing the initial configuration 

settings. 

2 – video console 

System output is displayed on a video console. 

(with configuration wizard) When the appliance software is successfully installed in standard mode, the 

appliance restarts and displays a wizard for implementing the initial configuration 

settings. 

3 – serial console System output is displayed on a serial console. 

When the appliance software is successfully installed in standard mode, the 

appliance restarts and waits for your confirmation to complete the installation. 

4 – video console System output is displayed on a video console. 

When the appliance software is successfully installed in standard mode, the 

appliance restarts and waits for your confirmation to complete the installation. 


2 



Table 2-3 Installer menu (continued) 


5 – FIPS 140-2 level 2 Opens a submenu for installing the appliance software in FIPS compliant mode: 

1 – FIPS 140-2 level 2 (serial) 

Installation in this mode disables logon to the appliance using SSH or from a 

console and implements other features required for FIPS compliance. System 

output is displayed on a serial console. 

When the appliance software is successfully installed, the appliance waits for 

your confirmation to complete the installation. 

2 – FIPS 140-2 level 2 (Configuration Wizard/serial) 

As option 1, but with configuration wizard. 

3 – FIPS 140-2 level 2 (Enforce Self Failed Test/serial) 

Recovers the appliance when a FIPS self-test has failed after starting 

option 1 or 2. After the recovery, use one of these options to repeat the 

installation. 

4 – FIPS 140-2 level 2 (video) 

As option 1, but with system output on a video console. 

5 – FIPS 140-2 level 2 (Configuration Wizard/video) 

As option 4, but with configuration wizard. 

6 – FIPS 140-2 level 2 (Enforce Self Failed Test/video) 

Recovers the appliance when a FIPS self-test has failed after starting 

option 4 or 5. After the recovery, use one of these options to repeat the 

installation. 

9 – Boot from hard disk The appliance restarts with software that is already installed on a hard disk of the 

appliance. 

To install the appliance software: 

1 Select a mode and press ENTER. The appliance software is installed on the appliance. 

2 Complete the installation: 

• If you have selected a mode without configuration wizard, confirm when prompted to complete the 

installation. The appliance runs with default initial configuration settings. 


• If you have selected a mode with configuration wizard, continue with Implement your own initial 

configuration settings. 

Implement your own initial configuration settings 

If you have selected an installation mode with configuration wizard to implement your own initial 

configuration settings, the wizard appears after the appliance software is installed. 

To implement your own settings: 

1 Use the wizard windows to configure the following: 

• Primary network interface 

• IP address, entered manually or configured dynamically by DHCP 

• Host name 

• DNS server 


2 Review the summary that is displayed after configuring the host name. 


Logging on to the user interface 2 

• If you approve of the summary, confirm and configure the remaining settings: 

• Root password 

Note: In a FIPS-compliant mode, this option is not available. 

• Remote logon with SSH 

Note: In a FIPS-compliant mode, this option is not available. 

The initial configuration is completed with your settings and the IP address is displayed. 


• If you need to make changes, click Cancel and return to step 1. 


You log on to the user interface and administer the appliance through a browser on an administration 

system. 

The first time you log on, you also need to implement a web security policy and import a license. 

To log on to the user interface: 

1 Open the browser of your administration system and go to: 

http://:4711 

or https://:4712 

using the address configured during the initial configuration. 

Note: Under HTTPS, accept the self-signed certificate that appears. 

A logon window opens. 

2 Enter admin as the user name and webgateway as the password. 

After a successful logon, proceed as follows: 

Note: While being logged on, you should not use your browser to log on to the same appliance again. 

Continue with Implement a web security policy. 


2 



Implement a web security policy 

The first time you log on to the user interface after the initial configuration of the appliance, a policy 

creation wizard appears. You can use this wizard to create a web security policy for your network, 

according to your selections. 

You can also choose not to make any selections and have a default policy implemented. 

In the wizard window, do one of the following to implement a policy: 

• Select values for organization, location, and a level of permission or restriction. Then click OK. A web 

security policy is implemented accordingly. 

Note: Your location and organization selections are used to implement standard whitelists and 

recommended blocking lists. Your selection regarding permission or restriction is used to implement 

filtering rules. 

• Click Default. A default web security policy is implemented. 

Figure 2-1 Policy creation wizard 

Continue with Import a license. 


Import a license 


Logging on to the user interface 2 

The first time you log on to the user interface after the initial configuration of the appliance, you also 

need to import a license. This is done after implementing a web security policy. 

To import a license: 

1 On the user interface, go to Configuration | Appliances and select License. Settings for importing 

a license appear on the settings pane. 

2 Under Import License, click end user license agreement and review the agreement. Then select 

the checkbox in the same line. The License File input field and the Browse button become available. 

3 Click Browse and browse to the location where your license file is stored. Select the file and click 

Activate. The license is imported and license information appears below the input field. 

An automatic update of important information for the appliance modules, for example, virus signatures, 

is started after the initial configuration. It can take several minutes. 

Note: During this update, you cannot use the appliance as a proxy to access the web from the user interface. 

Attempts to do so will lead to an error message stating that a module, for example, the Anti-Malware engine, 

cannot be loaded (because updated information is needed for this). 

For more information on how to administer the appliance on the user interface, see Working with the 

user interface. 


2 




The main elements of the user interface are the system information line, several bars and buttons, the 

navigation pane, and the settings pane. 

System — 

information line 

Top-level — 

menu bar 

Tab bar — 

Toolbar (on tab) — 

Navigation pane — 

(on tab) 

Figure 2-2 Main elements of the user interface 

30 McAfee Web Gateway 7.1.5 Product Guide 

— Logout and 

Help buttons 

— Search and 

Save 

Changes 

buttons 

— Settings 

pane 

(on tab)

Main elements of the user interface 

The following table describes the main elements of the user interface. 

Table 2-4 Main elements of the user interface 


System information 

line 

Displays system and user information 

Top-level menu bar Lets you select one of the following menus: 


Working with the user interface 2 

Dashboard — Provides an overview of alerts, web usage, filtering activities, 

and system behavior 

For more information, see Dashboard. 

Policy — For configuring your web security policy 

For more information, see Rule Sets tab, Lists tab, and Settings tab. 

Configuration — For configuring the system settings of the appliance 

For more information, see System configuration. 

Accounts — For managing administrator accounts 

For more information, see Administrator accounts. 

Troubleshooting — For solving problems on the appliance 

For more information, see Troubleshooting. 

Tab bar Provides the tabs of the currently selected top-level menu 

Toolbar (on tab) Provides varying tools (depending on the selected tab) 

Navigation pane Provides tree structures of configuration items, such as rules, lists, and settings 

Settings pane Provides the settings of the item currently selected on the navigation pane for editing 

Logout Lets you log off from the user interface 

Opens the online help 

The chapters and sections of this Product Guide are provided there. You can browse through 

its pages or navigate on a tree structure and perform a full text search or search for index 

terms. 

Search Opens the Search window with the following options: 

• Search for objects — Lets you search for rule sets, rules, lists, and settings. Typing a 

search term in the input field displays all objects with names matching the search term. 

• Search for objects referring to — Lets you select a list, property, or settings and 

displays all rules that use the selected item. 

Save Changes Lets you save your changes. 

For more information, see Configuration support functions. 


2 



Configuration support functions 

The user interface provides several functions to support your configuration activities. 

Table 2-5 Configuration support functions 


Input reminder 

Appears attached to the name of a list that is still empty and needs to be filled by you 

Some filter lists are created, but not filled by the wizard because they are too 

sensitive. 

Input information 

Yellow text insert Appears when you move your mouse pointer over an item on the user interface 

providing information on the meaning and usage of the item 

Input responses 

Appears in a window when the input you entered is valid 


Appears in a window when the input you entered is invalid 

Message text Appears with the red symbol providing information on your invalid input 

Light red color of input field 

Change reminders 

An input field is filled out in light red if you enter invalid input. 

Save Changes The button turns red when you change an item. It turns gray again when you have 

saved your changes. 

Appears attached to tabs, icons, and list entries when you have changed an item and 

not yet saved 

For example, when you have changed a rule, the small red triangle appears: 

• In the row of the rule entry 

• On the symbol of the rule set 

• On the projection of the rule sets tab 

• On the Policy icon of the top-level menu bar 

Unsaved Changes message Appears if you attempt to log out without having saved your changes 

You have two options then: 

• Yes — Log out without saving 

• No — Acknowledge and save



Setting up system management tools 2 

When setting up a physical appliance, you can also set up several tools for managing the appliance 

system: 

• Platform Confidence Test (PCT) 

• Simple Network Management Protocol (SNMP) Subagent 

Additionally available for the WG5000B and WG5500B appliance models are: 

• Remote Management Module (RMM) 

• Baseboard Management Controller (BMC) 

• Active System Console (ASC) 

Platform Confidence Test 

The Platform Confidence Test tool (PCT) assists you in detecting hardware errors. For each appliance 

model, there is a particular version of the tool. 

Set up PCT 

To set up the Platform Confidence Test tool: 

1 Download the appropriate tool version from the McAfee Extranet for Web Gateway. 

Note: Tool versions are available there in zipped format. 

2 Extract the content of the downloaded zip file into the root directory of a USB drive. The drive must 

be formatted in Microsoft DOS mode. 

3 Attach the USB drive to your appliance. 

4 Restart the appliance. 

5 When prompted, press F2 to enter the setup menu. 

6 Go to Server Management | Console Redirection and make sure Console Redirection is disabled. 

7 Go to Boot Manager and select EFI Shell. 

The appliance is restarted in EFI shell mode. EFI runs the startup.nsh procedure from the USB 

drive and displays a diagnostics menu. 

To terminate the diagnostic cycle, press F10. 

Retrieve diagnostic information with PCT: 

To retrieve diagnostic information with the Platform Confidence Test tool: 

1 From the diagnostics menu of the tool, select a test type. 

Note: The network test requires that the appliance is not plugged in to any network. To test the network 

interface ports, you can connect any port to another port in the same system using a cross-over cable. 

The test is executed and the result written into a log file on a RAM disk. The name of the log file is 

result.log. 

It is recommended that after the comprehensive or comprehensive looping test you do a full AC 

power cycle (by removing power from the system) before you continue. This resets all controllers 

and ensures they are running in an expected mode. 


2 



2 Copy the result.log file to the USB drive: 

a Run the map command. 

b Identify your USB drive in the list that is displayed. Then enter the following command: 

cp result.log blk0: 

In the above command, blk0 is a device parameter that is required when using a USB drive. 

Different device parameters can be be specified here in some cases. 

SNMP Subagent 

When SNMP (Simple Network Management Protocol) monitoring is implemented on your appliance, you 

can use the SNMP Subagent to retrieve additional information on hardware parameters, such as 

general status and sensor values. 

The SNMP Subagent provides object IDs (OIDs) that belong to a MIB (Management Information Base) 

tree structure for hardware items. These can be queried using the SNMP functions on your appliance. 

To enable the subagent, run the following command from a system console: 

snmpsa-enable 

Note: Running this command can cause the appliance to stop processing web traffic for a few seconds. 

To disable the subagent, use the snmpsa-disable command. 

For more information on SNMP monitoring, see Event monitoring with SNMP. 

Remote Management Module and Baseboard Management Controller 

The Remote Management Module (RMM) is available on the WG5000 and WG5500 appliances. Its 

current version is RMM3. The tool provides functions for remote access to the appliance system and 

monitoring key functions. 

Together with this tool, you can set up the Baseboard Management Controller (BMC), which delivers 

information that is used both by the Remote Management Module and the Active Console System. 

The user interface of the Remote Management Module includes tabs for system overview, server health, 

and other monitoring functions. 

On the Remote Console tab, you find a remote access console, which you can use for completing 

remote jobs, for example, LOM (Lights Out Management) jobs. The console also allows you to mount 

local drives remotely or distribute ISO images. 

The console is completely Java-based. It works well on Micorosoft Windows and Linux operating 

systems, but not on the Apple MAC OSX. The systems you want to access from the console must have 

Java Runtime Environment (JRE) version 1.6 installed. 

Set up the RMM and BMC tools 

To set up the Remote Management Module and Baseboard Management Controller: 

1 Connect the RMM and BMC on the rear panel of your appliance box to the network. 

2 Restart the appliance. 

3 During the start phase, press F2. The setup menu appears. 

4 Go to Server Management and select BMC LAN Configuration. 

5 Under Baseboard LAN configuration, configure an IP address, a subnet mask, and a gateway IP 

address. 

6 Under Intel (R) RMM3 LAN configuration, configure an IP address, a subnet mask, and a gateway 

IP address. 



Setting up system management tools 2 

7 Under User configuration, configure a user name and password to allow an initial user access to 

the Remote Management Module. 

8 Press F10 and in the dialog window that appears, click Yes to save your changes. 

The Remote Management Module is now available for system management activities. You can access 

the tool through the IP address you configured. 

For information on where the RMM and BMC interfaces are located on the rear panels of the WG5000 

and WG5500 appliance boxes, see the McAfee Web Gateway Port Identification Guide. 

For more information on the Remote Management Module, refer to: http://www.intel.com/products 

/server/software/rmm/rmm-overview.htm. 

Active System Console 

The Active System Console (ASC) is a web-based debugging tool. It provides information on hardware 

errors involving chassis, storage, cooling, processors, memory, power supply, and other functions. 

Errors are detected by the BMC (Baseboard Management Controller) through accessing the system 

event log and sensor data records on your appliance. 

The tool also enables you to send hardware data to the McAfee support team. Furthermore, it allows 

you to configure some BMC functions, such as the IP address or trap and email communication. 

Set up ASC 

To set up the Active System Console tool: 

1 On a system console, run the following command: 

asc-enable 

2 When prompted, create an administrator password. 

Note: If a message on strong password setting is displayed, respond according to your requirements. 

After the password has been set, the Active System Console is started. 

3 Use a web browser to access the ASC user interface under: 

https://:9393 

When the appliance is started next time, the Active System Console is automatically started with 

it. 

To disable the Active System Console, use the asc-disable command. 

For more information, see the help information on the ASC user interface and the user documentation 

that is provided with the new hardware platforms. 

Information on the Active System Console and other system management tools for use on your 

appliance is also available at: http://www.intel.com/Products/Server/Software/sysmgmt 

/sysmgmt-overview.htm. 


2 




3 

Proxies and caching 

Contents 

Intercepting web traffic 

Network modes 

Common proxy settings 

Reverse HTTPS proxy configuration 

Providing proxy auto-configuration files 

Helix proxy configuration 

Preventing data leaks 

Web caching 

Intercepting web traffic 

The McAfee Web Gateway appliance is installed as a gateway that intercepts and filters web traffic to 

ensure web security for your network. It does this in explicit proxy mode or in transparent mode, using 

particular network protocols. 

The sections of this chapter tell you how to configure the use of network modes and protocols. They 

also tell you how to configure the web cache, which stores frequently requested objects locally to speed 

up browsing. 

Proxy settings 

You can review and modify the settings for the proxy functions on the Appliances tab of the 

Configuration top-level menu under Proxies (HTTP(S), FTP, ICAP, and IM). 

After the initial setup, these settings have preconfigured values. The most important are: 

• Network mode — Explicit proxy 

• Network protocol — HTTP 

If you keep the explicit proxy mode, you need to configure the clients of the appliance, so that they 

direct their requests for web access to it. This applies also to a proxy-chain configuration when the 

appliance is not immediately connected to a client. 

If you modify the preconfigured settings, you might not need to configure clients in this way, but other 

network components that are then involved. 

For more information, see Network modes and Common proxy settings. 


3 


Network modes 

Network modes 

Web cache settings 

The web cache settings are part of the proxy settings. You can review and modify both on the same tab 

of the user interface. 

The web cache is by default enabled after the initial setup, but its use is controlled by web security 

rules. A web cache rule set must be implemented with rules for writing to the cache and reading from 

it. 

You can review the implemented rule sets on the Rule Sets tab of the Policy top-level menu. If no 

web cache rule set is implemented, you can import one from the rule set library or create a web cache 

rule set with rules of your own. 

For more information, see Web caching. 

The appliance can operate in different network modes to intercept and filter web traffic. This section 

explains these modes and tells you how to configure them. 

• Explicit proxy mode — In this mode, the clients of the appliance are generally aware of its 

existence. You can use one of the following options to implement this mode: 

• Proxy — This is the explicit proxy mode proper. It is preconfigured on the appliance. 

Optionally, you can configure this mode to let it use several transparent features. 

For example, you can configure the use of WCCP services. Requests sent from clients can then 

be directed to the appliance by these services and back from web servers to the appliance. The 

clients are not aware of these redirections. 

You can also configure a method for using client IP addresses that is known as IP address 

spoofing (IP spoofing). Client requests that are intercepted on the appliance are then passed on 

to web servers with their original source addresses, not with that of the appliance. 

• Proxy HA — The appliance operates as an explicit proxy that is configured as a part of a 

high-availability configuration. 

• Transparent bridge mode — Clients are unware of the appliance, which serves as an (invisible) 

bridge between a firewall and the rest of your network. 

• Transparent router mode — Clients are unware of the appliance, which serves as a router in your 

network, directing web traffic according to a routing table. 


Explicit proxy mode 


Network modes 3 

This section explains the explicit proxy mode and how to configure it on the appliance and its clients. 

In this mode, the clients that have their web traffic filtered by the appliance “know” they are connected 

to it. They must explicitly be configured to direct their web traffic to the appliance. 

If this is ensured, it is less important where the appliance is deployed within your network. Typically, it 

is placed behind a firewall and connected to its clients and the firewall by a router. 

The following diagram shows a configuration in explicit proxy mode: 

Figure 3-1 Explicit proxy mode 

Configure the explicit proxy mode 

This section tells you how to configure the explicit proxy mode for the appliance. 

1 Go to Configuration | Appliances. 

2 On the appliances tree, go to the appliance you want to configure settings for and select Proxies 

(HTTP(S), FTP, ICAP, and IM). 

3 Under Network Setup, select one of the options for the explicit proxy mode: 

• Proxy — For the explicit proxy mode proper 

Note: This option is preconfigured after the initial setup. When it is selected, specific settings for 

configuring a proxy mode with transparent features appear below the Network Setup settings. 

• Proxy HA — For an explicit proxy mode with high-availability functions 

Note: After selecting this option, specific Proxy HA settings appear below the Network Setup settings. 

4 Configure specific and common settings for the selected option as needed. 

5 Click Save Changes. 

For more information, see Transparent Proxy and Common proxy settings. 


3 


Network modes 

Transparent Proxy 

Settings for configuring a proxy mode with transparent features 

Supported client redirection methods — Methods for intercepting web traffic and directing it to the 

appliance 

• WCCP — When selected, client requests sent to web servers under the IPv4 protocol are intercepted 

by an additional network device and directed to the appliance using the WCCP protocol. In the same 

way responses from web servers are directed back to the appliance. The clients are not aware of this 

redirection, it remains transparent for them. 

Note: WCCP version 2 must be used on the appliance. 

To use the WCCP redirection method, you need to configure one or more WCCP services on the 

appliance. You also need to configure the network device that intercepts the client requests and 

server responses. This device can be configured as a switch or router. 

After selecting this option, the following list is displayed for configuring and adding WCCP services: 

• WCCP Services — List of services for directing web traffic to the appliance under the WCCP 

protocol 

Note: Version 2 of the WCCP services must be used on the appliance. 

IP addresses of clients that have their requests directed to the appliance must be “visible” 

there. They must not be converted using the NAT (Network Address Translation) method. 

The following table describes the list entries. For information on maintaining a list of this type, 

see Inline lists. 

Table 3-1 WCCP Services list 


Service ID ID of a service that directs web traffic to the appliance under the WCCP protocol 

WCCP router 

Multicast IP address and DNS name of a router (or switch with routing functions) that 

definition 

uses a WCCP service to direct web traffic to the appliance 


Note: You can configure multiple routers here, separating entries by commas. 

Ports to be redirected Ports on web servers that data packets must have in their destination addresses to 

be redirected 

Note: You can specify up to eight port numbers here, separated by commas. 

Ports to be redirected 

are source ports 

Proxy listener IP 

address 

Displays whether the ports that are to be redirected are source ports 

IP address of the appliance when running in explicit proxy mode with WCCP services 

and listening to client requests 

Proxy listener port Port for listening to client requests 

MD5 authentication 

key 

Note: The default port number is 9090. 

Password used under the MD5 algorithm for signing and verifying control data 

packets 

The Set button opens a window for setting the password. 

Note: The password can have up to eight characters.

Table 3-1 WCCP Services list (continued) 


Input for load 

distribution 



This main item does not appear in the list, but is visible in the Add and Edit windows. 

The following four elements are related to it, specifying what is used in a data packet 

as the criteria for load distribution. 

When running multiple appliances, load distribution can be configured for the proxies 

on them. Data packets can be distributed to these proxies based on the masking of 

source or destination IP addresses and port numbers or on a hash algorithm. 

• Source IP — When selected, load distribution relies on the masking of source IP 

addresses 

• Destination IP — When selected, load distribution relies on the masking of 

destination IP addresses 

• Source port — When selected, load distribution relies on the masking of source 

port numbers 

• Destination port — When selected, load distribution relies on the masking of the 

destination port numbers 

Assignment method This main item does not appear in the list, but is visible in the Add and Edit windows. 

The following elements are related to it, specifying the method used for load 

distribution. 

• Assignment by mask — When selected, masking of the parameter specified above 

is used for load distribution 

• Assignment by hash — When selected, a hash algorithm is used for load 

distribution 

Assignment weight Value determining how much load is assigned to a proxy 

Use this value to assign more load to a proxy on an appliance that has more CPU 

capacity. 0 means no load is distributed to a proxy. 

Forwarding method This main item does not appear in the list, but is visible in the Add and Edit windows. 

The following two elements are related to it, specifying the forwarding method. 

• GRE-encapsulated — When selected, data packets are encapsulated by the router 

before being redirected 

• L2-rewrite to local NIC — When selected, data packets are redirected to the 

appliance by replacing the MAC address of the next device (on the route to the 

web server) with that of the appliance 

This is done on layer two (L2) of the standard communication model. 

L2-redirect target Network interface on an appliance that data packets are redirected to 

Magic (Mask 

Setting to assign a mask for use in redirecting web traffic 

assignment) 

Comment Plain-text comment on the WCCP service 

• L2 transparent — When selected, client requests sent to a web server under the IPv4 and IPv6 

protocols are intercepted by an additional network device and directed to the appliance using the 

Layer 2 redirection method 

Under this method, client requests are accepted on the appliance even if their destination IP 

addresses are not addresses of the appliance. The redirection is transparent to the clients. 

You need to enter the original ports for those client requests that are to be intercepted and 

redirected in a list on the appliance together with the ports that these requests are redirected to. 

The additional network device must be configured accordingly. 

Note: When this option is selected, requests can not be transmitted using a connection in active FTP 

mode. Only the passive FTP mode is then available. 


3 


Network modes 

After selecting this option, the following list is displayed for entering ports: 

• Port Redirects — List of ports that are involved in the redirection using the Layer 2 method 

The following table describes the list entries. For information on maintaining a list of this type, 

see Inline lists. 

Table 3-2 Port Redirects list 


Original destination 

port 

Port that the data packets belonging to a client request were originally directed to 

Destination proxy 

port 

Port that data packets are redirected to 

Comment Plain-text comment on the port 

Advanced Outgoing Connection Settings 

Settings specifying methods for handling information contained in client requests sent to web servers 

that are requirements for the network environment of the appliance 

IP spoofing (HTTP, HTTPS, FTP) — When selected, the appliance keeps the client IP address that is 

contained in a client request as the source address and uses it in communication with the requested 

web server under various protocols 

When WCCP services are used for intercepting web traffic and directing it to the appliance, you need to 

configure two services for each port on the appliance that listens to client requests: one for the 

requests that come in from the clients, and one for responses to these requests that are sent by the 

web servers. 

When this option is not selected, the appliance chooses a source port and uses it in this communication. 

• IP spoofing for explicit proxy connections — When selected, client addresses are kept in explicit 

proxy communication, in which web traffic is not intercepted by an additional device 

• Use same source port as client for IP spoofing — When selected, client source ports are kept 

and used in addition to client source addresses for communication with web servers 

When this option is not selected, the appliance chooses a random source port and uses it in this 

communication. 

HTTP(S): Host header has priority over original destination address (transparent proxy) — 

When selected, the appliance uses the destination address that is included in the host header of a client 

request under the HTTP or HTTPS protocol for communication with the requested web server 

For more information on the WCCP services needed to perform IP spoofing, see WCCP service settings 

for IP spoofing. 




WCCP service settings for IP spoofing 

You can use IP spoofing in a configuration with WCCP services that intercept web traffic and direct it to 

the appliance. In this case, you need to configure two services for all ports on the appliance that listen 

to client requests. 

One of these services is for the requests that come in from the clients and another one for responses to 

these requests that are sent by the web servers. 

The table below shows sample parameters for two services. 

Table 3-3 WCCP services for IP spoofing 

Option Service for incoming requests Service for web server responses 

Service ID 51 52 

WCCP router 

definition 

10.150.107.254 10.150.107.254 

Ports to be redirected 80, 443 80, 443 

Ports to be redirected 

are source ports 

false true 

Proxy listener IP 

address 

10.150.107.251 10.150.107.251 

Proxy listener port 9090 9090 

MD5 authentication 

key 

�� 

Input for load 

This main item does not appear in the settings list, but is visible in the Add and Edit 

distribution 

windows. The following four elements are related to it 

Source IP false false 

Destination IP true true 

Source port false false 

Destination port false false 

Assignment method This main item does not appear in the settings list, but is visible in the Add and Edit 

windows. The Assignment by mask and Assignment by hash elements are related to 

it. 

Assignment by mask true true 

Assignment by hash false false 

Assignment weight 100 100 

Forwarding method This main item does not appear in the settings list, but is visible in the Add and Edit 

windows. The GRE-encapsulated and L2-rewrite to local NIC elements are related to 

it. 

GRE-encapsulated false false 

L2-rewrite to local 

NIC 

true true 

L2-redirect target eth1 eth1 

Magic (Mask 

assignment) 

Comment 

-1 -1 


3 


Network modes 

Proxy HA 

Settings for the appliance when running as a proxy in a high-availability configuration 

Port Redirects — List of ports that requests sent by users are redirected to 

The following table describes the list entries. For information on maintaining a list of this type, see 

Inline lists. 



Protocol name Name of the protocol used for data packets coming in when a user sends a request 


ports 

Ports that redirected data packets were originally sent to 


port 

Port that data packets sent to the above ports originally are redirected to 


Director priority — Priority (ranging from 0 to 99) an appliance takes in directing data packets 

The highest value prevails. 0 means the appliance never directs data packets, but only filters them. 

In a high-availability configuration, two appliances are typically configured as director nodes with a 

priority higher than zero to direct data packets, providing fail-over functions for each other. The 

remaining nodes are configured with zero priority (also known as scanning nodes). 

The priority value is set on a slider scale. 

Management IP — Source IP address of the appliance that directs data packets when sending 

heartbeat messages to other appliances 

Virtual IPs — List of virtual IP addresses 


Inline lists. 

F 

Table 3-5 Virtual IPs list 


Virtual IP address Virtual IP address (in CIDR notation) 

Network interface Network interface on the appliance that data packets with the virtual IP address are routed 

through 

Comment Plain-text comment on the virtual IP address 

Virtual router ID — ID of a virtual router 

VRRP interface — Network interface on the appliance for sending and receiving heartbeat messages 

Configure the appliance as a proxy on a client 

This section tells you how to configure the appliance as a proxy on each of its clients, so that they direct 

their web traffic to it. You need to do this when running the appliance in explicit proxy mode. 

1 From the menu system of the client browser, select the Network/Connection tab. 

2 On this tab, add an HTTP, HTTPS, or FTP proxy, according to the protocol you want to use for 

communication between the client and the appliance. 

3 Configure an IP address and port number for connecting to the appliance. Use the values 

configured during the initial setup of the appliance. 

Note: If you use the Microsoft Internet Explorer on your clients and a Windows Active Directory to administer 

them, you can configure the appliance as a proxy on all your clients in a single procedure. 


Transparent bridge mode 



This section explains the transparent bridge mode and tells you how to configure it on the appliance. 

In this mode, the clients of the appliance are unaware that they are connected to it. They need not be 

configured to direct their web traffic to the appliance. The appliance is placed between a firewall and a 

router, where it serves as an (invisible) bridge. 

The following diagram shows a configuration in transparent bridge mode: 

Figure 3-2 Transparent bridge mode 

Configure the transparent bridge mode 

This section tells you how to configure the transparent bridge mode for the appliance. 


2 On the appliances tree, go to the appliance you want to configure the transparent bridge mode for 

and select Proxies (HTTP(S), FTP, ICAP, and IM). 

3 Under Network Setup, select Transparent Bridge. 

Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup 

settings. 

4 Configure specific and common settings for this mode as needed. 


For more information, see Transparent Bridge settings and Common proxy settings. 

For a sample configuration, see Sample configuration – Director and scanning nodes in transparent 

bridge mode. 


3 


Network modes 

Transparent Bridge settings 

Settings for the appliance when running in transparent bridge mode 



Inline lists. 





ports 



port 




The highest value prevails. 0 means an appliance never directs data packets, but only filters them. 

The value for this priority is set on a slider scale. 

Management IP — Source IP address of the appliance that directs data packets when sending 

heartbeat messages to other appliances 

IP spoofing (HTTP, HTTPS) — When selected, the appliance keeps the client IP address that is 



The appliance does not verify whether this address matches the host name of the request. 

IP spoofing (FTP) — When selected, the appliance communicates with a web server under the FTP 

protocol in the same way as under the HTTP or HTTPS protocol to perform IP spoofing 

Note: For active FTP, this option must be enabled. 




Sample configuration – Director and scanning nodes in transparent bridge mode 

This section describes a procedure for setting up two appliances in transparent bridge mode. 

One of them is configured as a director node that directs data packets, the other as a scanning node 

that only filters data packets, but does not direct them. 

Set up a director node 

To configure an appliance as a director node in transparent bridge mode, you need to enable this mode 

and configure at least one network interface for the transparent bridge functions. The director role is 

configured by giving the node an appropriate priority value. 

Complete the following procedure to set up a director node: 

1 Go to Configuration | Appliance. 

2 On the appliances tree, go to the appliance you want to set up as a director node and select Network. 

3 Select a still unused network interface of the appliance to use it as an interface of the transparent 

bridge. However, do not enable it yet. 

4 On the Advanced tab, select Bridge enabled for this interface. 

5 In the Name field, type ibr0 as the name of the interface. 

6 On the IPv4 tab, under IP Settings, select Disable IPv4. 

7 Click Save Changes. You are logged out and logged on to the appliance again. 

8 Go to Configuration | Appliances and select Network again. An additional network interface 

named ibr0 is now available. Select this interface. 

9 On the IPv4 tab, configure an IP address, a subnet mask, and a default route for ibr0. Then select 

the checkbox next to ibr0 to enable this interface. 

10 Select the interface that is currently used to access the appliance to assign it to ibr0. 

11 On the Advanced tab, select Bridge enabled. 

12 In the Name field, type ibr0 as the name of the interface. 

13 On the IPv4 tab, under IP Settings, select Disable IPv4. 

14 Enable the network interface you assigned to ibr0 in step 3. 

15 Select Central Management. 

16 In the Central Management Settings section, add the IP address you configured for ibr0 to the 

list provided under IP address for Central Management communication. 

17 Select Proxies (HTTP(S), FTP, ICAP, and IM). 



settings. 

19 Set Director priority to a value > 0. 

20 Configure proxy ports and port redirects for HTTP and FTP as needed. 

21 Configure also IP spoofing as needed. 

22 In the Management IP field, type the IP address you configured for ibr0. 


If you are going to configure another appliance as a director node, be sure to configure the same proxy 

ports and port redirects as for the initial director node and to add the port redirects in the same order 

as for that node. 


3 


Network modes 

Set up a scanning node 

To configure an appliance as a scanning node in transparent bridge mode, you need to enable this 

mode and configure an IP address that allows the node to access the network interface of the director 

node. The scanning role is configured by giving the node 0 as a priority value. 

Complete the following procedure to set up a scanning node: 

1 Go to Configuration | Appliance. 

2 On the appliances tree, go to the appliance you want to set up as a scanning node and select Proxies 




settings. 

4 Set Director priority to 0. 

5 Configure the same HTTP and FTP proxy ports and port redirects as for the director node. 

6 Configure also IP spoofing in the same way as for the director node. 



Transparent router mode 



This section explains the transparent router mode and tells you how to configure it on the appliance. 

This is also a transparent mode, so the clients are unware of the appliance and need not be configured 

to direct their web traffic to it. 

The appliance is placed as a router immediately behind a firewall. It can use a switch for connecting to 

its clients. A routing table is used to direct the traffic. 

The following diagram shows a configuration in transparent router mode: 

Figure 3-3 Transparent router mode 

Configure the transparent router mode 

This section tells you how to configure the transparent router mode for the appliance. 




3 Under Network Setup, select Transparent Router. 

Note: After selecting this option, specific Transparent Router settings appear below the Network Setup 

settings. 

4 Configure specific and common settings for this mode as needed. 


For more information, see Transparent Router settings and Common proxy settings. 

For a sample configuration, see Sample configuration – Director and scanning nodes in transparent 

router mode. 


3 


Network modes 

Transparent Router settings 

Settings for the appliance when running in transparent router mode 



Inline lists. 





ports 



port 




The highest value prevails. 0 means an appliance never directs data packets, but only filters them. 

The value is set on a slider scale. 

Management IP — Source IP address of the appliance that directs data packets in a given 

high-availaibility configuration when sending heartbeat messages to other appliances 

Virtual IPs — List of virtual IP addresses 


Inline lists. 

Table 3-8 Virtual IPs list 


Virtual IP address Virtual IP address (in CIDR notation) 

Network interface Network interface on the appliance used for heartbeats under VRRP (Virtual Router 

Redundancy Protocol) 

Comment Plain-text comment on the virtual IP address 

Virtual router ID — ID of a virtual router 

VRRP interface — Network interface on the appliance for sending and receiving heartbeat messages 

IP spoofing (HTTP, HTTPS) — When selected, the appliance keeps the client IP address that is 



The appliance does not verify whether this address matches the host name of the request.. 

IP spoofing (FTP) — When selected, the appliance communicates with a web server under the FTP 

protocol in the same way as under the HTTP or HTTPS protocol to perform IP spoofing. 

Note: For active FTP, this option must be enabled. 




Sample configuration – Director and scanning nodes in transparent router mode 

This section describes a procedure for setting up two appliances in transparent router mode. 

One of them is configured as a director node that directs data packets, the other as a scanning node 

that only filters data packets, but does not direct them. 

Set up a director node 

To configure an appliance as a director node in transparent router mode, you need to enable this mode 

and configure network interfaces for inbound and outbound web traffic. The director role is configured 

by giving the node an appropriate priority value. 

Complete the following procedure to set up a director node: 


2 On the appliances tree, go to the appliance you want to set up as a director node and select Network. 

3 Configure network interfaces as is suitable for your network. You need at least one interface for 

inbound and one for outbound web traffic. 



6 On the appliances tree, go to the appliance you are setting up as a director node and select Proxies 



Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup 

settings. 

8 Set Director priority to a value > 0. 

9 Configure proxy ports and port redirects for HTTP and FTP as needed. 

10 Configure virtual IP addresses for the inbound and outbound network interfaces, using free IP 

addresses for this purpose. 

11 In the Management IP field, type an IP address for reaching the scanning node. 

12 Leave the number under Virtual router ID as it is. 

13 From the VRRP interface list, select the interfaces for heartbeats under this protocol. 

14 Configure IP spoofing as needed. 


16 Configure the clients of your network to let them direct their web traffic to the virtual IP addresses 

you configured for the inbound network interfaces. 

If you are going to configure another appliance as a director node, be sure to configure the same virtual 

IP addresses as for the initial director node. The proxy ports and port redirects and the order of the port 

redirects must also be the same as for that node. 


3 


Network modes 

Set up a scanning node 

To configure an appliance as a scanning node in transparent router mode, you need to enable this 

mode and configure at least one network interface for outbound web traffic. The scanning role is 

configured by assigning the node 0 as its priority value. 

Complete the following procedure to set up a scanning node: 


2 On the appliances tree, go to the appliance you want to set up as a scanning node and select 

Network. 

3 Configure network interfaces as is suitable for your network. You need at least one interface for 

outbound web traffic. 



6 On the appliances tree, go to the appliance you want to set up as a scanning node and select Proxies 



Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup 

settings. 

8 Set Director priority to 0. 

9 Configure the same HTTP and FTP proxy ports and port redirects as for the director node. 

10 Configure also IP spoofing in the same way as for the director node. 





Common proxy settings 3 

You can configure settings for the proxy functions of the appliance and use them in all network modes. 

This section describes these settings and the procedure for configuring them. 

Configure common proxy settings 

This section tells you how configure the proxy settings of the appliance that are common to all network 

modes. 




3 Configure these settings as needed. 

• Network Setup — Settings for selecting a network mode 

• HTTP Proxy, FTP Proxy (and other settings) — Settings for the network protocols 

• Web Cache — Setting for enabling or disabling the web cache 

• Timeouts for HTTP(S), FTP, ICAP — Settings for timeouts applying to some protocols 

• Advanced Settings — Settings for advanced proxy functions 


For more information on these settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system settings. 

Proxies (HTTP(S), FTP, ICAP, and IM) system settings 

This section describes the Proxies (HTTP(S), FTP, ICAP, and IM) system settings. You can configure 

these settings to modify the proxy functions of the appliance. 

Note: These settings are configured on the Appliances tab of the Configuration top-level menu. 

Network Setup 

Settings for selecting a network mode 

Proxy (optional WCCP) — When selected, the explicit proxy mode proper is used and WCCP services 

can redirect web traffic to the appliance 

Proxy HA — When selected, the explicit proxy mode with high-availability features is used 

Transparent router — When selected, the transparent router mode is used 

Transparent bridge — When selected, the transparent bridge mode is used 

In addition to the settings that are common to all these modes, specific settings exist for each of them, 

except for the explicit proxy mode proper. 

For more information, see Transparent Proxy, WCCP service settings for IP spoofing, Transparent 

Bridge settings and Transparent Router settings. 


3 



HTTP Proxy 

Settings for the appliance when running as a proxy under HTTP 

This protocol is used for transferring web pages and other data (providing SSL-encryption for enhanced 

security). 

Enable HTTP proxy — When selected, the appliance runs as a proxy under the HTTP protocol 

HTTP Port Definition list — List of ports on the appliance that listen to client requests 


Inline lists. 

Table 3-9 HTTP Port Definition list 


Listener address Local IP address of the appliance running as an HTTP proxy and port for listening to client 

requests 

Serve transparent When selected, the HTTP proxy processes also client requests sent in transparent mode 

requests 

Ports treated as SSL Ports on destination servers indicating to the HTTP proxy that requests with these numbers 

are SSL-secured 

Note: It can be necessary to specify these numbers when the appliance processes 

requests in transparent mode since there is then no CONNECT header to indicate a request 

is SSL-secured. 

Transparent common 

name handling for 

proxy requests 

McAfee Web Gateway 

uses passive FTP over 

HTTP connections 

Anonymous login for FTP over HTTP — User name for logging on as an anonymous user when 

requests are transmitted to an FTP server by the appliance running as an HTTP proxy 

Password for anonymous login for FTP over HTTP — Password for the above user name 


When selected, the HTTP proxy does not use the destination IP address of a request to 

create a common name for the certificate it issues 

Instead, it copies the common name of the certificate that the destination server delivered. 

This might cause a problem if there is a common name mismatch in this certificate. 

When selected, the HTTP proxy uses connections in passive mode for transmitting requests 

to an FTP server 

Note: The passive mode might be required for the data connection (used under FTP in 

addition to the control connection). In some cases, an FTP server is not allowed to use the 

data connection in active mode, for example, when a firewall rule enforces this in a 

company network. 

Comment Plain-text comment on the HTTP proxy port



FTP Proxy 

Settings for the appliance running as a proxy under FTP 

This protocol is used for transferring files, using separate connections for control functions and data 

transfer. 

Enable FTP proxy — When selected, the appliance runs as a proxy under the FTP protocol 

FTP Port Definition list — List of ports on the appliance that listen to client requests 


Inline lists. 

Table 3-10 FTP Port Definition List 


Listener address Local IP address of the appliance running as an FTP proxy and port for listening to client 

requests 

Data port Port number sent with the source IP address of the FTP proxy when it opens a data 

connection to a client 

Port range for client Range of numbers for the ports on the FTP proxy that listen to client requests 

listener 

Port range for server Range of numbers for the ports on the FTP proxy that listen to responses from web servers 

listener 

Allow clients to use 

passive FTP 

connections 


uses passive FTP 

connections 

When selected, clients can send requests to the FTP proxy in passive mode, which is an 

option of the FTP protocol 

Note: The passive mode can be required for the data connection (used under FTP in 

addition to the control connection). In some cases, FTP clients are not allowed to use the 

data connection in active mode, for example, when a firewall rule has been implemented 

in a company network to enforce this. 

When selected, the FTP proxy uses connections in passive mode for transmitting requests 

to an FTP server 

Note: The passive mode can be required for the data connection (used under FTP in 

addition to the control connection). In some cases, the FTP server is not allowed to use the 

data connection in active mode, for example, when a firewall rule has been implemented 

in a company network to enforce this. 

Comment Plain-text comment on the FTP proxy port 


3 



ICAP Server 

Settings for the appliance when running as an ICAP server that modifies requests and responses in 

communication with ICAP clients 

Enable ICAP server — When selected, the appliance takes the role of an ICAP server 

ICAP Port Definition list — List of ports on the appliance that listen to requests from ICAP clients 


Inline lists. 

Table 3-11 ICAP Port Definition list 


Listener address Local IP address of the appliance running as an ICAP server and port for requests from ICAP 

clients 

Send early 204 

responses 

Wait for complete 

ICAP request 

Maximal concurrent 

REQMOD connections 

Maximal concurrent 

RESPMOD 

connections 

Web Cache (setting) 

Setting for enabling the appliance web cache 

Enable cache — When selected, the web cache is enabled 

You can then use by an appropriate rule set to control reading from and writing to the cache. 

For more information, see Web caching. 


When selected, the appliance sends 204 responses early to clients before a request is fully 

transferred 

Note: Some clients do not support early 204 responses. 

(The main item does not appear in the table, but is visible in the Add and Edit windows. The 

following four elements in the table are related to it, specifying when the ICAP server should 

wait until a request is complete.) 

Waiting for the complete request can be necessary when clients are not capable of receiving 

parts of the filtered data in response while other parts of the request are still being sent to 

the server. The normal behavior for the ICAP server is to try to filter and send back data 

chunk by chunk to reduce latency time. 

• Never — When selected, the ICAP server never waits 

• Only for REQMOD requests — When selected, the ICAP server waits if the mode for 

modifying requests is used 

• Only for REQMOD requests — When selected, the ICAP server waits if the mode for 

modifying requests is used 

• Always — When selected, the ICAP server always waits 

Maximum number of connections the ICAP server can use simultaneously when modifying 

requests 

Maximum number of connections the ICAP server can use simultaneously when modifying 

responses 

Preview size Size (in bytes) of the portion of a request sent by a client to the ICAP server at the beginning 

of the communication 

The server asks for more data or lets the rest of the data pass through unmodified. 

Comment Plain-text comment on the ICAP server port



Timeouts for HTTP(S), FTP, ICAP 

Settings for timeouts on connections under the HTTP(S), FTP, and ICAP protocols 

Initial connection timeout — Time (in seconds) to elapse before a newly opened connection is 

closed if no request is received 

Connection timeout — Time (in seconds) to elapse before a connection is closed if a client or server 

remains inactive during an uncompleted request communication 

Client connection timeout — Time (in seconds) to elapse before a connection from the appliance 

running as a proxy to a client is closed between one request and the next 

Maximum idle time for unused HTTP server connections — Time (in seconds) to elapse before a 

connection from the appliance running as a proxy to a server is closed between one request and the 

next 

DNS settings 

Settings for communication with a domain name server 

IP protocol version preference — Information on the version of the IP protocol that is used for the 

communication 

• (Version options:) 

• Same as incoming connection — When selected, the protocol version is used that is already in 

use on the incoming connection 

• IP4 — When selected, version 4 of the IP protocol is used 

• IP6 — When selected, version 6 of the IP protocol is used 

• Use other protocol version as fallback — When selected, the other protocol version is used if one 

of the two versions is not available 

Minimal TTL for DNS cache — Minimum time (in seconds) to elapse before data stored in the cache 

is deleted 

Maximal TTL for DNS cache — Maximum time (in seconds) to elapse before data stored in the cache 

is deleted 

Yahoo 

Settings for instant messaging under the Yahoo! ® 

protocol 

Enable Yahoo proxy — When selected, the appliance runs as a proxy for instant messaging under the 

Yahoo protocol 

Listener address — IP address of the proxy and number of the port for listening to client requests 

Support file transfer over 0.0.0.0:80 — When selected, requests for file transfers can use this IP 

address and port 

Login server — Host name and port number of the server that users log on to before sending requests 

Relay server (Japan)— Host name and port number of the server used as a relay station when 

transferring files 

Yahoo client connection timeout — Time (in seconds) to elapse before an inactive connection from 

the appliance running as a proxy to a client is closed 

Yahoo server connection timeout — Time (in seconds) to elapse before an inactive connection from 

the appliance running as a proxy to a server is closed 


3 



ICQ 

Settings for instant messaging under the OSCAR (Open System for Communication in Real Time) 

protocol 

Enable ICQ proxy — When selected, the appliance runs as a proxy for instant messaging under 

OSCAR 

Login and file transfer proxy port — IP address of the appliance running as a proxy and number of 

the port for handling logon and file transfer 

• Enable additional file transfer proxy port — When selected, the an additional port can be used 

for handling file transfers 

• Additional file transfer proxy port — Additional IP address and port number for handling file 

transfers 

BOS listener port — IP address of the proxy and number of the port for listening to BOS (Basic 

OSCAR Service) requests, which include chat messages, as opposed to, for example, file transfers 

ICQ login server — Host name and port number of the server that users log on to before sending 

requests 

ICQ service request server — Host name and port number of the server that handles requests 

ICQ file transfer proxy — Host name and port number of the server that handles file transfers 

ICQ client connection timeout — Time (in seconds) to elapse before an inactive connection from the 

appliance running as a proxy to a client is closed 

ICQ server connection timeout — Time (in seconds) to elapse before an inactive connection from 

the appliance running as a proxy to a server is closed 

Windows Live Messenger 

Settings for instant messaging under the Windows Live Messenger protocol 

Enable Windows Live Messenger proxy — When selected, the appliance runs as a proxy for instant 

messaging under Windows Live Messenger 

Windows Live Messenger NS proxy listener 1 — IP address of the appliance running as a proxy 

and number of the first port that listens to client requests 

Windows Live Messenger NS proxy listener 2 — IP address of the appliance running as a proxy 

and number of the second port that listens to client requests 

Windows Live Messenger SB proxy port — IP address of the appliance running as a proxy and 

number of the port that listens to client requests sent in SB (Switchboard) mode 

Windows Live Messenger client connection timeout — Time (in seconds) to elapse before an 

inactive connection from the appliance running as a proxy to a client is closed 

Windows Live Messenger server connection timeout — Time (in seconds) to elapse before an 

inactive connection from the appliance running as a proxy to a server is closed 




Advanced Settings 

Settings for advanced proxy functions 

Maximal number of client connections — Maximum number of connections from the appliance 

running as a proxy to its clients 

Specifying 0 means no maximum number is configured. 

Number of working threads — Number of threads used when the appliance is running as a proxy for 

filtering and transmitting web objects 

Number of threads for AV scanning — Number of threads used when the appliance is running as a 

proxy to scan web objects for infections by viruses and other malware 

Use TCP no delay — When selected, delays on a proxy connection are avoided by not using the Nagle 

algorithm to assemble data packets 

This algorithm enforces that packets are not sent before a certain amount of data has been collected. 

Maximal TTL for DNS cache in seconds — Maximum time (in seconds) for storing host name 

information in the DNS cache 

Timeout for errors for long running connections in minutes — Time (in minutes) to elapse 

before a long running connection that is inactive due to an error is closed 

Check interval for long running connections — Time (in minutes) to elapse between check 

messages sent on long running connections 

Internal path ID — ID of the path the appliance uses to forward internal requests (not requests 

received from clients), for example, requests for style sheets to display error messages 

Bypass RESPmod for responses that must not contain a body — When selected, responses sent 

in communication under the ICAP protocol are not modified according to the RESPMOD mode if they do 

not include a body 

Call log handler for progress page updates and objects embedded in error templates — 

When selected, the rules in the log handler rule set that is implemented on the appliance are processed 

to deal with the specified updates and objects 

Allow connections to use local ports using proxy — When selected, local ports can be used for 

requests on the appliance that is running as a proxy 

HTTP(S): Remove all hop-by-hop headers — When selected, hop-by-hop headers are removed 

from requests received on the appliance that is running as an HTTP or HTTPs proxy 

HTTP(S): Inspect via headers to detect proxy loops — When selected, via headers in requests 

received on the appliance that is running as an HTTP or HTTPS proxy are inspected to detect loops 

HTTP(S): Host from absolute URL has priority over host header — When selected, the host 

names corresponding to absolute URLs in requests received on the appliance that is running as an HTTP 

or HTTPS proxy are preferred to the host names contained in the request headers 

Proxy-Generated Error Messages 

Settings for a template used to send messages about proxy errors to users 

Language — Settings for selecting the language of a user message 

• Auto (Browser) — When selected, the message is in the language of the browser request that 

caused a proxy error was sent from 

• Force to — When selected, the message is in the language chosen from the list provided here 

Collection — List for selecting a template collection 

• Add — Opens the Add Template Collection window for adding a template collection 

• Edit — Opens the Template Editor for editing a template collection 


3 




You can use a reverse HTTPS proxy configuration to prevent clients from uploading unwanted data, 

such as malware or particular media types, to particular web servers under the HTTPS protocol. This 

section explains such a configuration and tells you how to set it up. 

In a reverse HTTPS proxy configuration, HTTPS traffic is redirected to the appliance, which serves as a 

proxy that inspects the traffic and eventually forwards or blocks it, according to the rules that are 

implemented. 

You can configure this in the following ways: 

• A transparent bridge or router configuration 

• A DNS configuration that points directly to the appliance when access to a particular web server is 

requested 

Note: The redirection to the appliance can also be achieved by configuring proxy-aware connections relying 

on the use of CONNECT headers. 

However, this method would require an additional network device to assemble these headers for incoming 

requests, so it is not recommended and further explained here. 

In addition to configuring your network in one of these ways, you need to configure the handling of SSL 

certificates. Optionally, you can configure some additional settings that are not SSL-related to ensure a 

smooth operation of the reverse HTTPS proxy configuration. 

Redirect HTTPS traffic in a transparent bridge or router configuration 

In a transparent bridge or router configuration, you can use a port redirect rule to direct HTTPS traffic 

to the proxy port on the appliance. 

Note: The term port forwarding rule is also used for a port redirect rule. 

Furthermore, you need to ensure that the redirected requests are treated as SSL-secured 



2 On the appliances tree, go to the appliance you want to redirect traffic to and select Proxies 


3 In the Network Setup section, select Transparent bridge (or Transparent router). The section 

with the transparent bridge (or router) settings appears. 

4 Under Port redirects, click Add. The Add Port Redirects window opens. 

5 Configure the following for the new port redirect rule: 

• Protocol name — http 

Note: This setting covers connections under both the HTTP and HTTPS protocols. 

• Original destination ports — 443 

Note: If the web servers that are the destinations for requests can be reached under the HTTP protocol 

as well, you can add port 80 here (separated by a comma). This type of traffic is then also directed to 


• Destination proxy port — 9090 

Note: This is by default the proxy port on the appliance. 

6 Click OK. The window closes and the new port redirect rule is added to the list. 

7 Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add. The Add HTTP 

Proxy Port window opens. 


8 Make sure the following is configured: 

• Serve transparent SSL connections — Selected 

• Ports treated as SSL — 443 


Reverse HTTPS proxy configuration 3 

9 Leave the other settings at their default values and click OK. The window closes and an appropriately 

configured HTTP proxy port is added to the list. 


For more information on setting up a transparent bridge or router configuration, see Transparent bridge 

mode and Transparent router mode. 

Let the appliance listen to requests redirected by DNS entries 

When web server requests under the HTTPS protocol are redirected to the appliance according to DNS 

entries, you can configure the appliance as a proxy that listens directly on the appropriate port. You 

also need to ensure that only SSL-secured connections are served. 

Note: A port redirect rule cannot be applied here since its purpose would be forwarding requests for other 

destinations to the appliance. However, due to the DNS entries, the appliance is already the destination. 

Before you begin to configure the appliance in this way, make sure of the following: 

• The host names of the web servers are not resolved to the appliance when the appliance does a DNS 

lookup. 

You can achieve this by entering the IP adresses of the web servers into the /etc/hosts file on the 

appliance or by using an appropriately configured internal DNS server. 

• A rule set that handles content inspection is implemented on the appliance and enabled. 

This rule set is typically provided as part of an overall SSL Scanner rule set under the default rule 

set system, as well as in the rule set library. 

To let the appliance listen to the redirected requests: 


2 On the appliances tree, go to the appliance that should listen to requests and select Proxies 


3 Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add. The Add HTTP 

Proxy Port window opens. 

4 Configure the following settings: 

• Listener address — 0.0.0.0:443 

This setting lets the appliance listen to requests for any web servers, regardless of their IP 

addresses. You can also specify a particular IP address here and restrict the appliance to 

listening for requests to the server in question. 

If you are running several network interface cards on your appliance, you can specify IP 

addresses (separated by commas) for as many web servers as there are network interface 

cards. 

• Serve transparent SSL connections — Selected 

• Ports treated as SSL — * 

5 Leave the other settings at their default values and click OK. The window closes and an appropriately 

configured HTTP proxy port is added to the list. 

Note: If a web server should also be accessible under the HTTP protocol, you need to add another HTTP 

proxy port with listener address 0.0.0.0:80 or the address of a particular web server. 



3 



Handling SSL certificates in a reverse HTTPS proxy configuration 

For conducting SSL-secured communication with a client in a reverse HTTPS proxy configuration, the 

appliance sends the original SSL certificate of the web server that the client requested. To enable the 

appliance to send this certificate, you need to import it from the web server and add it to the appliance 


SSL-secured communication in a reverse HTTPS proxy configuration 

In a reverse HTTPS proxy configuration, the appliance communicates in SSL-secured mode with its 

clients. The SSL certificate that the appliance sends to the clients during the SSL handshake cannot be 

issued, however, by its SSL Scanner module. Therefore, the appliance uses the original certificates of 

the web servers that the clients of your network request access to. 

A reverse HTTPS proxy configuration is usually set up to protect only a limited number of particular web 

servers against the upload of unwanted data by clients. You need to import certificates for these 

servers and add them to the appliance configuration. 

You can import the web server certificates when configuring the Enable Client Context without CA 

settings, which are part of the SSL Scanner settings. To find out which certificate should be sent in a 

given situation, the appliance scans the list of imported certificates. On this list, certificates are mapped 

to the host names of the web servers they belong to. The appliance will send the certificate that is 

mapped to the name of the host that a client requested access to. 

In an explicit proxy setup, this host name would be transmitted in the header of the CONNECT request. 

In a transparent setup, the appliance uses the following methods to detect the appropriate host names: 

• If the client sends an SNI extension, the host name can be found in a way that is similar to detecting 

it in an explicit proxy configuration. 

• If client requests are redirected to the appliance through DNS entries, the host name is known by the 

IP address that you specified when configuring redirection. 

In this case, you also need to configure a rule set with rules that set the URL.Host property to the 

appropriate value for every IP address the appliance has been configured to listen to. This is to let 

the appliance know where to forward a request to when it has been filtered and allowed. 

• If the transparent setup does not use redirection by DNS entries, the appliance will send a handshake 

message to the web server that a client requested, extract the common name from the certificate it 

receives from the web server, and use this common name to detect the appropriate host name. 

This method requires that the appliance and the web server communicate in SSL-secured mode, 

too. You can configure a setting on the appliance to ensure this mode is used. 




Configure SSL certificate handling in a reverse HTTPS proxy configuration 

When the appliance sends SSL certificates to its clients in a reverse HTTPS proxy configuration, they 

must be the original certificates of the web servers that the clients request access to. You need to 

import these certificates to the appliance to make them available there. 

1 Go to Policies | Settings. 

2 On the Engines branch of the settings tree, select Enable SSL Client Context without CA. 

3 Click Add above the settings tree. The Add Settings window opens. 

4 In the Name field, enter a name for the settings you want to add, for example, Imported web server 

certificates. 

5 In the Define SSL Client Context (Without Certificate Authority) section, click Add under 

Select server certificate by host or IP. The Add Host to Certificate Mapping window opens. 

6 Under Define Mapping, configure settings that map the host name of a web server to its certificate. 

Then click OK. The window closes and the new mapping settings are added to the list. 

Note: Repeat this step to add mapping settings for multiple host names and certificates. 

7 [Optional] Do one of the following to configure the connection from the appliance to the web server: 

• If you do not want the server connection to be SSL-secured, select SSL-Scanner functionality 

applies only to client connection. 

Note: In this case, you also need to set up a rule that changes the network protocol from HTTPS to 

HTTP. 

• If you want the server connection to be SSL-secured, deselect SSL-Scanner functionality 

applies only to client connection. 


Create a rule set for setting the URL.Host property 

To create a rule set with rules that set the URL.Host property to the appropriate value for the IP 

addresses the appliance listens to, proceed as follows: 

1 Go to Policy | Rule Sets. 

2 On the rule sets tree, go to the position where you want to insert the rule set. 

3 Above the tree, click Add and select Rule Set. The Add New Rule Set window opens. 

4 Under Name, enter a suitable name for the new rule set, for example, Set URL.Host property 

according to particular IP addresses. 

5 Make sure Enable is selected. 

6 Under Applies to select Requests and IM. 

7 Under Apply this rule set, select Always. 

8 [Optional] Under Comment, type a plain-text comment on the rule set. 

Click OK. The window closes and the new rule set is inserted in the rule sets tree. 


3 



Create rules for setting the URL.Host property 

To create rules that set the URL.Host property to the appropriate value for the IP addresses the 

appliance listens to, proceed as follows: 


2 On the rule sets tree, select the rule set you have created for the new rules, for example, Set 

URL.Host property according to particular IP addresses. 

3 Click Add Rule. The Add Rule window opens. 

4 Under Name, enter a name for the new rule, for example, Set URL.Host property for IP address 

10.141.101.51. 

5 Under Rule Criteria, select If the following criteria is matched and click Add. The Add Criteria 

window opens. 

6 Configure the rule criteria as follows: 

• From the Property list, select URL.Destination.IP. 

• From the Operator list, select equals. 

• In the Value field under Parameter, type the IP address you want to match to a host name, for 

example, 10.141.101.51l. 

7 Click OK. The window closes and the new criteria appears under Rule Criteria. 

8 Under Action, select Continue and leave the default settings for this action. 

9 Under Events, click Add and then Set Property Value. The Add Set Property window opens. 

10 Set a property as follows: 

• Under Set this property, select URL.Host. 

• Under To concatenation of these strings, click Add. The Please enter a string window opens. 

• In the Value field, type the host name you want the IP address to match. 

11 Click OK. The window closes and the new event appears under Events. 

12 Click Finish. The Add Rule window closes and the new rule is inserted in the rule set you configured 

for it. 

13 [Optional] Repeat Steps 3 to 12 for every other rule you want to add. 





Optional settings for a reverse HTTPS proxy configuration 

In addition to configuring the network setup and the SSL certificate handling, you can complete some 

optional activities to ensure the smooth operation of a reverse HTTPS proxy configuration: 

• Deactivate proxy loop detection 

• Restrict access to appliance ports 

• Restrict access to web servers 

• Address multiple web servers 

Deactivate proxy loop detection 

The appliance can detect proxy loops by evaluating the Via header of a client request. It is 

recommended that you deactivate this detection process in a reverse HTTPS proxy configuration. 


2 On the appliances tree, go to the appliance you want to deactivate proxy loop detection for and select 

Proxies (HTTP(S), FTP, ICAP, and IM). 

3 In the Advanced Settings section, deselect HTTP(S): Inspect Via header to detect proxy 

loops. 


Restrict access to appliance ports 

In a reverse HTTPS proxy configuration, access should be restricted to the proxy ports of the appliance. 

You need to configure the user interface and file server settings accordingly. 


2 On the appliances tree, go to the appliance you want to restrict port access for and select User 

Interface. 

3 Under HTTP Connector Port, enter the appliance proxy port (default: 9090). 

4 Select File Server. 

5 Under HTTP Connector Port, enter the appliance proxy port (default: 9090). 


Restrict access to web servers 

The purpose of a reverse HTTPS proxy configuration is to protect a limited number of particular web 

servers against unwanted data uploads. For this configuration, you should therefore allow access to 

these servers only and block it for others. After access to others servers has been requested and 

blocked, it is also recommended that you let the appliance close these connections. 

To implement this you need to: 

• Create a list of the web servers you want to protect 

• Create a rule set for a blocking rule 

• Create a rule that blocks access to other web servers and closes connections to clients after blocking 

their requests 


3 



Create a list of web servers 

To create a list of the protected web servers in a reverse HTTPS proxy configuration: 

1 Go to Policy | Lists. 

2 Above the lists tree, click Add. The Add List window opens. 

3 Specify the following settings to create a new list: 

• Name — , for example, Protected web servers 

• [Optional] Comment — A plain-text comment on the new list 

• Type — Wildcard Expression 

4 Click OK. The window closes and the new list appears on the lists tree under Custom Lists | Wild Card 

Expression. 

5 To fill the list with entries for web servers, click Add above the settings pane (right side of the user 

interface). The Add Wildcard Expression window opens. 

Note: To add multiple entries at once, click Add Multiple. 

6 Enter one or more URLs for the web servers you want to address. Separate multiple entries by 

commas. 

7 Click OK. The window closes and your entries are added to the list. 


Create a rule set for a blocking rule 

To create a rule set for the rule thats blocks access to web servers in a reverse HTTPS proxy 

configuration: 


2 On the rule sets tree, go to the position where you want to insert the rule set. 

3 Above the tree, click Add and select Rule Set. The Add New Rule Set window opens. 

4 Under Name, enter a name for the new rule set, for example, Block web servers in a reverse 

HTTPS proxy configuration. 

5 Make sure Enable is selected. 

6 Under Applies to, select Requests and IM. 

7 Under Apply this rule set, select If the following criteria is matched, then click Add. The Add 

Criteria window opens. 

8 Configure the rule set criteria as follows: 

• From the Property list, select URL.Protocol. 

• From the Operator list, select equals. 

• Under Operand, type https. 

• [Optional] Under Comment, type a plain-text comment on the new rule set 

9 Click OK. The window closes and the new rule set is inserted in the rule sets tree. 




Create a rule to block access to web servers 

To create a rule for blocking access to web servers when these are not on the list of protected servers 

in a reverse HTTPS proxy configuration, proceed as follows: 


2 On the rule sets tree, select the rule set you have created for the new blocking rule, for example, 

Block web servers in a reverse HTTPS proxy configuration. 


4 Under Name, enter a name for the new rule, for example, Allow access only to protected web 

servers. 

5 Under Rule Criteria, select If the following criteria is matched and click Add. The Add Criteria 

window opens. 


• From the Property list, select URL.Host. 

• From the Operator list, select matches in list. 

• From the Value list under Parameter, select the web server list you configured, for example, 

Protected web servers. 


8 Under Action, select Block and leave the default settings for this action. 

9 Under Events, click Add and then Event. The Add Event window opens. 

10 Configure an event as follows: 

• From the Event list, select Enable Workaround. 

• From the Settings list, select Do not keep connection to client persistent. 


12 Click Finish. The Add Rule window closes and the new rule is inserted in the rule set you configured 

for it. 


Address multiple web servers 

The appliance can forward consecutive requests to different destinations to achieve load balancing and 

ensure redundancy. A rule that triggers the Enable Next Hop Proxy event is used to let the appliance 

behave in this way. 

To implement this, you need to: 

• Import the Next Hop Proxy rule set from the rule set library 

• Create a list of next hop proxies 

• Create a rule that triggers the Enable Next Hop proxy event when a web server from the list of 

protected servers is requested 

Note: You can use the list here that you created to restrict access to these servers. 

For more information, see the following subsections, as well as Import a rule set and Create a list of 

web servers. 


3 



Create a list of next hop proxies 

To create a list of the web servers that are addressed as next hop proxies when a suitable rule triggers 

the Enable Next Hop Proxy event, proceed as follows: 


2 Above the lists tree, click Add. The Add List window opens. 

3 Specify the following settings to create a new list: 

• Name — , for example, Protected web servers as next hop proxies 

• [Optional] Comment — A plain-text comment on the new list 

• Type — NextHopProxy 

4 Click OK. The window closes and the new list is inserted on the lists tree under Custom Lists | 

NextHopProxy. 

5 To fill the list with entries for web servers, click Add above the settings pane (right side of the user 

interface). The Add Wildcard Expression window opens. 

Note: To add multiple entries at once, click Add Multiple. 

6 Enter one or more URLs for the web servers you want to address. Separate multiple entries by 

commas. 

7 Click OK. The window closes and your entries are added to the list. 


Create next hop proxy settings 

To create a list of the web servers that are addressed as next hop proxies when a suitable rule triggers 

the Enable Next Hop Proxy event, proceed as follows: 

1 Go to Policy | Settings. 

2 On the Engines branch of the settings tree, go to Enable Next Hop Proxy and click Add. The Add 

Settings window opens. 

3 Specify the following to create new settings: 

• Name — , for example, Protected web servers 

• [Optional] Comment — A plain-text comment on the new settings 

• Under Next Hop Proxy Servers configure the following: 

• From the List of next hop proxy servers, select the next hop proxy list you created, for 

example, Protected web servers as next hop proxies. 

• Make sure Round Robin is selected. 

• Deselect Proxy style requests. 

4 Click OK. The window closes and the new settings appear on the settings tree under Custom Lists | 

NextHopProxy. 





Create a rule for the Enable Next Hop proxy event 

To create a rule that triggers the Enable Next Hop proxy event when a server from the list of protected 

web servers is requested, proceed as follows: 


2 On the rule sets tree, select the Next Hop Proxy rule set. The rules within this rule set appear on 

the settings pane. 


4 Under Name, enter a name for the new rule, for example, Address protected web servers as next 

hop proxies. 

5 Under Rule Criteria, select If the following criteria is matched, then click Add. The Add Criteria 

window opens. 


• From the Property list, select URL.Host. 

• From the Operator list, select does not match in list. 

• From the Value list under Parameter, select the web server list you configured, for example, 

Protected web servers. 


8 Under Action, leave Continue (default). 

9 Under Events, click Add and then Event. The Add Event window opens. 

10 Configure an event as follows: 

• From the Event list, select Enable Next Hop Proxy. 

• From the Settings list, select the settings you configured, for example, Protected web servers. 


12 Click Finish. The Add Rule window closes and the new rule is added to the rules of the Next Hop Proxy 

rule set. 



3 




You can provide one or more proxy auto-configuration (PAC) files on the appliance. Web browsers on 

the clients can use them to find proxies that enable them to access particular web pages. This section 

tells you how to make these files available to the client browsers. 

A proxy auto-configuration file usually has .pac as its file name extension. There can be several of them 

on the appliance, for example, a proxy.pac and a webgateway.pac. 

When a proxy auto-configuration file follows the WPAD (Web Proxy Auto-Discovery) protocol, it must 

have wpad.dat as its file name. Therefore, it can exist on the appliance only once. 

Make a .pac file available 

To make a .pac file available to a browser on a client: 

1 Store the .pac file in the /opt/mwg/files folder on your appliance. 

2 Start the browser and go to the network configuration settings. For example, on a Mozilla Firefox 

browser, version 3.6, you can find these settings under Edit | Preferences | Advanced | Network. 

3 In the Connection section, click Settings. 

4 Select Automatic proxy configuration URL, then enter the path and file name for the .pac file, for 

example, http://mwgappl.webwasher.com:4711/files/proxy.pac. 

Note: If you want the clients to use a dedicated port for downloading the file, you must first configure this 

port. If no dedicated port is used, clients are directed to the HTTP port for the user interface (default: 

4711, as specified above). 

5 Click OK. 

For more information on configuring a dedicated download port, see File Server system settings. 

Make a wpad.dat file available 

When a wpad.dat file is made available to a browser on a client, the browser uses auto-detection to find 

the host where it is stored. A port forwarding rule enables the browser to go to the appropriate port on 

this host to download the file. 

Before you configure this feature, make sure of the following: 

• The wpad.dat file is stored in the /opt/mwg/files folder on your appliance. 

• The following has been entered as a DNS host or alias name for the appliance: wpad., for example, wpad.domain.com or wpad.subdomain.domain.com. 

• [Conditional] If you want the clients to use a dedicated port for downloading the file, you must first 

configure this port. If no dedicated port is used, clients are directed to the HTTP port for the user 

interface (default: 4711). 

For more information on configuring a dedicated download port, see File Server system settings. 



Providing proxy auto-configuration files 3 

Configure a port forwarding rule for downloading a wpad.dat file 

To enable the download of a wpad.dat file by a client browser, you need to configure a rule that 

forwards the download request to the appropriate port on the appliance. 

