Web Gateway 7.1.5 Product Guide - McAfee
Product Guide
McAfee® Web Gateway
version 7.1.5
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, Global Threat Intelligence, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents

Preface
About this guide
Audience
Conventions
Acronyms
Find product information

1 Introduction
Comprehensive web security for your network
Main functions of the McAfee Web Gateway appliance
Main administrator activities
Deployment of the McAfee Web Gateway appliance
Platform
Network integration
Administration and updates
Main components of the McAfee Web Gateway appliance
Appliance subsystems
Operating system
Filtering rules on the McAfee Web Gateway appliance
Rule sets for filtering
Lists and modules for filtering
Modifying the filtering process
Chapters of this guide

2 Setup and logon
Setting up the McAfee Web Gateway appliance
Setting up a physical appliance
Setting up a virtual appliance
Installing the appliance software
Logging on to the user interface
Implement a web security policy
Import a license
Working with the user interface
Main elements of the user interface
Configuration support functions
Setting up system management tools
Platform Confidence Test
SNMP Subagent
Remote Management Module and Baseboard Management Controller
Active System Console

3 Proxies and caching
Intercepting web traffic
Proxy settings
Web cache settings
Network modes
Explicit proxy mode
Transparent bridge mode
Transparent router mode
Common proxy settings
Configure common proxy settings
Proxies (HTTP(S), FTP, ICAP, and IM) system settings
Reverse HTTPS proxy configuration
Redirect HTTPS traffic in a transparent bridge or router configuration
Let the appliance listen to requests redirected by DNS entries
Handling SSL certificates in a reverse HTTPS proxy configuration
Optional settings for a reverse HTTPS proxy configuration
Providing proxy auto-configuration files
Make a .pac file available
Make a wpad.dat file available
Helix proxy configuration
Preventing data leaks
Data Leakage Prevention
Configure the ICAP server list
ICAP Client engine settings
Web caching
Rules for the web cache
Bypass lists for web caching
Verify the enabling of the web cache

4 Rules and rule sets
Filtering controlled by rules
About filtering
Modules for delivering filtering information
About rule elements
Main elements of a rule
Rules on the user interface
Complex criteria
Properties
Actions
Events
About rule sets
Rules in rule sets
Rule set cycles
Rule set criteria
Rule set library
Nested rule sets
Implementing a rule set system
Rule set systems
Rule configuration
Rule Sets tab
Adding a rule
Create a sample rule
Sample rules
Rule set configuration
Import a rule set
Add a new rule set
List maintenance
Lists tab
List types
Add a list
Add list entries
Inline lists
Action and engine settings
Settings tab
Types of settings
Add settings
Access restrictions

5 Authentication and access management
Filtering users
Authentication process
Standard authentication
Rules for authenticating users
Module for authenticating users
Membership in a Windows domain
Instant messaging authentication
IM Authentication
Modules for authenticating users of an instant messaging service
Cookie authentication
Cookie Authentication (rule set)
Module for cookie authentication
Quota management
Restricting web usage through quota management
Rules for quota management
Module settings for quota management
Quota system settings
Administrator accounts
Internal management of administrator accounts
Administrator roles
Configure external account management

6 Web filtering
Filtering web objects
Administering the filtering process
Functions for filtering web objects
Virus and malware filtering
Virus and malware filtering process
Rules for virus and malware filtering
Whitelists for virus and malware filtering
Module for virus and malware filtering
URL filtering
URL filtering process
Rules for URL filtering
Whitelist and blocking lists for URL filtering
Extended Lists for blocking URLs per category
Module for URL filtering
Different versions of URL category sets
Media type filtering
Rules for media type filtering
Lists for media type filtering
HTML filtering
Rules for HTML filtering
Sample lists for HTML filtering
Module for opening objects embedded in HTML pages
Global whitelisting
Rules for global whitelisting
Global whitelists
SSL scanning
Rules for SSL scanning
Lists for SSL scanning
Modules for SSL scanning
Supporting functions
Progress Indication
Bandwidth throttling
Next-hop proxies
User messages
Message templates
Adapt a user message template
Template Editor
Settings for message templates

7 System configuration
Configuring the appliance system
Initial setup system settings
System configuration after the initial setup
System settings
Appliances tab
Configure the system settings
Date and Time system settings
DNS system settings
File Server system settings
License system settings
Network system settings
Network Protection system settings
Port Forwarding system settings
Static Routes system settings
User Interface system settings
System files
File Editor tab
Database updates
Update database information manually
Schedule automatic engine updates
Automatic Engine Updates system settings
Central management
Configure central management settings
Add an appliance to a central management configuration
Central Management system settings

8 Monitoring
Monitoring the appliance
Monitoring functions
Troubleshooting functions
Dashboard
Access the dashboard
Alerts tab
Charts and Tables tab
Logging
Log file types
View log files
Log file handling using rules
Sample logging rule
Create a sample logging rule
Create a log handler
Use self-configured log files
Use of a property in a logging rule to record blocking key words
Configuring log file settings
Log file settings
Log handler rule sets
Performance measurement
View performance information
Properties for logging performance information
Using properties in rules to log performance information
Events for measuring performance in rule set processing
Using events in rules to measure processing time for rule sets
Properties for logging rule set processing time
Transferring data to an ePO server
Configure the data transfer
ePolicy Orchestrator system settings
Bypass ePO Requests
Event monitoring with SNMP
Configure SNMP monitoring
SNMP system settings
Error handling
View the rule sets for error handling
Error handling using error IDs
Error handling using incidents
Rule sets for error handling
Create an error handler<br />
9 Troubleshooting<br />
Troubleshooting appliance problems<br />
Files for recording appliance behavior<br />
Network tools<br />
Backup and restore files<br />
Create a feedback file<br />
Enable the creation of core files<br />
Enable the creation of connection tracing files<br />
Create a packet tracing file<br />
Use network tools<br />
Back up and restore the appliance configuration<br />
Appendix: Configuration lists<br />
List of actions<br />
List of error IDs<br />
List of events<br />
List of incident IDs<br />
List of properties<br />
Wildcard expressions<br />
Test a wildcard expression<br />
List of important special glob characters<br />
List of important special regex characters<br />
Index<br />
Preface<br />
About this guide<br />
This Product Guide describes the features and capabilities of McAfee® Web Gateway version 7.1.5,<br />
providing an overview of the product, as well as detailed instructions on how to set it up, configure, and<br />
maintain it.<br />
Audience<br />
This guide is intended for network and security administrators. It assumes familiarity with system<br />
administration, operating systems, networks, the Internet, and related terminology.<br />
Conventions<br />
When this guide mentions the appliance, this refers to the McAfee Web Gateway appliance. Other<br />
conventions used in the text are as follows:<br />
Table i-1 Conventions<br />
Convention | Description<br />
Monospace bold | Identifies commands and key words you type at a system prompt<br />
Monospace italic | Indicates a placeholder for text you type<br />
Monospace plain | Used to show text that appears on a computer screen<br />
Plain text italics | Identifies the names of files and directories; also used for emphasis (for example, when introducing a new term)<br />
Plain text bold | Identifies buttons, field names, and tabs that require user interaction<br />
[ ] | Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration)<br />
Note: | Used for a helpful suggestion or a reference to material not covered elsewhere in the guide<br />
Note: The screen captures and graphics used in this guide are for illustration purposes only. They are not<br />
intended to represent a complete or appropriate configuration for your specific needs. Features may be<br />
enabled in screen captures to make them clear; however, not all features are appropriate or desirable for<br />
your setup.<br />
Acronyms<br />
Acronyms used in this guide:<br />
Table i-2 Acronyms<br />
Acronym Description<br />
AC Alternating Current<br />
ASC Active System Console<br />
BMC Baseboard Management Controller<br />
BOS Basic OSCAR Service<br />
CA Certificate Authority<br />
CGI Common Gateway Interface<br />
CIDR Classless Inter-Domain Routing<br />
CLI Command Line Interface<br />
CN Common Name<br />
CPU Central Processing Unit<br />
CRL Certificate Revocation List<br />
DC Domain Controller<br />
DLP Data Leakage Prevention<br />
DHCP Dynamic Host Configuration Protocol<br />
DN Distinguished Name<br />
DNS Domain Name Server<br />
EDH Ephemeral Diffie-Hellman<br />
EFI Enhanced Firmware Interface<br />
ePO ePolicy Orchestrator<br />
FIPS Federal Information Processing Standard<br />
FTP File Transfer Protocol<br />
HA High Availability<br />
HTML Hypertext Markup Language<br />
HTTP Hypertext Transfer Protocol<br />
HTTPS Hypertext Transfer Protocol – Secure<br />
ICAP Internet Content Adaptation Protocol<br />
ICQ “I seek you” (Network Protocol)<br />
ID Identity, Identification, Identifier<br />
IM Instant Messaging/Messenger<br />
IP Internet Protocol<br />
ISO International Standards Organization<br />
JRE Java Runtime Environment<br />
LAN Local Area Network<br />
LDAP Lightweight Directory Access Protocol<br />
LOM Lights Out Management<br />
LRU Least Recently Used<br />
MIB Management Information Base<br />
MIME Multi-Purpose Internet Mail Extension<br />
MLOS McAfee Linux Operating System<br />
MTU Maximum Transmission Unit<br />
NAT Network Address Translation<br />
NTLM New Technology LAN Manager<br />
NTP Network Time Protocol<br />
OID Object ID<br />
OSCAR Open System for Communication in Real Time<br />
PAC Proxy Auto-Configuration<br />
PCT Platform Confidence Tool<br />
PD Persistent Database<br />
PEM Privacy-Enhanced Mail<br />
RAM Random Access Memory<br />
Regex Regular Expression<br />
RFC Request for Comments<br />
RMM Remote Management Module<br />
RTSP Real-Time Streaming Protocol<br />
SB Switchboard<br />
SMI Structure of Management Information<br />
SNMP Simple Network Management Protocol<br />
SSH Secure Socket Shell<br />
SSL Secure Socket Layer<br />
TLS Transport Layer Security<br />
TTL Time to Last<br />
URI Uniform Resource Identifier<br />
URL Uniform Resource Locator<br />
UUID Universal Unique Identifier<br />
VRRP Virtual Router Redundancy Protocol<br />
WCCP Web Cache Communication Protocol<br />
WPAD Web Proxy Auto-Discovery<br />
Find product information<br />
You can find additional product information at the following locations:<br />
Table i-3 Additional product information<br />
Information | Location<br />
Product Documentation (ServicePortal) | 1 Go to the McAfee Technical Support ServicePortal at: http://mysupport.mcafee.com<br />
2 Under Self Service, click Product Documentation.<br />
3 Select a Product, then a Version.<br />
4 Select a document.<br />
Product Documentation (Extranet) | 1 Go to the Extranet for McAfee Web Gateway at: https://extranet.webwasher.com/documentation_mwg7<br />
2 Enter your user name and password.<br />
3 Select a document.<br />
KnowledgeBase Answers and Articles | 1 Go to the McAfee Technical Support ServicePortal at: http://mysupport.mcafee.com<br />
2 Click one of the following:<br />
• Search the KnowledgeBase for answers to your product questions.<br />
• Browse the KnowledgeBase for articles listed by product and version.<br />
1 Introduction<br />
Contents<br />
Comprehensive web security for your network<br />
Deployment of the McAfee Web Gateway appliance<br />
Main components of the McAfee Web Gateway appliance<br />
Filtering rules on the McAfee Web Gateway appliance<br />
Chapters of this guide<br />
Comprehensive web security for your network<br />
The McAfee® Web Gateway appliance ensures comprehensive web security for your network. It protects<br />
your network against threats arising from the web, such as viruses and other malware, inappropriate<br />
content, data leaks, and related issues. It also ensures regulatory compliance and a productive work<br />
environment.<br />
The appliance is installed as a gateway that connects your network to the web. Following the<br />
implemented web security rules, it filters the requests that users send to the web from within your<br />
network.<br />
Responses sent back from the web and embedded objects sent with requests or responses are also<br />
filtered. Malicious and inappropriate content is blocked, while useful matter is allowed to pass through.<br />
Figure 1-1 Filtering web traffic<br />
Main functions of the McAfee Web Gateway appliance<br />
Filtering web traffic is a complex process. The main functions of the appliance contribute to it in<br />
different ways:<br />
• Filtering web objects — Special anti-virus and anti-malware functions on the appliance scan and<br />
filter web traffic and block web objects when they are infected. Other functions filter requested URLs,<br />
using information from the Global Threat Intelligence system, or do media type and HTML filtering.<br />
They are supported by functions that do not filter themselves, but do such jobs as counting user<br />
requests or indicating the progress made in downloading web objects.<br />
• Filtering users — This is done by the authentication functions of the appliance, using information<br />
from internal and external databases and methods such as NTLM, LDAP, RADIUS, Kerberos, and<br />
others. In addition to filtering normal users, the appliance also gives you control over administrator<br />
rights and responsibilities.<br />
• Intercepting web traffic — This is a prerequisite for any filtering of web objects or users. It is<br />
achieved by the gateway functions of the appliance, using different network protocols, such as HTTP,<br />
HTTPS, FTP, Yahoo, ICQ, and Windows Live Messenger. As a gateway, the appliance can run in explicit<br />
proxy mode or in transparent bridge or router mode.<br />
• Monitoring the filtering process — The monitoring functions of the appliance provide a continuous<br />
overview of the filtering process. They include a dashboard, displaying information on alerts, web<br />
usage, filtering activities, and system behavior, as well as logging and tracing functions and options<br />
to forward data to an ePolicy Orchestrator or do event monitoring with an SNMP agent.<br />
Main administrator activities<br />
The following are the main activities you need to complete when administering the appliance:<br />
• Perform the initial setup — You can set up the appliance on a physical hardware platform or on a<br />
virtual machine. The setup procedure includes the initial configuration of system parameters, such as<br />
host name and IP address, implementing an initial system of filtering rules, and licensing.<br />
Two wizards are available in this phase: one for the initial configuration, another for the filtering<br />
rules.<br />
• Configure the gateway functions — After the initial setup, explicit proxy mode and the HTTP<br />
protocol are preconfigured on the appliance. You can modify this and also configure other network<br />
components that the appliance communicates with.<br />
• Modify filtering rules — The filtering rules are the building blocks of your web security policy. You<br />
can review the system of filtering rules that has been implemented during the initial setup and modify<br />
it. Authentication is not implemented by default.<br />
Working on the filtering rules includes maintaining the lists that these rules use and configuring<br />
the settings for rule actions and for the modules involved in the filtering process.<br />
• Monitor the appliance — When you have configured the appliance according to your requirements,<br />
you can monitor it to see how it performs the filtering process. You can also monitor system functions,<br />
such as CPU and memory usage, number of active connections, and others.<br />
Deployment of the McAfee Web Gateway appliance<br />
Before you set up the McAfee Web Gateway appliance, consider how you want to use it. There are<br />
different options regarding the platform on which you can run it and for integrating it into your network.<br />
You can also set up multiple appliances and administer them as nodes in a central management<br />
configuration.<br />
Platform<br />
You can run the appliance on different platforms.<br />
• Hardware-based appliance — On a physical hardware platform<br />
• Virtual appliance — On a virtual machine<br />
Network integration<br />
In your network, the appliance can intercept, filter, and transmit web traffic in different modes.<br />
• Explicit proxy mode — The clients that the appliance communicates with are aware of it. You must<br />
configure them “explicitly” to direct their traffic to the appliance.<br />
• Transparent modes — The clients are not aware of the appliance.<br />
• Transparent bridge — The appliance acts as an “invisible” bridge between its clients and the<br />
web. You need not configure the clients for this.<br />
• Transparent router — The appliance routes traffic according to a routing table, which you need<br />
to fill out.<br />
Administration and updates<br />
You can administer the appliance and have updates distributed in different ways.<br />
• Standalone — Administer the appliance separately, without it receiving updates from other<br />
appliances<br />
• Central management — Set up the appliance as a node in a complex configuration and administer<br />
other nodes on its user interface, including the distribution of updates<br />
You can then also administer the appliance on other nodes and let it receive updates from them.<br />
Main components of the McAfee Web Gateway appliance<br />
The McAfee Web Gateway appliance uses several subsystems to provide filtering and other functions,<br />
based on its operating system.<br />
Appliance subsystems<br />
The subsystems of the appliance and their modules do the following:<br />
• Core subsystem — Provides a proxy module for intercepting web traffic and a rule module for<br />
processing the filtering rules that make up your web security policy<br />
This subsystem furthermore provides the modules (also known as engines) that do special jobs for<br />
the filtering rules and can be configured by you, for example, the Anti-Malware engine, the URL<br />
Filter engine, or the Authentication engine<br />
A flow manager module ensures efficient cooperation between the modules.<br />
• Coordinator subsystem — Stores all configuration data processed on the appliance<br />
This subsystem also provides update and central management functions.<br />
• Configurator subsystem — Provides the user interface (internal subsystem name is Konfigurator).<br />
Figure 1-2 Appliance subsystems and modules<br />
Operating system<br />
The subsystems of the appliance rely on the functions of its operating system, which is MLOS (McAfee<br />
Linux Operating System) version 1.0.<br />
The operating system provides functions for executing the actions that the filtering rules trigger, file<br />
and network reading and writing, and access control.<br />
A configuration daemon (sysconfd daemon) implements changed configuration settings in the operating<br />
system.<br />
Filtering rules on the McAfee Web Gateway appliance<br />
Rules control the filtering process on the appliance. Reviewing these rules lets you understand what the<br />
appliance does to ensure web security. You need not set up these rules yourself: a wizard can do this<br />
for you, according to your instructions, or a default system of rules is implemented. You can then still<br />
modify every detail of the implemented system.<br />
It is the job of the filtering rules to look at web objects before users of your network are allowed to<br />
access them and also at these users. These rules check the properties of objects and users and if, for<br />
example, an object is virus-infected or a user is not in an allowed user group, they block access to the<br />
object or prevent the user from completing further activities.<br />
Rule sets for filtering<br />
A rule usually works with other rules to do its job. For example, a whitelisting rule can work with a few<br />
blocking rules to do URL filtering. The whitelisting rule says which URLs are allowed and the blocking<br />
rules say which are not. Together, these rules are in a URL filtering rule set.<br />
The implemented system of rule sets is displayed on the Rule Sets tab of the user interface. When you<br />
review it, you will see rule sets there for URL filtering, virus and malware filtering, media type filtering,<br />
and other purposes. When you open a rule set, you will see the individual rules that are contained in it.<br />
Even a rule that works on its own, like a global whitelisting rule might do, is embedded in a rule set.<br />
Some rule sets have other rule sets nested within them. This way, for example, media type filtering can<br />
be split up between a nested rule set that filters media type uploads and another nested rule set that<br />
filters the downloads.<br />
Lists and modules for filtering<br />
Rules are interested in the properties of web objects and users. A blocking rule for URLs needs to know<br />
which categories URLs belong to, so it can block, for example, a URL that is in the online-shopping<br />
category and prevent the users of your network from accessing it.<br />
To get at the information they need, rules rely on:<br />
• Filter lists — A list can, for example, contain URLs of web sites for online shopping. When a user<br />
requests access to a particular URL, a blocking rule goes through the list to see if that URL is on it.<br />
• Special modules — Information on URL categories can be retrieved from the Global Threat<br />
Intelligence system. A module on the appliance communicates with this system and tells the blocking<br />
rule about its findings.<br />
Other modules scan web objects for infections, inspect certificates, check user credentials for<br />
authentication, or perform other activities related to web and user filtering.<br />
Modifying the filtering process<br />
You can modify the filtering process by working with the rules and rule sets that control it, as well as<br />
with the filter lists and the settings of the modules involved in this process. This includes:<br />
• Modifying filtering rules and rule sets — You can modify blocking, whitelisting, and other rules<br />
and group them in rule sets as is appropriate for your network.<br />
• Maintaining filter lists — You can add new items to blocking lists and whitelists, as they emerge,<br />
and remove others that do not need special attention anymore.<br />
• Configuring module settings — You can configure settings to determine the way the modules on<br />
the appliance do their jobs, for example, use particular methods for detecting malware.<br />
The chapters of this guide provide information on all these activities. They explain general concepts,<br />
give step-by-step descriptions of key procedures, and inform you about the details of individual rules,<br />
lists, and module settings.<br />
Chapters of this guide<br />
The chapters of this guide deal with the main functions of the appliance and related subject matter in<br />
the following ways:<br />
• About the McAfee Web Gateway appliance — Introduces the appliance and provides overviews<br />
of main functions, administrator activities, deployment options, and system architecture<br />
• Setup and Logon — Explains how you set up the appliance and complete first steps up to the point<br />
where you configure proxy, authentication, and filtering functions<br />
This includes information on the installation and the initial configuration of system parameters.<br />
The chapter goes on to explain how you log on to the appliance and implement an initial system of<br />
filtering rules. An overview of the user interface is also provided.<br />
• Proxies and Caching — Explains how you configure the gateway functions of the appliance to let it<br />
run in explicit proxy or transparent mode, using different network protocols<br />
This enables the appliance to intercept web traffic and apply authentication and other filtering<br />
functions to it. Use of the web cache is also explained.<br />
• Rules and Rule Sets — The authentication and filtering functions that give you control over who<br />
accesses the web from within your network and what web objects can be accessed depend on the<br />
implemented web security rules.<br />
This chapter explains in general how these rules work. It provides information on the rule sets that<br />
contain them and the filtering process that they contribute to. It tells you how to modify and<br />
create rules and rule sets and how to maintain and configure the lists and modules that the rules<br />
rely on.<br />
• Authentication and Account Management — Explains how you configure rules, lists, and modules<br />
for the authentication functions of the appliance<br />
The options for setting up accounts and privileges for administrators are also explained.<br />
• Web Filtering — Explains how you configure rules, lists, and modules for filtering web objects on the<br />
appliance<br />
The filtering process uses main functions, such as virus and malware or URL filtering, and<br />
supporting functions like counting user requests or progress indication for downloads. Messages to<br />
users that inform them about filtering activities of the appliance are also explained.<br />
• System Configuration — Explains how you configure functions of the appliance system, such as<br />
domain name services, port forwarding, or static routes<br />
Some of these are already configured at the initial setup. Functions for running appliance systems<br />
as nodes in a central management configuration are also explained.<br />
• Monitoring — Explains how to monitor alerts, web usage, filtering activities, and key system<br />
parameters, using the dashboard and several log files, as well as external systems, such as the ePolicy<br />
Orchestrator<br />
• Troubleshooting — Explains the functions the appliance provides for troubleshooting, such as the<br />
use of core files or TCP dumps<br />
The chapter also explains how you create a backup of the appliance configuration.<br />
2 Setup and logon<br />
Contents<br />
Setting up the McAfee Web Gateway appliance<br />
Logging on to the user interface<br />
Working with the user interface<br />
Setting up system management tools<br />
Setting up the McAfee Web Gateway appliance<br />
You can set up McAfee Web Gateway as a physical or virtual appliance.<br />
Before setting up the appliance, make sure you read the release notes for the current product version,<br />
for example, 7.1.5, which provide information on known issues.<br />
The release notes are available on the McAfee Technical Support ServicePortal at<br />
http://mysupport.mcafee.com.<br />
On this portal, proceed as follows:<br />
1 In the Self Service area, click <strong>Product</strong> Documentation.<br />
2 Select Web Gateway and version 7.1.<br />
3 From the document list that appears, select the current version of the Release Notes.<br />
Setting up a physical appliance<br />
When you have chosen to run McAfee Web Gateway as a physical appliance, the appliance software is<br />
delivered to you on a hardware platform.<br />
If you do not want to use this software, you can also download a different software version from the<br />
Extranet for McAfee Web Gateway and install it using a USB drive.<br />
Check your shipment<br />
Make sure you received the items needed for the setup:<br />
• McAfee Web Gateway appliance (models vary)<br />
• Power cord<br />
• Network cables<br />
• USB-PS/2 adapter cable (if you use a PS/2 keyboard for the initial configuration)<br />
Gather necessary materials<br />
You must provide the following:<br />
• Standard VGA monitor and PS/2 keyboard<br />
or Serial console<br />
• Administration system with:<br />
• Windows or Linux operating system<br />
• Java Runtime Environment (JRE) version 1.6 or later<br />
• Microsoft Internet Explorer version 6.0 or later<br />
or Mozilla Firefox version 2.0 or later<br />
• Network cables<br />
To perform the installation with:<br />
• The software that was delivered to you on the hardware platform, continue with Connect and turn on<br />
the appliance.<br />
• Software you downloaded from the Extranet, continue with Installing downloaded software using a<br />
USB drive.<br />
Connect and turn on the appliance<br />
To begin with the installation:<br />
1 Connect the appliance to power and the network.<br />
2 Connect a monitor and keyboard or a serial console to the appliance.<br />
3 Turn on the appliance. The installer menu appears.<br />
Continue with Installing the appliance software.<br />
Installing downloaded software using a USB drive<br />
If you do not want to use the software that was shipped to you on the hardware platform for setting up<br />
the appliance, you can download a different version from the Extranet for <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> and<br />
use a USB drive to install it.<br />
Tools for copying the appliance software to a USB drive<br />
To copy the appliance software to a USB drive, you can use different tools.<br />
For example, you can use the dd tool, which is provided with the Linux operating system. The command<br />
syntax is:<br />
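dd if=[image_file] of=[usb_device] bs=16k<br />
where [image_file] is the downloaded appliance software image, [usb_device] is the device name of the USB drive, and bs is the size of a data chunk that is buffered in memory during the transfer.<br />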
Note: You need to be logged in as root administrator to execute the command. Also be aware that the copy<br />
operation will completely overwrite everything that was stored on the drive.<br />
For cygwin (Windows), the syntax of the dd command is the same. You can use the following command<br />
to find out what the USB device name is for your appliance drive:<br />
cat /proc/partitions<br />
If you do not want to use cygwin, you may also obtain dd for Windows from the Intel Software Network<br />
site.<br />
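The dd copy described above, wrapped in checks before and after the write, as an added example that is not part of the original guide. The function names, the sysfs removable-flag check, and the optional expected SHA-256 value are assumptions of this example; the guide itself does not mention a published checksum.

```shell
#!/bin/sh
# Added example, not from the product guide: copy an appliance image to a USB
# drive with the guide's dd syntax and confirm that the drive holds the image.
# All function names are hypothetical. Run as root: usb_write.sh IMAGE DEVICE

# SHA-256 of the first $2 bytes of $1 (regular file or block device).
sha256_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Size of a regular file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds if image $1 hashes to $2. Assumption: you hold a SHA-256 value for
# the download from a trusted source; the guide does not mention one.
matches_expected() {
    [ "$(sha256_prefix "$1" "$(file_size "$1")")" = "$2" ]
}

# Succeeds only if $1 is a whole-disk block device that the kernel flags as
# removable and that has no mounted partitions. dd overwrites the target
# completely, so this guards against naming a system disk by mistake.
# (USB hard disks often report removable=0 and are rejected here.)
is_safe_usb_target() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "not a block device: $dev" >&2
        return 1
    fi
    name=$(basename "$dev")
    if [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev is not flagged as removable" >&2
        return 1
    fi
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev or one of its partitions is mounted" >&2
        return 1
    fi
    return 0
}

# Succeeds if the first bytes of target $2 (as many as the image has) are
# identical to image $1. The drive is normally larger than the image, so only
# the image-sized prefix is compared.
verify_copy() {
    size=$(file_size "$1")
    [ "$(sha256_prefix "$1" "$size")" = "$(sha256_prefix "$2" "$size")" ]
}

# Copy image $1 to target $2 with the block size given in the guide, flush
# buffered writes, then read the data back and compare. The read-back can be
# served from the page cache; re-insert the drive and call verify_copy again
# for a check against the medium itself.
write_image() {
    dd if="$1" of="$2" bs=16k 2>/dev/null || return 1
    sync
    verify_copy "$1" "$2"
}

# Entry point: only acts when called with IMAGE and DEVICE arguments.
if [ "$#" -eq 2 ]; then
    if is_safe_usb_target "$2" && write_image "$1" "$2"; then
        echo "image written and verified on $2"
    else
        echo "copy aborted or verification failed" >&2
        exit 1
    fi
fi
```

If a SHA-256 value for the download is available, call matches_expected on the image before writing it.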
Prepare installation from a USB drive<br />
To install the appliance software using a USB drive, begin with the following:<br />
1 Go to the Extranet for <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> and download a USB-format version of the appliance<br />
software.<br />
2 Copy the appliance software to a USB drive.<br />
For more information, see Tools for copying the appliance software to a USB drive.<br />
Install the appliance software from a USB drive<br />
When you have the appliance software on your USB drive ready for installation, continue as follows:<br />
1 Connect the appliance to power and the network.<br />
2 Connect a monitor and keyboard or a serial console to the appliance.<br />
3 Insert the USB drive into the appliance.<br />
4 Turn on the appliance. The installation starts.<br />
5 During the start phase, select the installation device:<br />
• If your appliance model is WG4500B, WG5000B, or WG5500B, press F6 to enter the Boot Manager<br />
and select USB Drive. The appliance software is installed on the appliance.<br />
• If your appliance model is WG4000B:<br />
a Press F2 to enter the BIOS setup menu.<br />
b Go to Boot Options.<br />
c Select Hard Disk Order and then the option that assigns the USB drive the highest priority.<br />
d Select the Exit tab.<br />
e Select Discard Changes.<br />
Note: Do not use Discard Changes and Exit here.<br />
f Go to Boot Manager.<br />
g Select USB Drive. The appliance software is installed on the appliance.<br />
• If your appliance model is not one of those specified above, press F11 to enter the Boot Manager and<br />
select USB Drive. The appliance software is installed on the appliance.<br />
Continue with Logging on to the user interface.<br />
Setting up a virtual appliance<br />
To run <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> as a virtual appliance, you need to obtain an ISO image of the appliance<br />
system and install it on a virtual machine.<br />
Requirements for setting up a virtual appliance<br />
To set up <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> as a virtual appliance, you need the following:<br />
• One of the following VMware® types:<br />
• VMware ESX®<br />
• VMware ESXi®<br />
• VMware workstation version 5.5 or later<br />
• Virtual machine host system with the following requirements:<br />
• CPU: 64-bit capable<br />
• Virtualization extension: VT-x/AMD-V<br />
• Virtual machine with the following requirements:<br />
• Memory: 4 GB<br />
• Hard-disk space: 200 GB<br />
• CPU cores: 2 (minimum)<br />
Set up a new virtual machine<br />
When you have obtained the ISO image of the appliance system, you can install it on a virtual machine.<br />
1 Start VMware.<br />
2 Set up a new virtual machine.<br />
The procedures for setting up a virtual machine differ for each VMware type. When setting up<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> as a virtual appliance, make sure you configure the settings listed in the<br />
following table.<br />
Note: For parameters that are not listed, use the default values given in the procedures. Parameter names<br />
can also differ in each procedure.<br />
Table 2-1 Virtual machine settings<br />
Parameter: Value<br />
Configuration type: Typical | Advanced (recommended for virtual appliance setup)<br />
Installation mode: Install from disk | ISO image (required for virtual appliance setup) | Install later<br />
Operating system: Linux (64 bit) version 2.6<br />
Memory: 4 GB (recommended)<br />
Hard-disk space: 200 GB (recommended)<br />
Number of processors: 1 | 2 (minimum requirement) | 4 | ...<br />
Note: The number of processors provided for selection depends on the equipment of the host system that is used for setting up the virtual appliance.<br />
Network connection mode: Bridged (recommended) | NAT | ...<br />
CD/DVD drive with assigned ISO image: /<br />
SCSI controller (for some ESX versions): BusLogic Controller (recommended) | LSI Logic Controller<br />
3 Turn on the virtual machine. The installer menu appears.<br />
Continue with Installing the appliance software.<br />
Installing the appliance software<br />
After you turn on the appliance, the installer menu appears. It includes an option for using a wizard to<br />
implement your own initial configuration settings.<br />
Before you select an installation mode, review the default settings. They are implemented on the<br />
appliance if you do not use the wizard.<br />
The following table shows these settings:<br />
Table 2-2 Default settings for the initial configuration<br />
Parameter Value<br />
Primary network interface eth0<br />
Autoconfiguration with DHCP yes<br />
Host name mwgappl<br />
Root password webgateway<br />
Remote root logon with SSH off<br />
Default gateway <br />
DNS server <br />
Select a mode and install the appliance software<br />
The installer menu allows you to select a mode for installing the appliance software.<br />
The following table explains the menu options:<br />
Table 2-3 Installer menu<br />
Option: Definition<br />
1 – serial console (with configuration wizard): System output is displayed on a serial console. When the appliance software is successfully installed in standard mode, the appliance restarts and displays a wizard for implementing the initial configuration settings.<br />
2 – video console (with configuration wizard): System output is displayed on a video console. When the appliance software is successfully installed in standard mode, the appliance restarts and displays a wizard for implementing the initial configuration settings.<br />
3 – serial console: System output is displayed on a serial console. When the appliance software is successfully installed in standard mode, the appliance restarts and waits for your confirmation to complete the installation.<br />
4 – video console: System output is displayed on a video console. When the appliance software is successfully installed in standard mode, the appliance restarts and waits for your confirmation to complete the installation.<br />
5 – FIPS 140-2 level 2: Opens a submenu for installing the appliance software in FIPS compliant mode:<br />
• 1 – FIPS 140-2 level 2 (serial): Installation in this mode disables logon to the appliance using SSH or from a console and implements other features required for FIPS compliance. System output is displayed on a serial console. When the appliance software is successfully installed, the appliance waits for your confirmation to complete the installation.<br />
• 2 – FIPS 140-2 level 2 (Configuration Wizard/serial): As option 1, but with configuration wizard.<br />
• 3 – FIPS 140-2 level 2 (Enforce Self Failed Test/serial): Recovers the appliance when a FIPS self-test has failed after starting option 1 or 2. After the recovery, use one of these options to repeat the installation.<br />
• 4 – FIPS 140-2 level 2 (video): As option 1, but with system output on a video console.<br />
• 5 – FIPS 140-2 level 2 (Configuration Wizard/video): As option 4, but with configuration wizard.<br />
• 6 – FIPS 140-2 level 2 (Enforce Self Failed Test/video): Recovers the appliance when a FIPS self-test has failed after starting option 4 or 5. After the recovery, use one of these options to repeat the installation.<br />
9 – Boot from hard disk: The appliance restarts with software that is already installed on a hard disk of the appliance.<br />
To install the appliance software:<br />
1 Select a mode and press ENTER. The appliance software is installed on the appliance.<br />
2 Complete the installation:<br />
• If you have selected a mode without configuration wizard, confirm when prompted to complete the<br />
installation. The appliance runs with default initial configuration settings.<br />
Continue with Logging on to the user interface.<br />
• If you have selected a mode with configuration wizard, continue with Implement your own initial<br />
configuration settings.<br />
Implement your own initial configuration settings<br />
If you have selected an installation mode with configuration wizard to implement your own initial<br />
configuration settings, the wizard appears after the appliance software is installed.<br />
To implement your own settings:<br />
1 Use the wizard windows to configure the following:<br />
• Primary network interface<br />
• IP address, entered manually or configured dynamically by DHCP<br />
• Host name<br />
• DNS server<br />
2 Review the summary that is displayed after configuring the host name.<br />
• If you approve of the summary, confirm and configure the remaining settings:<br />
• Root password<br />
Note: In a FIPS-compliant mode, this option is not available.<br />
• Remote logon with SSH<br />
Note: In a FIPS-compliant mode, this option is not available.<br />
The initial configuration is completed with your settings and the IP address is displayed.<br />
Continue with Logging on to the user interface.<br />
• If you need to make changes, click Cancel and return to step 1.<br />
Logging on to the user interface<br />
You log on to the user interface and administer the appliance through a browser on an administration<br />
system.<br />
The first time you log on, you also need to implement a web security policy and import a license.<br />
To log on to the user interface:<br />
1 Open the browser of your administration system and go to:<br />
http://[IP address]:4711<br />
or https://[IP address]:4712<br />
where [IP address] is the address configured during the initial configuration.<br />
Note: Under HTTPS, accept the self-signed certificate that appears.<br />
A logon window opens.<br />
2 Enter admin as the user name and webgateway as the password.<br />
After a successful logon, proceed as follows:<br />
Note: While you are logged on, you should not use your browser to log on to the same appliance again.<br />
Continue with Implement a web security policy.<br />
Implement a web security policy<br />
The first time you log on to the user interface after the initial configuration of the appliance, a policy<br />
creation wizard appears. You can use this wizard to create a web security policy for your network,<br />
according to your selections.<br />
You can also choose not to make any selections and have a default policy implemented.<br />
In the wizard window, do one of the following to implement a policy:<br />
• Select values for organization, location, and a level of permission or restriction. Then click OK. A web<br />
security policy is implemented accordingly.<br />
Note: Your location and organization selections are used to implement standard whitelists and<br />
recommended blocking lists. Your selection regarding permission or restriction is used to implement<br />
filtering rules.<br />
• Click Default. A default web security policy is implemented.<br />
Figure 2-1 Policy creation wizard<br />
Continue with Import a license.<br />
Import a license<br />
The first time you log on to the user interface after the initial configuration of the appliance, you also<br />
need to import a license. This is done after implementing a web security policy.<br />
To import a license:<br />
1 On the user interface, go to Configuration | Appliances and select License. Settings for importing<br />
a license appear on the settings pane.<br />
2 Under Import License, click end user license agreement and review the agreement. Then select<br />
the checkbox in the same line. The License File input field and the Browse button become available.<br />
3 Click Browse and browse to the location where your license file is stored. Select the file and click<br />
Activate. The license is imported and license information appears below the input field.<br />
An automatic update of important information for the appliance modules, for example, virus signatures,<br />
is started after the initial configuration. It can take several minutes.<br />
Note: During this update, you cannot use the appliance as a proxy to access the web from the user interface.<br />
Attempts to do so will lead to an error message stating that a module, for example, the Anti-Malware engine,<br />
cannot be loaded (because updated information is needed for this).<br />
For more information on how to administer the appliance on the user interface, see Working with the<br />
user interface.<br />
Working with the user interface<br />
The main elements of the user interface are the system information line, several bars and buttons, the<br />
navigation pane, and the settings pane.<br />
Figure 2-2 Main elements of the user interface (callouts: system information line, top-level menu bar, tab bar, toolbar (on tab), navigation pane (on tab), Logout and Help buttons, Search and Save Changes buttons, settings pane (on tab))<br />
Main elements of the user interface<br />
The following table describes the main elements of the user interface.<br />
Table 2-4 Main elements of the user interface<br />
Option: Definition<br />
System information line: Displays system and user information<br />
Top-level menu bar: Lets you select one of the following menus:<br />
• Dashboard — Provides an overview of alerts, web usage, filtering activities, and system behavior. For more information, see Dashboard.<br />
• Policy — For configuring your web security policy. For more information, see Rule Sets tab, Lists tab, and Settings tab.<br />
• Configuration — For configuring the system settings of the appliance. For more information, see System configuration.<br />
• Accounts — For managing administrator accounts. For more information, see Administrator accounts.<br />
• Troubleshooting — For solving problems on the appliance. For more information, see Troubleshooting.<br />
Tab bar: Provides the tabs of the currently selected top-level menu<br />
Toolbar (on tab): Provides varying tools (depending on the selected tab)<br />
Navigation pane: Provides tree structures of configuration items, such as rules, lists, and settings<br />
Settings pane: Provides the settings of the item currently selected on the navigation pane for editing<br />
Logout: Lets you log off from the user interface<br />
Help: Opens the online help. The chapters and sections of this <strong>Product</strong> <strong>Guide</strong> are provided there. You can browse through its pages or navigate on a tree structure and perform a full text search or search for index terms.<br />
Search: Opens the Search window with the following options:<br />
• Search for objects — Lets you search for rule sets, rules, lists, and settings. Typing a search term in the input field displays all objects with names matching the search term.<br />
• Search for objects referring to — Lets you select a list, property, or settings and displays all rules that use the selected item.<br />
Save Changes: Lets you save your changes. For more information, see Configuration support functions.<br />
Configuration support functions<br />
The user interface provides several functions to support your configuration activities.<br />
Table 2-5 Configuration support functions<br />
Option: Definition<br />
Input reminder<br />
(icon): Appears attached to the name of a list that is still empty and needs to be filled by you. Some filter lists are created, but not filled by the wizard because they are too sensitive.<br />
Input information<br />
Yellow text insert: Appears when you move your mouse pointer over an item on the user interface providing information on the meaning and usage of the item<br />
Input responses<br />
(icon): Appears in a window when the input you entered is valid<br />
(icon): Appears in a window when the input you entered is invalid<br />
Message text: Appears with the red symbol providing information on your invalid input<br />
Light red color of input field: An input field is filled out in light red if you enter invalid input.<br />
Change reminders<br />
Save Changes: The button turns red when you change an item. It turns gray again when you have saved your changes.<br />
(icon): Appears attached to tabs, icons, and list entries when you have changed an item and not yet saved. For example, when you have changed a rule, the small red triangle appears:<br />
• In the row of the rule entry<br />
• On the symbol of the rule set<br />
• On the projection of the rule sets tab<br />
• On the Policy icon of the top-level menu bar<br />
Unsaved Changes message: Appears if you attempt to log out without having saved your changes. You have two options then:<br />
• Yes — Log out without saving<br />
• No — Acknowledge and save
Setting up system management tools<br />
When setting up a physical appliance, you can also set up several tools for managing the appliance<br />
system:<br />
• Platform Confidence Test (PCT)<br />
• Simple Network Management Protocol (SNMP) Subagent<br />
Additionally available for the WG5000B and WG5500B appliance models are:<br />
• Remote Management Module (RMM)<br />
• Baseboard Management Controller (BMC)<br />
• Active System Console (ASC)<br />
Platform Confidence Test<br />
The Platform Confidence Test tool (PCT) assists you in detecting hardware errors. For each appliance<br />
model, there is a particular version of the tool.<br />
Set up PCT<br />
To set up the Platform Confidence Test tool:<br />
1 Download the appropriate tool version from the <strong>McAfee</strong> Extranet for <strong>Web</strong> <strong>Gateway</strong>.<br />
Note: Tool versions are available there in zipped format.<br />
2 Extract the content of the downloaded zip file into the root directory of a USB drive. The drive must<br />
be formatted in Microsoft DOS mode.<br />
3 Attach the USB drive to your appliance.<br />
4 Restart the appliance.<br />
5 When prompted, press F2 to enter the setup menu.<br />
6 Go to Server Management | Console Redirection and make sure Console Redirection is disabled.<br />
7 Go to Boot Manager and select EFI Shell.<br />
The appliance is restarted in EFI shell mode. EFI runs the startup.nsh procedure from the USB<br />
drive and displays a diagnostics menu.<br />
To terminate the diagnostic cycle, press F10.<br />
Retrieve diagnostic information with PCT:<br />
To retrieve diagnostic information with the Platform Confidence Test tool:<br />
1 From the diagnostics menu of the tool, select a test type.<br />
Note: The network test requires that the appliance is not plugged in to any network. To test the network<br />
interface ports, you can connect any port to another port in the same system using a cross-over cable.<br />
The test is executed and the result written into a log file on a RAM disk. The name of the log file is<br />
result.log.<br />
It is recommended that after the comprehensive or comprehensive looping test you do a full AC<br />
power cycle (by removing power from the system) before you continue. This resets all controllers<br />
and ensures they are running in an expected mode.<br />
2 Copy the result.log file to the USB drive:<br />
a Run the map command.<br />
b Identify your USB drive in the list that is displayed. Then enter the following command:<br />
cp result.log blk0: <br />
In the above command, blk0 is a device parameter that is required when using a USB drive.<br />
Different device parameters can be specified here in some cases.<br />
SNMP Subagent<br />
When SNMP (Simple Network Management Protocol) monitoring is implemented on your appliance, you<br />
can use the SNMP Subagent to retrieve additional information on hardware parameters, such as<br />
general status and sensor values.<br />
The SNMP Subagent provides object IDs (OIDs) that belong to a MIB (Management Information Base)<br />
tree structure for hardware items. These can be queried using the SNMP functions on your appliance.<br />
To enable the subagent, run the following command from a system console:<br />
snmpsa-enable<br />
Note: Running this command can cause the appliance to stop processing web traffic for a few seconds.<br />
To disable the subagent, use the snmpsa-disable command.<br />
For more information on SNMP monitoring, see Event monitoring with SNMP.<br />
Remote Management Module and Baseboard Management Controller<br />
The Remote Management Module (RMM) is available on the WG5000 and WG5500 appliances. Its<br />
current version is RMM3. The tool provides functions for remote access to the appliance system and<br />
monitoring key functions.<br />
Together with this tool, you can set up the Baseboard Management Controller (BMC), which delivers<br />
information that is used both by the Remote Management Module and the Active System Console.<br />
The user interface of the Remote Management Module includes tabs for system overview, server health,<br />
and other monitoring functions.<br />
On the Remote Console tab, you find a remote access console, which you can use for completing<br />
remote jobs, for example, LOM (Lights Out Management) jobs. The console also allows you to mount<br />
local drives remotely or distribute ISO images.<br />
The console is completely Java-based. It works well on Microsoft Windows and Linux operating<br />
systems, but not on Apple Mac OS X. The systems you want to access from the console must have<br />
Java Runtime Environment (JRE) version 1.6 installed.<br />
Set up the RMM and BMC tools<br />
To set up the Remote Management Module and Baseboard Management Controller:<br />
1 Connect the RMM and BMC on the rear panel of your appliance box to the network.<br />
2 Restart the appliance.<br />
3 During the start phase, press F2. The setup menu appears.<br />
4 Go to Server Management and select BMC LAN Configuration.<br />
5 Under Baseboard LAN configuration, configure an IP address, a subnet mask, and a gateway IP<br />
address.<br />
6 Under Intel (R) RMM3 LAN configuration, configure an IP address, a subnet mask, and a gateway<br />
IP address.<br />
7 Under User configuration, configure a user name and password to allow an initial user access to<br />
the Remote Management Module.<br />
8 Press F10 and in the dialog window that appears, click Yes to save your changes.<br />
The Remote Management Module is now available for system management activities. You can access<br />
the tool through the IP address you configured.<br />
For information on where the RMM and BMC interfaces are located on the rear panels of the WG5000<br />
and WG5500 appliance boxes, see the <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> Port Identification <strong>Guide</strong>.<br />
For more information on the Remote Management Module, refer to: http://www.intel.com/products/server/software/rmm/rmm-overview.htm.<br />
Active System Console<br />
The Active System Console (ASC) is a web-based debugging tool. It provides information on hardware<br />
errors involving chassis, storage, cooling, processors, memory, power supply, and other functions.<br />
Errors are detected by the BMC (Baseboard Management Controller) through accessing the system<br />
event log and sensor data records on your appliance.<br />
The tool also enables you to send hardware data to the <strong>McAfee</strong> support team. Furthermore, it allows<br />
you to configure some BMC functions, such as the IP address or trap and email communication.<br />
Set up ASC<br />
To set up the Active System Console tool:<br />
1 On a system console, run the following command:<br />
asc-enable<br />
2 When prompted, create an administrator password.<br />
Note: If a message on strong password setting is displayed, respond according to your requirements.<br />
After the password has been set, the Active System Console is started.<br />
3 Use a web browser to access the ASC user interface under:<br />
https://[IP address]:9393<br />
The next time the appliance is started, the Active System Console is started with it<br />
automatically.<br />
To disable the Active System Console, use the asc-disable command.<br />
For more information, see the help information on the ASC user interface and the user documentation<br />
that is provided with the new hardware platforms.<br />
Information on the Active System Console and other system management tools for use on your<br />
appliance is also available at: http://www.intel.com/Products/Server/Software/sysmgmt/sysmgmt-overview.htm.<br />
3<br />
Proxies and caching<br />
Contents<br />
Intercepting web traffic<br />
Network modes<br />
Common proxy settings<br />
Reverse HTTPS proxy configuration<br />
Providing proxy auto-configuration files<br />
Helix proxy configuration<br />
Preventing data leaks<br />
<strong>Web</strong> caching<br />
Intercepting web traffic<br />
The <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> appliance is installed as a gateway that intercepts and filters web traffic to<br />
ensure web security for your network. It does this in explicit proxy mode or in transparent mode, using<br />
particular network protocols.<br />
The sections of this chapter tell you how to configure the use of network modes and protocols. They<br />
also tell you how to configure the web cache, which stores frequently requested objects locally to speed<br />
up browsing.<br />
Proxy settings<br />
You can review and modify the settings for the proxy functions on the Appliances tab of the<br />
Configuration top-level menu under Proxies (HTTP(S), FTP, ICAP, and IM).<br />
After the initial setup, these settings have preconfigured values. The most important are:<br />
• Network mode — Explicit proxy<br />
• Network protocol — HTTP<br />
If you keep the explicit proxy mode, you need to configure the clients of the appliance, so that they<br />
direct their requests for web access to it. This applies also to a proxy-chain configuration when the<br />
appliance is not immediately connected to a client.<br />
If you modify the preconfigured settings, you might not need to configure clients in this way, but other<br />
network components that are then involved.<br />
For more information, see Network modes and Common proxy settings.<br />
<strong>Web</strong> cache settings<br />
The web cache settings are part of the proxy settings. You can review and modify both on the same tab<br />
of the user interface.<br />
The web cache is by default enabled after the initial setup, but its use is controlled by web security<br />
rules. A web cache rule set must be implemented with rules for writing to the cache and reading from<br />
it.<br />
You can review the implemented rule sets on the Rule Sets tab of the Policy top-level menu. If no<br />
web cache rule set is implemented, you can import one from the rule set library or create a web cache<br />
rule set with rules of your own.<br />
For more information, see <strong>Web</strong> caching.<br />
Network modes<br />
The appliance can operate in different network modes to intercept and filter web traffic. This section<br />
explains these modes and tells you how to configure them.<br />
• Explicit proxy mode — In this mode, the clients of the appliance are generally aware of its<br />
existence. You can use one of the following options to implement this mode:<br />
• Proxy — This is the explicit proxy mode proper. It is preconfigured on the appliance.<br />
Optionally, you can configure this mode to let it use several transparent features.<br />
For example, you can configure the use of WCCP services. Requests sent from clients can then<br />
be directed to the appliance by these services and back from web servers to the appliance. The<br />
clients are not aware of these redirections.<br />
You can also configure a method for using client IP addresses that is known as IP address<br />
spoofing (IP spoofing). Client requests that are intercepted on the appliance are then passed on<br />
to web servers with their original source addresses, not with that of the appliance.<br />
• Proxy HA — The appliance operates as an explicit proxy that is configured as a part of a<br />
high-availability configuration.<br />
• Transparent bridge mode — Clients are unaware of the appliance, which serves as an (invisible)<br />
bridge between a firewall and the rest of your network.<br />
• Transparent router mode — Clients are unaware of the appliance, which serves as a router in your<br />
network, directing web traffic according to a routing table.<br />
Explicit proxy mode<br />
This section explains the explicit proxy mode and how to configure it on the appliance and its clients.<br />
In this mode, the clients that have their web traffic filtered by the appliance “know” they are connected<br />
to it. They must explicitly be configured to direct their web traffic to the appliance.<br />
If this is ensured, it is less important where the appliance is deployed within your network. Typically, it<br />
is placed behind a firewall and connected to its clients and the firewall by a router.<br />
The following diagram shows a configuration in explicit proxy mode:<br />
Figure 3-1 Explicit proxy mode<br />
Configure the explicit proxy mode<br />
This section tells you how to configure the explicit proxy mode for the appliance.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure settings for and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 Under Network Setup, select one of the options for the explicit proxy mode:<br />
• Proxy — For the explicit proxy mode proper<br />
Note: This option is preconfigured after the initial setup. When it is selected, specific settings for<br />
configuring a proxy mode with transparent features appear below the Network Setup settings.<br />
• Proxy HA — For an explicit proxy mode with high-availability functions<br />
Note: After selecting this option, specific Proxy HA settings appear below the Network Setup settings.<br />
4 Configure specific and common settings for the selected option as needed.<br />
5 Click Save Changes.<br />
For more information, see Transparent Proxy and Common proxy settings.<br />
Transparent Proxy<br />
Settings for configuring a proxy mode with transparent features<br />
Supported client redirection methods — Methods for intercepting web traffic and directing it to the<br />
appliance<br />
• WCCP — When selected, client requests sent to web servers under the IPv4 protocol are intercepted<br />
by an additional network device and directed to the appliance using the WCCP protocol. In the same<br />
way, responses from web servers are directed back to the appliance. The clients are not aware of this<br />
redirection; it remains transparent for them.<br />
Note: WCCP version 2 must be used on the appliance.<br />
To use the WCCP redirection method, you need to configure one or more WCCP services on the<br />
appliance. You also need to configure the network device that intercepts the client requests and<br />
server responses. This device can be configured as a switch or router.<br />
After selecting this option, the following list is displayed for configuring and adding WCCP services:<br />
• WCCP Services — List of services for directing web traffic to the appliance under the WCCP<br />
protocol<br />
Note: Version 2 of the WCCP services must be used on the appliance.<br />
IP addresses of clients that have their requests directed to the appliance must be “visible”<br />
there. They must not be converted using the NAT (Network Address Translation) method.<br />
The following table describes the list entries. For information on maintaining a list of this type,<br />
see Inline lists.<br />
Table 3-1 WCCP Services list<br />
Option | Definition<br />
Service ID | ID of a service that directs web traffic to the appliance under the WCCP protocol<br />
WCCP router definition | Multicast IP address and DNS name of a router (or switch with routing functions) that uses a WCCP service to direct web traffic to the appliance. Note: You can configure multiple routers here, separating entries by commas.<br />
Ports to be redirected | Ports on web servers that data packets must have in their destination addresses to be redirected. Note: You can specify up to eight port numbers here, separated by commas.<br />
Ports to be redirected are source ports | Displays whether the ports that are to be redirected are source ports<br />
Proxy listener IP address | IP address of the appliance when running in explicit proxy mode with WCCP services and listening to client requests<br />
Proxy listener port | Port for listening to client requests. Note: The default port number is 9090.<br />
MD5 authentication key | Password used under the MD5 algorithm for signing and verifying control data packets. The Set button opens a window for setting the password. Note: The password can have up to eight characters.<br />
Input for load distribution | This main item does not appear in the list, but is visible in the Add and Edit windows. The following four elements are related to it, specifying what is used in a data packet as the criteria for load distribution. When running multiple appliances, load distribution can be configured for the proxies on them. Data packets can be distributed to these proxies based on the masking of source or destination IP addresses and port numbers or on a hash algorithm.<br />
• Source IP — When selected, load distribution relies on the masking of source IP addresses<br />
• Destination IP — When selected, load distribution relies on the masking of destination IP addresses<br />
• Source port — When selected, load distribution relies on the masking of source port numbers<br />
• Destination port — When selected, load distribution relies on the masking of the destination port numbers<br />
Assignment method | This main item does not appear in the list, but is visible in the Add and Edit windows. The following elements are related to it, specifying the method used for load distribution.<br />
• Assignment by mask — When selected, masking of the parameter specified above is used for load distribution<br />
• Assignment by hash — When selected, a hash algorithm is used for load distribution<br />
Assignment weight | Value determining how much load is assigned to a proxy. Use this value to assign more load to a proxy on an appliance that has more CPU capacity. 0 means no load is distributed to a proxy.<br />
Forwarding method | This main item does not appear in the list, but is visible in the Add and Edit windows. The following two elements are related to it, specifying the forwarding method.<br />
• GRE-encapsulated — When selected, data packets are encapsulated by the router before being redirected<br />
• L2-rewrite to local NIC — When selected, data packets are redirected to the appliance by replacing the MAC address of the next device (on the route to the web server) with that of the appliance. This is done on layer two (L2) of the standard communication model.<br />
L2-redirect target | Network interface on an appliance that data packets are redirected to<br />
Magic (Mask assignment) | Setting to assign a mask for use in redirecting web traffic<br />
Comment | Plain-text comment on the WCCP service<br />
• L2 transparent — When selected, client requests sent to a web server under the IPv4 and IPv6<br />
protocols are intercepted by an additional network device and directed to the appliance using the<br />
Layer 2 redirection method<br />
Under this method, client requests are accepted on the appliance even if their destination IP<br />
addresses are not addresses of the appliance. The redirection is transparent to the clients.<br />
You need to enter the original ports for those client requests that are to be intercepted and<br />
redirected in a list on the appliance together with the ports that these requests are redirected to.<br />
The additional network device must be configured accordingly.<br />
Note: When this option is selected, requests cannot be transmitted using a connection in active FTP<br />
mode. Only the passive FTP mode is then available.<br />
After selecting this option, the following list is displayed for entering ports:<br />
• Port Redirects — List of ports that are involved in the redirection using the Layer 2 method<br />
The following table describes the list entries. For information on maintaining a list of this type,<br />
see Inline lists.<br />
Table 3-2 Port Redirects list<br />
Option | Definition<br />
Original destination port | Port that the data packets belonging to a client request were originally directed to<br />
Destination proxy port | Port that data packets are redirected to<br />
Comment | Plain-text comment on the port<br />
Advanced Outgoing Connection Settings<br />
Settings specifying methods for handling information contained in client requests sent to web servers<br />
that are requirements for the network environment of the appliance<br />
IP spoofing (HTTP, HTTPS, FTP) — When selected, the appliance keeps the client IP address that is<br />
contained in a client request as the source address and uses it in communication with the requested<br />
web server under various protocols<br />
When WCCP services are used for intercepting web traffic and directing it to the appliance, you need to<br />
configure two services for each port on the appliance that listens to client requests: one for the<br />
requests that come in from the clients, and one for responses to these requests that are sent by the<br />
web servers.<br />
When this option is not selected, the appliance chooses a source port and uses it in this communication.<br />
• IP spoofing for explicit proxy connections — When selected, client addresses are kept in explicit<br />
proxy communication, in which web traffic is not intercepted by an additional device<br />
• Use same source port as client for IP spoofing — When selected, client source ports are kept<br />
and used in addition to client source addresses for communication with web servers<br />
When this option is not selected, the appliance chooses a random source port and uses it in this<br />
communication.<br />
HTTP(S): Host header has priority over original destination address (transparent proxy) —<br />
When selected, the appliance uses the destination address that is included in the host header of a client<br />
request under the HTTP or HTTPS protocol for communication with the requested web server<br />
For more information on the WCCP services needed to perform IP spoofing, see WCCP service settings<br />
for IP spoofing.<br />
WCCP service settings for IP spoofing<br />
You can use IP spoofing in a configuration with WCCP services that intercept web traffic and direct it to<br />
the appliance. In this case, you need to configure two services for all ports on the appliance that listen<br />
to client requests.<br />
One of these services is for the requests that come in from the clients and another one for responses to<br />
these requests that are sent by the web servers.<br />
The table below shows sample parameters for two services.<br />
Table 3-3 WCCP services for IP spoofing<br />
Option | Service for incoming requests | Service for web server responses<br />
Service ID | 51 | 52<br />
WCCP router definition | 10.150.107.254 | 10.150.107.254<br />
Ports to be redirected | 80, 443 | 80, 443<br />
Ports to be redirected are source ports | false | true<br />
Proxy listener IP address | 10.150.107.251 | 10.150.107.251<br />
Proxy listener port | 9090 | 9090<br />
MD5 authentication key | ***** | *****<br />
Input for load distribution | This main item does not appear in the settings list, but is visible in the Add and Edit windows. The following four elements are related to it<br />
Source IP | false | false<br />
Destination IP | true | true<br />
Source port | false | false<br />
Destination port | false | false<br />
Assignment method | This main item does not appear in the settings list, but is visible in the Add and Edit windows. The Assignment by mask and Assignment by hash elements are related to it.<br />
Assignment by mask | true | true<br />
Assignment by hash | false | false<br />
Assignment weight | 100 | 100<br />
Forwarding method | This main item does not appear in the settings list, but is visible in the Add and Edit windows. The GRE-encapsulated and L2-rewrite to local NIC elements are related to it.<br />
GRE-encapsulated | false | false<br />
L2-rewrite to local NIC | true | true<br />
L2-redirect target | eth1 | eth1<br />
Magic (Mask assignment) | -1 | -1<br />
Comment | |<br />
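The pairing rule above (for each listener port, one WCCP service for client requests and one for web server responses) can be checked before the settings are saved. The following Python check is an added example, not part of the product guide or the appliance software; the WccpService field names and the MD5 key value are this example's own, and the two sample services use the values from Table 3-3.

```python
from dataclasses import dataclass
from ipaddress import ip_address

MAX_REDIRECT_PORTS = 8   # Table 3-1: up to eight port numbers per service
MAX_KEY_CHARS = 8        # Table 3-1: password can have up to eight characters


@dataclass(frozen=True)
class WccpService:
    """One entry of the WCCP Services list (field names are this example's own)."""
    service_id: int
    routers: tuple           # WCCP router definition (IP addresses or DNS names)
    ports: tuple             # Ports to be redirected
    ports_are_source: bool   # False: client requests, True: web server responses
    listener_ip: str
    listener_port: int
    md5_key: str


def check_service(svc):
    """Return findings for a single service entry."""
    out = []
    tag = f"service {svc.service_id}"
    if not 1 <= len(svc.ports) <= MAX_REDIRECT_PORTS:
        out.append(f"{tag}: needs 1 to {MAX_REDIRECT_PORTS} redirected ports")
    for port in (*svc.ports, svc.listener_port):
        if not 1 <= port <= 65535:
            out.append(f"{tag}: port {port} is out of range")
    if len(svc.md5_key) > MAX_KEY_CHARS:
        out.append(f"{tag}: MD5 key is longer than {MAX_KEY_CHARS} characters")
    if not svc.md5_key:
        # Added hardening check, not a requirement stated in the guide.
        out.append(f"{tag}: no MD5 key, control packets are not authenticated")
    try:
        ip_address(svc.listener_ip)
    except ValueError:
        out.append(f"{tag}: {svc.listener_ip!r} is not an IP address")
    return out


def audit_ip_spoofing(services):
    """Check that every listener has a request service and a response service."""
    findings = []
    seen_ids = set()
    by_listener = {}
    for svc in services:
        findings += check_service(svc)
        if svc.service_id in seen_ids:
            findings.append(f"service ID {svc.service_id} is used twice")
        seen_ids.add(svc.service_id)
        key = (svc.listener_ip, svc.listener_port)
        by_listener.setdefault(key, []).append(svc)

    for (ip, port), group in sorted(by_listener.items()):
        where = f"listener {ip}:{port}"
        requests = [s for s in group if not s.ports_are_source]
        responses = [s for s in group if s.ports_are_source]
        if not requests or not responses:
            findings.append(f"{where}: found {len(requests)} request and "
                            f"{len(responses)} response service(s), need both")
            continue
        # Both directions must cover the same web server ports and routers.
        if ({p for s in requests for p in s.ports}
                != {p for s in responses for p in s.ports}):
            findings.append(f"{where}: request and response services "
                            "redirect different ports")
        if ({r for s in requests for r in s.routers}
                != {r for s in responses for r in s.routers}):
            findings.append(f"{where}: request and response services "
                            "name different routers")
    return findings


KEY = "example1"  # constructed placeholder, not a value from the guide

# Values from Table 3-3.
TABLE_3_3 = [
    WccpService(51, ("10.150.107.254",), (80, 443), False,
                "10.150.107.251", 9090, KEY),
    WccpService(52, ("10.150.107.254",), (80, 443), True,
                "10.150.107.251", 9090, KEY),
]

# Constructed faulty case: a second listener port with a request service only.
BROKEN = TABLE_3_3 + [
    WccpService(53, ("10.150.107.254",), (8080,), False,
                "10.150.107.251", 9091, ""),
]

if __name__ == "__main__":
    for line in audit_ip_spoofing(BROKEN):
        print(line)
```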
Proxy HA<br />
Settings for the appliance when running as a proxy in a high-availability configuration<br />
Port Redirects — List of ports that requests sent by users are redirected to<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-4 Port Redirects list<br />
Option | Definition<br />
Protocol name | Name of the protocol used for data packets coming in when a user sends a request<br />
Original destination ports | Ports that redirected data packets were originally sent to<br />
Destination proxy port | Port that data packets originally sent to the above ports are redirected to<br />
Comment | Plain-text comment on the port<br />
Director priority — Priority (ranging from 0 to 99) an appliance takes in directing data packets<br />
The highest value prevails. 0 means the appliance never directs data packets, but only filters them.<br />
In a high-availability configuration, two appliances are typically configured as director nodes with a<br />
priority higher than zero to direct data packets, providing fail-over functions for each other. The<br />
remaining nodes are configured with zero priority (also known as scanning nodes).<br />
The priority value is set on a slider scale.<br />
Management IP — Source IP address of the appliance that directs data packets when sending<br />
heartbeat messages to other appliances<br />
Virtual IPs — List of virtual IP addresses<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-5 Virtual IPs list<br />
Option | Definition<br />
Virtual IP address | Virtual IP address (in CIDR notation)<br />
Network interface | Network interface on the appliance that data packets with the virtual IP address are routed through<br />
Comment | Plain-text comment on the virtual IP address<br />
Virtual router ID — ID of a virtual router<br />
VRRP interface — Network interface on the appliance for sending and receiving heartbeat messages<br />
Configure the appliance as a proxy on a client<br />
This section tells you how to configure the appliance as a proxy on each of its clients, so that they direct<br />
their web traffic to it. You need to do this when running the appliance in explicit proxy mode.<br />
1 From the menu system of the client browser, select the Network/Connection tab.<br />
2 On this tab, add an HTTP, HTTPS, or FTP proxy, according to the protocol you want to use for<br />
communication between the client and the appliance.<br />
3 Configure an IP address and port number for connecting to the appliance. Use the values<br />
configured during the initial setup of the appliance.<br />
Note: If you use the Microsoft Internet Explorer on your clients and a Windows Active Directory to administer<br />
them, you can configure the appliance as a proxy on all your clients in a single procedure.<br />
Transparent bridge mode<br />
This section explains the transparent bridge mode and tells you how to configure it on the appliance.<br />
In this mode, the clients of the appliance are unaware that they are connected to it. They need not be<br />
configured to direct their web traffic to the appliance. The appliance is placed between a firewall and a<br />
router, where it serves as an (invisible) bridge.<br />
The following diagram shows a configuration in transparent bridge mode:<br />
Figure 3-2 Transparent bridge mode<br />
Configure the transparent bridge mode<br />
This section tells you how to configure the transparent bridge mode for the appliance.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure the transparent bridge mode for<br />
and select Proxies (HTTP(S), FTP, ICAP, and IM).<br />
3 Under Network Setup, select Transparent Bridge.<br />
Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup<br />
settings.<br />
4 Configure specific and common settings for this mode as needed.<br />
5 Click Save Changes.<br />
For more information, see Transparent Bridge settings and Common proxy settings.<br />
For a sample configuration, see Sample configuration – Director and scanning nodes in transparent<br />
bridge mode.<br />
Transparent Bridge settings<br />
Settings for the appliance when running in transparent bridge mode<br />
Port Redirects — List of ports that requests sent by users are redirected to<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-6 Port Redirects list<br />
Option | Definition<br />
Protocol name | Name of the protocol used for data packets coming in when a user sends a request<br />
Original destination ports | Ports that redirected data packets were originally sent to<br />
Destination proxy port | Port that data packets originally sent to the above ports are redirected to<br />
Comment | Plain-text comment on the port<br />
Director priority — Priority (ranging from 0 to 99) an appliance takes in directing data packets<br />
The highest value prevails. 0 means an appliance never directs data packets, but only filters them.<br />
The value for this priority is set on a slider scale.<br />
Management IP — Source IP address of the appliance that directs data packets when sending<br />
heartbeat messages to other appliances<br />
IP spoofing (HTTP, HTTPS) — When selected, the appliance keeps the client IP address that is<br />
contained in a client request as the source address and uses it in communication with the requested<br />
web server under various protocols<br />
The appliance does not verify whether this address matches the host name of the request.<br />
IP spoofing (FTP) — When selected, the appliance communicates with a web server under the FTP<br />
protocol in the same way as under the HTTP or HTTPS protocol to perform IP spoofing<br />
Note: For active FTP, this option must be enabled.<br />
Sample configuration – Director and scanning nodes in transparent bridge mode<br />
This section describes a procedure for setting up two appliances in transparent bridge mode.<br />
One of them is configured as a director node that directs data packets, the other as a scanning node<br />
that only filters data packets, but does not direct them.<br />
Set up a director node<br />
To configure an appliance as a director node in transparent bridge mode, you need to enable this mode<br />
and configure at least one network interface for the transparent bridge functions. The director role is<br />
configured by giving the node an appropriate priority value.<br />
Complete the following procedure to set up a director node:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to set up as a director node and select Network.<br />
3 Select a still unused network interface of the appliance to use it as an interface of the transparent<br />
bridge. However, do not enable it yet.<br />
4 On the Advanced tab, select Bridge enabled for this interface.<br />
5 In the Name field, type ibr0 as the name of the interface.<br />
6 On the IPv4 tab, under IP Settings, select Disable IPv4.<br />
7 Click Save Changes. You are logged out and logged on to the appliance again.<br />
8 Go to Configuration | Appliances and select Network again. An additional network interface<br />
named ibr0 is now available. Select this interface.<br />
9 On the IPv4 tab, configure an IP address, a subnet mask, and a default route for ibr0. Then select<br />
the checkbox next to ibr0 to enable this interface.<br />
10 Select the interface that is currently used to access the appliance to assign it to ibr0.<br />
11 On the Advanced tab, select Bridge enabled.<br />
12 In the Name field, type ibr0 as the name of the interface.<br />
13 On the IPv4 tab, under IP Settings, select Disable IPv4.<br />
14 Enable the network interface you assigned to ibr0 in step 3.<br />
15 Select Central Management.<br />
16 In the Central Management Settings section, add the IP address you configured for ibr0 to the<br />
list provided under IP address for Central Management communication.<br />
17 Select Proxies (HTTP(S), FTP, ICAP, and IM).<br />
18 Under Network Setup, select Transparent Bridge.<br />
Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup<br />
settings.<br />
19 Set Director priority to a value > 0.<br />
20 Configure proxy ports and port redirects for HTTP and FTP as needed.<br />
21 Also configure IP spoofing as needed.<br />
22 In the Management IP field, type the IP address you configured for ibr0.<br />
23 Click Save Changes.<br />
If you are going to configure another appliance as a director node, be sure to configure the same proxy<br />
ports and port redirects as for the initial director node and to add the port redirects in the same order<br />
as for that node.<br />
Set up a scanning node<br />
To configure an appliance as a scanning node in transparent bridge mode, you need to enable this<br />
mode and configure an IP address that allows the node to access the network interface of the director<br />
node. The scanning role is configured by giving the node 0 as a priority value.<br />
Complete the following procedure to set up a scanning node:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to set up as a scanning node and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 Under Network Setup, select Transparent Bridge.<br />
Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup<br />
settings.<br />
4 Set Director priority to 0.<br />
5 Configure the same HTTP and FTP proxy ports and port redirects as for the director node.<br />
6 Also configure IP spoofing in the same way as for the director node.<br />
7 Click Save Changes.<br />
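The rules in this sample configuration (the highest director priority prevails, 0 means scanning only, identical proxy ports, port redirects in the same order, matching IP spoofing) can be checked across all nodes before they go into service. The following Python code is an added example, not part of the product guide or the appliance software; the Node fields, node names and port values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """Transparent Bridge settings of one appliance (fields are this example's own)."""
    name: str
    director_priority: int   # 0 to 99; 0 = scanning node, never directs packets
    proxy_ports: tuple       # (protocol, port) pairs
    port_redirects: tuple    # ordered (protocol, original ports, proxy port)
    ip_spoofing: bool


def active_director(nodes, down=()):
    """Name of the node that directs packets: the highest priority above 0
    among the nodes that are not listed in `down`."""
    candidates = [n for n in nodes
                  if n.director_priority > 0 and n.name not in down]
    if not candidates:
        return None
    return max(candidates, key=lambda n: n.director_priority).name


def audit_cluster(nodes):
    """Return findings for a set of director and scanning nodes."""
    findings = []
    for n in nodes:
        if not 0 <= n.director_priority <= 99:
            findings.append(f"{n.name}: director priority must be 0 to 99")
    directors = sorted((n for n in nodes if n.director_priority > 0),
                       key=lambda n: -n.director_priority)
    if not directors:
        return findings + ["no director node: every priority is 0"]
    if len(directors) == 1:
        findings.append(f"only {directors[0].name} can direct packets, "
                        "so there is no fail-over")
    priorities = [n.director_priority for n in directors]
    if len(set(priorities)) != len(priorities):
        # Added check: the text above only says that the highest value prevails.
        findings.append("two director nodes share the same priority")

    ref = directors[0]   # compare every other node with the top director
    for n in nodes:
        if n is ref:
            continue
        if set(n.proxy_ports) != set(ref.proxy_ports):
            findings.append(f"{n.name}: proxy ports differ from {ref.name}")
        if n.port_redirects != ref.port_redirects:
            if sorted(n.port_redirects) == sorted(ref.port_redirects):
                findings.append(f"{n.name}: same port redirects as "
                                f"{ref.name} but in a different order")
            else:
                findings.append(f"{n.name}: port redirects differ "
                                f"from {ref.name}")
        if n.ip_spoofing != ref.ip_spoofing:
            findings.append(f"{n.name}: IP spoofing setting differs "
                            f"from {ref.name}")
    return findings


# Constructed sample values.
PORTS = (("HTTP", 9090), ("FTP", 2121))
REDIRECTS = (("HTTP", (80, 443), 9090), ("FTP", (21,), 2121))

GOOD = [
    Node("mwg-a", 99, PORTS, REDIRECTS, True),
    Node("mwg-b", 50, PORTS, REDIRECTS, True),
    Node("mwg-c", 0, PORTS, REDIRECTS, True),
]

# Second director lists the redirects in reverse order; scanner differs in spoofing.
FAULTY = [
    Node("mwg-a", 99, PORTS, REDIRECTS, True),
    Node("mwg-b", 50, PORTS, REDIRECTS[::-1], True),
    Node("mwg-c", 0, PORTS, REDIRECTS, False),
]

if __name__ == "__main__":
    print(active_director(GOOD), active_director(GOOD, down=("mwg-a",)))
    for line in audit_cluster(FAULTY):
        print(line)
```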
Transparent router mode<br />
This section explains the transparent router mode and tells you how to configure it on the appliance.<br />
This is also a transparent mode, so the clients are unaware of the appliance and need not be configured<br />
to direct their web traffic to it.<br />
The appliance is placed as a router immediately behind a firewall. It can use a switch for connecting to<br />
its clients. A routing table is used to direct the traffic.<br />
The following diagram shows a configuration in transparent router mode:<br />
Figure 3-3 Transparent router mode<br />
Configure the transparent router mode<br />
This section tells you how to configure the transparent router mode for the appliance.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure settings for and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 Under Network Setup, select Transparent Router.<br />
Note: After selecting this option, specific Transparent Router settings appear below the Network Setup<br />
settings.<br />
4 Configure specific and common settings for this mode as needed.<br />
5 Click Save Changes.<br />
For more information, see Transparent Router settings and Common proxy settings.<br />
For a sample configuration, see Sample configuration – Director and scanning nodes in transparent<br />
router mode.<br />
Transparent Router settings<br />
Settings for the appliance when running in transparent router mode<br />
Port Redirects — List of ports that requests sent by users are redirected to<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-7 Port Redirects list<br />
Option | Definition<br />
Protocol name | Name of the protocol used for data packets coming in when a user sends a request<br />
Original destination ports | Ports that redirected data packets were originally sent to<br />
Destination proxy port | Port that data packets originally sent to the above ports are redirected to<br />
Comment | Plain-text comment on the port<br />
Director priority — Priority (ranging from 0 to 99) an appliance takes in directing data packets<br />
The highest value prevails. 0 means an appliance never directs data packets, but only filters them.<br />
The value is set on a slider scale.<br />
Management IP — Source IP address of the appliance that directs data packets in a given<br />
high-availability configuration when sending heartbeat messages to other appliances<br />
Virtual IPs — List of virtual IP addresses<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-8 Virtual IPs list<br />
Option | Definition<br />
Virtual IP address | Virtual IP address (in CIDR notation)<br />
Network interface | Network interface on the appliance used for heartbeats under VRRP (Virtual Router Redundancy Protocol)<br />
Comment | Plain-text comment on the virtual IP address<br />
Virtual router ID — ID of a virtual router<br />
VRRP interface — Network interface on the appliance for sending and receiving heartbeat messages<br />
IP spoofing (HTTP, HTTPS) — When selected, the appliance keeps the client IP address that is<br />
contained in a client request as the source address and uses it in communication with the requested<br />
web server under various protocols<br />
The appliance does not verify whether this address matches the host name of the request.<br />
IP spoofing (FTP) — When selected, the appliance communicates with a web server under the FTP<br />
protocol in the same way as under the HTTP or HTTPS protocol to perform IP spoofing.<br />
Note: For active FTP, this option must be enabled.<br />
Sample configuration – Director and scanning nodes in transparent router mode<br />
This section describes a procedure for setting up two appliances in transparent router mode.<br />
One of them is configured as a director node that directs data packets, the other as a scanning node<br />
that only filters data packets, but does not direct them.<br />
Set up a director node<br />
To configure an appliance as a director node in transparent router mode, you need to enable this mode<br />
and configure network interfaces for inbound and outbound web traffic. The director role is configured<br />
by giving the node an appropriate priority value.<br />
Complete the following procedure to set up a director node:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to set up as a director node and select Network.<br />
3 Configure network interfaces as is suitable for your network. You need at least one interface for<br />
inbound and one for outbound web traffic.<br />
4 Click Save Changes. You are logged out and logged on to the appliance again.<br />
5 Go to Configuration | Appliances.<br />
6 On the appliances tree, go to the appliance you are setting up as a director node and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
7 Under Network Setup, select Transparent Router.<br />
Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup<br />
settings.<br />
8 Set Director priority to a value > 0.<br />
9 Configure proxy ports and port redirects for HTTP and FTP as needed.<br />
10 Configure virtual IP addresses for the inbound and outbound network interfaces, using free IP<br />
addresses for this purpose.<br />
11 In the Management IP field, type an IP address for reaching the scanning node.<br />
12 Leave the number under Virtual router ID as it is.<br />
13 From the VRRP interface list, select the interfaces for heartbeats under this protocol.<br />
14 Configure IP spoofing as needed.<br />
15 Click Save Changes.<br />
16 Configure the clients of your network to let them direct their web traffic to the virtual IP addresses<br />
you configured for the inbound network interfaces.<br />
If you are going to configure another appliance as a director node, be sure to configure the same virtual<br />
IP addresses as for the initial director node. The proxy ports and port redirects and the order of the port<br />
redirects must also be the same as for that node.<br />
Set up a scanning node<br />
To configure an appliance as a scanning node in transparent router mode, you need to enable this<br />
mode and configure at least one network interface for outbound web traffic. The scanning role is<br />
configured by assigning the node 0 as its priority value.<br />
Complete the following procedure to set up a scanning node:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to set up as a scanning node and select<br />
Network.<br />
3 Configure network interfaces as is suitable for your network. You need at least one interface for<br />
outbound web traffic.<br />
4 Click Save Changes. You are logged out and logged on to the appliance again.<br />
5 Go to Configuration | Appliances.<br />
6 On the appliances tree, go to the appliance you want to set up as a scanning node and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
7 Under Network Setup, select Transparent Router.<br />
Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup<br />
settings.<br />
8 Set Director priority to 0.<br />
9 Configure the same HTTP and FTP proxy ports and port redirects as for the director node.<br />
10 Also configure IP spoofing in the same way as for the director node.<br />
11 Click Save Changes.<br />
Common proxy settings<br />
You can configure settings for the proxy functions of the appliance and use them in all network modes.<br />
This section describes these settings and the procedure for configuring them.<br />
Configure common proxy settings<br />
This section tells you how to configure the proxy settings of the appliance that are common to all network<br />
modes.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure settings for and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 Configure these settings as needed.<br />
• Network Setup — Settings for selecting a network mode<br />
• HTTP Proxy, FTP Proxy (and other settings) — Settings for the network protocols<br />
• Web Cache — Setting for enabling or disabling the web cache<br />
• Timeouts for HTTP(S), FTP, ICAP — Settings for timeouts applying to some protocols<br />
• Advanced Settings — Settings for advanced proxy functions<br />
4 Click Save Changes.<br />
For more information on these settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system settings.<br />
Proxies (HTTP(S), FTP, ICAP, and IM) system settings<br />
This section describes the Proxies (HTTP(S), FTP, ICAP, and IM) system settings. You can configure<br />
these settings to modify the proxy functions of the appliance.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Network Setup<br />
Settings for selecting a network mode<br />
Proxy (optional WCCP) — When selected, the explicit proxy mode proper is used and WCCP services<br />
can redirect web traffic to the appliance<br />
Proxy HA — When selected, the explicit proxy mode with high-availability features is used<br />
Transparent router — When selected, the transparent router mode is used<br />
Transparent bridge — When selected, the transparent bridge mode is used<br />
In addition to the settings that are common to all these modes, specific settings exist for each of them,<br />
except for the explicit proxy mode proper.<br />
For more information, see Transparent Proxy, WCCP service settings for IP spoofing, Transparent<br />
Bridge settings and Transparent Router settings.<br />
HTTP Proxy<br />
Settings for the appliance when running as a proxy under HTTP<br />
This protocol is used for transferring web pages and other data (providing SSL-encryption for enhanced<br />
security).<br />
Enable HTTP proxy — When selected, the appliance runs as a proxy under the HTTP protocol<br />
HTTP Port Definition list — List of ports on the appliance that listen to client requests<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-9 HTTP Port Definition list<br />
Option | Definition<br />
Listener address | Local IP address of the appliance running as an HTTP proxy and port for listening to client requests<br />
Serve transparent requests | When selected, the HTTP proxy also processes client requests sent in transparent mode<br />
Ports treated as SSL | Ports on destination servers indicating to the HTTP proxy that requests with these numbers are SSL-secured. Note: It can be necessary to specify these numbers when the appliance processes requests in transparent mode since there is then no CONNECT header to indicate a request is SSL-secured.<br />
Transparent common name handling for proxy requests | When selected, the HTTP proxy does not use the destination IP address of a request to create a common name for the certificate it issues. Instead, it copies the common name of the certificate that the destination server delivered. This might cause a problem if there is a common name mismatch in this certificate.<br />
McAfee Web Gateway uses passive FTP over HTTP connections | When selected, the HTTP proxy uses connections in passive mode for transmitting requests to an FTP server. Note: The passive mode might be required for the data connection (used under FTP in addition to the control connection). In some cases, an FTP server is not allowed to use the data connection in active mode, for example, when a firewall rule enforces this in a company network.<br />
Comment | Plain-text comment on the HTTP proxy port<br />
Anonymous login for FTP over HTTP — User name for logging on as an anonymous user when<br />
requests are transmitted to an FTP server by the appliance running as an HTTP proxy<br />
Password for anonymous login for FTP over HTTP — Password for the above user name<br />
FTP Proxy<br />
Settings for the appliance running as a proxy under FTP<br />
This protocol is used for transferring files, using separate connections for control functions and data<br />
transfer.<br />
Enable FTP proxy — When selected, the appliance runs as a proxy under the FTP protocol<br />
FTP Port Definition list — List of ports on the appliance that listen to client requests<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-10 FTP Port Definition List<br />
Option | Definition<br />
Listener address | Local IP address of the appliance running as an FTP proxy and port for listening to client requests<br />
Data port | Port number sent with the source IP address of the FTP proxy when it opens a data connection to a client<br />
Port range for client listener | Range of numbers for the ports on the FTP proxy that listen to client requests<br />
Port range for server listener | Range of numbers for the ports on the FTP proxy that listen to responses from web servers<br />
Allow clients to use passive FTP connections | When selected, clients can send requests to the FTP proxy in passive mode, which is an option of the FTP protocol. Note: The passive mode can be required for the data connection (used under FTP in addition to the control connection). In some cases, FTP clients are not allowed to use the data connection in active mode, for example, when a firewall rule has been implemented in a company network to enforce this.<br />
McAfee Web Gateway uses passive FTP connections | When selected, the FTP proxy uses connections in passive mode for transmitting requests to an FTP server. Note: The passive mode can be required for the data connection (used under FTP in addition to the control connection). In some cases, the FTP server is not allowed to use the data connection in active mode, for example, when a firewall rule has been implemented in a company network to enforce this.<br />
Comment | Plain-text comment on the FTP proxy port<br />
ICAP Server<br />
Settings for the appliance when running as an ICAP server that modifies requests and responses in<br />
communication with ICAP clients<br />
Enable ICAP server — When selected, the appliance takes the role of an ICAP server<br />
ICAP Port Definition list — List of ports on the appliance that listen to requests from ICAP clients<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 3-11 ICAP Port Definition list<br />
Option | Definition<br />
Listener address | Local IP address of the appliance running as an ICAP server and port for requests from ICAP clients<br />
Send early 204 responses | When selected, the appliance sends 204 responses early to clients before a request is fully transferred. Note: Some clients do not support early 204 responses.<br />
Wait for complete ICAP request | (The main item does not appear in the table, but is visible in the Add and Edit windows. The following four elements in the table are related to it, specifying when the ICAP server should wait until a request is complete.) Waiting for the complete request can be necessary when clients are not capable of receiving parts of the filtered data in response while other parts of the request are still being sent to the server. The normal behavior for the ICAP server is to try to filter and send back data chunk by chunk to reduce latency time.<br />
• Never — When selected, the ICAP server never waits<br />
• Only for REQMOD requests — When selected, the ICAP server waits if the mode for<br />
modifying requests is used<br />
• Only for REQMOD requests — When selected, the ICAP server waits if the mode for<br />
modifying requests is used<br />
• Always — When selected, the ICAP server always waits<br />
Maximal concurrent REQMOD connections | Maximum number of connections the ICAP server can use simultaneously when modifying requests<br />
Maximal concurrent RESPMOD connections | Maximum number of connections the ICAP server can use simultaneously when modifying responses<br />
Preview size | Size (in bytes) of the portion of a request sent by a client to the ICAP server at the beginning of the communication. The server asks for more data or lets the rest of the data pass through unmodified.<br />
Comment | Plain-text comment on the ICAP server port<br />
Web Cache (setting)<br />
Setting for enabling the appliance web cache<br />
Enable cache — When selected, the web cache is enabled<br />
You can then use an appropriate rule set to control reading from and writing to the cache.<br />
For more information, see Web caching.<br />
Timeouts for HTTP(S), FTP, ICAP<br />
Settings for timeouts on connections under the HTTP(S), FTP, and ICAP protocols<br />
Initial connection timeout — Time (in seconds) to elapse before a newly opened connection is<br />
closed if no request is received<br />
Connection timeout — Time (in seconds) to elapse before a connection is closed if a client or server<br />
remains inactive during an uncompleted request communication<br />
Client connection timeout — Time (in seconds) to elapse before a connection from the appliance<br />
running as a proxy to a client is closed between one request and the next<br />
Maximum idle time for unused HTTP server connections — Time (in seconds) to elapse before a<br />
connection from the appliance running as a proxy to a server is closed between one request and the<br />
next<br />
DNS settings<br />
Settings for communication with a domain name server<br />
IP protocol version preference — Information on the version of the IP protocol that is used for the<br />
communication<br />
• (Version options:)<br />
• Same as incoming connection — When selected, the protocol version is used that is already in<br />
use on the incoming connection<br />
• IP4 — When selected, version 4 of the IP protocol is used<br />
• IP6 — When selected, version 6 of the IP protocol is used<br />
• Use other protocol version as fallback — When selected, the other protocol version is used if one<br />
of the two versions is not available<br />
Minimal TTL for DNS cache — Minimum time (in seconds) to elapse before data stored in the cache<br />
is deleted<br />
Maximal TTL for DNS cache — Maximum time (in seconds) to elapse before data stored in the cache<br />
is deleted<br />
Yahoo<br />
Settings for instant messaging under the Yahoo!® protocol<br />
Enable Yahoo proxy — When selected, the appliance runs as a proxy for instant messaging under the<br />
Yahoo protocol<br />
Listener address — IP address of the proxy and number of the port for listening to client requests<br />
Support file transfer over 0.0.0.0:80 — When selected, requests for file transfers can use this IP<br />
address and port<br />
Login server — Host name and port number of the server that users log on to before sending requests<br />
Relay server (Japan) — Host name and port number of the server used as a relay station when<br />
transferring files<br />
Yahoo client connection timeout — Time (in seconds) to elapse before an inactive connection from<br />
the appliance running as a proxy to a client is closed<br />
Yahoo server connection timeout — Time (in seconds) to elapse before an inactive connection from<br />
the appliance running as a proxy to a server is closed<br />
ICQ<br />
Settings for instant messaging under the OSCAR (Open System for Communication in Real Time)<br />
protocol<br />
Enable ICQ proxy — When selected, the appliance runs as a proxy for instant messaging under<br />
OSCAR<br />
Login and file transfer proxy port — IP address of the appliance running as a proxy and number of<br />
the port for handling logon and file transfer<br />
• Enable additional file transfer proxy port — When selected, an additional port can be used<br />
for handling file transfers<br />
• Additional file transfer proxy port — Additional IP address and port number for handling file<br />
transfers<br />
BOS listener port — IP address of the proxy and number of the port for listening to BOS (Basic<br />
OSCAR Service) requests, which include chat messages, as opposed to, for example, file transfers<br />
ICQ login server — Host name and port number of the server that users log on to before sending<br />
requests<br />
ICQ service request server — Host name and port number of the server that handles requests<br />
ICQ file transfer proxy — Host name and port number of the server that handles file transfers<br />
ICQ client connection timeout — Time (in seconds) to elapse before an inactive connection from the<br />
appliance running as a proxy to a client is closed<br />
ICQ server connection timeout — Time (in seconds) to elapse before an inactive connection from<br />
the appliance running as a proxy to a server is closed<br />
Windows Live Messenger<br />
Settings for instant messaging under the Windows Live Messenger protocol<br />
Enable Windows Live Messenger proxy — When selected, the appliance runs as a proxy for instant<br />
messaging under Windows Live Messenger<br />
Windows Live Messenger NS proxy listener 1 — IP address of the appliance running as a proxy<br />
and number of the first port that listens to client requests<br />
Windows Live Messenger NS proxy listener 2 — IP address of the appliance running as a proxy<br />
and number of the second port that listens to client requests<br />
Windows Live Messenger SB proxy port — IP address of the appliance running as a proxy and<br />
number of the port that listens to client requests sent in SB (Switchboard) mode<br />
Windows Live Messenger client connection timeout — Time (in seconds) to elapse before an<br />
inactive connection from the appliance running as a proxy to a client is closed<br />
Windows Live Messenger server connection timeout — Time (in seconds) to elapse before an<br />
inactive connection from the appliance running as a proxy to a server is closed<br />
Advanced Settings<br />
Settings for advanced proxy functions<br />
Maximal number of client connections — Maximum number of connections from the appliance<br />
running as a proxy to its clients<br />
Specifying 0 means no maximum number is configured.<br />
Number of working threads — Number of threads used when the appliance is running as a proxy for<br />
filtering and transmitting web objects<br />
Number of threads for AV scanning — Number of threads used when the appliance is running as a<br />
proxy to scan web objects for infections by viruses and other malware<br />
Use TCP no delay — When selected, delays on a proxy connection are avoided by not using the Nagle<br />
algorithm to assemble data packets<br />
This algorithm enforces that packets are not sent before a certain amount of data has been collected.<br />
Maximal TTL for DNS cache in seconds — Maximum time (in seconds) for storing host name<br />
information in the DNS cache<br />
Timeout for errors for long running connections in minutes — Time (in minutes) to elapse<br />
before a long running connection that is inactive due to an error is closed<br />
Check interval for long running connections — Time (in minutes) to elapse between check<br />
messages sent on long running connections<br />
Internal path ID — ID of the path the appliance uses to forward internal requests (not requests<br />
received from clients), for example, requests for style sheets to display error messages<br />
Bypass RESPmod for responses that must not contain a body — When selected, responses sent<br />
in communication under the ICAP protocol are not modified according to the RESPMOD mode if they do<br />
not include a body<br />
Call log handler for progress page updates and objects embedded in error templates —<br />
When selected, the rules in the log handler rule set that is implemented on the appliance are processed<br />
to deal with the specified updates and objects<br />
Allow connections to use local ports using proxy — When selected, local ports can be used for<br />
requests on the appliance that is running as a proxy<br />
HTTP(S): Remove all hop-by-hop headers — When selected, hop-by-hop headers are removed<br />
from requests received on the appliance that is running as an HTTP or HTTPS proxy<br />
HTTP(S): Inspect via headers to detect proxy loops — When selected, via headers in requests<br />
received on the appliance that is running as an HTTP or HTTPS proxy are inspected to detect loops<br />
HTTP(S): Host from absolute URL has priority over host header — When selected, the host<br />
names corresponding to absolute URLs in requests received on the appliance that is running as an HTTP<br />
or HTTPS proxy are preferred to the host names contained in the request headers<br />
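The three HTTP(S) settings above, shown together on a constructed request (an added example, not the appliance's implementation): it strips hop-by-hop headers, checks Via for a loop, and picks the host from the absolute URL while flagging a disagreement with the Host header. The proxy name `mwg-demo`, the function names and the sample request are hypothetical.<br />

```python
from urllib.parse import urlsplit

# Hop-by-hop headers as listed in RFC 2616, section 13.5.1.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}
PROXY_NAME = "mwg-demo"  # hypothetical pseudonym this proxy writes into Via

# Constructed sample request head (not captured traffic).
SAMPLE = (
    "GET http://intranet.example.com/report HTTP/1.1\r\n"
    "Host: files.example.net\r\n"
    "Connection: keep-alive, X-Debug-Token\r\n"
    "Keep-Alive: timeout=5\r\n"
    "X-Debug-Token: abc\r\n"
    "Proxy-Authorization: Basic ZGVtbzpkZW1v\r\n"
    "Via: 1.0 edge-cache\r\n"
    "Accept: */*\r\n\r\n"
)


def parse_request(raw):
    """Split a raw request head into (method, target, version, [(name, value)])."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def strip_hop_by_hop(headers):
    """Drop hop-by-hop headers, including any named in the Connection header."""
    named = set()
    for name, value in headers:
        if name.lower() == "connection":
            named.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | named
    return [(n, v) for n, v in headers if n.lower() not in drop]


def via_loop(headers):
    """True if this proxy's own name already appears in a Via header."""
    for name, value in headers:
        if name.lower() != "via":
            continue
        for hop in value.split(","):
            parts = hop.split()   # e.g. "1.1 mwg-demo (comment)"
            if len(parts) >= 2 and parts[1].lower() == PROXY_NAME:
                return True
    return False


def effective_host(target, headers, absolute_url_wins=True):
    """Return (host used for policy, True if URL host and Host header disagree)."""
    url_host = urlsplit(target).hostname if "://" in target else None
    raw_host = next((v for n, v in headers if n.lower() == "host"), None)
    hdr_host = urlsplit("//" + raw_host).hostname if raw_host else None
    mismatch = bool(url_host and hdr_host and url_host != hdr_host)
    chosen = url_host if (absolute_url_wins and url_host) else (hdr_host or url_host)
    return chosen, mismatch


def process(raw):
    """Apply loop detection, host selection and hop-by-hop stripping to one request."""
    _method, target, _version, headers = parse_request(raw)
    if via_loop(headers):
        return {"action": "reject-loop"}
    host, mismatch = effective_host(target, headers)
    forwarded = strip_hop_by_hop(headers)
    forwarded.append(("Via", f"1.1 {PROXY_NAME}"))   # mark this hop for downstream proxies
    return {"action": "forward", "host": host,
            "host_mismatch": mismatch, "headers": forwarded}


if __name__ == "__main__":
    print(process(SAMPLE))
```

Logging the `host_mismatch` flag lets you see requests where filtering rules and the origin server could otherwise disagree about which host was addressed.<br />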
Proxy-Generated Error Messages<br />
Settings for a template used to send messages about proxy errors to users<br />
Language — Settings for selecting the language of a user message<br />
• Auto (Browser) — When selected, the message is in the language of the browser that the request<br />
causing the proxy error was sent from<br />
• Force to — When selected, the message is in the language chosen from the list provided here<br />
Collection — List for selecting a template collection<br />
• Add — Opens the Add Template Collection window for adding a template collection<br />
• Edit — Opens the Template Editor for editing a template collection<br />
Reverse HTTPS proxy configuration<br />
You can use a reverse HTTPS proxy configuration to prevent clients from uploading unwanted data,<br />
such as malware or particular media types, to particular web servers under the HTTPS protocol. This<br />
section explains such a configuration and tells you how to set it up.<br />
In a reverse HTTPS proxy configuration, HTTPS traffic is redirected to the appliance, which serves as a<br />
proxy that inspects the traffic and eventually forwards or blocks it, according to the rules that are<br />
implemented.<br />
You can configure this in the following ways:<br />
• A transparent bridge or router configuration<br />
• A DNS configuration that points directly to the appliance when access to a particular web server is<br />
requested<br />
Note: The redirection to the appliance can also be achieved by configuring proxy-aware connections relying<br />
on the use of CONNECT headers.<br />
However, this method would require an additional network device to assemble these headers for incoming<br />
requests, so it is not recommended and not explained further here.<br />
In addition to configuring your network in one of these ways, you need to configure the handling of SSL<br />
certificates. Optionally, you can configure some additional settings that are not SSL-related to ensure a<br />
smooth operation of the reverse HTTPS proxy configuration.<br />
Redirect HTTPS traffic in a transparent bridge or router configuration<br />
In a transparent bridge or router configuration, you can use a port redirect rule to direct HTTPS traffic<br />
to the proxy port on the appliance.<br />
Note: The term port forwarding rule is also used for a port redirect rule.<br />
Furthermore, you need to ensure that the redirected requests are treated as SSL-secured<br />
communication.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to redirect traffic to and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 In the Network Setup section, select Transparent bridge (or Transparent router). The section<br />
with the transparent bridge (or router) settings appears.<br />
4 Under Port redirects, click Add. The Add Port Redirects window opens.<br />
5 Configure the following for the new port redirect rule:<br />
• Protocol name — http<br />
Note: This setting covers connections under both the HTTP and HTTPS protocols.<br />
• Original destination ports — 443<br />
Note: If the web servers that are the destinations for requests can be reached under the HTTP protocol<br />
as well, you can add port 80 here (separated by a comma). This type of traffic is then also directed to<br />
the appliance.<br />
• Destination proxy port — 9090<br />
Note: This is by default the proxy port on the appliance.<br />
6 Click OK. The window closes and the new port redirect rule is added to the list.<br />
7 Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add. The Add HTTP<br />
Proxy Port window opens.<br />
8 Make sure the following is configured:<br />
• Serve transparent SSL connections — Selected<br />
• Ports treated as SSL — 443<br />
9 Leave the other settings at their default values and click OK. The window closes and an appropriately<br />
configured HTTP proxy port is added to the list.<br />
10 Click Save Changes.<br />
For more information on setting up a transparent bridge or router configuration, see Transparent bridge<br />
mode and Transparent router mode.<br />
Let the appliance listen to requests redirected by DNS entries<br />
When web server requests under the HTTPS protocol are redirected to the appliance according to DNS<br />
entries, you can configure the appliance as a proxy that listens directly on the appropriate port. You<br />
also need to ensure that only SSL-secured connections are served.<br />
Note: A port redirect rule cannot be applied here since its purpose would be forwarding requests for other<br />
destinations to the appliance. However, due to the DNS entries, the appliance is already the destination.<br />
Before you begin to configure the appliance in this way, make sure of the following:<br />
• The host names of the web servers are not resolved to the appliance when the appliance does a DNS<br />
lookup.<br />
You can achieve this by entering the IP addresses of the web servers into the /etc/hosts file on the<br />
appliance or by using an appropriately configured internal DNS server.<br />
• A rule set that handles content inspection is implemented on the appliance and enabled.<br />
This rule set is typically provided as part of an overall SSL Scanner rule set under the default rule<br />
set system, as well as in the rule set library.<br />
To let the appliance listen to the redirected requests:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance that should listen to requests and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add. The Add HTTP<br />
Proxy Port window opens.<br />
4 Configure the following settings:<br />
• Listener address — 0.0.0.0:443<br />
This setting lets the appliance listen to requests for any web servers, regardless of their IP<br />
addresses. You can also specify a particular IP address here and restrict the appliance to<br />
listening for requests to the server in question.<br />
If you are running several network interface cards on your appliance, you can specify IP<br />
addresses (separated by commas) for as many web servers as there are network interface<br />
cards.<br />
• Serve transparent SSL connections — Selected<br />
• Ports treated as SSL — *<br />
5 Leave the other settings at their default values and click OK. The window closes and an appropriately<br />
configured HTTP proxy port is added to the list.<br />
Note: If a web server should also be accessible under the HTTP protocol, you need to add another HTTP<br />
proxy port with listener address 0.0.0.0:80 or the address of a particular web server.<br />
6 Click Save Changes.<br />
Handling SSL certificates in a reverse HTTPS proxy configuration<br />
For conducting SSL-secured communication with a client in a reverse HTTPS proxy configuration, the<br />
appliance sends the original SSL certificate of the web server that the client requested. To enable the<br />
appliance to send this certificate, you need to import it from the web server and add it to the appliance<br />
configuration.<br />
SSL-secured communication in a reverse HTTPS proxy configuration<br />
In a reverse HTTPS proxy configuration, the appliance communicates in SSL-secured mode with its<br />
clients. The SSL certificate that the appliance sends to the clients during the SSL handshake cannot be<br />
issued, however, by its SSL Scanner module. Therefore, the appliance uses the original certificates of<br />
the web servers that the clients of your network request access to.<br />
A reverse HTTPS proxy configuration is usually set up to protect only a limited number of particular web<br />
servers against the upload of unwanted data by clients. You need to import certificates for these<br />
servers and add them to the appliance configuration.<br />
You can import the web server certificates when configuring the Enable Client Context without CA<br />
settings, which are part of the SSL Scanner settings. To find out which certificate should be sent in a<br />
given situation, the appliance scans the list of imported certificates. On this list, certificates are mapped<br />
to the host names of the web servers they belong to. The appliance will send the certificate that is<br />
mapped to the name of the host that a client requested access to.<br />
In an explicit proxy setup, this host name would be transmitted in the header of the CONNECT request.<br />
In a transparent setup, the appliance uses the following methods to detect the appropriate host names:<br />
• If the client sends an SNI extension, the host name can be found in a way that is similar to detecting<br />
it in an explicit proxy configuration.<br />
• If client requests are redirected to the appliance through DNS entries, the host name is known by the<br />
IP address that you specified when configuring redirection.<br />
In this case, you also need to configure a rule set with rules that set the URL.Host property to the<br />
appropriate value for every IP address the appliance has been configured to listen to. This is to let<br />
the appliance know where to forward a request to when it has been filtered and allowed.<br />
• If the transparent setup does not use redirection by DNS entries, the appliance will send a handshake<br />
message to the web server that a client requested, extract the common name from the certificate it<br />
receives from the web server, and use this common name to detect the appropriate host name.<br />
This method requires that the appliance and the web server communicate in SSL-secured mode,<br />
too. You can configure a setting on the appliance to ensure this mode is used.<br />
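The host-name detection described above can be modelled as follows. This is an added example, not McAfee Web Gateway code: it reads the SNI extension from a ClientHello and looks the host up in a host-to-certificate mapping.<br />
Assumptions: the function names, the certificate file names and the example.test hosts are constructed, and trying the sources in a fixed fallback order is a simplification of the guide's list.<br />

```javascript
// Added illustration, not McAfee Web Gateway code. Host names and certificate
// file names are constructed placeholders; 10.141.101.51 is the guide's example IP.
const CERT_BY_HOST = new Map([
  ["shop.example.test", "shop.example.test.pem"],
  ["portal.example.test", "portal.example.test.pem"],
]);
const HOST_BY_LISTENER_IP = new Map([["10.141.101.51", "portal.example.test"]]);

// Extract the SNI host name from a raw TLS ClientHello record; null if absent or malformed.
function parseSni(buf) {
  try {
    if (buf[0] !== 0x16 || buf[5] !== 0x01) return null; // handshake record, ClientHello
    let p = 5 + 4;                       // record header + handshake type and 24-bit length
    p += 2 + 32;                         // client_version + random
    p += 1 + buf.readUInt8(p);           // session_id
    p += 2 + buf.readUInt16BE(p);        // cipher_suites
    p += 1 + buf.readUInt8(p);           // compression_methods
    if (p >= buf.length) return null;    // ClientHello without extensions
    const end = p + 2 + buf.readUInt16BE(p);
    if (end > buf.length) return null;   // truncated extensions block
    p += 2;
    while (p + 4 <= end) {
      const type = buf.readUInt16BE(p);
      const len = buf.readUInt16BE(p + 2);
      p += 4;
      if (p + len > end) return null;    // extension overruns the block
      if (type === 0x0000) {             // server_name extension
        let q = p + 2;                   // skip server_name_list length
        while (q + 3 <= p + len) {
          const nameLen = buf.readUInt16BE(q + 1);
          if (q + 3 + nameLen > p + len) return null;
          if (buf[q] === 0) {            // name_type 0 = host_name
            return buf.toString("ascii", q + 3, q + 3 + nameLen).toLowerCase();
          }
          q += 3 + nameLen;
        }
      }
      p += len;
    }
    return null;
  } catch (err) {
    return null;                         // out-of-range read on a short buffer
  }
}

// Constructed sample input: a minimal ClientHello, with an SNI entry when hostname is non-empty.
function buildClientHello(hostname) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const name = Buffer.from(hostname || "", "ascii");
  const entry = Buffer.concat([Buffer.from([0]), u16(name.length), name]);
  const sniData = Buffer.concat([u16(entry.length), entry]);
  const ext = hostname
    ? Buffer.concat([u16(0x0000), u16(sniData.length), sniData])
    : Buffer.alloc(0);
  const body = Buffer.concat([
    Buffer.from([3, 3]), Buffer.alloc(32, 0xab), // client_version, random
    Buffer.from([0]),                            // empty session_id
    u16(2), Buffer.from([0x00, 0x2f]),           // one cipher suite
    Buffer.from([1, 0]),                         // null compression only
    u16(ext.length), ext,
  ]);
  const handshake = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(handshake.length), handshake]);
}

// Resolve the requested host from the available sources, then look up its certificate.
// cert is null when no mapping exists: there is nothing valid to present for that host.
function selectCertificate({ connectHost, clientHello, listenerIp, upstreamCommonName }) {
  let host = null;
  let source = null;
  if (connectHost) {                                   // explicit proxy: CONNECT host:port
    host = connectHost.split(":")[0];
    source = "CONNECT";
  } else if (clientHello && (host = parseSni(clientHello))) {
    source = "SNI";                                    // transparent, client sent SNI
  } else if (HOST_BY_LISTENER_IP.has(listenerIp)) {    // transparent, DNS redirection
    host = HOST_BY_LISTENER_IP.get(listenerIp);
    source = "listener-ip";
  } else if (upstreamCommonName) {                     // CN from the web server certificate
    host = upstreamCommonName;
    source = "server-cert-CN";
  }
  host = host ? host.toLowerCase() : null;
  return { host, source, cert: host ? CERT_BY_HOST.get(host) || null : null };
}
```

A result with cert set to null marks a host that has no imported certificate, which is the case to log and review when clients report certificate warnings.<br />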
Configure SSL certificate handling in a reverse HTTPS proxy configuration<br />
When the appliance sends SSL certificates to its clients in a reverse HTTPS proxy configuration, they<br />
must be the original certificates of the web servers that the clients request access to. You need to<br />
import these certificates to the appliance to make them available there.<br />
1 Go to Policies | Settings.<br />
2 On the Engines branch of the settings tree, select Enable SSL Client Context without CA.<br />
3 Click Add above the settings tree. The Add Settings window opens.<br />
4 In the Name field, enter a name for the settings you want to add, for example, Imported web server<br />
certificates.<br />
5 In the Define SSL Client Context (Without Certificate Authority) section, click Add under<br />
Select server certificate by host or IP. The Add Host to Certificate Mapping window opens.<br />
6 Under Define Mapping, configure settings that map the host name of a web server to its certificate.<br />
Then click OK. The window closes and the new mapping settings are added to the list.<br />
Note: Repeat this step to add mapping settings for multiple host names and certificates.<br />
7 [Optional] Do one of the following to configure the connection from the appliance to the web server:<br />
• If you do not want the server connection to be SSL-secured, select SSL-Scanner functionality<br />
applies only to client connection.<br />
Note: In this case, you also need to set up a rule that changes the network protocol from HTTPS to<br />
HTTP.<br />
• If you want the server connection to be SSL-secured, deselect SSL-Scanner functionality<br />
applies only to client connection.<br />
8 Click Save Changes.<br />
Create a rule set for setting the URL.Host property<br />
To create a rule set with rules that set the URL.Host property to the appropriate value for the IP<br />
addresses the appliance listens to, proceed as follows:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the position where you want to insert the rule set.<br />
3 Above the tree, click Add and select Rule Set. The Add New Rule Set window opens.<br />
4 Under Name, enter a suitable name for the new rule set, for example, Set URL.Host property<br />
according to particular IP addresses.<br />
5 Make sure Enable is selected.<br />
6 Under Applies to select Requests and IM.<br />
7 Under Apply this rule set, select Always.<br />
8 [Optional] Under Comment, type a plain-text comment on the rule set.<br />
Click OK. The window closes and the new rule set is inserted in the rule sets tree.<br />
Create rules for setting the URL.Host property<br />
To create rules that set the URL.Host property to the appropriate value for the IP addresses the<br />
appliance listens to, proceed as follows:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set you have created for the new rules, for example, Set<br />
URL.Host property according to particular IP addresses.<br />
3 Click Add Rule. The Add Rule window opens.<br />
4 Under Name, enter a name for the new rule, for example, Set URL.Host property for IP address<br />
10.141.101.51.<br />
5 Under Rule Criteria, select If the following criteria is matched and click Add. The Add Criteria<br />
window opens.<br />
6 Configure the rule criteria as follows:<br />
• From the Property list, select URL.Destination.IP.<br />
• From the Operator list, select equals.<br />
• In the Value field under Parameter, type the IP address you want to match to a host name, for<br />
example, 10.141.101.51.<br />
7 Click OK. The window closes and the new criteria appears under Rule Criteria.<br />
8 Under Action, select Continue and leave the default settings for this action.<br />
9 Under Events, click Add and then Set Property Value. The Add Set Property window opens.<br />
10 Set a property as follows:<br />
• Under Set this property, select URL.Host.<br />
• Under To concatenation of these strings, click Add. The Please enter a string window opens.<br />
• In the Value field, type the host name you want the IP address to match.<br />
11 Click OK. The window closes and the new event appears under Events.<br />
12 Click Finish. The Add Rule window closes and the new rule is inserted in the rule set you configured<br />
for it.<br />
13 [Optional] Repeat Steps 3 to 12 for every other rule you want to add.<br />
14 Click Save Changes.<br />
Optional settings for a reverse HTTPS proxy configuration<br />
In addition to configuring the network setup and the SSL certificate handling, you can complete some<br />
optional activities to ensure the smooth operation of a reverse HTTPS proxy configuration:<br />
• Deactivate proxy loop detection<br />
• Restrict access to appliance ports<br />
• Restrict access to web servers<br />
• Address multiple web servers<br />
Deactivate proxy loop detection<br />
The appliance can detect proxy loops by evaluating the Via header of a client request. It is<br />
recommended that you deactivate this detection process in a reverse HTTPS proxy configuration.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to deactivate proxy loop detection for and select<br />
Proxies (HTTP(S), FTP, ICAP, and IM).<br />
3 In the Advanced Settings section, deselect HTTP(S): Inspect Via header to detect proxy<br />
loops.<br />
4 Click Save Changes.<br />
Restrict access to appliance ports<br />
In a reverse HTTPS proxy configuration, access should be restricted to the proxy ports of the appliance.<br />
You need to configure the user interface and file server settings accordingly.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to restrict port access for and select User<br />
Interface.<br />
3 Under HTTP Connector Port, enter the appliance proxy port (default: 9090).<br />
4 Select File Server.<br />
5 Under HTTP Connector Port, enter the appliance proxy port (default: 9090).<br />
6 Click Save Changes.<br />
Restrict access to web servers<br />
The purpose of a reverse HTTPS proxy configuration is to protect a limited number of particular web<br />
servers against unwanted data uploads. For this configuration, you should therefore allow access to<br />
these servers only and block it for others. After access to other servers has been requested and<br />
blocked, it is also recommended that you let the appliance close these connections.<br />
To implement this you need to:<br />
• Create a list of the web servers you want to protect<br />
• Create a rule set for a blocking rule<br />
• Create a rule that blocks access to other web servers and closes connections to clients after blocking<br />
their requests<br />
Create a list of web servers<br />
To create a list of the protected web servers in a reverse HTTPS proxy configuration:<br />
1 Go to Policy | Lists.<br />
2 Above the lists tree, click Add. The Add List window opens.<br />
3 Specify the following settings to create a new list:<br />
• Name — , for example, Protected web servers<br />
• [Optional] Comment — A plain-text comment on the new list<br />
• Type — Wildcard Expression<br />
4 Click OK. The window closes and the new list appears on the lists tree under Custom Lists | Wild Card<br />
Expression.<br />
5 To fill the list with entries for web servers, click Add above the settings pane (right side of the user<br />
interface). The Add Wildcard Expression window opens.<br />
Note: To add multiple entries at once, click Add Multiple.<br />
6 Enter one or more URLs for the web servers you want to address. Separate multiple entries by<br />
commas.<br />
7 Click OK. The window closes and your entries are added to the list.<br />
8 Click Save Changes.<br />
Create a rule set for a blocking rule<br />
To create a rule set for the rule that blocks access to web servers in a reverse HTTPS proxy<br />
configuration:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the position where you want to insert the rule set.<br />
3 Above the tree, click Add and select Rule Set. The Add New Rule Set window opens.<br />
4 Under Name, enter a name for the new rule set, for example, Block web servers in a reverse<br />
HTTPS proxy configuration.<br />
5 Make sure Enable is selected.<br />
6 Under Applies to, select Requests and IM.<br />
7 Under Apply this rule set, select If the following criteria is matched, then click Add. The Add<br />
Criteria window opens.<br />
8 Configure the rule set criteria as follows:<br />
• From the Property list, select URL.Protocol.<br />
• From the Operator list, select equals.<br />
• Under Operand, type https.<br />
• [Optional] Under Comment, type a plain-text comment on the new rule set<br />
9 Click OK. The window closes and the new rule set is inserted in the rule sets tree.<br />
Create a rule to block access to web servers<br />
To create a rule for blocking access to web servers when these are not on the list of protected servers<br />
in a reverse HTTPS proxy configuration, proceed as follows:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set you have created for the new blocking rule, for example,<br />
Block web servers in a reverse HTTPS proxy configuration.<br />
3 Click Add Rule. The Add Rule window opens.<br />
4 Under Name, enter a name for the new rule, for example, Allow access only to protected web<br />
servers.<br />
5 Under Rule Criteria, select If the following criteria is matched and click Add. The Add Criteria<br />
window opens.<br />
6 Configure the rule criteria as follows:<br />
• From the Property list, select URL.Host.<br />
• From the Operator list, select matches in list.<br />
• From the Value list under Parameter, select the web server list you configured, for example,<br />
Protected web servers.<br />
7 Click OK. The window closes and the new criteria appears under Rule Criteria.<br />
8 Under Action, select Block and leave the default settings for this action.<br />
9 Under Events, click Add and then Event. The Add Event window opens.<br />
10 Configure an event as follows:<br />
• From the Event list, select Enable Workaround.<br />
• From the Settings list, select Do not keep connection to client persistent.<br />
11 Click OK. The window closes and the new event appears under Events.<br />
12 Click Finish. The Add Rule window closes and the new rule is inserted in the rule set you configured<br />
for it.<br />
13 Click Save Changes.<br />
Address multiple web servers<br />
The appliance can forward consecutive requests to different destinations to achieve load balancing and<br />
ensure redundancy. A rule that triggers the Enable Next Hop Proxy event is used to let the appliance<br />
behave in this way.<br />
To implement this, you need to:<br />
• Import the Next Hop Proxy rule set from the rule set library<br />
• Create a list of next hop proxies<br />
• Create a rule that triggers the Enable Next Hop proxy event when a web server from the list of<br />
protected servers is requested<br />
Note: You can use the list here that you created to restrict access to these servers.<br />
For more information, see the following subsections, as well as Import a rule set and Create a list of<br />
web servers.<br />
Create a list of next hop proxies<br />
To create a list of the web servers that are addressed as next hop proxies when a suitable rule triggers<br />
the Enable Next Hop Proxy event, proceed as follows:<br />
1 Go to Policy | Lists.<br />
2 Above the lists tree, click Add. The Add List window opens.<br />
3 Specify the following settings to create a new list:<br />
• Name — , for example, Protected web servers as next hop proxies<br />
• [Optional] Comment — A plain-text comment on the new list<br />
• Type — NextHopProxy<br />
4 Click OK. The window closes and the new list is inserted on the lists tree under Custom Lists |<br />
NextHopProxy.<br />
5 To fill the list with entries for web servers, click Add above the settings pane (right side of the user<br />
interface). The Add Wildcard Expression window opens.<br />
Note: To add multiple entries at once, click Add Multiple.<br />
6 Enter one or more URLs for the web servers you want to address. Separate multiple entries by<br />
commas.<br />
7 Click OK. The window closes and your entries are added to the list.<br />
8 Click Save Changes.<br />
Create next hop proxy settings<br />
To create a list of the web servers that are addressed as next hop proxies when a suitable rule triggers<br />
the Enable Next Hop Proxy event, proceed as follows:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to Enable Next Hop Proxy and click Add. The Add<br />
Settings window opens.<br />
3 Specify the following to create new settings:<br />
• Name — , for example, Protected web servers<br />
• [Optional] Comment — A plain-text comment on the new settings<br />
• Under Next Hop Proxy Servers configure the following:<br />
• From the List of next hop proxy servers, select the next hop proxy list you created, for<br />
example, Protected web servers as next hop proxies.<br />
• Make sure Round Robin is selected.<br />
• Deselect Proxy style requests.<br />
4 Click OK. The window closes and the new settings appear on the settings tree under Custom Lists |<br />
NextHopProxy.<br />
5 Click Save Changes.<br />
Create a rule for the Enable Next Hop proxy event<br />
To create a rule that triggers the Enable Next Hop proxy event when a server from the list of protected<br />
web servers is requested, proceed as follows:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the Next Hop Proxy rule set. The rules within this rule set appear on<br />
the settings pane.<br />
3 Click Add Rule. The Add Rule window opens.<br />
4 Under Name, enter a name for the new rule, for example, Address protected web servers as next<br />
hop proxies.<br />
5 Under Rule Criteria, select If the following criteria is matched, then click Add. The Add Criteria<br />
window opens.<br />
6 Configure the rule criteria as follows:<br />
• From the Property list, select URL.Host.<br />
• From the Operator list, select does not match in list.<br />
• From the Value list under Parameter, select the web server list you configured, for example,<br />
Protected web servers.<br />
7 Click OK. The window closes and the new criteria appears under Rule Criteria.<br />
8 Under Action, leave Continue (default).<br />
9 Under Events, click Add and then Event. The Add Event window opens.<br />
10 Configure an event as follows:<br />
• From the Event list, select Enable Next Hop Proxy.<br />
• From the Settings list, select the settings you configured, for example, Protected web servers.<br />
11 Click OK. The window closes and the new event appears under Events.<br />
12 Click Finish. The Add Rule window closes and the new rule is added to the rules of the Next Hop Proxy<br />
rule set.<br />
13 Click Save Changes.<br />
Providing proxy auto-configuration files<br />
You can provide one or more proxy auto-configuration (PAC) files on the appliance. <strong>Web</strong> browsers on<br />
the clients can use them to find proxies that enable them to access particular web pages. This section<br />
tells you how to make these files available to the client browsers.<br />
A proxy auto-configuration file usually has .pac as its file name extension. There can be several of them<br />
on the appliance, for example, a proxy.pac and a webgateway.pac.<br />
When a proxy auto-configuration file follows the WPAD (<strong>Web</strong> Proxy Auto-Discovery) protocol, it must<br />
have wpad.dat as its file name. Therefore, it can exist on the appliance only once.<br />
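A PAC file is a JavaScript file that defines FindProxyForURL(url, host). The following is an added example of such a file and is not shipped with the appliance: it uses the guide's example appliance name and the default proxy port 9090, and the internal domain list is a constructed placeholder.<br />

```javascript
// Added illustration of a PAC file body, not shipped with the appliance.
// mwgappl.webwasher.com is the guide's example appliance name and 9090 its
// default proxy port; the internal domain list is a constructed placeholder.
var GATEWAY = "PROXY mwgappl.webwasher.com:9090";
var APPLIANCE_HOST = "mwgappl.webwasher.com";
var INTERNAL_DOMAINS = ["corp.example.test"];

// True when host equals domain or is a subdomain of it. Matching on the
// label boundary keeps "notcorp.example.test" and
// "corp.example.test.other.test" from being treated as internal.
function inDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  // Normalise case and a trailing dot before comparing names.
  host = String(host).toLowerCase().replace(/\.$/, "");
  // Single-label names and the appliance itself are reached directly, so
  // fetching the PAC file never depends on the proxy it configures.
  if (host.indexOf(".") === -1 || host === APPLIANCE_HOST) return "DIRECT";
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (inDomain(host, INTERNAL_DOMAINS[i])) return "DIRECT";
  }
  // No "; DIRECT" fallback: if the gateway is unreachable the request fails
  // instead of leaving the network unfiltered.
  return GATEWAY;
}
```

Saved under a .pac name, this is the file the browser downloads; the same content saved as wpad.dat serves clients that use auto-detection.<br />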
Make a .pac file available<br />
To make a .pac file available to a browser on a client:<br />
1 Store the .pac file in the /opt/mwg/files folder on your appliance.<br />
2 Start the browser and go to the network configuration settings. For example, on a Mozilla Firefox<br />
browser, version 3.6, you can find these settings under Edit | Preferences | Advanced | Network.<br />
3 In the Connection section, click Settings.<br />
4 Select Automatic proxy configuration URL, then enter the path and file name for the .pac file, for<br />
example, http://mwgappl.webwasher.com:4711/files/proxy.pac.<br />
Note: If you want the clients to use a dedicated port for downloading the file, you must first configure this<br />
port. If no dedicated port is used, clients are directed to the HTTP port for the user interface (default:<br />
4711, as specified above).<br />
5 Click OK.<br />
For more information on configuring a dedicated download port, see File Server system settings.<br />
Make a wpad.dat file available<br />
When a wpad.dat file is made available to a browser on a client, the browser uses auto-detection to find<br />
the host where it is stored. A port forwarding rule enables the browser to go to the appropriate port on<br />
this host to download the file.<br />
Before you configure this feature, make sure of the following:<br />
• The wpad.dat file is stored in the /opt/mwg/files folder on your appliance.<br />
• The following has been entered as a DNS host or alias name for the appliance: wpad., for example, wpad.domain.com or wpad.subdomain.domain.com.<br />
• [Conditional] If you want the clients to use a dedicated port for downloading the file, you must first<br />
configure this port. If no dedicated port is used, clients are directed to the HTTP port for the user<br />
interface (default: 4711).<br />
For more information on configuring a dedicated download port, see File Server system settings.<br />
Configure a port forwarding rule for downloading a wpad.dat file<br />
To enable the download of a wpad.dat file by a client browser, you need to configure a rule that<br />
forwards the download request to the appropriate port on the appliance.<br />
1 On the user interface of the appliance, go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance the wpad.dat file is made available on and select Port<br />
Forwarding.<br />
3 Under Port Forwarding Rules, click Add. The Add AppliancePortForwarding window opens.<br />
4 Configure a port forwarding rule as follows:<br />
• Source Host — 0.0.0.0<br />
• Target Port — 80<br />
• Destination Host — 127.0.0.1<br />
• Destination Port — <br />
As , enter either the HTTP port for the user interface (default: 4711) or<br />
the dedicated port you have configured.<br />
5 Click OK. The window closes and the port forwarding rule is added to the list.<br />
Configure auto-detection of a wpad host<br />
To let a browser use auto-detection for finding the appliance as the host where a wpad.dat file is<br />
stored:<br />
1 Start the browser and go to the network configuration settings. For example, on a Mozilla Firefox<br />
browser, version 3.6, you can find these settings under Edit | Preferences | Advanced | Network.<br />
2 In the Connection section, click Settings.<br />
3 Select Auto-detect proxy settings for this network.<br />
4 Click OK.<br />
Helix proxy configuration<br />
The Helix proxy is a third-party proxy for handling real-time streaming data. It is preinstalled on the<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> appliance. This section tells you how to use this proxy on the appliance.<br />
The Helix proxy is initially not accessed from the user interface of the appliance, but using a command<br />
line interface, which is, for example, provided by your administration system. Later on, you can<br />
administer the proxy on its own user interface.<br />
Complete the following procedure to set up the Helix proxy for use on the appliance:<br />
1 On the command line interface, enter the activation command, for example, as follows:<br />
service helix-proxy activate<br />
You are asked to enter a user name and password for the initial administrator account.<br />
2 Enter both. The Helix proxy is started.<br />
Note: After the start, you can find configuration files for the proxy in the /opt/helix-proxy folder on the<br />
appliance and modify them manually as needed.<br />
3 Connect to the user interface of the proxy:<br />
http://:21774/admin/index.html<br />
The user interface appears and displays a logon window.<br />
4 Enter the user name and password from step 2.<br />
After a successful logon, the user interface of the proxy is available.<br />
5 Configure your real-player application to use the appliance as a proxy, for example, as follows:<br />
a Start the real player.<br />
b On its user interface, go to the proxy settings.<br />
c In the appropriate input field, for example, the RTSP (Real-Time Streaming