1 On the user interface of the appliance, go to Configuration | Appliances. 

2 On the appliances tree, go to the appliance the wpad.dat file is made available on and select Port 

Forwarding. 

3 Under Port Forwarding Rules, click Add. The Add AppliancePortForwarding window opens. 

4 Configure a port forwarding rule as follows: 

• Source Host — 0.0.0.0 

• Target Port — 80 

• Destination Host — 127.0.0.1 

• Destination Port — 

As , enter either the HTTP port for the user interface (default: 4711) or 

the dedicated port you have configured. 

5 Click OK. The window closes and the port forwarding rule is added to the list. 

Configure auto-detection of a wpad host 

To let a browser use auto-detection for finding the appliance as the host where a wpad.dat file is 

stored: 

1 Start the browser and go to the network configuration settings. For example, on a Mozilla Firefox 

browser, version 3.6, you can find these settings under Edit | Preferences | Advanced | Network. 

2 In the Connection section, click Settings. 

3 Select Auto-detect proxy settings for this network. 

4 Click OK. 


3 




The Helix proxy is a third-party proxy for handling real-time streaming data. It is preinstalled on the 

McAfee Web Gateway appliance. This section tells you how to use this proxy on the appliance. 

The Helix proxy is initially not accessed from the user interface of the appliance, but using a command 

line interface, which is, for example, provided by your administration system. Later on, you can 

administer the proxy on its own user interface. 

Complete the following procedure to set up the Helix proxy for use on the appliance: 

1 On the command line interface, enter the activation command, for example, as follows: 

service helix-proxy activate 

You are asked to enter a user name and password for the initial administrator account. 

2 Enter both. The Helix proxy is started. 

Note: After the start, you can find configuration files for the proxy in the /opt/helix-proxy folder on the 

appliance and modify them manually as needed. 

3 Connect to the user interface of the proxy: 

http://:21774/admin/index.html 

The user interface appears and displays a logon window. 

4 Enter the user name and password from step 2. 

After a successful logon, the user interface of the proxy is available. 

5 Configure your real-player application to use the appliance as a proxy, for example, as follows: 

a Start the real player. 

b On its user interface, go to the proxy settings. 

c In the appropriate input field, for example, the RTSP (Real-Time Streaming Protocol) field, enter 

the IP address of the appliance with 554 as the port number. 

For more information, refer to the user documentation of the Helix proxy. 




Preventing data leaks 3 

When you are running the appliance together with a DLP (Data Leakage Prevention) solution that uses 

an ICAP server for the filtering process, you can implement a rule set to ensure the smooth flow of data 

between the appliance and the ICAP server. This section describes the rule set and the settings that are 

implemented with it. 

The DLP solution that you can run together with the appliance is named nDLP. Its purpose is to filter 

data that users want to upload from your network to the web in order to prevent data leaks. An ICAP 

server is used by the solution for the filtering process. The data flow is as follows: 

• Data sent from the client systems of your users is forwarded to the appliance. 

• The appliance provides an ICAP client that sends REQMOD requests with the user data to the ICAP 

server that is part of the DLP solution. 

• The requests are filtered on the server by modifying them according to the ICAP protocol and passed 

on to the web servers that are the destinations of the requests. 

After importing the Data Leakage Prevention rule set from the rule set library, rules are executed on 

the appliance to handle the sending of requests to the ICAP server. 

According to these rules, a request is not forwarded if: 

• The body of the request contains no data and the request does not include URL parameters. 

• The body of the request exceeds a given size (default: 50 MB). 

Together with the rule set, settings are imported that you need to configure. These include a list of the 

ICAP servers that the appliance can forward requests to. You can also configure the ICAP client on the 

appliance not to open more connections for sending requests than a particular ICAP server can handle 

at the same time. 

For more information, see Import a rule set and Data Leakage Prevention. 

Data Leakage Prevention 

This section describes the rules in the Data Leakage Prevention library rule set. 

For general information on understanding and handling rules, see Rules and rule sets. 

Library rule set — Data Leakage Prevention 

Criteria — URL.Host does not equal “ ” 

Cycles — Requests (and IM) and embedded objects 

The rule set criteria specifies that the rule set applies when a host name can be found for a URL that is 

sent in a request to the appliance. 

The rule set contains the following rules: 

Skip requests that do not carry information 

Body.Size equals 0 AND ListOfString.IsEmpty(URL.Parameters) equals true –> Stop Rule Set 

The rule uses the Body.Size property to check whether a request has a body that is empty. It also 

uses the ListOfString.IsEmpty property to check whether a request has URL parameters. If one of 

the two parts of this criteria is matched, processing of the rule set stops and the request is not 

forwarded to the ICAP server. 


3 



Skip body that is greater than 50 MB 

Body.Size greater than 50 –> Stop Rule Set 

The rule uses the Body.Size property to check whether the body of a request does not exceed 50 

MB. If it does, processing of the rule set stops and the request is not forwarded to the ICAP server. 

Call ReqMod server 

ICAP.ReqMod.Satisfaction equals true –> Stop Cycle 

When a request has passed filtering according to the first two rules of the rule set, it is forwarded 

to the ICAP server. If this has been done, the value of the ICAP.ReqMod.Satisfaction property is 

true. The rule checks whether this is the case for a request and eventually stops processing the 

current cycle. 

Configure the ICAP server list 

When running the appliance with a DLP solution such as nDLP that uses ICAP servers for filtering data, 

you need to configure a list of these servers. 

To configure an ICAP server list: 


2 On the Engines branch of the settings tree, go to ICAP Client and select the ReqMod settings. 

3 Configure the the ICAP server list that is provided under these settings as needed. 


For more information, see ICAP Client engine settings. 

ICAP Client engine settings 

The ICAP Client engine settings are used for configuring communication in REQMOD mode between an 

ICAP client on the appliance and ICAP servers. 

Note: These settings are configured under ICAP Client on the Settings tab of the Policy top-level menu. 

Reqmod settings 

Settings for configuring the REQMOD mode of ICAP communication 

ICAP Service 

Settings for sending a request in REQMOD mode to an ICAP server 

List of ICAP servers — List of servers that the ICAP client on the appliance can send requests to in 

REQMOD mode 

The following table describes the list entries. For general information on how to maintain lists, see List 

maintenance. 

Table 3-12 ICAP Servers list 


URI URI of an ICAP server 

Format: ICAP://: 

Respect max concurrent When selected, the ICAP client on the appliance will not open more connections at 

connections limit 

the same time for sending requests than the ICAP server can handle 

Comment Plain-text comment on the ICAP server 




Web caching 3 

A web cache is provided on the appliance for storing web objects to speed up responses to client 

requests. This section explains the handling of this cache. 

Use of the web cache is controlled by rules for reading objects from it or writing them to it. This means 

a rule set must must be implemented that contains such rules. Bypass lists can contain web objects 

that should not be cached. In addition to this, the web cache must be enabled as an option of the 

common proxy settings. 

Rules for the web cache 

Use of the appliance web cache is controlled by rules in a rule set. This section explains the handling of 

a web cache rule set and describes a web cache rule set from the library. 

To find out whether a web cache rule set is implemented on your appliance, review the system of rule 

sets on the Rule Sets tab of the Policy top-level menu. 

If none is implemented, you can import the Web Cache library rule set. After importing this rule set, 

you can review and modify it on the Rule Sets tab to make it suit your network. Alternatively, you can 

create a rule set with rules of your own. 

A web cache rule set typically contains rules for reading objects from the cache and writing them to it. 

Additionally, there can be bypass rules that exclude objects from being read or written. 

For more information, see Import a rule set and Web caching. 

Web Cache 

This section describes the rules in the Web Cache library rule set. 


Library rule set — Web Cache 

Criteria — Always 

Cycle — Requests (and IM) and responses 

The following rule sets are nested in this rule set: 

• Read from Cache 

• Write to Cache 

Read from Cache 

This nested rule set enables the reading of web objects from the cache and forbids it for URLs that are 

on a bypassing list. 

Nested library rule set — Read from Cache 


Cycles — Requests (and IM) 


Skip caching URLs that are in Web Cache URL Bypass List 

URL matches in list Web Cache URL Bypass List –> Stop Rule Set 

The rule uses the URL property to check for requested URLs whether they are on the specified 

bypass list. If they are, processing of the rule set stops. The rule that enables writing to the cache 

is then not processed. Processing continues with the next rule set. 

Note: The rule is not enabled by default. 


3 



Enable Web Cache 

Always –> Continue — Enable Web Cache 

The rule is always processed unless it is skipped because the bypassing rule placed before it in the 

rule set applies. It enables the web cache, so objects stored in it can be read. Processing continues 

with the next rule set. 

Write to Cache 

This nested rule set enables the writing of web objects to the cache and forbids it for large objects, as 

well as for URLs and media types on particular bypassing lists. 

Nested library rule set — Write to Cache 


Cycles — Responses 


Skip caching URLs that are in Web Cache URL Bypass List 

URL matches in list Web Cache URL Bypass List –> Stop Rule Set 

The rule uses the URL property to check for a URL sent from the web whether it is on the specified 

bypass list. 

If it is, processing of the rule set stops. The rule that enables writing to the cache is then not 

processed. Processing continues with the next rule set. 


Skip caching objects that are larger than X bytes 

String.ToNumber (Header.ResponseGet (“Content-Length”)) greater than 8388608 

–> Stop Rule Set 

The rule uses the String.ToNumber property to convert a string in a response header that is sent 

with an object to indicate its content length into a numerical value. Then it checks whether this 

value is greater than the number specified here. 

If it is, processing of the rule set stops and the writing rule of the rule set is not processed. 

Processing continues with the next rule set. 


Skip caching media types that are in Web Cache Media Type Blocklist 

MediaType.FromHeader is in list Web Cache Media Type Blocklist –> Stop Rule Set 

The rule uses the MediaType.FromHeader property to check for media whether the type they 

belong to is on the specified bypass list. The type is taken from the header information of the 

request sent for accessing the media. 

If the media type is on the list, processing of the rule set stops. The writing rule of the rule set is 

then not processed. Processing continues with the next rule set. 

Note: This rule is not enabled by default. 

Enable web cache 

Always –> Continue — Enable Web Cache 

The rule is always processed unless it is skipped because the rules preceding it it in the rule set 

apply. It uses an event to enable the web cache, so objects can be written to it. Processing 

continues with the next rule set. 


Bypass lists for web caching 



You can fill bypass list with entries for web objects, such as URLs, media types, and others, to exclude 

these objects from caching. This section tells you how to work with these lists and describes some 

sample lists. 

There must be rules in a web cache rule set that use bypass lists and let the rules for reading from and 

writing to the cache not be processed. 

Note: This means that when you edit a bypass list, you also modify the rule that uses it. You should therefore 

make sure you know which rule uses a list that you edit. You can do this, for example, by reviewing the rules 

of the web cache rule set to see which list names appear in rule names and criteria. 

When you import a web cache rule set from the library, bypass lists are implemented with the rule set. 

You can edit these lists and also create lists of your own. 

The procedures used to maintain bypass lists differ according to the list type. For example, you can add 

wildcard expressions to a whitelist for URLs by typing them into the list. For example, you can add URLs 

to a bypass list for URLs by typing them into the list. When adding media types, however, you select 

them from folders with media type groups. 

For more information one the sample lists, see Sample lists for web caching. 

For the list activities, see Add a wildcard expression for URLs to a web cache bypassing list, and Add a 

media type to a web cache bypassing list. 

Sample lists for web caching 

This section describes two sample bypass lists for use with the web cache rules. 

When you import the Web Cache rule set from the library, these lists are also imported. You can find 

them on the Lists tab of the Policy top-level menu, sorted by their types and names. 

For general information on how to maintain lists, see List maintenance. 

Web Cache URL Bypass List 

Library list of wildcard expressions for URLs that should not be read to or written from the web cache. 

Type: Wildcard Expression 

The list is initially empty. 

The following table describes the list entries. 

Table 3-13 Web Cache URL Bypass List 


Wildcard Expression Wildcard expresssion for URLs that should not be cached 

Comment Plain-text comment on the wildcard expression 

Web Cache Media Type Blocklist 

Library list of media types that should not be read to or written from the web cache. 

Type: Media type 

Initial entries: application/mpegurl — MP3 Playlist File 

application/x-pn-realaudio — RealMedia streaming file 

video/x-la-asf — Streaming Audio/Video File 


Table 3-14 Web Cache Media Type Blocklist 


Media type Media type that should not be cached 

Comment Plain-text comment on the media type 


3 



Add a wildcard expression for URLs to a web cache bypassing list 

You can add a wildcard expression to a bypassing list in a web cache rule to exclude URLs from web 

caching. 


2 On the rule sets tree, select the rule set that contains rules for web caching , for example Web Cache. 

The rules appear on the settings pane. 

3 Find the rule that uses a bypassing list to exclude URLs from caching, for example, Skip caching 

URLs that are in Web Cache URL Bypass List, and click on the list name. 

Note: A yellow triangle by the list name indicates that this list is empty and you need to fill the entries. 

The Edit List (Wildcard Expression) window opens. 

4 Click Add. The Add Wildcard Expression window opens. 

5 In the Wildcard expression field, type a wildcard expression. 

Note: To add multiple wildcard expressions at once, click Add multiple and type every wildcard 

expression in a new line. 

6 [Optional] In the Comment field, type a comment on the wildcard expression. 

7 Click OK. The window closes and the wildcard expression appears on the whitelist. 


For more information on how to maintain a list, see List maintenance. For the types of wildcard 

expressions that are allowed in the list, see Wildcard expressions. 

Add a media type to a web cache bypassing list 

You can add a media type to a bypassing list used in a web cache rule to exclude web objects of this 

type from web caching. 


2 On the rule sets tree, select the rule set that contains rules for web caching , for example Web Cache. 

The rules appear on the settings pane. 

3 Find the rule that uses a bypassing list to exclude web objects that belong to a particular media type 

from caching, for example, Skip caching media types that are in Web Cache Media Type 

Blocklist, and click on the list name. 

The Edit List (MediaType) window opens. 

4 Click Edit. And Edit window opens. It displays a list of group folders with media types. 

5 Expand the group folder with the media type you want to add, for example, Document, and select 

the media type, for example, application/vnd/ms-excel. 

Note: To add multiple media types at once, select multiple media types or one or multiple group folders. 

6 Click OK. The window closes and the media type appears on the whitelist. 


For more information on how to maintain a list, see List maintenance. 


Verify the enabling of the web cache 



This section tells you how to verify whether the web cache is enabled. The relevant setting is a part of 

the common proxy settings. 


2 On the appliances tree, go to the appliance you want to verify the enabling for and select Proxies 


3 Scroll down to the Web Cache section and see whether Enable Cache is selected. If necessary, 

enable this option. 

4 If necessary, click Save Changes. 

5 For more information on the proxy settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system 

settings. 


3 




4 

Rules and rule sets 

Contents 

Filtering controlled by rules 

About rule elements 

About rule sets 

Rule configuration 

Rule set configuration 

List maintenance 

Action and engine settings 

Access restrictions 


Whenever the appliance takes a filtering action to ensure web security for your network, it is executed 

according to a rule. The sections of this chapter explain how you can work with these rules. They 

describe the filtering process they are used in, their elements, and the rule sets that contain them. 

They also explain how to work with the lists and modules that rules rely on for retrieving filter 

information. 

About filtering 

This section explains some basic concepts of the filtering process that goes on when the implemented 

rules are processed on the appliance. 

In this process, the appliance “filters” web traffic. It blocks some objects and lets others pass through, 

like a tea sieve or strainer that catches the tea leaves and allows the liquid to flow through its 

perforations. 

So how does the appliance tell the tea leaves from the liquid? The tea strainer obviously uses dimension 

as a key concept. If something is too big, it cannot pass through. 

Similarly, the appliance uses all kinds of properties that web objects can have or that are related in 

some way to web objects to make its filtering decisions. 

Properties of filtered objects 

Properties of web objects checked in the filtering process are, for example, “being virus-infected” or 

“belonging to a URL category” or “having a particular IP address”. 

The following can then be asked about these properties: 

• For a given web object, what value does property p have? 

• And: If this value is x, what action is required? 


4 



Giving an answer to the second question leads to a rule: 

If the value of property p is x, action y is required. 

A property is a key element in every rule on the appliance. Understanding the property is essential to 

understanding the rule. 

When you are creating a rule, begin by thinking about the property you want to use. Using a property 

of an already existing rule as an example, you might consider something like the following: 

I want to filter viruses and other malware. I use the property “being virus-infected” and build a rule 

around it. I let this rule require a blocking action to be taken if a given object has this property. 

This rule could look as follows: 

If “being virus-infected” has the value “true” (for a given object), block this object. 

The object could, for example, be a file that a web server has sent because a user of your network 

requested it and that is intercepted and filtered on the appliance. 

Properties can be related to web objects, but also to the users that request them. For example, a rule 

could use the property “user groups that user is member of” to block requests sent by users who are 

not in an allowed group: 

If “user groups that user is member of” (for a given user) are not on the list of allowed groups, 

block requests sent by this user. 

Note: Properties and rules are explained in this section using normal language. However, the format they 

have on the user interface of the appliance does not differ from this very much. 

Filtering cycles 

The filtering process on the appliance has three cycles: the request cycle, the response cycle, and the 

embedded objects cycle. Only one of these can go on at a given moment. 

The request cycle is used for filtering requests that users of your network send to the web (1), the 

response cycle is for the responses received upon these requests from the web (2). 

Figure 4-1 Filtering requests and responses 



Filtering controlled by rules 4 

When embedded objects are sent with requests or responses (3), the embedded objects cycle is used 

as an additional cycle of processing. 

Figure 4-2 Filtering embedded objects 

An embedded object could, for example, be a file sent with a request to upload a file and embedded in 

this file. The filtering process begins with the request cycle, filtering the request and checking the file 

that is requested for uploading. Then the embedded objects cycle is started for the embedded file. 

Similarly, the response cycle and the embedded objects cycle are started one after another for a file 

that is sent in response from a web server and has another file embedded in it. 

For every rule on the appliance, it is specified in which cycle it is processed. However, the cycle is not 

specified individually for a rule, but for the rule set that contains it. A rule set can be processed in just 

one cycle or in a combination of cycles. 

Process flow 

In the filtering process, the implemented rules are processed one after another, according to the 

positions they take in their rule sets. The rule sets themselves are processed in the order of the rule set 

system, which is shown on the Rule Sets tab of the user interface. 

In each of the three cycles, the implemented rule sets are looked up one after another to see which 

must be processed in this cycle. 

When a rule is processed and found to apply, it triggers an action. The action executes a filtering 

measure, such as blocking a request to access a web object or removing a requested object. In addition 

to this, an action has an impact on the filtering process. It can specify that the filtering process must 

stop completely, or skip some rules and then continue, or simply continue with the next rule. 

Processing also stops after all implemented rules have been processed. 

Accordingly, the process flow can be as follows: 

All rules have been processed for 

each of the cycles and no rule has 

been found to apply. 

–> Processing stops. 

In the request cycle, the request is allowed to pass 

through to the appropriate web server. 

In the response cycle, the response sent from the web is 

forwarded to the appropriate user. 

In the embedded objects cycle, the embedded object is 

allowed to pass through with the request or response it 

was sent with. 

Processing begins again when the next request is 

received. 


4 



A rule applies and specifies that 

processing must stop completely. 


processing must stop for the current 

rule set. 


processing must stop for the current 

cycle. 


processing continues with the next 

rule. 


–> Processing stops. 

An example of a rule that stops processing completely is a 

rule with a blocking action. 

If, for example, a request is blocked because the 

requested URL is on a blocking list, it is no use to process 

anything else. No response is going to be received 

because the request was blocked and not passed on to the 

appropriate web server. Filtering an embedded object that 

might have been sent with the request is also not needed 

because the request is blocked anyway. 

A message is sent to the user who is affected by the 

action, for example, to inform this user that the request 

was blocked and why. 

Processing begins again when the next request is 

received. 

–> Processing stops for this rule set. The rules that follow the 

stopping rule in the rule set are skipped. 

An example of a rule that stops the processing of a rule set 

is a whitelisting rule followed by a blocking rule in the 

same rule set. When a requested object is found on a 

whitelist, the request is allowed to pass through without 

further filtering. Therefore the rule set is not processed 

any further and the rule that eventually blocks the object 

is skipped. 


The next rule set can contain rules that, for example, 

block a request, although it was allowed to pass through 

the preceding rule set. 

–> Processing stops for this cycle. The rules and rule sets that 

follow the stopping rule in the cycle are skipped. 

An example of a rule that stops the processing of a cycle is 

a global whitelisting rule. When a requested object is found 

on a global whitelist, the request is allowed to pass through 

to the appropriate web server. To ensure the request is not 

blocked eventually by any of the following rules and rule 

sets, the request cycle is not processed any further. 

Processing continues with the next cycle. 

–> Processing continues with the next rule. 

This can be the next rule in the current rule set or the first 

rule in the next rule set or cycle. 

An example of a rule that lets the filtering process 

continue unimpeded is a statistics rule. This rule just 

counts requests by increasing a counter and does 

otherwise nothing.

Modules for delivering filtering information 


About rule elements 4 

This section explains what special modules do for rules in the filtering process. 

Before a rule can trigger a particular action, it needs to know what the value of a particular property is. 

Consider, for example, a rule that blocks virus-infected objects: 


The rule needs to know what the value for “being virus-infected” is for a given object. Only then can it 

block access to the object. How does the rule get this information? 

It gets the information by calling a special module. This module scans the object and tells the rule what 

value the property has for the object, for example, if “being virus-infected” is true for it or not. 

For a virus and malware filtering rule, the special module is the Anti-Malware module (also known as 

Anti-Malware engine). It can run with different settings and accordingly use different methods for 

completing its scanning job. For example, it can evaluate only virus signatures or use also proactive 

methods that are suitable for detecting viruses and other malware for which no signatures are known 

yet. 

Although the scanning module is used in the filtering process, it is not a filtering module in a strict 

sense. The filtering is not done by the module, but by the corresponding rule, based on the delivered 

information. 


This section explains the elements of a web security rule. 

The general structure of a rule can be rendered very simply as follows: 

If a is the case, then do b. 

For web security rules on the appliance, this simple structure can be filled with a little more detail: 

If property p has the value x, do y. 

The property mentioned in the rule is the property of a web object or a user. It is checked, for example, 

when a user requests access to an object. 

An example of a rule like this is (in normal language): 


or paraphrased even more simply: 

If an object is virus-infected, block it. 

Other examples are: 

If “category that a URL belongs to” has the value “on list x”, block the URL. 

If “user groups that user is member of” has the value “not on allowed groups list x”, block 

requests from this user. 

paraphrased more simply as: 

If the category of a URL is on a particular list, block the URL. 

If a user is not a member of an allowed user group, block requests from this user. 


4 



Main elements of a rule 

A web security rule on the appliance has three main elements: 

(1) Criteria: 

If the category of a URL is on list x, ... 

Note: Instead of criteria, the term condition is used in other rule syntaxes. 

(2) Action that is executed if the criteria is matched: 

... block the URL 

The third element is optional: 

(3) Event (or more than one) that is to happen if the criteria is matched. 

... and log this action. 

Criteria 

If the category of a 

URL is on list x, ... 

Rule 

–> 

The criteria has again three elements: 

(a) Property (of a web object or user) 

the category of a URL ... 

(b) Operator that links the property to an operand 

... is on list 

(c) Operand specifying with the operator a value for the property 

... x (list name) 

Note: The operand is also known as parameter on the appliance. 


Action 

(Event) 

... block the URL (and) ... log this action. 

Property Operator Operand 

the category of a URL ... ... is on list ... x (list name) 

Criteria

Rules on the user interface 

On the user interface, a web security rule appears in the following format: 

Figure 4-3 Sample rule on the user interface 



The rule blocks a URL if its category is on a blocking list, notifies the user who requested access to the 

URL of the blocking, and records the blocking by incrementing a counter. 

The following table provides an overview of the individual rule elements and their meanings. 

Table 4-1 Overview of rule elements 

Option Definition Comment 

Enabled Allows you to enable or disable the rule 

Name Name of the rule 

• Block URLs ... Name text 

• Category BlockList In name text: List used by the rule Clicking on the list name opens the list 

for editing. 

• Yellow triangle Next to a list name: Indicates that the list is 

initially empty 

Criteria Criteria of the rule The criteria is only visible after clicking 

the toggle button Show Details. 

• URL.Categories Property 

• Settings of the module that retrieves a value Clicking on the settings name opens the 

for the property (here: the URL Filter settings for editing. 

module) 

The module name is not visible in the 

rule. It appears, however, in the Edit 

window for the rule criteria. 

• at least one in list Operator 

• Category BlockList Operand, also known as parameter (here: a Clicking on the list name opens the list 

list used by the rule) 

for editing. 

The list name appears both in the rule 

name and the criteria to let it be 

available when the criteria is not visible. 

• Yellow triangle Next to a list name: Indicates that the list is 

initially empty 

Action Action of the rule 

• Block Name of the action The symbol varies with the action. 

• Settings of the action (here: settings Clicking on the settings name opens the 

specifying that a block message is sent to 

the user who is affected by the blocking) 

settings for editing. 

Events One (or more) events of the rule The events are only visible in full after 

clicking the toggle button Show 

Details. 

• Statistics.Counter. 

Increment 

Name of the event 

• “BlockedByURLFilter, Parameters of the event (here: the name of 

1” 

a counter and an increment) 

• Settings of the module that handles the Clicking on the settings name opens the 

event 

settings for editing. 

For more information on these elements, see the following sections. 


4 



Complex criteria 

The criteria of a rule can be made complex by configuring it with two or more parts. Each of the parts 

then has a property with operator and operand. The parts are linked by AND or OR. 

The following is an example of complex criteria: 

AND/OR Property Operator Operand 

URL.Categories at least one in list Drugs 

OR URL.Categories at least one in list Games/Gambling 

The criteria is matched if a filtered URL belongs to a category that is on any of the two specified 

category lists (or on both). 

If you configure criteria with three or more parts and use both AND and OR between them, you also 

need to put brackets to indicate how the parts are logically connected. For example, (a AND b) OR c 

differs in meaning from a AND (b OR c). 

When you add a third criteria part on the user interface, lowercase letters appear before the parts and 

an additional field is inserted at the bottom of the configuration window. 

The field displays your criteria parts in short, for example, a AND b OR c. You can then type brackets 

into the field as needed. 

ID AND/OR Property Operator Operand 

a URL.Categories at least one in list Drugs 

b AND URL.Categories at least one in list Games/Gambling 

c OR Antimalware.Infected 

 

Criteria Combination (a AND b) OR c 

Properties 

A property is a key element in every rule. If it has a particular value, the criteria of the rule is matched 

and the rule applies, which means that the rule action is triggered. 

For example, if the property Antimalware.Infected has the value true in the criteria of a particular rule 

for virus and malware filtering, the rule triggers its blocking action. 

A property in a rule is a property of a web object or of something that is related to a web object, such 

as the user who requests it. For example, Antimalware.Infected is the property of a web object that is 

requested by a user or sent in response by a web server or embedded in another object. 

A property has a name, a type, and a value. For every property, a particular range of values is possible. 

A value within this range is found for it during the filtering process by running a special module or by 

going through a particular list. 

In the following, some examples of properties are given. 

Property of a web page or a file 

Property — Antimalware.Infected 

Type — Boolean 

Values — true | false 

The meaning of this property can be paraphrased as “being infected by a virus or other malware”. 

A rule using this property could apply if its value is true. The Anti-Malware module scans web objects 

when the rule is processed to find out what the value of the property is. 


equals true

Property of a URL 

Property — URL.Categories 

Type — List of categories 

Values — Lists of URL categories 



The meaning of this property can be paraphrased as “belonging to (one or more) URL categories”. 

A rule using this property could apply if one of these categories is on a blocking list. The URL Filter 

module retrieves information from the Global Threat Intellegience on which category or categories a 

given URL belongs to. 

Property of a website or page 

Property — URL 

Type — String 

Values — Lists of URLs 

The meaning of this property can be paraphrased as “having a URL”. 

A rule using this property could apply if a URL is on a blocking list. During the filtering process, it is 

looked up whether the URL is on the list. No special module is needed for this lookup. 

For a list of available properties with explanations, see the List of properties in the appendix. 

Actions 

An action is the element of a rule that is executed if the criteria of the rule is matched. 

For example, if an object sent by a web server in response to a user request is found to be 

virus-infected, the criteria of a particular rule for virus and malware filtering is matched, and the rule 

triggers the Block action. 

Settings can be configured for some actions to determine the way they are executed. For example, the 

Block action has settings that specify a corresponding user message. The settings can also specify the 

blocking reason for logging purposes. 

Every action has an impact on the filtering process. This process can be stopped by an action, or the 

remaining rules in a rule set or cycle are skipped when an action has been executed, or the process just 

continues after an action. 

In the following, some examples of actions are given. 

Action — Block 

Settings — Specifying a message template and the blocking reason 

Impact — Stops the filtering process 

The blocking effect of this action is achieved by stopping the filtering process. If, for example, a request 

is blocked, processing stops completely and the request is not passed on to the appropriate web server. 

The user who sent the request is informed of the blocking. Different settings can be configured for the 

action, according to whether the blocking reason was a found virus or an inappropriate URL category, 

or something else. 

Action — Stop Rule Set 

Settings — None 

Impact — Stops processing of the current rule set and lets processing 

continue with the next rule set. 

This action can be used by a whitelisting rule to skip a blocking rule that follows it in the same rule set. 

Since this action does not affect the user, no settings for a user message are required. 


4 



Action — Continue 

Settings — None 

Impact — Lets processing continue with the next rule after the rule that 

triggered this action. 

This action does not affect a user and accordingly no settings are needed for a user message. 

For a list of the available actions, see the List of actions in the appendix. 

Events 

If the criteria of a rule matches, an event or several of them can optionally be triggered. For example, 

if an object is found to be virus-infected and blocked, an event can be triggered that writes an entry for 

the blocking action into a log file. 

The way an event is executed can be configured through parameters and settings. For example, the 

text of a log file entry can be specified as an event parameter and rotation of the log files as part of the 

event settings. 

Other activities executed by events are, for example: 

• Setting a value 

• Adding a request header 

• Incrementing a counter 

For a list of the available events, see the List of events in the appendix. 




About rule sets 4 

Web security rules are grouped and contained in rule sets on the appliance. This section provides some 

general information about these rule sets and the rule set systems they are included in. 

After the initial setup, a system of rule sets is implemented on the appliance. If you use the policy 

creation wizard, this system will match your selections. Rules, rule sets and filter lists are then 

implemented according to the type of your organization, your region, and the strictness you want to 

impose on the users of your network. If you choose not to make such selections, the default rule set 

system is implemented. 

In both cases, you can review and modify what has been implemented. You can modify rule sets and 

individual rules, including the filter lists, the settings of the modules used in the filtering process, and 

the settings of the actions that are triggered when rules apply. 

You can edit or delete all these items, move rules and rule sets to different positions, copy rules to 

insert them into other rule sets, and create new items of all types. You can also import rule sets from 

the internal library, move them to other positions, and modify them. 

Rules in rule sets 

A rule cannot stand on its own, it must be included in a rule set. A rule set can include just a single rule 

or several of them or one or more nested rule sets. If it includes nested rule sets, it can, but need not 

include individual rules on the same level as the nested rule sets. 

Rule sets usually include rules that work together to provide a particular function for ensuring web 

security. For example, a virus and malware filtering rule set might include a rule that blocks infected 

rule sets and one or several others that whitelist objects to let them skip the blocking rule and ensure 

users can access them. 

Another rule set might filter URLs and include rules for blocking individual URLs and URL categories, as 

well as whitelisting rules. 

You can modify the implemented system and group rules in rule sets to build functional units in 

whatever way is suitable for your network. 

Rule set cycles 

Rule sets are processed, with their rules, in the three cycles of the filtering process. A rule set can be 

processed in any combinations of these cycles, for example, only in the request cycle, in the response 

and embedded objects cycle, and also in all three cycles. 

The cycles of a rule set are at the same time those of the individual rules contained in it. A rule cannot 

differ with regard to cycles from its rule set. 

Rule set criteria 

Like rules, rule sets have criteria and are applied if these match. A rule set has criteria in addition to the 

criteria of its individual rules and usually these criteria differ from each other. For a rule to apply, both 

its own criteria and the criteria of its rule set must match. 

Rule set library 

The rule set library provides rule sets for you to import into your implemented rule set system. You can 

do this to add a function that is missing in your system or when the implemented rule sets do not suit 

your network in all respects. 


4 



Nested rule sets 

Rule sets can have other rule sets nested within them. A nested rule set has its own criteria. Regarding 

cycles, it can only be processed in the cycles of the nesting rule set, but need not be processed in all of 

them. 

This way, a nested rule set can be configured to deal especially with a particular cycle, while another 

nested rule set deals with a different cycle. 

For example, a media type filtering rule set could apply to all cycles, but have nested rule sets that are 

not processed in all of them: 

Media Type Filtering rule set (for requests, responses, and embedded objects) 

• Nested rule set Media Type Upload (only for requests) 

• Nested rule set Media Type Download (only for responses and embedded objects) 

Implementing a rule set system 

A system of rule sets can be implemented in the following ways: 

• Use of the policy creation wizard — When using this wizard, you can select values for the type of 

your organization, your region, and a level of strictness. A system of rule sets is implemented 

accordingly. 

• Default configuration — If you make no selections, the default system of rule sets is implemented. 

• Own configuration — You can create rule sets of your own, fill them with rules of your own and add 

them to a system that was created using the wizard or to the default system. If you find that a 

completely individual solution is best suited for your network, you can also use only rules and rule 

sets of your own to filter web traffic. 

• Logging and error handling rule sets — The appliance provides default rule sets for logging and 

error handling. These are part of every initial configuration, regardless of whether you use the wizard 

or implement the default system. They can be reviewed and modified like all other rule sets. 

Rule set systems 

This section gives an overview of the rule sets that can be implemented on your appliance by using the 

policy creation wizard or accepting the default. It also gives an overview of the rule set library. 

What rule sets are actually implemented on your appliance depends: 

• On the version of the appliance software 

• On whether you used the policy creation wizard (with particular selections) or accepted the default 

rule set system 

• On the modifications you made to the rule set system that was initially implemented 




Sample wizard rule set system 

When using the policy creation wizard to implement a rule set system, you might have made the 

following selections: 

Type of organization: commercial 

Location: Europe 

Level of strictness; limited (medium) 

The wizard then creates, for example, the following rule set system (nested rules sets are not shown): 

Table 4-2 Sample wizard rule set system (commercial – Europe – limited) 

Rule set Description 

Global Whitelist Lets whitelisted IP addresses, URLs, and responses with empty bodies skip all further 

filtering. 

Global Block Blocks IP addresses, authenticated users, and URLs entered in blocking lists. 

Media Type Filtering Controls media type filtering with nested rule sets for uploading and downloading media 

types. 

Content Filter Exempts users if entered in a whitelist. Blocks users if entered in a blocking list. Blocks URLs 

belonging to various categories. 

Gateway AntiMalware Controls virus and malware filtering. 

SSL Scanner Prepares SSL-secured web traffic for processing by other filtering functions with nested rule 

sets for certificate verification and inspection enabling. 

Default rule set system 

The default rule set system is implemented if you do not use the wizard. 

The following table shows the default rule set system (nested rule sets are not shown): 

Table 4-3 Default rule set system 


SSL Scanner Prepares SSL-secured web traffic for processing by other filtering functions with nested rule 

sets for certificate verification and inspection enabling. 

Global Whitelist Lets requests that are sent from clients with whitelisted IP address or are directed to 

websites with whitelisted URLs skip all further filtering. 

Common Rules Provides functions that support the filtering process, such as web caching, progress 

indication, and opening of archives. 

Authenticate and 

Authorize 

Content Filter for 

Unauthenticated User 


User Group “internet” 


User Group 

“internet_strict” 

Asks unauthenticated users to authenticate and blocks users who are not in an allowed user 

group with nested rule sets for both functions. 

Controls filtering of individual URLs, URL categories, and media types for unauthenticated 

users. 

Controls filtering of individual URLs, URL categories, and media types for users belonging 

to a particular user group. 

Controls filtering of individual URLs, URL categories, and media types for users belonging 

to a user group that has a stricter blocking level applied to it. This can be achieved, for 

example, by using block lists containing more or different entries compared to the lists used 

for other groups. 

Gateway Antimalware Controls virus and malware filtering using virus signatures and proactive methods. 


4 



Rule set library 

The following table shows the rule sets of the rule set library (nested rule sets are not shown): 

Note: Many of the rule sets that are provided in the library are also part of the default system of rule sets. 

However, there can be differences between a default system rule set and the corresponding library rule set. 

For example, the URL Filtering rule set appears as a nested rule set in several Content Filter rule sets of the 

default system. In each of these rule sets, the rules of the URL Filter use different whitelists and blocking 

lists. 

Table 4-4 Rule set library 


Access Log Logs user requests for web access. 

Access Log With Cache 

Status 

Logs user requests for web access and cache status. 

Authentication Server Controls authentication on an authentication server 

Authorized Override Allows users continued access to web pages when the configured quota is exceeded. 

Block on All Errors Blocks requests when an internal error has occurred on the appliance. 

Block on Antimalware Blocks requests when the anti-malware filter module cannot be loaded or is 

Engine Errors 

overloaded. 

Block on URL Filter Errors Blocks requests when the URL filter module cannot be loaded or an internal error 

occurred with this module. 

Blocking Sessions Blocks users for some period of time after trying to access web objects against 

configured restrictions. 

Bypass ePO Requests Lets connection requests received from an ePO server skip filtering. 

Coaching Ask users to confirm usage of web pages before they are allowed to continue 



Cookie Authentication Controls authentication using cookies and retrieving information from an 

authentication server. 

Cookie Authentication with Controls authentication using cookies and retrieving information from an 

Login Page 

authentication server when users provide their credentials on a logon page. 



Data Leakage Prevention Controls traffic flow between the appliance and a DLP solution. 

Direct Proxy Authenticate Asks unauthenticated users to authenticate and blocks users who are not in an allowed 

and Authorize 

user group with nested rule sets for both functions. 

Enable Opener Enables the module that opens multi-part objects, such as archives. 

Found Viruses Log Logs the names of viruses found by the anti-malware module. 

Gateway Antimalware Controls virus and malware filtering using virus signatures and proactive methods. 

Global Block Blocks requests when the requested URLs or IP addresses are on block lists. 

Global Whitelist Lets requests for whitelisted URLs or IP addresses skip further filtering. 

Handle Special Sites Handles communication with special whitelisted web servers and provides solutions 

for some communication problems. 

Handle Update Incidents Logs incidents concerning updates and sends various kinds of notifications. 

HTML Filtering Filters HTML pages and uses its nested rule sets to remove embedded objects, such 

as Java scripts and others, from these pages. 

ICAP Client Controls traffic flow between the appliance and an ICAP server. 

IM Authentication Controls authentication for users who communicate with the appliance using an 

instant messaging protocol. 

IM Logging Records requests received on the appliance under an instant messaging protocol. 

Log File Manager Incidents Logs incidents concerning the Log File Manager and sends various kinds of 

notifications. 

Long Running Connections Enables you to keep long running connections alive. 


Table 4-4 Rule set library 


Lookup User Name from 

Proxy Authorization Basic 

Header 



Retrieves information for authenticating users by a lookup based on the proxy 

authorization header. 

Media Type Filtering Controls media type filtering with nested rule sets for uploading and downloading 

media types. 

Monitoring Checks CPU overload, cache partitions, and request overload. 

Next Hop Proxy Ensures that internal hosts are used as next-hop proxy servers for internal requests. 

Progress Indication Enables display of progress page and data trickling as means of indicating download 

progress to the user. 

Remove Header Removes “via” information from the a request header. 

Script Filter Filters web pages for embedded script code and removes it. 

SiteAdvisor Enterprise Blocks request to force SiteAdvisor Enterprise into stand-down mode. 

Interlock 

SSL Scanner Prepares SSL-secured web traffic for processing by other filtering functions with 

nested rule sets for certificate verification and inspection enabling. 

Time Quota Allows users web usage only for a configured period of time per day, week, or other 

time units. 

Try Cookie Authentication 

Using Default Name 

Try-Auth Asks unauthenticated users to authenticate and blocks users who are not in an allowed 

user group with nested rule sets for both functions. 

URL Filtering Controls filtering of individual URLs and URL categories. 

Volume Quota Allows users web usage only as long as a configured amount of bytes per day, week, 

or other time units is not exceeded. 

Web Cache Controls caching of web objects with nested rule sets for reading from and writing to 

the cache. 

Welcome Page Controls display of a welcome page to users. 


4 




Rules and rules sets are implemented on the appliance to ensure web security. This section explains 

how you can work with them to make them even more suitable for your network. It explains some 

sample rules and provides detailed information on how to modify and create rules and rule sets. 

Rule Sets tab 

Use the Rule Sets tab to work with rules and rule sets on the appliance. It is selected from the Policy 

top-level menu. 

Rule sets 

toolbar — 

Rule sets 

tree — 

Rule sets 

menu — 

Figure 4-4 Rule Sets tab 

The main elements of the tab are: 

• Rule sets toolbar — Items for working with the rule sets on the rule sets tree 

• Rule sets tree — Tree structure displaying the rule sets of the appliance configuration 

• Rule sets menu — Buttons for displaying tree structures of: 

• (General) rule sets 

• Log handler rule sets 

• Error handler rule sets 

• User-defined properties (for use in rule set criteria, rule criteria, and rule events) 

• Rules toolbar — Items for working with list entries 

• Rules — Rules of the currently selected rule set 


— Rules 

toolbar 

— Rules

The Rule Sets toolbar provides the following options: 

Table 4-5 Rule Sets toolbar 

The Rules toolbar provides these options: 


Rule configuration 4 


Add Opens a menu or a window for adding an item, depending on what is currently selected 

from the Rule sets menu: 

• (Rule Sets is selected) — Opens a menu, from which you can select: 

• Rule Set from Library — Opens the Add from Rule Set Library window for 

importing a rule set from the rule set library 

• Rule Set — Opens the Add New Rule Set window to let you add a rule set to the 

appliance configuration 

• Top-Level Rule Set — Opens the Add New Top-Level Rule Set window for 

adding a rule set at the top level of the rule sets tree 

• (Log Handler is selected) — Lets you select Log Handler from a menu as the only 

accessible item to open the Add New Log Handler window for adding a new Log 

Handler rule set 

• (Error Handler is selected) — Lets you select Error Handler from a menu as the 

only accessible item to open the Add New Error Handler window for adding a new 

Error Handler rule set 

• (User-Defined Property is selected) — Lets you select User-Defined Property to 

open the Add New User-Defined Property window for adding a property 

Export Opens the Export Rule Set window for exporting a rule set to the library or into a file 

Edit Opens the Edit Rule Set window for editing a selected rule set 

Delete Deletes a selected rule set. A window opens to let you confirm the deletion 

Move up Moves a rule set up among other rules sets on the same level 

Move down Moves a rule set down among other rule sets on the same level 

Move out of Moves a rule out of its nesting rule set and onto the same level as the nesting rule set 

Move into Moves a rule set out of its nesting rule set and into the rule set following this rule set 

Expand all Expands all collapsed items on the rule sets tree 

Collapse all Lets all expanded items on the rule sets tree collapse 

The following three items above the Rules toolbar are also for handling rule sets 

Edit Opens the Edit Rule Set window for editing a selected rule set (same function as the 

corresponding item above the rule sets tree) 

Enabled Allows you to enable or disable a selected rule set 

Criteria Displays the criteria of a selected rule set 

Table 4-6 Rules toolbar 


Add Rule Opens the Add Rule window for adding a rule 

Edit Opens the Edit Rule window for editing a selected rule 

Delete Deletes a selected rule. A window opens to let you confirm the deletion 

Move up Moves a rule up within its rule set 

Move down Moves a rule set down within its rule set 

Copy Copies a selected rule 

Paste Pastes a copied rule 

Show Details Shows or hides details of a rule entry including the criteria 


4 



Adding a rule 

This section describes the Add Rule window and explains in detail the steps you can complete to add a 

new rule to a rule set. 

Use the Add Rule window to add new rules to rule sets. It opens after clicking Add Rule on the Rules 

toolbar of the Rule Sets tab. 

Note: There is also an Edit Rule window where the same options can be used for editing a rule. 

Figure 4-5 Add Rule window 

The following table describes the window. 

Table 4-7 Add Rule window 


Steps For adding: 

• Name, Comment, and Enabling 

• Criteria 

• Action 

• Events 

• Summary (for reviewing your settings) 

Note: You can select a step by clicking it or use Next and Back to navigate. 

Main window area Provides different items for completing each step 

Message field Assists you in completing the steps with messages and symbols 

Back Takes you back to the previous step 

Next Takes you to the next step 

Finish Finishes the procedure 

Cancel Leaves the procedure without adding a rule 

To add a rule, complete the steps in the window. For more information, see: 

• Add name, comment, and enabling 

• Add the criteria 

• Add an action 

• Add an event 

Note: You can at any time select the Summary step to review your settings. 


Add name, comment, and enabling 

Complete the following procedure to add general settings to a rule: 


2 On the rule sets tree, select a rule set for the new rule. 

3 Click Add Rule. The Add Rule window opens with the first step selected. 

4 Add the following: 

• Name — Name of the rule 

• Enable rule — When selected, the rule is enabled 

• [Optional] Comment — Plain-text comment on the rule 



Continue with another step, preferably with Add the criteria, or click Finish and then Save Changes. 

Add the criteria 

Complete the following procedure to add the criteria to a rule: 

1 In the Add Rule window, select Rule Criteria. 

Figure 4-6 Add Rule – Criteria 

2 In the Apply this rule section, configure when the rule is applied: 

• Always — The rule is always applied. 

• If the following criteria is matched — The rule is applied if the criteria configured below is 

matched. 


4 



3 In the Criteria section, click Add. The Add Criteria window opens. 

Figure 4-7 Add Criteria window (with property selected) 

4 In the Property area, use the following items to configure a property: 

• Property — List for selecting a property (property types shown in brackets) 

• Search — Opens the Property Search window to let you search for a property 

• Parameter — Opens the Property Parameters window for adding up to three parameters, see 

Step 5 

Note: The icon is grayed out if the property has no parameters. 

• Settings — List for selecting the settings of the module that delivers a value for the property 

(module name shown in brackets) 

Note: The icon is grayed out if no settings are required for the property and (not needed) is added. 

• Add — Opens the Add Settings window for adding new settings to the list 

• Edit — Opens the Edit Settings window for editing the selected settings 

If no parameters need to be configured for the property, click OK and continue with Step 6. 

5 [Conditional] To add property parameters: 

a Click Parameter. The Property Parameters window opens. 

Figure 4-8 Property Parameters window 


Add as many parameters as needed. A parameter can be a: 



• Value (String, Boolean, or numerical) — Configure it in the Value area. Then click OK. 

• Property — Follow the instructions for configuring properties, beginning again with Step 4. 

6 From the Operator list, select an operator. 

7 In the Parameter area, add a parameter (also known as operand). This can be a: 

• Value (String, Boolean, or numerical) — Configure it in the Value area. 

• Property — Follow the instructions for editing properties, beginning again with Step 4. 

8 Click OK to close the Add Criteria window. 

Note: Repeat steps 3 to 8 to add more criteria parts for complex criteria. Connect them by AND or OR 

(these options are then provided) and, for three or more criteria parts, type brackets to indicate how they 

are logically connected in the Criteria Combination field (appears then). 

9 Continue with another adding procedure, preferably with Add an action, or click Finish and then Save 

Changes. 

Add an action 

Complete the following procedure to add an action to a rule: 

1 In the Add Rule window, select Action. 

Figure 4-9 Add Rule – Action 

2 Use the following items to configure an action: 

• Action — List for selecting an action: 

• Continue — Continues with processing the next rule 

• Block — Blocks access to an object and stops processing rules 

• Redirect — Redirects the client that requested access to an object to another object 

• Authenticate — Stops processing the current cycle and sends an authentication request 

• Stop Rule Set — Stops processing the current rule set and continues with the next rule set 


4 



• Stop Cycle — Stops processing the current cycle, but does not block access to the requested 

object 

• Remove — Removes the requested object and stops processing the current cycle 

• Settings — List for selecting settings for the Block, Redirect, and Authenticate actions 

Note: The list is grayed out if no settings are required for an action and (not needed) is added. 

• Add — Opens the Add Settings window for add new settings to the list 


Continue with another adding procedure, preferably with Add an event, or click Finish and then Save 

Changes. 

Add an event 

Complete the following procedure to add an event (or more than one) to a rule: 

1 In the Add Rule window, select Events. 

Figure 4-10 Add Rule – Events 

2 In the Events section, click Add. A drop-down menu opens. 


3 Select Event. The Add Event window opens. 

Figure 4-11 Add Event window 

4 Use the following items to configure an event: 

Note: Repeat this part of the procedure to add more than one event. 

• Event — List for selecting an event (event types shown in brackets) 



• Parameters — Opens the Property Parameters window for adding up to three parameters, see 

Step 5 

Note: The icon is grayed out if the event has no parameters. 

• Settings — List for selecting settings for an event 

Note: The icon is grayed out if no settings are required for an event. 


• Edit — Opens the Edit Settings window for edit ing the selected settings 

If no parameters need to be configured for the event, click OK and continue with Step 6. 

5 [Conditional] To add parameters to an event: 

a Click Parameters. The Property Parameters window opens: 

b Add parameters as needed. A parameter can be a: 

• Value (String, Boolean, or numerical): — Configure it inthe Value area. Then click OK. 

• Property — Configure it in the Property area. Then click OK. 

6 [Conditional] If this is the last of the adding procedures: 

a [Optional] In the Add Rule window, select Summary to review what you have configured. 

b Click Finish and then Save Changes. 

Otherwise continue with another adding procedure. 


4 



Create a sample rule 

This section explains in detail how to create a sample rule. Creating new rules is one of the activities 

you can complete to modify the implemented rule set system. 

Note: The rule already exists in one of the library rule sets, but under a slightly different name (Block if virus 

was found). 

Rule 

Name 

Block if virus was detected 

Criteria Action 

Antimalware.Infected equals true –> Block 

Procedure 

Complete the following procedure to create this rule: 

Note: Comments in italics explain what you are doing through the step or steps that follow. 


Choosing a rule set for the rule 

2 From the rule sets tree, select Gateway Antimalware as the rule set for the rule. The rule set and 

its current rules appear on the settings pane. 

Opening the Add Rule window 

3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. In 

the main window area, items appear for adding a name and other general settings. 

Adding general settings 

4 Add the following general settings: 

a Name — Type Block if virus was detected. 

b Enable rule — Deselect this checkbox, so the sample rule gets not enabled. 

c Comment — Skip this optional substep. 

Adding the criteria 

5 Select Rule Criteria. Items for adding the criteria appear. 

6 Click Add. The Add Criteria window opens. 

7 Add the criteria of the rule (Antimalware.Infected ... equals true): 

a From the Property list, select Antimalware.Infected. 

b In the Settings list, leave the default, which is Gateway Antimalware . 

The Anti-Malware module runs with these settings when it scans web objects, using virus 

signatures and proactive methods. 

c In the Operator list, leave equals, the default value. 

d In the Parameter area, select true from the Value list as operand (parameter) for the criteria. 

Note: (Boolean) is displayed in brackets next to Parameter. Antimalware.Infected is a property of the 

Boolean type. When it is selected, its parameter must have the same type. 

8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area. 


Adding the action 

9 Select Action. Items for adding an action appear in the main window area. 

10 Add an action with special settings (Block): 

a From the Action list, select Block. 

b From the Settings list, select Virus Found. 



Under these settings, a block message is sent to the user who requested an object when the 

object is blocked. 

Reviewing the rule 

11 Skip the Events step and select Summary to review what you have configured. 

Completing the sample configuration 

12 Click Finish. The Add Rule window closes and the new rule appears in the Gateway Antimalware rule 

set. 

Note: The rule is grayed out because it is not enabled. 


For more information, see About rule sets, Adding a rule, and Block if virus was found (Sample rule). 

Sample rules 

This section explains in detail three sample rules from the library rule sets of the appliance: 

• Do not filter URLs in Global Whitelist 

• Block URLs whose category is in Category BlockList 

• Block if virus was found 

Note: The Block if virus was found rule is also used in another section of this guide as an example for 

explaining step by step how a rule is created. For more information, see Create a sample rule. 

Do not filter URLs in Global Whitelist (Sample rule) 

This rule can be included in rule set for global whitelisting. 

Rule 

Name 

Do not filter URLs in Global Whitelist 


URL matches in list GlobalWhitelist –> Stop Cycle 

In plain text, the rule could be rendered as follows: 

If a URL is on a particular global whitelist, stop the current processing cycle. 

Purpose of the rule 

The rule is implemented to provide you with a means of ensuring that particular URLs can be accessed 

by the users of your network and are not blocked by any other rules. To achieve this, URLs are entered 

on a whitelist. If a whitelist URL is requested, the rule stops processing the request cycle. This means 

all following rules of this cycle, including those that might eventually block the URL, are not processed. 

When this rule and its rule set are implemented in a rule set system, it should obviously be placed at 

the beginning of the system to ensure there are no rule sets before it that block URLs. In this case, the 

whitelisting rule is truly global. It overrules all other measures that might be taken for URLs by the 

implemented rule set system. 


4 



Property and Criteria 

The property used in the criteria of the rule is URL. Its meaning can be paraphrased as “being a URL”. 

If a requested web object is a URL, then the rule is processed to see if it is on a particular whitelist. 

The whitelist is specified in the rule criteria as Global Whitelist. For looking up whether a given URL is 

on it, no special module is needed. Therefore the criteria includes no settings for a module. 

Action 

If the criteria of the rule matches, the rule applies and the Stop Cycle action is executed, with the 

impact that is the purpose of the rule. All measures that might prevent users from accessing the URL 

are avoided. 

The Stop Cycle action stops the request cycle when a request for access to the URL has been received. 

Since the rule set of the rule is processed in all three cycles of the filtering process, the Stop Cycle 

action can also stop the response or the embedded object cycle if a whitelisted URL is involved in these. 

The Stop Cycle action does not affect a user in the way that a blocking action would do. If the action 

and its rule work as intended, the user is allowed to access the requested URL. No message to the user 

is therefore needed, so the action of this rule has no settings to specify such a message. 

Process flow 

If processing the rule leads to the result that a URL is on the specified whitelist, the current cycle of the 

filtering process stops, according to what the rule says. Other cycles of the process can go on. For 

example, if an embedded object was sent with the request, the embedded object cycle could be started 

to filter this object. 

If the request cycle is stopped after the whitelisted URL has been sent, the request is passed on the 

appropriate web server. The appliance then waits for a response from this server, and if this is 

received, the response cycle of the filtering process is started to process this reponse. 

Block URLs whose category is in Category BlockList (Sample rule) 

This rule can be included in a rule set for URL filtering. 

Rule 

Name 

Block URLs whose category is in Category BlockList 


URL.Categories at least on in list Category Blacklist –> Block 


If the category of a URL is on a particular blocking list, block access to this URL. 


This rule is for blocking URLs not individually, but per category. All URLs that are related to, for 

example, drugs or online shopping are blocked. To achieve this, URL categories are entered on a 

blocking list. 

If a requested URL falls under a category that is on the list, the rule stops processing completely. The 

request is not passed on to the appropriate web server and the user who requested the URL cannot 

access it. In this sense, the URL is blocked. 

Property and criteria 

The property used in this rule is URL.Categories. Its meaning could be paraphrased as “belonging to a 

URL category”. If a requested web object is a URL, it is checked whether its categories are on the 

specified blocking list. If the URL belongs to more than one category, only one of them on the list is 

sufficient to trigger the blocking, as the rule says it: at least one in list. 




Information about URL categories is retrieved by a special module from a Global Threat Intelligence 

server. The settings of this module are therefore specified in the criteria of the rule. You can configure 

these settings to modify the way the module retrieves the information, for example, by using Global 

Threat Intelligence information retrieved earlier on and stored in a local database of the appliance. This 

can reduce latency. 

Action 

If the URL belongs to a category on the blocking list, the blocking action is executed. The settings of the 

action specify that a block message is sent to the user who requested the URL and is affected by the 

blocking action. 

Process flow 

The blocking action also stops the filtering process completely. When the request for the URL is 

received on the appliance, it is processed in the request cycle. Since the request is not forwarded to a 

web server, no response needs to be processed and looking for embedded objects that might have 

been sent with a request is also not needed because the request is blocked anyway. 

Processing can therefore be stopped completely. It continues when the next request is received on the 

appliance. 

Block if virus was found (Sample rule) 

This rule can be included in a rule set for virus and malware filtering. 

Rule 

Name 

Block if virus was found 




If a web object is infected, block it. 


This is a key rule of the filtering process on the appliance. It blocks access to web objects that are 

infected by viruses or other malware. It blocks this access in all cycles of the process. 

Whether an infected object is sent by a web server in response to a user request, or a user requests to 

upload an infected object from your network to the web, or an infected object is sent embedded with a 

request or response, all these attempts are blocked by the rule. 

Property and criteria 

The property used in the rule is Antimalware.Infected, which means “infected by a virus or other 

malware”. To detect an infection in a web object, a special module is needed, the Antivirus module (or 

engine). Settings for the modules are specified with the property. 

Action 

The blocking action that is executed if an infected object is detected affects the user who sent a request 

for access to the object. The action settings therefore specify that a message is sent to inform the user, 

in the same way, as it is done when a request is blocked by a URL filtering rule. 

Process flow 

Like in URL filtering, the blocking action of the virus and malware filtering rule stops the filtering 

process completely. When the next request is received on the appliance, the process continues. 


4 




Rule sets are the building blocks of your web security policy. This section tells you how to add rule sets 

to your configuration by importing them from a rule set library. It also explains step by step how you 

create a rule set on your own. 

Import a rule set 

A rule set library provides complete rule sets, which you can import if a particular function is missing in 

your implemented rule set system or the implemented rule sets do not suit your requirements. 

Complete the following procedure to import a rule set from the library: 


2 On the rule set tree, navigate to the position where you want to insert the new rule set. 

3 From the Add drop-down menu, select Rule Set from Library. A window with a list of the library 

rule sets opens. 

4 Select the rule set you want to import, for example, the Gateway Antimalware rule set. 

If conflicts arise when importing this rule set, they are displayed in the window. 

Note: Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist 

in an appliance configuration. 

5 Use one of the following methods to solve conflicts: 

• Click Auto-Solve Conflicts and choose one of the following strategies for all conflicts: 

• Solve by referring to the existing objects — If rules of the imported rule set refer to objects 

existing in the appliance configuration under the same names, references are made to apply to 

these existing objects. 

• Solve by copying and renaming to suggested — If rules of the imported rule set refer to 

objects existing in the appliance configuration under the same names, these objects are also 

used, but are renamed, so as to avoid conflicts. 

• Click the listed conflicts one after another and solve them individually by choosing either of the two 

above strategies each time. 

6 Click OK. The rule set is inserted in the rule sets tree. It is enabled by default. 

Note: Together with the rule set, lists and settings can be implemented in your configuration. The rules of 

the rule set need these items to make decisions on blocking and other actions. 

7 If necessary, use the blue arrows above the rule sets tree, to move the rule set to where you want it 

to be. 



Add a new rule set 

You can also create rule sets of your own to add them to the appliance configuration. 

Complete this procedure to add a new rule set: 



Rule set configuration 4 

2 On the rule set tree, navigate to the position where you want to insert the new rule set. 

3 Click Add above the rule set tree. A drop-down menu opens. 

4 Select Rule Set. The Add New Rule Set window opens. 

Figure 4-12 Add New Rule Set window 

5 Configure the following general settings for the rule set: 

• Name — Name of the rule 

• Enable — When selected, the rule set is enabled 

• [Optional] Comment — Plain-text comment on the rule set 

6 In the Applies to section, configure the processing cycles. You can select only one cycle, or any 

combination of these three: 

• Requests — The rule set is processed when requests from the users of your network are received 

on the appliance. 

• Responses — The rule set is processed when responses from web servers are received. 

• Embedded objects — The rule set is processed for embedded objects sent with requests and 

responses. 

7 In the Apply this rule set section, configure when the rule set is applied: 

• Always — The rule set is always applied. 

• If the following criteria is matched — The rule set is applied if the criteria configured below is 

matched. 


4 



8 In the Criteria section, click Add. The Add Criteria window opens. 

Figure 4-13 Add Criteria window (with property selected) 

9 In the Property area, use the following items to configure a property: 

• Property — List for selecting a property (property types shown in brackets) 

• Search — Opens the Property Search window to let you search for a property 

• Parameter — Opens the Property Parameters window for adding up to three parameters, see 

Step 10 

Note: The icon is grayed out if the property has no parameters. 

• Settings — List for selecting the settings of the module that delivers a value for the property 

(module names shown in brackets) 

Note: The icon is grayed out if no settings are required for the property and (not needed) is added. 



If no parameters need to be configured for the property, click OK and continue with Step 11. 

10 [Conditional] To add property parameters: 

a Click Parameter. The Property Parameters window opens. 

b Add as many parameters as needed. A parameter can be a: 

• Value (String, Boolean, or numerical) — Configure it in the Value area. Then click OK. 

• Property — Follow the instructions for configuring properties, beginning with Step 4. 

11 From the Operator list, select an operator. 

12 In the Parameter area, add a parameter (also known as operand). This can be a: 

• Value (String, Boolean, or numerical) — Configure it in the Value area. 

• Property — Follow the instructions for editing properties, beginning with Step 4. 

13 Click OK to close the Add Criteria window. 

14 (Optional] Select the Permissions tab and configure who is allowed to access the new rule set. 

15 Click OK to close the Add New Rule Set window. The rule set is inserted in your rule set system. 


For more information, see Access restrictions. 




List maintenance 4 

Web security rules use lists, such as whitelists and blocking lists, for retrieving information on web 

objects and users. This section tells you how to maintain these lists. 

There are several ways to access a list: 

• Lists tab — Select the Lists tab and navigate to a list. 

• Rules Sets tab — Select the Rule Sets tab and click a list name in a rule name or rule criteria. 

• Search function — Click the Search button and use the Search objects function for lists. 

Lists tab 

Use the Lists tab to maintain lists on the appliance. It is selected from the Policy top-level menu. 

Lists 

toolbar — 

Lists tree — 

Figure 4-14 Lists tab 


• Lists toolbar — Items for working with the lists on the Lists tree 

• Lists tree — Tree structure displaying the lists of the appliance configuration 

• List entries toolbar — Items for working with list entries 

• List entries — Entries of the currently selected list 

— List 

entries 

toolbar 

— List 

entries 


4 



The Lists toolbar provides the following options: 

Table 4-8 Lists toolbar 


Add Opens the Add List window for adding a list 

Edit Opens the Edit List window for editing a selected list 

Delete Deletes a selected list. A window opens to let you confirm the deletion 

View Opens a menu to let you display the lists in different ways (A-Z, Z-A, by list type, with 

or without list types for which currently no lists exist) 

Expand all Expands all collapsed items on the Lists tree 

Collapse all Lets all expanded items on the Lists tree collapse 

The List entries toolbar provides these options: 

Table 4-9 List entries toolbar 


Add Opens the Add window for adding a list entry, for example, the Add Regex 

window 

Add multiple Opens the Add window for adding multiple list entries if this is possible for 

a list type 

Edit Opens the Edit window for editing a selected list entry, for example, the 

Edit String window 

Delete Deletes a selected list entry 

A window opens to let you confirm the deletion. 

Move up Moves an entry up the list 

Move down Moves an entry down the list 

Filter Input field for typing a filtering term to display only matching list entries 

The filtering functions works as soon as you type a character in the field. 

List types 

The following types of lists exist on the appliance: 

• Custom lists — These lists can be modified by you. They are displayed on the upper branch of the 

Lists tree on the Lists tab. 

Custom lists include string, number, category, and other types of lists. Different list types can 

require different methods of maintaining them. 

• System lists — These lists cannot be modified. They are displayed on the lower branch of the Lists 

tree on the Lists tab. 

System lists include category and media type lists. 

• Inline lists — These lists can also be modified, but they do not appear on the Lists tab. They appear 

“inline” as part of the settings of a configuration item, for example, as part of the settings of a network 

protocol. 


Add a list 

Complete the following procedure to add a list to the appliance configuration: 


2 On the lists tree, go to the position where you want to add the list. 


List maintenance 4 

3 Click Add on the toolbar. The Add List window opens, with the Add List tab selected. 

4 Use the following items to configure general settings for the list: 

• Name — Name of the list 

• Comment — [Optional] Plain-text comments on the list 

• Type — List for selecting the a list type 

5 [Optional] Select the Permissions tab and configure who is allowed to view the list and edit it. 

6 Click OK. The Add List window closes and the new list appears on the Lists tree. 


You can now fill the list with entries. 

For more information, see Access restrictions and Add list entries. 

Add list entries 

Complete the following procedure to add entries to a list: 


2 From the lists tree, select the list you want to add entries to. 

3 Click Add above on the settings pane. The Add window opens, for example, the Add 

String window. 

Note: It depends on the list type, how an entry can be added to a list. For example, if the type is String, 

you can add entries by typing strings in the String field of the Add String window. If the type is MediaType, 

you need to select an entry from a media type folder, which is part of a system of folders. 

For the String and Wildcard Expression types, there is the option to add multiple entries in one go by 

clicking Add multiple and typing text for each entry in a new line. 

For wildcard expressions, there is also an option to test it by using the Test button in the corresponding 

window. 

4 Add an entry in the way it is done for a particular type. 

5 [Optional] In the Comment field, type a plain-text comment on the list entry. 

6 Click OK. The Add window closes and the entry is added to the list. 

For more entries, repeat steps 3 to 6 as often as needed. 


For more information on handling wildcard expressions, see Wildcard expressions. 


4 



Inline lists 

Inline lists do not appear on the Lists tab, they appear “inline” on the settings pane as a part of the 

settings for a configuration item. Their handling does not differ much from that of normal lists. This 

section gives an example of an inline list and shows you how to work with it. 

Sample inline list 

The sample inline list described here is the Port Forwarding Rules list. It contains rules for directing web 

traffic from one host to another. The list appears after clicking Port Forwarding on the Appliances tab 

of the Configuration top-level menu. 

On a toolbar, items are provided for working with the list. Other inline lists provide the same items 

(some do not provide all of them). The subject matter involved when working with these items varies, 

but the way of handling them is the same for all inline lists. 

Work with a sample inline list 

Complete the following procedure to work with a sample inline list: 


2 On the appliances tree, go to the appliance you want to configure settings for and select, for example, 

Port Forwarding, which is an item with settings that include an inline list. The sample inline list 

appears on the settings pane. 

3 Use the items on the toolbar to work with the sample inline list. 

Table 4-10 Items on the toolbar above the sample inline list (Port Forwarding Rules) 


Add Opens a window for adding a list entry 

Edit Opens a window for editing a selected list entry 

Delete Deletes a selected list entry. A window opens to let you confirm the deletion 

Move up Moves an entry up the list 

Move down Moves an entry down the list 

Filter Input field for typing a filtering term to display only matching list entries 

Note: The filtering functions works as soon as you type a character in the field. 

When adding or editing the rules in an inline list, you need to know the meanings of the elements 

that a list entry can have. For the sample inline list, they are described in the following table. 

Note: You also find this description in the section on port forwarding in the System Configuration chapter 

of this guide. 

Table 4-11 Sample inline list (Port Forwarding Rules) 


Source Host IP address of the host that is the source of web traffic in a port forwarding rule 

Source Port Port used on this host for outgoing web traffic 

Destination Host IP address of the host that web traffic from the source host should be directed to 

Destination Port Port used on this host for web traffic coming in from the source host and port 

Comment Plain-text comment on the port forwarding rule 

Similar tables are provided in sections on other functions when their configuration involves the use 

of an inline list. 





Action and engine settings 4 

Web security rules rely on special modules (also known as engines) to deliver information they need to 

know before triggering actions. Settings determine the way in which these modules retrieve the 

information and the actions are executed. This section tells you how to configure these settings. 

Settings tab 

Use the Settings tab to configure actions and engines on the appliance. It is selected from the Policy 


Settings 

toolbar — 

Settings 

tree — 

Figure 4-15 TSettings tab 


• Settings toolbar — Items for working with the actions and engines on the Settings tree 

• Settings tree — Tree structure displaying actions and engines of the appliance configuration 

• Settings — Settings of the currently selected item on the Settings tree 

The Settings toolbar provides the following options: 

Table 4-12 Settings toolbar 


Add Opens the Add Settings window for adding a setting 

Edit Opens the Edit Settings window for editing a selected setting 

Delete Deletes a selected setting. A window opens to let you confirm the deletion 

Expand all Expands all collapsed items on the settings tree 

Collapse all Lets all expanded items on the settings tree collapse 

— Settings 


4 



Types of settings 

Two types of settings can be configured on the Settings tab of the user interface: 

• Action settings — Settings for the actions that rules execute, for example, Block or Authenticate 

These settings are mainly configured for specifying the user messages that are sent when actions 

affect users. Actions that do not affect users have no settings, for example, Continue or Stop Rule 

Set. 

You can access these settings on the upper branch of the settings tree on the tab. 

Note: When settings of this type are described in this guide, the section title always contains the words 

action settings, for example, Authenticate action settings. 

• Engine settings — Settings for the modules (or: engines) that retrieve information for rules 

For example, the URL Filter module retrieves information to deliver values for the URL.Categories 

property in URL filtering rules. 

You can access these settings on the lower branch of the settings tree on the tab. 


engine settings, for example, Antimalware engine settings. 

A third type of settings is not configured on the Settings tab: 

• System settings — Settings of the appliance system, for example, network interface settings or 

domain name server settings 

You can access these settings on the Appliances tab of the Configuration top-level menu. 


system settings, for example, DNS system settings. 

For more information on action and system settings, see User messages and System configuration. 

For more information on engine settings, see the sections on functions with rules using these engines, 

for example, Virus and malware filtering. 

Add settings 

When adding settings to the appliance configuration, you do not create them completely new, but use 

existing settings that you give a new name and modify as needed. 

Complete the following procedure to add settings: 


2 From the Actions or Engines branch of the settings tree, select the settings you want to use as the 

starting point for creating new settings. 

3 Click Add above the Settings tree. The Add Settings window opens with an empty name field and the 

values of the selected settings in the other fields. 

Note: If you want to select not these, but other settings, you can also do this in the window. The Settings 

for pane provides a list of settings to choose from. 

4 In the Name field, type a name for the new settings. 

5 [Optional] In the Comment field, type a plain-text comment on the settings. 

6 Modify the existing values of the settings as needed. 

7 [Optional] Select the Permissions tab and configure who is allowed to view the settings and edit 

them. 

8 Click OK and then Save Changes. 




Access restrictions 4 

When you add or edit a new list, new settings, or a new rule set to your configuration, you can restrict 

access to them for users and roles. 

Complete the following procedure to restrict access for a newly added item: 

1 Go to Policy | Lists (or Rule Sets). 

2 On the tree structure, go to the position where you want to add the new item. 

3 Click Add above the tree structure. The adding window opens. 

4 Complete the steps for adding a new item. Then select the Permissions tab. 

Three modes of access can be configured: Read and Write, Read, and No Access. 

5 Click Add under the Read and Write pane. The Add Role or User window opens. 

6 Select a role or a user (or more than one of each type at once) from the list in the corresponding pane. 

Or type a wildcard expression as name of a role or user in the Wildcard field. 

7 Add as many entries to the Read and Write list as needed. Use the Delete button under the pane to 

delete entries. 

8 Fill the Read and No Access panes in the same way. 

9 Use the radio buttons under All others have to configure access for all roles and users that are not 

included in one of the lists on the tab. 



4 




5 

Filtering users 

Authentication and access management 

Contents 


Standard authentication 

Instant messaging authentication 

Cookie authentication 

Quota management 

Administrator accounts 

Users can be “filtered” on the appliance, which means you can allow web access only for those who are 

able to authenticate. Administrators need to have accounts with roles and privileges. This gives you 

control over who is active in your network. 

The sections of this chapter explain the authentication process and how to configure it, for example, by 

joining the appliance to a Windows domain to retrieve user information, or by using a database on an 

LDAP or RADIUS server, or on another server. 

They also explain how to guide users by configuring quotas for their web usage. Furthermore, they tell 

you how to set up accounts and roles for administrators and grant them privileges. 

Authentication process 

This section explains what happens on the appliance during the authentication process. Understanding 

this process should help you when you begin to configure authentication according to your own 

requirements. 

Authentication usually takes place in the request cycle of the filtering process. When users send 

requests to the web, for example, to view a web page or download a file, the appliance intercepts these 

requests and “considers” whether to block or allow them. 

There can be many reasons for not allowing a request, for example, the URL of a requested website 

could be on a blocking list. However, authentication usually does not look at the requested object, it 

looks at the user. Can information be found in a directory or database to prove that the user can be 

trusted? If yes, the user is authenticated. 

This is what the authentication rules of the appliance check. A special authentication module retrieves 

user information and passes it on to these rules to let them trigger actions, like asking an 

unauthenticated user to authenticate or forwarding a request of an authenticated user to further 

filtering. The methods the authentication module uses to retrieve the user information can be 

configured under its settings. 

Looking at the user need not be the only thing that happens in the authentication process. The rules for 

this process can also include the checking of web objects. Then authentication can also happen in the 

response cycle. For example, a rule might specify that when a web object is sent from the web in 

response to a request, a user must authenticate to be allowed access to the object. 


5 



Process flow for authenticating a user 

When a user sends a request to the web, the appliance intercepts it and begins processing the 

implemented rules. If these include authentication rules, the request is also checked by them. To 

trigger an action, an authentication rule needs to know whether the user who sent the request is 

authenticated. The authentication module retrieves user information and tells the rule about its 

findings. 

If the module has found that the user is not authenticated, the process flow is as follows: 

User is authenticated? – No. 

–> 

The user is informed that authentication is required and asked to provide credentials 

for authenticating. 

–> Processing of requests stops. The appliance waits until the next request is sent. 

When the user sends an authentication request including credentials, all implemented rules of the 

request cycle are processed again. When it comes to processing the authentication rules, the 

credentials are checked to see if they are sufficient to authenticate the user. If this is the case, the 

process continues as follows: 

–> User is authenticated? – Yes. 

–> 

Processing continues with the next rules in the request cycle. 

If not blocked by any of these, the request is passed on the appropriate web server. 

The authentication process uses the elements of an authentication rule in different ways. The rule 

criteria is processed to find out whether a user is already authenticated. The rule action eventually 

requests the user to authenticate. 



Filtering users 5 

Sample authentication rule 

In the following, an example of an authentication rule is explained. This rule can be included in a rule 

set of the appliance library. It is shown in a notation that comes close to how the rule appears on the 

user interface. 

Name 

Authenticate with User Database 


Authentication.Authenticate equals false –> Authenticate 

In plain text, this rule could be rephrased as follows: 

If the user has not yet been authenticated (through information from the user database), ask this 

user to submit credentials for authentication. 

Criteria and action 

The structure of the rule is the same as for all other rules on the appliance. It has two main elements, 

the criteria and the action. 

If the criteria is matched, the action is taken. The user is not authenticated – if this is matched, the 

Authenticate action is taken. 

The criteria has three elements: 

Property Operator Value of the property 

Authentication.Authenticate equals false 

The meaning of the Authentication.Authenticate property could be rendered as “having been 

authenticated”. The criteria could then be rephrased as follows: 

Having been authenticated is false (for the user who sent the request). 

Property 

A property is something related to a web object or a user. In this rule, “having been authenticated” is a 

property of the user who sent a request. 

Property names usually have two or more parts. For the Authentication.Authenticate property, the 

Authentication indicates that the property has something to do with authentication in general. The 

Authenticate part denotes a particular aspect of authentication like “having been authenticated”. 

Settings 

The sample rule also contains two terms in angle brackets: and . 

Terms in angle brackets are alway settings in rules on the appliance. The settings 

appear next to the property Authentication.Authenticate. They are the settings of the module that this 

property relies on for being assigned a value. 

The authentication module retrieves information from a database to let the rule know that 

Authentication.Authenticate (“being authenticated”) has the value false for a given user. 

The module settings are in this rule, which means the module is to retrieve user 

information from the local user database. 

The rule action, which is Authenticate, has as its settings. Settings of an action are mainly 

for specifying a particular message that is sent to users who are affected by the action. 


5 



Options for retrieving user information 

This section explains how to retrieve information for authenticating users yourself instead of having 

them provided by the default process. 

You might want to use the options described here when dealing, for example, with user requests that 

provide no header information on the user name and password, or when you use an authentication 

method, such as Kerberos, that provides no user group information. 

Filling the Authentication.RawCredentials property with values 

Configuring authentication basically means to configure a rule that evaluates user credentials, using the 

Authentication.Authenticate property, and executes the Authenticate action, which asks a user to 

submit credentials if the evaluation shows that this user is not authenticated. 

Note: The logon window for submitting authentication credentials is presented to the user by the 

Authenticate action. This is not part of processing the Authentication.Authenticate property, which is only the 

criteria that must be matched to let the Authenticate action be executed. 

The Authentication.Authenticate property gets the credentials it evaluates from the 

Authentication.RawCredentials property. This property is internally “filled” with these values by the 

proxy module. The proxy module gets the values from the relevant header of the request that a user 

sends. 

You can fill the Authentication.RawCredentials property with a user name and password yourself. For 

this purpose, you need to encode these values in Base64 format. 

You might do this to handle requests that do not include a header with user name and password. 

However, if you know that a given user sends requests from a client with a particular IP address, you 

can configure a rule that sets the Authentication.RawCredentials property to the relevant user name 

and password when a request with that address is received. 

Another rule, which includes the Authentication.Authenticate property, can then evaluate the 

credentials and eventually execute the Authenticate action. 

The two rules could look as follows: 

Name 

Set values for Authentication.RawCredentials 

Criteria Action Event 

Client.IP equals 10.143.104.45 –> Continue — Set Authentication.RawCredentials = 

“Basic Ym9ic21pdGg6dGVzdHBhc3M=” 

and: 

Name 






Filtering users 5 

Using the Authentication.GetUserGroups property to retrieve user information 

By default, values providing user information are retrieved when the Authentication.Authenticate 

property is processed within a rule. They are then available as the values of the 

Authentication.UserName and Authentication.ISAuthenticated properties, which can again be used in 

an appropriate rule. 

To retrieve user information, you can also use the Authentication.GetUserGroupsproperty in a rule. You 

might do this when using more than one database to retrieve information for the authentication 

process. For example, you use a Kerberos database to evaluate user credentials, but the Kerberos 

authentication method does not provide user group information. This information is on an LDAP server, 

however. 

When working with the Authentication.GetUserGroups property, you also need to set a value for the 

Authentication.RawUsername property, which is used as the key for the attribute lookup on the 

database in question. You need to set a key yourself because you do not know where the user name 

and other relevant information is stored on this database. 

Note: You can use this method to retrieve attributes only when the database in question is the internal User 

Database or an LDAP server. 

For example, you want to look up information about the user group on an LDAP server. Depending on 

this information, you block or allow requests that users send. The IP address of the client that a request 

is sent from serves as the key for the lookup. 

The rules for this could look as follows: 

Name 

Set key for database lookup 


Always –> Continue — Set Authentication.RawUsername = “10.134.103.43” 

and: 

Name 

Block if user is not in user group on LDAP server 


Authentication.GetUserGroups does not contain testgroup –> Block 


5 




To authenticate users on the appliance information is retrieved mainly from internal and external 

databases. This section describes the rules that control standard authentication and the settings for the 

module that handles the authentication process. 

Differerent methods can be configured on the appliance for authenticating users. With each of them, 

authentication information is retrieved in a different way. 

• NTLM — Uses a database on a Windows domain server 

• NTLM Agent — Uses an external agent on a Windows-based system for applying the NTLM 

authentication method 

• User database — Uses an internal database on the appliance 

• LDAP — Uses a database on an LDAP server 

• Novell eDirectory — Uses data from a directory on a server that takes the role of an LDAP server 

• RADIUS — Uses a database on a RADIUS server 

• Kerberos — Uses a database on a Kerberos server 

• SSL client certificate authentication — Uses a certificate that a client sends in SSL-secured 

communication 

• Authentication server — Uses a database on another external server 

An authentication rule includes settings for the module that retrieves the information. By configuring 

these settings you can specify which method should be used. 

Rules for authenticating users 

Rules for authenticating users are contained in an authentication rule set. This section describes an 

authentication rule set and explains how to modify one if its rules to implement a particular 

authentication method. 

An authentication rule set might not be implemented on the appliance after the initial setup, but you 

can import one from the rule set library. 

Note: If the library contains no rule set for authenticating user, it can still be part of the default system of rule 

sets. As usual, you can also configure an authentication rule set with rules of your own. 

Authenticate and Authorize 

This section describes the Authenticate and Authorize library rule set. The rules in this rule set control 

the authentication of users and allow only authorized users access to the web. 

Library rule set — Authenticate and Authorize 

Criteria — Connection.Protocol equals HTTP OR Connection.Protocol equals HTTPS 

Cycle — Requests (and IM) 

The rule set criteria specifies that the rule set applies when the protocol used on the connection for 

sending a request is either HTTP or HTTPs. 


• Authenticate with User Database 

• Authorize 



Standard authentication 5 

The rule set has also two rules of its own, which are processed before the nested rule sets: 

Need to authorize Client IP? 

Client.IP is in range list Unauthorized IPs –> Stop Rule Set 

The rule uses the Client.IP property to check whether a request was sent from a client with an IP 

address that is in the range list for unauthorized IP addresses. If this is the case, processing the 

rule set stops. No activities are then carried out to authenticate a user. Processing continues with 

the next rule set. 


Need to authorize URL? 

URL is in list Unauthorized URLs –> Stop Rule Set 

The rule uses the URL property to check whether a URL that access was requested is in the list of 

unauthorized URLs. If this is the case, processing the rule set stops. No activities are then carried 

out to authenticate a user. Processing continues with the next rule set. 


This nested rule set asks unauthenticated users to authenticate. Its authentication method is retrieving 

information from the internal user database. 

Nested library rule set — Authenticate with User Database 

Criteria — Authentication.IsAuthenticated equals false OR 

Authentication.Failed equals false 


The rule set criteria specifies that the rule set applies when a user has not yet been authenticated or 

has undergone the authentication process, but authentication failed. 

The rule set contains the following rule: 



The rule uses the Authentication.Authenticate property to check whether a user who sends a 

request for web access is authenticated. The settings that go with the property are the settings of 

the Authentication module. They specify that retrieving information from the internal user 

database on the appliance is used as the authentication method. 

If a user has not been authenticated by information from the internal database, the rule applies 

and the Authenticate action is executed. Processing stops and a message is displayed, asking the 

user to authenticate. The settings of the action specify that the message is displayed with default 

values. 

Processing continues when the next request is received on the appliance, which can be an 

authentication request by the same user. 

For information on how to modify the settings for the Authentication module to let the rule use a 

different authenticaiion method, such as NTM, LDAP, or others, see Implement an authentication 

method. 


5 



Authorize 

The Authorize rule set allows only requests from users who are members of a whitelisted user group. 

Nested library rule set — Authorize 




Only allow users of Allowed User Groups 

Authentication.UserGroups none in list Allowed User Groups –> Block 

The rule uses the Authentication.UserGroups property to allow only users access who are members 

of a group on the specified whitelist. If a user is not in one of the groups on the list, the rule 

applies and stops processing of all rules. The request is not passed on to a web server and blocked 

this way. 

The action settings specify that a notification is sent to the requesting user. Processing continues 

when the next request is received. 

Implement an authentication method 

If you do not want to keep the User Database authentication method, which is used by default in a rule 

of the Authentication and Authorize rule set, you can implement a different authentication method, 

such as NTLM, LDAP, and others. This section tells you how to modify the rule to implement this 

change. 

To implement a different authentication method: 


2 On the rule sets tree, go to the rule set that contains rules for authenticating users, for example, the 

default Authentication and Authorize rule set and select the nested Authenticate with User 

Database rule set. The rules of the nested rule set appear on the settings pane. 

3 Select the rule Authenticate with User Database and in the rule criteria click User Database. 

The Edit Settings window opens. 

4 From the list provided under Authentication Method, select an authentication method, for 

example, NTLM. 

5 Configure common and specific parameters for the selected method as needed. When you are done, 

click OK to close the window. 


Note: It is recommended that after changing the authentication method, you rename the settings of the 

Authentication module, the authentication rule, and the nested rule set, accordingly. 

For example, after selecting NTLM, rename the settings to NTLM and both the rule and the nested rule set 

to Authenticate with NTLM. 

Instead of renaming the default settings, you can also keep several settings with different names and 

parameter values for the Authentication module 

For more information on the settings you can configure for authenticating users, see Module for 

authenticating users. 


Module for authenticating users 



The Authentication module is called by the rules for authenticating users on the appliance to handle the 

authentication process. This section tells you how to configure the settings of this module, for example, 

to let it use a particular authentication method. 

Configure the Authentication module 

To configure settings for the authentication module: 


2 On the rule sets tree, go to the rule set that contains rules for authenticating users, for example, the 

default Authentication and Authorize rule set; and select the nested Authenticate with User 

Database rule set. The rules of the nested rule set appear on the settings pane. 

3 Select the rule that controls user authentication, for example, Authenticate with User Database 

and click the settings that are specified in the rule criteria, for example, User Database. The Edit 


Note: You can also access these settings on the Settings tab of the Policy top-level menu. 

On the Engines branch of the settings tree, go to Authentication and select the settings you want to 

configure, for example, User Database. 

4 Configure these settings as needed. Then click OK to close the window. 

Note: Configuring these settings can include a change of the authentication method, for example, from 

User Database to NTLM. 


For more information, see Settings for the Authentication module and Membership in a Windows 

domain. 

Settings for the Authentication module 

This section describes the settings for the Authentication module. 

The User Database settings are by default provided for the Authentication module. If you have selected 

a different authentication method and renamed the default settings accordingly, there can be settings 

named after another authentication method, such as NTLM or LDAP. 

Another option is not to rename the default settings, but to keep several settings with different names 

and parameter values for the Authentication module. 

Note: The settings for the Authentication module are described in the following, beginning with User 

Database. This is followed by descriptions of the settings that can be configured for other authentication 

methods. 

The descriptions follow the order the respective methods take under Authentication Method, which is one of 

the sections within each of the settings for the Authentication module. 


5 



User Database 

Settings specifying the User Database method to authenticate users 

Note: These settings are by default provided for the Authentication module. 

Authentication Method 

Settings for selecting an authentication method 

You can select one of the following: 

• NTLM 

• NTLM-Agent 

• User Database 

• LDAP 

• Novell eDirectory 

• RADIUS 

• Kerberos 

• SSL Client Certificate Authentication 

• Authentication Server 

After selecting a method, the settings that are specific to this method appear below the Common 

Authentication Parameters. 

Authentication Test 

Settings for testing whether a user with given credentials would be authenticated 

User — User name that is tested 

Password — Tested password 

Authenticate User — Executes the test 

Test result — Displays the outcome of the test 

Common Authentication Parameters 

Settings common to all authentication methods 

Proxy Realm — Location of the proxy that receives requests from users who are asked to authenticate 

Authentication attempt timeout — Time (in seconds) to elapse before the authentication process 

terminates if not completed successfully 

Use authentication cache — When selected, authentication information is stored in a cache 

Authentication is then based on this stored information, rather than on information retrieved from an 

authentication server or the internal user database. 

Authentication cache TTL — Time (in minutes) that authentication information is stored in the cache 

User Database Specific Parameters 

Settings for the User Database authentication method 

Send domain and machine name to the client — When selected, the names of the appliance and 

the domain it has been assigned to are sent to the client that a user who is to be authenticated sent a 

request from 

Enable basic authentication — When selected, the basic NTLM authentication method is applied to 

authenticate users 

Information that a user submits for authentication is then sent in plain-text format (less secure) to the 

Windows domain server. 




Enable integrated authentication — When selected, the integrated NTLM authentication method is 

applied to authenticate users 

Information that a user submits for authentication is then encrypted before it is sent to the Windows 

domain server. 

Enable NTLM cache — When selected, NTLM authentication information is stored in this cache 

Authentication is then based on this stored information, rather on information retrieved from the 


NTLM cache TTL — Time (in seconds) that authentication information is stored in this cache 

International text support — Set of characters used by default for a request sent from a client, for 

example, ISO-8859-1 

Advanced Parameters 

Settings for advanced configuration of this authentication method 

Always perform new evaluation of property values — When selected, a new evaluation to assign 

a value to a property is performed each time a rule containing this property is processed. If a value has 

been stored for a property in the cache, it is not used. 

While it is normally recommended to let cache values be used to improve performance, there can be 

situations where the new evaluation of a property is required. 

In these situations, the same property is used more than once within the authentication rules and with 

the same settings of the Authentication module. A new evaluation ensures the most current value is 

assigned to the property each time. 

NTLM 

Settings specifying the NTLM method to authenticate users 

Note: These settings are provided if you have selected the NTLM authentication method and configured the 

settings for the Authentication module accordingly. The settings name can vary. 

Authentication Method, Authentication Test, Common Authentication Parameters, Advanced 

Parameters 

The meaning and usage of these settings are the same as for the User Database settings. 

For more information, see User Database. 

NTLM Specific Parameters 

Settings for the NTLM authentication method 

Default NTLM domain — Name of the default Windows domain used for looking up authentication 

information 

Note: This is one of the domains you have configured on the Appliances tab of the Configuration top-level 

menu. 

Get global groups — When selected, information on global user groups is searched for on the 

Windows domain server 

Get local groups — When selected, information on local user groups is searched for on the Windows 

domain server 

Prefix group name with domain name (domain\group) — When selected, the name of the 

Windows domain appears before the name of the user group when authentication information on this 

group is sent from the domain server 

Enable basic authentication — When selected, the basic NTLM authentication method is applied to 

authenticate users. Information that a user submits for authentication is then sent in plain-text format 

(less secure) to the Windows domain server 

Enable integrated authentication — When selected, the integrated NTLM authentication method is 

applied to authenticate users. Information that a user submits for authentication is then encrypted 

before it is sent to the Windows domain server 


5 



Enable NTLM cache — When selected, NTLM authentication information is stored in this cache 

Authentication is then based on this stored information, rather on information retrieved from the 


NTLM cache TTL — Time (in seconds) that authentication information is stored in this cache 



NTLM Agent 

Settings specifying the NTLM Agent method to authenticate users 

Note: These settings are provided if you have selected the NTLM Agent authentication method and configured 

the settings for the Authentication module accordingly. The settings name can vary. 


Parameters 



NTLM Agent Specific Parameters 

Settings for the NTLM Agent authentication method 

Use secure agent connection — When selected, the connection used for communicating with the 

NTML Agent is SSL-secured 

Authentication connection timeout in seconds — Time (in seconds) to elapse before the 

connections to the NTLM-Agent is closed if no activities occur on it 

Agent Definition — List of agents that are available for performing NTLM authentication 


maintenance. 

Table 5-1 Agent Definition list 


String Name of an NTLM agent 

Comment Plain-text comment on the NTLM agent 

Default NTLM domain, Get global groups, ... — The remaining parameters have the same usage 

and meanings as for the NTML authentication method. 

For more information, see User Database Specific Parameters. 


LDAP 

Settings specifying the LDAP method to authenticate users 



Note: These settings are provided if you have selected the LDAP authentication method and configured the 



Parameters 



LDAP Specific Parameters 

Settings for the LDAP authentication method 

LDAP server(s) to connect to — List of LDAP servers to retrieve authentication information from 


Inline lists. 

Table 5-2 LDAP servers list 


String Name of an LDAP server 

Comment Plain-text comment on the LDAP server 

List of certificate authorities — List of certificate authorities for providing certificates when a Secure 

LDAP (S-LDAP) connection is used for communication with the LDAP server 


maintenance. 

Table 5-3 Certificate authorities list 


Certificate authority Name of a certificate authority 

Certificate revocation list List with information on when the certificate becomes invalid and URI used to access 

it 

Trusted Information on whether the certificate is trusted on the appliance 

Comment Plain-text comment on the certificate authority 

Credentials — User name of the appliance for logging on to the LDAP server 

Password — Password for that user name 

Clicking Set opens a window for configuring a new password. 



Enable LDAP version 3 — When selected, version 3 of the LDAP protocol is used 

Allow LDAP library to follow referrals — When selected, the lookup of user information can be 

redirected from the LDAP server to other servers 

Connection live check — Time (in minutes) to elapse between checks to see whether the connection 

to the LDAP server is still active 

LDAP operation timeout — Time (in seconds) to elapse before the connection to the LDAP server is 

closed if no communication occurs 

Base distinguished name to user objects — Distinguished name (DN) in the directory on the LDAP 

server where the lookup of user attributes should begin 

Map user name to DN — When selected, the name of the user who asks for authentication must map 

to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server 


5 



Filter expression to locate a user object — Filtering term for restricting the lookup of user 

attributes 

To substitute the user name in the filtering term, u% is used as a variable. 

Get user attributes — When selected, user attributes are looked up on the LDAP server to 

authenticate a user 

User attributes to retrieve — List of user attributes to retrieve from the LDAP server 


Inline lists. 

Table 5-4 User attributes list 


String User attribute 

Comment Plain-text comment on the user attribute 

Attributes concatenation string — String for separating user attributes found by the lookup, for 

example, / (slash) 

Get groups attributes — When selected, user group attributes are also looked up on the LDAP server 

to authenticate a user 

Base distinguished name to group objects — Distinguished name (DN) in the directory on the 

LDAP server where the lookup of group attributes should begin 

Filter expression to locate a group object — Filtering term for restricting the lookup of group 

attributes 

To substitute the user name in the filtering term, u% is used as a variable 

Group attributes to retrieve — List of group attributes to retrieve from the LDAP server 


Inline lists. 

Table 5-5 Group attributes list 


String Group attribute 

Comment Plain-text comment on the group attribute 

Attributes concatenation string — String for separating group attributes found in the lookup, for 

example, / (slash) 


Novell eDirectory 

Settings specifying the Novell eDirectory method to authenticate users 



Note: These settings are provided if you have selected the Novell eDirectory authentication method and 

configured the settings for the Authentication module accordingly. The settings name can vary. 

Authentication Method, Common Authentication Parameters, Advanced Parameters 



Novell eDirectory Specific Parameters 

Settings for the Novell eDirectory authentication method 

LDAP server(s) to connect to — List of the eDirectory servers that take the role of LDAP servers to 

provide authentication information 


Inline lists. 

Table 5-6 LDAP server list 


String Name of an LDAP server 

Comment Plain-text comment on the LDAP server 

List of certificate authorities, Credentials ... — Meaning and usage of other parameters for the 

Novell eDirectory authentication method are the same as for the LDAP authentication method. 

For more information, see LDAP. 

In addition to these, you need to configure the following parameters: 

eDirectory network address attribute — Name of the attribute that provides the network 

addresses used for the eDirectory server 

eDirectory network login time attribute — Name of the attribute that provides the logon time used 

on the eDirectory server 

eDirectory network minimal update interval — Time to elapse (in seconds) before information 

from the eDirectorry server is updated 


5 



RADIUS 

Settings specifying the RADIUS method to authenticate users 

Note: These settings are provided if you have selected the RADIUS authentication method and configured the 



Parameters 



RADIUS Specific Parameters 

Settings for the RADIUS authentication method 

RADIUS server definition — List of RADIUS servers that authentication information is retrieved from 


Inline lists. 

Table 5-7 RADIUS server list 

Element Description 

String Name of a RADIUS server 

Comment Plain-text comment on the RADIUS server 

Default domain name — Name of the domain that information is retrieved from if no other domain is 

specified 

Shared secret — Password used by the appliance to get access to the RADIUS server 

Radius connection timeout in seconds — Time (in seconds) to elapse before the connection to the 

RADIUS server is closed if no traffic occurs 



Value of attribute with code — Code value for the attribute retrieved with the user group 

information, according to RFC 2865 

For example, 25 is the code for the “class” attribute. 

Vendor specific attribute with vendor ID — Vendor ID for retrieving vendor-related data in the 

search for user group information 

According to RFC 2865, the vendor ID is a part of the vendor attribute, followed by a number of 

subattributes. Its code value is 26. 

Vendor subattribute type — Code value for the type of subattributes included in a vendor attribute. 

according to RFC 2865 

Since not all vendors adhere to this structure, it is recommended to specify 0 as value here. This allows 

the authentication module to retrieve all available vendor information. 


Kerberos 

Settings specifying the Kerberos method to authenticate users 



Note: These settings are provided if you have selected the Kerberos authentication method and configured 

the settings for the Authentication module accordingly. The settings name can vary. 




Kerberos Specific Parameters 

The specific settings of the parameters for the Kerberos authentication method are not configured as 

settings of the authentication module, but as settings of the appliance system. 

They can be accessed on the Appliances tab of the Configuration top-level menu under Kerberos 

Administration. 

After selecting Kerberos in the Authentication Method section of the Kerberos settings, you need to go 

to the Appliances tab and continue the configuration there. 

For more information, see Kerberos Administration system settings. 

Kerberos Administration system settings 

Settings for the Kerberos authentication method 

Key tab file — Input field for entering the file that contains the master key required to access the 

Kerberos server 

Note: You can type a file name or use the Browse button to browse to the file and enter its name in the field. 

When a ticket is issued for authentication according to the Kerberos method, the master key is read on 

the appliance and used to verify the ticket. 

If you are running a load balancer that directs web requests to the appliance, tickets are issued for the 

load balancer and verified on the appliance. It is then not checked whether a request is directed to the 

appliance. 

Kerberos realm — Administrative domain configured for authentication purposes 

Within the boundaries of this domain the Kerberos server has the authority to authenticate a user who 

submits a request from a host or using a service. 

Note: The realm name is case sensitive, however. normally only uppercase letters are used and it is good 

practice to make the realm name the same as that of the relevant DNS domain. 

Maximal time difference between appliance and client — Maximal time (in seconds) that the 

system clocks on the appliance and its clients are allowed to differ 

Note: Configuring Kerberos as the authentication method can lead to problems when particular browsers are 

used for sending requests: 

– When the Microsoft Internet Explorer is used in a version lower than 7.0, Kerberos authentication might not 

be possible at all. 

– When this explorer runs on Windows XP, Kerberos authentication might not work as expected. 

– When Mozilla Firefox is used, Kerberos authentication must be configured in the browser settings to enable 

this authentication method. 

Enable replay cache — When selected, a ticket that is issued for authentication cannot be used more 

than once 

Note: Selecting this option reduces authentication performance. 





5 



SSL Client Certificate 

Settings specifying the SSL Client Certificate authentication method to authenticate users 

Note: These settings are provided if you have selected the SSL Client Certificate authentication method and 





Client Certificate Specific Parameters 

Settings for the SSL Client Certificate authentication method 

User name — Name of the user and other user-related information provided in the certificate that a 

client sends for authentication in SSL-secured communication 

This information is contained in the Subject section of the certificate. The client is required to send the 

certificate under this authentication method, which is also known as x.509 Authentication method. 

When the certificate is read on the appliance, user name information is checked according to what you 

specify here and assigned as a value to the Authentication.Username property. 

You can use the following variables to specify the user name information: 

• $O$ – Organization 

• $OU$ – Organizational unit 

• $U$ – Unit 

• $CN$ – Common name 

• $L$ – Location 

• $ST$ – State 

• $C$ – Country 

In addition to the variables, you can specify plain-text characters here, for example, backslashes to 

separate different pieces of information. 

Realm name — Name of the realm and other realm-related information provided in the certificate that 

a client sends for authentication in SSL-secured communication 

This information is contained in the Issuer section of the certificate. 

When the certificate is read on the appliance, realm information is checked according to what you 

specify here and assigned as a value to the Authentication.Realm property. 

You can specify the variables listed under User name here, as well as plain-text characters. 

Check extended key usage — When selected, the usage information belonging to the key for the 

certificate must contain Client Certificate as an entry 

Accept expired certificates for ... — Number of days during which a certificate is still accepted after 

it has expired 

Block certificates with unknown revocation status — When selected, certificates are not 

accepted on the appliance if their revocation status is not known 

Certificate Authorities — List of certificate authorities (CAs) that can issue a certificate used for 

authentication in SSL-secured communication 


Inline lists. 


Table 5-8 Certificate Authorities list 



Element Description 


Certificate revocation Location where a certificate revocation list (CRL) can be found providing information on 

list URI 

which certificates have been revoked 

Trusted Information on whether a certificate authority is trusted 

Comment Plain-text comment on a certificate authority 




Authentication Server 

Settings specifying the Authentication Server method to authenticate users 

Note: These settings are provided if you have selected the Authentication Server authentication method and 





Authentication Server Specific Parameters 

Settings for the Authentication Server method 

Authentication server URL — URL of the server used under this method to look up authentication 

information 

Require client ID — When selected, the authentication server requires the ID of the client that a user 

sent a request from 

Store authentication result in a cookie — When selected, the information retrieved from the 

authentication server is stored in a cookie 

If cookie authentication is implemented, the cookie is added to the next request sent by the respective 

user, so that this user need not authenticate again. 

Allow persistent cookie for the server — When selected, a cookie can be used persistently for 

sending multiple requests to the authentication server 

Cookie TTL for the authentication server in seconds — Time (in seconds ) that a cookie sent with 

a request to the server is stored 

Cookie prefix — Prefix provided by the appliance for a cookie, for example, MWG_Auth 





5 



Membership in a Windows domain 

This section provides information on the membership of an appliance in a Windows domain. 

To use the NTLM method for authenticating users who send requests from clients, the appliance must 

be a member of a Windows domain. A machine account is created for the appliance within that domain, 

which is used to establish a connection between the appliance and the relevant Windows domain 

controller (DC). The appliance can then retrieve authentication information on users and user groups 

from that controller. 

You can run up to 10 connections from the appliance to different domain controllers within a domain at 

the same time. When the appliance receives authentication requests, it connects to the domain 

controllers that are configured and active. It measures the response time of each controller and 

distributes requests in such a way that the fastest controller gets the highest load to handle. 

Join the appliance to a Windows domain 

When you use the NTLM authentication method, you need to join the appliance to a Windows domain to 

let the authentication module retrieve user information stored on the domain server. The appliance can 

be joined to more than one domain. 

To join the appliance to a Windows domain: 


2 On the appliances tree, go to the appliance you want to join and select Windows Domain 

Memberhship. A list of domains appears on the settings pane. It is initially empty. 

3 Click Join to enter a domain into the list. The Join domain window opens. 

4 Configure a domain name, a domain controller, and other settings in the window. 

5 Click OK. The window closes and the new domain appears in the list. The appliance is now a member 

of this domain. 

Repeat steps 3 to 5 to add multiple domains. 

6 Use the other icons on the toolbar to work with the list: 

• Modify — Opens a window to let you modify a domain entry 

• Leave — Removes a domain from the list and lets the appliance leave this domain 

• Filter — Lets you enter a filtering term to display only domains with matching names 

• Refresh — Refreshes the list 

For more information, see Windows Domain Membership system settings and Configure the 

Authentication module. 




Windows Domain Membership system settings 

The Windows Domain Membership system settings must be configured when joining an appliance to a 

Windows domain or modify its membership in a domain. They provide a list of the domains that the 

appliance is a member of. 


Join Domain window 

The Join Domain window provides options for configuring the Windows domains that the appliance is a 

member of. 

The following table describes the window. 

Table 5-9 Join Domain window 


Windows domain name Name of the domain 


account name 

Name of the account for an appliance 

Overwrite existing account When selected, an existing account is overwritten 

Use NTLM version 2 When selected, NTLM version 2 is used 

Timeout for requests to this 

NTLM domain 

Configured domain 

controllers 

Number of active domain 

controllers 

Time (in seconds) to elapse before processing of a request sent from the 

appliance to a domain controller stops if no response is received 

List of domain controllers that the appliance can connect to in order to 

retrieve authentication information 

Entries must be separated by commas. 

Maximum number of configured domain controllers that can be active at the 

same time 

The allowed range is from 1 to 10. 

Administrator name Is used with a password when the appliance is joined to the domain to 

create an account for it 

The credentials are only used for this purpose and not stored. 

Password For the above administrator 

List of Windows domains 

List of all Windows domains the appliance is a member of 

The list displays the settings of a domain as configured by you in the Join Domain window, except for 

the administrator name and password. 

In addition to these settings, the following is shown: 

Status — Status of the domain 


5 




Instant messaging service (IM service) users can be authenticated on the appliance according to the 

rules of an appropriate rule set. This section describes the rules in a rule set for instant messaging 

authentication and the settings for the modules that are called by these rules. 

When the appliance is configured to run as a proxy under an instant messaging protocol, it can also 

authenticate users who send chat messages and files from clients that are connected to the appliance. 

A rule set with rules for authenticating users of an instant messaging service must be implemented to 

control the authentication. You can import the IM Authentication rule set from the rule set library or 

configure a rule set of your own. 

You can also configure the settings the Authentication module runs with when used by the rules for 

instant messaging authentication, as well as the settings of the File System Logging module when it 

handles logging activities according to the rules for instant messaging authentication. 

For more information, see Import a rule set and IM Authentication. 

IM Authentication 

This section describes the IM Authentication library rule set. The rules in this rule set control the 

authentication of users of an instant messaging service sending chat messages and files from clients 

that are connected to the appliance. 


Library rule set — IM Authentication 


Cycles — Requests (and IM), responses, embedded objects 


• IM Authentication Server 

• IM Proxy 

IM Authentication Server 

This nested rule set handles authentication for instant messaging users under the User Database 

method. 

Nested library rule set — IM Authentication Server 

Criteria — Authentication.IsServerRequest equals true 

Cycle — Requests (and IM), responses, embedded objects 

The rule set criteria specifies that the rule set applies when authentication has been requested for a 

user of an instant messaging service. 


Authenticate clients against user database 

Authentication.Authenticate equals false –> 

Authenticate 

The rule uses the Authentication.Authenticate property to check whether a user who sends a chat 

message or file under an instant messaging protocol is authenticated. The settings that follow the 

property in the rule criteria specify the User Database method for this authentication. 

If a user is not authenticated under this method, processing stops and a message is displayed 

asking the user to authenticate. Processing continues when the next user request is received. 



Instant messaging authentication 5 

The action settings specify that the IM Authentication template is used for displaying the 

authentication message to the user. 

Show Authenticated page 

Always –> Redirect — 

Set User-Defined.logEntry = 

“[” 

+ DateTime.ToISOString 

+ “]”” 

+ URL.GetParameter (“prot”) 

+ ““auth”” 

+ Authentication.Username 

+ ““ ”” 

+ URL.GetParameter (“scrn”) 

+ “““ 

FileSystemLogging.WriteLogEntry (User-Defined.logEntry) 

The rule redirects a request sent from a client by an instant messaging user to an authentication 

server and displays a message to inform the user about the redirect. 

The action settings specify that the Show IM Authenticated template is used for the message. 

The rule also uses an event to set values for a log entry on the authentication request. It uses a 

second event to write this entry into a log file. A parameter of this event specifies the log entry. 

The settings of the event specify the log file and the way it is maintained. 

IM Proxy 

This nested rule set handles authentication of instant messaging users under the Authentication Server 

method. 

Nested library rule set — IM Proxy 

Criteria — Connection.Protocol.IsIM equals true AND 

IM.MessageCanSendBack is true 


The rule set criteria specifies that the rule set applies when a user sends a chat message or a file on a 

connection under an instant messaging protocol and a message can already be sent back from the 

appliance to the user. 


Redirect not authenticated users to the authentication server 


The rule uses the Authentication.Authenticate property to check whether a user who sends a chat 

message or file under an instant messaging protocol is authenticated. The settings that follow the 

property in the rule criteria specify the Authentication Server method for this authentication. 

If a user is not authenticated under this method, processing stops and a message is displayed, 

asking the user to authenticate. Processing continues when the next user request is received. 

The action settings specify that the IM Authentication template is used for displaying the 

authentication message to the user. 


5 



Modules for authenticating users of an instant messaging service 

Two modules are called by the rules for authenticating users of an instant messaging service, the 

Authentication module and the File System Logging module. This section tells you how to configure the 

settings for these modules. 

Configure the authentication and logging modules 

Authentication for users of an instant messaging service and logging authentication activities involves 

the Authentication and the File System Logging modules. 

To configure settings for these modules: 


2 On the rule sets tree, go to the rule set that contains rules for authenticating users of an instant 

messaging service, for example, the IM Authentication rule set. 

3 Select the nested rule set with the rules containing the settings you want to configure. 

For example, select the nested IM Authentication Server rule set, which contains the rule 

Authenticate clients against the user database, and in the rule criteria, select the User 

Database at IM Authentication Server settings. 




For information on these settings, see Settings for the authentication and logging modules. 

For more information on the configuration procedure, see Configure the Authentication module and 

Implement an authentication method. 

Settings for the authentication and logging modules 

This section deals with the settings for the Authentication and File System Logging modules that are 

related to authentication of instant messaging users. 

These settings are implemented when you import the IM Authentication rule set from the rule set 

library. 

Authentication Server IM 

Settings for the Authentication module specifying the Authentication Server method to authenticate 

users of an instant messaging service 

Meaning and usage of these settings are the same as for the settings specifying the Authentication 

Server method to authenticate users under the HTTP and HTTPS protocol. 

For information on these settings, see Advanced Parameters. 

User Database at IM Authentication Server 

Settings for the Authentication module specifying the User Database method to authenticate users of 

an instant messaging service 

Meaning and usage of these settings are the same as for the settings specifying the User Database 

method to authenticate users under the HTTP or HTTPS protocol. 

For information on these settings, see User Database. 



Cookie authentication 5 

IM Logging 

Settings for the File System Logging module specifying the log file for logging activities related to 

instant messaging authentication and the way this log file is maintained 

Meaning and usage of these settings are the same as for other settings of the File System Logging 

Module. 

The settings include the default log file name. For the log file that entries on instant messaging 

authentication are written into, this name is im.log. 

For more information, see File System Logging Settings. 


Users can be authenticated by cookies once they have successfully authenticated on the appliance. This 

section tells you how to configure cookie authentication. It describes a rule set and the settings of the 

module for this authentication. 

The rules in a rule set for cookie authentication say that a cookie is stored for a successfully 

authenticated user and what should be done when this user sends another request. Typically, the user 

does then not need to authenticate again. 

Note: The size of a cookie grows with the user information it contains. This can cause a problem for the 

browser you use to log on to the appliance. 

The Mozilla Firefox browser version 3.5 or higher does not support cookies bigger than 32 KB. So cookie 

authentication might not work for a user who is a member of many user groups. 

A cookie authentication rule set is not implemented after the initial setup of the appliance, but you can 

import one from the rule set library or create a rule set of your own. 

Like other authentication activities, cookie authentication is handled by the Authentication module. 

When the rule set for cookie authentication is imported from the library, settings for this module are 

also implemented. 

Cookie Authentication (rule set) 

This section describes the Cookie Authentication library rule set. The rules in this rule set control teh 

use of cookies for authenticating users who have already been authenticated successfully 


i 

Library rule set — Cookie Authentication 




• Cookie Authentication at HTTP(S) proxy 

• Set Cookie for Authenticated Clients 

• Authenticate Clients With Authentication Server 

• Cookie Authentication at Authentication Server 

• Authentication Server Request 


5 



Cookie Authentication at HTTP(S) Proxy 

This nested rule set handles cookie authentication for users when the Authentication Server method is 

not applied. 

Nested library rule set — Cookie Authentication at HTTP(S) Proxy 

Criteria — Authentication.IsServerRequest equals false AND 

(Connection.Protocol equals “HTTP” or Connection.Protocol equals “HTTPS”) AND 

Command.Name does not equal “CONNECT” AND Command.Name does not equal “CERTVERIFY” 


The rule set criteria specifies that the rule set applies when a user sends a request under the HTTP or 

HTTPS protocol and the request is not one for opening a connection or verifiying a certificate, as can be 

sent in SSL-secured communication, while the Authentication Server method is not required for 

authenticating the user. 


• Set Cookie Authentication for Authenticated Clients 

• Authenticate Clients with Authentication Server 

Set Cookie for Authenticated Clients 

This nested rule set handles the setting of cookies for users once they have been successfully 

authenticated. 

Nested library rule set — Set Cookie for Authenticated Clients 

Criteria — Authentication.IsLandingOnServerLanding equals true 


The rule set criteria specifies that the rule set applies when a user who sent a request from a client has 

been successfully authenticated. 


Set cookie and redirect client to the requested URL 

Always –> Redirect 

The rule sets a cookie for a user who has been successfully authenticated and redirects the request 

the user sent from a client to the appropriate web server . 

The action settings specify a redirect message that is sent to the user. 


Authenticate Clients With Authentication Server 

This nested rule set asks users to authenticate if no valid cookie could be found for them and directs 

them to the authentication server. 

Nested library rule set — Authenticate Clients With Authentication Server 




Redirect clients that do not have a valid cookie to the authentication server 

Authentication.Authenticate equals false –> 

Authenticate 



Cookie authentication 5 

The rule uses the Authentication.Authenticate property to check whether a cookie has been set for 

a user on the client that a request was sent from. If no cookie can be found, a message is 

displayed, asking the user to authenticate. 

The settings for the module that checks whether the user is authenticated are specified with the 

property. 

The action settings specify an authentication message that is sent to the user. 


Cookie Authentication at Authentication Server 


required. 

Nested library rule set — Cookie Authentication at Authentication Server 



The following rule set is nested in this rule set: 

• Authentication Server Request 

Authentication Server Request 


applied. 

Nested library rule set — Authentication Server Request 

Criteria — Authentication.IsServerRequest equals true 


The rule set criteria specifies that the rule set applies when authentication of a user who sent a request 

requires the Authentication Server method. 


Do not authenticate clients that have valid cookies 

Authentication.Authenticate equals true –> Redirect 

 

The rule uses the Authentication.Authenticate property to check whether a cookie has been set for 

a user on the client that a request was sent from. If a cookie could be found, the request is 

redirected to the appropriate web server and no more authentication is required for the user. 


property. 


Authenticate user against user database 


 

The rule uses the Authentication.Authenticate property to check whether a user has been 

successfully authenticated. If not, a message is displayed, asking the user to authenticate. 


property. 

The action settings specify an authentication message that is sent to the user. 


5 



Redirect authenticated client back to the proxy 

Always — Redirect 

The rule redirects the request a user sent from a client. 


Module for cookie authentication 

The rules for cookie authentication call the Authentication module to retrieve user information. This 

section tells you how to configure settings for this module. 

Configure the module for cookie authentication 

To configure settings for the module that handles cookie authentication: 


2 On the rule sets tree, go to the rule set that contains rules for cookie authentication, for example, the 

Cookie Authentication rule set. 

3 Select the nested rule set with the rules containing the settings you want to configure. 

For example, select the nested Authenticate Clients with Authentication Server rule set, 

which contains the rule Redirect clients that have no valid cookie to the authentication 

server, and in the rule criteria, select the Local Cookie Authentication Server settings. 




For information on these settings, see Settings for the cookie authentication module. 

For more information on the configuration procedure, see Configure the Authentication module and 

Implement an authentication method. 

Settings for the cookie authentication module 

This section deals with settings for the Authentication module that are related to cookie authentication. 

These settings are implemented when you import the Cookie Authentication rule set from the rule set 

library. 

Authentication Server - Cookie Check 

Settings for the Authentication module when it looks for cookies under the Authentication Server 

method 

Meaning and usage of these settings are the same as for the settings of the module when it uses the 

Authentication Server method for standard authentication. 


Local Cookie Authentication Server 

Settings for the Authentication module when it looks for cookies 






Quota management 5 

User Database at Authentication Server 

Settings for the Authentication module specifying the User Database method for cookie authentication. 





You can guide the users of your network by imposing time and volume quotas and other restrictions on 

their web usage. This section explains these restrictions and tells you how to configure them. 

Restricting web usage through quota management 

Quotas for restricting the web usage of users can be imposed in several ways. Like other functions on 

the appliance, quotas are implemented by rules that use lists and call modules to retrieve relevant 

information. This section provides an overview of quota restrictions and the appliance functions that are 

related to them. 

Time quota 

By configuring time quotas, you can limit the time that users of your network are allowed to spend for 

web usage. Time quotas can be related to several parameters: 

• URL categories — When time quotas are related to URL categories, users are allowed only a limited 

time for accessing URLs that fall into particular categories, for example, Online Shopping. 

• IP addresses — When time quotas are related to IP addresses, users who send requests from 

particular IP addresses are allowed only a limited time for web usage. 

• User names — When time quotas are related to user names, users are allowed only a limited time 

for web usage. Users are identified by the user names they submitted for authentication on the 

appliance. 

Note: These parameters are used by the rules in the library rule set for time quotas. You can create rules of 

your own that use other parameters in relation to time quotas. 

The time that users spend on web usage is stored on the appliance. When the configured time quota 

has been exceeded for a user, a request that this user sends is blocked. A message is displayed to the 

user stating why the request was blocked. 

Users are identified by the user names they submitted for authentication. If no user name is sent with 

a request, web usage is recorded and blocked or allowed for the IP address of the client system that the 

request was sent from. 

Web usage can be limited to time spent per day, per week, or per month. 

Volume quota 

By configuring volume quotas, you can limit the volume of web objects, measured in GB and MB, that 

the users of your network are allowed to download from the web. Volume quotas can be related to 

several parameters: 

• URL categories — Users are allowed to download only a limited volume of web objects through URLs 

that fall into particular categories, for example, Streaming Media. 

• IP addresses — Users who send download requests from particular IP addresses are allowed only a 

limited volume. 

• User names — Users are allowed to download web objects only up to a limited volume. Users are 

identified by the user names they submitted for authentication on the appliance. 


5 



• Media types — Users are allowed to download web objects belonging to particular media types only 

up to a limited volume. 

Note: These parameters are used by the rules in the library rule set for volume quotas. You can create rules 

of your own that use other parameters in relation to volume quotas. 

Information on the volume that users download from the web is stored on the appliance. When the 

configured volume quota has been exceeded for a user, a request that this user sends is blocked. A 

message is displayed to the user stating why the request was blocked. 

Users are identified by the user names they submitted for authentication. If no user name is sent with 

a request, web usage is recorded and blocked or allowed for the IP address of the client system that the 

request was sent from. 

Web downloads can be limited to volume downloaded per day, per week, or per month. 

Session time 

You can configure session time for users. This is the time allowed for a single session that a user spends 

on web usage. 

Session time is configured separately and handled differently for time quotas, volume quotas, and other 

quota management functions. 

• Session time for time quotas — When configuring time quotas, you also need to configure a 

session time. Whenever session time has elapsed for a user, the amount of time that is configured as 

session time is deducted from the user’s time quota. 

As long as the time quota has not been used up, the user can start a new session. When the time 

quota has elapsed, a request that the user sends is blocked and a block message is displayed. 

• Session time for volume quotas — When configuring volume quotas, the session time has no 

impact on the volume quota for a user. 

You can still configure a session time to inform the user about the amount of time that has been 

used up for web access. When time has elapsed for a session, the user can start a new session, as 

long as the configured volume has not been consumed. If you set the session time to zero, no 

session time is configured and communicated to the user. 

• Session time for other quota management functions — Session time can be configured for 

other quota management functions, which include Coaching, Authorized Override, and Blocking 

Sessions. Accordingly, there can be a coaching, an authorized override, or a blocking session. 

When session time has elapsed for coaching and authorized overriding, a request that a user sends 

is blocked. A message is displayed to the user stating why the request was blocked. The user can 

start a new session unless time quota has also been configured and is used up. 

The session time that is configured for the blocking session function is the time during which 

requests sent by a particular user are blocked. When this time has elapsed, requests from the user 

are again accepted unless time quota has also been configured and is used up. 

Coaching 

For coaching the web usage of your users, you configure a coaching session with a particular length of 

time. When this session time has elapsed for a user, a block message is displayed. The user can then 

start a new session. 

You can configure coaching in relation to the parameters used in the Coaching library rule set, such as 

URL categories, IP addresses, and user names. You can also create rules of your own using other 

parameters. 




Authorized Override 

You can configure session time for a session that allows authorized overriding. When this session time 

has elapsed, a user request is blocked and a block message is displayed. The message also asks for 

submission of a user name and password to start a new session. 

These credentials must be those of an authorized user. For example, in a classroom situation, a user 

who gets blocked after termination of an authorized override session could be a student, while the 

teacher is the authorized user. 

The block message also provides an option to specify the time length of the authorized override session 

for the user who was blocked. 

Note: The time length that is configured for this user should not exceed the time length configured for all 

other users as part of the module settings for authorized overriding. 

You can configure authorized overriding in relation to the parameters used in the Authorized Override 

library rule set, such as URL categories, IP addresses, and user names. You can also create rules of 

your own using other parameters. 

Blocking Sessions 

By configuring blocking sessions you can block requests sent by a user for a configured period of time 

after the user has sent a request that is blocked according to a configured rule, for example, a request 

for a URL that falls into a category on a list used by a blocking rule. 

This is a means of enforcing a web security policy that handles unwanted access to web objects with 

more strictness. 

You can configure blocking sessions in relation to the parameters that are used in the Blocking Sessions 

library rule set. You can also create rules of your own using other parameters. 

Combining quota management functions 

Using a particular quota management function to restrict web usage has no impact on the use of other 

quota management functions. For example, time quotas and volume quotas are configured and 

implemented separately on the appliance. 

You can, however, combine these functions in meaningful ways. For example, you can impose coaching 

on users’ access to some URL categories, while requesting authorized override credentials for other 

categories. For still another group of categories you could block users who attempt to access them over 

a configured period of time. 

Rules for quota management 

Rules for quota management are contained in several rule sets. Each rule set deals with a particular 

quota management function, such as time quota, volume quota, coaching, and others. This section 

describes the rules in these rule sets and explains how to configure them to implement quota 

management. 

Time Quota (rule set) 

This section describes the rules in a library rule set for implementing time quotas. 


Library rule set — Time Quota 

Criteria — SSL.Client.Context.IsApplied equals true OR 

Command.Name does not equal “CONNECT” 


The rule set criteria specify that the rule set applies to SSL-secured communication, as well as to other 

communication, where the CONNECT command is not used at the beginning. 


5 




• Time Quota With URL Configuration 

• Time Quota With IP Configuration 

Note: This nested rule set is not enabled by default. 

• Time Quota With Authenticated User Configuration 


Time Quota With URL Configuration 

This nested rule set handles time quota management related to URL categories. 

Nested library rule set — Time Quota With URL Configuration 

Criteria — URL.Categories at least one in list URL 

Categories Blocklist for Time Quota 


The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls 

into a category on the blocking list maintained especially for time quota management. 


Redirecting after starting new time session 

Quota.Time.lsActivationRequest equals true –> Redirect 

The rule redirects a request to let a user again access a web object after session time has been 

exceeded and the user has chosen to continue with a new session. 

The action settings specify a message to the requesting user. 

Check if time session has been exceeded 

Quota.Time.Session.Exceeded equals true –> 

Block 

The rule uses the Quota.Time.SessionExceeded property to check whether the configured session 

time has been exceeded for a user. If it has, the user’s request for web access is blocked. 

The URL Category Configuration settings, which are specified with the property, are the settings of 

the module for handling time quotas. 


Check if time quota has been exceeded 

Quota.Time.Exceeded equals true –> 

Block 

The rule uses the Quota.Time.Exceeded property to check whether the configured time quota has 

been exceeded for a user. If it has, the user’s request for web access is blocked. 

The settings of the module that handles time quotas are specified with the property. 





Time Quota With IP Configuration 

This nested rule set handles time quota management related to IP addresses. 

Nested library rule set — Time Quota With IP Configuration 

Criteria — Client.IP is in list IP Blocklist for Time Quota 


The rule set criteria specifies that the rule set applies when a user sends a request from a client with an 

IP address that is on the blocking list maintained especially for time quota management. 

The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for 

the module settings, which are IP Configuration. 

Time Quota With Authenticated User Configuration 

This nested rule set handles time quota management related to user names. 

Nested library rule set — Time Quota With Authenticated 

User Configuration 

Criteria — Authenticated.RawUserName is in list User Blocklist for 

Time Quota 


The rule set criteria specifies that the rule set applies when a request is sent by a user whose user 

name is on the blocking list maintained especially for time quota management. 

The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for 

the module settings, which are Authenticated User Configuration. 

Volume Quota (rule set) 

This section describes the rules in a library rule set for implementing volume quotas. 


Library rule set — Volume Quota 




The rule set criteria specify that the rule set applies to SSL-secured communication, as well as to other 

communication, where the CONNECT command is not used at the beginning. 


• Volume Quota With URL Configuration 

• Volume Quota With IP Configuration 


• Volume Quota With Authenticated User Configuration 


• Volume Quota With Media Type Configuration 



5 



Volume Quota With URL Configuration 

This nested rule set handles volume quota management related to URL categories. 

Nested library rule set — Volume Quota With URL 

Configuration 


Categories Blocklist for Volume Quota 



into a category on the blocking list maintained especially for volume quota management. 


Redirecting after starting new volume session 

Quota.Volume.lsActivationRequest equals true –> 

Redirect 


exceeded and the user has chosen to continue with a new session. 


Check if volume session has been exceeded 

Quota.Volume.SessionExceeded equals true –> 

Block 

The rule uses the Quota.Volume.SessionExceeded property to check whether the configured 

session time has been exceeded for a user. If it has, the user’s request for web access is blocked. 


the module for handling volume quotas. 


Check if volume quota has been exceeded 

Quota.Volume.Exceeded equals true –> 

Block 

The rule uses the Quota.Volume.Exceeded property to check whether the configured volume quota 

has been exceeded. If it has, a user’s request for web access is blocked. 

The settings of the module that handles volume quotas are specified with the property. 


Volume Quota With IP Configuration 

This nested rule set handles volume quota management related to IP addresses. 

Nested library rule set — Volume Quota With IP 

Configuration 

Criteria — Client.IP is in list IP Blocklist for Volume Quota 



IP address that is on the blocking list maintained especially for volume quota management. 

The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except 

for the module settings, which are IP Configuration. 




Volume Quota With Authenticated User Configuration 

This nested rule set handles volume quota management related to user names. 

Nested library rule set — Volume Quota with Authenticated 

User Configuration 


Volume Quota 



name is on the blocking list maintained especially for volume quota management. 


for the module settings, which are Authenticated User Configuration. 

Volume Quota With Media Type Configuration 

This nested rule set handles volume quota management related to media types. 

Nested library rule set — Volume Quota with Media Type 

Configuration 

Criteria — MediaType.FromFileExtension at least one in list Media 

Type Blocklist for Volume Quota 


The rule set criteria specifies that the rule set applies when a user sends a request for a web object that 

belongs to a media type on the blocking list maintained especially for volume quota management. 


for the module settings, which are Media Type Configuration. 

Coaching (rule set) 

This section describes the rules in a library rule set for coaching users in their web usage. 


Library rule set — Coaching 




The rule set criteria specifies that the rule set applies to SSL-secured communication, as well as to 

other communication, where the CONNECT command is not used at the beginning. 


• Coaching With URL Configuration 

• Coaching With IP Configuration 


• Coaching With Authenticated User Configuration 



5 



Coaching With URL Configuration 

This nested rule set handles coaching related to URL categories. 

Nested library rule set — Coaching With URL Configuration 


Categories Blocklist for Coaching 



into a category on the blocking list maintained especially for coaching. 


Redirecting after starting new coaching session 

Quota.Coaching.lsActivationRequest equals true –> 

Redirect 

The rule redirects a request to let a user again access a web object after the coaching session time 

has been exceeded and the user has chosen to continue with a new coaching session. 


Check if coaching session has been exceeded 

Quota.Coaching.SessionExceeded equals true –> 

Block 

The rule uses the Quota.Coaching.SessionExceeded property to check whether the coaching 

session time has been exceeded for a user. If it has, the user’s request for web access is blocked. 


the module that handles coaching. 


Coaching with IP Configuration 

This nested rule set handles coaching related to IP addresses. 

Nested library rule set — Coaching with IP Configuration 

Criteria — Client.IP is in list IP Blocklist for Coaching 



IP address that is on the blocking list maintained especially for coaching. 

The rules in this rule set are the same as in the Coaching with URL Configuration rule set, except for the 

module settings, which are IP Configuration. 




Coaching with Authenticated User Configuration 

This nested rule set handles volume quota management related to user names. 

Nested library rule set — Coaching with Authenticated User 

Configuration 


Coaching 



name is on the blocking list maintained especially for coaching. 

The rules in this rule set are the same as in the Coaching with URL Configuration rule set, except for the 

module settings, which are Authenticated User Configuration. 

Authorized Override (rule set) 

This section describes the rules in a library rule set for allowing an authorized override to users when 

session time has been exceeded. 


Library rule set — Authorized Override 




The rule set criteria specifies that the rule set applies to SSL-secured communication, as well as to 

other communication, where the CONNECT command is not used at the beginning. 

Three rule sets are nested in this rule set: 

• Authorized Override With URL Configuration 

• Authorized Override With IP Configuration 


• Authorized Override With Authenticated User Configuration 


Authorized Override With URL Configuration 

This nested rule set handles authorized overriding related to URL categories. 

Nested library rule set — Authorized Override With URL 

Configuration 


Categories Blocklist for Authorized Override 



into a category on the blocking list maintained especially for authorized overriding. 


5 




Redirect after authenticating for authorized override 

Quota.AuthorizedOverride.lsActivationRequest equals true –> 

Redirect 


exceeded and the credentials the user submitted to continue with a new session have been 

validated. 


Check if authorized override session has been exceeded 

Quota.AuthorizedOverride.SessionExceeded equals true –> 

Block 

The rule uses the Quota.AuthorizedOverride.SessionExceeded property to check whether the 

configured session time has been exceeded for a user. If it has, the user’s request for web access 

is blocked. 


the module that handles authorized overriding. 


Authorized Override With IP Configuration 

This nested rule set handles authorized overriding related to IP addresses. 

Nested library rule set — Authorized Override With IP 

Configuration 

Criteria — Client.IP is in list IP Blocklist for Authorized Override 



IP address that is on the blocking list maintained especially for authorized overriding. 

The rules in this rule set are the same as in the Authorized Override With URL Configuration rule set, 

except for the module settings, which are IP Configuration. 

Authorized Override With Authenticated User Configuration 

This nested rule set handles authorized overriding related to user names. 

Nested library rule set — Authorized Override With 

Authenticated User Configuration 


Authorized Override 



name is on the blocking list maintained especially for authorized overriding. 

The rules in this rule set are the same as in the Authorized Override With URL Configuration rule set, 

except for the module settings, which are Authenticated User Configuration. 




Blocking Sessions (rule set) 

This section describes the rules in a library rule set for blocking sessions. 


Library rule set — Blocking Sessions 




There is one nested rule set in this rule set: 

• Blocking Sessions With URL Configuration 

Blocking Sessions With URL Configuration 

This nested rule set handles blocking sessions related to URL categories. 

Nested library rule set — Blocking Sessions With URL 

Configuration 


Categories Blocklist for Blocking Session 



into a category on the blocking list maintained especially for blocking sessions. 


Block user if blocking session is active 

BlockingSession.IsBlocked equals true –> Block 

The rule uses the BlockingSession.IsBlocked property to check whether a blocking session has been 

activated for a user who sends a request. If it has, the request is blocked. 


Activate blocking session if category is in list Category List for Blocking Session 

URL.Categories at least one in list Category List for Blocking Session –> Continue — 

BlockingSession.Activate 

The rule uses the URL.Categories property to check whether a URL that a user requests access to 

falls into a category on the blocking list maintained especially for blocking sessions. If it falls into a 

category on the list, a blocking session is activated for the user. 

The BlockingSession.Activate event is used to activate the blocking session. The event settings are 

specified with the event. 


5 



Configuring quota management functions 

This section tells you how to configure quota management functions to restrict the web usage of the 

users in your network. 

The following quota management functions are available on the appliance: 

• Time quotas 

• Volume quotas 

• Coaching 

• Authorized override 

• Blocking sessions 

For general information on these functions, see Restricting web usage through quota management. 

For descriptions of the configuration procedures, see Configure time quotas and Configure volume 

quotas and other quota management functions. 

Configure time quotas 

You can configure time quotas to restrict the web usage of your users. This includes maintenance of the 

lists and configuration of the module settings that are specified by the time quota rules. 

Note: A rule set for time quotas is not implemented on the appliance after the initial setup. You can import a 

rule set from the rule set library or create a rule set of your own. 

To configure time quotas: 


2 On the rule sets tree, expand the rule set that contains rules for time quotas, for example, the Time 

Quota rule set. The nested rule sets appear. 

3 Select the appropriate nested rule set. For example, to configure time quotas in relation to URL 

categories, select Time Quota With URL Configuration. The general settings and rules of the rule 

set appear on the settings pane. 

4 In the rule set criteria, click the URL Category Block List for Time Quota list name. 


The Edit List (Category) window opens. 

5 Add URL categories to the blocking list. Then click OK to close the window. 

6 In the criteria for one of the rules, click the URL Category Configuration settings name. The Edit 


7 Configure session time and the time quota per day, week, and month. Then click OK to close the 

window. 


For more information on the module settings for time quota, see Time Quota engine settings. For 

adding categories to a category blocking list, see Add a URL category to a blocking list. 




Configure volume quotas and other quota management functions 

You can configure volume quotas and other quota management functions to restrict the web usage of 

your users. This includes maintenance of the lists and configuration of the module settings that are 

specified by the quota rules. These activities are carried out in the same way as for time quotas. 

Note: Rule sets for quota management functions are not implemented on the appliance after the initial setup. 

You can import rule sets from the rule set library or create rule sets of your own. 

To configure volume quotas and other quota management functions: 


2 On the rule sets tree, expand the rule set that contains rules for the quota management function you 

want to configure, for example, Volume Quota. The nested rule sets appear. 

3 Select the appropriate nested rule set, for example, Volume Quota With IP Configuration. The 

general settings and rules of the rule set appear on the settings pane. 

4 In the rule set criteria, click the appropriate blocking list name, for example, IP Block List for 

Volume Quota. 



5 Add the appropriate entries to the blocking list, for example, IP addresses. Then click OK to close the 

window. 

6 In the criteria for one of the rules, click the appropriate settings name, for example, IP 

Configuration. The Edit Settings window opens. 

7 Configure the appropriate parameters, for example, session time and the volume quota per day, 

week, and month. Then click OK to close the window. 


For information on configuring time quotas, see Configure time quotas. For individual module settings, 

see Module settings for quota management. 


5 



Module settings for quota management 

Values for time and volume quotas and for session times are configured on the appliance as settings of 

the quota modules. The quota rules call these modules to retrieve information about these values. This 

section describes the settings for the various modules that are involved in quota management. 

Module settings apply only to the module they are configured for. However, settings names can be the 

same for different modules. For example, in the library rule sets for quota management, there are 

settings named URL Configuration for the Time Quota module, the Volume Quota module, and all other 

modules dealing with quota management. 

Time Quota engine settings 

You can configure the Time Quota engine settings. These are the settings of the module that handles 

time quotas to restrict the web usage of your users. 

Note: You can configure these settings on the Settings tab of the Policy top-level menu. You can also click the 

settings name in a quota rule on the Rule Sets tab to configure these settings. 

URL Category Configuration 

Settings for time quotas related to URL categories 

Time Quota per Day, Week, Month, and Session Time 

Settings for selecting the time unit or the session time that quotas are configured for in the next 

section. 

Note: When a time unit or the session time is selected, the heading of the next section reads accordingly. 

Time quota per day (week, month) — When selected, the quota that is configured in the next 

section applies to the selected time unit 

Session time — When selected, the quota that is configured in the next section applies to the session 

time 

Hours and Minutes for . . . 

Settings for configuring time quotas that apply to the selected time unit or the session time 

Note: The heading of this section varies according to what you selected in the preceding section. 

Hours — Allowed hours per day, week, month, or for the session time 

Minutes — Allowed minutes per day, week, month, or for the session time 

Actual Configured Time Quota 

Displays the configured time quotas 

Time quota per day (week, month) — Allowed time per day, week, or month 

Session time — Allowed session time 

IP Configuration 

Settings for time quotas related to IP addresses 

These settings are configured in the same way as for time quotas related to URL categories. 


Settings for time quotas related to user names 


Default 

Default settings for time quotas 





Volume Quota engine settings 

You can configure the Volume Quota engine settings. These are the settings of the module that handles 

volume quotas to restrict the web usage of your users. 




Settings for volume quotas related to URL categories 

Volume Quota per Day, Week, Month, and Session Time 

Settings for selecting the time unit or the session time that quotas are configured for in the next 

section. 

Note: When a time unit or the session time is selected, the heading of the next section reads accordingly. 

Volume quota per day (week, month) — When selected, the quota that is configured in the next 

section applies to the selected time unit 

Session time — When selected, the quota that is configured in the next section applies to the session 

time 

Volume for . . . (Hours and minutes for . . .) 

Settings for configuring quotas that apply to the selected time unit or the session time 

Note: The heading of this section and the displayed settings vary according to what you selected in the 

preceding section. 

GiB — Allowed volume per day, week, or month 

MiB — Allowed minutes per day, week, or month 

or (for the session time): 

Hours — Hours for the session time 

Minutes — Minutes for the session time 

Actual Configured Volume Quota 

Displays the configured volume quotas 

Volume quota per day (week, month) — Allowed time per day, week, or month 

Session time — Allowed session time 


Settings for volume quotas related to IP addresses 

These settings are configured in the same way as for volume quotas related to URL categories. 


Settings for volume quotas related to user names 


Media Type Configuration 

Settings for volume quotas related to user names 


Default 

Default settings for volume quotas 



5 



Coaching engine settings 

You can configure the Coaching engine settings. These are the settings of the module that handles 

coaching. 




Settings for coaching related to URL categories 

Hours and Minutes of Session Time 

Settings for configuring the time length of a coaching session 

Days — Days of the coaching session 

Hours — Hours of the coaching session 

Minutes — Minutes of the coaching session 


Settings for coaching related to IP addresses 

These settings are configured in the same way as for coaching related to URL categories. 


Settings for coaching related to user names 


Default 

Default settings for coaching 





Authorized Override engine settings 

You can configure the Authorized Override engine settings. These are the settings of the module that 

handles authorized overriding. 




Settings for authorized overriding related to URL categories 

Hours and Minutes of Maximum Session Time 

Settings for configuring the time length of session where authorized overriding is allowed 

Days — Days of the authorized override session 

Hours — Hours of the authorized override session 

Minutes — Minutes of the authorized override session 


Settings for authorized overriding related to IP addresses 

These settings are configured in the same way as for authorized overriding related to URL categories. 


Settings for authorized overriding related to user names 


Default 

Default settings for authorized overriding 


BlockSessionFilter engine settings 

You can configure the BlockSessionFilter engine settings. These are the settings of the module that 

handles blocking sessions. 




Settings for blocking sessions related to URL categories 

Hours and Minutes of Session Time 

Settings for configuring the time length of a blocking session 

Days — Days of the blocking session 

Hours — Hours of the blocking session 

Minutes — Minutes of the blocking session 


5 



Quota system settings 

Quota system settings are general settings for time intervals related to quota management. If an 

appliance is a node in a central management configuration, you can also configure time intervals for 

synchronization of data with other appliances. 


They can also appear under the name of Coaching (instead of Quota), but apply in both cases to all options 

that are provided for quota management: Authorized override, blocking sessions, coaching, time quota, and 

volume quota. 

Quota Intervals for Synchronisation Saving in Minutes 

Settings for time intervals related to quota management 

Save interval — Time (in minutes) to elapse before current quota values are saved on an appliance, 

for example, the volume in bytes that has been consumed by a particular user 

Interval for sending updated quota data — Time (in minutes) to elapse before current quota 

values are distributed from an appliance to all nodes in a central management configuration 

The distributed data includes the changes in quota values that have occurred since the last time that 

data were distributed from the appliance. 

Interval for base synchronisation — Time (in minutes) to elapse before quota values are 

synchronized on all nodes in a central management configuration 

The synchronization takes a snapshot of the current quota values on all appliances. The values that are 

most recent with regard to individual users are distributed to all appliances. 

The values are also distributed to nodes that were temporarily inactive and did not receive updates sent 

during that time. They are, furthermore, distributed to nodes that have been newly added to the 

configuration, so they did not receive any previous updates. 

Cleanup database after — Time (in days) to elapse before data is deleted in the quota database 

Before data is deleted, a check is performed to see whether the data is obsolete. Data is obsolete if the 

time interval that has been configured for a quota management function has elapsed. 

For example, if a particular amount of bytes has been configured as volume quota for a user to be 

consumed during a month, the amount that the user actually consumed during a month becomes 

obsolete when a new month begins. The cleanup then deletes this data if the time configured under the 

Cleanup database after option has also elapsed. 

Stored data becomes obsolete after a month for time quotas. For other quota management functions, 

other time intervals are relevant. For example, for coaching and authorized overriding, the cleanup 

cannot be performed before the allowed session time has elapsed. 




Administrator accounts 5 

Administrator accounts can be set up and managed on the appliance or on an external server. This 

section tells you how to do this and how to create administrator roles with different access privileges for 

administrators. 

Internal management of administrator accounts 

You can manage accounts internally. These are stored on the appliance, not on an external server. 

Complete the below procedures to do this. 

Add an administrator account 

To add an internal administrator account: 

1 Go to Accounts | Administrator accounts. 

Note: On the Administrator Accounts tab, an administrator and a role have already been inserted at the 

initial setup. 

2 Under Internal Administrator Accounts, click Add. The Add Administrator window opens. 

3 Add a user name, a password, and other settings for the account. Then click OK. 


For more information, see Administrator account settings. 

Edit an administrator account 

To edit an internal administrator account: 


2 Under Internal Administrator Accounts, select an account and click Edit. The Edit Administrator 

window opens. 

Note: You can use the Filter input field to type a filtering term and display only accounts with matching 

names. 

3 Edit the settings of the account as needed. 


For more information, see Administrator account settings. 

Delete an administrator account 

To delete an administrator account: 


2 Under Internal Administrator Accounts, select an account and click Delete. A window opens to 

let you confirm the deletion. 

Note: You cannot delete all administrator accounts. At least one must always exist on the appliance. 



5 



Administrator account settings 

You can use the administrator account settings to add or edit an administrator account. 

User name — User name of the administrator 

Password — Administrator password 

Password repeated — Repetition of the password to check and confirm it 

Note: In the Edit Administrator window, you need to select Set a new password before the two password 

fields become available. 

Role — List for selecting an administrator role 

Note: You can use the Edit and Add icons to edit and add roles. The modified and added roles appear also in 

the list of administratrator roles under Roles. 

[Optional] Name — Real name of the person that the account is set up for 

Test with current settings 

You can test whether an administrator with given credentials would be admitted on the appliance. The 

following settings are provided for this purpose on the Administrator Accounts tab of the Accounts 


User — User name that is tested 

Password — Tested password 

Test — Executes the test 

The Authentication Test Results window opens to display the outcome of the test. 

Administrator roles 

You can set up roles and use them to configure administrator accounts. 

Manage administrator roles 

Complete the following procedure to manage administrator roles: 


Note: On the Administrator Accounts tab, an administrator and a role have already been inserted after the 

initial setup. 

2 Under Roles, click Add to add a role. The Add Role window opens. 

3 In the Name field, type a role name. 

4 Configure access rights for the dashboard, rules, lists, and other items. 

5 Use the Edit and Delete icons to edit and delete roles. 

Note: The added and modified roles appear also in the list of administratrator roles under Internal 

Administrator Accounts and the deleted disappear. 


For more information, see Administrator role settings. 



Administrator accounts 5 

Administrator role settings 

You can use the following settings to add or edit an administrator role. The items of the user interface 

listed here are accessible for the role according to your selections. 

Name — Name of the role 

Dashboard accessible — When selected 

Policy – Rules accessible — When selected 

Top level move & create — When selected 

Policy – Lists accessible — When selected 

List creation — When selected 

Policy – Settings accessible — When selected 

Settings creation — When selected 

Configuration accessible — When selected 

Accounts accessible — When selected 

Log files accessible — When selected 

Permissions accessible — When selected 

Read only admin — When selected, the role allows only to read information on the user interface, but 

not any configuration or other activities 

For more information, see Manage administrator roles. 

Configure external account management 

You can have administrator accounts managed on external authentication servers and map externally 

stored user groups and individual users on to roles on the appliance. 

Complete the following procedure to configure external account management: 


2 Click Administrator accounts are managed in an external directory server. Additional 

settings appear. 

3 Under Authentication Server Details, configure settings for the external server. These settings 

determine the way the authentication module on the appliance retrieves information from that server. 

4 Use the settings under Authentication group = role mapping, to map user groups and individual 

users stored on the external server to roles on the appliance: 

a Click Add. The Group/User Role Mapping window opens. 

b Select the checkboxes next to the input field for groups and users as needed and type group and 

user names in these fields. 

c Click OK. 

d Under Role to map to, select a role. 

Note: You can use the Edit and Delete icons to edit and delete roles. 

e Click OK and then Save Changes. 

For information on the settings for the authentication server, see Settings for the Authentication 

module. 


5 




6 

Web filtering 

Contents 

Filtering web objects 

Virus and malware filtering 

URL filtering 

Media type filtering 

HTML filtering 

Global whitelisting 

SSL scanning 

Supporting functions 

User messages 


The McAfee Web Gateway appliance filters web objects before the users of your network can access 

them. The sections of this chapter explain the filtering process and tell you how to administer it. 

The functions for filtering web objects are controlled by rules. These say, for example, when access to 

an object is blocked or allowed. They go through blocking lists and whitelists and call modules to let 

them retrieve other relevant filtering information. 

For example, a rule calls the Anti-Malware module to find out whether an object is infected, while 

another rule calls the URL Filter module to retrieve information on URL categories. 

Administering the filtering process 

Administering the filtering process for web objects includes the following activities: 

• Reviewing and modifying the filtering rules — These rules are implemented at the initial setup 

by the policy creation wizard or as a default system. You can review and modify what is implemented. 

• Maintaining the filter lists — These include mainly blocking lists and whitelists for URLs, media 

types, HTML pages, and other web objects. 

• Configuring the module settings — By configuring these settings you determine the way the 

modules retrieve relevant information for the filtering process. For example, it depends on these 

settings whether the Antimalware module uses only virus signatures to detect infected web objects 

or also proactive methods. 

• Adapting user messages on filtering actions — A message sent to a user might read as follows: 

The transferred file contained a virus and was therefore blocked. To adapt these messages, you need 

to configure the settings of the actions in question. 


6 



The sections of this chapter explain these activities in detail for individual filtering functions. They 

assume that you have read the Rule and Rule Sets chapter, which provides general information on 

handling rules and how they use filter lists and modules. 

For more information, see Rules and rule sets and the sections on individual filtering functions, such as 

Virus and malware filtering, URL filtering, and others. 

For adapting user messages, see User messages. 

Functions for filtering web objects 

You can use the following functions to filter web objects on the appliance: 

• Virus and malware filtering — You can filter web objects and block them if they are infected by 

viruses and other malware, using the Antimalware module, which can apply different methods when 

scanning objects. 

• URL filtering — You can filter URLs individually and per category and block inappropriate or 

malicious content, using filter lists and information that the URL Filter module retrieves from the 

global Global Threat Intelligence system. 

• Media type filtering — You can filter media types and block text, audio, image, streaming, or other 

media, using appropriate filter lists for upload and download. 

• HTML filtering — You can filter HTML pages and have embedded objects, including Java and Visual 

Basic scripts, ActiveX controls, and others, removed from them. 

• Global whitelisting — You can enter URLs onto a global whitelist to ensure the users of your 

network can access them. 

• SSL scanning — You can have SSL-secured requests inspected to make them available for further 

filtering and block objects if they are not sufficiently secured by a valid certificate. 

You can also use functions that do not themselves filter web objects, but support the filtering process: 

• Progress indication — You can show users the progress made in downloading objects. 

• Next-hop proxies — You can use next-hop proxies for routing requests to their destinations. 

For more information, see the sections on individual filtering and supporting functions, for example, 

URL filtering or Progress Indication. 




Virus and malware filtering 6 

The appliance filters web objects to block viruses and other malware. This section gives an overview of 

the virus and malware filtering process and describes in detail how you can modify it. 

Virus and malware filtering process 

Several elements work together in the virus and malware filtering process on the appliance. These 

include: 

• Filtering rules that control the process 

• Whitelists that are used by rules to exempt particular web objects from filtering 

• The Anti-Malware module, which is called by a suitable rule to scan web objects for infections by 

viruses and other malware 

Filtering rules 

The rules that control the virus and malware filtering process are usually contained in one rule set. 

There is a rule that blocks web objects if infected by viruses and other malware. To find out about 

infections, the rule calls the Anti-Malware module, which scans objects and lets the rule know about its 

findings. 

Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them 

applies, the blocking rule is skipped and no virus and malware filtering is done for the whitelisted 

objects. 

You can review these rules, modify or delete them, and also create your own rules. 

For more information, see Rules for virus and malware filtering. 

Whitelists 

Whitelists are used by whitelisting rules to let particular web objects skip the blocking rule, which 

means there is no virus and malware filtering for these objects. There can be different whitelists for 

URLs, media types, and other types of objects. 

Note: Blocking lists are typically not used in virus and malware filtering because here the blocking depends 

not on lists, but on the findings of the Anti-Malware module. 

You can add entries to these lists or remove entries. You can also create your own lists and let them be 

used by the whitelisting rules. 

For more information, see Whitelists for virus and malware filtering. 

Anti-Malware module 

The Anti-Malware module scans objects to detect infections by viruses and other malware. Based on the 

findings of this module, the blocking rule blocks access to web objects or lets them pass through. 

You can configure settings for this module, for example, to let it scan objects using only virus 

signatures to detect infections or also proactive methods. 

For more information, see Module for virus and malware filtering. 


6 



Rules for virus and malware filtering 

Rules that filter web objects for infections are contained in a virus and malware filtering rule set. This 

section explains these rules and describes a library rule set. 

A virus and malware filtering rule set typically includes a blocking rule that blocks access to infected 

objects. It can also include rules for whitelisting web objects, such as URLs, media types, and others, 

that should not be filtered to avoid getting blocked eventually. 

The whitelisting rules are placed before the blocking rule, so they are processed before it. If a 

requested object is on one of the whitelists, the corresponding rule applies. It stops the processing of 

the rule set, so the blocking rule is not processed and cannot apply. 

A rule set like this is included when the wizard creates a system of rule sets. It is also included in the 

default system. 

Rule sets for virus and malware filtering differ from each other mainly with regard to their whitelisting 

rules, which can cover different types of web objects and use different whitelists. They do not differ, 

however, in their fundamental structure, which combines a blocking rule with one or more whitelisting 

rules that are processed before it. 

View the implemented virus and malware filtering rules 

The virus and malware filtering rules that are implemented on the appliance can be viewed on the user 

interface. 


2 On the rule sets tree, select the rule set that contains the virus and malware filtering rules, which is 

by default named Gateway Antimalware. The individual rules appear on the settings pane. 

3 On the settings pane, click Show Details. Rule conditions and events are displayed for each rule. 

You can modify these rules, copy and paste them, delete them, and also create your own rules. 




Process flow in a virus and malware filtering rule set 

This section describes the process flow in a rule set for virus and malware filtering. This rule set could, 

for example, include: 

• A whitelisting rule for media types 

• A whitelisting rule for URLs 

• A blocking rule that blocks access to objects if they are infected. 

When, for example, an infected, non-whitelisted object is sent in response to a user request from a web 

server, these rules work together, creating a process flow as follows: 

Object is a URL and on the whitelist? 

– No. –> 

Object is streaming media and on the 

whitelist? – No. 

Object is infected by a virus or other 

malware? – Yes. –> 

Processing continues with the next rule in the rule set. 

–> Processing continues with the next rule in the rule set. 

Processing of rules stops. 

The object is blocked (and not passed on to the user 

who requested it). A block message is sent to this user. 

If the object were streaming media and on the whitelist, the process flow would be: 

Object is URL and on the whitelist? – 

No. –> 

Object is streaming media and on the 

whitelist? – Yes. –> 

Object isinfected bya virus or other 

malware? 

Processing continues with the next rule in the rule set. 

Processing of the rule set stops. 

The blocking rule is not processed. The object is not 

scanned for infections. 


6 



Virus and malware filtering rules 

This section explains in detail a blocking rule and a whitelisting rule for virus and malware filtering. 

Note: The rules are shown here in a notation that comes close to how they appear on the user interface. 

Blocking rule 

The following is an example of a blocking rule for virus and malware filtering. 

Name 




In plain text, this rule can be rephrased as follows: 

If an object is infected by a virus or other malware, block access to it. 

The key element in the rule criteria is Antimalware.Infected. It is the property that is checked for a 

given web object. Antimalware.Infected is (“equals”) true if the object is actually infected by a virus or 

other malware. The Antimalware module is called to find out whether this is the case. If it is, the criteria 

is matched and the rule applies. The rule then executes its action, which is the Block action. It blocks 

access to the object. 

The Antimalware.Infected property has the Gateway Antimalware settings specified for it. This means 

the module that scans objects for infections runs with these settings. The settings determine, for 

example, which methods are used for the scanning. 

The Block action also has settings specified for it. These settings determine that a message is sent to a 

user who is affected by the action and what this message looks like. For this virus and malware filtering 

rule, the Virus Found settings are specified, which means that the message mentions an infection of the 

requested object as the reason for the blocking. 

Whitelisting rule 

The following is an example of a whitelisting rule for virus and malware filtering. 

Name 

Do not filter specific URLs 


URL matches in list Antimalware.URL Whitelist –> Stop Rule Set 


If a URL matches one of the entries on the whitelist for virus and malware filtering, do not process 

the virus and malware filtering rule set any further. 

The property in the rule criteria is URL. When the rule is processed, it is checked for a given URL 

whether it matches one of the entries in the list (“matches in list”) that is specified in the criteria as the 

Antimalware.URL Whitelist. If it does, the criteria matches and the rule applies. 

The rule then executes the Stop Rule Set action, which stops processing of the virus and malware 

filtering rule set and lets all rules of the rule set that follow this whitelisting rule be skipped, including 

the blocking rule (if placed behind this rule). 




Gateway Antimalware 

This section explains the rules in a library rule set for virus and malware filtering. 


Library rule set — Gateway Antimalware 




Remove partial content for HTTP requests 

Cycle.TopName equals “Request” AND (Connection.Protocol equals “http” OR Connection.Protocol 

equals “https”) –> Continue — Header.RemoveAll (“Range”) 

The rule uses the Cycle.TopName and Connection.Protocol properties to check whether the current 

processing cycle is the request cycle and whether a request is sent in HTTP or HTTPS mode. If this 

is the case, the Header.RemoveAll event modifies the request by removing the specification that 

only partial content is requested. 

A request for complete content is then forwarded to the relevant web server and eventually 

received from there, so that the complete content of a web object can be processed on the 

appliance. For example, a complete archive can be opened and scanned for viruses and other 

malware. Malicious content that is distributed over several parts of a file can be detected by 

scanning the complete file, while it could go unnoticed if only parts of the file were scanned. 

The Continue action lets processing continue with the next rule. 

Block partial content for FTP requests 

Cycle.TopName equals “Request” AND Connection.Protocol equals “ftp” AND Command.Categories 

contains “Partial” –> Block 

The rule uses the Cycle.TopName, Connection.Protocol, and Command.Categories properties to 

check whether the current processing cycle is the request cycle, the request is sent in FTP mode, 

and the command category used for the FTP transfer contains Partial as a string. This allows the 

appliance to detect an FTP request for partial content and block it. 

Unlike with HTTP or HTTPS requests, an FTP request for partial content cannot be modified to 

make it a request for complete content. However, security problems would arise if partial content 

was accepted on the appliance, which are the same as the ones that were explained in the 

comment on the rule for blocking HTTP and HTTPS requests. 


Allow if user agent matches User Agent Whitelist 

Header.Request.Get (“User-Agent”) matches in list User Agent WhiteList –> Stop Rule Set 

The rule uses the Header.Request.Get property to check the user agent information that is sent 

with the header of a request. If the user agent in question is on the specified whitelist, processing 

of the rule set stops, so the blocking rule of the rule set is not processed and cannot block the 

request. 

A parameter of the property specifies that it is the user agent information that must be checked 

when the rule is processed. 

Note: This rule is not enabled by default. Using this rule alone for whitelisting will cause a security problem 

because usually a client can set whatever user agent it prefers. 


6 



Allow URL hosts that match in list Antimalware URL Whitelist 

URL.Host matches in list Antimalware URL Whitelist –> Stop Rule Set 

The rule uses the URL.Host property to check whether a given URL matches one of the entries on 

the specified whitelist. If it does, processing of the rule set stops and the blocking rule is not 

processed. 

You can use this rule to exempt web traffic from filtering when the hosts of the URLs involved are 

well-known web servers for which it is safe to assume that they spread no viruses and other 

malware. Whitelisting increases performance because it avoids the effort of scanning the 

respective web objects. 

Allow streaming media from list Antimalware Media Whitelist 

(URL Categories contains Streaming Media OR 

URL Categories contains Internet Radio / TV OR 

URL Categories contains General News) 

AND MediaType.Ensured all in list Antimalware Media Type Whitelist –> Stop Rule Set 

The rule uses the URL.Categories property to check whether a given URL belongs to Streaming 

Media or related categories. The URL Filter module, which is called to retrieve category 

information, runs with the Default settings, as specified with the property. 

The second part of the criteria uses the MediaType.Ensured property to check if the media type of 

a web object is found on the specified whitelist. 

If the URL belongs to one of the categories in question, and the web object that is located by the 

URL is of a media type that is on the whitelist, processing of the rule set stops and the blocking 

rule is not processed. 

The Anti-Malware module scans complete files, which means it waits for the end of data 

transmission before starting the scan. As streaming media is by nature an endless stream of data, 

the Anti-Malware module would wait forever. However, the risk that streaming media will contain a 

virus or other malware is very low. Therefore, streaming media can be exempted from scanning. 



— Statistics.Counter.Increment (“BlockedByAntiMalware”,1) 

The rule uses the Antimalware.Infected property to check whether a given web object is infected 

by a virus or other malware. The Anti-Malware module, which is called to scan the object runs with 

the Gateway Antimalware settings, as specified with the property. These settings let the module 

use all its three submodules and their methods to scan web objects. 

If the module finds that a web object is infected, processing of all rules stops and the object is not 

passed on any further. Access to it is blocked this way. In a request cycle, the infected web object 

is not passed on to the web. In the response and embedded object cycles, it is not passed on to 

the user who requested it. 


The rule also uses an event to count blocking due to virus and malware infections. The event 

parameters specify the counter that is incremented and the size of the increment. The event 

settings specify the settings of the Statistics module, which executes the counting. 


Whitelists for virus and malware filtering 



You can maintain whitelists for web objects to let them skip virus and malware filtering. This section 

explains how this is done and describes some sample whitelists. 

You can add entries for particular web objects, such as URL, media types, and others, onto whitelists. 

The rules of the virus and malware filtering rule set use these lists and let the rule that would 

eventually block the objects not be processed. 

Note: This means that when you edit a whitelist, you also modify the rule that uses it. You should therefore 

make sure you know which rule uses a list that you edit. 

You can do this, for example, by reviewing the rules of the virus and malware filtering rule set to see which 

list names appear in rule names and criteria. 

Whitelists are created at the initial setup of the appliance together with the corresponding rules and 

rule sets. You can also create lists of your own. 

The procedures used to maintain whitelists differ according to the list type. For example, you can add 

wildcard expressions to a whitelist for URLs by typing them into the list. When adding media types, 

however, you select them from folders with media type groups. 

Sample whitelists for virus and malware filtering 

This section describes some sample whitelists used by the library Gateway Antimalware rule set. 

When you import the rule set, these lists are also imported. You can find them on the Lists tab of the 

Policy top-level menu, sorted by their types and names. 


User Agent Whitelist 

List of wildcard expressions for user agents 

Requests for URLs that have user agents matching these expressions are allowed to skip virus and 

malware filtering by an appropriate rule. 

Type — Wildcard Expression 



Table 6-1 User Agent Whitelist 


Wildcard Expression Wildcard expression for user agents 

Comment Plain-text comment on a wildcard expression 

Antimalware URL Whitelist 

List of wildcard expressions for URLs 

Requests for URLs matching these expressions are allowed to skip virus and malware filtering by an 

appropriate rule. 




Table 6-2 Antimalware URL Whitelist 


Wildcard Expression Wildcard expression for URLs 



6 



Antimalware Media Type Whitelist 

List of media types 

Requests for web objects that belong to these media types are allowed to skip virus and malware 

filtering by an appropriate rule. 

Type — MediaType 

Initial entries — application/ogg – Audio/Video files in OGG format 

application/vnd.ms-af – Microsoft Multimedia Container 

and others 


Table 6-3 Antimalware Media Type Whitelist 


MediaType Media type 

Comment Plain-text comment on a media type 

Add a wildcard expression to a virus and malware filtering whitelist for URLs 

You can add a wildcard expression to a whitelist in a virus and malware filtering rule to exempt requests 

for URLs that match this expression from filtering. 


2 On the rule sets tree, select the rule set that contains rules for virus and malware filtering, for example 

Gateway Antimalware. The rules appear on the settings pane. 

3 Find the rule that uses a whitelist to exempt requests for particular URLs from filtering, for example, 

Allow URL hosts that match in list Antimalware User Whitelist, and click on the list name. The 

Edit List (Wildcard Expression) window opens. 













Add a wildcard expression to a virus and malware filtering whitelist for user 

agents 

You can add a wildcard expression to a whitelist in a virus and malware filtering rule to exempt requests 

from filtering when these are sent from clients with user agents that match the expression. 




3 Find the rule that uses a whitelist to exempt requests sent with particular user agents from filtering, 

for example, Allow if user agent matches in list User Agent Whitelist, and click on the list 

name. 












Add a media type to a virus and malware filtering whitelist 

You can add a media type to a whitelist to let web objects of this type skip virus and malware filtering. 




3 Find the rule that uses a whitelist to exempt web objects that belong to a particular media type from 

filtering, for example, Allow streaming media from list Antimalware Media Type Whitelist, 

and click on the list name. 

The Edit List (MediaType) window opens. 


5 Expand the group folder with the media type you want to add, for example, Document, and select 

the media type, for example, application/vnd/ms-excel. 


6 Click OK. The window closes and the media type appears on the whitelist. 




6 



Change the list used by a whitelisting rule 

This section explains how to change a list for a whitelisting rule used in virus and malware filtering by 

replacing it with a new list you have created. 

Create a new list for a whitelisting rule 

To create a new list: 


2 On the Custom Lists branch of the lists tree, select Wildcard Expression and click Add. The Add 

List window opens. 

a In the Name field, type a name for the new list, for example, My Antimalware URL Whitelist. 

b [Optional] In the Comment field, type a plain-text comment on the new list and on the 

Permissions tab, configure who is allowed access to it. 

c Click OK. The Add List window closes and the new list is inserted on the lists tree under Wildcard 

Expression. 


Modify a whitelisting rule to use a new list 

To let a whitelisting rule use a new list: 


2 On the rule sets tree, select a virus and malware filtering rule set, for example, the Gateway 

Antimalware rule set. The rules of this rule set appear on the settings pane. 

3 Select the whitelisting rule for URLs, for example, Allow URL hosts that match in list 

Antimalware URL Whitelist, and click Edit immediately above the topmost rule. The Edit Rule 

window opens. 

4 Select Rule Criteria and then the rule and click Edit. The Edit Criteria window opens. 

5 From the drop-down list under Parameter – Value, select the new list. 

6 Click OK and Finish to close the open windows. The name of the new list appears in the criteria of 

the whitelisting rule on the settings pane. 


The whitelisting rule for URLs now uses your new list. You need to fill this list with wildcard expressions 

to let URLs skip virus and malware filtering. 

For information on how to fill a list with entries, see Add list entries. 


Module for virus and malware filtering 



The Anti-Malware module (also known as Anti-Malware engine) scans web objects for infections by 

viruses and other malware. This section tells you how to configure this module and describes the 

module settings. 

The blocking rule of the virus and malware filtering process relies on the Anti-Malware module to find 

out whether a web object is infected by viruses or other malware. By configuring settings for it, you can 

let the module do its scanning job in different ways. 

Note: This means that when you edit the module settings, you also modify the blocking rule that uses it. You 

should therefore make sure you know which blocking rule uses the module whose settings you edit. You can 

do this, for example, by reviewing the rule in the virus and malware filtering rule set to see which settings 

name appears in the rule criteria. 

The module has three submodules, which can run in different combinations. Each submodule uses 

different methods to detect infections in web objects. 

Note: Which of the submodules are available on your appliance depends on the licenses you have purchased. 

• McAfee Gateway Anti-Malware — Uses proactive methods. You can configure several advanced 

settings for this submodule, however not for the other two. 

• McAfee Anti-Malware — Uses virus signatures. In contrast to the proactive methods, virus 

signatures can only be applied to detect viruses that are already known. 

• Avira — Provides the scanning methods of a third-party product. 

The submodules and their methods can be combined into scanning modes as follows: 

Mode a: proactive + signatures + third-party 

Mode b: proactive + signatures 

Mode c: signatures only 

Other module settings are for the AV PreScan option, which reduces the scanning load, or the Mobile 

Code Behavior option, which lets you set a level of strictness in classifying code. 

For more information, see Configure the Anti-Malware module and Select a different mode for scanning 

web objects. 

Configure the Anti-Malware module 

This section tells you how to configure settings for the Anti-Malware module. 

Complete the following procedure to configure these settings: 


2 On the settings tree, go to Engines | Anti-Malware and select a settings name, for example, 

Gateway Antimalware. 



For more information on these settings, see Anti-Malware engine settings. 


6 



Select a different mode for scanning web objects 

This section explains how to select a different mode for the module that scans web objects for 

infections. 

Note: Which mode can be selected on your appliance depends on the licenses you have purchased. 

To select a different mode for the scanning module: 


2 On the rule sets tree, select a virus and malware filtering rule set, for example, Gateway 

Antimalware. The rules of this rule set appear on the settings pane. 

3 Make sure Show Details (above the list of rules) is enabled and in the criteria of the Block if virus 

was found rule, select the module settings, for example Gateway Antimalware. The Edit Settings 

window opens. 

4 Scroll down to the Select scanning engines section and select a combination of submodules that 

uses a particular scanning mode. 

• McAfee Gateway Anti-Malware including McAfee Anti-Malware — When selected, these 

two submodules and Avira are active. 

–> Scanning mode: proactive methods + virus signatures + third-party module functions 

• McAfee Gateway Anti-Malware including McAfee Anti-Malware without Avira — When 

selected, only the first two submodules are active. 

–> Scanning mode: proactive methods + virus signatures. 

• McAfee Anti-Malware only — When selected, only this submodule is active. 

–> Scanning mode: signatures only 

Note: If you select this mode for a Gateway Antimalware rule set, you should rename the settings and 

the rule set, for example, to McAfee Anti-Malware settings and rule set respectively, to indicate a key 

setting has changed. 





Anti-Malware engine settings 

You can configure the Anti-Malware engine settings. These are settings of the module used in virus and 

malware filtering to scan web objects. 

Note: These settings can be configured on the Settings tab of the Policy top-level menu. 

Gateway Antimalware 

Settings for the scanning module used in virus and malware filtering 

Select Scanning Engines 

Settings for selecting a combination of submodules to determine the scanning mode 

McAfee Gateway Anti-Malware including McAfee Anti-Malware — When selected, these two 

submodules and Avira are active 

Web objects are then scanned using: 

proactive methods + virus signatures + third-party module functions 

McAfee Gateway Anti-Malware including McAfee Anti-Malware without Avira — When 

selected, only the first two submodules are active 


proactive methods + virus signatures 

McAfee Anti-Malware only — When selected, only this submodule is active 


signatures only 

Mobile Code Behavior 

Settings for configuring a risk level in classifying mobile code 

The risk level can take values from 60 to 100. 

A low value means the risk in proactively scanning the behavior of mobile code and not detecting that it 

is malware is low because the scanning methods are applied very strictly. Mobile code will then be 

classified as malware even if only a few criteria of being potentially malicious have been detected. 

This can lead to classifying mobile code as malware that is actually not malicious (“false positives”). 

While more proactive security is achieved with a stricter setting, accuracy in determining which mobile 

code is really malicious will suffer. Consequently, the appliance might block web objects that you want 

to get through to your users. 

A high value means the risk in not detecting malicious mobile code is high (more “false negatives”), but 

more accuracy is achieved in classifiying mobile code correctly as malicious or not (fewer “false 

positives”). 

Classification threshold — Slider scale for setting a risk level as described above 

• Minimum value (maximum proactivity): 60 

• Maximum value (maximum accuracy): 100 


Settings for all submodules 

Enable AV PreScan — When selected, performance of the submodules is improved by reducing the 

load sent to them for scanning 

Note: This option is by default selected. It is generally recommended not to change this setting. 


6 



Enable GTI file reputation queries — When selected, information on the reputation of files retrieved 

from the Global Threat Intelligence system is included in the scanning result that the Anti-Malware 

module provides 

Advanced Settings for McAfee Gateway Anti-Malware 

Settings applying only to the McAfee Gateway Anti-Malware submodule 

Note: The following options are by default selected. It is generally recommended not to change these 

settings. 

(General Settings) 

Settings for some general scanning methods 

Enable Artemis queries — When selected, queries regarding infected objects are also performed on 

an Artemis database 

Enable heuristic scanning — When selected, heuristic methods are used in scanning web objects 

Enable detection for potentially unwanted programs — When selected, web objects are also 

scanned for potentially unwanted programs 

Enable mobile code scanning — When selected, mobile code is scanned in general 

Note: Individual settings can be configured under Scan the following mobile code types. 

Scan the Following Mobile Code Types 

Settings for including different types of mobile code in the scanning 

Windows executables — When selected, these are scanned 

Once downloaded from the web or received by email, these executables can become a threat when 

launched because they run with all the privileges of the current user. 

JavaScript — When selected, this is scanned 

JavaScript code can be embedded virtually anywhere, from web pages and PDF documents to video and 

HTML files. 

Flash ActionScript — When selected, this is scanned 

ActionScript code can be embedded in flash videos and animations and has access to the flash player 

and the browser with all their functions. 

Java applets — When selected, these are scanned 

Java applets can be embedded in web pages. Once activated, they can run at different permission 

levels, based on a digital certificate and the user’s choice. 

Java applications — When selected, these are scanned 

Java applications run stand-alone with all privileges of the current user. 

ActiveX controls — When selected, these are scanned 

ActiveX controls can be embedded in web pages and office documents. Once activated, they run with all 

privileges of the current user. 

Windows libraries — When selected, these are scanned 

These libraries usually come along with an executable in a setup package or are downloaded from the 

web by a running executable or by malicious code. 

Visual Basic script — When selected, this is scanned 

Visual Basic script code can be embedded in web pages or in emails. 

Visual Basic for applications — When selected, this is scanned 

Visual Basic macros can be embedded in office documents created with Word, Excel, or PowerPoint. 




Block the Following Behavior 

Settings for selecting code behavior that leads to blocking 

Data theft: Backdoor — When selected, the following is blocked: Malicious applications that grant an 

attacker full remote access and control to a victim’s system through existing or newly created network 

channels 

Data theft: Keylogger — When selected, the following is blocked: Malicious applications that hook 

into the operating system to record and save keyboard strokes 

The captured information, such as passwords, is sent back to the attacking party 

Data theft: Password stealer — When selected, the following is blocked: Malicious applications that 

gather, store, and leak sensitive information, such as the system configuration, confidential data, 

credentials, and other data for user authentication 

System compromise: Code execution exploit — When selected, the following is blocked: Exploits 

for vulnerabilities in any client applications, such as browsers, office programs, or multi-media players, 

that could allow an attacker to run arbitrary code on the compromised system 

System compromise: Browser exploit — When selected, the following is blocked: Exploits for 

vulnerabilities in browser applications and plug-ins that could allow the attacker to run arbitrary code, 

steal sensitive data, or escalate privileges 

System compromise: Trojan — When selected, the following is blocked: Malicious applications that 

pretend to be harmless or useful, but actually perform malicious activities 

Stealth activity: Rootkit — When selected, the following is blocked: Malicious applications or device 

drivers that manipulate the operating system and hide presence of malware on infected systems 

After the compromise, files, registry keys, and network connections belonging to the malware 

processes turn invisible and could be hard to recover 

Viral Replication: Network worm — When selected, the following is blocked: Malicious applications 

or device drivers that self-replicate using email, the internet, peer-to-peer networking, or by copying 

themselves onto removable media such as USB devices 

Viral Replication: File infector virus — When selected, the following is blocked: Self-replicating 

applications that infect existing files on the hard-disk, embedding viral code in order to spread through 

the newly infected host file 

System compromise: Trojan downloader — When selected, the following is blocked: Malicious 

applications or script code that download and execute additional payload from the internet 

System compromise: Trojan dropper — When selected, the following is blocked: Malicious 

applications that carry hidden payload, extract and launch it upon execution 

System compromise: Trojan proxy — When selected, the following is blocked: Malicious 

applications that allow to relay potentially malicious hidden network activity through the compromised 

system 

Web threats: Infected website — When selected, the following is blocked: Websites that contain 

injected malicious script code or request additional malicious code as soon as it is opened in a browser 

The initial infection might have taken place through an SQL injection attack against the web server. 

Stealth activity: Code injection — When selected, the following is blocked: Applications that copy 

their code into other, often legitimate processes, resulting in a hijacking of the respective privileges and 

trust 

This technique is typically employed by malware that tries to hide its presence on compromised 

systems and tries to evade detection. 

Detection evasion: Obfuscated code — When selected, the following is blocked: Applications that 

consist of highly scrambled of encrypted code 

Detection evasion: Packed code — When selected, the following is blocked: Applications whose 

content has been compressed by a run-time packer or protector 

Applying a run-time packer to an application changes the way it looks so it is harder to it is harder to 

classify. 


6 



Potentially unwanted: Ad-/Spyware — When selected, the following is blocked: Applications that 

show potentially annoying or unwanted advertisements, but also track and analyze the user’s activities 

and behavior 

Potentially unwanted: Adware — When selected, the following is blocked: Applications that show 

potentially annoying or unwanted advertisements, but also track and analyze the user’s activities and 

behavior 

Data theft: Spyware — When selected, the following is blocked: Applications that track and analyze 

the user’s activities and behavior, steal sensitive data, and leak this data to the attacker’s servers 

Potentially unwanted: Dialer — When selected, the following is blocked: Applications that provide 

access to content, such as pornography, through a more expensive network connection 

Web threats: Vulnerable ActiveX controls — When selected, the following is blocked: Potentially 

vulnerable ActiveX controls that are restricted to other on-browser usage and should not be used on a 

web page 

Potentially unwanted: Suspicious activity — When selected, the following is blocked: Potentially 

malicious code that is identified by either non-standard or not fully trusted behavior 

Web threats: Cross-site scripting — When selected, the following is blocked: Malicious scripts that 

try to exploit browser or web application access-control vulnerabilities in browsers or web applications 

to steal user-specific data, such as cookies 

Potentially unwanted: Deceptive behavior — When selected, the following is blocked: Misleading 

messages, missing code tricks, and fake alerts presented to users 

These threats might tell users that their systems are infected with spyware and promote so-called fake 

AV applications for cleaning. 

Potentially unwanted: Redirector — When selected, the following is blocked: Redirecting code that 

forwards users visiting a website to other, potentially malicious locations 

This behavior is often caused by an infection of a previously legitimate website. 

Potentially unwanted: Direct kernel communication — When selected, the following is blocked: 

Applications that directly communicate with the Windows kernel or in kernel mode 

These might try to install a rootkit or to destabilize the system. 

Potentially unwanted: Privacy violation — When selected, the following is blocked: Potentially 

malicious code that accesses sensitive or private data 

This could result in eavesdropping your clipboard content or reading registry keys. 

Network Behavior and DLP 

Settings for handling unknown browsers, unwanted programs, and data leakage 

Forbid unknown browsers to download executables — When selected, requests for downloading 

executables submitted by unknown browsers are blocked 

Block requests sent by PUPs — When selected, requests sent by potentially unwanted programs 

(PUPs) are blocked 

Treat as request sent by a PUP if probability is at least — Slider scale to set the probability 

(in percent) for classifying a request as being sent by a potentially unwanted program 

Detect unsolicited POSTs — When selected, unsolicited POST requests, which could enable data 

leakage, are detected 


URL filtering 


URL filtering 6 

The appliance filters URLs to block inappropriate or malicious content. This section gives an overview of 

the URL filtering process and describes how you can modify it. 

URL filtering process 

Several elements work together in the URL filtering process on the appliance. These include: 

• Filtering rules that control the process 

• A whitelist and blocking lists that are used by rules to exempt some URLs from filtering and block 

others 

• The URL filter module, which is called by suitable rules to retrieve information on URL categories and 

reputation scores from the Global Threat Intelligence system 

Filtering rules 

The rules that control the URL filtering process are contained in a URL filtering rule set. One of these 

rules says, for example, that access to a URL is blocked if it matches an entry on a blocking list. 

Another rule blocks URLs if they belong to a category that is on a blocking list. This rule calls the URL 

filter module to retrieve category information for URLs from the Global Threat Intelligence system. 

Another rule works in a similar way to block URLs that have a bad reputation. 

A whitelisting rule exempts URLs from filtering if they match entries on the list used by the rule. This 

rule is placed and processed before the blocking rules. If it applies, the blocking rules are skipped and 

no URL filtering is performed for the whitelisted objects. 

You can review these rules, modify or delete them, and also create your own rules. 

For more information, see Rules for URL filtering. 

Whitelist and blocking lists 

A whitelist is used by a whitelisting rule to let particular URLs skip the blocking rule, which means there 

is no URL filtering for these objects. 

Note: Since a URL filtering rule set handles only URL filtering, whitelists are not needed for several types of 

objects as they are in virus and malware filtering. 

Blocking lists are used by rules for blocking URLs according to the categories they belong to or because 

they match an entry on a list. Each of the blocking rules uses its own list. 

You can add entries to these lists or remove entries. You can also create your own lists and let them be 

used by the whitelisting rules. 

For more information, see Whitelist and blocking lists for URL filtering. 

Filter module 

The module for URL filtering retrieves information on URL categories and reputation scores from the 

Global Threat Intelligence system that is maintained by McAfee. Based on this information, blocking 

rules block access to URLs. The module name is URL Filter. 

You can configure settings for this module, for example, to let it include category information retrieved 

from an Extended List that you provide or to perform a DNS lookup for URLs and include the 

corresponding IP address in the search for category information. 

For more information, see Module for URL filtering. 


6 


URL filtering 

Rules for URL filtering 

Rules that filter URLs are contained in a URL filtering rule set. This section explains an individual 

filtering rule and describes the rules in a URL filtering rule set. 

A rule set for URL filtering usually includes a blocking rule that blocks access to URLs per category and 

one that blocks access according to reputation. A whitelisting rule exempts URLs that should not get 

blocked from filtering. 

The whitelisting rule is placed before the blocking rules, so it is processed before them. If a requested 

URL matches an entry on the whitelist, the rule applies. It stops the processing of the rule set, so the 

blocking rules are not processed and cannot apply. 

A rule set like this is usually included when the wizard creates a system of rule sets. It is also included 

in the default system. There can be several URL filtering rule sets in a rule set system, containing rules 

that apply to different user groups. 

URL filtering rule sets can differ from each other in that they use different blocking lists and whitelists. 

They do not differ, however, in their basic structure, which combines a whitelisting rule with blocking 

rules that block URLs individually or according to their categories and reputation scores. 

View the implemented URL filtering rules 

The URL filtering rules that are implemented on the appliance can be viewed on the user interface. 


2 On the rule sets tree, go to the rule set that contains the URL filtering rules, which is by default named 

URL Filtering. The individual rules appear on the settings pane. 

3 On the settings pane, click Show Details. Rule conditions and events are displayed for each rule. 

You can modify these rules, delete them, and also create your own rules. 

URL filtering rule 

This section explains a category blocking rule, which is a key rule type in URL filtering. 

Note: The rule is shown here in a notation that comes close to how it appears on the user interface. 

Name 

Block URLs whose category is in URL Category BlockList 


URL.Categories at least one in list Category BlockList –> Block 


If a URL belongs to a category that is on a blocking list, block access to it. 

The property of the rule criteria is URL.Categories. This property is checked for a given URL and the URL 

Filter module is called to find the categories the URL belongs to. If these are on the specified blocking 

list, the criteria is matched and the rule applies. 

The rule then executes its action, which is the Block action. It blocks access to the URL. If a URL 

belongs to more than one category, it is blocked if any of these categories is on the list. 

The URL.Categories property has the Default settings specified for it. This means the module that 

retrieves the category information runs with these settings. The settings determine, for example, 

whether a DNS lookup is performed for a URL and category information also searched for based on the 

corresponding IP address. 




The Block action also has settings. These specify a message that is sent to a user who is affected by the 

action. 

For this URL blocking rule, the URL Blocked settings are specified, which means that the message 

mentions the category that a requested URL belongs to as the reason for the blocking. 

URL Filtering (rule set) 

This section describes the URL Filtering library rule set. 


Library rule set — URL Filtering 




Allow URLs that match in URL WhiteList 

URL matches in list URLWhiteList –> Stop Rule Set 

The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, 

processing of the rule set stops and the blocking rules that follow the whitelisting rule are not 

processed. 

You can use this rule to exempt URLs from filtering to make sure they are available to the users of 

your network and do not get blocked by any of the following blocking rules. Whitelisting also 

increases performance because it avoids the effort of retrieving information about the respective 

URLs. 

Block URLs that match in URL BlockList 

URL matches in list URL BlockList –> Block — Statistics.Counter.Increment 

(“BlockedByURLFilter”,1) 

The rules uses the URL property to check whether a given URL is on the specified blocking list. If it 

is, processing of all rules stops and the request for access to the URL is not passed on to the 

appropriate web server. Access to it is blocked this way. 


The rule also uses an event to count blocking due to virus and malware infections. The event 

parameters specify the counter that is incremented and the size of the increment. The event 

settings specify the settings of the Statistics module, which executes the counting. 

Enable SafeSearchEnforcer 

Always –> Continue — Enable SafeSearchEnforcer 

The rule enables the SafeSearchEnforcer, which is an additional module for filtering access to web 

sites with adult content. 

The enabling is done by executing an event. The settings of the module are specified with the 

event. 

Processing continues with the next rule. 


6 


URL filtering 

Allow uncategorized URLs 

List.OfCategory.IsEmpty(URL.Categories) equals true –> Stop Rule Set 

The rule uses the List.OfCategory.IsEmpty property, which has the URL.Categories property as a 

parameter, to check whether the list of categories for categorizing a URL is empty. This would 

mean that the URL is uncategorized, as it could not be assigned to any of the existing categories. 

Specifying the URL.Categories property as a parameter ensures that it is a particular list of 

categories that is checked. It is the list that is the value of this property. 

To provide a list of categories as the value for the URL.Categories property, the URL Filter module 

is called, which retrieves this list from the Global Threat Intelligence system. The module runs with 

the specified Default settings. 

If a URL is uncategorized, processing of the rule set stops and the blocking rules that follow this 

rule are not processed. The request for the URL is forwarded to the appropriate web server and, 

unless access to the URL is blocked in the response or embedded object cycle, the user is allowed 

to access the web object that was requested by submitting the URL. 

For information on how to modify this rule to let it execute a block action, see Modify a filtering rule 

to block uncategorized URLs. 

Block URLs whose category is in URL Category BlockList 

URL.Categories at least one in list Category BlockList –> Block 

— Statistics.Counter.Increment (“BlockedByURLFilter”,1) 

The rule uses the URL.Categories property to check whether one of the categories a given URL 

belongs to is on the specified blocking list. The URL Filter module, which is called to retrieve 

information on these categories, runs with the Default settings, as specified with the property. 

If one of the URL’s categories is on the list, processing of all rules stops and the request for access 

to the URL is not passed on to the appropriate web server. Access to it is blocked this way. 

The URLBlocked action settings specify that the user who requested this access is notified of the 

blocking. 

The rule also uses an event to count blocking due to URL filtering in the same way as the blocking 

rule for individual URLs in this rule set. 

Block URLs with bad reputation 

URL.IsHighRisk equals true –> Block — Statistics.Counter.Increment 

(“BlockedByURLFilter”,1) 

The rules uses the URL.IsHighRisk property to find out whether a URL has a reputation that lets 

access to it appear as a high risk. If the value for this property is true, processing of all rules stops 

and the request for access to the URL is not passed on to the appropriate web server. Access to it 

is blocked this way. 

The reputation score is retrieved by the Global Threat Intellegence module, which runs with the 

settings specified after the property. 

The URLBlocked action settings specify that the user who requested this access is notified of the 

blocking. 

The rule also uses an event to count blocking due to URL filtering in the same way as the blocking 

rule for individual URLs in this rule set. 


Modify a filtering rule to block uncategorized URLs 

You can modify a filtering rule that allows uncategorized URLs to let it block these URLs. 




2 On the rule sets tree, select the rule set that contains rules for URL filtering, for example, the default 

URL Filtering rule set. The rules appear on the settings pane. 

3 Select the rule Allow uncategorized URLs and click Edit. The Edit Rule window opens. 

4 Select Action and from the list of actions, select Block. 

5 Select Name and in the Name field type Block in the place of the word Allow. 

6 Click Finish. The window closes and the modified rule appears on the settings pane. 


The modifed rule uses the same criteria as the default rule to detect uncategorized URLs. However, 

instead of allowing them, it blocks them. It also stops the processing of all other rules and sends a 

block message to the user who requested access to the URL. Processing continues when the next user 

request is received on the appliance. 

If you want to keep the default rule (in disabled state), use the Copy and Paste buttons above the list of 

rules to copy the default rule and apply your modifications to the copied rule. 

The Move up and Move down buttons allow you to move the additional rule to the appropriate position, 

which should be immediately before or after the old rule. 

By selecting or deselecting the Enabled checkbox in each rule line, you can easily switch between the 

rules if a change in your web security policy should require it. 

Whitelist and blocking lists for URL filtering 

You can maintain different lists for use by the URL filtering rules. This section provides information on 

how this is done and describes some sample lists. 

The URL filtering rules use the following types of lists: 

• URL whitelist — List of wildcard expressions 

URLs that match these expressions are allowed by a whitelisting rule to skip URL filtering. 

• URL category blocking list — List of URL categories 

URLs that belong to these categories are blocked by a blocking rule. 

• URL blocking list — Lists of wildcard expressions 

URLs that match these expressions are blocked by a blocking rule. 

The procedures used to maintain URL filter lists differ according to the list type. For example, to add 

URL categories to a category blocking list, you select them from category folders. 

Adding entries to a whitelist for individual URLs is done in the same way as for a virus and malware 

filtering whitelist. You enter wildcard expressions onto the list that URLs will eventually match or not. 

Adding entries to a blocking list for individual URLs is also done in this way. 

For more information on these lists, see Sample lists for URL filtering. 

For information on adding entries to blocking lists and whitelists, see Add a URL category to a blocking 

list and Add a wildcard expression to a virus and malware filtering whitelist for URLs. 


6 


URL filtering 

Sample lists for URL filtering 

This section describes several sample lists that are used by the rules of the library URL filtering rule set. 

When you import the rule set from the library, these lists are also imported. You can find them on the 

Lists tab of the Policy top-level menu, sorted by their names. 


URL WhiteList 

Library list of wildcard expressions for URLs 




Table 6-4 URL WhiteList 




Category BlockList 

Library list of URL categories 

Type — Category 



Table 6-5 Category BlockList 


Category URL category 

Comment Plain-text comment on the category 

URL BlockList 

Library list of wildcard expressions for URLs 




Table 6-6 URL BlockList 







Add a URL category to a blocking list 

You can add a URL category to a blocking list to block access to all URLs falling into that category. 


2 On the rule sets tree, select the rule set that contains rules for URL filtering. The rules appear on the 

settings pane. 

3 Find the rule that uses a category blocking list, for example, Block URLs whose category is in 

Category BlockList, and click on the list name. 



4 Expand the group folder with the category you want block, for example, Purchasing, and select the 

category, for example, Online Shopping. 

Note: To add multiple categories at once, select multiple categories or one or multiple group folders. 

5 Click OK. The window closes and the category appears on the blocking list. 


For more information on how to maintain lists, see List maintenance. 

Extended Lists for blocking URLs per category 

You can maintain Extended Lists of URLs that you have assigned to categories yourself. These lists can 

be included when the URL filter module retrieves category information. This section tells you how to 

add and edit an Extended list. 

Add an Extended List 

This section tells you how to add an Extended List of URLs with categorizations of your own. 

Complete the following procedure to do add this list: 


2 On the Engines branch of the settings tree, go to URL Filter and select the settings you want to 

configure, for example, Default. 

3 Under Extended List, click Add. The Add List window opens. 

4 [Optional] In the Comment field, type a plain-text comment on the list and on the Permissions tab, 

configure who is allowed access to it. 

5 Click OK & Edit. The Edit List (Extended List Element) window opens. 

6 To add a list entry: 

a Click Add. The Add Extended List Element window opens. 

b Configure the following: 

• Protocol — Network protocol that must be used if categorization and, eventually, blocking is 

to be applied for a URL 

For example, if FTP is specified here, categories are not looked up and blocking is never applied 

when requests are sent under HTTP or HTTPs. 

• URL — URL that is categorized 

c Under Categories, click the Edit symbol. An Edit window opens with a list of group folders 

containing URL categories. 


6 


URL filtering 

d Expand the folder with the category you want to assign the URL to, for example, Lifestyle, and 

select the checkbox next to this category, for example, Travel. 

Note: Repeat this substep if you want to add more than one category. 

e Click OK. The Edit window closes and the category or categories appear on the list in the Add 

Extended List Element window. 

7 Click OK. The Add Extended List Element window closes and the new entry appears on the Extended 

List in the Edit List (Extended List Element) window. 

Note: Repeat steps 6 and 7 if you want to add more entries to the Extended List. 

8 Click OK. The Edit List (Extended List Element) window closes and the new list appears: 

• On the lists tree under Extended List Element 

• Under the Extended List options of the Default settings for the URL Filter module 


Edit an Extended List 

This section explains how you edit an Extended List to modify your categorizations of URLs. 

Complete the following procedure to edit this list: 


2 On the lists tree, go to Extended List Element and select the Extended List you want to edit. The 

list entries appear on the settings pane. 

3 Edit the list, using the items on the toolbar above the entries. The following table describes the list 

entries: 

Table 6-7 Extended List 


Protocol Network protocol that must be used if categorization and, eventually, blocking is to be 

applied for a URL 

URL URL that is categorized 

Categories URL categories that the URL is assigned to 

Comment Plain-text comment on the URL 


For more information on how to maintain lists, see List maintenance. 


Module for URL filtering 



You can configure the module for URL filtering to let it retrieve information on URLs in different ways. 

This section explains how this is done and describes the module settings. 

The name of the module for URL filtering is URL Filter. It is also known as URL Filter engine. When this 

module is called by a URL filtering rule to retrieve information on particular URLs, it connects to the 

Global Threat Intelligence (GTI) system. This system provides information on categories and 

reputation scores for URLs, based on the content of the corresponding web pages. 

Various technologies, such as link crawlers, security forensics, honeypot networks, sophisticated 

auto-rating tools, and customer logs are used to gather this information. An international, multi-lingual 

team of McAfee web analysts evaluates the information and enters URLs under particular categories 

into a database. 

To gather information on the reputation of a URL, its behavior on a worldwide real-time basis is 

analyzed, for example, where a URL shows up in the web, its domain behavior, and other details. 

Configure the URL Filter module 

To configure settings for the URL Filter module: 


2 On the rule sets tree, select the rule set that contains rules for URL filtering. The rules appear on the 


3 Find the rule that uses a category blocking list, for example, Block URLs whose category is in 

Category BlockList. The settings of the URL filter module appear within the rule criteria next to the 

URL.Categories property. Their name is, for example, Default. 

4 Click on the settings name. The Edit Settings window opens. 



For more information on these settings, see Settings for the URL Filter module. 

Settings for the URL Filter module 

This section describes the settings for the URL Filter module, which is the module that retrieves 

information from the Global Threat Intelligence system. 

Default 

Default settings for the URL Filter module 

Extended List 

Settings for Extended Lists 

Use the extended list — List for selecting an Extended List 

Add — Opens the Add List window for adding an Extended List 

Edit — Opens the Edit List (Extended List) window for editing the selected Extended List 


6 


URL filtering 

Rating Settings 

Settings for retrieving rating information on URLs based on categories and reputation scores 

Search the CGI parameters for rating — When selected, CGI parameters are included in the search 

for information 

CGI (Common Gateway Interface) parameters in a URL trigger scripts or programs when the URL is 

accessed. Information on CGIs can affect the categorization of a URL. 

Search for and rate embedded URLs — When selected, embedded URLs are included in the search 

for information and rated. Information on an embedded URL can affect the categorization of the 

embedding URL 

Note: Searching for embedded URLs can reduce performance. 

Do a forward DNS lookup to rate URLs — When selected, a DNS lookup is performed for a URL that 

no relevant information has been found for 

The IP address that was looked up is used for another search. 

Do a backward DNS lookup for unrated IP-based URLs — When selected, a backward DNS 

lookup, based on its IP address, is performed for a URL that no relevant information has been found for 

The host name that was looked up is used for another search. 

Use the built-in keyword list — When selected, the built-in keyword list is included in the search 

Only use online GTI web reputation and categorization services — When selected, information 

on URL categories and reputation scores is only retrieved from the Global Threat Intelligence system 

Use online GTI web reputation and categorization services if local rating yields no results — 

When selected, information on URL categories and reputation scores is only retrieved from the Global 

Threat Intelligence system if the search in the internal database yielded no results 

Use default GTI server for web reputation and categorization services — When selected, the 

appliance connects to the default server for retrieving information on URL categories and reputation 

scores from the Global Threat Intelligence system 

Note: When this option is not selected, the following options for using a non-default server are accessible. 

IP of the server — IP address of the server used to connect to the Global Threat Intelligence 

system when the default server is not used 

Format: or or 

Regular IPv6 addresses cannot be specified here. 

Port of the server — Port number of the port on this server that listens to requests from the 

appliance 

Allowed range: 1 – 65535 





Advanced settings for the URL Filter module 

Force rating attempts to run in synchronous mode — When selected, the search is performed in 

synchronous mode 

Searching in synchronous mode means that if the Global Threat Intelligence system is involved, the 

appliance connects to the Global Threat Intelligence server for processing a particular request and does 

not begin with processing other requests before the server has responded and processing of the first 

request has been completed. 

Note: Using this option will reduce performance if the Global Threat Intelligence server is slow in responding. 

Treat connection problems to the cloud as errors — When selected, problems arising on the 

connection from the appliance to the Global Threat Intelligence server are logged as errors 

Properties for error handling are set and eventually rules from an Error Handler rule set are executed. 

Do a backward DNS lookup also for private addresses — When selected, private IP addresses 

are included in the backward DNS lookup 

Excluding these addresses from the lookup leads to an increase in performance for URL filtering. 

Note: This option is disabled by default. 

The lookup includes the following types of addresses: 

• IPv4 

• Private addresses 

• Zeroconf addresses 

• IPv6 

• Link local addresses 

• Site local addresses 

• Unique local addresses 

Proxy Settings 

Settings for configuring a proxy the appliance can use to connect to the Global Threat Intelligence 

system 

Use upstream proxy — When selected, the appliance uses a proxy for connecting to the Global 

Threat Intelligence server on which lookups for URL category information, also known as “in-the-cloud” 

lookups, can be performed 

IP or name of the proxy — IP address or host name of the proxy 

Port of the proxy — Number of the port on the proxy that listens for lookup requests from the 

appliance 

User name — User name for the appliance when logging on to the proxy 

Password — Password for the appliance 

Set — Opens a window for setting the password 


6 


URL filtering 

Logging 

Settings for logging URL filtering activities on the appliance 

Enable logging — When selected, URL filtering activities are logged on the appliance 

Note: If this option is not selected, the following logging options are grayed out. 

Log level — List for selecting the log level 

Log levels are as follows: 

• 00 FATAL — Logs only fatal errors 

• 01 ERRORS — Logs all errors 

• 02 WARNING — Logs errors and warnings 

• 03 INFO — Logs errors, warnings, and additional information 

• 04 DEBUG1 ... 013 DEBUG9 — Log information required for debugging URL filtering activities 

The amount of logged information increases from level DEBUG1 to DEBUG9. 

• 14 TRACE — Logs information required for tracing URL filtering activities 

• 15 ALL — Logs all URL filtering activities 

(Log area) — Settings for including different areas of URL filtering activities into the logging 

• LOG_AREA_ALL — When selected, all URL filtering activities are logged 

• LOG_AREA_NETWORK — When selected, activities regarding the network connections used for 

URL filtering are logged 

• LOG_AREA_DATABASE_SEARCH — When selected, activities regarding the retrieval of data for 

URL filtering from the internal database are logged 

• LOG_AREA_DNS — When selected, activities regarding a DNS lookup that is performed for URL 

filtering are logged 

• LOG_AREA_URL — When selected, activities for handling URLs, such as parsing them, are logged 

• LOG_AREA_CLOUD — When selected, activities regarding the retrieval of information from the 

Global Threat Intelligence system are logged 


Different versions of URL category sets 



When individual URLs are assigned to categories under the Global Threat Intelligence system, a 

particular set of categories is used. You can configure which set you want to be used on the appliance. 

An example of how sets differ from each other is category splitting for malicious sites. Category Set 3 

has a single category named Malicious Sites. This category is kept in Category Set 4, but the categories 

Browser Exploits and Malicious Downloads are added to enable a more refined categorizing. 

After installing version 7.1 of the McAfee Web Gateway appliance (clean install), Category Set 4 is 

implemented on the appliance. 

After upgrading from a 7.0.x version to version 7.1, use of the category sets can require further action. 

There are two cases: 

• An older version uses Category Set 3 and one or more of the rules implemented in this version use 

directly a category that is affected by a change under Category Set 4. 

For example, a rule includes the following criteria: 

URL.Categories contains Malicious Sites 

Under Category Set 4, use of the Malicious Sites category has become ambiguous because it is 

unclear whether the category itself should be used or one of the two categories that were split off 

from it. You can then continue to use Category Set 3 on your appliance or explicitly migrate to 

Category Set 4. A function for this is provided on the user interface. 

If you migrate to Category Set 4, all rule sets that are affected by the migration appear on the 

user interface marked in red color. You then need to modify these rule sets manually to resolve 

conflicts arising from the migration. For example, you can select one of the two categories that 

were split off from Malicious Sites to replace the former category in criteria where it is used 

directly. 

• An older version uses Category Set 3 and none of the rules implemented in this version use directly 

a category that is affected by a change under Category Set 4. 

For example, a category list contains the Malicious Sites category. Then the two categories that 

were split off from it are added to the list. 

Migration from Category Set 3 to 4 is then performed as part of the upgrade. No further action 

regarding category sets is required from your side. 

For information on how to migrate from Category Set 3 to 4, see Migrate to Category Set 4. 

Migrate to Category Set 4 

To migrate the URL category set that is used on the appliance from version 3 to 4: 


2 On the toolbar of the settings pane, click Migrate URL Filter category set from version 3 to 4. 

The set of URL categories used on the appliance changes from category set 4 to category set 4. 

Rule sets that use modified or abandoned categories are displayed in red within the rule sets tree. 

3 Review the rules in these rule sets and modify them as needed. 



6 




The appliance filters media according to their types, based on rules that use appropriate filter lists, so 

particular text, audio, image, streaming, and other media can be blocked. This section explains media 

type filtering and tells you how to modify the rules and lists that are involved in the filtering. 

Rules for media type filtering 

Rules for media type filtering block and whitelist media types. This section explains how these rules 

work and how you can modify them. It also describes a media type filtering rule set from the library. 

A media type filtering rule set typically includes nested rule sets for controlling media upload and 

download. In each rule set, there is at least one rule that blocks media if their types are on a blocking 

list. 

There can be whitelisting rules that let media skip the blocking rule. There can also be several blocking 

rules to handle different media types or media types in different contexts, for example, media types 

embedded in archives. A special rule calls an opener module to open media. 

Note: Media type filtering rules can also be included in rule sets that are not media type filtering rule sets in 

the first place, for example, in virus and malware filtering rule sets. 

Media type filtering rule 

The following is an example of a rule for blocking media types. 

Note: The rule is shown here in a notation similar to the one used on the user interface. 

Name 

Block types from list Download Media Type Blocklist 


MediaType.EnsuredTypes at least one in list Download Media Type –> Block 

Blocklist 

 


If media belongs to a type that is on a particular blocking list, block access to it. 

The rule criteria checks the MediaType.EnsuredTypes property. Media have this property if it can be 

ensured with a probability of more than 50% that they are of a particular type. This is the case if a 

signature from an internal list on the appliance can be found in the object code of the media. 

For media that have their types ensured in this sense, the rule looks up the specified blocking list to see 

whether they are on it. It they are, the criteria is matched and the rule applies. If media belong to 

multiple types, already one of them on the list is sufficient to let the criteria match. 

The rule then executes the Block action. Processing of all rules stops and the media is not passed on to 

the user who requested it. This way, access to it is blocked. 

The settings of the Block action specify a message that is sent to a user who is affected by the action. 

The message mentions media type as the blocking reason. 



Media type filtering 6 

Media type filtering properties 

Most of the media type filtering rules in a library rule set use the MediaType.EnsuredTypes property. 

There are several other properties, however, which let rules behave differently when included in their 

criteria. 

There is, for example, the MediaType.NotEnsuredTypes property. If you use this property in the criteria 

of a blocking rule, the rule blocks media whose types are on a blocking list even if the probability that 

they actually are of this type is less than 50%. You could do this if you wanted to make sure a media 

type gets blocked under all circumstances. 

The following table lists the properties of the rules in a library rule set for media type filtering. 

Table 6-8 Media type filtering properties 

Property Description 

MediaType.EnsuredTypes Property of media that have their types ensured with a probability of more than 

50% 

This level of probability is assumed if a media type signature from an internal list 

on the appliance can be found in the object code of the media. 

MediaType.NotEnsuredTypes Property of media for which the probability that they actually are of their respective 

types is less than 50% 

MediaType.FromFileExtension Property of media for which types are assumed based on the extensions of the 

media type file names 

Extensions and the media types associated with them are looked up in an internal 

catalog on the appliance. There are, however, extensions that are used by more 

than one media type. 

MediaType.FromHeader Property of media for which types are assumed according to the content type field 

of the headers sent with the media 

Headers are read and evaluated in a standardized format. To filter headers in their 

original formats, you can use the Header.Get property. 

MediaType.IsSupported Property of embedded or archived media that can be extracted by the opener 

module of the appliance. 

List.OfMediaType.IsEmpty Property of media with types that are not on an internal list 

For information on other properties, see the List of properties in the appendix. For a procedure to let a 

rule use a different property, see Modifying a media type filtering rule. 

Processing data in MIME format 

Web objects can be filtered on the appliance when they are multi-part objects transmitted in MIME 

(Multi-Purpose Internet Mail Extension) format, which is used for data sent in POST messages. Several 

MIME type filtering properties are available for configuring within filtering rules. 

The MIME format provides a header and header parameters for each part of a multi-part object, for 

example, for each member of an archive. The information contained in a MIME header and its 

parameters specifies the type of the object in question. The format is also known as 

multipart/form-data format. 

You can use the Composite Opener module of the appliance in a rule to open multi-part objects that are 

transmitted in MIME format and extract individual parts from it. You can then block or allow these parts 

depending on whether a particular header or header parameter is sent with them, or depending on the 

value that a header or header parameter has. 

You can set up rules for this using special MIME data filtering properties. These rules are similar to the 

ones you can use for media type filtering. 


6 



The following table lists the MIME data filtering properties that are available on the appliance: 

Table 6-9 MIME data filtering properties 

Property Description 

Body.HasMimeHeader Boolean property that is true if the body of a part that was extracted from 

a multi-part object has a MIME header with a given name 

Body.HasMimeHeaderParameter Boolean property that is true if the body of a part that was extracted from 

a multi-part object has a MIME header parameter with a given name 

Body.MimeHeaderValue Property filled with a string that is the value of a given MIME header 

Body.MimeHeaderParameterValue Property filled with a string that is the value of a given MIME header 

parameter 

Media Type Filtering (rule set) 

This section describes the rules of a library rule set for filtering the upload and download of media 

types. 


Library rule set — Media Type Filtering 



The following rule sets are nested in this rule set. 

• Upload Media Type 

Note: This rule set is not enabled by default. 

• Download Media Types 

Upload Media Type 

This nested rule set blocks the upload of media belonging to particular media types. It is processed in 

request cycles when users request to upload media to the web, as well as in embedded object cycles 

when objects are embedded in media. 

Nested library rule set — Upload Media Type 


Cycle — Requests (and IM) and embedded objects 


Block types from list Upload Media Type Blocklist 

Media.TypeEnsuredTypes at least one in list Upload Media Type Blocklist –> Block — Statistics.Counter.Increment (“BlockedByMediaFilter”, 1) 

The rule uses the Media.TypeEnsuredTypes property to check for media that have their type 

ensured if they are on the specified list. If they are, access to the media type is blocked and 

processing rules stops. 

The rule uses an event to count blocking due to media type filtering. The event parameters specify 

the counter that is incremented and the size of the increment. The event settings specify the 

settings of the Statistics module, which executes the counting. 

Processing continues with the next request that is received on the appliance. 




Download Media Types 

This nested rule set blocks the download of media belonging to particular media types. It is processed 

in response cycles when web servers send media in response to user requests for downloading them, as 

well as in embedded object cycles when objects are embedded in media. 

Nested library rule set — Download Media Types 


Cycle — Responses and embedded objects 


Block types from Download Media Type Blocklist 

Media.TypeEnsuredTypes at least one in list Download Media Type Blocklist –> Block — Statistics.Counter.Increment (“BlockedByMediaFilter”, 1) 

The rule uses the Media.TypeEnsuredTypes property to check for media that have their type 

ensured if they are on the specified list. If they are, access to the media type is blocked and 

processing rules stops. 

The rule uses an event to count blocking due to media type filtering. The event parameters specify 

the counter that is incremented and the size of the increment. The event settings specify the 

settings of the Statistics module, which executes the counting. 

Processing continues with the next request that is received on the appliance. 

Modifying a media type filtering rule 

You can modify a media type filtering rule to filter a different kind of media types by changing the 

property in the rule criteria. This section tells you how to do this and how create a new filter list for use 

by the modified rule. 

Create a filter list for a modified rule 

To create a new filter list for use in a modified media type filtering rule: 


2 On the Custom Lists branch of the lists tree, select Media Type and click Add. The Add List window 

opens. 

3 In the Name field, type a name for the new list, for example, Not Ensured Download Media Type 

Blocklist. 

4 [Optional] In the Comment field, type a plain-text comment on the new list and on the Permissions 

tab, configure who is allowed to access it. 

5 Click OK. The Add List window closes and the new list is inserted on the lists tree under MediaType. 


7 On the rule sets tree, select a rule set for media type downloads, for example, Media Type 

Download. 

Before a media type filtering rule can make use of the new list, you need to fill with entries, so the rule 

knows what to block or allow. 

For information on filling a list for media type filtering, see Add a media type to a media type filter list. 


6 



Change a property in a media type filtering rule 

To let a media type filtering rule filter a different kind of media types, you can, for example, replace the 

MediaType.EnsuredTypes property in the rule criteria with MediaType.NotEnsuredType. 

To replace this property: 


2 On the rule sets tree, select a rule set for media type filtering, for example, the nested Download 

Media Type rule set in the Media Type Filtering rule set. 

3 Select a rule, for example, Block types from Download Media Type Blocklist, and click Edit. The 

Edit Rule window opens. 

4 Select Rule Criteria and under Criteria select the rule. Then click Edit. The Edit Criteria window 

opens. 

5 From the drop-down list under Property select a new property, for example, 

MediaType.NotEnsuredTypes (instead of MediaType.EnsuredTypes). 

6 From the list under Parameter – Value, select Not Ensured Download Media Type Blocklist. 

7 Click OK and then Finish to close the windows. The modified rule appears on the settings pane. 


The modified rule blocks not ensured media types that are on your new list. 

If you want to keep the old rule to have rules for both filtering ensured and not ensured media types, 

use the Copy and Paste buttons above the list of rules to copy the old rule and apply your modifications 

to the copied rule. 

The Move up and Move down buttons allow you to move the additional rule to the appropriate position, 

which should be immediately before or after the old rule. 


Lists for media type filtering 



You can maintain lists for media type filtering. This section explains different types of these lists and 

some sample lists that are used by the library rules. It also describes how you add a media type to a 

list.some sample lists that are used by the library rules. 

Media type lists contain different kinds of media, such as text, audio, image, streaming, and others. 

When editing these lists, you do not type names of media types, but select them from folders. Some 

lists are provided by the system and cannot be edited at all. You can use them only as they are. 

Apart from being system or user-maintained lists, lists used in media type filtering are the same with 

regard to editing. However, you can use them for different purposes and this way have blocking lists, 

whitelists, upload lists, download lists, or even upload blocking lists, upload whitelists, and so on. 

The following is an overview of the kinds of media type filtering lists you can use on the appliance. 

However, you can also create and use lists and lists types other than these. 

• Upload whitelists and blocking lists — Lists of media types that users are allowed or not to upload 

to the web 

• Download whitelist and blocking lists — Lists of media types that are allowed or not when users 

attempt to download them from the web 

With regard to editing, media type filtering lists can be: 

• Custom lists — Can be reviewed and edited like all other custom lists 

• System lists — Are provided by the appliance system and cannot be edited 

There are system lists for text, audio, image, streaming, and other media types. 

You can view these lists under System Lists | Media Types on the Lists tab of the Policy 


If you see, for example, that a media type is on a system list used by a blocking rule, but do not 

want this media type to be blocked, you cannot remove it from the list. However, you can modify 

the rule to let it not use the system list, but a custom list without the media type in question. 

Sample lists for media type filtering 

This section describes some sample lists used by the Media Type Filtering rule set from the library. 

When you import the rule set, these lists are also imported. You can find them on the Lists tab of the 

Policy top-level menu, sorted by their names. 


Upload Media Type Blocklist 

List of media types that are blocked when users attempt to upload to them to the web 

Type — Media Type 



Table 6-10 Upload Media Type Whitelist 


Media type Media type that is not allowed for uploading to the web 



6 



Download Media Type Blocklist 

List of media types that are blocked when users attempt to download them from the web. 

Type — Media Type 



Table 6-11 Media Type Blocklist 


Media type Media type that is not allowed for downloading from the web 


Add a media type to a media type filter list 

You can add a media type to a list media type filtering. 


2 On the rule sets tree, go to a rule set that contains rules for media filtering, for example, the nested 

Download Media Types rule set of the Media Type Filtering rule set and select it. The rules 

appear on the settings pane. 

3 Select the rule Block types from Media Type Blocklist and click on the list name. The Edit List 

(MediaType) window opens. 


5 Expand the group folder with the media type you want to add, for example, Audio, and select the 

media type, for example, audio/mp4. 


6 Click OK. The window closes and the media type appears on the filter list. 






HTML filtering 6 

The appliance can filter HTML pages and remove embedded objects from them. This section explains 

HTML filtering and describes the rules, lists and module settings involved in the filtering process. 

Rules for HTML filtering typically say whether er objects embedded in HTML pages should be removed 

or kept. They evaluate object types and use also filter lists. They call an opener module to make 

embedded objects accessible for filtering. 

The types of objects HTML filtering can remove include the following: 

• Java applets — Are embedded in HTML pages (unlike the stand-alone Java applications) and run, 

once their certificates are accepted, with all privileges of the current user 

• ActiveX controls — Run with all privileges of the user 

• Scripts — Include JavaScript, JScript, and Visual Basic Script 

• Media types — Include text, audio, image, streaming, and other media types 

Rules for HTML filtering 

To enable HTML filtering on the appliance, a rule set containing appropriate rules must be implemented. 

This section describes a sample rule set from the rule set library. 

After the initial setup, an HTML filtering rule set is not implemented on the appliance. You can import 

the HTML Filtering rule set from the library and modify it according to your requirements or create a 

rule set of your own. 

For more information, see Import a rule set and HTML Filtering (rule set). 

HTML Filtering (rule set) 

This section describes the rules of a library rule set for HTML Filtering. 


Library rule set — HTML Filtering 



The rule set contains a rule and the following two nested rule sets: 

• Enable HTML Filtering 

• HTML Filtering 

The following rule is contained in the rule set in addition to the nested rules sets: 

Remove Content-Encoding header 

Always –> Continue — Header.RemoveAll (“Accept-Encoding”) 

The rule uses an event to remove the content encoding header from a request. 

This header is not needed because filtering is only applied to the content, which is eventually sent 

in not encoded format to the user who requested it. The name of the header is specified by the 

event parameter. 



6 



Enable HTML Filtering 

This nested rule set prepares HTML filtering by enabling the HTML opener and removing a header 

element. 

Nested library rule set — Enable HTML Filtering 


Cycles — Requests (and IM) and responses 


Enable HTML opener 

Always –> Continue — Enable HTML Opener 

The rule uses an event to enables the HTML opener. The settings of this module are specified with 

the event. 

Processing continues with the next rule. 

Remove header for “Content-Length” 

Always –> Continue — Header.RemoveAll (“Content-Length”) 

The rule uses an event to remove the header providing the content length from a request. 


HTML Filtering (nested rule set) 

This nested rule set removes different types of objects embedded in HTML pages, using a nested rule 

set for each type. 

Nested library rule set — Enable HTML Filtering 

Criteria — MediaType.EnsuredTypes contains text/html 

Cycles — Embedded objects 

The following rule sets are nested in this rule sets: 

• Embedded Objects 

• Embedded Scripts 

• ActiveX Controls 


• Advertising Filter 





Embedded Objects 

This nested rule set removes Java applets embedded in HTML pages, as well as other embedded media 

types if they are on a blocking list. 

It is processed in the embedded object cycle when these objects are sent with requests or responses. 

Nested library rule set — Embedded Objects 


Cycle — Embedded objects 


Java applets 

HTMLElement.Name equals “APPLET” OR ( 

HTMLElement.Name equals “OBJECT” AND 

HTMLElement..HasAttribute (“codetype”) equals true AND 

HTMLElement.Attribute (“codetype”) equals “application/java”) –> Remove 

The rule uses several HTMLElement ... properties to remove an element from an HTML page if it is 

found that particular values are true for these properties. An element is removed if its name is 

APPLET or if its name is OBJECT and has a code type attribute with application/java as its value. 

Processing of the embedded object cycle stops then and the HTML page is forwarded without the 

removed element to the user who requested it or to the web if a user attempted to upload it. 

Stop if element is not interesting 

(HTMLElement.Name does not equal “OBJECT” AND 

HTMLElement.Name does not equal “embed”) OR 

HTMLElement.HasAttribute (“type”) equals false –> Stop Rule Set 

The rule uses several HTMLElement ... properties to check whether an element needs not be 

removed. An element needs not be removed if its name is neither OBJECT nor embed or has no 

type attribute at all. 

Processing of the rule set stops then, so the rule that removes elements from HTML pages (and 

follows this rule in the rule set) is not processed. Processing continues with the next rule set. 

Default action for unlisted media types 

HTMLElement.Attribute (“type”) is not in list Media Type Whitelist 

HTMLElement.Attribute (“type”) is not in list Media Type Blocklist –> Stop Rule Set 

The rule uses the HTMLElement.Attribute property to check whether an element is of a type that is 

neither on the relevant whitelist nor the blocking list. In this case, a default action is executed, 

which for this rule is Stop Rule Set. 

Processing of the rule set stops then, so the whilelisting and blocking rules for media types that 

follow in the rule set are not processed. Processing continues with the next rule set. 

Handle whitelisted media types 

HTMLElement.Attribute (“type”) is in list Mediatype whitelist 

The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a 

media type whitelist. If it is, the rule applies. 

Processing of the rule set stops then, so the removing rule that follows this rule in the rule set is 

not processed. Processing continues with the next rule set. 



6 



Handle blocklisted media types 

HTMLElement.Attribute (“type”) is in list Mediatype blocklist –> Remove 

The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a 

media type blocklist. If it is, the rule applies and the media type in question is removed from the 

HTML page. 

Processing of the embedded object cycle stops then and the HTML page is forwarded without the 

removed element to the user who requested it or to the web if a user attempted to upload it. 

Embedded Scripts 

This nested rule set removes script code embedded in HTML pages, providing options for keeping some 

code types. 

It is processed in the embedded object cycle when this code is sent with requests or responses. 

Nested library rule set — Embedded Scripts 

Criteria — HTMLElement.Name equals “SCRIPT” 


The rule criteria specifies that the rule set applies when an element of the script type is embedded in 

an HTML page. 


Variable resetter 

Always –> Continue – Set User-Defined.removeOneScript = false 

The rule sets the User-Defined.removeOneScript property to false, so the break rules that follow 

this rule later in the rule set do not apply. Processing continues with the next rule. 


JavaScript 

HTMLElement.Script.Type (“type”) equals “text/javascript” –> Stop Rule Set 

– Set User-Defined.removeOneScript = true 

The rule uses the HTMLElement.Script.Type property to check whether an element is of the 

JavaScript type. If it does, the rule applies. 

Processing of the rule set stops then, so the rule that removes script code at the end of the rule set 

is not processed. This way, the embedded script code is kept in the HTLM page. Processing 

continues with the next rule set. 

If you want to remove JavaScript code, replace the Stop Rule Set by the Remove action. 

The rule also sets the User-Defined.removeOneScript property to true. This property is evaluated 

by the break rule that follows this JavaScript rule. 

When this rule applies with Stop Rule Set or Remove as its action, processing of the rule set is 

stopped. If you let the rule use an action that does not stop the rule set, you can enable the break 

rule. It will find that the value for the User-Defined.removeOneScript property is true and stop 

processing of the rule set accordingly. 

To reset the value of the User-Defined.removeOneScript property to false, you need to enable the 

reset rule at the beginning of the rule set. With this value for the property, the break rules of the 

rule set will not apply. 


Break; 

User-Defined.removeOneScript equals true –> Stop Rule Set 



The rule stops processing of the rule set if the User-Defined.removeOneScript property has true as 

its value. Processing continues with the next rule set. 


JScript 

HTMLElement.Script.Type equals “text/jscript” –> Stop Rule Set 

– Set User-Defined.removeOneScript = true 

This rule removes or keeps JScript within HTML pages in the same way as the JavaScript rule. 

Break; 


This rule works in the same way as the break rule that follows the JavaScript rule. 


Visual Basic script 

HTMLElement.Script.Type “text/vbscript” equals “vbscript” 

–> Stop Rule Set – Set User-Defined.removeOneScript = true 

This rule removes or keeps JScript within HTML pages in the same way as the JavaScript rule. 

Break; 


This rule works in the same way as the break rule that follows the JavaScript rule. 


Other scripts 

Always –> Remove 

The rule removes all embedded script code from HTML pages, unless it is kept from doing so by 

one of the rules preceding it in the rule set. These can stop the rule set before the process reaches 

the removing rule. They can do so for JavaScript, JSCript, and Visual Basic script code if enabled. 

If you want this to happen for other script code as well, you can add appropriate rules. 

The break rules of the rule set can also stop it and let the removing rule not be processed. 

If the removing rule is processed, it stops processing of the embedded objects cycle. Processing 

then continues with the next cycle. 


6 



ActiveX Controls 

This nested rule set removes ActiveX controls embedded in HTML pages. 



Nested library rule set — ActiveX Controls 



The rule set contains several rules and the nested Filter ActiveX in Scripts rule set. 

Advertising Filter 

The nested Advertising Filter library rule set removes advertising elements embedded in HTML pages, 

such as images, layers, forms, and others. 



Nested library rule set — Advertising Filter 



The rule set contains a rule and the following nested rule sets: 

• Link Filter 

• Dimension Filter 

• Popup Filter 

• Script Filter 

Sample lists for HTML filtering 

You can maintain lists for use by HTML filtering rules. This section describes some sample lists that are 

used by the rules in the HTML Filtering library rule set. 

When you import this rule set, these lists are implemented. You can find them on the Lists tab of the 

Policy top-level menu, sorted by their types and names. 


Media Type Whitelist 

List of media types embedded in HTML pages you want to keep 




Table 6-12 Media Type Blocklist 


Media type Media type that is kept during HTML filtering 

Comment Plain-text comment on the media type 


Media Type String Blocklist 

List of media types embedded in HTML pages you want to remove 




Table 6-13 Media Type String Blocklist 


Media type Media type that is removed by HTML filtering 


Module for opening objects embedded in HTML pages 



A rule in an HTML filtering rule set can call an opener module to open objects embedded in HTML pages 

to make them accessible for filtering. This section explains how to configure settings for this module. 

Configure the HTML opener 

You can configure settings for the module that opens objects embedded in HTML pages. 


2 On the Engines branch of the settings tree, go to Enable.HTMLOpener and select the settings you 

want to configure, for example, HTML Filtering. 



For more information on these settings, see HTML Opener engine settings. 

HTML Opener engine settings 

You can configure the HMTL Opener engine settings. These are settings for the module that opens 

objects embeded in HTML pages to make them accessible for filtering. 


HTML Opener Configuration 

Settings for the HMTL opener 

(HTML Opener list) — List of objects embedded in an HTML page that the module should open 


Inline lists. 

Table 6-14 HTML Opener list 


Node name Type of an object that the HTML opener should open. 

Only open start tags When selected, the HTML opener opens only starts tags, which contain the attributes 

that are checked by the rules. 

Comment Plain-text comment on the element 

Only open elements that refer to external sources — When selected, the HTML opener opens 

only these elements, for example, when pictures are transmitted from an external server 

You can select this option if you think that HTML pages stored on the local server can be trusted and 

need not have elements removed. 


6 




URLs and other web objects can be placed on global whitelists to skip all further filtering for related 

requests. This section explains global whitelisting and describes a library rule set for this function, as 

well as some lists used by the whitelisting rules. 

Rules for global whitelisting 

This section explains what a global whitelisting rule set does and describes a sample library rule set. 

A rule set for global whitelisting contains at least one whitelisting rule for a particular object type, for 

example, for URLs. The rule uses a list to stop the filtering cycle for web objects that have been entered 

onto it. 

The rule set is typically placed at the beginning of a rule set system and before the rule sets that do 

virus and malware filtering, URL filtering, and other filtering jobs. This way, all these rule sets are not 

processed in the current cycle when the rule or rules of the global whitelisting rule set apply. 

The impact of the rule set is global because it does not only disable a particular kind of filtering, but all 

filtering that would have been executed after it in the filtering process. 

Global Whitelist 

This section describes the rules in a library rule set that exempts requests from all further filtering when 

they are related to web objects on particular lists. 


Library rule set — Global Whitelist 




Client IP is in list Allowed Clients 

Client.IP is in list Allowed Clients –> Stop Cycle 

The rule uses the Client.IP property to check whether the IP address of a client that a request was 

sent from is on the specified whitelist. If it is, the rule applies and stops the current processing 

cycle. The request is then forwarded to the appropriate web server. 

URL.Host matches in list Global Whitelist 

URL.Host matches in list Global Whitelist –> Stop Cycle 

The rule uses the URL.Host property to check whether the host that a URL sent in a request 

provides access to is on the specified whitelist. If it is, the rule applies and stops the current 

processing cycle. The request is then forwarded to the web server that is the requested host. 


Global whitelists 


Global whitelisting 6 

You can maintain lists for use by global whitelisting rules. This section describes some sample lists and 

tells you how to add a web object to a global whitelist. 

Sample lists for global whitelisting 

The sample lists described here are used by the rules in the Global Whitelist library rule set. After 

importing the rule set, you will find them on the Lists tab of the Policy top-level menu, sorted by their 

names. 


Global Whitelist 

List of wildcard expressions for hosts that URLs provide access to 




Table 6-15 Global Whitelist 


Wildcard Expression Wildcard expression for hosts 


Allowed Clients 

List of IP addresses for clients 

Type — IP 



Table 6-16 URL WhiteList 


IP IP address of a client 

Comment Plain-text comment on an IP address 

Add a wildcard expression to a global whitelist for URLs 

You can add a wildcard expression to a whitelist used by a global whitelisting rule to exempt requests 

from further filtering when they submit URLs providing access to hosts that match the expression. 


2 On the rule sets tree, select a rule set that contains rules for global whitelisting, for example Global 

Whitelist. The rules appear on the settings pane. 

3 Find the rule that uses a whitelist to exempt requests when they submit URLs for hosts matching the 

wildcard expressions on the list, for example, URL.Host matches in list Global Whitelist and click 

on the list name. 





6 


SSL scanning 

SSL scanning 









SSL-secured requests can be inspected by an SSL scanning module before other appliance functions 

filter them. This section explains the SSL scanning process and tells you how you can modify it. 

The rules in a rule set for SSL scanning call the SSL scanning module to let it verify the certificates sent 

with SSL-secured requests. If certificate verification does not lead to blocking a request, the rules call 

the module to enable content inspection and have the request filtered by the other implemented rule 

sets. 

The rules also handle the CONNECT request that SSL-secured communication begins with if it does not 

use the transparent mode. Whitelists of hosts and certificates can be used to skip certificate verification 

and content inspection. 

Rules for SSL scanning 

To use SSL scanning on the appliance, a rule set containing appropriate rules must be implemented. 

This section describes a sample rule set from the library. 

A rule set for SSL scanning contains rules for handling the different types of requests that a client sends 

to the appliance in SSL-secured communication and for enabling certificate verification and content 

inspection. Other rules whitelist requests if, for example, the host or the certificate that a request is 

related to are on a whitelist. 

SSL Scanner 

This section describes the rules in a library rule set for SSL scanning. 


Library rule set — SSL Scanner 




• Handle Connect Call 

• Certificate Verification. 

• Verify Common Name (proxy setup) 

• Content Inspection 

• Verify Common Name (transparent setup) 



SSL scanning 6 

Handle CONNECT Call 

This nested rule set handles the CONNECT call in SSL-secured communication and enables certificate 

verification. 

Nested library rule set — Handle Connect Call 

Criteria — Command.Name equals “CONNECT” 


The rule criteria specifies that the rule set applies if a request is received on the appliance that contains 

the CONNECT command, which is sent in the opening phase of SSL-secured connection. 


Set client context 

Always –> Continue — Enable SSL Client Context with CA 

The rule enables the use of a server certificate that is sent to a client. The event settings specify the 

McAfee Web Gateway root certificate authority (CA), which is implemented on the appliance after 

the initial setup, as the default issuer of this certificate. 

Tunneled hosts 

URL.Host is in list SSL Host Tunnel List –> Stop Cycle 

The rule lets requests for access to hosts with a URL that is on the specified whitelist skip SSL 

scanning. 

Restrict destination ports to Allowed CONNECT Ports 

URL.Port is not in list Allowed Connect Ports –> Block 

The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports. 


Enable certificate verification without EDH for hosts in no-EDH server list 

URL.Host is in list No-EDH server –> Stop Rule Set — Enable SSL Scanner 

The rule enables the certificate verification for requests sent from a host on the no-EDH 

(Ephemeral Diffie-Hellman) server list. 

The event settings specify running in verification mode for the SSL scanning module and a special 

cipher string for data encryption on non-EDH hosts. 

Enable certificate verification 

Always –> Stop Rule Set — Enable SSL Scanner 

The rule enables certificate verification. The event settings specify that the SSL scanning module 

runs in verification mode. 


6 


SSL scanning 

Certificate Verification 

This nested rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted 

certificates skip verification and blocks others according to particular criteria. 

Nested library rule set — Certificate Verification 

Criteria — Command.Name equals “CERTVERIFY” 



the CERTVERIFY command, which is sent to request the verification of a certificate. 


Skip verification for certificates found in Certificate Whitelist 

SSL.Server.Certificate.HostAndCertificate is in list Certificate Whitelist –> Stop Rule Set 

The rule lets whitelisted certificates skip verification. 

Block self-signed certificates 

SSL.Server.Certificate.SelfSigned equals true –> Block 

The rule blocks requests with self-signed certificates. The action settings specify a message to the 

requesting user. 

Block expired server (7 day tolerance) and expired CA certificates 

SSL.Server.Certificate.DaysExpired greater than 7 OR 

SSL.Server.CertificateChain.ContainsExpiredCA equals true –> Block 

The rule blocks requests with expired server and CA certificates. The action settings specify a 

message to the requesting user. 

Block too long certificate chains 

SSL.Server.CertificateChain.PathLengthExceeded equals true –> Block 

The rule blocks a certificate chain if it exceeds the path length. 

The settings in the property specify a list for the module that checks the certificate authorities. The 

action settings specify a message to the requesting user. 

Block revoked certificates 

SSL.Server.CertificateChain.ContainsRevoked equals true –> Block 

The rule blocks a certificate chain if one of the included certificates has been revoked. 

The settings in the property specify a list for the module that checks the certificate authorities. The 

action settings specify a message to the requesting user. 

Block unknown certificate authorities 

SSL.Server.CertificateChain.FoundKnownCA equals false –> Block 

The rule blocks a certificate chain if none of the certificate authoritiies (CAs) issuing the included 

certificates is a known CA . The settings in the property specify a list for the module that checks 

the certificate authorities. 



Block untrusted certificate authorities 



SSL.Server.FirstKnownCAIsTrusted equals false –> Block 

The rule blocks a certificate chain if the first known CA that was found is not trusted. The settings 

in the property specify a list for the module that checks the certificate authorities. 


Verify Common Name (proxy setup) 

This nested rule set verifies set the common name in a certificate. It applies only to requests sent in 

non-transparent mode. 

Nested library rule set — Verify Common Name (proxy setup) 

Criteria — Connection.SSL.TransparentCNHandling equals false 


The rule criteria specifies that the rule set applies if a request is received through a connection used in 

SSL-secured communication and verification of the common name is not performed in transparent 

mode. 


Allow matching hostname 

URL.Host equals Certificate.SSL.CN –> Stop Rule Set 

The rule allows a request if the URL of the requested host is the same as the common name in the 

certificate. 

Allow wildcard certificates 

Certificate.SSL.CN.HasWildcards equals true AND 

URL.Host matches.Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set 

The rule allows requests to hosts sending certificates that have wildcards in their common names 

matching the URLs of the hosts. To verify that a common name containing wildcards matches a 

host, this name is converted into a regular expression. 

Allow alternative common names 

URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set 

The rule allows requests to hosts with alternative common names in their certificates and the host 

matches at least one of them. 

Block incident 

Always –> Block 

If any of the rules for allowing matching common names applies, processing of the rule set stops 

and this rule is not processed. Otherwise, requests are blocked by this rule due to a common name 

mismatch. The action settings specify a message to the requesting user. 


6 


SSL scanning 

Content Inspection 

This nested rule set completes the handling of a CERTVERIFY call. It lets some requests skip content 

inspection according to particular criteria and enables inspection for all others. 

Nested library rule set — Content Inspection 

Criteria — Command.Name equals “CERTVERIFY” 



the CERTVERIFY command, which is sent to request the verification of a certificate. 


Skip content inspection for hosts found in SSL Inspection Whitelist 

Connection.SSL.Transparent equals false AND 

URL.Host matches in list SSL Inspection Whitelist –> Stop Rule Set 

The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in 

non-transparent mode. 

Skip content inspection for CN found in SSL Inspection Whitelist 

Connection.SSL.Transparent equals true AND 

Certificate.SSL.CN matches in list SSL Inspection Whitelist –> Stop Rule Set 

The rule lets requests with whitelisted common names in their certificates skip content inspection. 

It applies only in transparent mode. 


Do not inspect connections with client certificates 

Connection.Client.CertificateIsRequested equals true –> Stop Rule Set 

The rule lets requests skip inspection if they require the use of client certificates. 


Enable content inspection 

Always –> Continue — Enable SSL Scanner 

The rule enables content inspection. The event settings specify that the SSL scanning module runs 

in inspection mode. 

If any of the rules for skipping content inspection applies, processing of the rule set stops and this 

last rule, which enables the inspection, is not processed. Otherwise, content inspection is enabled 

by this rule. 




Verify Common Name (transparent setup) 

This nested rule set verifies the common name in a certificate. It applies only to requests sent in 

transparent mode. 

Nested library rule set — Verify Common Name (transparent setup) 

Criteria — Connection.SSL.TransparentCNHandling equals true AND Command.Name does not equal “CONNECT” 

AND Command.Name does not equal “CERTVERIFY” 


The rule criteria specifies that the rule set applies if a request is received through a connection used in 

SSL-secured communication and verification of the common name is performed in transparent mode. 

The rules of the rule set check the same criteria to verify a common name as those of the Verify 

Common Name rule set for the non-transparent mode. 

However, in the latter mode, the host name to be checked is taken from the CONNECT request, which 

is not sent under the transparent mode. In this mode, the host name is taken from the request that is 

sent. 

For more information, see Verify Common Name (proxy setup). 

Lists for SSL scanning 

This section describes some sample lists for SSL scanning. The lists are used by the rules of the library 

SSL Scanner rule set. 

Note: When you import this rule set, the lists are also imported. You can find them on the Lists tab of the 

Policy top-level menu, which displays lists sorted by their types and names. 


Allowed CONNECT Ports 

List of ports that are allowed CONNECT ports on destination servers 

Type — Number 

Initial entry — 443 – Default HTTPS port 


Table 6-17 Allowed CONNECT Ports list 


Number Number of a port that is an allowed CONNECT port on a destination server 


Certificate White List 

List of certificates that are not verified by the SSL scanning module 

Type — Host and Certificate 



Table 6-18 Certificate White List 


Certificate Name of a whitelisted certificate 

Host Host that the certificate proves to be trustworthy (in regular expression format) 

Comment Plain-text comment on the certificate 


6 


SSL scanning 

No-EDH Server 

List of hosts that are non-EDH servers 

When requests are sent from these hosts, the SSL scanning module verifies the certificate with special 

settings. 


The list is initially empty 


Table 6-19 No-EDH Server list 


String Host name of a non-EDH server 

Comment Plain-text comment on the server 

SSL Inspection White List 

List of hosts 

For requests sent to these hosts, the SSL scanning module does not enable content inspection. 




Table 6-20 SSL Inspection White List 


Wildcard expression Name of a whitelisted host (in regular expression format including also wildcards) 

Comment Plain-text comment on the host 


Modules for SSL scanning 



The SSL scanning rules call several modules to execute jobs that are related to SSL scanning. This 

section tells you how to configure these modules. 

You can configure the following modules: 

• SSL Scanner — Enables certificate verification and content inspection, which are key jobs in SSL 

scanning. 

Typically, there are separate settings for the module when called to verify certificates and when 

called to inspect content. 

• SSL Client Context — Handles the sending of a certificate from the appliance to a client. 

After the initial setup, the module uses a certificate issued by the default root certificate authority 

(CA) that is implemented on the appliance. For further administration, it is recommended that you 

create your own root CA, using the options provided with the module settings. 

• Certificate Chain — Handles the building of a certificate chain. 

When building the chain, the module uses a list of certificate authorities for the certificates that are 

included in the chain. You can add certificate authorities to existing lists and also add new lists. 

Configure a module for SSL scanning 

This section describes the procedure for configuring the modules that are involved in SSL scanning. 

To configure an SSL scanning module: 


2 On the Engines branch of the settings tree, go to the module you want to configure settings for and 

select these settings. For example, go to SSL Scanner and select Default Certificate Verification. 



For more information on these settings, see SSL Scanner engine settings, SSL Client Context engine 

settings, and Certificate Chain engine settings. 

SSL Scanner engine settings 

You can configure the SSL Scanner engine settings. These are the settings for the module that the SSL 

scanning rules call to verify certificates and enable content inspection in SSL-secured communication. 


Certificate Verification Without EDH 

Settings for the SSL Scanner module when it uses a special mode to verify certificates in 

communication with web servers that do not support the EDH (Ephemeral Diffie-Hellman) method 

Meaning and usage of these settings are the same as for the Default Certificate Verification settings. 

For the Server cipher list parameter, the string specified as its value usually differs from the string 

specified for the default settings. 

For more information, see Default Certificate Verification. 


6 


SSL scanning 

Default Certificate Verification 

Settings for the SSL Scanner module when it uses the default mode to verify certificates 

Enable SSL Scanner 

Settings for configuring standard parameters of certificate verification 

SSL scanner function — Function performed by the SSL Scanner module 

• Certificate verification — When selected, the module verifies certificates submitted in SSL-secured 

communication 

Note: For the Default Certificate Verification and Certificate Verification Without EDH settings, this option 

is enabled by default. 

• SSL inspection — When selected, the module inspects the content of web objects transmitted in 

SSL-secured communication 

SSL protocol version — Version of the protocol the SSL Scanner module follows when it performs its 

functions 

• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used 

• SSL 3.0 — When selected, SSL version 3.0 is used 

Server cipher list — String of Open SSL symbols used for decrypting server data 

The SSL Scanner module uses different strings for default certificate verification and for verifying 

certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method. 

SSL session cache TTL — Time (in seconds) for keeping the parameter values of a session in 

SSL-secured communication stored in the cache 

Allow handshake and renegotiation with servers that do not implement RFC 5746 — When 

selected, the SSL Scanner module performs these activities also in communication with web servers 

that fail to comply with the specified standard 

Allow Alternative Handshakes 

Settings for handshakes in SSL-secured communication that use alternative parameter values 

Use alternative handshake settings after handshake failure — When selected, the SSL Scanner 

module uses alternative parameter values after the first attempt to perform a handshake in 

SSL-secured communication has failed 

SSL protocol version — Version of the protocol the SSL Scanner module follows when it performs an 

alternative handshake 



Server cipher list — Alternative string of Open SSL symbols used for decrypting server data 

The SSL Scanner module uses different strings to do the default certificate verification and a special 

kind of verification for certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) 

method. 

Enable Content Inspection 

Settings for the SSL Scanner module when it enables the inspection of content 

Meaning and usage of these settings are the same as for the Default Certificate Verification settings. 

For the SSL scanner function parameter, the SSL inspection option is enabled by default. 

For more information, see Default Certificate Verification. 




SSL Client Context engine settings 

You can configure the SSL Client Context engine settings. These are the settings for the module that 

deals with the certificates the appliance sends to its clients. 


Default CA 

Settings for the SSL Client Context module when it uses a certificate issued by the default root 

certificate authority (root CA) 

Define SSL Client Context 

Settings for the SSL Client Context module 

(Current root certificate authority) — Parameters and values of the root certificate authority (root CA) 

that is currently in use on the appliance 

After the initial setup, a default root CA is implemented on the appliance. For further administration, it 

is recommended that you create your own root CA. Use the Generate New button to create this 

certificate authority. 

Send certificate chain — When selected, the appliance sends information on the chain of 

certificates that are involved in the process of validating the certificate the appliance sends to its 

clients 

The certificate the appliance sends as a server to its clients is considered to exist on level 0. When a 

certificate authority (CA) signs this server certificate to validate it, it is done on level 1. When an 

additional certificate authority validates the first certificate authority, it is done on level 2. With each 

additional certificate authority that is involved, the level increases by one. 

When a certificate authority validates another certificate authority, it issues and signs a certificate for 

this authority. However, instead of being validated by another certificate authority, a certificate 

authority can also validate itself by issuing and signing a certificate. This certificate is then called a 

self-signed certificate. 

The certificates involved in the validating process are said to form a certificate chain. In the simplest 

case, a certificate chain has only two members: the certificate the appliance sends as a server to its 

clients and the self-signed certificate of the certificate authority that signed the server certificate on 

level 1. The certificate authority that stands at the beginning of the validating process is known as the 

root certificate authority (root CA). 

Information on a certificate chain includes data on all the certificate authorities involved. The appliance 

needs to send this information to its clients if not all of these certificate authorities are known and 

trusted by the clients. 

Certificate chain — Input field for entering information on a certificate chain 

After importing an existing certificate authority (CA) that is involved in a certificate chain, the 

information on this certificate chain appears in the field. 

Perform insecure renegotations — When selected, the module renegotiates the parameters for 

the SSL-secured communication even if this is insecure to do 

Client cipher list — String of Open SSL symbols used for decrypting client data 

SSL session cache TTL — Time (in seconds) for keeping the parameter values of a session in 

SSL-secured communication stored in the cache 

SSL protocol version — Version of the protocol the SSL Scanner module follows when it performs a 

handshake 



For more information on how to create a new certificate authority or import an existing certificate 

authority for use instead of the default one, see Create your own certificate authority and Import a 



6 


SSL scanning 

Create your own certificate authority 

This section describes a procedure for creating a certificate authority (CA) of your own for use instead 

of the certificate authority that is implemented on the appliance after the initial setup. 

To create a certificate authority: 


2 On the Engines branch of the settings tree, go to SSL Client Context with CA and select the 

settings you want to configure, for example, Default. 

3 Click Generate New. The Generate New Certificate Authority Window opens. 

4 In the Organization and Locality fields, type suitable information for your own certificate authority. 

5 [Optional] In the Organizational unit and State fields, type suitable information. From the 

Country list, select a country. 

6 In the Common name field, type a common name for your own certificate authority. 

7 [Optional] In the Email address field, type an email address of your organization. 

8 From the Valid for list, select the time that your certificate authority should be valid. 

9 [Optional] In the Comment field, type a plain-text comment on the certificate authority. 

10 Click OK. The new certificate authority is generated. 


The certificate authority you created through this procedure is the one that signs the certificate the 

appliance sends to its clients in the starting phase of the SSL-secured communication. 

For information on other settings for the communication between the appliance and its clients, see SSL 

Client Context engine settings. 

Import a certificate authority 

This section describes a procedure for importing an existing certificate authority (CA) for use instead of 

the certificate authority that is implemented on the appliance after the initial setup. 

To import a certificate authority: 


2 On the Engines branch of the settings tree, go to SSL Client Context with CA and select the 

settings you want to configure, for example, Default. 

3 Click Import. The Import Certificate Authority Window opens. 

4 In the the Certificate field, enter the name of the file that contains the data for the certificate 

authority you want to import. To do this, click the Browse button and browse to a suitable file. 

The file must be encoded in PEM (Privacy-enhanced mail) format. 

5 In the the Private key field, enter the name of the file that contains the key the certificate authority 

uses for signing certificates. To do this, click the Browse button and browse to a suitable file. 

The file must be encoded in PEM format. The key must have a length of at least 2048 bit. 

6 [Conditional] If the private key is protected by a password, type it in the Password field. 

Note: Only unencrypted keys and key that are AES-128-bit encrypted can be used here. 

7 [Conditional] If the certificate authority is involved in a certificate chain and you want to retrieve 

information on this chain to let the appliance send it to its clients with a certificate, enter the name 

of the file that contains the information in the Certificate chain field. To do this, click the Browse 

button and browse to a suitable file. 

The file must be encoded in PEM format. 


8 Click OK. The window closes and the certificate authority is imported. 




The certificate authority you imported through this procedure is the one that is used for issuing the 

certificate the appliance sends to its clients in the starting phase of the SSL-secured communication. 

For information on other settings for the communication between the appliance and its clients, see SSL 

Client Context engine settings. 

Certificate Chain engine settings 

You can configure the Certificate Chain engine settings. These are the settings for the module that 

deals with the certificates the appliance receives from web servers. 


Default 

Default settings for the Certificate Chain module 

Certificate Verification 

Settings for the certificates used to build a certificate chain 

List of certificate authorities — List for selecting a list of certificate authorities (CAs) that sign the 

certificates in a certificate chain 

The following table describes the entries in a list of certificate authorities. For information on 

maintaining a list of this type, see Inline lists. 

Table 6-21 List of certificate authorities lists 



Certificate revocation list List with information on when a certificate signed by this certificate authority 

becomes invalid and the URI used to access the list 

Trusted Information on whether a certificate authority is trusted on the appliance 

Comment Plain-text comment on a certificate authority 

For information on how to import a certificate authority for the certificates in a certificate chain, see 

Add a certificate authority. 

Add a certificate authority 

This section describes a procedure for importing an existing certificate authority (CA) and adding it to a 

list of known certificate authorities. 

To import and add a certificate authority: 


2 On the Engines branch of the settings tree, go to Certificate Chain and select the settings you want 

to configure, for example, Default. 

3 Select a list of certificate authorities and click Edit. The Edit List (Certificate Authority) window opens. 

4 Click Add. The Add Certificate Authority window opens. 

5 [Optional] Type the name of a certificate revocation list (CRL) in the input field provided here and 

select or deselect Trusted, according to the status the new certificate authority should have. 

6 Click Import. A window opens to let you access your file system. 

7 Browse to the file for the certificate authority you want to import and click Open. The window closes 

and information on the new certificate authority appears in the Add Certificate Authority window. 


6 



8 Click OK. The window closes and the new certificate authority appears on the list in the Edit List 

(Certificate Authority) window. 

9 Click OK to close the Edit List (Certificate Authority) window. 



Some functions on the appliance do not filter web objects or users, but support the filtering process in 

various ways. This section explains some of these functions. 

You can use them to do, for example, the following: 

• Show download progress — You can configure methods to show users the progress made in 

downloading web objects. 

• Throttle bandwith for uploads and downloads — You can limit the speed used for uploading data 

from clients to the appliance or downloading them from web servers to the appliance. 

• Route requests through next-hop proxies — You can use these proxies to route requests to their 

destinations. 

For more information, see Progress Indication, Bandwidth throttling, and Next-hop proxies. 

Progress Indication 

The progress made in downloading objects from the web can be shown to users in different ways. This 

section explains how to configure the methods for showing this progress. 

It depends on the users’s browser which method of progress indication is appropriate. Accordingly, the 

rules of a progress indication rule set call different modules that use one or the other method to show 

download progress. 

Administering progress indication on the appliance includes the following activities: 

• Make sure a progress indication rule set is implemented — The rule set that is implemented 

as part of a default system contains rules for calling a module that displays a progress page for Mozilla 

browsers and another module that uses data trickling for all others. You can also create a rule set of 

your own and let it contain different rules. 

• Configuring the settings of the progress indication modules — When a default rule set is 

implemented, module settings are also available. You can modify the settings of the module that 

executes data trickling and of the one that uses a progress page. 

For more information, see Progress Indication (rule set) and Configure the progress indication modules. 

Progress Indication (rule set) 

This section describes the rule in a library rule set that enable a progress page or data trickling to show 

download progress to users. 

For general information on understanding and handling rules, see Rules and rule sets 

Library rule set — Progress Indication 

Criteria — MediaType.FromHeader does not equal text/htm 

Cycles — Responses 

The rule set criteria specifies that the rule set applies when media that is sent in reponse to the 

appliance is not of the text or htm type. 



Progress Page 


Supporting functions 6 

Header.Request.Get (“User-Agent”) matches *(Mm)ozilla* –> Stop Rule Set — Enable Progress 

Page 

The rule enables a progress page for Mozilla browsers. The event settings specify what the 

progress page looks like, for example, the language it uses. 

Data Trickling 

Always –> Stop Rule Set — Enable Data Trickling 

The rule enables data trickling for all browsers that are not Mozilla. The event settings specify the 

chunk and block sizes used for the trickling. 

Configure the progress indication modules 

When a default rule set for progress indication is implemented, settings for two modules that use 

different methods of progress indication are also implemented. 

Complete the following procedure to configure these settings: 


2 On the Engines branch of the settings tree, go to Enable.DataTrickling or Enable.Progress Page 

and select the settings you want to configure, for example, Default. 


• Data trickling — For all browsers that are not Mozilla 

You can configure the size of the first chunk and the trickle rate. 

• Progress page — For Mozilla browsers 

You can configure a page for the progress bar, a page for download completion, and other 

settings. 

Templates are used to provide these two pages. You can configure them in the same way as the 

templates for user messages. 


For more information, see Enable Data Trickling engine settings, Enable Progress Page engine settings, 

and User messages. 

Enable Data Trickling engine settings 

You can configure the Enable Data Trickling engine settings. These are the settings of the module that 

uses the data trickling method for progress indication. 

Note: These settings are configured on the Settings tab of the Policy top-level menu. 

Data Trickling Parameters 

Settings for chunks and blocks used in data trickling 

Size of first chunk — Size (in bytes) of the first chunk of a web object that is forwarded using the 

data trickling method 

Forwarding rate — Portion of a web object that is forwarded every five seconds 

The forwarding rate is the thousandth part of the volume that is to be forwarded multiplied by the value 

you configure here. 


6 



Enable Progress Page engine settings 

You can configure the Progress Page engine settings. These are the settings of the module that uses 

the progress page method for progress indication. 


Default 

Default settings for the progress page 

Progress Page Parameters 

Settings for templates and timeouts 

Templates 

Settings for the templates used by the progress page 

Language — Settings for selecting the language of the progress page 

Auto (Browser) — When selected, the message is in the language of the browser that the 

blocked request was sent from 

Force to — When selected, the message is in the language chosen from the list that is provided 

here 

Value of ‘Message.Language’ property — When selected, the message is in the language that 

is the value of the Message.Language property 

This property can be used for creating a rule. 

Collection — List for selecting a template collection 

Add — Opens the Add Template Collection window for adding a template collection 

Edit — Opens the Template Editor for editing a template collection 

Template name for progress bar page — List for selecting a template 

Add — Opens the Add Template window for adding a template 

Edit — Opens the Template Editor for editing a template 

Template name for download finished page — List for selecting a template 



Template name for download canceled page — List for selecting a template 



Timeouts 

Settings for the timeouts that apply to the progress page 

Delay for redirects to progress page — Time (in seconds) to elapse before the progress page 

appears 

File availability time before download — Time (in minutes) to elapse before a file is no longer 

available to a user before the download 

File availability time after download — Time (in minutes) to elapse before a file is no longer 

available to a user after the download 


Bandwidth throttling 



You can limit the speed for uploading and downloading data to the appliance in a process also known as 

bandwidth throttling. This section explains how this process is configured and provides two examples of 

bandwidth throttling rules. 

You can use bandwidth throttling, for example, to avoid a situation where the network performance you 

need for completing a particular task is impacted by other users who are individually uploading objects 

to the web or are requesting large downloads from the web. 

Bandwidth throttling events 

Two events are available for use in rules that can trigger bandwidth throttling: 

• The Throttle.Client event limits the speed of data transfer from a client to the appliance. This is the 

case when a client sends a request for uploading an object to a web server and the request is 

intercepted on the appliance together with the object. 

• The Throttle.Server event limits the speed of data transfer from a web server to the appliance. In this 

case, there has been a client request to download an object from a web server, and after this request 

has been filtered on the appliance and forwarded, the web server sends the object in response. 

The transfer speed is measured in Kbps (kilobits per second). The events both have a parameter for 

specifying the maximum speed that should be used during a transfer. The lowest value that you can 

specify here is 10 Kbps. 

Bandwith throttling rule for uploads 

The following is an example of a rule that can execute bandwidth throttling rule for uploads. 

Note: The example shows approximately how the rule appears on the user interface. 

Name 

Limit upload speed for hosts on throttling list 


URL.Host is in list Upload Throttling List –> Continue – Throttle.Client (10) 

The rule uses the Throttle.Client event to limit the speed with which uploads are performed to 10 Kbps 

if the web server that the data should be uploaded to is on a particular list. 

In the criteria of the rule, the URL.Host property is used to retrieve the host name of the web server 

that is specified in the uploading request. 

If the Upload Throttling List contains this name, the criteria is matched and the rule applies. The 

throttling event is then executed. 

The Continue action lets rule processing continue with the next rule. 


6 



Bandwith throttling rule for downloads 

The following is an example of a rule that can execute bandwidth throttling rule for downloads. 


Name 

Limit download speed for media types on throttling list 


MediaType.EnsuredTypes at least one in list MediaType 

Throttling List 

–> Continue – Throttle.Server (1000) 

The rule uses the Throttle.Server event to limit the speed with which downloads are performed to 1000 

Kbps if the web object that should be downloaded belongs to a media type on a particular list. 

In the criteria of the rule, the MediaType.EnsuredTypes property is used to detect the media type of the 

web object that the web server sends. An object can also be found to belong to more than one type. 

If any of these types is on the Media Type Throttling List, the criteria is matched and the rule applies. 

The throttling event is then executed. 

The Continue action lets rule processing continue with the next rule. 

Bandwidth throttling rules and rule sets 

It is recommended that you create an overall rule set for bandwidth throttling rules and embed two rule 

sets in it, one for throttling uploads and another for throttling downloads. You can then let the 

embedded upload rule set apply for the request cycle and the embedded download rule set for the 

response cycle. 

Note: Within each embedded rule set, you can have multiple throttling rules that apply to different kinds of 

web objects. 

The overall rule set for bandwidth throttling should be placed at the beginning of your rule set system. 

If this is not done, rules in other rule sets can start unthrottled downloads of web objects before your 

throttling rules are executed. 

For example, a rule for virus and malware filtering could trigger the download of a web object that has 

been sent by a web server in response to a user request. The web object then needs to be completely 

downloaded to the appliance to see whether it is infected. If your bandwidth throttling rule set is placed 

and processed after the rule set with the virus and malware filtering rule, bandwidth throttling is not 

applied to that download. 


Next-hop proxies 



The appliance can use next-hop proxies for routing requests received from its clients to their 

destinations. This section explains how to implement and configure these proxies. 

When next-hop proxies are implemented, rules in a corresponding rule set use a module to call proxies 

that have been entered onto a list for routing requests. 

For example, you can route requests that have internal destinations using internal proxies. IP 

addresses of destinations that are internal are then entered onto a list, which the routing rule relies on. 

Similarly, there can be a list of internal next-hop proxy servers for use by the rule. 

A rule set with rules for using next-hop proxies is not implemented on the appliance after the initial 

setup. You can import a rule set from the library and modify it according to your needs or create a rule 

set of your own. 

When you import a next-hop proxy rule set, a server list is also imported, which is initially empty and 

must be filled by you. You can also create more than one list and use these lists for routing in different 

situations. 

Settings for the next-hop proxy module are mported with a library rule set as well. You can configure 

these settings to let the module use a particular next-hop proxy list and to determine the mode of 

calling the proxies (round-robin or fail-over). 

For more information on modes of calling next-hop proxies, see Next-hop proxy modes. 

For information on a rule set, lists, and module settings for next-hop proxies, see Next-Hop Proxy, Lists 

for next-hop proxy routing, and Configure next-hop proxy settings. 


6 



Next-hop proxy modes 

When multiple servers are available as next-hop proxies for routing requests, the next-hop proxy 

module can use two modes to call them: round-robin and fail-over. 

When routing a request in round-robin mode, the next-hop proxy module calls the server that is next 

on the list to the one that was called last time. 

For the next request, this is handled in the same way, so all servers on the list will eventually have 

been used as next-hop proxies. 

Figure 6-1 Round-robin mode 

When routing a request in fail-over mode, the next-hop proxy module calls the first server on the list. 

If the server fails to respond, the call is repeated until the configured number of retries is reached. Only 

then is the next server in the list tried. It is called in the same way as the first, and eventually the next 

server in the list is tried. 

This is continued until a server responds or all servers in the list were found to be unavailable. 

Figure 6-2 Fail-over mode 




Next-Hop Proxy 

This section describes a library rule set with a rule that routes internal requests through internal 

next-hop proxies. 

For general information on understanding and handling rules, see Rules and rule sets 

Library rule set — Next-Hop Proxy 




Use internal proxy for internal host 

URL.Destination.IP is in range list Next Hop Proxy IP Range List OR URL.Destination.IP is in list Next 

Hop Proxy IP List –> Continue — Enable Next Hop Proxy 

The rule uses the URL.Destination.IP property to check whether an IP address that corresponds to 

a URL is in one of the ranges specified on a list or is on a list directly. If it is, the rule uses an event 

to route requests for access to these URLs through internal next-hop proxies. 

The event settings specify settings that include the next-hop proxy list and the mode for calling 

proxies. 

Lists for next-hop proxy routing 

This section describes the library next-hop proxy lists. When you import the Next Hop Proxy rule set 

from the library, these lists are also imported. 

Note: You can find the list on the Lists tab of the Policy top-level menu, which displays lists sorted by their 

types and names. 


Next-Hop Proxy IP List 

List of IP addresses that are the destinations of requests received on the appliance 

Type — IP 



Table 6-22 Next-Hop Proxy IP List 


IP IP address of the destination for a request 

Comment Plain-text comment on an IP address 

Next-Hop Proxy IP Range List 

List of IP address ranges for the destinations of requests received on the appliance 

Type — IPRange 



Table 6-23 Next-Hop Proxy IP Range List 


IPRange IP address range for destinations of requests 

Comment Plain-text comment on an IP address range 


6 



Configure next-hop proxy settings 

You can configure the settings of the module that calls next-hop proxies. 


2 On the Engines branch of the settings tree, go to Next-Hop Proxy and select the settings you want 

to configure, for example, the Internal Proxies settings. 



For more information on these settings, see Next-Hop Proxy engine settings. 

Next-Hop Proxy engine settings 

You can configure the Next-Hop Proxy engine settings. These are the settings of the module that calls 

next-hop proxies to route requests. 


Next-Hop Proxy Server 

Settings for configuring servers as next-hop proxies 

List of next-hop proxy servers — List for selecting a next-hop proxy server list 


Inline lists. 

Table 6-24 Next-hop proxy servers list 


Name Name of a next-hop proxy server list 

Comment Plain-text comment on a next-hop proxy server list 

Round robin — When selected, the next-hop proxy module uses the next-hop proxy following the one 

in the list that has been used last 

When the end of the list has been reached, the first next-hop proxy in the list is again selected. 

Fail over — When selected, the next-hop proxy module tries the first next-hop proxy in the list first 

If it fails, it is retried until the configured retry maximum has been reached. Then the second next-hop 

proxy in the list is tried, and so on, until a server responds or all are found to be unavailable. 


User messages 


User messages 6 

Messages can be sent to users when a filtering rule blocks their requests for web access or affects them 

in other ways. This section tells you how to modify these messages. 

Messages are sent to users based on templates. To modify what messages look like, you adapt these 

templates. This is done under the settings for the actions that affect users. 

• Authenticate — Template-based message for telling a user that authentication is required to access 

a URL 

• Block — Template-based message for telling a user that a request was blocked for various reasons, 

for example, because a virus was detected in the requested object 

• Redirect — Template-based message for telling a user that redirecting to another URL is needed for 

accessing the requested object 

Message templates 

Message templates contain standard text with variables. The variables are filled with values as needed 

in a given situation. 

Note: All variables used in message templates are also properties used by rules. For example, URL is a 

variable in a message text and a property used in the rule that exempts URLs from filtering. 

For example, a Virus Found message might have the following text and variables: 

• Standard text — The transferred file contained a virus and was therefore blocked. 

• Variables — as follows: 

• URL — URL that the user requested to access the file 

The variable used to display a URL is $URL$. 

• Virus name — Name of the found virus that caused the blocking of the file 

The variable used to display a virus name is $List.OfString.ByName(String)$. 

Note: When editing a message template, you can select and insert variables from a list of properties. 

To serve as variables in message templates, these are converted into strings (if they are not strings 

already). 

For this reason, it makes no sense to select “string converter” properties here, which are properties 

whose job it is to convert other data types into strings, for example, the NumberToString(String) 

property. 

Different versions can exist of a particular template regarding: 

• File format — .html or .txt 

• Language — Language of template 

Templates can exist for multiple languages. An English version is provided by default for all initially 

existing templates. 

You can group templates into collections and have, for example, a default collection and collections for 

other purposes. 

You can edit message templates when you edit the settings for particular actions. For more information, 

see Adapt a user message template. 


6 


User messages 

Adapt a user message template 

You can adapt the templates of messages sent to users when they are affected by an action of a 

filtering rule. 

Complete the following procedure to adapt a template: 


2 On the Actions branch of the settings tree, go to an action and select the settings you want to 

configure, for example, the Virus Found settings of the Block action. 


For example, to edit the text of a message: 

a From the list under Template Name, select a template, for example, Virus Found. 

b Click Edit. The Template Editor opens. 

c On the templates tree, double-click the Virus Found folder. The folder opens and displays 

templates in the available languages and file formats (.html and .txt). 

d Select, for example, en for English and html. The corresponding template appears on the settings 

pane. 

Initially, the template text reads as follows: The transferred file contained a virus and was 

therefore blocked. 

e Edit this text as needed. 

4 Click Save Changes on the Template Editor. 

For more information, see Template Editor and Settings for message templates. 

Template Editor 

The Template Editor is a device on the user interface that allows you to edit existing templates for user 

messages. 

Note: The Template Editor opens when you click Edit for a selected template or template collection on the 

Settings tab of the Policy top-level menu (after selecting the settings of the Authenticate, Block, or Redirect 

action on the settings tree). 

When editing a message template, you can do the following: 

• Select a language for the message of the template 

• Edit the text of the message 

• Replace the variables of the template 

• Provide a block reason for logging purposes (only for Block action templates) 

• Provide a URL for redirecting (only for Redirect action templates) 


The following table describes the options of the Template Editor in detail: 

Table 6-25 Template Editor 




Templates Displays a tree structure (for viewing templates and selecting them for editing) with the 

following elements: 

• Template collections — Collections of templates, for example, the Default collection 

• Templates — Templates belonging to a collection, for example, Virus Found 

For each template, the following is provided under a tree node: 

– de, en ... — Language versions of the template 

– html — version in .html format 

– txt — version in .txt format 

When you select a format, the template content appears on the HTML Editor pane. 

• Import — Opens the Import window to let you browse to a file containing .html and .txt 

template versions for a particular language and import it 

• Export — Opens the Export window to let you browse to a template file and export it 

• (Expand All) — Expands all collapsed items on the Templates tree 

• (Collapse All) — Lets all expanded items collapse 

A right-click on a collection, template, language version, or format opens a menu with the 

following options (the selection of the options varies with the item): 

• Clone — Opens the Clone window for inserting a copy of an item under a new 

name into a collection 

• Add Content File — Opens the Add Content File window for adding a file 

• Rename — Opens the Rename window for renaming an item 

• Change — Opens the Change Language window for changing a language version 

• Delete — Deletes an item 

A window opens to let you confirm the deletion. 


6 


User messages 

Table 6-25 Template Editor (continued) 


File System Displays a tree structure (for completing general tasks, such as adding, renaming, and 

deleting template files) with the following elements: 

• Template collections — Collections of templates, for example, the Default collection. 

• Language versions — Templates sorted by language versions (and within a language 

group first by names and then by formats). 

For example, the en language group contains: 

– authenticationrequired.html 

– authenticationrequired.txt 

– AuthorizedOnly.html 

– AuthorizedOnly.txt 

... 

When you select a format, the template content appears on the HTML Editor pane (same 

function as on the Templates pane). 

• Images — Image files (with images used in templates) sorted by name 

• Add — Opens the following menu: 

– New File — Opens the Filename window for adding a file with a new name 

– New Directory — Opens the Rename Directory window for adding a selected folder 

of the tree structure under a new name 

– Existing File or Directory — Opens your file manager for selecting and adding a file 

or folder 

• Edit — Opens the following menu: 

– Rename — Opens the Rename window for renaming an item 

– Delete — Deletes an item. A window opens to let you confirm the deletion 

• Cut — Copies and deletes a selected item 

• Copy — Copies a selected item 

• Paste — Pastes a copied item 

• Delete — Deletes a selected item 

• (Expand All) — Expands all collapsed items on the File System tree 

• (Collapse All) — Lets all expanded items collapse 

A right-click on an item opens a menu with the above options (options that do not apply for 

an item are grayed out). 

HTML Editor Displays the content the template that is currently selected on the Templates or File System 

pane. 

• Add — Opens the following menu: 

– Resource Reference — Opens the Insert Resource Path window for entering the 

path to a resource, such as an image or other graphical element, that appears in 

a template 

– Property — Opens the Choose Property window for adding a property that appears 

as a variable in a template, for example, $URL$ 


• Edit — Opens the following menu: 

– Cut — Copies and deletes a selected portion of template content 

– Copy — Copies a selected portion 

– Paste — Pastes a copied portion 

– Delete — Deletes a selected portion 

– Select All — Selects the complete template content 

• Discard Changes — Undoes your changes of a template 

• Show Source — Toggle button to display the HTML source code of a template 

• Languages drop-down menu — Lets you select the language of the preview 

• Preview — Displays a preview of a template

Table 6-25 Template Editor (continued) 


Viewer (visible Displays the image contained in a currently selected image file 

instead of the HTML 

Editor when an image 

file is selected on the 

• 

• 

Zoom In — Enlarges an image 

Zoom Out — Reduces the size of an image 

File System tree) • Fit to Window — Lets an image fill out the Viewer pane 

• Original Size — Displays an image in original size again 

Save Template 

Changes 

Saves your changes to a template 

Cancel Lets you leave the Template Editor without changes 




6 


User messages 

Settings for message templates 

You can configure settings for the Authenticate, Block, and Redirect actions, including the settings of 

the templates for messages to affected users. This section describes these settings. 


Block action settings 

The settings for the Block action allow you to configure user messages and a block reason for logging 

purposes. 

A typical text of a user message sent with this action is: The file was blocked, because the detected 

media type is not allowed. 

Language and Template Settings 

Settings for the Block action 

Language — Settings for selecting the language of a user message 

Auto (Browser) — When selected, the message is in the language of the browser that the blocked 

request was sent from 

Force to — When selected, the message is in the language chosen from the list that is provided 

here 

Value of Message.Language property — When selected, the message is in the language that is the 

value of the Message.Language property 

This property can be used for creating a rule. 

Template collection — List for selecting a template collection 

Add — Opens the Add Template Collection window for adding a template collection 

Edit — Opens the Template Editor for editing a template collection 

Template name — List for selecting a template 



Secure Web Reporter block reason ID — Numerical value for a block reason 

Block reason — Block reason in plain text 

Authenticate action settings 

The settings for the Authenticate action allow you to configure user messages informing users that they 

need to authenticate in a given situation. 

A typical text of a user message sent with this action is: You must be authenticated to access this 

URL.The file was blocked, because the detected media type is not allowed. 

Failed Login Message Template 

Settings for the Authenticate action 

These settings are the same as for the Block action (except for the block reason) and are configured in 

the same way. 

For more information, see Block action settings. 




Redirect action settings 

The settings for the Redirect action allow you to configure user messages and the redirect URL. 

A typical text of a user message sent with this action is: The object has moved to another place, please 

enable redirects in your browser. 

Redirect Settings 

Settings for the Redirect action 

Most of these settings are the same as for the Block action and are configured in the same way. The 

following settings apply only to the Redirect action: 

Redirect.URL — When selected, the URL used for redirecting is the value given to the Redirect.URL 

property. This property can be part of a corresponding rule 

User-defined URL — When selected, the redirecting URL must be specified by you 

Redirect URL — Input field for this redirecting URL 

For more information, see Block action settings. 


6 


User messages 


7 

System configuration 

Contents 

Configuring the appliance system 

System settings 

System files 

Database updates 

Central management 


The McAfee Web Gateway appliance is a system providing functions for authenticating users and 

filtering web objects. You can configure settings for these functions and also for the system itself, 

including settings for network interfaces, the user interface, central management, and other items. 

You can configure system settings on the user interface or on a command line interface (CLI). The 

sections of this chapter describe these settings. 

Initial setup system settings 

Some system settings are configured during the initial setup. You can later modify these settings, as 

well as configure other system settings. 

The following table shows the initial settings and their default values: 

Table 7-1 Initial setup system settings 

Parameter Default value 

Primary network interface eth0 

Autoconfiguration with DHCP yes 

Host name mwgappl 

Root password webgateway 

Remote root logon with SSH off 

Default gateway 

DNS server 

For more information, see System settings. 


7 



System configuration after the initial setup 

System settings that can be configured after the initial setup include the following: 

• Network system settings — Settings for integrating the appliance system into your network 

You can modify the initial settings for the primary network interface of the appliance and the 

domain name server. You can also modify the default proxy mode of the appliance and configure 

settings for port forwarding and static routes. 

• Central Management system settings — Settings for running multiple instances of the appliance 

You can run the appliance as a standalone system or integrate multiple instances of the appliance 

in a system that you administer using Central Management methods. 

• Authentication system settings — Settings for authenticating users 

In addition to configuring authentication rules, you can configure some authentication methods 

also through system settings. This includes joining the appliance to Windows domains and using a 

Kerberos server for authenticating users. 

• System settings for logging and troubleshooting — Settings for logging system functions and 

solving problems 

You can configure the log file manager, forward data to an ePO server, and monitor events using 

an SNMP agent. You can also generate core files and enable connection tracing. 

• System settings for other functions — Settings for licensing, date and time, and the user 

interface 

The license system settings are used immediately after the initial setup to import a license for an 

appliance. Settings for date and time and the user interface can be modified later as needed. 




System settings 7 

This section tells you where you can configure the settings of the appliance system on the user 

interface and describes individual system settings. 

Appliances tab 

Use the Appliances tab to configure the settings of the appliance system. It is selected from the 

Configuration top-level menu. 

Appliances 

toolbar 

(on tab) — — Appliance 

toolbar 

(appears 

when an 

appliance 

name is 

selected, 

for 

example, 

mwgappl) 

Appliances 

tree — 

Figure 7-1 Appliances tab 


• Appliances toolbar — Options for adding and deleting appliances and updating all of them 

• Appliances tree — Tree structure displaying different appliances and system settings 

• Appliance toolbar — Options for working with a selected appliance (appears when the appliance 

name is selected, for example, mwgappl) 

• Appliance settings — System settings of the selected appliance 

Appliances toolbar 

The Appliances toolbar provides the following options: 

Table 7-2 Appliances toolbar 


Add Opens the Add Appliance window for adding an appliance 

Delete Deletes a selected appliance. A window opens to let you confirm the deletion 

— Appliance 

settings 

Manual engine update Updates DAT files with virus signatures and other filtering information for all configured 

appliances 


7 



Appliance toolbar 

The Appliance toolbar provides the following options: 

Note: This toolbar appears only when an appliance name is selected on the Appliances tree, for example, 

mwgappl. 

Table 7-3 Appliance toolbar 


Reboot Restarts an appliance 

Flush cache Flushes the web cache of an appliance 

Update appliance 

software 

Implements an updated version of the appliance software 

Shutdown Lets an appliance become inactive 

Rotate logs Rotates log files on an appliance 

Rotate and push logs Rotates log files on an appliance and pushes them to the destination that you have 

specified in the Log File Manager settings 

Configure the system settings 

The system settings of an appliance include settings for network interfaces, central management, and 

other functions. This section tells you how to access these settings and where they are described within 

this guide. 

Note: When you administer multiple appliances using central management, you can also configure their 

system settings from the one you are logged on to. 

Complete the following procedure to configure the system settings of an appliance: 


2 On the appliances tree, go to an appliance and select the system settings you want to configure, for 

example, Network. 



For information on individual system settings, see the following table. 

Note: Some of the system settings are described in this guide together with functions they are related to. For 

example, the Kerberos Administration system settings are described in the chapter on authentication. 

Table 7-4 List of sections on system settings 

Individual system settings are described under ... 

Central Management system settings 

Date and Time system settings 

DNS system settings 

ePolicy Orchestrator system settings 

File Server system settings 

Kerberos Administration system settings 

License system settings 

Log File Manager system settings 

Network system settings 

Network Protection system settings 

Port Forwarding system settings 

Proxies (HTTP(S), FTP, ICAP, and IM) system settings 

Quota system settings 


Table 7-4 List of sections on system settings 

Individual system settings are described under ... 

SNMP system settings 

Static Routes system settings 

Troubleshooting system settings — Information on these 

settings is provided under Enable the creation of core 

files and Enable the creation of connection tracing files. 

User Interface system settings 

Windows Domain Membership system settings 

Date and Time system settings 



The Date and Time system settings include settings for the time servers that synchronize date and time 

on the appliance, as well as for the time zone. 


Date and Time 

Settings for date and time on the appliance system 

Enable time synchronization with NTP servers — When selected, the appliance uses time servers 

under the NTP (Network Time Protocol) for time synchronization 

The system time of the appliance is then synchronized with the time on the NTP servers. This will fail, 

however, if the delta between both times is too big. It is therefore recommended that you restart the 

appliance after configuring time synchronization with NTP servers. When the appliance restarts, it sets 

system time to the time on the NTP servers. 

NTP Server List — List of servers used for time synchronization under the NTP protocol. 


Inline lists. 

Table 7-5 NTP Server List 


String Name of an NTP server 

Comment Plain-text comment on the NTP server 

Select time zone — List for selecting a time zone 

Time synchronization performed by the NTP servers or manually set time refer to the time zone that 

you select here. 

Set System Time Manually 

Settings for configuring time and date on the appliance system manually 

Current date and time — Elements for setting date and time on the appliance system. 

• (Date field) — For entering a date by typing it in the field or using a calendar 

• (Calendar icon) — Opens a calendar for selecting a date 

After selecting a date on the calendar and clicking OK, the date appears in the date field. 

• (Time field) — For typing a time 

Set now — Sets the date and time you have entered into the corresponding fields 


7 



DNS system settings 

The DNS system settings are settings for the domain name servers. The appliance uses these to 

retrieve the IP addresses that match the host names submitted in user requests. 


Domain Name Service Settings 

Settings for the IP addresses of different domain name servers 

Primary Domain Name Server — IP address of the first server 

Secondary Domain Name Server — IP address of the second server 

Tertiary Domain Name Server — IP address of the third server 

File Server system settings 

The File Server system settings are used for configuring dedicated file server ports on the appliance to 

enable, for example, the downloading of files by clients. 


HTTP Connector Port 

Settings for configuring dedicated file server ports on the appliance 

Enable dedicated file server port over HTTP — When selected, the dedicated HTTP file server ports 

configured below are enabled 

HTTP connector — Port number of the dedicated HTTP file server port 

You can enter more than one port number here, separating them by commas. The allowed range is 

1024 to 65335. 

Note: You can set up a port forwarding rule if you want to forward requests to ports 1-1023. 

Instead of entering a port number alone, you can enter it with an IP address. This means connecting to 

the appliance over this port is only allowed when using the specified address. 

For example: 

An appliance has two interfaces with IP addresses as follows: 

eth0: 192.168.0.10, eth1: 10.149.110.10 

You enter the following under HTTP connector: 

4711, 192.168.0.10:4722 

Then connecting to the appliance over port 4711 is allowed using both IP addresses, whereas 

connecting over port 4722 requires that IP address 192.168.0.10 is used. 

Note: Restricting connections in the latter way can be used for setting up an intranet. 

Enable dedicated file server port over HTTPS — When selected, a dedicated HTTPS file server port 

is enabled 

HTTPS connector — Port number of the dedicated HTTPS file server port 


1024 to 65335. 

Entering an IP address with a port number can be done in the same way as for the HTTP connector and 

has the same meaning. 


For more information on port forwarding rules, see Port Forwarding system settings. 


License system settings 



The License system settings are used to import a license for the appliance. Information on the license is 

also displayed with these settings. 


License administration 

Settings for importing a license and reviewing license information 

Import License 

Provides items for importing a license 

License file — Input field for entering the name of a license file 

You can type a file name here or use the Browse button and select an appropriate file. 

Browse — Opens the file manager on your system to let you browse to a license file 

Activate — Activates the license specified in the input field 

Note: The Activate button is grayed out as long as you have not entered a file name in the input field. 

License information 

Displays information on the license that is currently in use on the appliance 

The following table explains this information. 

Table 7-6 License information 


Status Status of a license 

Creation Date when the license was created 

Expiration Date when the license expires 

License ID Numerical value that identifies the license 

Customer Name of the license owner 

Seats Number of workplaces in the owner’s company that the license is valid for 

Evaluation Information whether the license has been evaluated 

Network system settings 

The Network system settings are used for configuring the network interfaces of the appliance. 


Network Interface Settings 

Settings for configuring network interfaces 

Host name — Name of the appliance 

Enable these network interfaces — List of network interfaces that can be enabled or disabled 

IPv4 — Tab for configuring network interfaces under version 4 of the Internet Protocol 


7 



The following table describes this tab. 

Table 7-7 IPv4 tab 


IP settings List for selecting a method of configuring an IP address for a network interface 

• Obtain automatically (DHCP) — The IP address is automatically obtained, using the 

Dynamic Network Host Protocol (DHCP). 

• Configure manually — The IP address is configured manually, using the input fields 

below. 

Note: If this option is not selected, the input fields are grayed out. 

• Disable IPv4 — Version 4 of the Internet Protocol is not used for this interface. 

IP address IP address of the network interface (manually configured) 

Subnet mask Subnet mask of the network interface (manually configured) 

Default route Default route for web traffic using the network interface (manually configured) 

MTU Maximum number of bytes in a single transmission unit 

IP aliases List of aliases for the IP address 

• Add alias — Opens the Input window for adding an alias 

• Delete — Deletes a selected alias 

IPv6 — Tab for configuring network interfaces under version 6 of the Internet Protocol 


Table 7-8 IPv6 tab 


IP settings List for selecting a method of configuring an IP address for a network interface 

• Obtain automatically (DHCP) — The IP adress is automatically obtained, using the 

Dynamic Network Host Protocol (DHCP). 

• Solicit from router — The IP address is obtained by a router. 

• Configure manually — The IP address is configured manually using the input fields 

below. 

Note: If this option is not selected, the input fields are grayed out. 

• Disable IPv6 — Version 6 of the Internet Protocol is not used for this interface. 

IP address, subnet These items have the same meanings as on the IPv4 tab, see above. 

mask, and so on 

Advanced — Tab for configuring additional media and a bridge for a network interface 


Table 7-9 Advanced tab 

Options Definition 

Media List for selecting additional media for use with the network interface 

• Automatically detect — Media for use with the network interface are automatically 

detected if available in the network environment of the appliance. 

• 1000BaseT-FD, 1000Base-HD, ... — The selected media item is used with the 

network interface. 

Bridge enabled When selected, web traffic is routed through the network interface in transparent bridge 

mode 

• Name — Name of the transparent bridge 


Network Protection system settings 



The Network Protection system settings are used to configure a default policy for handling traffic that 

comes in to the appliance system from the network and exceptions to the default policy. 


Network Protection Rules 

Settings for handling incoming traffic to protect the appliance system 

Enable network protection — When selected, the settings configured in the following for network 

protection are enabled 

Input policy — List for selecting the action taken on incoming traffic 

Incoming traffic can either be dropped or accepted. 

Allow Ping requests — When selected, the appliance accepts and answers Ping requests. 

Exceptions from default policy — List of network devices that send traffic to the appliance system 

Traffic from these devices is not handled according to the configured input policy. When this policy 

drops incoming traffic, traffic sent from the devices listed here is accepted and vice versa. 


Inline lists. 

Table 7-10 Network devices list 


Device Name of a network device that sends traffic to the appliance system 

* or no entry means all devices are covered. 

Protocol Protocol used for sending traffic 

Source IP address or address range of the network device or devices that send traffic to the 

appliance system 

Destination port Port on the appliance that is the destination of network traffic 

Comment Plain-text comment on the network device 

Port Forwarding system settings 

The Port Forwarding system settings are used for configuring rules to let the appliance direct web traffic 

sent from a particular port on a particular host to another host and port. 


Port Forwarding 

Settings for configuring port forwarding rules 

Port forwarding rules — List of port forwarding rules 


Inline lists. 

Table 7-11 Elements of an entry in the Port Forwarding Rules list 


Source Host IP address of the host that is the source of web traffic in a port forwarding rule 

Source Port Port used on this host for outgoing web traffic 

Destination Host IP address of the host that web traffic from the source host should be directed to 

Destination Port Port used on this host for web traffic coming in from the source host and port 

Comment Plain-text comment on the port forwarding rule 


7 



Static Routes system settings 

The Static Routes system settings are for configuring routes that always use the same gateway and 

interface on this gateway when web traffic is routed from the appliance to a particular host. 


Static routes 

Settings for configuring static routes 

Static Routes List — List of static routes used under version 4 of the Internet Protocol 


Inline lists. 

Table 7-12 Static Routes List 


Destination IP address and (optionally) netmask of the host that is the destination for a static route 

Gateway IP address of the gateway for routing web traffic from the appliance to this host 

Device Interface used on this gateway for the static route 

Description Plain-text description of the static route 

Comment Plain-text comment on the static route 

Static Routes List (IPv6) — List of static routes used under version 6 of the Internet Protocol 

The elements of the entries in this list have the same meanings as under version 4, see above. 

User Interface system settings 

The User Interface system settings are used for configuring the ports of the local user interface on the 

appliance and for configuring a session timeout. 


HTTP Connector Port 

Settings for configuring the user interface on the appliance 

Enable local user interface over HTTP — When selected, you can connect to the user interface using 

the HTTP protocol 

HTTP connector — Port for connecting to the user interface under HTTP 

You can enter more than one port number here, separated by commas. The allowed range is 1024 to 

65335. 

Note: If you want to use a port with a number from 1 to 1023, you can set up a port forwarding rule that 

forwards requests from the port configured here to one of these. 


the user interface over this port is only allowed when using the specified address. 

Enable local user interface over HTTPS — When selected, you can connect to the user interface 

using the HTTPS protocol 

HTTPS connector — Port for connecting to the user interface under HTTPS 


1024 to 65335. 



the user interface over this port is only allowed when using the specified address. 




Session timeout — Time (in minutes) to elapse before a session on the user interface is closed if no 

activities occur 

The allowed range is 1 to 9999. 

For more information on port forwarding rules, see Port Forwarding system settings. 

Login Page Options 

Settings for the page used to log on to the appliance 

Allow browser to save login credentials — When selected, credentials submitted by a user for 

logging on to the appliance are saved by the browser 

Restrict browser session to IP address of user — When selected, a session for working with the 

user interface is only valid as long as the IP address of the client that the user started this session from 

remains the same 

Let user decide to restrict session for IP address or not — When selected, it is up to the user who 

started a session for working with the user interface whether it should be valid only for the IP address 

of the client that the session was started from 

User Interface Certificate 

Settings for a certificate used in SSL-secured communication through the HTTPs appliance port 

Subject, Issuer, Validity, Extensions — Information on the certificate that is currently in use 

Import — Opens the Import Certificate Authority window for importing a new certificate 

Certificate chain — Displays a certificate chain that is imported with a certificate 

For more information on the window used for importing a certificate, see Import Certificate Authority 

window. 

Import Certificate Authority window 

Settings for importing a certificate that is used in SSL-secured communication 

Certificate — Input field for entering the name of a certificate file 

The file name can be entered manually or by using the Browse button in the same line. 

Browse — Opens the local file manager to let you browse for and select a certificate file 

Private key — Input field for entering the name of a private key file 

The file name can be entered manually or by using the Browse butting in the same line. 

Note: Only keys that are AES-128-bit encrypted or unencrypted keys can be used here. 

Browse — Opens the local file manager to let you browse for and select a private key file 

Password — Input field for entering a password that allows the use of a private key. 

Import — Opens the Import Certificate Authority window for importing a new certificate 

OK — Starts the import process for the specified certificate 

Certificate chain — Input field for entering the name of a certificate chain file 

The file name can be entered manually or by using the Browse butting in the same line. 

Browse — Opens the local file manager to let you browse for and select a certificate chain file 

Note: After importing a certificate with a certificate chain, the certificate chain is displayed in the Certificate 

chain field of the User Interface Certificate settings. 


7 

System files 


System files 

You can edit the system files of the appliance with a file editor. This section tells you how to work with 

this editor. 

File Editor tab 

Use the File Editor tab to edit system files on the appliance. It is selected from the Configuration 


Appliances — 

System 

files — 

Figure 7-2 File Editor tab 


• Appliances — Tree structure of appliances that can be administered from this appliance 

• System files — Tree structure of system files for an appliance 

• Toolbar — Items for editing a system file 

• File text — Text of the currently selected system file 

File Editor toolbar 

The following table describes the options of the File Editor toolbar: 

Table 7-13 File Editor tool bar 


Edit Opens a menu with editing options 

• Cut Cuts out selected text 

• Copy Copies selected text 

• Paste Pastes copied or cut-out text. 

• Delete Deletes selected text 


— Toolbar 

— File 

text


Table 7-13 File Editor tool bar (continued) 


• Select All Selects the complete text 

Discard Changes Discards text changes 

A window opens to let you confirm the discarding. 


Database updates 7 

Information retrieved from external databases for use in the filtering process needs to be updated on 

the appliance from time to time. This section tells you how you can schedule automatic updates and 

also how to update this information manually. 

Web objects are filtered on the appliance in a rule-based process. The filtering rules need information 

on these objects before they can trigger actions, such as blocking access to an object or allowing it. 

They rely for this information on special modules. 

For example, a virus and malware filtering rule relies on the Antivirus module (or engine) to find out 

whether an object is virus-infected, or a URL filtering rules relies on the URL Filter module for URL 

category information. 

The modules retrieve this information, for example, virus signatures stored in DAT files, from external 

databases. The database updates on the appliance are updates of this information. 

You can update database information on the appliance using different methods. 

• Manual engine update — You can manually update database information for the modules of the 

appliance you are currently logged on to. 

If you are running multiple appliances and use Central Management functions to administer them, 

this manual update applies also to all appliances that you have included as nodes in this Central 

Management configuration. 

• Automatic engine update — You can also configure automatic updates in regular intervals for the 

modules of the appliance you are currently logged on to. These updates can retrieve information: 

• From the internet — Information is then downloaded from the relevant external databases. 

Note: Database information is updated in this way immediately after the initial setup of an appliance. 

• From other nodes in a Central Management configuration — Information is then downloaded 

from these nodes. For every node, you can in turn configure whether uploading linformation from 

it to other nodes is allowed. 

You can configure these updates when you set up the Central Management configuration, 

specifying for each node how it should behave regarding automatic updates. 

Update database information manually 

This section tells you how update database information manually. The update applies to the modules of 

the appliance you are logged on to and to those of other appliances if you have included them in a 

Central Management configuration. 

Complete the following procedure to update database information manually: 


2 On the appliances toolbar, click Manual Engine Update. The update is performed. 


7 



Schedule automatic engine updates 

This section tells you how to schedule automatic updates of database information for the modules of 


If you want to run multiple appliances in a central management configuration, you can schedule these 

updates when you set up the configuration. 

Complete the following procedure to schedule automatic engine updates: 


2 On the appliances tree, navigate to the appliance you want to schedule automatic updates for and 

select Central Management Configuration. 

3 Scroll down to Automatic Engine Updates and configure update settings as needed. 

• Enabling of automatic updates — To make sure updates can happen automatically on an 

appliance at all 

• Sources of the updates — These can be external databases on the internet. In a Central 

Management configuration, these can also be other nodes. 

• Update intervals — With a special setting for updating certificate revocation lists (CRLs) 

• Use of update proxies — To enable a fail-over when systems become unavailable 

• Advanced update settings — For the upload of updated information from one node to others in 

a Central Management configuration and other functions 


Automatic Engine Updates system settings 

The Automatic Engine Updates settings are for scheduling automatic updates of database information 

for modules used in the filtering process. 


Enable automatic updates — When selected, database information is automatically updated 

Allow to download updates from the internet — When selected, database updates are 

downloaded from the internet 

Allow to download updates from other nodes — When selected, database updates are 

downloaded from other nodes in a Central Management configuration 

Update interval — Time (in minutes) to elapse before database information is again updated 

The time is set on a slider scale. 

Note: The range of allowed values is 15 to 360. 

CRL update interval — Time (in hours) to elapse before certificate revocation lists used in filtering 

SSL-secured web traffic are updated 

This update uses a method that differs from those of other updates and must therefore be configured 

separately. 

The time is set on a slider scale. 


Enable update proxies — When selected, proxy servers are used for routing updated database 

information 



Database updates 7 

Update proxies (fail over) — List of proxy servers used for routing updated database information 

The proxy servers are used in fail-over mode. The first server on the list is tried first and only if the 

configured timeout has elapsed is the next server tried. 


Inline lists. 

Table 7-14 Update Proxies list 


Host Host name or IP address of the server that is used as proxy for routing updates 

Port Port on the proxy that listens for update requests 

User User name of the user who is authorized to request updates that use the proxy 

Password Password of this user 

Comment Plain-text comment on the proxy 


Settings for advanced update functions 

Allow to upload updates to other nodes — When selected, updated database information can be 

uploaded from the appliance (as a a node in a central management configuration) to other nodes 

The first time an update starts, it should wait an appropriate time before starting — Time (in 

seconds) to elapse before an update is started 


The first time an automatic update starts, it uses the startup interval to update — Time (in 

seconds) to elapse between attempts to start an automatic update for the first time 

During an update, the coordinator subsystem, which stores updated information on the appliance, tries 

to connect to the appliance core, where the modules reside that use this information. A low value for 

this interval can therefore speed up updates because it reduces the time the coordinator might have to 

wait until the core is ready to receive data. 


Try to update with start interval — Maximum number of attempts (1 to 9) the appliance makes 

when trying to start an update 

Use alternative URL — URL of an update server that is used instead of the default server 

Verify SSL tunnel — When selected, an option to “tunnel” SSL-secured web traffic is used for updates 


7 




You can set up multiple appliances within your network and run them as nodes in a central 

management configuration. This section explains how to configure settings for a configuration of this 

type. 

As nodes in a central management configuration, the appliances have the following connections: 

• Each of the appliances has clients that direct their web traffic to it. 

• Appliances are joined in appliance groups that allow, for example, updates from one appliance to 

others. An appliance can be a member of different groups at the same time. 

After setting up an appliance, you can configure central management settings for it. You can then add 

other appliances that you want to be in the same group to the configuration. After adding an appliance, 

you can view and configure its system settings on the user interface of the appliance that the other 

appliance was added to. 

The following diagram shows a group of appliances in a central management configuration. 

Figure 7-3 Central management configuration 


Configure central management settings 

You can run multiple appliances in a central management configuration. 

To configure central management settings for an appliance: 



Central management 7 

2 On the appliances tree, go to the appliance you want to configure central management settings for 

and select Central Management Configuration. 

3 Configure these settings as needed. They include: 

• Communication parameters — The IP address used for communication with other nodes, a 

timeout, and the maximum number of retries 

• Group membership — The group or groups that an appliance belongs to 

• Update schedules — Methods and intervals for database updates 

• Advanced settings — For storing configuration data and other functions 


For more information, see Central Management system settings. 

Add an appliance to a central management configuration 

When administering a central management configuration, you can add appliances and run them as 

members of the same group. 

To add an appliance: 


2 On the appliances toolbar, click Add. The Add Appliance window opens. 

3 Configure settings for the appliance: 

• Host name or IP — Of the added appliance 

• Network group — Group that the appliance belongs to (selected from a list) 

4 Click OK. The new appliance appears on the appliances tree. 



7 



Central Management system settings 

The Central management system settings are used for configuring an appliance as a node in a central 

management configuration. 


Central Management Settings 

Settings for a node in a central management configuration 

IP addresses for central management communication — List of IP addresses of the node 


Inline lists. 

Table 7-15 IP address list 


String String for an IP address of the appliance when it is a node in a central management 

configuration 

Comment Plain-text comment on a IP address 

Timeout for distributing messages to other nodes — Time (10 to 600 seconds) to elapse before 

the node makes the next attempt to send a message to another node that has not yet responded 


Advanced Management Settings 

Settings for advanced central management functions 

Multiplier for timeout when distributing over multiple nodes — Factor to increase the time 

interval that has been configured under Timeout for distributing messages to other nodes in the Central 

Management Settings section. 

The interval can be increased by a value ranging from 1 to 2. 

The value is set on a slider scale. 

Attempts made for each address of another node to distribute messages — Maximum number 

of attempts (1 to 5) the node makes when trying to reach another node under a particular IP address 

that has not yet responded 

The number is set on a slider scale. 

Node priority — Priority (ranging from 1 to 100) that the node takes within the configuration. The 

highest priority is 1. 

When you add a node to a group of nodes in a Central Management configuration, the nodes that have 

a lower priority (a higher value) and are allowed to receive configuration settings from other nodes 

receive new settings from this node. 

Note: If this is not your intention, you should make sure the nodes that you add have the same priority as the 

already existing nodes. In this case, the most recent configuration settings are distributed, either from the 

newly added node to the existing nodes or from the node with the most recent settings in the group to the 

new node. 


Allow a GUI server to attach to this node — When selected, a server providing an additional user 

interface for the appliance is allowed to connect to the node 

Allow to attach a GUI server from non-local host — When selected, a server with an additional 

user interface that is not running within your network is allowed to connect to the node 

GUI control address — IP address and port number of the server that provides an additional user 

interface 

GUI request address — IP address and port number of this server used when sending requests to it 




Contact other nodes unencrypted — When selected, messages sent from this node to other nodes 

in the configuration are not encrypted 

Enable IP checking for other nodes — When selected, the IP address can be verified when 

messages are sent from this node to other nodes in the configuration 

Multiplier for timeout when distributing over multiple nodes — Time (10 to 600 seconds) to 

elapse before the node makes the next attempt to send a message to another node that has not yet 

responded 

Allowed time difference — Difference in time (10 to 600 seconds) allowed for an update 

The seconds are set on a slider scale. 

Enable version checking for other nodes — When selected, the version of an update that is 

distributed to other nodes can be verified 

This way updates that are already implemented on a node can be avoided. 

• Level of version check — Level of thoroughness when verifying the version of an update 

Verification levels range from 1 (very relaxed: only the major version number must match) to 6 

(very strict: the build number must also match) 

The level is set on a slider scale. 

This Node is a Member of the Following Groups 

Settings for including a node in a group of nodes 

Group runtime — Group of the node, in which runtime data can be shared with all nodes of the group, 

for example, the amount of quota time or volume 

Group update — Group of the node, in which updates can be shared with all nodes of the group 

Group network — Group of the node, in which it can immediately connect to all other nodes of the 

group 

A node can be a member of more than one network group. In this case, the nodes of one group that a 

node is a member of can connect through this node to nodes of another group that this node is also a 

member of. 

All groups that a node is a member of are listed here. 


Inline lists. 

Table 7-16 Group Network list 


String String for the name of a group of nodes 

Comment Plain-text comment on the group 

Automatic Engine Updates 

Settings for automatically updating database information for special appliance modules 

For more information, see Automatic Engine Updates system settings. 


7 



Handle Stored Configuration Files 

Settings for storing configuration file folders on disk 

Keep saved configuration folders for a minimal time — Time (1 to 365 days) that configuration 

file folders are at least stored on disk 

Keep minimal number of configuration folders — Number of configuration file folders (1 to 100) 

that are at least stored on disk at any time 

Keep minimal number of packed folders — Number of packed configuration file folders (1 to 100) 

that are at least stored on disk at any time 

Note: Configuration folders are packed when the minimal time configured for storing them on disk has 

elapsed and the minimal number of folders stored on disk at any time would be exceeded if they were stored 

unpacked any longer. 

Advanced Scheduled Jobs 

Settings for scheduled jobs 

Job list — List of scheduled jobs on an appliance 


For information on how to create a scheduled job and add it to the job list, see Add a scheduled job. 

For general information on maintaining a list of this type, see Inline lists. 

Table 7-17 List of scheduled jobs 


Start job Time setting for starting a scheduled job, for example, hourly, daily, once 

Start job immediately Information on whether a scheduled job is started immediately if this has not 

if it was not started at 

its original schedule 

happened according to the originally configured schedule 

Job Type of job, for example, Backup Configuration or Upload File 

Unique Job ID ID of a scheduled job 

When this job has 

finished run job with 

ID 

ID of a job that is run immediately after this job 

Comment Plain-text comment on a scheduled job 

Add a scheduled job 

You can add scheduled jobs to a list on the appliance to have them executed according to a time 

schedule that you configure. Scheduled jobs include creating a backup configuration, uploading a file, 

and other activities. This section tells you how to add such a job to the job list. 

To add a scheduled job: 


2 On the appliances tree, go to the appliance you want to configure a scheduled job for and select 

Central Management Configuration. 

3 On the settings pane, click Advanced Scheduled Jobs. The scheduled jobs list appears. 

4 On the toolbar above the list, click Add. The Add Scheduled Job window opens. 

5 Configure settings for the scheduled job. 

6 Click OK. The window closes and the new scheduled job appears on the job list. 


For information on the scheduled job settings, see Scheduled job settings. 


Scheduled job settings 

This section describes the settings for adding or editing a scheduled job. 

Time Settings 

Settings for configuring the time when a scheduled job is started 

Start job — List for selecting the time setting 

• Hourly — Starts a scheduled job every hour 

• Daily — Starts a scheduled job once on a day 

• Weekly — Starts a scheduled job once in a week 

• Monthly — Starts a scheduled job once in a month 

• Once — Starts a scheduled job only once 



• Activated by other job — Starts a scheduled job after another job has been completed 

(Time parameter settings) — Settings specifying the parameters for the time setting, for example, the 

minute in an hour when a job scheduled for hourly execution should be started 

Note: Which time parameter settings are available depends on the selected time setting. For example, if you 

have selected Hourly, you can configure the minute in an hour, but not a day or week. 

• Minute — Minute in an hour 

• Hour — Hour on a day 

• Day of month — Day in a month 

• Enter day of week — List for selecting a day in the week 

• Month — Month in a year (specified by a number from 1 to 12) 

• Year — Year (four digits) 

Start job immediately if it was not started at its original schedule — When selected, a 

scheduled job is started immediately if this has not happened according to the originally configured 

schedule 

This can be the case, for example, when an appliance is temporarily shut down due to overload and a 

job was scheduled to run during this downtime. The job is then executed as soon as the appliance is up 

again. 

Job Settings 

Settings for configuring the type and ID of a scheduled job 

Job — List for selecting the type of a scheduled job 

• Backup configuration — Creates a backup of an appliance configuration 

• Restore backup — Restores a backup of an appliance configuration 

• Upload file — Uploads a file to an external server using the HTTP or HTTPS protocol 

• Download file — Downloads a file onto the appliance using the HTTP or HTTPS protocol 

• Yum update — Performs a yum update on an appliance configuration. 

Note: This scheduled job type is not available when an appliance runs in a FIPS-compliant mode. 

Unique job ID — String that uniquely identifies a scheduled job 

Note: The characters specified in this string are case-sensitive. 

Job description — Optional description of a scheduled job in plain-text format 


7 



When this job has finished run job with ID — ID of a scheduled job that is to run immediately 

after the job configured here has finished 

Note: You must have configured the Activated by other job time setting for the job that runs immediately 

after. 

Execute job on remote node — List for selecting other nodes to execute a scheduled job when an 

appliance is a node in a central management configuration 

The list displays the host names of the other appliances that are nodes within the same central 

management configuration. The scheduled job that you configure on this appliance is executed with its 

time and parameter settings on the selected node or nodes. 

A message is sent to the other node or nodes to inform them about the scheduled job. 

Parameter Settings 

Settings for configuring more parameters of a scheduled job 

These settings differ for each job type you have selected under Job Settings. However, for a scheduled 

job that performs a yum update there are no additional parameter settings. 

Backup configuration parameter settings 

Settings for configuring a scheduled job that creates a backup of an appliance configuration 

Use most recent configuration — When selected, the scheduled job creates a backup from the most 

recent appliance configuration 

Backup configuration path — Name of the path to the folder where the configuration that should be 

used for the backup is stored 

Format: /opt/mwg/storage/default/configfolder 

Note: This setting is only available if Use most recent configuration is deselected. 

Save configuration to path — Path and file name for the backup configuration 

Format: // 

Note: You must set user rights for the folder you want to store the backup configuration in, making the 

McAfee Web Gateway appliance the owner who is allowed to write data into the folder. 

On the command line provided, for example, by a serial console, run the appropriate commands to create a 

folder or change the rights for an existing folder. 

Restore backup parameter settings 

Settings for configuring a scheduled job that restores a backup of an appliance configuration 

Restore backup from file — Path and file name for the configuration file that should be used to 

restore a backup 

Format: // 

Only restore policy — When selected, a scheduled job backs up only settings related to the web 

security policy that was implemented on an appliance 

Settings needed for connecting an appliance to a network, such as the UUID or IP address, are not 

restored. 

Lock storage during restore — When selected, no other files can be stored on the appliance until the 

scheduled job has completely restored the backup configuration 

Upload file parameter settings 

Settings for configuring a scheduled job that uploads a file to an external server using the HTTP or 

HTTPS protocol 

File to upload — Path and file name for a file that should be uploaded 

Format: // 

Destination to upload file to — Path name to the server that a file should be uploaded to under the 

HTTP or HTTPS protocol and file name for storing the file on the server 




Format: http | https: /// 

Enable basic authentication — When selected, basic authentication is required for uploading a file to 

a destination server 

User name — User name submitted for basic authentication 

Note: This setting is only available if Enable basic authentication is selected. 

Password — Password submitted for basic authentication 

Set — Opens the New Password window for setting a password 

When a password has been set, the Set button is replaced by a Change button, which opens the New 

Password window for changing a password. 


Download file parameter settings 

Settings for configuring a scheduled job that downloads a file to the appliance using the HTTP or HTTPS 

protocol 

URL to download — URL for the location of a file that should be downloaded under the HTTP or HTTPS 

protocol and name of the file 

Format: http | https: /// 

Save downloaded file to — Path to the location where a downloaded file should be stored and file 

name for storing the file 

Format: // 

Enable basic authentication — When selected, basic authentication is required for downloading a file 

from a location 

User name — User name submitted for basic authentication 


Password — Password submitted for basic authentication 

Set — Opens the New Password window for setting a password 

When a password has been set, the Set button is replaced by a Change button, which opens the New 

Password window for changing a password. 


Comment 

Optional comment on a scheduled job in plain-text format 


7 




8 Monitoring 

Contents 

Monitoring the appliance 

Dashboard 

Logging 

Performance measurement 

Transferring data to an ePO server 

Event monitoring with SNMP 

Error handling 

Monitoring the appliance 

You can monitor the McAfee Web Gateway appliance when it executes the filtering functions that 

ensure web security for your network. The sections in this chapter provide on overview of this 

monitoring, tell you how to access the dashboard, and explain how to use logging and other functions 

for monitoring purposes. 

Monitoring functions 

This section gives an overview of the monitoring functions that are available on the appliance. 

• Dashboard — The user interface provides a dashboard, where you can view information on web 

usage, filtering activities, and system behavior. 

• Logging — The appliance provides two default logs for storing log files. Entries in these files are 

written by rules in corresponding rule sets. You can configure the handling of these log files, such as 

rotation, deletion, and pushing. Other log files are not maintained by rules. 

The default rule-based logs are: 

• Access log — Records requests for access to the web received on the appliance 

• Viruses Found log — Records viruses and other malware that infected requested objects 

• Monitoring with external devices — You can transfer information on the appliance status to a 

server that has McAfee ePolicy Orchestrator (ePO) software installed and monitor events on the 

appliance with an agent application under the SNMP protocol. 

Troubleshooting functions 

When problems arise in working with the appliance, you might want to take troubleshooting measures. 

Monitoring what has happened in a problem situation can be one of the means for troubleshooting. 

The user interface provides a Troubleshooting top-level menu, which also includes some monitoring 

functions. 


8 

Dashboard 

Monitoring 

Dashboard 

For more information, see Troubleshooting. 

The dashboard on the user interface of the appliance allows you to monitor key events and parameters, 

such as alerts, filtering activities, status, web usage, and system behavior. If the appliance is a node in 

a central management configuration, statuses and alerts are also shown for the other appliances. 

This section tells you how to access the dashboard and gives an overview of the information it provides. 

Access the dashboard 

To access the dashboard: 

1 Select the Dashboard top-level menu. 

2 Select one of the following two tabs: 

• Alerts — Shows status and alerts 

• Charts and Tables — Shows web usage, filtering activities, and system behavior 

Alerts tab 

The Alerts tab displays information on the status and alerts for the appliance and, in case the appliance 

is a node in a central management configuration, also of the other appliances. 

View status and alerts information 

To view the information shown on the Alerts tab: 

1 Go to Dashboard | Alerts. 

2 [Optional] Refresh the alerts information that is provided on the lower part of the tab in one of the 

following ways: 

• Automatic refresh — Select or deselect this checkbox for an automatic refresh after a given 

period of time. 

Note: This option is selected by default. 

• Refresh now — Click this button for an immediate refresh. 


Monitoring 

Dashboard 8 

Overview of status information 

Information about the status of appliances is provided under Appliances Status on the Alerts tab of the 

dashboard. The following table provides an overview of this information. 

Table 8-1 Overview of status information 

Information Description 

Appliance Basic appliance information: 

• Name — Name of an appliance 

Performance Key performance parameters: 

• Alert peaks, seven last days — Most severe alert on an appliance for each of 

the last seven days 

A colored field is displayed for each day (right-most field is today): 

• Gray — No alert during the day 

• Green — Most severe alert during the day was an information 

• Yellow — Most severe alert during the day was a warning 

• Red — Most severe alert during the day was an error 

• Requests per second — Diagram showing how number of web requests in 

HTTP and HTTPS mode received on the appliance evolved over the last 30 

minutes 

The value to the right of the diagram is the average number of requests per 

second over the last ten minutes. 

McAfee Anti-Malware Versions Update and version information for virus and malware filtering modules: 

• Last update — Number of minutes since the appliance modules related to 

virus and malware filtering were last updated 

• Gateway Engine — Version number of the McAfee Gateway Anti-Malware 

engine 

• Proactive Database — Version number of the Proactive Database 

• Engine — Version number of the McAfee Anti-Malware engine 

• DATs — Version number of the DAT files (containing virus signatures) 

URL Filter Update and version information URL filtering module: 

• Last update — Number of days since the appliance module for URL filtering 

was last updated 

• Version — Version number of the URL filtering module 


8 

Monitoring 

Dashboard 

Filtering alerts information 

Information about alerts on an appliance is provided under Alerts on the Alerts tab of the dashboard. 

You can filter the information that is displayed using several filters. The following table explains these 

filters. 

Table 8-2 Items for filtering alerts information 


Appliance Filter Filters alerts according to the appliances they occurred on 

Click the button to display a window for selecting the appliances you want to 

view alerts for. 

The filter applies as soon as you close the window. 

Date Filter Filters alerts according to the period of time they occurred in 

Click the button to display a drop-down menu for selecting the time period you 

want to view alerts for. 

The filter applies as soon as you close the menu. 

You can select one of the following: 

• All 

• Today 

• Yesterday 

• Last week 

• Custom 

Under the Custom option, you can set a start and end date on two calendars 

and type a start and end time in two filter fields. The time format is 

hh:mm:ss, using the 24-hours notation, for example, 1 p. m. is 13:00:00. 

When an appliance is a node in a central management configuration and you 

have selected several nodes of this configuration in the Appliance Filter, alerts 

are shown for all nodes. They are shown, however, according to the date and 

time of the user interface you are working with on a particular node to set the 

Date Filter. 

For example, you select Today in the Date Filter on a node in Amsterdam at 

7 p. m. local time. This means all alerts that occurred during the last 19 hours 

are shown. For a node in New York, local time is 1 p. m. at the time you set the 

filter. 

Alerts that occurred on the New York node are then shown for the last 19 hours, 

not for the last 13 hours, which would correspond to what Today is for the New 

York node. 

Message Filter Filters alerts according to alert message types and strings within the message 

texts 

The filter applies as soon as you have set the filter options. 

Set these options in the following way: 

• Error, Warning, Information — Select the alert message type you want to 

view or any combination of types. 

• Filter — Optionally type a filtering term into this field. Only alerts with 

message texts matching this term and the selected type or types are shown. 

Note: The search for matching terms is performed on alert entries as they 

are stored in an internal database on the appliance, not as they appear on 

the user interface. 


When alerts appear on the user interface, the alert message text can include 

additional parts. For example, the word origin is added to the name of the 

component that is the origin of an alert. You can, however, not use origin or 

other added terms to filter alerts.

Charts and Tables tab 

Monitoring 

Dashboard 8 

The Charts and Tables tab displays statistical data on web usage, filtering activities, and system 

behavior of the appliance and, in case the appliance is a member in a central management 

configuration, also of the other appliances. 

View charts and tables information 

To view the information shown on the Chart and Tables tab: 

1 Go to Dashboard | Charts and Tables. 

2 From the Appliance drop-downlist, select the appliance you want to view chart and tables 

information for. 

3 [Optional] Click Update to ensure you see the latest information. 

4 From the list on the navigation pane, select the information you want to view, for example Web Traffic 

Summary. 

Display options 

You have several options for displaying the information on the Charts and Tables tab, depending on the 

type of information that is provided. 

There are the following types of information: 

• Evolving data — Shows how particular parameters evolved over a selected time interval 

For example, you can view how the number of blocked or allowed URL requests evolved over a 

selected time interval. 

• Top scores — Shows top numbers for activities or byte volumes related to key items of the filtering 

process up to the moment when you view them 

What you see then is these numbers, but not how they evolved over time. 

For example, you can view the URL categories that have been most often requested. Or you can 

view media types ranked according to the volumes transferred when web objects of these types 

were downloaded. 

Note: The maximum number of items stored on the appliance for presenting top scores at a given point in 

time is 1500. When this number is exceeded, items that have the lowest occurence or byte volumes are 

removed. 

• Other information — Shows other information presented on tables 

For example, you can view the current versions of key modules on the appliance such as the 

Anti-Malware module or the URL Filter module. 


8 

Monitoring 

Dashboard 

The following table explains the display options for evolving data and top scores. For the tables that 

show other information, there are no particular display options. 

Table 8-3 Options for displaying information on the Charts and Tables tab 


For evolving data 

Show last Drop-down list for selecting a time interval: 1 hour | 3 hours | ... | 1 year 

Resolution Displays the time unit used for the diagram that shows the evolution of a parameter over 

the selected interval 

Resolution varies with the interval. 

For example, when 1 hour is selected, the diagram uses 1 minute as the time unit, when 

1 year is selected, the diagram uses 1 day. 

View Drop-down menu for selecting: 

• Display mode: Line | Stacked 

• Average values 

Refreshes the view 

For top scores 

Top Drop-down list for selecting how many of the items with the highest scores are shown: 

10 | 25 | ... | 1000 

For example, the 25 URL categories that were most often requested can be shown. 

Refreshes the view 

Overview of charts and tables information 

The Charts and Tables tab displays statistical data on web usage, filtering activities, and system 

behavior. The following table provides an overview of this information. 

Table 8-4 Overview of charts and tables information 


Executive Summary 

URL Executive Summary Shows how numbers of requests evolved during the selected interval and sorts them 

into allowed (“good”) requests and requests blocked by filtering rules for viruses and 

other malware, URLs, and media types 

Categories by Hits Shows the URL categories that were requested most often within the interval 

selected for the summary 

Malwares by Hits Shows the virus and malware types that were requested most often within the 

interval selected for the summary 

System Summary 

Network Utilization Shows how numbers of requests sent and received evolved during the selected 

interval 

System Utilization Shows how usage of hard disk, CPU, physical memory of the appliance system, and 

the physical memories of the core and coordinator modules evolved during the 

selected interval 

Update Status Shows the versions of several modules and filter information files that are 

implemented on the appliances, for example, of the Gateway Antimalware engine or 

of the anti-malware signature files 

Last Update Shows when several modules of the appliance were last updated, for example, the 

URL Filter module 

Open Ports Lists the ports on the appliance that are currently listening to requests. 

WCCP Services Shows status of WCCP services used to redirect traffic to the appliance 

Active Proxy Connections Shows how numbers of connections evolved during the selected interval 

Web Traffic Summary 

Traffic per Protocol Shows how volumes of web traffic under the HTTP, HTTPS, and FTP protocols 

evolved during the selected interval 


Table 8-4 Overview of charts and tables information (continued) 

Monitoring 

Dashboard 8 


Requests per Protocol Shows how numbers of requests under the HTTP, HTTPS, and FTP protocols evolved 

during the selected interval 

ICAP Traffic Summary 

ICAP Traffic Shows how volumes of ICAP requests in REQMOD and RESPMOD modes evolved 


ICAP Requests Shows how numbers of ICAP requests in REQMOD and RESPMOD modes evolved 


IM Traffic Summary 

Instant Messaging Traffic Shows how volumes of instant messaging requests evolved during the selected 

interval for different services 

Instant Messaging Requests Shows how numbers of instant messaging requests evolved during the selected 


Instant Messaging Clients Shows how numbers of instant messaging clients evolved during the selected 


Traffic Volume 

Top-Level Domains by Bytes 

Transferred 

Top-Level Domains by 

Number of Requests 

Destinations by Bytes 

Transferred 

Destinations by Number of 

Requests 

Source IPs by Bytes 

Transferred 

Source IPs by Number of 

Requests 

Web Cache Statistics 

Lists the domains that were requested most according to the amount of bytes 

transferred from them 

Lists the domains that were requested most according to the number of requests for 

them 

Lists the destinations that were requested most according to the number of bytes 

transferred from them 

Lists the domains that were requested most according to the number of requests for 

them 

Lists the source IPs that most volume was transferred to 

Lists the source IPs that most requests were made from 

Web Cache Efficiency Shows how numbers of caching requests evolved during the selected interval and 

sorts them into hits and misses 

Web Cache Object Count Shows how numbers of objects in the cache evolved during the selected interval 

Web Cache Usage Shows how usage of the cache evolved during the selected interval 

Malware Statistics 

Malware URLs by Hits Lists the URLs infected by viruses and other malware that were most requested 

Malware by Hits Lists the malware types that most requests were made for 

URL Filter Statistics 

Category Shows how numbers of requested URL categories evolved during the selected 

interval 

Reputation Shows how numbers of requests evolved during the selected interval and sorts them 

according to the reputation of the requested URLs 

Categories by Hits Lists the URL categories that were most requested 

Sites Not Categorized by Hits Lists among the sites that are not categorized those that were most requested 

Malicious Sites by Hits Lists among the sites that were found to be infected those that were most requested 

Media Type Statistics 

Media Type Groups by Hits Shows how numbers of requested media type groups evolved during the selected 

interval and sorts the different types into audio files, images, and others 

Media Types by Bytes Lists the media types that were most requested according to the number of bytes 

transferred 

Media Types by Hits Lists the media types that were most requested according to the numbers of 

successful requests for them 


8 

Monitoring 

Dashboard 

Table 8-4 Overview of charts and tables information (continued) 


Certificate Statistics 

Certificate Incidents Shows how numbers of incidents evolved during the selected interval and sorts them 

according to the events that caused the incident, for example, expired certificates 

or common name mismatches 

System Details 

Network Utilization Shows how numbers of requests sent and received evolved during the selected 

interval 

CPU Utilization Shows how CPU usage evolved during the selected interval 

Memory Usage Shows how usage of memory evolved during the selected interval 

Swap Space (Virtual 

Memory) Usage 


Shows how usage of virtual memory evolved during the selected interval 

File System Utilization Shows how usage of the file system evolved during the selected interval 

File System Utilization Shows usage of the file system per partition 

Open TCP Ports Shows how numbers of open TCP ports evolved during the selected interval 

Authentication Statistics 

Authentication Requests Shows how numbers of requests processed remotely, locally, or found in the cache 

evolved under each authentication method during the selected interval 

Average Request Processing Shows how average processing time for requests sent to a server evolved under 

Time per Method in ms each authentication method during the selected interval 

Current Requests Report Shows numbers of requests, cache hits, and minimum, maximum, and average 

processing time for requests sent to a server 

Current Connection Status Shows the connections that are currently active under each authentication method 

Performance Information 

General Performance Shows how the processing time consumed on average for completing particular 

tasks evolved during the selected interval 

These tasks include performing a DNS lookup, connecting to a given web server, and 

the work done by the rule engine to process a request throughout all cycles. 

Note: When measuring the time consumed for DNS lookups, only lookups on 

external servers are considered. Cache lookups are disregarded. 

Detailed Performance Shows how the time consumed on average for processing a request throughout all 

cycles evolved during the selected interval 

Note: This performance information is only measured and displayed for web 

traffic that uses HTTP and HTTPS connections. 

The processing of a request throughout all cycles (request, response, and embedded 

object cycles) is considered to be one transaction. 

Average processing time is shown for complete transactions, but also for particular 

data transfers going on during a transaction: 

• First Byte Received from Client until First Byte Sent to Client – Shows the 

average processing time consumed between receiving the first byte from a client 

on the appliance and sending the first byte to this client within a transaction 

• Last Byte Received from Client until Last Byte Sent to Client – Shows the average 

processing time consumed between receiving the last byte received from a client 

on the appliance on and sending the last byte to this client within a transaction 

• First Byte Sent to Server until First Byte Received from Sever – Shows the 

average processing time consumed between sending the first byte from the 

appliance to a web server and receiving the first byte from this server within a 

transaction 

• Last Byte Sent to Server until Last Byte Received from Server – Shows the 

average processing time consumed between sending the last byte from the 

appliance to a web server and receiving the last byte from this server within a 

transaction

Logging 

Monitoring 

Logging 8 

Appliance behavior can be recorded in log files. This section describes the available log file types, 

explains their handling, and gives an example of configuring a log file to record found viruses. 

Log file types 

There are several types of log files on the appliance. They differ in the type of data that is recorded and 

in the way the recording is done. 

Log files that record the same kind of data are stored in a folder, which is called a log. 

System log files 

Some log files are maintained by the appliance system, which includes the operating system and 

several system-related services. For these log files, data is recorded by system functions. You can view 

these files on the user interface, but not edit or delete them. 

Note: When system log files are unreadable, they are not shown on the user interface. 

The files are also rotated in regular intervals by the system. There is no option for configuring this 

rotation. 

Module log files 

Another type of log file is maintained by particular modules of the appliance, such as the proxy or 

anti-malware module. Data for these log files is recorded by module functions. You can view these files 

on the user interface, but not edit or delete them. 

Rotation, deletion, and pushing of these files is handled by the Log File Manager, which you can 

configure settings for. The files are stored in subfolders that are located on the appliance under 

/opt/mwg/log. 

All files in these folders are handled by the Log File Manager, except those that have mwgResInfo as a 

part of their names. The folders with the following names are also not handled by the Log File Manager: 

cores, feedbacks, tcpdump, migration, system, ruleengine_tracing, connection_tracing, 

message_tracing. 

Logs for module log files include the following: 

• Audit log — Stores log files that record changes to the appliance configuration 

• Debug log — Stores log files that record debugging information 

• Migration log — Stores log files that record migration activities 

• MWG errors logs — Stores log files that record errors occurring in modules of the appliance 

There are separate errors logs for the core and coordinator subsystems, the Anti-Malware module, 

the user interface, and the system configuration daemon. 

• Update log — Stores log files that record updates of modules and files on the appliance 

Rule-based log files 

There are also log files that record data based on rules. The recording is executed by events that are 

triggered when these rules apply. For example, a rule triggers an event when an object that a user 

requested is infected by a virus. The triggered event writes an entry with information on the user, the 

infected object, date and time of the request, and so on, to the log file. 

You can edit the rules for this type of log files in the same way as any other rules. 

The following rule-based log files are provided on the appliance by default: 

• Access log — Stores log files that record requests and related information, including date and time, 

user name, requested object, infection of an object, blocking of an object 


8 

Monitoring 

Logging 

• Found viruses log — Stores log files that record the names of viruses and other malware that were 

found to infect requested objects 

The log also records date and time, user name, IP address of the client a request was sent from, 

requested URL. 

• Incident logs — A number of logs for storing log files that record incidents concerning various 

functions, such as licensing, monitoring, or updates 

To these default logs, you can add logs that you have created yourself. 

View log files 

The log files that exist on the appliance can be viewed on its user interface. 

To view log files on the appliance: 

1 Select the Troubleshooting top-level menu. 

2 On the appliances tree, go to the appliance you want to view log files for and select Log Files. A list 

of log file folders appears. 

3 Double-click the folder or subfolder with the log files you want to view. The folder opens to display its 

log files. 

4 Select the log file you want to view and, on the toolbar above the list, click View. 

Log file handling using rules 

When log files use rules, they have their entries written by events of those rules. If a logging rule 

applies, one event sets the parameter values that are recorded, another writes these values into a log 

file. The log for this file is specified by the settings of the write event. These settings include also 

options for configuring log file rotation, deletion, and pushing. 

So, when handling log files using rules, you need to take care of the following: 

• Logging rules — Rules including the criteria and events that write log file entries when the criteria 

are matched 

• Logging rule sets — Rule sets containing logging rules 

These rule sets are nested on the appliance in top-level rule sets known as log handlers. A Default 

log handler is provided after the initial setup. 

• Logging event settings — Settings that specify the log for the log files and measures, such as 

rotation, deletion, and pushing 

The log and the measures are handled by a particular module (or engine) on the appliance. By 

default, this is the File System Logging engine. 

If you want to use log files of your own, you need to configure all these items in an appropriate way. 

For more information, see Use self-configured log files. 


Sample logging rule 

Monitoring 

Logging 8 

This section explains a sample logging rule. The rule is taken from the Found Viruses Log rule set, 

which is provided on the appliance by default. 

Note: The rule is shown in a notation that comes close to the one used on the user interface. 

Name 

Write Found Viruses Log 

Criteria Action Events 

Antimalware.Infected equals true –> Continue — Set User-Defined.LogLine = 

+ DateTime.ToWebReporterString 

+ “ ”” 

+ Authentication.Username 

+ “ ” 

+ String.ReplaceIf Equals (IP.ToString. 

(Client.IP), “”, “-”) 

+ ““ ”” 

+ List.OfString.ToString (Antimalware. 

VirusNames) 

+ ““ ”” 

+ URL 

+ ““” 

The rule applies when a requested object has been found to be infected. 

The rule then triggers two events, one to set parameter values, including the names of the found 

viruses and malware items and related information, and another to write an entry with these values 

into a log file. 

The elements of this rule have the following meanings: 

• Criteria — Antimalware.Infected equals true 

The criteria of the rule uses the Antimalware.Infected property. It is matched when it has the value 

true. This means that the rule applies when a filtered object is infected. 

• Action — Continue 

When it applies, the rule triggers the Continue action. This action lets processing continue with the 

next rule after the events of the current rule have been executed. 

• Events — When it applies, the rule also triggers two events: 

• Set User-Defined.logLine = ... — Sets the parameter values that are logged, including: 

• DateTime.ToWebReporterString — Date and time in Web Reporter format of the request for the 

object that was found to be infected 

The value is converted into a string before being logged. 

• Authentication.Username — Name of the authenticated user who requested the object 

• String.ReplaceIf Equals (IP.ToString. (Client.IP), “”, “-”) — IP address of the client the request 

was sent from 

The address is converted into a string. 

FileSystemLogging.WriteLogEntry 

(User-Defined.logLine) 


8 

Monitoring 

Logging 

• List.OfString.ToString (Antimalware.VirusNames) — List with the names of the found viruses 

and other malware items 

The list is converted into a string. 

• URL — URL that was requested 

• FileSystemLogging.WriteLogEntry ... — Executes the write event. 

The entry that is to be written and the log file it is written into are specified with the event: 

• (User-Defined.logLine) — Event parameter specifying the entry 

This is a log file line with the parameter values that have been set by the other event of the rule. 

• — Event settings specifying the log file 

Note: Clicking the settings name on the user interface opens the settings for editing. 

You can modify this logging rule or create similar rules of your own. For more information, see Create a 

sample logging rule. 

Create a sample logging rule 

This section describes steps for creating a sample logging rule. The rule is taken from the Found Virus 

Log Rule Set, which is provided on the appliance by default. 

Note: The rule name is slighty modified to avoid a conflict with the existing rule. 

To create a sample logging rule: 


2 From the Rule Sets menu, select Log Handler and then the Found Viruses Log rule set. 

3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. In 

the main window area, items appear for adding a name and other general settings. 

4 Add the following general settings: 

a Name — Type Write Found Malware Log. 

Note: The name of the already existing logging rule is Write Found Viruses Log. 

b Enable rule — Deselect this checkbox, so the sample rule gets not enabled. 

5 Select Rule Criteria. Items for adding the criteria appear. 

6 Click Add. The Add Criteria window opens. 

7 Add the criteria of the rule (Antimalware.Infected equals true): 

a From the Property list, select Antimalware.Infected. 

b In the Operator list, leave equals. 

c In the Parameter area, select true from the Value list. 

8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area. It 

lets the rule write a log file entry if an object is actually found to be infected. 

9 Select Action and from the Action list, select Continue. This action lets the filtering process continue 

after the log file entry has been written. 

10 Select Events. 

11 Click Add and from the drop-down menue that appears select Set Property Value. The Add Set 

Property window opens. 

12 From the list under Set this property (string), select User-Defined.logLine. 


13 Configure the following for the log file line: 

“[” + DateTime.ToString(“ ”) + “]” 

+ Authentication.UserName + ““ ”” 

+ String.IP.ToString (Client.IP) + ““ ” 

+ String.List.String.ToString (Antimalware.VirusNames) + ““ ” 

+ URL + ““ ”” 

To do this: 

Monitoring 

Logging 8 

a Click Add and in the window that opens select Value and enter an opening square bracket. Then 

click OK. 

b Click Add again, select Property, and from the properties list, select DateTime.ToString 

(String). 

c Click Parameters and in the Property Parameters window (where Value is selected), click OK. 

Then click OK again to close the preceding window. 

d Click Add, select Value and enter a closing square bracket. Then click OK. 

This adds the date and time part included in square brackets and with an output field for the 

date and time value. 

e Click Add, select Property, and from the properties list, select Authentication.UserName. 

Then click OK. 

f Click Add and in the Value field, type “ ”. Then click OK. 

This adds the user name part with an output field for the value. 

g Use the appropriate items to add properties and output fields for the client IP address and the 

remaining parameters as shown at the beginning of this step. 

h Click OK to close the Add Set Property window. 

14 To add the write event, click Add and select Event. The Add Event window opens. 

15 From the properties list, select FileSystemLogging.WriteFileEntry. 

16 Click Parameters. The Property Parameters window opens. 

17 From the properties list, select User-Defined-LogLine. This adds the entry that is written into the 

log file. 

18 Click OK on both open windows to close them. 

19 Select Summary to review what you have configured. 

20 Click Finish. The sample logging rule is inserted in the Found Viruses Log rule set. Click Delete to 

remove it again. 



8 

Monitoring 

Logging 

Create a log handler 

When you create new logging rules, you can insert them into existing logging rule sets or create new 

rule sets for them. These must be nested themselves in top-level rule sets known as log handlers. This 

section tells you how to create a log handler. 

Note: You can also use the Default log handler for inserting new logging rule sets. 

Complete the following procedure to do this: 


2 From the Rule Sets menu, select Log Handler. 

3 On the log handler tree, navigate to the position where you want to insert the new log handler. Then 

click Add. 

4 From the drop-down menu that appears, select Log Handler. The Add New Log Handler window 

opens with the Rule Sets tab selected. 

5 Configure the following general settings: 

• Name — Name of the log handler 

• Enable — When selected, the log handler is enabled. 

• [Optional] Comment — Plain-text comment on the log handler. 

6 [Optional] Click the Permissions tab and configure who is allowed to access the new log handler. 

7 Click OK to close the Add New Log Handler window. The log handler is inserted into the tree structure. 


You can now insert one or more nested rule sets into the log handler and fill these with rules. 

For more information, see Add a new rule set, Create a sample logging rule, and Access restrictions. 

Use self-configured log files 

You can use log files of your own to monitor appliance behavior and have entries written into them by 

rules. This section explains how this is done. 

Complete the following procedure to enable the use of your own log files: 


2 Use the items on this tab to create a log handler and a nested rule set within this log handler. 

3 Create a log for storing log files: 

a Go to Policy | Settings. 

b Go to File System Logging and select one of the existing settings, for example, Access Log 

Configuration. These will serve as the starting point for creating new setting, including settings 

for a new log. 

c Click Add above the Settings tree. The Add Settings window opens. 

d In the Name field, enter a name for the new settings. 

e [Optional] Type a comment on the new settings and use the Permission tab to configure who is 

allowed access to the new settings. 

f Under Name of the log, type the name of the new log. 

g Configure other items of the new settings as needed. 

h Click OK. The Add Settings window closes and the new settings appear under File System 

Logging on the Settings tree. 


Monitoring 

Logging 8 

4 Go to Policy | Rule Sets and insert a logging rule that triggers events when its criteria is matched 

into the rule set you created in step 2. The logging rule should triggers the following events if its 

criteria is matched: 

• A set event that sets parameter values for a log file entry 

• A write event that writes the entry into a log file of the log you created 

Note: The criteria of the logging rule relates to what you want to log, for example, Antimalware.Infected 

equals true as the criteria if you want to log requests for infected objects. Then the set and write events 

are triggered if an object is found to be infected. 


The new log and the log files are stored in a folder of the program files for McAfee Web Gateway. To 

view them, navigate with your file manager to the location where these program files are stored and go 

to: 

/opt/mwg/log/user-defined-logs// 

For more information, see Create a log handler, Add a new rule set, Create a sample logging rule, 

Configuring log file settings, and Access restrictions. 

Use of a property in a logging rule to record blocking key words 

When user access to web objects is blocked on the appliance, you can in some situations use the 

List.LastMatches property to find out why it was done. This section explains what you need to configure 

to use the property in this way. 

The implemented rules on your appliance could, for example, include a rule for blocking access to web 

objects containing unwanted text, which is identified by the occurrence of “bad” key words. Then you 

might be interested in knowing not only that access to an object has been blocked, but also what the 

key words were that led to the blocking. 

To find out about the key words, you need to configure the following: 

• A list of the key words 

• A rule that blocks access to web objects with text containing the key words 

• An addition to a default logging rule to let it record the key words 

List of key words 

You can create a list of key words on the Lists tab and fill it with suitable entries. 

For more information on how to create this list, see Create a list of key words. 

Rule for blocking text with key words 

You can create a rule for blocking text with key words, which must be contained in a rule set. You can 

create both items on the Rule Sets tab. 

The following is an example of what the blocking rule could look like: 

Block text with bad words 

User-Defined.listOfWords at least one in list BadWords –> Block 

The rule uses the User-Defined.ListOfWords property to compare the text contained in the body of 

a web object with the words in the BadWords list. The value of the property is a string list of all the 

words that are in this text. If one of these words matches a word from the list, access to the web 

object with this text is blocked for the user who requested it. 

Processing then stops and continues with the next request that is received on the appliance. 


8 

Monitoring 

Logging 

The settings of the blocking action specify a message to the requesting user. They also include an 

ID for the block reason, which is recorded in the entry that is written into the Access Log for the 

request. 

To configure action settings for the rule, you need to create these settings before you create the rule. 

If you want to set the text contained in the body of the web object as the value of the 

User-defined.listOfWords property, you must use another rule to set the value. This rule, which must be 

placed and executed before the blocking rule, could look as follows: 

Set User-Defined.listOfWords 

Always –> Continue — Set User-Defined.listofWords = String.ToStringList (Body.Text “ ” “.,;:‘’!?”) 

When this rule is processed, it is always executed. It uses an event to set the User-Defined.listOf 

Words property to a value, which is the list of words in a text. To provide this list, the String.To 

StringListProperty converts the words from the text contained in the body of a web object into a 

list. The web object is the one that is currently being requested by a user. 

The Body.Text property is the first parameter of the String.ToStringList property. It is a string 

containing the text in the body of the requested web object. The other two parameters specify a 

list delimiter and a character that has all its occurrences deleted in the list, which is the whitespace 

in this case. 


For information on how to configure a user-defined property for the blocking rule, see Create a 

user-defined property of the list type. 

For creating a rule set to contain the two rules, see Create a rule set for new rules. 

For creating the rules, see Create a rule for setting text as the value of a user-defined property and 

Create a rule for blocking text with bad key words. 

Addition to a default logging rule 

You can use the Rule Sets tab to work with the default logging rules. To let a logging rule write key 

words that have been identified by a suitable rule into the Access Log, you need to add the value of the 

List.LastMatches property to the log line used by the log. 

The value of the List.LastMatches property is a string containing all elements that have been found to 

match when two lists are compared using an operator such as at least one in list or all in list. 

After adding this value to the log line of the Access Log, you will see in this log the word or words that 

the blocking rule has identified as the reason for blocking access to a web object. 

For example, the blocking rule compares a keyword list containing the words “shopping”, “travel”, and 

“games” to a list of words created by converting the text in question. If the comparison uses the 

at-least-one-in-list operator, the occurrence of the word “shopping” is sufficient for blocking access to 

this text. The log line then includes this word. This way you not only know why access was blocked, but 

also the key word that triggered the blocking. 

If you use a different operator, for example, the all-in-list operator, the blocking rule is only executed if 

all key words are matched within the text in question. All key words are then recorded. 

After adding the value of the List.LastMatches property to the log line of the Access Log, the default 

logging rule that writes this line into the log could look as follows: 

Write access.log 

Always –> Continue — 

Set User-Defined.logLine = 

DateTime.ToWebReporterString + “ ” 

+ Authentication.Username + “ ” 

... 


+ Number.ToString (Block.ID) + ““” 

+ List.LastMatches + “ ” 

Monitoring 

Logging 8 

FileSystemLogging.WriteLogEntry (User-Defined.logLine) 

When the rule is processed, it is always executed. It uses two events: one to set values for a log 

line and another to write this line into the Access Log on the appliance. 

The first event uses the User-Defined.logLine property to set a log line that is written into the 

Access Log, for example, when a request has been received on the appliance. The elements of the 

log line are the values of the properties specified for the event. The List.LastMatches property 

provides the key word or words that triggered the blocking of access to a web object. 

The second event writes the log line with the values it has been set to into the Access Log. The log 

line is specified as a parameter of this event. The Access Log is specified by the event settings. 

The Continue action lets processing continue with the next rule, which can be contained in this or 

the next rule set. 

Create a list of key words 

To create a string list of key words that can have matches in a given text: 


2 On the lists tree, go to Custom Lists | String. 

3 Click Add on the toolbar. The Add List window opens. 

4 On the Add List tab, configure the following general settings: 

• Name — For example: BadWords 

• Comment — [Optional] Plain-text comment on the list 

• Type — String (preselected) 

5 [Optional] Click the Permissions tab and configure who is allowed to view and edit the list. 

6 Click OK. The Add List window closes and the new list appears on the lists tree. 


For information on how to fill the new list with entries, see Add entries to a key word list. 

Add entries to a key word list 

To add entries to a key word list: 


2 On the lists tree, go to Custom Lists | String, and select the list you created for entering key words, 

for example, BadWords. 

3 On the settings pane, click Add. The Add String window opens. 

4 Under String, type an entry, for example, Travel. 

Note: To add multiple entries at once, click Add multiple and use a new line of the window for each 

entry. 

5 [Optional] In the Comment field, type a plain-text comment on the list entry. 

6 Click OK. The Add String window closes and the entry is added to the list. 

Repeat steps 3 to 6 as often as needed to add more entries. 



8 

Monitoring 

Logging 

Create a user-defined property of the list type 

To create a user-defined property of the list type for comparison to another list: 


2 From the rule sets menu, select User Defined Properties. 

3 Click Add and select User Defined Properties. The Add New User Defined Property window opens. 

4 Configure the following settings for the property: 

• Name — User-Defined.listOfWords 

• Type — List 

• List content type — String 

• Comment — [Optional] Plain-text comment on the property 

5 Select the Initially empty checkbox. 

6 Click OK. The Add New User Defined Property window closes and the property is added to the list. 


You can use a rule to set this property to a particular value, which is a list of strings. You can then use 

another rule to compare this string list to another string list, for example, a list of bad key words. 

For more information on these rules, see Create a rule for setting text as the value of a user-defined 

property and Create a rule for blocking text with bad key words. 

Create a rule set for new rules 

To create a rule set to contain the two rules you want to use for blocking unwanted text: 


2 On the rule sets tree, navigate to the position where you want to insert the rule set. 

Note: A good position to insert the rule set is before the rule sets that control other filtering functions, 

such as URL or virus and malware filtering. 

3 Click Add above the rule sets tree. A drop-down menu opens. 

4 Select Rule Set. The Add New Rule Set window opens. 

5 Configure the following general settings for the rule set: 

• Name — Name of the rule set, for example, Block Unwanted Text 

• [Optional] Comment — Plain-text comment on the rule set 

6 Select the Enable checkbox. 

7 [Optional] Click the Permissions tab and configure who is allowed to view and edit the rule set. 

8 In the Applies to section, select Responses and Embedded objects. 

9 In the Apply this rule set section, select Always. 



Create a rule for setting text as the value of a user-defined property 

Monitoring 

Logging 8 

A rule can convert text that is the body of a web object to a list of strings and set this list as the value 

of a used-defined property. 

To configure this rule: 


2 From the rule sets tree, select the rule set you have created for the rule, for example, Block Unwanted 

Text. 

3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. 

4 In the Name field, type the rule name, for example, Set User-Defined.listOfWords. 

5 Select Rule Criteria and under Apply this rule, select Always. 

6 Select Action and from the Action list, select Continue. 

7 Select Events, click Add, and select Set Property Value. The Add Set Property window opens. 

8 From the list under Set this property, select the user-defined property you created, for example, 

User-Defined.listOfWords. 

9 Under To this value, select Property and from the list of properties, select String.ToStringList. 

10 Click Parameters. The Property Parameters window opens. 

11 Configure the three parameters of the String.ToStringList property as follows: 

a Parameter 1: Select Property and from the list of properties, select Body.Text. 

b Parameter 2: Make sure Value is selected, and in the List Delimiter field, type the character to 

use as a delimiter. 

c Parameter 3: Make sure Value is selected, and in the Trim Characters field, type the characters 

you do not want to appear at the beginning and end of words in the string list that is the result of 

the conversion. 

12 Click OK to close the Property Parameters window and then again for the Add Set Property window. 

13 Click Finish. The Add Rule window closes and the new rule appears on the settings pane. 

After using this rule to set a particular text as the value of the User-Defined.listOfWords property, you 

can use another rule to compare this text to a list of key words and eventually execute a blocking 

action. 

For more information about this rule, see Create a rule for blocking text with bad key words. 

For more information about delimiters and trim characters and how to specify them as parameters, see 

the description of the String.ToStringList property in the List of properties. 

Add action settings for a key word blocking rule 

When a rule blocks text containing key words, the settings of the blocking action can specify a message 

to the user who requested access to this text. 

To add these settings to the preconfigured settings for blocking actions: 


2 On the Actions branch of the settings tree, select Block. 

3 Click Add. The Add Settings window opens. 

4 Configure the following general parameters: 

• Name — For example: Bad Words Found 

• Comment — [Optional] Plain-text comment on the settings 


8 

Monitoring 

Logging 

5 [Optional] Select the Permissions tab and configure who is allowed to view the settings and edit 

them. 

6 Click OK. The settings appear under Block on the settings tree. 


To use these settings for a rule that blocks bad key words, you also need to configure several special 

parameters. 

For more information, see Configure action settings for a key word blocking rule. 

Configure action settings for a key word blocking rule 

To configure special settings for the action in a rule that blocks bad key words: 


2 On the Actions branch of the settings tree, go to Block and select the settings you configured for 

this rule, for example, Bad Words Found. Options for configuring parameter values appear on the 


3 In the McAfee Web Reporter Block Reason ID field, type 111. 

4 In the Block Reason field, type a description of the block reason, for example, Text contains bad 

words. 

5 Next to the Template Name list, click Add. The Add Template Window opens. 

6 Configure the following general parameters: 

• Name — Name of the template that is used for sending a message to a user, for example, 

Bad Words Found 

• File name — Name of the html and txt files that can be sent as user messages. 

The file names are by default generated from the template name. To specify a different name, 

deselect the auto checkbox and type a file name into the field. 

• Languages — List for selecting the language of the user messages, for example, English (En). 

• Content File Type — Types of the files that deliver the content of the user messages: html and txt 

7 Click OK & Edit. The Template Editor opens. 

The template you added and the content files of the types and in the language you selected appear 

on the templates tree of the editor, for example, Bad Words Found | en | html and txt. 

8 Configure the content files of the types you selected: 

a Select, for example, the html file. A blank area appears under HTML Editor on the right side of 

the editor. 

b Fill the html file with content, for example, by copying content from the default html file: 

• On the templates tree, go to Default Error Template and from the en branch, select html. 

The content of the English default html file appears. 

• Click Edit and then Select All and Copy. 

• Go back to the Bad Words Found template and from the en branch, select html. 

• Click into the blank area, select Edit and then Paste. The default content appears. 

c Modify the default content: 

• In the first content line, type BadWordsFound to replace DefaultError as the template name. 

• In the Title section, go to the line below and type Bad Words Found 

to replace Default Block as the template title. 


Monitoring 

Logging 8 

• In the Content section, go to the line below , delete the default 

text completely and type the text you want to appear in the user message. 

Type, for example: The text you requested access to was blocked because it contained 

words that are on a list of forbidden words. 

d Select the txt file and fill it with content. 

You can proceed in the same way as for the hmtl file. If you copy and paste the content of the 

default txt file, you only need to type new text to replace the existing template title and 

message text. 

e Click Save Template Changes. The Template Editor closes. 

f Click Save Changes. 

Action settings are now available for the blocking action in a rule that blocks bad key words. For 

information on how to create this rule, see Create a rule for blocking text with bad key words. 

For more information on configuring action settings that specify user messages, see User messages. 

Create a rule for blocking text with bad key words 

A rule can block text containing “bad” key words, which are eventually recorded in a log file. 

This rule requires special settings for the blocking action, which you must have created before creating 

the rule. 

To create the blocking rule: 


2 From the rule sets tree, select the rule set you have created for the rule, for example, Block Unwanted 

Text. 

3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. 

4 In the Name field, type the rule name, for example, Block bad words. 

5 Select Rule Criteria and click Add. The Add Criteria window opens. 

a From the Property list, select User-Defined.listOfWords. 

b From the Operator list, select a suitable operator, for example, at least one in list. 

c From the Value list in the Parameter area, select the list you created, for example, BadWords. 

6 Click OK. The Add Criteria window closes and the added criteria appears in the main window area. 

7 Select Action and configure the following: 

a From the Action list, select Block. 

b From the Settings list, select the settings you created for the rule, for example, Bad Word Found. 

8 Click Finish. The Add Rule window closes and the new rule appears on the settings pane. 


For information on creating the action settings that are required for this rule, see Add action settings for 

a key word blocking rule. 

When this rule has been processed and a blocking action was executed, the blocking reason and the 

key words that triggered the blocking can be recorded in an entry of the Access Log. 

To ensure an entry with this data is written into the log, you need to modify the appropriate logging 

rule. 

For more information, see Modify a default logging rule to record key words. 


8 

Monitoring 

Logging 

Modify a default logging rule to record key words 

You can modify a default logging rule that writes entries into the Access Log to include the key words 

that led to the blocking of text with “bad” key words. 

To modify this rule: 


2 From the rule sets menu, select Log Handler. 

3 Expand the Default log handler rule set and select the nested Access Log rule set. The rules of this 

rule set appear on the settings pane. 

4 Select the Write access.log rule and click Edit. The Edit Rule window opens. 

5 Select Events and in the Events field, select the Set User-Defined.logLine = ... event. 

6 Click Edit. The Edit Set Property window opens. 

7 Click Add. The Please Enter a String window opens. 

8 Click Property and from the list of properties, select List.LastMatches. 

9 Click OK. The window closes and the List.LastMatches property is added to log line that is written into 

the Access Log. 

10 Click Add again, select Value in the window, and in the input field type the following string: “ ” 

(whitespace embedded in quotes). 

11 Click OK to close the Edit Set Property window. 

12 Click Finish to close the Edit Rule window. The modified rule appears on the settings pane. 


After modifying the rule in this way, the log line for the Access Log contains a string that is the value of 

the List.LastMatches property. 

If a blocking rule blocks access to text based on a comparison to a list of bad key words, this string 

contains the matching key word or words that led to the blocking. 

For more information, see Use of a property in a logging rule to record blocking key words. 


Configuring log file settings 

Monitoring 

Logging 8 

By configuring log file settings, you can determine how log files are rotated, deleted, and pushed. For 

rule-based log files, these specify also the log that is used to store the log files. This section tells you 

how these settings are configured for the different types of log files. 

Configure settings for rule-based log files 

Complete the following procedure to configure this type of log files: 


2 On the settings tree, go to File System Logging and select the settings you want to configure, for 

example, Access Log Configuration. 

3 Configure these settings as needed: 

• Log settings — For log name, log file header, and other parameters 

• Log file settings — For rotation, deletion, and pushing of log files 


For more information, see File System Logging engine settings 

Configure settings for system-maintained log files 

Complete the following procedure to configure this type of log files: 


2 On the appliances tree, go to the appliance you want to configure system settings for and select Log 

File Manager. 

3 Configure these system settings as needed. They include settings for rotation, deletion, and pushing 

of log files. 


For more information, see Log File Manager system settings 


8 

Monitoring 

Logging 

Log file settings 

You can configure log file settings to determine the handling of log files on the appliance, for example, 

how they are rotated and deleted. This section describes these settings for different types of log files. 

File System Logging engine settings 

The File System Logging engine settings are settings for the module that handles rule-based log files on 



File System Logging Settings 

Settings for a log that stores log files 

Name of the log — Log name 

Enable log buffering — When selected, the log is buffered. The buffer interval is 30 seconds 

Enable header writing — When selected, the header below is added to all log files 

Log header — Input field for typing a header for all log files 

Encrypt the log file — When selected, log files are stored encyrpted 

First password, Repeat password — Input field for creating a password for access to encrypted log 

files 

[Optional] Second password, Repeat password — Input field for creating an second password for 

access to encrypted log files 

Settings for Rotation, Deletion, and Pushing 

Settings for handling log files 

Enable specific settings for User-Defined Log — When selected, the settings configured in the 

following apply to the user-defined logs, which store the log files that are rule-based 

Otherwise the system settings configured for the Log File Manager function apply also to this log. 

Auto Rotation 

Settings for rotating log files automatically according to size and time of day 

Enable auto rotation — When selected, log files are rotated according to the following settings 

Note: You can configure just one of the two settings or both. 

Enable log file rotation if log file size exceeds — When selected, log files are rotated 

according to the size (in MiB) specified in the input field provided here 

Enable scheduling of log file rotation — When selected, log files are rotated according to the 

time of day (in hours and minutes) specified in the input field provided here 

Note: The 24-hours format is used here, for example, 1:30 p. m. is 13:30. 

Auto Deletion 

Settings for deleting log files automatically according to size and last time of modification 

Enable auto rotation — When selected, log files are deleted according to the following settings 

Note: You can configure just one of the two settings or both. 

Enable log file deletion if log file size exceeds — When selected, log files are rotated 

according to the size (in MiB) specified in the input field provided here 

Enable autodeletion of unchanged files — When selected, log files are deleted after the time 

(in days) specified in the input field provided here 


Monitoring 

Logging 8 

Auto Pushing 

Settings for pushing rotated log files to another server 

Enable auto pushing — When selected, rotated log files are pushed from the local database on the 

appliance to the server specified by the following settings 

Destination — Network protocol, host name, and path of the server 

A variable can be added to the path name to specify the pushing process more precisely. 

For example, %h can be added for the host name of the appliance that log files were pushed from. 

The destination could then be specified as follows: 

ftp://myftp.com/%h 

When the log files are pushed, the variable is replaced with the appropriate value, which is a host 

name in this example. 

The variables you can use here include: 

%h – host name of an appliance 

%y – current year (four digits) 

%m – current month (one or two digits) 

%% – for % (if it is to occur in a host name) 

User name — Name of the user who is authorized to push log files to the server 

Enable pushing log files directly after rotation — When selected, pushing follows rotation 

immediately 

Push interval — Time (in hours) to elapse before the next log files are pushed (if not pushed 

immediately after rotation) 

Log File Manager system settings 

The Log File Manager system settings are settings for the function that handles system-maintained log 

files. 


Global Log File Settings 

Settings for all log files that no specific settings have been configured for 

Auto Rotation, Auto Deletion, Auto Pushing 

Meanings and usage of these settings are the same as of the corresponding settings for the File System 

Logging module. 

For more information, see File System Logging engine settings. 

Destination 

Destination that a file is pushed to 

Settings for the Update Log 

Enable specific settings for Update Log — When selected, the settings configured in the following 

apply to the Update Log. Otherwise the global log file settings apply 





8 

Monitoring 

Logging 

Settings for the Audit Log 

Enable specific settings for Audit Log — When selected, the settings configured in the following 

apply to the Audit Log. Otherwise the global log file settings apply 




Advanced 

Settings for auto-deletion of core and feedback files 

Enable auto-deletion of core files — When selected, core files are automatically deleted according 

to the settings you configure 

You can specify a number, a time interval, and a volume to let core files that exist in excess of these 

values be automatically deleted 

Enable auto-deletion of feedback files — When selected, feedback files are automatically deleted 

according to the settings you configure 

You can specify a number, a time interval, and a volume in the same way as for core files. 


Log handler rule sets 

Monitoring 

Logging 8 

Log handler rule sets are top-level rule sets with nested rule sets that include logging rules. This section 

describes the nested logging rule sets that are provided by default on the appliance. 

Access Log 

This nested logging rule set records requests for access to the web sent from users of your network. 

Nested logging rule set — Access Log 



Write access.log 


Set User-Defined.logLine = DateTime.ToWebReporterString + “ ”” ... 


The rule uses an event to fill a log file entry with parameter values relating to requests sent by 

users, such as user names or request headers. It uses another event to write this entry to a log 

file. 

The log file entry is specified as a parameter in both events. The log that stores the log file is 

specified by the settings of the write event. 

Values for the following parameters are set and logged by the events of the rule (properties used 

by the set event are shown in italics): 

• Date and time — DateTime.ToWebReporterString 

• User name — Authentication.UserName 

• Client IP address — String.ReplaceIfEquals (IP.ToString(Client.IP), “”, “-”) 

• Response status — String.ReplaceIfEquals (Number.ToString (Response.StatusCode), “”, “-”) 

• Request header — RequestHeader.FirstLine 

• URL category — List.OfCategory.ToString (URL.Categories) 

• URL reputation — String.ReplaceIfEquals (URL.ReputationString, “”, “-”) 

(URL.Reputation) 

• Media type — MediaType.ToString (MediaType.FromHeader) 

• Body size — String.ReplaceIfEquals (Number.ToString (Body.Size), “”, “-”) 

• User agent — Header.Request.Get(“User-Agent”) 

• Virus and malware names — List.OfString.ToString (Antimalware.VirusNames) 

• Block action ID — Number.ToString (Block.ID) 

The logging rule applies whenever a request for access to the web is received. The two rule events 

for filling and writing a log entry are then executed. 

Processing continues with the next rule or rule set. 


8 

Monitoring 

Logging 

Found Viruses 

This nested logging rule set records names of viruses and other malware found in requested web 

objects. 

Nested logging rule set — Found Viruses Log 



Write found viruses.log 

Antimalware.Infected equals true –> Continue — 

Set User-Defined.logLine = DateTime.ToWebReporterString + “ ”” ... 


The rule uses an event to fill a log file entry with parameter values relating to web objects infected 

by viruses or other malware, such as virus names or IP addresses. It uses another event to write 

this entry to a log file. 

The log file entry is specified as a parameter in both events. The log that stores the log file is 

specified by the settings of the write event. 

Values for the following parameters are set and logged by the events of the rule (properties used 

by the set event in italics): 

• Date and time — DateTime.ToWebReporterString 

• User name — Authentication.UserName 

• Client IP address — String.ReplaceIfEquals (IP.ToString(Client.IP), “”, “-”) 

• Virus and malware names — List.OfString.ToString (Antimalware.VirusNames) 

• URL — URL 

The logging rule applies whenever a requested web object has been found to be infected. The two 

rule events for filling and writing a log entry are then executed. 

Processing continues with the next rule or rule set. 



Monitoring 

Performance measurement 8 

Processing time consumed for particular activities is measured on the appliance and displayed on the 

user interface. This section tells you where it is displayed and how you can set up rules for logging 

processing time and for measuring it on your own. 

View performance information 

How the appliance performs is measured by recording average processing times for several activities 

such as performing DNS lookups or processing client requests. This information is displayed on the 

dashboard of the user interface. 

To view this information: 

1 Go to Dashboard | Charts and Tables. 

2 Select Performance Information. 

For details about the information displayed here, see Overview of charts and tables information. 

Properties for logging performance information 

You can log performance information using logging rules with appropriate properties. For each type of 

performance information, a corresponding property is available. 

For example, the dashboard displays information on the average time it takes to resolve host names by 

looking up names on a DNS server. The property Timer.ResolveHostNameViaDNS corresponds to this 

information. The value of this property is the time that was consumed for looking up a host name 

appearing in a request that was processed on the appliance. The time is measured in milliseconds. 

You can use this property to create an element in a log line. When this line is written to a log file by a 

logging rule, the time for looking up host names is recorded together with other information covered by 

the log line. 

Other properties that make performance information available for logging include Timer.HandleConnect 

ToServer for measuring the time needed to connect to external servers or Timer.TimeConsumedByRule 

Engine for the time the rule engine needs to do its job when a request is received on the appliance. 

The time that is measured and made available by a property includes the time needed for the relevant 

activity, for example, connecting to external servers while a particular request was processed on the 

appliance throughout all relevant processing cycles (request, response, and embedded object cycles). 

Processing one individual request on the appliance is considered to be one transaction. 

A transaction need not go through all cycles for a given request. For example, if a user sends a request 

to access a web page falling into a category that is blocked under a particular web security policy, a 

block message is returned to this user, the request is not forwarded to a web server, and processing 

does not enter the response cycle. 

All properties that make performance information available for logging have the element Timer at the 

beginning of their names. For more information on these properties, see the List of properties. 


8 

Monitoring 


Using properties in rules to log performance information 

You can insert the properties that are available on the appliance for logging performance information 

into logging rules that write log lines into log files. 

The properties for logging performance information make this information available with regard to the 

processing of individual requests. When a request is received on the appliance, particular activities are 

completed to process it, which are together considered as one transaction. 

An Access Log exists by default on the appliance with log files into which a log line is written whenever 

a transaction has been completed for a request. This log is an appropriate location for recording 

performance information. 

Writing log lines into the log files of the Access Log is handled by a logging rule. This rule uses one 

event to create a log file entry and another to write this entry as a log line into a log file. 

A log entry is composed of several elements, each of which adds a particular piece of information, for 

example, the date and time when a request was received on the appliance. By inserting an element 

providing performance information into the entry you can let this information be recorded. 

The event that creates a log entry for the Access Log begins as follows: 

Set User-Defined.logLine = DateTime.ToWebReporterString + “”” ... 

Date and time for a request is recorded by the DateTime.ToWebReporterString + “”” element. More 

elements providing other information follow this element. 

To record performance information about, for example, the processing time consumed for DNS lookups 

you need to add the following element: 

+ Number.ToString (Timer.ResolveHostNameViaDNS) + “”” 

Since the log line is a string, the numerical value for the processing time must be converted to string 

format before it can be recorded. This is done by the Number.ToString property, which takes the 

Timer.ResolveHostNameViaDNS property as a parameter. 

For more information on working with log entries, see Sample logging rule and Create a sample logging 

rule. 

Events for measuring performance in rule set processing 

You can measure the time the rule engine consumes for processing individual rule sets. Several events 

to be used in appropriate rules are available for this purpose. 

The reason for measuring this time could be that you want to know whether performance is improved 

or reduced after you have applied changes to the rule set. 

The events for measuring rule set processing performance control an internal watch on the appliance. 

The following events are available: 

• Stopwatch.Start (String) — Starts the internal watch 

• Stopwatch.Stop (String) — Stops the internal watch 

• Stopwatch.Reset (String) — Resets the internal watch 

The string parameter that each of these events takes can be used to identify the event. For example, if 

you use these events to record processing time for the URL Filtering rule set, you can assign 

URLFiltering as a value to this string. 


Monitoring 

Performance measurement 8 

Using events in rules to measure processing time for rule sets 

To measure the time the rule engine consumes for processing a rule set you can use the events that 

control the internal watch on the appliance in appropriate rules. 

A rule that uses, for example, the Stopwatch.Start event to start measuring processing time for the 

URL Filtering rule set could look as follows: 


Name 

Start stopwatch for rule set 


Always –> Continue – Stopwatch.Start (“URLFiltering”) 

In a similar way, you can use the events for stopping and resetting the internal watch in other rules. 

To measure the time consumed for processing the rule set, you can place a rule containing the starting 

event at the beginning of the rule set and one with the stopping event at the end. 

However, if you have rules in a rule set that can execute a Stop Rule Set, Stop Cycle, or Block action, 

you need to place the starting rule at the beginning of the rule set and a stopping event into each rule 

that executes one of the mentioned actions. 

A rule with an event to stop the internal watch inserted would look as follows: 


Name 

Allow URLs in URL Whitelist 


URL matches in URL Whitelist –> Stop Rule Set – Stopwatch.Stop (“URLFiltering”) 

When this rule is applied, it stops processing the URL Filtering rule set because the URL that a user 

requested access for has been found to be on the list of allowed URLs. The stopwatch event must 

therefore be inserted into this rule. 

If it were inserted into a separate rule at the end of the rule set, this rule would never be processed 

because the whitelisting rule had stopped processing of the rule set before all its rules were processed. 

In this case, the event that stops the internal watch would never be executed. 


8 

Monitoring 


Properties for logging rule set processing time 

You can log the time that has been measured for rule set processing by the events that control the 

internal watch on the appliance. Properties to be used in logging rules are available for this purpose. 

The following properties have the time that has been measured by the internal watch for rule sets 

assigned as their values: 

• Stopwatch.GetMilliSeconds (String) — Time measured for rule set processing in milliseconds 

• Stopwatch.GetMicroSeconds (String) — Time measured for rule set processing in microseconds 

The string parameter that these properties take is used to ensure the values they hold are the ones 

measured by the events that have the same string as a parameter. 

For example, the value assigned to the Stopwatch.GetMilliseconds (URLFiltering) property is the one 

thas has been measured by the Stopwatch.Start (URLFiltering) and Stopwatch.Stop (URLFiltering) 

events. 

You can use these properties in the same way as other properties for recording processing time by 

inserting them in logging rules. 

For more information, see Using properties in rules to log performance information. 



Monitoring 

Transferring data to an ePO server 8 

The McAfee Web Gateway appliance can be monitored on the McAfee ePolicy Orchestrator ® 

(ePO) 

console. This section tells you how to configure the appliance to transfer monitoring data to a server 

with McAfee ePO software installed. 

The McAfee ePO security management console is a tool for administering several McAfee products, 

including the McAfee Web Gateway appliance. If you configure the McAfee ePO software and the 

appliance accordingly, you can log on to the appliance from the McAfee ePO console and have 

monitoring data transferred from the appliance to the McAfee ePO server. 

When data transfer to the McAfee ePO server is configured, this server sends SSL-secured requests for 

data collected on the appliance in regular intervals. Then you need to allow the CONNECT request that 

the SSL-secured communication begins with to bypass the normal processing of web security rules, so 

it does not get blocked on the appliance. For example, if you have authentication rules implemented, 

this would lead to blocking because the McAfee ePO server does not support the authentication method 

used by these rules. 

You can import an appropriate rule set from the library to enable the bypassing or create a rule set of 

your own. 

For more information, see Configure the data transfer, Import a rule set, and Bypass ePO Requests. 

Configure the data transfer 

To configure the transfer of data to a McAfee ePO server on the appliance: 


2 On the appliances tree, go to the appliance you want to transfer data from and select ePolicy 

Orchestrator. 

3 Configure the ePolicy Orchestrator Settings as needed. These include settings for an account on 

the appliance that is needed to transfer the data, as well as settings for the data collection process. 


For more information, see ePolicy Orchestrator system settings. 


8 

Monitoring 


ePolicy Orchestrator system settings 

The ePolicy Orchestrator system settings can be configured to allow the transfer of McAfee ePO data. 


ePolicy Orchestrator Settings 

Settings for transferring data to a McAfee ePO server 

ePO user account — User name of the user who is authorized to retrieve McAfee ePO data on the 

appliance 

Password, Repeat password — For the user retrieving the data 

Enable data collection for ePO — When selected, data for the McAfee ePO server is collected on the 

appliance 

Data collection interval in minutes — Time (in minutes) to elapse between data collections 

The range is between 10 minutes and 6 hours. 

Bypass ePO Requests 

This section describes a library rule set that lets requests from a McAfee ePO server to connect to the 

appliance bypass the filtering process. 


Library rule set — Bypass ePO requests 

Criteria — Command.Name equals “CONNECT” 


The rule set criteria specifies that the rule set applies when the SSL-secured communication between 

the McAfee ePO server and the appliance begins with a request from the server to connect to the 

appliance. 


Skip subsequent rules for ePO requests 

URL.Host equals “127.0.0.1” OR URL.Host equals “[::1]” –> Stop Cycle – Enable SSL Client Context 

Enable SSL Scanner 

The rule uses the URL.Host property to identify the host of a requested URL, based on the IP 

address of the host. If this address is 127.0.0.1, the host of the requested URL is the appliance. 

When the McAfee ePO server sends a request to connect to the appliance, it uses this address. 

So if 127.0.0.1 is the requested address, the rule applies and stops all further processing in the 

request cycle. This way the CONNECT request is allowed to pass through. 

The next step in this process is sending and verifying certificates. The rule includes an event to 

enable the sending of a client certificate that is issued by the default certificate authority. You can 

modify the event settings to have the certificate issued by another authority. 

The rule also includes an event to enable verification of the certificate sent by the McAfee ePO 

server without using the EDH (Ephemeral Diffie-Hellman) method, which is the appropriate 

procedure for this server. 

When certificate verification has been completed, the SSL-secured communication can go ahead. 



Monitoring 

Event monitoring with SNMP 8 

Events on the McAfee Web Gateway appliance can be monitored under SNMP (Simple Network 

Management Protocol). This section tells you what you need to configure on the appliance for this 

monitoring option. 

The monitoring is done by an SNMP client that communicates with an SNMP agent, which is provided on 

the appliance. When SNMP monitoring is configured, you can view system information on the appliance 

and have messages sent about particular system events or incidents, for example, when CPU usage 

exceeds a particular value. 

Messages sent under the SNMP protocol are known as traps. The host systems that messages are sent 

to are known as trap sinks. 

Configure SNMP monitoring 

To configure SNMP monitoring: 


2 On the appliances tree, navigate to the appliance you want to monitor events on and select SNMP. 

3 Configure the SNMP settings as needed. 

• SNMP port settings — Settings for the ports on the appliance that listen to requests from the 

SNMP client 

• SNMP system information — Information on the appliance that is the monitored system 

• SNMP protocol options — Options for the communication between the appliance and the client 

• SNMP trap sinks — Information on the host systems that traps are sent to 


For more information, see SNMP system settings. 

SNMP system settings 

The SNMP system settings can be configured to allow event monitoring under SNMP. 


SNMP Port Settings 

Settings for the port listening to requests from the SNMP client 

Enable UDP — When selected, allows UDP to be used to communicate with the SNMP client 

UDP port — Port listening to requests under UDP 

Enable TCP — When selected, allows TCP to be used to communicate with the SNMP client 

TCP port — Port listening to requests under TCP 

SNMP System Information 

Settings for the appliance that is the monitored system 

Description — Helps identify the system 

Object ID — ID of the object in the Management Information Base (MIB) where information on the 

monitored system begins 

Contact person — Mame of the person administering the SNMP functions of the system 

Physical location — Location of the system 


8 

Monitoring 


SNMP Protocol Options 

Settings for communities and users who are allowed access to information under different versions of 

the SNMP protocol 

SNMP v1 — When selected, allows version 1 of SNMP to be used 

SNMP v2c — When selected, allows version 2c of SNMP to be used 

Communities for SNMPv1 and SNMPv2c access — List of communities who are allowed access 

The following table describes the list entries. For information on maintaining a list of this type,, see 

Inline lists. 

Table 8-5 SNMP Communities list 


Community string String denoting a community, for example, public, that allows access to information 

Allowed root OID ID of the item on the MIB (Management Information Base) tree where the part of the 

information that access is allowed to begins 

Note: When * or no value is specified here, access to all information is allowed. 

Allowed from Host name or IP address of the host system that access is allowed from 

Note: When * or no value is specified here, access is allowed from every host. 

Read-only access Information on whether only reading access is allowed 

Comment Plain-text comment on a community 

SNMP v3 — When selected, allows version 3 of SNMP to be used. 

SNMP v3 users — List of users who are allowed access 


Inline lists. 

Table 8-6 SNMP v3 Users list 


User name Name of a user who is allowed access 

Allowed root OID ID of the item on the MIB (Management Information Base) tree where the part of the 

information that access is allowed to begins 

Authentication 

Note: When * or no value is specified here, access to all information is allowed. 

Information on the hash algorithm used to authenticate a user 

Encryption Information on the encryption method used for communication with the SNMP client 

Read-only access Information on whether only reading access is allowed 

Comment Plain-text comment on a user 

SNMP Trap Sinks 

Settings for the host systems that traps are sent to 

Trap sinks — List of the host systems that traps are sent to 


Inline lists. 

Table 8-7 Trap Sinks list 


Host name or IP 

address 

Host name or IP address of a host system that traps are sent to 

Port Port on a host listening for traps 

Community string String denoting a community, for example, public, that allows the sending of data to a trap 

sink 



Table 8-7 Trap Sinks list (continued) 

Monitoring 

Error handling 8 


Send SNMP v2c traps Information on whether traps can be sent under version v2c of SNMP (or under v1) 

Comment Plain-text comment on a trap sink 

SNMP-MIB Files 

Provides two .txt files containing information related to SNMP monitoring on the appliance 

MCAFEE-SMI.txt — Contains Structure of Management Information (SMI) on McAfee, including 

contact information for the McAfee customer service 

MCAFEE-MWG-MIB.txt — Contains descriptions of the items in the Management Information Base 

(MIB) that you can do SNMP monitoring for on the appliance 

When errors and incidents occur on the appliance, you can use rules to take appropriate measures. 

This section explains two types of error handling and describes the rule sets that are by default 

provided for error handling. It also describes a procedure for creating a top-level error handling rule set 

(also known as error handler). 

View the rule sets for error handling 

To view the rule sets that are implemented on the appliance for error handling: 


2 From the rule sets menu, select Error Handler. A rule set tree appears displaying the Default rule 

set for error handling with its nested rule sets. 

If you have created your own rule sets for error handling, these are also displayed. 

For more information on the default rule sets, see Rule sets for error handling. 

Error handling using error IDs 

This section explains how you can use error IDs as a means of error handling. 

Errors that occur on the appliance are identified by an error ID. For example, error ID 14000 indicates 

a failure to load the Anti-Malware module. 

Error IDs can be used by rules to trigger a particular method of error handling, such as blocking access 

to web objects or creating an entry in the system log. To enable the use of error IDs in rules, the 

Error.ID property is available. A rule can trigger an action or event when this property has a particular 

value. 

For more information on the use of error IDs in a default rule set, see Block on Anti-Malware Engine 

Errors. For individual error IDs, see List of error IDs. 

Error handling using incidents 

This section explains how you can use incidents as a means of error handling. 

There is a group of activities and situations that is termed incidents on the appliance. Incidents can be 

related to the appliance system, as well as to its subsystems and modules. For example, a failure of the 

Log File Manager to push log files is recorded as an incident. 


8 

Monitoring 


Incidents can be used by rules to trigger a particular method of error handling, such as sending a 

notification message or creating an entry in the system log. To enable the use of incidents in rules, key 

incident parameters, including the ID, severity, origin, and others, are made available as properties. 

For example, there is the Incident.ID property. A rule can use this property to trigger an event that 

creates a syslog entry if the value of the property is a particular number. 

Rules using incidents 

The Default rule set for error handling contains a nested rule set providing rules that trigger a 

notification message and other error handling events when incidents concerning the Log File Manager 

occur. The name of this nested rule set is Log File Manager Incidents. Other nested rule sets handle 

incidents related to updates and licensing. 

You can also create rules and rules sets of your own that use incidents for error handling. 

For more information on incident use in a default rule set, see Log File Manager Incidents. 

Incident parameters and properties 

Incidents are recorded on the appliance with their IDs and other parameters. For each parameter, there 

is a property, which can be used in an appropriate rule. 

• Incident ID — Each incident is identified by a number. For example, the incident with ID 501 is a 

failure of the Log File Manager to push log files. The Incident.ID property can be used in a rule to 

check the ID of an incident. 

• Description — An incident can be explained by a description in plain text. The name of the relevant 

property is Incident.Description. 

• Origin — Each incident is assigned to the appliance component that is its origin. Origins are specified 

by numbers. For example, origin number 5 specifies the Log File Handler. The name of the relevant 

property is Incident.Origin. 

The origin of an incident is further specified by the value of the Incident.OriginName property. 

• OriginName — The origin of an incident is further specified by the name of the appliance component 

that is involved in the incident. The name of the relevant property is Incident.OriginName. 

The origin name can specify a subcomponent that is a part of the component specified by the 

origin number. For example, origin number 2 (Core) can be further specified by the origin name 

as: 

• Core 

• Proxy 

• URL Filter 

• and other names of core subcomponents 

• Severity — Each incident is classified according to its severity. Severity levels range from 0 to 7, with 

0 indicating the highest level. 

Note: These levels are the same as those used for entries in a syslog file. 

The name of the relevant property is Incident.Severity. 

• Affected host — If there is an external system that is involved into an incident, for example, a server 

that the appliance cannot connect to, the IP address of this system is also recorded. The name of the 

relevant property is Incident.AffectedHost. 

For more information on the properties that are available for use in incident handling rules, see List of 

properties. For individual incident IDs, see List of incident IDs. 


Rule sets for error handling 

Monitoring 


Several rule sets for error handling are provided by default on the appliance. They are nested in the 

Default error handler rule set. This section describes these rule sets. 


Long Running Connections 

This nested error handling rule set keeps connections alive when a proxy module error occurs. 

Nested error handling rule set — Long Running Connections 

Criteria — Error.ID equals 20000 

The rule set criteria specifies that the rule set applies when the value of the Error.ID property is 20000, 

which indicates a malfunction of the proxy module. 


Keep connection always alive 

Always –> Stop Cycle 

When the rule is executed, it stops the current processing cycle. The rule is always executed when 

the criteria of its rule set is matched. Stopping the processing cycle prevents the connection from 

being closed in the course of further rule processing. 


Monitoring (rule set) 

This nested error handling rule set handles measures taken when an incident occurs that involves the 

appliance system. 

Nested error handling rule set — Monitoring 

Criteria — Incident.ID equals 5 

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 5, 

which indicates an incident that involves the appliance system. 

The following rule sets are nested within this rule set: 

• Check CPU Overload 

• Check Cache Partition 

• Check Request Overload 


8 

Monitoring 


Check CPU Overload 

This nested error handling rule set handles measures that are taken when the CPU load exceeds a 

configured value. 

Nested error handling rule set — Check CPU Overload 

Criteria — Statistics.Counter.GetCurrent(“CPULoad”) 

greater than or equals 95 

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter. 

GetCurrent property for CPU load is 95 or higher. This value indicates the percentage of the maximum 

load that the CPU is currently running with. 

The Statistics module, which provides the value, runs with default settings, as is specified after the CPU 

Load property parameter. 


Create notification message 

Always –> Continue — Set User-Defined.loadMessage = 

“CPU load at “ 

+ Number.ToString (Statistics.Counter.GetCurrent(“CPULoad”)) 

+ “%” 

The rule is always executed when the criteria of its rule set is matched. The rule then uses an 

event to set a user-defined property to a chain of values that make up a message text on the CPU 

overload. 


Send SNMP trap and other rules 

Always –> Continue — ... 

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set 

criteria is matched. The rules then use different events for taking measures to make the 

administrator aware of the CPU overload. 

Note: These rules are not enabled by default. 

Check Cache Partition 

This nested error handling rule set handles measures that are taken when the web cache usage 

exceeds a configured value. 

Nested error handling rule set — Check Cache Partition 

Criteria — Statistics.Counter.GetCurrent(“WebCacheDiskUsage”) 



GetCurrent property for web cache usage is 95 or higher. This value indicates the percentage of the 

maximum allowed usage of the web cache that is currently in use. 

The Statistics module, which provides the value, runs with default settings, as is specified after the 

WebCacheDiskUsage property parameter. 




Monitoring 


Always –> Continue — Set User-Defined.cacheMessage = 

“Cache partition usage at “ 

+ Number.ToString (Statistics.Counter.GetCurrent(“WebCacheDiskUsage”)) 

+ “%” 


event to set a user-defined property to a chain of values that make up a message text on the web 

cache usage. 





criteria is matched. The rules use different events for taking measures to make the administrator 

aware of the web cache usage. 


Check Request Overload 

This nested error handling rule set handles measures that are taken when the number of requests 

processed on the appliance per second exceeds a configured value. 

Nested error handling rule set — Check Request Overload 

Criteria — Statistics.Counter.GetCurrent(“HttpRequests”) 



GetCurrent property for requests is 480,000 or higher. This value is the number of requests that are 

currently processed one the appliance per second. 

The Statistics module, which provides the value, runs with default settings, as is specified after the 

HttpRequests property parameter. 




Set User-Defined.requestsPerSecond = 

Statistics.Counter.GetCurrent(“HttpRequests”)) 

/ 60 

Set User-Defined.requestLoadMessage = 

“detected high load: ” 

+ Number.ToString (User-Defined.requestsPerSecond) 

+ “requests per second” 

The rule is always executed when the criteria of its rule set is matched. The rule then uses two 

events to set user-defined properties. One of these properties is set to the number of requests that 

are currently processed on the appliance per second. The other is set to a chain of values that 

make up a message text on this number. 



8 

Monitoring 





criteria is matched. The rules use different events for taking measures to make the administrator 

aware of the request overload. 


Log File Manager Incidents 


Log File Manager. 

Nested error handling rule set — Log File Manager Incidents 

Criteria — Incident.ID greater than or equals 501 AND Incident ID 

less than or equals 600 

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 

within the range of incidents that involve the Log File Manager. 



Incident.ID equals 501 –> Continue — Set User-Defined.notificationMessage = 

“A log file cannot be pushed. Please have a look at the mwg-logfilemanager errors log 

(/opt/mwg/log/mwg-errors/mwg-logmanager.errors.log).” 

The rule checks whether the value of the Incident.ID property is 501, which indicates that the Log 

File manager could not push a log file. If this is the case, the rule uses an event to set a 

user-defined property for sending a notification message to a string value that is the text of this 

message. 



Incident.ID equals 501 –> Continue — ... 

The Send SNMP trap rule and other rules in the rule set check the value of the Incident.ID property 

in the same way as the Create notification message rule and use different events to take measures 

if this value is 501. 



Monitoring 


Handle Update Incidents 

This nested error handling rule set handles measures taken when an incident occurs that involves 

updates performed on the appliance. 

Nested error handling rule set — Handle Update Incidents 

Criteria — Incident.OriginName equals “Updater” OR Incident.ID 

equals 299 OR Incident.ID equals 298 

The rule set criteria specifies that the rule set applies when the update module is specified by the value 

of the Incident.OriginName property or the value of the Incident.ID property is within the range of 

incidents that involve the update module. 


Create update incident message 

Always –> Continue — Set User-Defined.eventMessage = 

“Update Event triggered [“ 

+ Number.ToString (Incident.ID) 

+ “]:” 

+ Incident.Description 

+ “; origin:” 

+ Incident.OriginName 

+ “; severity:” 

+ Number.ToString (Incident.Severity) 


event to set a user-defined property to a chain of values that make up a message text on the 

update incident. The message includes values for several incident properties. 


Create syslog entry and other rules 

Always (or other criteria) –> Continue — ... 

The Create syslog enty rule and other rules in the rule set use different events to take measures if 

the respective rule criteria is matched. 



8 

Monitoring 


Handle License Incidents 


expiration date of the license for your appliance. 

Nested error handling rule set — Handle License Incidents 

Criteria — Incident.ID equals 200 

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 200, 

which indicates that the remaining number of days for your licence has been checked. 


Create license incident message 

Always –> Continue — Set User-Defined.notificationMessage = 

“License expires in ” 

+ Number.ToString (License.RemainingDays) 

+ “ days” 


event to set a user-defined property to a chain of values that make up a message text on the 

remaining number of days for your license. 


Create syslog entry and other rules 

Always (or other criteria) –> Continue — ... 

The Create syslog enty rule and other rules in the rule set use different events to take measures if 

the respective rule criteria is matched. 


Block on Anti-Malware Engine Errors 

This nested error handling rule set blocks access to all web objects when the Anti-Malware module 

cannot be loaded or is overloaded. 

Nested error handling rule set — Block on Anti-Malware 

Engine Errors 



Block if Anti-Malware engine cannot be loaded 

Error.ID equals 14000 –> Block 

The rule blocks access to all web objects when the value of the Error.ID property is 14000, which 

indicates an error that prevents the Anti-Malware module from loading. 

The action settings specify a message to a user who requested access. 

Block if Anti-Malware engine is overloaded 

Error.ID equals 14001 –> Block 

The rule blocks access to all web objects when the value of the Error.ID property is 14001, which 

indicates all connections to the Anti-Malware module are currently in use and the module is 

overloaded. 



Monitoring 


Block on URL Filter Errors 

This nested error handling rule set blocks access to all web objects when the URL Filter module cannot 

be loaded or another error regarding this module occurs. 

Nested error handling rule set — Block on URL Filter Errors 

Criteria — Error.ID greater than or equals 15000 AND Error.ID less 

than or equals 15999 

The rule set criteria specifies that the rule set applies when the value of the Error.ID property lies within 

the specified range, which is the range for errors related to URL filtering. 


Block if Anti-Malware engine cannot be loaded 

Error.ID equals 15000 OR Error.ID equals 15002 OR Error.ID equals 15004 OR Error.ID equals 

15005 –> Block 

The rule blocks all requests for web access when the value of the Error.ID property is one of those 

specified in the rule criteria. These values indicate errors that prevent the URL Filter module from 

loading. 

The action settings specify a message to a requesting user. 

Block all other internal URL Filter errors 

Always –> Block 

The rule is always executed when its rule set applies and the rule preceding it in the rule set has 

not been executed. The rule then blocks all requests for web access. 

The action settings specify a message to a requesting user. 

Block on All Errors 

This nested error handling rule set blocks access to all web objects when an internal error occurs on the 

appliance. 

Nested error handling rule set — Block on All Errors 



Always block 

Always –> Block 

The rule blocks access to all web objects when an internal error occurs. 


The rule in this rule set is for handling internal errors on the appliance. It is executed at the time 

when an internal error occurs, which can, of course, not be predicted and can happen at any time 

during the filtering process or not at all. In this sense, processing the rule is not part of the normal 

process flow. 

After executing the blocking, the rule stops all further processing of rules for the requests, 

responses, or embedded objects that were being filtered when the internal error occurred. 

This way it is ensured that no malicious or inappropriate web objects enter your network or leave 

it while the appliance is not fully available. 

The process flow continues when the next request is received if the internal error did not lead to a 

general interruption of the appliance functions. 


8 

Monitoring 


Create an error handler 

When you create new error handling rules, you can insert them into existing error handling rule sets or 

create new rule sets for them. These must be nested themselves in top-level rule sets known as error 

handlers. This section tells you how to create an error handler. 

Note: You can also use the Default error handler for inserting new nested error handling rule sets. 

Complete the following procedure to do this: 


2 From the Rule Sets menu, select Error Handler. 

3 On the error handler tree, go to the position where you want to insert the new error handler. Then 

click Add. 

4 From the drop-down menu that appears, select Error Handler. The Add New Error Handler window 

opens with the Rule Sets tab selected. 

5 Configure the following general settings: 

• Name — Name of the error handler 

• Enable — When selected, the error handler is enabled. 

• [Optional] Comment — Plain-text comment on the log handler. 

6 [Optional] Click the Permissions tab and configure who is allowed to access the new error handler. 

7 Click OK to close the Add New Error Handler window. The error handler is inserted into the tree 

structure. 


You can now insert one or more nested rule sets into the error handler and fill these with rules. 

For more information on creating a rule set, see Add a new rule set and Access restrictions. For the rule 

sets that are by default available for error handling, see Rule sets for error handling. 


9 Troubleshooting 

Contents 

Troubleshooting appliance problems 

Create a feedback file 

Enable the creation of core files 

Enable the creation of connection tracing files 

Create a packet tracing file 

Use network tools 

Back up and restore the appliance configuration 

Troubleshooting appliance problems 

The sections of this chapter explain how to use troubleshooting tools and methods if problems arise 

when working with the appliance. 

Files for recording appliance behavior 

You can record appliance behavior and evaluate the data recorded in the corresponding files. Several 

types of files can be created for this purpose: 

• Log files — For logging different events and functions, such as access to the appliance or updates of 

files and modules 

• Rule tracing files — For recording the processing of rules 

• Feedback files — For backtracing functions after the failure of a particular function 

• Core files — For recording memory content after a crash has occurred 

• Connection tracing files — For recording activities on the connections from the appliance to other 

network components 

• Packet tracing files — For recording network activities of the appliance 

Network tools 

You might need to test whether connections to other network components still work. The appliance 

provides several tools, including ping, nslookup, and others, for this purpose. 


9 

Troubleshooting 


Backup and restore files 

When other troubleshooting methods do not work, it can be necessary to remove a faulty configuration 

and replace it with a backup. Having a backup available might also help in other situations, for 

example, when you want to discard changes applied to an existing configuration. 

The appliance provides functions for creating backups and using them to restore configurations. 


Feedback files can be used on the appliance to trace back functions when the process on the appliance 

is halted due to the failure of particular functions. 

To create a feedback file: 

1 Go to Troubleshooting | Feedback. 

2 Select or deselect Pause running McAfee Web Gateway as needed. 

Note: It is recommended that you use this option to stop the appliance before creating the feedback file. 

3 Click Create Feedback File. The file is created and appears with its name, size, and date in the list 

under Feedback file. 

Using the items on the toolbar, you can: 

• View — file content 

• Delete — files 

• Download — files 

• Copy Link — copy links to files 

Enable the creation of core files 

Core files can be created on the appliance to record memory content after system crashes. 

To enable the creation of core files: 

1 Go to Configuration | Troubleshooting. 

2 Make sure Enable core file creation is selected. Core files are then created after crashes. 

They can be viewed on a list after selecting the Troubleshooting top-level menu, navigating to an 

appliance, and selecting Core Files. 







Enable the creation of connection tracing files 


Enable the creation of connection tracing files 9 

Trace files can be created on the appliance to record activities on connections from the appliance to 

other network components. 

To enable the creation of connection tracing files: 

1 Go to Configuration | Troubleshooting. 

2 Make sure Enable connection tracing is selected. Connection tracing files are then created. 

Note: To trace only activities on a connection to a network component with a particular IP address, select 

Restrict tracing to only one IP and type the address in the IP field. 

Connection tracing files can be viewed on a list after selecting the Troubleshooting top-level 

menu, navigating to an appliance, and selecting Connection Tracing. 






Create a packet tracing file 

Packet tracing files can be used on the appliance to review network activities of the appliances and 

detect reasons for errors and failures. 

To create a packet tracing file: 

1 Go to Troubleshooting | Packet tracing. 

2 Under Command line parameters, type parameters for the packet tracing file as needed. 

3 Click tcpdump start. The packet tracing file is generated and appears with its name, size, and date 

in the list under Results (dump). 

To stop the ongoing creation of a packet tracing file, click tcpdump stop. 







9 




Several network tools are provided for troubleshooting on the appliance. 

To use a network tool: 

1 Go to Troubleshooting | Network Tools. 

2 Under Command line parameters, type the parameters for a command that is provided by a 

particular network tool. For example, type the name of a host you want to “ping”. 

3 Click the button for a network tool: 

• ping 

• ping6 

• nslookup 

• traceroute 

• traceroute6 

• ip neigh 

• service restart 

• ntp 

The corresponding command is executed and the output displayed in the Results field, for 

example: 

Ping: unknown host testhost 

Back up and restore the appliance configuration 

The appliance configuration, including rules, lists, settings, and administrator accounts, can be stored 

in a backup file and also restored from there. 

Complete the following procedure to backup or restore the appliance configuration: 

1 Go to Troubleshooting | Backup/Restore. 

2 Under Backup Policy, Configuration, and Accounts, proceed as follows: 

• To backup the configuration, click Backup to file. 

A window opens to let you select a file for storing the configuration. 

• To restore the configuration, click Restore from file. 

A message informs you that you will be logged out after restoring and asks whether you really 

want to do it. If you confirm, a window opens to let you select a file for restoring the 


If you only want to restore the rules, lists, and settings that were configured on the tabs of the 

Policy top-level menu, make sure the Only restore policy checkbox is selected before clicking 

the 


List of actions 

Appendix: Configuration lists 

Contents 

List of actions 

List of error IDs 

List of events 

List of incident IDs 

List of properties 

Wildcard expressions 

The following table provides a list of the actions that can be configured in web security rules on the 

appliance. 

The actions are listed in alphabetical order. 

Table A-1 List of actions 

Name Description 

Authenticate • Stops processing the rules in the current cycle 

• Sends an authentication request to the client of the user who requested access to a web 

object 

• Continues processing with the next cycle 

Block • Blocks access to a requested web object 

• Stops processing rules 

• Continues when the next request is received on the appliance 

Continue Continues processing with the next rule 

Redirect Redirects a client that requested access to a web object to another object 

Remove • Removes a requested web object 

• Stops processing the rules in the current cycle 


Stop Cycle • Stops processing the rules in the current cycle 

• Does not block access to a requested web object 


Stop Rule Set • Stops processing the rules of the current rule set 

• Continues processing with the next rule set 





The following table provides a list of the error IDs that can be configured in web security rules on the 

appliance. 

The error IDs are grouped in numerical ranges as follows: 

10000–10049: Incorrect usage of properties or events 

10050–10099: Errors of the rule processing module 

10100–10199: General errors 

11000–11999: License Manager errors 

12000–12999: Errors related to the appliance system 

13000–13999: Persistent Database (PDStore) errors 

14000–14999: Virus and malware filtering errors 

15000–15999: URL filtering errors 

16000–16999: ICAP client errors 

20000–21000: Proxy module errors 

For more information on how to use error IDs, see Error handling using error IDs. 

Table A-2 List of error IDs 

Error ID Error name Error message 

10000 WrongPropParams $onPosition$: Wrong parameters or types for property $propName$. 

10001 UnknownProperty $onPosition$: Error in rule ‘$ruleName$’: Property dispatcher does not 

know property $propName$. 

10002 NoPropParam $onPosition$: No parameter for property $propName$ given. 

10003 WrongThirdPropParam $onPosition$: Wrong type of third parameter for property 

$propName$. 

10004 InvalidPropertyParameter $onPosition$: Parameters for property $propName$ are invalid, 

reason: $reason$. 

10005 InvalidPropertyParameter2 Parameters are invalid. Reason: $reason$ 

10006 UnknownProperty2 $onPosition$: Unknown property $propName$. 

10007 UnknownFunc $onPosition$: Unknown function $funcName$. Details: $reason$ 

10050 WrongOperator $onPosition$: Error in Rule '$ruleName$': wrong operator '$operator$' 

used on left hand side type $typeLeft$ and right hand side type 

$typeRight$. 

10051 WrongOperator_NoNames $onPosition$: $action$ failed. Type of $property$ is $typeName$, but 

it has to be $formatType$. 

10052 FormatError $onPosition$: User-defined property '$propName$' could not be 

found. Reason: it was not yet set (not initialized). 

10053 UserDefinedPropertyNotFound $onPosition$: User-defined property '$propName$' could not be 

found. Reason: it was not yet set (not initialized). 

10054 PropertyNotFound $onPosition$: Property '$propName$' could not be found. Reason: it 

was not yet set (not initialized). 

10055 NeedMoreDataOnLastCall On computing property '$propName$' the filter returned 

'NeedMoreData' though there is no more data. 

10056 WrongPropState $onPosition$: State of Property $propName$ is $propState$. 

10057 ZombieRuleElemIsExecuted $rule$ (name: '$name$', id: '$id$') could not be executed because it 

is a zombie. Reason: '$reason$'. 

10058 SetPropertyFailed $onPosition$: Setting of Property/Variable $propName$ failed. 

Reason: $reason$. 

10059 EventError $onPosition$: Error in Rule '$ruleName$': Event could not be 

evaluated. Reason: $reason$. 


Table A-2 List of error IDs (continued) 



Error ID Error name Error message 

10100 ErrorDuringOperation $onPosition$: Error while $operation$ the $objName$. Reason: 

$reason$. 

10101 InitializeFailed $onPosition$: Could not initialize/create $objName$. Reason: 

$reason$. 

11000 NoLicense The requested functionality '$func$' is not covered by your license. 

12000 CannotOpenPipe Cannot open pipe. 

12001 CannotOpenFile Cannot open file '$name$' in mode '$mode$' with errno '$errno$'. 

13000 NoUser No user available. 

14000 AVError Error in AntivirusFilter: $reason$ 

14001 AVScanFailedFull Cannot call McAfee Gateway Anti-Malware engine. All connections in 

use. 

15000 TSDatabaseExpired Global Threat Intelligence system database expired error: database is 

expired. '$desc$'. 

15001 TSInvalidURL The URL '$url$' is invalid. In function $func$. 

15002 TSBinaryNotProperlyLoaded Binary could not be loaded from '$path$'. In function $func$. 

15003 TSCommon Global Threat Intelligence system error (code: $errorCode$). In 

function $func$. 

15004 TSBinaryDoesNotExist Global Threat Intelligence system library is not yet available. In 


15005 TSDatabaseNotProperlyLoaded Database was not properly loaded. In function $func$. 

15006 TSNoMem Global Threat Intelligence system is out of memory in function $func$. 

15007 TSInsufficientSpace Insufficient space in buffer for Global Threat Intelligence system. In 


15008 TSNetLookup Global Threat Intelligence system net error (code: TS_NET_ERROR). 

In function $func$. 

15009 TSCommonNetLookup Global Threat Intelligence system net error (code: $errorCode$). In 


15010 TSPipe Cannot open Global Threat Intelligence system pipe. In function 

$func$. 

16000 NoICAPServerAvailable No ICAP server available from list: $list$ dyx 

20000 CheckLongRunningConnection Check for long running connections 





The following table provides a list of the events that can be configured in web security rules on the 

appliance. 

The events are listed in alphabetical order. 

Table A-3 List of events 

Name Description Parameters 

Authentication. 

AddMethod 


Adds an authentication method 1. String: Name of an 


2. String: Value for an 


3. Boolean: If true, an existing 

method is overwritten 


ClearCache 

Clears the cache 


ClearMethodList 

Clears the authentication methods list 


ClearNTMLCache 

Clears the NTML cache 

BlockingSession. 

Activate 

Activates a blocking session 

Body.Insert Inserts a string into body of a message 1. Number: Byte position where 

insertion begins 

2. String: Pattern 

a. string embedded in double 

quotes (“ ...”, can also contain 

hex values preceded by \) 

or: 

b. sequence of hex values 

Body.Remove Removes a number of bytes from a body 1. Number: Byte position where 

the removal begins 

2. Number: Number of bytes to 

remove 

Body.Replace Replaces a portion of a body with a string 1. Number: Byte position where 

replacement begins 


a. string embedded in double 

quotes (“ ...”, can also contain 

hex values preceded by \) 

or: 

b. sequence of hex values 

Connection.Mark Sets a connection mark Number: Number of a connection 

Email.Send Sends an email 1. String: Recipient 

2. String: Subject 

3. String: Body 

Enable Cache Enables web cache 

Enable Composite 

Opener 

Enables composite opener 

Enable Data Trickling Enables data trickling 

Enable HTML Opener Enables HTML opener 

Enable Next Hop Proxy Enables use of next-hop proxies 

Enable Progress Page Enables display of a progress page 

Enable RuleEngine 

Tracing 

Enables tracing of the rule processing module

Table A-3 List of events (continued) 

Enable SSL Client 

Context with CA 

Enable SSL Client 

Context without CA 

Enables sending of client certificates issued by a 

certificate authority 

Enables sending of client certificates not issued by a 





Enable SSL Scanner Enables module for SSL scanning 

Enable 

SafeSearchEnforcer 

Enables SafeSearchEnforce. 

Enable Workaround Enables a workaround 

FileSystemLogging. Writes a debugging entry 1. String: Debugging entry 

WriteDebugEntry 

2. Boolean: If true, entry is 

written to stdout 

FileSystemLogging. 

WriteLogEntry 

Writes an entry into a log String: Log entry 

HTMLElement. 

Inserts an attribute into an HTML element 1. String: Attribute name 

InsertAttribute 

2. String: Attribute value 

HTMLElement. 

RemoveAttribute 

Removes an attribute from an HTML element String: Attribute name 

HTMLElement. 

Sets an attribute to a value 1. String: Attribute name 

SetAttributeValue 

2. String: Value to set attribute to 

Header.Add Adds a header to a request or response 1. String: Header name 

2. String: Header value 

Header.AddMultiple Adds a header with a list of values to a request or 1. String: Header name 

response 

2. List of String: List of header 

values 

Header.Block.Add Adds a block header to a request or response 1. String: Header name 


Header.Block. 

Adds a block header with a list of values to a request 1. String: Header name 

AddMultiple 

or response 


values 

Header.Block. 

Removes all block headers with a given name from a String: Header name 

RemoveAll 

request or response. 

Header.ICAP.Response. Adds a header to an ICAP response 1. String: Header name 

Add 


Header.ICAP.Response. Adds a header with a list of values to an ICAP 1. String: Header name 

AddMultiple 

response 


values 

Header.ICAP.Response. Removes all headers with a given name from an ICAP String: Header name 

RemoveAll 

response 

Header.RemoveAll Removes all headers with a given name from a 

request or response 

String: Header name 

ICAP. 

Adds information to an ICAP request 1. String: Name of the request 

AddRequestInformation 

2. String: Added information 

MediaType.Header. Replaces a media type header with an appropriate 

FixContentType 

header when it is found after inspection of the media 

body that the original header does not match the 

body 

Notice Writes an entry with notice level into syslog String: Log entry 

PDStorage. 

Adds global variable of type Boolean 1. String: Variable key 

AddGlobalData.Bool 

2. Boolean: Variable value 

PDStorage. 

Adds global variable of type Category 1. String: Variable key 

AddGlobalData. 

Category 

2. Category: Variable value 






PDStorage. 

Adds global variable of type Dimension 1. String: Variable key 


Dimension 

2. Dimension: Variable value 

PDStorage. 

Adds global variable of type Hex 1. String: Variable key 

AddGlobalData.Hex 

2. Hex: Variable value 

PDStorage. 

Adds global variable of type IP 1. String: Variable key 

AddGlobalData.IP 

2. IP: Variable value 

PDStorage. 

Adds global variable of type IPRange 1. String: Variable key 


IPRange 

2. IPRange: Variable value 

PDStorage. 

Adds global variable of type List of Category 1. String: Variable key 

AddGlobalData.List. 

Category 

2. List of Category: Variable value 

PDStorage. 


Dimension 

PDStorage. 

AddGlobalData.List.Hex 

PDStorage. 

AddGlobalData.List.IP 

PDStorage. 


IPRange 

PDStorage. 


MediaType 

PDStorage. 


Number 

PDStorage. 


String 

PDStorage. 


Wildcard 

PDStorage. 


MediaType 

PDStorage. 

AddGlobalData.Number 

PDStorage. 

AddGlobalData.String 

PDStorage. 


Wildcard 

PDStorage. 

AddUserData.Bool 

PDStorage. 

AddUserData.Category 

PDStorage. 

AddUserData. 

Dimension 


Adds global variable of type List of Dimension 1. String: Variable key 

2. List of Dimension: Variable 

value 

Adds global variable of type List of Hex 1. String: Variable key 

2. List of Hex: Variable value 

Adds global variable of type List of IP 1. String: Variable key 

2. List of IP: Variable value 

Adds global variable of type List of IPRange 1. String: Variable key 

2. List of IPRange: Variable value 

Adds global variable of type List of MediaType 1. String: Variable key 

2. List of MediaType: Variable 

value 

Adds global variable of type List of Number 1. String: Variable key 

2. List of Number: Variable value 

Adds global variable of type List of String 1. String: Variable key 

2. List of String: Variable value 

Adds global variable of type List of Wildcard 

Expression 

1. String: Variable key 

2. List of Wildcard Expression: 

Variable value 

Adds global variable of type MediaType 1. String: Variable key 

2. MediaType: Variable value 

Adds global variable of type Number. 1. String: Variable key 

2. Number: Variable value 

Adds global variable of type String 1. String: Variable key 

2. String: Variable value 

Adds global variable of type Wildcard Expression 1. String: Variable key 

2. Wildcard Expression: Variable 

value 

Adds user variable of type Boolean 1. String: Variable key 

2. Boolean: Variable value 

Adds user variable of type Category 1. String: Variable key 

2. Category: Variable value 

Adds user variable of type Dimension 1. String: Variable key 

2. Dimension: Variable value





PDStorage. 

Adds user variable of type Hex 1. String: Variable key 

AddUserlData.Hex 

2. Hex: Variable value 

PDStorage. 

Adds user variable of type IP 1. String: Variable key 

AddUserData.IP 

2. IP: Variable value 

PDStorage. 

Adds user variable of type IPRange 1. String: Variable key 

AddUserData.IPRange 

2. IPRange: Variable value 

PDStorage. 

Adds user variable of type List of Category 1. String: Variable key 

AddUserData.List. 

Category 

2. List of Category: Variable value 

PDStorage. 


Dimension 

PDStorage. 

AddUserData.List.Hex 

PDStorage. 

AddUserData.List.IP 

PDStorage. 


IPRange 

PDStorage. 


MediaType 

PDStorage. 


Number 

PDStorage. 


String 

PDStorage. 


Wildcard 

Adds user variable of type List of Dimension 1. String: Variable key 

2. List of Dimension: Variable 

value 

Adds user variable of type List of Hex 1. String: Variable key 

2. List of Hex: Variable value 

Adds user variable of type List of IP 1. String: Variable key 

2. List of IP: Variable value 

Adds user variable of type List of IPRange 1. String: Variable key 

2. List of IPRange: Variable value 

Adds user variable of type List of MediaType 1. String: Variable key 

2. List of MediaType: Variable 

value 

Adds user variable of type List of Number 1. String: Variable key 

2. List of Number: Variable value 

Adds user variable of type List of String 1. String: Variable key 

2. List of String: Variable value 

Adds user variable of type List of Wildcard Expression 1. String: Variable key 

2. List of Wildcard Expression: 

Variable value 

PDStorage. 

Adds user variable of type MediaType 1. String: Variable key 

AddUserData. 

MediaType 

2. MediaType: Variable value 

PDStorage. 

Adds user variable of type Number 1. String: Variable key 

AddUserData.Number 

2. Number: Variable value 

PDStorage. 

Adds user variable of type String 1. String: Variable key 

AddUserData.String 

2. String: Variable value 

PDStorage. 

Adds user variable of type Wildcard Expression 1. String: Variable key 

AddUserData.Wildcard 

2. Wildcard Expression: Variable 

value 

PDStorage.Cleanup Cleans up persistently stored data 

PDStorage. 

DeleteAllUserData 

Deletes all permanently stored user data 

PDStorage. 

Deletes all permanently stored global variables of a String: Variable key 

DeleteGlobalData given type 

PDStorage. 

Deletes all permanently stored user variables of a String: Variable key 

DeleteUserData 

given type 

SNMP.Send.Trap. Sends an SNMP trap message with application 

Application 

information 

SNMP.Send.Trap. Sends an SNMP trap message with system 

System 

information 






SNMP.Send.Trap.User Sends an SNMP trap message with user information 1. Number: User ID 

2. String: Message body 

SNMP.Send.Trap. Sends an SNMP trap message with information on 1. Number: User ID 

UserHost 

host of a user 

2. String: Message body 

3. IP: IP address of the host 

Statistics.Counter. Increments a counter 1. String: Counter name 

Increment 

2. Number: Increment value 

Statistics.Counter. 

Reset 

Resets a counter String: Counter name 

Stopwatch.Reset Sets an internal watch that measures processing 

time for rule sets to zero 

String: Rule set name 

Stopwatch.Start Starts an internal watch that measures processing 

time for rule sets 


Stopwatch.Stop Stops an internal watch that measures processing 

time for rule sets 


Syslog Writes an entry into syslog 1. Number: Log level 

0 – Emergency 

1 – Alert 

2 – Critical 

3 – Error 

4 – Warning 

5 – Notice 

6 – Info 

7 – Debugging 

2. String: Log entry 





The following table provides a list of the incident IDs that can be used in web security rules on the 

appliance. 

The incident IDs are grouped in numerical ranges as follows: 

1–199: Incidents related to the appliance system 

200–299: Core subsystem incidents 

300–399: Update module incidents 

500–599: Log File Manager incidents 

600–699: sysconfd daemon incidents 

700–799: Proxy module incidents 

800–899: Virus and malware filtering incidents 

900-999: Authentication incidents 

1000–1099: URL filtering incidents 

1600–1699: SSL certification incidents 

3000–3200: Central management incidents 

For more information on how to use incident IDs and other incident properties, see Error handling using 

incidents. 

For individual incident properties, see List of properties. 

Table A-4 List of incident IDs 

Incident ID Description Origin number and name Severity 

5 A rule that uses an incident property has been executed. 1 System 7 

20 RAID monitoring reports critical status or failure of one 1 Health monitor 4 (or 3 for 

or more hard disks. 

hard-disk 

failure) 

21 S.M.A.R.T health check reports an error on a HDD hard 

disk. 

1 Health monitor 4 

22 File system usage exceeds a configured limit. 1 Health monitor 4 

23 Memory usage exceeds a configured limit. 1 Health monitor 4 

24 System load exceeds a configured limit. 1 Health monitor 4 

200 The license expiration date has been checked. 2 Core 6 

201 The appliance has successfully completed all FIPS 140-2 

self-tests. 

2 Core 6 

301 Download of update files was stopped because there is 

not enough disk space. 

3 Updater 3 

302 Download of product x failed for node y in central 

management. 

3 Updater 3 

303 The update module reports that update of product x 

failed on node y in central management. 

3 Updater 3 

304 The update module received a report from an update 

server that status of product x is up-to-date. 

3 Updater 3 

305 The update module could not connect to an update 

server. 

3 Updater 3 

501 The Log File Manager failed to push log files. 5 Log File Manager 3 

601 Data packages involved in a yum update require an 

restart of the appliance to become effective. 

6 mwg-update 4 

666 A FIPS 140-2 self-test failed on node y in central 

management. The node is running in non-FIPS mode. 

1 FIPS 0 




Table A-4 List of incident IDs (continued) 


700 The number of concurrent connections exceeds a 

configured overload limit. The appliance enters overload 

state. Requests sent to the appliance are accepted with 

delay. 

2 Proxy 2 

701 The appliance is in overload state for more than 30 

seconds. Requests sent to the appliance are accepted 

with delay. 

702 The appliance has left overload state. Requests sent to 

the appliance are again accepted without delay. 

703 The number of concurrent connections exceeds a 

configured high load limit. The appliance enters high load 

state. Requests sent to the appliance are accepted with 

a delay. 

704 The appliance is in high load state for more than 30 

seconds. Requests sent to the appliance are accepted 

with a delay. 

705 The number of concurrent connections has dropped 

below 85 % of a configured high load limit. The appliance 

is still in high load state. Requests sent to the appliance 

are accepted with a delay. 


2 Proxy 2 

2 Proxy 4 

2 Proxy 4 

2 Proxy 4 

2 Proxy 6 

710 A next-hop proxy server is down and will not be available 

for n seconds. 

2 Proxy 4 

711 The appliance cannot connect to a next-hop proxy 

server. 

2 Proxy 4 

712 A next-hop proxy server has moved back from error 

state to normal operation. 

2 Proxy 6 

720 The listener on IP address x, port y could not be opened. 2 Proxy 2 

730 A changed proxy mode configuration requires restart of 


2 Proxy 2 

850 An update of the Anti-Malware module was completed 

successfully. 

2 Anti-Malware Filter 6 

851 An update of the Anti-Malware module failed. 2 Anti-Malware Filter 3 

852 Download or verification of update files for the 

Anti-Malware module failed. 

2 Anti-Malware Filter 3 

853 The Anti-Malware module version is up-to-date. 2 Anti-Malware Filter 6 

901 The appliance is connected to n servers for NTML 

authentication in Windows domain x. 

2 Core 6 

902 The appliance cannot connect to n servers for NTML 

authentication in Windows domain x. 

2 Core 4 

903 The appliance cannot contact Windows domain x for 

NTLM authentication. 

2 Core 3 

910 The appliance is connected to the LDAP server with 

configuration ID n. 

2 Core 6 

912 The appliance is disconnected from the LDAP server with 


2 Core 4 

913 The appliance cannot connect to any LDAP server with 


2 Core 3 

920 A response has been received on the appliance from 

RADIUS server x after attempting to start 

communication with this server to retrieve user 

information for authentication purposes. 

2 Core 6 

921 A response has again been received on the appliance 

from RADIUS server x after communication with this 

server had been interrupted. 

2 Core 6 

923 An authentication request sent from the appliance to 

RADIUS server x has led to a timeout. 

2 Core 3 

931 The appliance is connected to NTLM-Agent server x. 2 Core 6

Table A-4 List of incident IDs (continued) 




932 The appliance is disconnected from NTLM-Agent 

server x. 

2 Core 3 

933 The appliance cannot connect to NTLM-Agent server x. 2 Core 3 

1050 An update of the URL Filter module was completed 

successfully. 

2 URL Filter 6 

1051 An update of the URL Filter module failed. 2 URL Filter 3 

1052 Download or verification of update files for the URL Filter 

module failed. 

2 URL Filter 3 

1053 URL Filter module status is up-to-date. 2 URL Filter 6 

1650 An updated Certificate Revocation List (CRL) was 

downloaded and loaded successfully on the appliance. 

2 Certificate Chain Filter 6 

1651 An updated Certificate Revocation List (CRL) was 

downloaded onto the appliance, but could not be loaded 

there. 


1652 An updated Certificate Revocation List (CRL) could not 

not be downloaded onto the appliance. 

1653 All Certificate Revocation Lists (CRLs) used by the SSL 

Scanner module have up-to-date status. 

3000 At least one node in central management is not in 

synchronized state (regarding storage and 

configuration). The number of unsynchronized nodes 

changes. This incident is only recorded on the root node. 

3001 After incident 3000 has occurred, all nodes in central 

management are in synchronized state again (regarding 

storage and configuration). 

3004 At least one node in central management did not respond 

properly after shared data was sent out. The number of 

not properly responding nodes changes. This incident is 

only recorded on the root node and only if the shared 

data was intended to go to all nodes. 

3005 After incident 3004 has occurred, all nodes in central 

management have properly responded to the sending of 

shared data to them. 

2 Certificate Chain Filter 


3 Centralized Management 3 








The following table provides a list of properties that can be configured in web security rules on the 

appliance. 

The properties are listed in alphabetical order. The listing considers, however, the parts of the property 

names, which are separated by full stops. For example, SSL.Server.Certificate.DaysExpired is listed 

before SSL.Server.CertificateChain.ContainsExpiredCA. 

Note: To view an example of how a property is used in a rule or rule set, click the name of a rule or rule set 

that appears under Description. Use the search function of the user interface to view a list of all rules that use 

a given property. 

Table A-5 List of properties 

Name Type Description Parameters 

Antimalware.Infected Boolean If true, a web object has been found to 

be infected 

Used in rule: Block if virus was found 

Antimalware.Proactive. 

Number Probability that a web object is malware 

Probability 

(in percent) 

Antimalware.VirusNames List of String List with names of viruses that a web 

object has been found to be infected 

with 

Authentication.Authenticate Boolean If true, the authentication engine has 

been called to apply the configured 

method, for example, NTLM, to the 

credentials of a user and the user has 

successfully been authenticated 

Values have also been set for the 

Authentication.IsAuthenticated and 

Authentication.UserName properties. 

If false, it was not possible to apply the 

configured authentication method 

successfully, for example, because no 

credentials or incorrect credentials were 

submitted 

Used in rule: Authenticate with User 

Database 

Authentication.Failed Boolean If true, credentials were provided by a 

user, but authentication has failed 

Used in criteria of rule set: Authenticate 

with User Database 

Authentication.FailureReason Number Number identifying the reason why 

authentication has failed for a user 

Authentication.GetUserGroups List of String List of user groups that the 

authentication process isapplied to 

Authentication.IsAuthenticated Boolean If true, a user has been successfully 

authenticated 


with User Database 


Boolean If true, cookie authentication has been 

IsLandingOnServer 

applied for a user 

Authentication.IsServerRequest Boolean If true, authentication has been 

requested for a user under the 

Authentication Server method. 

Authentication.Method String Method used for authenticating a user, 

for example, LDAP 


Table A-5 List of properties (continued) 




Authentication.RawCredentials String Credentials of a user in the format 

originally received on the appliance 

from a client or other instances of the 

network 

Using this property for rule 

configuration will speed up processing 

because it saves the time used for 

converting user credentials to a human 

readable format, as it is done for the 

simple Authentication.UserName 

property. 

Authentication.RawUserName String Name of a user in the format originally 

received on the appliance from a client 

or other instances of the network 




converting the user name to a human 


simple Authentication.UserName 

property. 

Authentication.Realm String Authentication realm, for example, a 

Windows domain 

Authentication.UserGroups List of String List of user groups that the 

authentication process is applied to 

Used in rule: Only allow users of 

Allowed User Groups 

Authentication.UserName String Name of a user that the authentication 

process is applied to 

Block.ID Number ID of an action that blocked a request 

Block.Reason String Name of the reason for an action that 

blocked a request 

BlockingSession.IsBlocked Boolean If true, a blocking session has been 

activated for a user 

Used in rule: Block user if blocking 

session is active 

BlockingSession. 

RemainingSession 

Number Remaining time of a blocking session (in 

minutes) 

BlockingSession.SessionLength Number Time length of a blocking session (in 

minutes) 

Body.ChangeHeaderMime Boolean If true, the header sent in MIME format 

with the body of a web object has been 

changed 

Body.ClassID String ID for a class of web objects 

Body.Equals Boolean If true, the body of a web object 

matches the pattern specified by the 

property parameters 

Body.FileName String Name of a file that is embedded in the 

body of a web object, for example, an 

archived file 

1. Number: Position 

of byte where pattern 

begins 


a. String embedded 

in double quotes 

(“ ...”, can also 

contain hex values 

preceded by \) 

or: 

b. Sequence of hex 

values 






Body.FullFileName String Name of a file that is embedded in the 

body of a web object, including also the 

names of the embedding entities, such 

as documents or archives 

Name parts are separated by the | 

(pipe) symbol, for example, 

test.zip|test.doc. 

Body.HasMimeHeader Boolean If true, the body of an extracted 

multi-part object sent in MIME format 

has a specified header 


Body. 

HasMimeHeaderParameter 


Boolean If true, the body of an extracted 

multi-part object sent in MIME format 

has a specified header parameter 

Body.IsAboveSizeLimit Boolean If true, the body of a web object is 

above a size limit 

Body.IsCompleteWithTimeout Boolean If true, the body of a web object has 

been completely sent to the appliance 

before the time (in milliseconds) 

specified by the property parameter has 

elapsed 

Body.IsCorrupted Object Boolean If true, an archive contained in the body 

of a web object is corrupted 

Body.IsEncrypted Object Boolean If true, an archive contained in the body 

of a web object is encrypted. 

Body.IsMultiPartObject Boolean If true, an archive contained in the body 

of a web object is complex, including 

multiple parts 

Body.IsSupportedByOpener Boolean If true, an opener device is available on 

the appliance for the body of a web 

object that is composite, for example, 

the body of an archive 

Body. 

MimeHeaderParameterValue 

String Value of a header parameter in the body 

of a web object sent in MIME format 

Body.MimeHeaderValue String Value of a header in the body of a web 

object sent in MIME format 

Body.Modified Boolean If true, an appliance module has 

modified the body of a web object 

Body.NestedArchive Level Number Current level of an archive part in an 

archive 

Body.NotEquals Boolean If false, the body of a web object 

matches the pattern specified by the 

property parameters 

Body.NumberOf Children Number Number of objects embedded in the 

body of a web object 

1. String: Header 

name 


parameter name 

1. Number: Time 

allowed to send 

object completely (in 

milliseconds) 


name 


parameter value 

String: Header value 


of byte where pattern 

begins 




(“ ...”, can also 



or: 


values





Body.PositionOfPattern Number Position of the byte where the search for 

a pattern in the body of a web object 

begins 

Returns -1 if the pattern is not found 

Body.Size Number Size of the body of a web object (in 

bytes) 

Body.Text String Text in the body of a web object 

Used in rule: Set 

User-Defined.listOfWords 

Body.ToNumber Number Part of the body of a web object 

converted into a number (maximum 8 

bytes beginning at a specified position) 

The big-endian or little-endian format 

can be used for the conversion. 

Body.ToString String Part of the body of a web object 

converted into a string 

Body.Uncompressed Size Number Size of the body of an archived web 

object (in bytes) after having been 

extracted from the archive 

1. String: Pattern to 

search for 



(“ ...”, can also 



or: 


values 


of byte where search 

for pattern begins 

3. Number: Search 

length (in bytes, 0 

means search from 

offset to end of 

object) 


of byte where 

converted part 

begins 

2. Number: Length 

of converted part (in 

bytes, maximum 8) 

0 for the first 

parameter and the 

respective value of 

the Body.Size 

property for the 

second means the 

whole body is 

converted. 

3. Boolean: If true, 

little-endian format is 

used for conversion, 

otherwise big-endian 


of byte where 

converted part 

begins 

2. Number: Length of 

converted part (in 

bytes) 

0 for the first 

parameter and the 

respective value of 

the Body.Size 

property for the 

second means the 

whole body is 

converted. 






BooleanToString String Boolean value converted into a string Boolean: Boolean 

value to convert 

BytesFromClient Number Number of bytes received in a request 

from a client 

BytesFromServer Number Number of bytes received in a response 

from a web server 

BytesToClient Number Number of bytes in a web server 

response that is forwarded to a client 

BytesToServer Number Number of bytes in a client request that 

is forwarded to a web server 

Cache.IsCacheable Boolean If true, an object sent in response from 

a web server can be stored in the web 

cache 

Cache.IsFresh Boolean If true, an object stored in the web 

cache has either been downloaded from 

the web or has been verified 

Cache.Status String Cache status for a web object 

Values: 

• TCP_HIT - A web object was 

requested by a user and found in the 

cache. 

• TCP_MISS - A web object was 

requested by a user and not found in 

the cache. 

• TCP_MISS_RELOAD - A web object 

was requested by a user, but was 

not taken from the cache because 

the user required it to be fetched 

directly from the web server in 

question by clicking the Refresh 

button. The object was then entered 

into the cache again. 

• TCP_MISS_VERIFY - A web object 

was requested by a user and existed 

in the cache, but verification 

information from the web server in 

question showed it was outdated. An 

updated version of the object was 

received from the server and 

entered in the cache. 

Category.ToShortString String URL category converted into a string 

that is the category abbreviation 


Category: Category 

to convert 

Category.ToString String URL category converted into a string Category: Category 

to convert 

Client.IM.Login String ID used by a client to log on to the 

appliance under an instant messaging 

protocol 

Client.IM.ScreenName String Screen name of of a client 

communicating with the appliance 

under an instant messaging protocol 

Client.IP IP IP address of a client 

Used in rules: 

Client IP is in list Allowed Clients 

Need to authorize Client IP? 

Client.NumberOfConnections Number Number of connections from a client to 

the appliance at the same time





Command.Categories List of String List of categories that a command 

belongs to, for example, to the FTP 

command category 

Command.Name String Name of a command 

Command.Parameter String Parameter of a command 

Connection.Aborted Boolean If true, communication on a connection 

has finally failed and the connection is 

closed 

Connection.IP IP IP address used on a connection 

Connection.Protocol String Protocol used for communication on a 

connection, for example, HTTP 


and Authorize 

Connection.Protocol.IsIM Boolean If true, communication on a connection 

uses an instant messaging protocol 

Connection.RunTime Number Time (in seconds) a connection has 

been running since it was opened until 

the current second 

Connection.SSL. 

TransparentCNHandling 

Boolean If true, communication on a connection 

is SSL-secured and runs in transparent 

mode 

Used in criteria of rule set: Verify 

Common Name (transparent setup) 

Cycle.LastCall Boolean If true, processing of data is complete 

for a cycle 

Cycle.Name String Name of a processing cycle 

Cycle.TopName String Name of a cycle (Requests or 

Responses) that is processed before a 

web object is processed in the 

Embedded Objects cycle 

Used in rule: Remove partial content 

for HTTP requests 

DataTrickling.Enabled Boolean If true, data trickling is used for 

downloading web objects 

DateTime.Date. 

MonthDayNumber 

Number Number of day in month 

DateTime.Date.MonthNumber Number Number of month 






DateTime.Date.ToString String String representing current date (in the 

format specified by the property 

parameters) 

DateTime.Date. 

WeekDayNumber 

Number Number of day in week (1 is Sunday) 

DateTime.Date.Year Number Year (four digits) 

DateTime.Date.YearTwoDigits Number Year (last two digits) 

DateTime.Time.Hour Number Hour (in 24-hours format, for example, 

1 p. m. is 13) 

DateTime.Time.Minute Number Minute in hour 

DateTime.Time.Second Number Second in minute 


String including the 

following three parts: 

1. %YYYY (for the 

year) 

or: 

%YY (last two digits) 

or: 

%Y (last two digits, 

but only one digit if 

the last two digits 

begin with 0, for 

example, 9 for 2009) 

2. %MM (for the 

month number with 0 

inserted before 

one-digit numbers) 

or: 

%M (0 is not 

inserted, for 

example, 3 for March 

and 12 for 

December) 

3. %DD (for the day) 

or: 

%D 

If no parameter is 

specified, the format 

is: 

%YYYY/%MM /%DD





DateTime.Time.ToString String String representing current time (in the 

format specified by the property 

parameters) 

DateTime.ToGMTString String String representing current date and 

time in Greenwich Mean Time format 

For example, “Mon, 22 March 2010 

11:45:36 GMT” 

DateTime.ToISOString String String representating current date and 

time in ISO format 

For example, "2010-03-22 11:45:12" 

DateTime.ToNumber Number Number of seconds since beginning of 

1/1/1970 (UNIX epoch time) 

DateTime.ToString String String representing current date and 

time (in the format specified by the 

property parameters) 

DateTime. 

ToWebReporterString 

String String representing current date and 

time in Web Reporter format 

For example, “29/Oct/2010:14:28:15 

+0000” 


following three parts: 

1. %h (for the hour) 

or: 

%hh (with 0 inserted 

before a one-digit 

hour) 

2. %m (for the 

minute) 

or: 

%mm 

3. %s (for the 

second) 

or: 

%ss 



is: 

%hh:%mm:%ss 


part of the DateTime. 

Date.ToString and 

DateTime.Time. 

ToString properties 



is: 

%YYYY/%MM /%DD 

%hh:%mm:%ss 

Dimension.ToString String Dimension converted into a string Dimension: 

Dimension to convert 

DNS.Lookup List of IP List of IP addresses found in a DNS 

lookup for a host name 

String: Host name 

DNS.Lookup.Reverse List of String List of host names found in a reverse 

DNS lookup for an IP address 

IP: IP address 

Error.ID Number ID of an error 

Used in rule: Block if Anti-Malware 

engine is overloaded 

Used in criteria of rule set: Long 

Running Connections 

Error.Message String Message text describing an error 






FileSystemLogging.Make 

Anonymous 


String String made anonymous by encryption String: String to 

encrypt 

GTI.RequestSentToCloud Boolean If true, a lookup request for URL 

category information was sent to the 

Global Threat Intelligence server 

Header.Block.Exists Boolean If true, a specified block header exists String: Header name 

Header.Block.Get String First value found for a specified block 

header 


Header.Block.GetMultiple List of String List of values found for a specified block 

header 


Header.Exists Boolean If true, a specified header is contained 

in a request or response that is 

processed on the appliance 

It depends on the current processing 

cycle whether it is actually a request or 

response that contains the header. 


Header.Get String First value found for the specified 

header in a request or response that is 

processed on the appliance. 




Header.GetMultiple List of String List of values found for a specified 

header in a request or response that is 

processed on the appliance. 




Header.ICAP.Request.Exists Boolean If true, a specified header is contained 

in a request sent in ICAP 

communication 

Header.ICAP.Request.Get String First value found for a specified header 

in a request sent in ICAP 


Header.ICAP.Response.Exists Boolean If true, a specified header is contained 

in a response received in ICAP 

communication 

Header.ICAP.Response.Get String First value found for a specified header 

in a response received in ICAP 








Header.Request.Exists Boolean If true, a specified header is contained 

in a request 


Header.Request.Get String First value found for a specified header 

in a request 


Header.Request.GetMultiple List of String List of values found for a specified 

header in a request 


Header.Response.Exists Boolean If true, a specified header is contained 

in a response 


Header.Response.Get String First value found for a specified header 

in a response 


Header.Response.GetMultiple List of String List of values found for a specified 

header in a response 


Hex.ToString String Hex value converted into a string Hex: Hex value to 

convert 

HTML.Element.Attribute String String representing an attribute of an 

HTML element 

Used in rule: Java applets


ICAP.ReqMod.ResponseHeader. 

Get 

ICAP.ReqMod.ResponseHeader. 

GetMultiple 




HTML.Element.Dimension Dimension Dimension of an HTML element (width 

and height) 

HTML.Element.HasAttribute Boolean If true, an HTML element has a specified String: Attribute 

attribute 

Used in rule: Java applets 

name 

HTML.Element.Name String Name of an HTML element 

Used in rule: Java applets 

HTML.Element.ScriptType String Script type of an HTML element, for 

example, JavaScript or Visual Basic 

Script 

Used in rule: JavaScript 

ICAP.Policy String Name of a policy included in an ICAP 

request for a URL 

ICAP.ReqMod.ResponseHeader. Boolean If true, a response sent from an ICAP String: Header name 

Exists 

server in REQMOD mode contains a 

specified header 

String First value found for a specified header 

in a REQMOD response 

List of String List of values found for a specified 

header in a REQMOD response 

ICAP.ReqMod.Satisfaction Boolean If true, an ICAP server has replaced a 

request with a response 

The ICAP server does this after sending 

a message that a particular request is 

blocked. 

Used in rule: Call ReqMod server 

ICAP.RespMod.Encapsulated 

HTTPChanged 

ICAP.RespMod. 

ResponseHeader.Exists 

ICAP.RespMod. 

ResponseHeader.Get 

ICAP.RespMod. 

ResponseHeader.GetMultiple 

Boolean If true, an ICAP server has changed the 

HTTP state for a response sent in 

RESPMOD mode 

Boolean If true, a response sent from an ICAP 

server in RESPMOD mode contains a 

specified header 

String First value found for a specified header 

in a RESPMOD response 

List of String List of values found for a specified 

header in a RESPMOD response 

IM.Direction String Direction of a chat message sent or a 

file transferred under an instant 

messaging protocol and processed on 

the appliance 

For a chat message sent from a client to 

the appliance, the direction could, for 

example, be specified as out, for a 

message sent from a server to the 

appliance it could be specified as in. 

IM.FileName String Name of a file transferred under an 

instant messaging protocol 

IM.FileSize Number Size of a file transferred under an 

instant messaging protocol (in bytes) 











IM.MessageCanSendBack Boolean If true, a block message or other 

message can be sent from the appliance 

to a user of an instant messaging 

service 

A block message is, for example, sent 

back to a user who submitted a chat 

message during a time interval that is 

not allowed for chatting. 

A message can typically not be sent 

before a user has completed the 

procedure for logging on to the instant 

messaging service. 

IM.Notification String Name of a template used for sending a 

notification from the appliance to a user 

of an instant messaging service, for 

example, a block message 

IM.Recipient String Name of a client that receives a chat 

message or file under an instant 

messaging protocol 

This name can also be a group name 

(group ID) when a chat message is sent 

to a group of recipients. 

IM.Sender String Name of a client that sends a chat 

message or file under an instant 

messaging protocol 

Incident.AffectedHost IP IP address of a host that is involved in 

an incident, for example, a web server 

that the appliance cannot connect to 

Incident.Description String Plain-text description of an incident 

Incident.ID Number ID of an incident 

For a list of these IDs, see List of 

incident IDs 

Incident.Origin Number Number specifying the appliance 

component that is the origin of an 

incident 

The following are some origin numbers 

that are presently in use: 

1 - Appliance system 

2 - Core subsystem 

3 - Coordinator subsystem 

4 - Anti-Malware process 

5 - Log File Manager 

6 - sysconf daemon 

9 - Unidentified origin 

The origin of an incident is further 

specified by the Incident.OriginName 

property. 






Incident.OriginName String Name of an appliance component that is 

the origin of an incident 

The origin name can also specify a 

subcomponent that is a part of the 

component specified by the origin 

number. 

For example, origin number 2 (Core) 

can be further specified by the origin 

name as: 

• Core 

• Proxy 

• Anti-Malware Filter 

• URL Filter 

• and other names of subcomponents 

Incident.Severity Number Severity of an incident 

Severity levels are as follows: 

0 - Emergency 

1 - Alert 

2 - Critical 

3 - Error 

4 - Warning 

5 - Notice 

6 - Informational 

7 - Debug 

These levels are the same as those used 

in syslog entries. 

IP.ToString String IP address converted into a string IP: IP address to 

convert 

IPRange.ToString String Range of IP addresses converted into a 

string 

License.RemainingDays Number Remaining time until license expires (in 

days) 

IPRange: Range of IP 

addresses to convert 






List.LastMatches String String containing all elements that have 

been found to match when two lists are 

compared using an operator such as at 

least one in list or all in list 

Matches are only added to the list as 

long it has not yet been decided 

whether the relationship between the 

lists that the operator evaluates exists 

or not. 

For example, list a contains the 

elements 1, 2, 3, list b contains 1, 2, 4. 

Both lists are compared using the at 

least one in list operator. 

To find out that list a actually contains 

at least one element of list b, the 

operator only needs to compare 

element 1 in both lists and detect that 

they match. 

List.LastMatches then contains 1 

because it has been found to be a 

match. 

2 is also a match in the two lists, but is 

not contained in List.LastMatches 

because it was not evaluated by the 

operator and found to be a match. 

This was not done because the operator 

had already found out after evaluating 

the 1 in both lists that at least one 

element of list a was also in list b. 

Used in modification of rule: Write 

access.log 

List.OfCategory.Append List of Category List of URL categories that a category is 

appended to 

List.OfCategory.ByName List of Category List of URL categories (specified by its 

name) 

List.OfCategory.Erase List of Category List of URL categories with specified 

category erased 

List.OfCategory. 

EraseElementRange 


List of Category List of URL categories with specified 

range of categories erased 

List.OfCategory.EraseList List of Category List of URL categories with categories 

that are also on other list erased 

1. List of Category: 

List to append 

category to 

2. Category: 

Category to append 

String: List name 


List with category to 

erase 


of category to erase 


List with categories 

to erase 


of first category to 

erase 


of last category to 

erase 


List with categories 

to erase 


List of categories to 

erase on first list





List.OfCategory.Find Number Position of a URL category on a list 1. List of Category: 

List with category to 

find position for 

2. Category: 

Category to find 

position for 

List.OfCategory.Get Category URL category (specified by its position 

on a list) 

List.OfCategory. 

GetElementRange 

List of Category List of URL categories (extracted from 

other list) 

List.OfCategory.Insert List of Category List of URL categories with specified 

category inserted 

List.OfCategory.IsEmpty Boolean If true, the specified list is empty 

Used in rule: Allow uncategorized URLs 

List.OfCategory.Join List of Category List of URL categories created by joining 

two lists 

List.OfCategory.Reverse List of Category List of URL categories that has its 

original order reverted 


List containing 

category 


of category on list 

1. Category List: List 

with categories to 

extract 


of first category to 

extract 


of last category to 

extract 


List to insert 

category in 

2. Category: 

Category to insert 

List of Category: List 

to check for being 

empty 


First list to join 


Second list to join 


in original order 

List.OfCategory.Size Number Number of URL categories on a list List of Category: List 

to provide number of 

categories for 

List.OfCategory.Sort List of Category List of URL categories sorted in 

alphabetical order 

List.OfCategory.ToShortString String List of URL categories converted into a 

list of their abbreviated name forms 

List.OfCategory.ToString String List of URL categories converted into a 

string 

List.OfDimension.Append List of 

Dimension 

List.OfDimension.ByName List of 

Dimension 

List.OfDimension.Erase List of 

Dimension 

List of dimensions that a dimension is 

appended to 

List of dimensions (specified by its 

name) 

List of dimensions with specified 

dimension erased 


to sort 


to convert 


to convert 

1. List of Dimension: 


dimension to 

2. Dimension: 

Dimension to append 



List with dimension to 

erase 


of dimension to erase 






List.OfDimension. 


List of 

Dimension 

List.OfDimension.EraseList List of 

Dimension 


List of dimensions with specified range 

of dimensions erased 

List of dimensions with dimensions that 

are also on other list erased 


List with dimension 

range to erase 


of first dimension to 

erase 


of last dimension to 

erase 


List with dimensions 

to erase 


List of dimensions to 

erase on first list 

List.OfDimension.Find Number Position of a dimension on a list 1. List of Dimension: 

List with dimension to 


2.List of Dimension: 

Dimension to find 

position for 

List.OfDimension.Get Dimension Dimension (specified by its position on a 

list) 

List.OfDimension. 


List of 

Dimension 

List.OfDimension.Insert List of 

Dimension 

List of dimensions (extracted from other 

list) 

List of dimensions with specified 

dimension inserted 



dimension 


of dimension on list 


List with dimensions 

to extract 


of first dimension to 

extract 


of last dimension to 

extract 


List to insert 

dimension in 

2. Dimension: 

Dimension to insert 

List.OfDimension.IsEmpty Boolean If true, the specified list is empty List of Dimension: 

List to check for 

being empty 

List.OfDimension.Join List of 

Dimension 

List.OfDimension.Reverse List of 

Dimension 

List of dimensions created by joining 

two lists 

List of dimensions that has its original 

order reverted 



2. Dimension List: 


List of Dimension: 

List in original order 

List.OfDimension.Size Number Number of dimensions on a list List of Dimension: 

List to provide 

number of 

dimensions for 

List.OfDimension.Sort List of 

Dimension 

List of dimensions sorted in alphabetical 

order 

List.OfDimension.ToString String List of dimensions converted into a 

string 


List to sort 


List to convert





List.OfHex.Append List of Hex List of hex values that a hex value is 

appended to 

List.OfHex.ByName List of Hex List of hex values (specified by its 

name) 

List.OfHex.Erase List of Hex List of hex values with specified value 

erased 

List.OfHex.EraseElementRange List of Hex List of hex values with specified range of 

values erased 

List.OfHex.EraseList List of Hex List of hex values with values that are 

also on other list erased 

1. List of Hex: List to 

append hex value to 

2. Hex: Hex values to 

append 


1. List of Hex: List 

with hex value to 

erase 


of hex value to erase 


with hex values to 

erase 


of first hex value to 

erase 


of last hex value to 

erase 



erase 

2. List of Hex: List of 

hex values to erase 

on first list 

List.OfHex.Find Number Position of a hex value on a list 1. List of Hex: List 

with hex value to find 

position for 

2. Hex: Hex value to 


List.OfHex.Get Hex Hex value (specified by its position on a 

list) 

List.OfHex.GetElementRange List of Hex List of hex values (extracted from other 

list) 

List.OfHex.Insert List of Hex List of hex values with specified value 

inserted 


containing hex value 


of hex value on list 



extract 


of first hex value to 

extract 


of last hex value to 

extract 

1. List of Hex: List to 

insert hex value in 

2. Hex: Hex value to 

insert 

List.OfHex.IsEmpty Boolean If true, the specified list is empty List of Hex: List to 

check for being 

empty 

List.OfHex.Join List of Hex List of hex values created by joining two 

lists 

List.OfHex.Reverse List of Hex List of hex values that has its original 


1. List of Hex: First 

list to join 

2. List of Hex: 


List of Hex: List in 

original order 






List.OfHex.Size Number Number of hex values on a list List of Hex: List to 

provide number of 

hex values for 

List.OfHex.Sort List of Hex List of sorted hex values List of Hex: List to 

sort 

List.OfHex.ToString String List of hex values converted into a 

string 

List.OfIP.Append List of IP List of IP addresses that an IP address 

is appended to 

List.OfIP.ByName List of IP List of IP addresses (specified by its 

name) 

List.OfIP.Erase List of IP List of IP addresses with specified 

address erased 

List.OfIP.EraseElementRange List of IP List of IP addresses with specified range 

of addresses erased 

List.OfIP.EraseList List of IP List of IP addresses with addresses that 

are also on other list erased 


List of Hex: List to 

convert 

1. List of IP: List to 

append IP address to 

2. IP: IP address to 

append 


1. List of IP: List with 

IP address to erase 


of IP address to erase 


IP addresses to erase 


of first IP address to 

erase 


of last IP address to 

erase 



2. List of IP: List of 


on first list 

List.OfIP.Find Number Position of an IP address on a list 1. List of IP: List with 

IP address to find 

position for 

2.IP: IP address to 


List.OfIP.Get IP IP address (specified by its position on a 

list) 

List.OfIP.GetElementRange List of IP List of IP addresses (extracted from 

another list) 

List.OfIP.Insert List of IP List of IP addresses with specified 

address inserted 

1. List of IP: List 

containing IP address 


of IP address on list 


IP addresses to 

extract 


of first IP address to 

extract 


of last IP address to 

extract 

1. List of IP: List to 

insert IP address in 

2. IP: IP address to 

insert 

List.OfIP.IsEmpty Boolean If true, the specified list is empty List of IP: List to 


empty





List.OfIP.Join List of IP List of IP addresses created by joining 

two lists 

List.OfIP.Reverse List of IP List of IP addresses that has its original 


1. List of IP: First list 

to join 

2. List of IP: Second 

list to join 

List of IP: List in 


List.OfIP.Size Number Number of IP addresses on a list List of IP: List to 

provide number of IP 

addresses for 

List.OfIP.Sort List of IP List of sorted IP addresses List of IP: List to sort 

List.OfIP.ToString String List of IP addresses converted into a 

string 

List.OfIPRange.Append List of IPRange List of IP address ranges that an IP 

address range is appended to 

List.OfIPRange.ByName List of IPRange List of IP address ranges (specified by 

its name) 

List.OfIPRange.Erase List of IPRange List of IP address ranges with specified 

range erased 

List.OfIPRange. 


List of IPRange List of IP address ranges with specified 

ranges erased 

List.OfIPRange.EraseList List of IPRange List of IP address ranges with ranges 

that are also on other list erased 

List of IP: List to 

convert 

1. List of IPRange: 


IP address range to 

2. IPRange: 

IP address range to 

append 



List with IP address 



of IP address range 

to erase 



ranges to erase 


of first IP address 



of last IP address 






List of IP address 

ranges to erase from 

first list 

List.OfIPRange.Find Number Position of an IP address range on a list 1. List of IPRange: 


range to find position 

for 

2.IPRange: IP 

address range to find 

position for 

List.OfIPRange.Get IPRange IP address range (specified by its 

position on a list) 


List containing IP 

address range 


of IP address range 

on list 






List.OfIPRange. 



List of IPRange List of IP address ranges (extracted 

from other list) 

List.OfIPRange.Insert List of IPRange List of IP address ranges with specified 

range inserted 



ranges to extract 


of first IP address 

range to extract 


of last IP address 

range to extract 


List to insert IP 

address range in 

2. IP: IP address 

range to insert 

List.OfIPRange.IsEmpty Boolean If true, the specified list is empty List of IPRange: List 


empty 

List.OfIPRange.Join List of IPRange List of IP address ranges created by 

joining two lists 

List.OfIPRange.Reverse List of IPRange List of IP address rangess that has its 






List of IPRange: List 


List.OfIPRange.Size Number Number of IP address ranges on a list List of IPRange: List 


IP address ranges for 

List.OfIPRange.Sort List of IPRange List of sorted IP address ranges List of IPRange: List 

to sort 

List.OfIPRange.ToString String List of IP address ranges converted into 

a string 

List.OfMediaType.Append List of 

MediaType 

List.OfMediaType.ByName List of 

MediaType 

List.OfMediaType.Erase List of 

MediaType 

List.OfMediaType. 


List of 

MediaType 

List.OfMediaType.EraseList List of 

MediaType 

List of media types that a media type is 

appended to 

List of media types (specified by its 

name) 

List of media types with specified type 

erased 

List of media types with specified range 

of types erased 

List of media types with types that are 


List of IPRange: List 

to convert 

1. List of MediaType: 

List to append media 

type to 

2. MediaType: Media 

type to append 



List with media type 

to erase 


of media type to 

erase 



to erase 


of first media type to 

erase 


of last media type to 

erase 


List with media types 

to erase 


List of media types to 

erase on first list





List.OfMediaType.Find Number Position of a media type on a list 1. List of MediaType: 


to find position for 


type to find position 

for 

List.OfMediaType.Get MediaType Media type (specified by its position on 

a list) 

List.OfMediaType.GetElems List of 

MediaType 

List.OfMediaType.Insert List of 

MediaType 

List of media types (extracted from 

other list) 

List of media types with specified type 

inserted 


List containing media 

type 


of media type on list 


List with media types 

to extract 


of first media type to 

extract 


of last media type to 

extract 


List to insert media 

type in 


type to insert 

List.OfMediaType.IsEmpty Boolean If true, the specified list is empty List of MediaType: 

List to check for 

being empty 

List.OfMediaType.Join List of 

MediaType 

List.OfMediaType.Reverse List of 

MediaType 

List of media types created by joining 

two lists 

List of media types that has its original 






List of MediaType: 

List in original order 

List.OfMediaType.Size Number Number of media types on a list List of MediaType: 

List to provide 

number of media 

types for 

List.OfMediaType.Sort List of 

MediaType 

List of media types sorted in 

alphabetical order 

List.OfMediaType.ToString String List of media types converted into a 

string 

List.OfNumber.Append List of Number List of numbers that a number is 

appended to 


List to sort 


List to convert 

1. List of Number: 


number to 

2. Number: Number 

to append 

List.OfNumber.ByName List of Number List of numbers (specified by its name) String: List name 

List.OfNumber.Erase List of Number List of numbers with specified number 

erased 


List with number to 

erase 


of number to erase 






List.OfNumber. 



List of Number List of numbers with specified range of 

numbers erased 

List.OfNumber.EraseList List of Number List of numbers with numbers that are 



List with numbers to 

erase 


of first number to 

erase 


of last number to 

erase 



erase 


List of numbers to 

erase from first list 

List.OfNumber.Find Number Position of a number on a list 1. List of Number: 

List with number to 




List.OfNumber.Get Number Number (specified by its position on a 

list) 

List.OfNumber. 

GetElememtRange 

List of Number List of numbers (extracted from other 

list) 

List.OfNumber.Insert List of Number List of numbers with specified number 

inserted 



number 


of number on list 



extract 


of first number to 

extract 


of last number to 

extract 


List to insert number 

in 


to insert 

List.OfNumber.IsEmpty Boolean If true, the specified list is empty List of Number: List 


empty 

List.OfNumber.Join List of Number List of numbers created by joining two 

lists 

List.OfNumber.Reverse List of Number List of numbers that has its original 






List of Number: List 


List.OfNumber.Size Number Number of numbers on a list List of Number: List 


numbers for 

List.OfNumber.Sort List of Number List of sorted numbers List of Number: List 

to sort 

List.OfNumber.ToString String List of numbers converted into a string Number List: List to 

convert 

List.OfString.Append List of String List of strings that a string is appended 

to 

1. List of String: List 

to append string to 

2. String: String to 

append





List.OfString.ByName List of String List of strings (specified by its name) String: List name 

List.OfString.Erase List of String List of strings with specified string 1. List of String: List 

erased 

with string to erase 


of string to erase 

List.OfString. 

List of String List of strings with specified range of 1. List of String: List 


strings erased 

with strings to erase 


of first string to erase 


of last string to erase 

List.OfString.EraseList List of String List of strings with strings that are also 1. List of String: List 

on other list erased 

with strings to erase 


of strings to erase on 

first list 

List.OfString.Find Number Position of a string on a list 1. List of String: List 

with string to find 

position for 



List.OfString.Get String String (specified by its position on a list) 1. List of String: List 

containing string 


of string on list 

List.OfString.GetElementRange List of String List of strings (extracted from other list) 1. String List: List 

with regular 

expressions to 

extract 


of first string to 

extract 


of last string to 

extract 

List.OfString.Insert List of String List of strings with specified string 1. List of String: List 

inserted 

to insert string in 


insert 

List.OfString.IsEmpty Boolean If true, the specified list is empty List of String: List to 


empty 

List.OfString.Join List of String List of strings created by joining two 1. List of String: First 

lists 

list to join 

2. List of String: 


List.OfStringMapInList List of String String specified by a parameter and 1. List of String: List 

contained in a list with an index for the containing string 

position this string has in another list 


If the specified string is not contained in containing string 

the first list or does not exist as a 

position in the second list, the string is 

empty. 

3. String: String 

contained in first and 

seconds lists or 

empty string 

List.OfString.Reverse List of String List of strings that has its original order List of String: List in 

reverted 







List.OfString.Size Number Number of strings on a specified list List of String: List to 


strings for 

List.OfString.Sort List of String List of strings sorted in alphabetical 

order 


List of String: List to 

sort 

List.OfString.ToString String List of strings converted into a string List of String: List to 

convert 

List.OfWildcard.Append List of Wildcard 

Expression 

List.OfWildcard.ByName List of Wildcard 

Expression 

List.OfWildcard.Erase List of Wildcard 

Expression 

List.OfWildcard. 


List of Wildcard 

Expression 

List.OfWildcard.EraseList List of Wildcard 

Expression 

List of wildcard expressions that an 

expression is appended to 

List of wildcard expressions (specified 

by its name) 

List of wildcard expressions with 

specified expression erased 


specified range of expressions erased 


expressions that are also on other list 

erased 

List.OfWildcard.Find Number Position of a wildcard expression on a 

list 

List.OfWildcard.Get Wildcard 

Expression 

Wildcard expression (specified by its 

position on a list) 

1. List of Wildcard 

Expression: List to 

append wildcard 

expression to 

2. Wildcard 

Expression: Wildcard 

expression to append 



Expression: List with 

wildcard expression 

to erase 

2. Number: 

Position of wildcard 

expression to erase 



wildcard expressions 

to erase 


of first wildcard 



of last wildcard 





to erase 

2. Wildcard 

Expression: List of 


to erase on first list 





2. Wildcard 


Expression to find 

position for 


Expression: List 

containing wildcard 

expression 

2. Number: 

Position of wildcard 

expression on list


List.OfWildcard. 



Expression 

List.OfWildcard.Insert List of Wildcard 

Expression 




List of wildcard expressions (extracted 

from other list) 


specified expression inserted 




to extract 


of first wildcard 

expression to extract 


of last wildcard 

expression to extract 



insert wildcard 

expression in 

2. Wildcard 


expression to insert 

List.OfWildcard.IsEmpty Boolean If true, the specified list is empty List of Wildcard 



empty 

List.OfWildcard.Join List of Wildcard 

Expression 

List.OfWildcard.Reverse List of Wildcard 

Expression 

List of wildcard expressions created by 

joining two lists 

List of wildcard expressions that has its 



Expression: First list 

to join 


Expression: Second 

list to join 


Expression: List in 


List.OfWildcard.Size Number Number of wildcard expressions on a list List of Wildcard 




for 

List.OfWildcard.Sort List of Wildcard 

Expression 

List of sorted wildcard expressions List of Wildcard 


sort 

List.OfWildcard.ToString String List of wildcard expressions converted 

into a string 



convert 

Math.Abs Number Absolute value of specified number Number: Number 

that absolute value is 

provided for 

Math.Random Number Random number between specified 

minimum and maximum values 

(including these values) 

MediaStreamProbability Number Probability that the streaming media in 

question matches the found media type 

(in percent) 

MediaType.EnsuredTypes List of 

MediaType 

List of media types that are ensured for 

the respective media with a probability 

of more than 50% 


Block types from list Upload Media 

Type Blocklist 

Block types from Download Media Type 

Blocklist 

1. Number: Minimum 

value 

2. Number: 

Maximum value 






MediaType.FromFileExtension List of 

MediaType 

MediaType.FromHeader List of 

MediaType 


List of media types that are found using 

the file extension of the media 

List of media types that are found using 

the content-type header sent with the 

media 

MediaType.HasOpener Boolean If true, an opener module is available on 

the appliance for media of a given type 

MediaType.IsCompositeObject Boolean If true, media of a given type is a 

composite object, for example, is an 

archive 

MediaType.MagicBytes 

Mismatch 

MediaType.NotEnsuredTypes List of 

MediaType 

Boolean If true, the media type specified in the 

header sent with the media does not 

match the type that was found on the 

appliance by examining the magic bytes 

actually contained in the media 

List of media types that are ensured for 

the respective media with a probability 

of less than 50% 

MediaType.ToString String Media type converted into a string MediaType: Media 

type to convert 

Message.Language String Name of language for messages sent to 

users in short form, for example, en, de, 

ja 

Message.TemplateName String Name of a template for messages sent 

to users 

Number.ToString String Number converted into a string Number: Number to 

convert 

Number.ToVolumeString String Number of bytes that a volume amounts 

to converted into a string 

NumberOfClientConnections Number Number of connections to clients that 

are open on the appliance at the same 

time 

PDStorage.GetAllData List of String List containing all permanently stored 

data in string format 

PDStorage.GetAllGlobalData List of String List containing all permanently stored 

global data in string format 

PDStorage.GetAllUserData List of String List containing all permanently stored 

user data in string format 

Number: Byte 

number to convert 

PDStorage.GetGlobalData.Bool Boolean Global variable of type Boolean String: Variable key 

PDStorage.GetGlobalData. 

Category 

Boolean Global variable of type Category String: Variable key 


Dimension 

Boolean Global variable of type Dimension String: Variable key 

PDStorage.GetGlobalData.Hex Hex Global variable of type Hex String: Variable key 

PDStorage.GetGlobalData.IP IP Global variable of type IP String: Variable key 


IPRange 

IPRange Global variable of type IPRange String: Variable key 

PDStorage.GetGlobalData.List. 

Category 

List of Category Global variable of type List of Category String: Variable key 

PDStorage.GetGlobalData.List. List of 

Global variable of type List of Dimension String: Variable key 

Dimension 

Dimension 


Hex 

List of Hex Global variable of type List of Hex String: Variable key 


IP 

List of IP Global variable of type List of IP String: Variable key



IPRange 


MediaType 


Number 


String 


Wildcard 


MediaType 


Number 


String 


Wildcard 




List of IPRange Global variable of type List of IPRange String: Variable key 

List of 

MediaType 

Global variable of type List of 

MediaType 

String: Variable key 

List of Number Global variable of type List of Number String: Variable key 

List of String Global variable of type List of String String: Variable key 


Expression 

Global variable of type List of Wildcard 

Expression 


MediaType Global variable of type MediaType String: Variable key 

Number Global variable of type Number String: Variable key 

String Global variable of type String String: Variable key 

Wildcard 

Expression 

Global variable of type Wildcard 

Expression 


PDStorage.GetUserData.Bool Boolean User variable of type Boolean String: Variable key 

PDStorage.GetUserData. 

Category 

Category User variable of type Category String: Variable key 


Dimension 

Dimension User variable of type Dimension String: Variable key 

PDStorage.GetUserData.Hex Hex User variable of type Hex String: Variable key 

PDStorage.GetUserData.IP IP User variable of type IP String: Variable key 


IPRange 

IPRange User variable of type IPRange String: Variable key 

PDStorage.GetUserData.List. 

Category 

List of Category User variable of type List of Category String: Variable key 

PDStorage.GetUserData.List. List of 

User variable of type List of Dimension String: Variable key 

Dimension 

Dimension 


Hex 

List of Hex User variable of type List of Hex value String: Variable key 

PDStorage.GetUserData.List.IP List of IP User variable of type List of IP String: Variable key 


IPRange 

List of IPRange User variable of type List of IPRange String: Variable key 

PDStorage.GetUserData.List. List of 

User variable of type List of MediaType String: Variable key 

MediaType 

MediaType 


Number 

List of Number User variable of type List of Number String: Variable key 


String 

List of String User variable of type List of String String: Variable key 

PDStorage.GetUserData.List. List of Wildcard User variable of type List of Wildcard Variable Key: String 

Wildcard 

Expression Expression 


MediaType 

MediaType User variable of type MediaType String: Variable key 


Number 

Number User variable of type Number String: Variable key 

PDStorage.GetUserData.String String User variable of type String String: Variable key 

PDStorage.GetUserData. Wildcard User variable of type Wildcard 


Wildcard 

Expression Expression 

PDStorage.HasGlobalData Boolean If true, permanently stored global data 

is available 







PDStorage.HasUserData Boolean If true, permanently stored user data is 

available 


ProgressPage.Enabled Boolean If true, download progress is indicated 

to the user by a progress page 

Protocol.FailureDescription String String containing description of a 

connection error under the current 

protocol 

Proxy.EndUserURL String String representing URL for display to a 

user 

Proxy.IP IP IP address of connection 

Proxy.Port Number Number of port used for a connection 

Quota.AuthorizedOverride. 

IsActivationRequest 


JS.ActivateSession 




SessionExceeded 


SessionLength 

Quota.Coaching. 



JS.ActivateSession 






Boolean If true, an authorized user has chosen 

to continue with a authorized override 

session after session time has been 

exceeded 

Used in rule: Redirect after 

authenticating for authorized override 

String String in JavaScript code calling the 

function that is executed when an 

authorized user chooses to start a new 

session by clicking the appropriate 

button in the authorized override 

template. 

The code is provided when the template 

is created and displayed to the user. 

Number Remaining time for an authorized 

override session (in seconds) 

Boolean If true, the time allowed for an 

authorized override session has been 

exceeded 

Used in rule: Check if authorized 

override session has been exceeded 

Number Time length for an authorized override 

session (in seconds) 

Boolean If true, a user has chosen to continue 

with a new coaching session after 

session time has been exceeded 

Used in rule: Redirecting after starting 

new coaching session 


function that is executed when a user 

chooses to start a new session by 

clicking the appropriate button in the 

coaching session template. 



Number Remaining time for a coaching session 

(in seconds) 

Boolean If true, the time allowed for a coaching 

session has been exceeded 

Used in rule: Check if coaching session 

has been exceeded 

Quota.Coaching.SessionLength Number Time length for a coaching session (in 

seconds) 

Quota.Time.Exceeded Boolean If true, the time quota has been 

exceeded 

Used in rule: Check if time quota has 

been exceeded


Quota.Time. 






with a new time session after session 

time has been exceeded 


new time session 

Quota.Time.JS.ActivateSession String String in JavaScript code calling the 




time session template. 



Quota.Time.RemainingDay Number Time remaining from the configured 

time quota for the current day (in 

seconds) 

Quota.Time.RemainingMonth Number Time remaining from the configured 

time quota for the current month 

Quota.Time.RemainingSession Number Remaining time for a time session (in 

seconds) 

Quota.Time.RemainingWeek Number Time remaining from the configured 

time quota for the current week (in 

seconds) 

Quota.Time.SessionExceeded Boolean If true, the time allowed for a time 


Used in rule: Check if time session has 

been exceeded 

Quota.Time.SessionLength Number Time length for a time session (in 

seconds) 

Quota.Time.SizePerDay Number Time allowed per day under the 

configured quota (in seconds) 

Quota.Time.SizePerMonth Number Time allowed per month under the 


Quota.Time.SizePerWeek Number Time allowed per week under the 


Quota.Volume.Exceeded Boolean If true, the volume quota has been 

exceeded 

Used in rule: Check if volume quota has 

been exceeded 

Quota.Volume. 


Quota.Volume.JS. 

ActivateSession 


with a new volume session after session 

time has been exceeded 


new volume session 





volume session template. 



Quota.Volume.RemainingDay Number Volume remaining from the configured 

volume quota for the current day (in 

bytes) 

Quota.Volume.RemainingMonth Number Volume remaining from the configured 

volume quota for the current month (in 

bytes) 

Quota.Volume. 


Number Remaining time for a volume session (in 

seconds) 






Quota.Volume.RemainingWeek Number Volume remaining from the configured 

volume quota for the current week (in 

bytes) 

Quota.Volume. 



Boolean If true, the time allowed for a volume 


Used in rule: Check if volume session 

has been exceeded 

Quota.Volume.SessionLength Number Time length for a volume session (in 

seconds) 

Quota.Volume.SizePerDay Number Volume allowed per day under the 


Quota.Volume.SizePerMonth Number Volume allowed per month under the 


Quota.Volume.SizePerWeek Number Volume allowed per week under the 


Redirect.URL String String representing a URL that a user is 

redirected to by an authentication or 

quota rule 

Reporting.URL.Categories List of Category List of all URL categories used on the 

appliance 

Reporting.URL.Reputation List of Number List of all reputation score values used 

on the appliance 

Request.Header.FirstLine String First line of a header sent with a request 

Request.ProtocolAndVersion String Protocol and protocol version used 

when a request is sent 

Response.ProtocolandVersion String Protocol and protocol version used 

when a response is sent 

Response.Redirect.URL String URL that a user is redirected to when a 

response is sent 

Response.StatusCode String Status code of a response 

Rules.CurrentRuleID String ID of the rule that is currently processed 

Rules.CurrentRuleName String Name of the rule that is currently 

processed 

Rules.CurrentRuleSetName String Name of the rule set that is currently 

processed 

Rules.EvaluatedRules List of String List of all rules that have been 

processed 

Rules.EvaluatedRules.Names List of String List with names of all rules that have 

been processed 

Rules.FiredRules List of String List of all rules that have applied 

Rules.FiredRules.Names List of String List with names of all rules that have 

applied 

SecureReverseProxy. 

Embedded Host 


Embedded Protocol 


Embedded URL 


GetDomain 

String Host name of a URL in an HTTP request 

that is embedded in an HTTPS request 

String Protocol of a URL in an HTTP request 

that is embedded in an HTTPS request 

String URL in an HTTP request that is 

embedded in an HTTPS request 

This is the URL for the host specified by 

the value of the SecureReverseProxy. 

EmbeddedHost property 

String Domain specified in the settings for the 

SecureReverseProxy module 

String: Host name of 

the URL 

S



IsValidReverseProxyRequest 


URLToEmbed 




Boolean If true, the URL submitted in a request 

has the format rrequired in a 

SecureReverseProxy configuration 

String URL submitted in a HTTP request that is 

embedded in a HTTPS request 

SecureToken.CreateToken String Encrypted string 

This string serves as a token for 

securing an IP address. An AES-128-bit 

algorithm is used to create the token. 

Depending on the value of a parameter 

in the settings of the SecureReverse 

Proxy module, the string includes a time 

stamp. 

SecureToken.IsValid Boolean If true, the specified token is valid and 

has not expired 

Depending on the on the value of a 

parameter in the settings of the 

SecureReverse Proxy module, the token 

string includes no time stamp. 

Expiration of the token is then not 

checked. 

SecureToken.GetString String String serving as a token for securing an 

IP address 

If the token is invalid or has expired, the 

string is empty. 

SNMP.Trap.Additional String Additional message sent to a trap under 

the SNMP protocol 

SSL.Certificate.CN.ToWildcard Wildcard 

Expression 

Common name in an SSL certificate 

converted into a wildcard expression 

SSL.ClientContext.IsApplied Boolean If true, parameters for setting the client 

context in SSL-secured communication 

have been configured 

SSL.Server.Certificate. 

AlternativeCNs 


Expression 

List of alternative common names for a 

web server as used in SSL certificates 

SSL.Server.Certificate.CN String Common name of a web server 

provided in a certificate for SSL-secured 

communication 

SSL.Server.Certificate.CN. 

HasWildcards 


DaysExpired 


HostAndCertificate 


SelfSigned 


SHA1Digest 

Boolean If true, the common name for a web 

server in an SSL certificate includes 

wildcards 

Used in rule: Allow wildcard certificates 

Number Number of days that an SSL certificate 

for a web server has expired 

Used in rule: Block expired server (7 

day tolerance) and expired CA 

certificates 

HostAnd 

Certificate 

Host name and certificate for a web 

server in SSL-secured communication 

Used in rule: Skip verification for 

certificates found in Certificate 

Whitelist 

Boolean If true, an SSL certificate for a web 

server is self-signed 

Used in rule: Block self-signed 

certificates 

String String representing an SHA1Digest of a 

SSL certificate for a web server 

String: String to 

encrypt 

String: Token to be 

checked 

Number: Time (in 

seconds) to elapse to 

let the token expire 

String: Token to be 

checked 

Number: Time (in 

seconds) to elapse to 

let the token expire 

String: Common 

name to convert 






SSL.Server.CertificateChain. 

AllRevocationStatiKnown 


ContainsExpiredCA 


ContainsRevoked 


FirstKnownCAIsTrusted 


FoundKnownCA 


IsComplete 


Length 


PathLengthExceeded 

SSL.Server.Handshake. 

IsRequested 


Boolean If true, it is known of all SSL certificates 

in a certificate chain for a web server 

whether they are revoked or not 

Boolean If true, an SSL certificate in a certificate 

chain for a web server has expired 

Used in rule: Block expired server (7 

day tolerance) and expired CA 

certificates 

Boolean If true, an SSL certificate in a certificate 

chain for a web server has been revoked 

Used in rule: Block revoked certificates 

Boolean If true, a the certificate authority for 

issuing SSL certificates that has been 

found first in a certificate chain for a 

web server is trusted 

Used in rule: Block untrusted certificate 

authorities 

Boolean If true, a known certificate authority for 

issuing SSL certificates has been found 

in a certificate chain for a web server 

Used in rule: Block unknown certificate 

authorities 

Boolean If true, the chain of SSL certificates for 

a web server is complete 

Number Number of SSL certificates in a 

certificate chain for a web server 

Boolean If true, the chain of SSL certificates for 

a web server exceeds the allowed 

length 

Used in rule: Block too long certificate 

chains 

Boolean If true, a handshake is requested for 

setting up a connection to web server in 

SSL-secured communication 

Statistics.Counter.Get Number Number of occurrences of an activity or 

situtation recorded on a counter 

Statistics.Counter.GetCurrent Number Number of occurrences of an activity or 

situtation recorded on a counter (fully 

completed) during the last minute 

Stopwatch.GetMacroSeconds Number Time measured for rule set processing 

in milliseconds 

Stopwatch.GetMilliSeconds Number Time measured for rule set processing 

in macroseconds 

String.BackwardFind Number Position where a substring begins that is 

found in a string by a backward search 

Returns -1 if the substring is not found 

String.Base64Decode String Decoded format of a string specified in 

base-64 encoded format 

String.Base64Encode String Base-64 encoded format of a specified 

string 

String: Name of 

counter 

String: Name of 

counter 

String: Name of rule 

set 

String: Name of rule 

set 


containing substring 

2. String: Substring 


where backward 

search for substring 

begins 

String: String in 

encoded format 


encode 

String.Concat String Concatenation of two specified strings 1. String: First string 

to concatenate 

2. String: Second 

string to concatenate





String.CRLF String Carriage-return line-feed 

String.Find Number Position where a substring begins that is 1. String: String 

found in a string by a forward search containing substring 

Returns -1 if the substring is not found 2. String: Substring 


where forward search 

for substring begins 

String.FindFirstOf Number Position of the first character of a 1. String: String 

substring found in a string 




where search for 

substring begins 

String.FindLastOf Number Position of the last character of a 1. String: String 

substring found in a string 




where search for 

substring begins 

String.GetWordCount Number Number of words in a string String: String to get 

number of words for 

String.IsEmpty Boolean If true, the specified string is empty String: String 

checked for being 

empty 

String.Length Number Number of characters in a string String: String to 

count characters for 

String.LF String Line-feed 

String.MatchWildcard List of String List of terms in a string that match a 1. String: String with 


matching terms 

2. Wildcard 


expression to match 

String.Replace String String having a substring replaced by a 1. String: String 

string as specified 


to replace 


where replacement 

begins 


of characters to 

replace 

4. String: Replacing 

string 

String.ReplaceAll String String having each occurrence of a 1. String: String 

substring replaced by string as specified containing substring 

to replace 


substring 


to replace 

String.ReplaceAllMatches String String having each occurrence of a 1. String: String 

substring that matches a wildcard containing substring 

expression replaced by a string as to replace 

specified 

2. Wildcard 




string 






String.ReplaceFirst String String having first occurrence of a 

substring replaced by a string as 

specified 

String.ReplaceFirstMatch String String having first occurrence of a 

substring that matches a wildcard 

expression replaced by a string as 

specified 

String.ReplaceIfEquals String String having every occurrence of a 

substring replaced by a string as 

specified 

String.SubString String Substring contained in a string specified 

by start position and length 

String.SubStringBetween String Substring of string extending between 

two other substrings of this string 

The search for this substring begins 

with looking for the first of other 

substrings. If this string is found, the 

search is continued with looking for the 

second substring. 

If the first substring is not found, the 

search has no result. If the second 

substring is not found, the wanted 

substring extends from the end of the 

first substring to the end of the main 

string. 




to replace 


string 


to replace 



to replace 

2. Wildcard 




substring 



to replace 


to replace 


string 




where substring 

begins 


of characters in 

substring 

If no number is 

specified, the substring 

extends to the 

end of the original 

string 


containing substrings 


ending immediately 

before the wanted 

substring 


beginning 

immediately after the 

wanted substring 

String.ToCategory Category String converted into a category String: String to 

convert 

String.ToDimension Dimension String converted into a dimension String: String to 

convert 

String.ToHex Hex String converted into a hex value String: String to 

convert 

String.ToIP IP String converted into an IP address String: String to 

convert 

String.ToIPRange IPRange String converted into a range of IP 

addresses 


convert 

String.ToMediaType MediaType String converted into a media type String: String to 

convert





String.ToNumber Number String converted into a number String: String to 

convert 

String.ToStringList List of String String converted into a string list 

The string list is a list of the elements in 

the string to convert. For example, the 

string to convert can be a text and the 

string list a list of the words in this text. 

The delimiter is a substring that 

separates elements in the string to 

convert. For example, in a normal text, 

the delimiter is the whitespace. The 

substring can be a single character, 

such as the whitespace, or multiple 

characters. To specify the whitespace, 

hit the space bar. 

A trim character is a character that 

appears at the beginning or end of an 

element in the string to convert, but not 

in the string list. A trim character can, 

for example, be a comma, a period, or 

an inverted comma (quotation mark). It 

can also be an “invisible” character, 

such as a tab stop or a line feed. 

To specify trim characters, type them in 

the input field that is provided on the 

user interface without separating them 

from each other. 

Use the following combinations to type 

invisible characters: 

\t – tab stop 

\r – carriage return 

\n – line feed 

\b – backspace 

\\ – backslash 

If you specify a character as a delimiter, 

it is also deleted from the resulting 

string list, so you need not specify it as 

a trim character. 

Used in rule: Set 

User-Defined.listOfWords 

String.ToWildcard Wildcard 

Expression 

String converted into a wildcard 

expression 

String.URLDecode String Standard format of a URL that was 

specified in encoded format 


convert 

2. String: Delimiter 

3. String: Trim 

character or 

characters 


convert 

String: URL in 

encoded format 

String.URLEncode String Encoded format of a URL String: URL to 

encode 

System.HostName String Host name of an appliance 

System.UUID String UUID of an appliance 

Timer.FirstReceivedFirstSent 

Client 

Number Processing time consumed between 

receiving the first byte from a client on 

the appliance and sending the first byte 

to this client within a transaction 

Note: Using this property is only 

supported when HTTP or HTTPS 

connections are involved, but not for 

FTP connections. 






Timer.FirstSentFirstReceived 

Server 



sending the first byte from the 

appliance to a web server and receiving 

the first byte from this server within a 

transaction 





Timer.HandleConnectToServer Number Processing time consumed for 

connecting to a web server within a 

transaction 

Timer.LastReceivedLastSent 

Client 

Timer.LastSentLastReceived 

FromServer 

Timer.ResolveHostNameVia 

DNS 

Timer.TimeConsumedByRule 

Engine 


receiving the last byte from a client on 

the appliance and sending the last byte 

to this client within a transaction 





Number Processing time comsumed between 

sending the last byte from the appliance 

to a web server and receiving the last 

byte from this server within a 

transaction 





Number Processing time consumed for looking 

up a host name on a DNS server within 

a transaction 

Note: Only lookups on external servers 

are considered. Cache lookups are 

disregarded. 

Number Time consumed by the rule engine to 

process a request throughout all 

relevant processing cycles 

Note: Processing a request through all 

relevant processing cycles is 

considered to be one transaction. 

Timer.TimeForTransaction Number Time consumed by the rule engine to 

process a request that has been 

received on the appliance through all 

relevant processing cycles 


supported when HTTP and HTTPS 



URL String URL of a web object 


Allow URLs that match in URL 

WhiteList, 

Block URLs with bad reputation 

URL.Categories List of Category List of URL categories that a URL 

belongs to 


Block URLs whose category is in URL 

Category BlockList 

Allow uncategorized URLs





URL.CategoriesForURL List of Category List of URL categories that a specified 

URL belongs to 

URL.DestinationIP IP IP address for a URL as found in a DNS 

lookup 

Used in rule: Use internal proxy for 

internal host 

URL.FileName String Name of a file that can be accessed 

through a URL 

URL.Geolocation String ISO 3166 code for the country where 

the host that a URL belongs to is located 

If a value is to be assigned to this 

property, the following option of the 

settings for the URL Filter module must 

be enabled: Only use online GTI web 

reputation and categorization services. 

String: URL in string 

format 

URL.GetParameter String Parameter of a URL in string format String: Parameter 

name 

URL.HasParameter Boolean If true, a specified parameter belongs to 

the parameters of a URL 

URL.Host String Host that a URL belongs to 


Allow URL hosts that match in list 

Antimalware URL Whitelist 

Tunneled hosts 

URL.HostIsIP Boolean If true, the URL that is submitted for 

access to a host is an IP address 

URL.IsHighRisk Boolean If true, the reputation score of a URL 

falls in the high risk range 

Used in rule: Block URLs with bad 

reputation 

URL.IsMediumRisk Boolean If true, the reputation score of a URL 

falls in the medium risk range 

URL.IsMinimalRisk Boolean If true, the reputation score of a URL 

falls in the minimal risk range 

URL.IsUnverifiedRisk Boolean If true, the reputation score of a URL 

falls in the unverified risk range 

URL.Parameters List of String List of URL parameters 

URL.ParametersString String String containing the parameters of a 

URL 

Note: If the URL has parameters, the 

string begins with the ? character. 

URL.Path String Path name for a URL 

URL.Port Number Number of a port for a URL 

Used in rule: Restrict destination ports 

to Allowed CONNECT Ports 

URL.Protocol String Protocol for a URL 

URL.Raw String URL in the format originally received on 

the appliance from a client or other 

instances of the network. 




converting URL code to a human 


simple URL property. 

URL.Reputation Number Reputation score for a URL 

String: Parameter 

name 






URL.ReputationForURL Number Reputation score for a specified URL String: URL in string 

format 

URL.ReputationString String String representing reputation score for 

a URL 

User-Defined.cacheMessage String Message text providing information on 

web cache usage 

Used in event of rule: Create 

notification message (on web cache 

usage) 

User-Defined.eventMessage String Message text providing information on 

an event 

User-Defined.loadMessage String Message text providing information on 

CPU overload 


notification message (on CPU overload) 

User-Defined.logLine String Entry written into a log file 

User-Defined. 

monitorLogMessage 

String Entry written into a log file 

User-Defined. 

notificationMessage 

User-Defined. 

requestLoadMessage 

User-Defined. 

requestsPerSecond 


String Text of a notification message 


notification message (on Log File 

Manager incident) 

String Message text providing information on 

request overload 


notification message (on request 

overload) 

Number Number of requests processed on the 

appliance per second 


notification message (on request 

overload) 

Wildcard.ToString String Wildcard expression converted into a 

string 

Wildcard Expression: 

Wildcard expression 

to convert




When completing configuration jobs on the appliance, you can use wildcard expressions for several 

purposes, for example, to match URLs on blocking lists and whitelists. 

There are two types of wildcard expressions you can use: 

• Glob expressions — Using these is the default. 

For information on some of the special characters used to create glob expressions, see List of 

important special glob characters. 

More information on using this type of expressions is, for example, provided on the following Linux 

man page: 

glob(7) 

• Regular expressions (Regex) — If you want to use these, you need to type the term regex first 

and then include the regular expression in round brackets, for example: 

regex(a*b) 

For information on some of the special characters used to create regular expressions, see List of 

important special regex characters. 

The regular expressions used on the appliance follow the Perl Regular Expression syntax. 

Information on this syntax is, for example, provided on the folIowing Linux man page: 

perlre(1) 

Test a wildcard expression 

When you add a wildcard expression to a list, you can test it before actually adding it. The Add Wildcard 

Expression window provides a Test button for this purpose. 

To test a wildcard expression: 


Note: You can also go to Policy | Rule Sets and access a list of the Wildcard Expression type by clicking its 

name in a rule name or in rule criteria. Then proceed as described in steps 3 and 4. 

2 On the lists tree, go to Wildcard Expressions and select a list. 

3 Click Add on the settings pane. The Add Wildcard Expression window opens. 

4 Type a wildcard expression in the input field and click Test. The Wildcard Expression Test window 

opens and provides information on the expression. 




List of important special glob characters 

The following table provides a list of important special characters for creating glob type wildcard 

expressions. 

Table A-6 List of important special glob characters 

Character Description 

? (If not between square brackets:) Matches any single character 

For example, ?est matches: 

best 

rest 

test 

and others 

* (If not between square brackets:) Matches any string, including the empty string 

For example, b* matches: 

b 

best 

binary3 

and others 

[...] Matches any of the single characters included in the square brackets 

? and * are normal characters between square brackets. 

For example, [a5?] matches: 

a 

5 

? 

Note: The first character must not be an ! (exclamation mark). 

! Matches any single character except those following the exclamation mark 

For example, [!ab] matches: 

c 

S 

% 

and others, but not: 

a 

b 

- Is used to denote a range of characters 

For example, [a-f A-F 0-5] matches: 

d 

F 

3 

and others 

/ Is not matched by ? or * and cannot be included in [...] or be part of a range 

This means, for example, that http://linux.die.net/* does not match the following 

pathname: 

http://linux.die.net/man/7/glob 

The pathname is, however, matched by: 

http://linux.die.net/*/*/* 


Table A-6 List of important special glob characters (continued) 


\ If preceding ?, *, or [, these are normal characters 

For example, [mn\*\[] matches: 

m 

n 

* 

[ 

. A file name beginning with a . (dot), must be matched explicitly. 

For example, the command: 

rm * 

will not remove the file .profile. 

However, the following command will: 

rm .* 

List of important special regex characters 



The following table provides a list of important special characters for creating regex type wildcard 

expressions. 

Note: The examples given here include the term regex and round brackets, as you need to use them when 

working with these expressions on the appliance. 

Table A-7 List of important special regex characters 


. Matches any single character 

For example, regex(.est) matches: 

best 

rest 

test 

and others 

* Matches the preceding character zero or more times 

For example, regex(a*b) matches: 

b 

ab 

aaaaaab 

and others 

+ Matches the preceding character one or more times 

For example, regex(c+d) matches: 

cd 

cccccd 

and others 

? Matches the preceding character zero or one times 

For example, regex(m?n) matches: 

n 

mn 

^ Matches the beginning of a line 

$ Matches the end of a line 




Table A-7 List of important special regex characters (continued) 


{...} 

Are used to match a character as many times as specified 

Options: 

– a{n} 

Matches a character n times 

For example, regex(a{3}) matches: 

aaa 

– a{n,} 

Matches a character n and more times 

For example, regex(p{4,}) matches: 

pppp 

pppppp 

and others 

– a{n,m} Matches a character between n and m times, including the limiting values 

For example, regex(q{1,3}) matches: 

q 

qq 

qqq 

| Matches alternative expressions 

For example, regex(abc|jkl) matches: 

abc 

jkl 

(...) Are used to group characters in an alternative expression 

For example, regex(de(r|st)) matches: 

der 

dest 

[...] Matches any of the single characters included in the square brackets 

For example, regex([bc3]) matches: 

b 

c 

3 

- Is used to denote a range of characters in a bracket expression 

For example, regex([c-f C-F 3-5]) matches: 

d 

F 

4 

and others 


Table A-7 List of important special regex characters (continued) 




^ Matches any single character in a bracket expression except those following the accent 

circonflexe 

For example, regex([^a-d]) matches: 

e 

7 

& 

and others, but not: 

a 

b 

c 

d 

\ (If preceding a special character:) Turns it into a normal character 

For example, regex(mn\+) matches: 

mn+ 

(If preceding some normal characters:) Matches a particular class of characters 

For information on these classes, refer to the perlre man page or other documentation. The 

following are examples of frequently used character classes. 

For example, regex(\d) matches all digits, such as: 

3 

4 

7 

and others 

regex(\w) matches all alphabetical characters, such as: 

a 

F 

s 

and others 

regex(\D) matches all characters that are not digits, such as: 

c 

T 

& 

and others 





Index 

A 

access restrictions 117 

action 

list of actions 319 

rule element 86 

samples 89 

settings 115 

Settings tab 115 

administrator 

accounts 165 

activities 14 

external accounts 167 

roles 166 

test account 166 

alerts 270 

anti-malware, see virus and malware filtering 

anti-virus, see virus and malware filtering 

appliance 

administration 14 

alerts 270 

authentication 119 

central management 260 

configurator 16 

coordinator 16 

core 16 

dashboard 270 

error handling 305 

filtering 81 

gateway 13 

help 30, 31 

license 29, 251 

logging 277 

logoff, see logout 

logon 27 

logout 30, 31 

main components 16 

main functions 14 

monitoring 269 

network 38 

operating system 17 

physical 21 

proxies 37 

setup 15, 21 

subsystems 16 

system architecture 16 

troubleshooting 315 

virtual 24 

web cache 75 

web filtering 169 

web security 13 

authentication 

advanced parameters 129 

Authenticate and Authorize rule set 124 

Authenticate with User Database rule set 125 

Authentication Server method 136, 137 

Authorize rule set 126 

common parameters 128 

cookies 143 

implement different method 126 

instant messaging 140 

join appliance to Windows domain 138 

Kerberos method 135 

LDAP method 131 

main rule set 124 

methods 124 

module 127 

module settings 142 

nested rule sets 124 

Novell eDirectory method 133 

NTLM method 129 

NTLM-Agent method 130 

process 119 

RADIUS method 134 

retrieve user information 122 

rules 124 

sample rule 121 

select method 128 

settings 127 

SSL client certificate 136 

test 128 

User Database method 128 

Windows domain 138 

Windows domain settings 139 

x.509 authentication 136 

Authentication Server, see authentication 

AV, see anti-virus 

Avira, see virus and malware filtering 

B 

bandwidth throttling 231 

C 

cache, see web cache 

central management 

add appliance 261 

advanced settings 262 

configure settings 261 

include node 263 

nodes 260 


Index 

scheduled jobs 264 

settings 262 

cluster, see central management 

configurator subsystem 16 

cookie authentication 

Authenticate Clients With Server rule set 144 

Authentication Server Request rule set 145 

configure module 146 

Cookie Authentication at Proxy rule set 144 

Cookie Authentication at Server rule set 145 

Cookie Authentication rule set 143 


module 146 



rules 143 

Set Cookie for Authenticates Clients rule set 144 

coordinator subsystem 16 

core subsystem 16 

criteria 

complex 88 

operand 86 

operator 86 

parameter 86 

property 86 


D 

dashboard 

access 270 

alerts 270 

charts and tables 273 

evolving data 273 

top scores 273 

data leakage prevention 

data flow 73 

Data Leakage Prevention rule set 73 

data trickling 228 

database updates 257 

date and time 249, 253 

DNS, see domain name server 

domain name server 

proxies 57 

system settings 250 

E 

engines, see modules 

ePolicy Orchestrator 301 

error handling 

list of error IDs 320 

rule sets 307 

user of error IDs in rules 305 

event 

list of events 322 


types 90 


explicit proxy mode 39 

F 

File Editor 256 

file server 250 

filtering 


concept 81 

cycles 82 

global whitelisting 214 


media type filtering 200 

modules 85 

process flow 83 

properties 81 

rules 81 


user filtering 119 

virus and malware filtering 171 

web filtering 169 

FTP, see proxies 

G 

gateway, see appliance 

glob expressions, see wildcard expressions 

Global Threat Intelligence, see URL filtering 

global whitelisting 

add wildcard expression to whitelist 215 

Global Whitelist rule set 214 

lists 215 

rules 214 

wildcard expressions 215 

H 

Helix proxy 72 

help 

button 30 

content 31 

high availability 44 


ActiveX controls 208 

advertising filter 208 

configure opener module 213 

embedded objects 208 

embedded scripts 208 

Enable HTML Filtering rule set 208 

HTML Filtering nested rule set 208 

HTML Filtering rule set 207 

lists 212 




opener module 213 

rules 207 

HTTP, see proxies

I 

ICAP server, see proxies 

ICQ, see instant messaging 

IM, see instant messaging 

incidents 

list of incident IDs 327 

logging rule set 306 

parameters 306 

properties 306 

use in rules 305 

inline lists 114 

instant messaging 


authentication module 142 

configure modules 142 


ICQ settings 58 

IM Authentication rule set 140 

IM Authentication Server rule set 140 

IM Proxy rule set 141 

logging module 142 

main authentication rule set 140 


Windows Live Messenger settings 58 

Yahoo settings 57 

K 

Kerberos, see authentication 

L 

LDAP, see authentication 

library 91, 94 

licensing 

initial setup 29 


lists 


add entries 113 

add list 113 

inline lists 114 

Lists tab 111 

maintain 111 

logging 

log blocking key words 283 

log file settings 291 

log file types 277 

log handler 282 

rule sample 279 

rules 278 

self-configured log files 282 

view log files 278 

logoff, see logout 

logon 27 

logout 30, 31 

M 

malware, see virus and malware filtering 

McAfee Web Gateway 7.1.5 Product Guide 375 

Index 

McAfee Web Gateway, see appliance 

media type filtering 

add media type to filter list 206 

change property in rule 204 

create filter list 203 

Download Media Types rule set 203 

lists 205 


Media Type Filtering rule set 202 

MIME data 201 

modify rule 203 


properties 201 

rules 200 

sample rule 200 

Upload Media Type rule set 202 

modules 

filtering 85 

settings 115 

Settings tab 115 

system architecture 16 

monitoring 

dashboard 270 

ePO server 301 

logging 277 

performance measurement 297 

SNMP 303 

N 

navigation pane 30, 31 

network interfaces 251 

network protection 253 

next-hop proxies 233 

Novell eDirectory, see authentication 

NTLM, see authentication 

NTLM-Agent, see authentication 

O 

online help, see help 


P 

performance measurement 297 

physical appliance 21 

policy creation 28 

port forwarding 253 

proactive scanning, see virus and malware filtering 

progress indication 

data trickling 228 

progress page 228 

progress page 228 

property 

concept 81 

list of properties 330 

rule element 85, 86 

samples 88 

types 88

Index 

values 88 

proxies 

advanced settings 59 

auto-configuration files 70 

common settings 53 

configure nodes in transparent bridge mode 47 

configure nodes in transparent router mode 51 

configure proxy on clients 44 

domain name server settings 57 

explicit proxy 39 

FTP proxy settings 55 

Helix proxy 72 

high availabilty 44 

HTTP proxy settings 54 

ICAP server settings 56 

ICQ settings 58 

initial settings 37 

instant messaging 53 

network modes 38 

reverse HTTPS proxy 60 

settings 37 

transparent bridge 45 

transparent proxy 40 

transparent router 49 

WCCP settings 40 

Windows Live Messenger settings 58 

Yahoo settings 57 

Q 

quota management 

authorized override 149 

Authorized Override rule set 155 

blocking sessions 149 

Blocking Sessions rule set 157 

coaching 148 

Coaching rule set 153 

combined functions 149 

configure time quotas 158 

configure volume quotas 159 


rules 149 

session time 148 


time quota 147 

Time Quota rule set 149 

volume quota 147 

Volume Quota rule set 151 

R 

RADIUS, see authentication 

regex, see regular expressions 

regular expressions, see wildcard expressions 

roles 166 

rule 


action 86 


add rule 98 

complex criteria 88 

configure 96 

create sample rule 104 

criteria 86 

cycle 82 

edit rule 98 

elements 85 

event 86 

format on user interface 87 

module 85 

operand 86 

operator 86 

parameter 86 

process flow 83 

property 81, 86 

rule set 91 

Rule Sets tab 96 

samples 105 

structure 85 

rule set 

access restrictons 117 

add new rule set 109 

criteria 91 

cycles 91 

default system 92, 93 

error handling 92 

implement 92 

import 108 

library 91, 94 

logging 92 

nested 92 

own 92 

Rule Sets tab 96 

rules 91 

system 92 

wizard-created 92, 93 

S 

Save Changes 

button 30 

functions 32 

options 31 

scheduled jobs 

add job 264 

settings 264 

search 

button 30 

functions 31 

settings pane 30, 31 

setup 

import license 29 

logon 27 

physical appliance 21 


virtual appliance 24

SNMP monitoring 303 

SSL scanning 

Certificate Chain module 223, 227 

Certificate Verification rule set 218 

CERTVERIFY call 220 

client certificate authentication 136 

common name (proxy setup) 219 

common name (transparent setup) 221 


CONNECT call 217 

Content Inspection rule set 220 


Handle CONNECT call rule set 217 

lists 221 


modules 223 


rule sets 218 

rules 216 

SSL Client Context module 223, 225 

SSL Scanner module 223 

SSL Scanner rule set 216 

Verify Common Name (proxy setup) rule set 219 

Verify Common Name (transparent setup) rule set 221 

static routes 254 

sysconf daemon 17 

system architecture 

authentication module 16 

configurator 16 

coordinator 16 

core 16 


filter modules 16 

flow manager 16 

opener modules 16 


proxy module 16 

rule processing module 16 

sysconf daemon 17 

system files 256 

system information line 30, 31 

system management tools 33 

system settings 

configure settings 248 

date and time 249, 253 

file server 250 

license 251 

list of settings 248 

network interfaces 251 

network protection 253 

port forwarding 253 

static routes 254 

types 246 

T 

tabs 

Administrator Accounts 165 

Alerts 270 

Appliances 247 

Charts and Tables 273 

File Editor 256 

Lists 111 

Rule Sets 96 

Settings 115 

Template Editor 238 

top-level menus 

Accounts 31 

Configuration 31 

Dashboard 31 

Policy 31 

positions 30 

Troubleshooting 31 

transparent modes 

bridge 45 

router 49 

troubleshooting 

back up and restore 318 

connection tracing 317 

core file 316 

feedback file 316 

files 315 

methods 315 

network tools 318 

packet tracing 317 

TCP dump 317 

tools 315 

McAfee Web Gateway 7.1.5 Product Guide 377 

Index 

U 

URL filtering 

add URL category to blocking list 193 


extended lists 193 

filtering process 187 

Global Threat Intelligence system 195 

lists 191 

modify rule to block uncategorized URLs 191 

module 195 


proxy settings 197 

rules 188 

uncategorized URLs 190 

URL Filtering rule set 189 

User Database, see authentication 

user interface 

configuration support 32 

Help 30, 31 

logon 27 

Logout 30, 31 

main elements 30, 31 

navigation pane 30, 31 

Save Changes 30, 31, 32 

Search 30, 31

Index 

settings pane 30, 31 

system information line 30, 31 


tabs 30, 31 

top-level menus 30, 31 

user messages 

adapt 238 

settings 242 

Template Editor 238 

templates 237 

user-defined properties 

location on Rule Sets tab 96 

use in rule events 308, 309, 310, 311, 312 

V 

virtual appliance 24 

virus and malware filtering 

add media type to whitelist 179 

add wildcard expression to URL whitelist 178 

add wildcard expression to user agent whitelist 179 

Anti-Malware module 181 

Avira 181 

change whitelist used by rule 180 


engine, see Anti-Malware module 

filtering process 171, 173 

Gateway Antimalware rule set 175 

lists 177 

McAfee Anti-Malware module 181 

McAfee Gateway Anti-Malware module 181 

media types 179 

mobile code 183 

module 181 


proactive scanning 181 

rules 172 

sample rules 174 

scanning mode 181 

scanning module 181 

select different scanning mode 182 

submodules 181 

URLs 178 

user agents 179 

view implemented rules 172 

virus signatures 181 

wildcard expressions 178, 179 

virus, see virus and malware filtering 

W 

WCCP, see proxies 

web cache 

add media type to filter list 78 

add wildcard expression for URLs to filter list 78 

enabling 78 

lists 77 

media types 78 



Read from Cache rule set 75 

rules 75 

URLs 78 

wildcard expressions 78 

Write to Cache rule set 76 

Web Gateway, see appliance 

web security 

filtering 81 

policy 28 

rules 81 


glob expressions 367 

list of special glob characters 368 

list of special Regex characters 369 

regular expressions 367 

test 367 

Windows domain 138 

Windows Live Messenger, see instant messaging 

wizards 

initial configuration 25, 26 


Y 

Yahoo, see instant messaging

700-3299A00

Web Gateway 7.1.5 Product Guide - McAfee

Create successful ePaper yourself

Delete template?

Save as template?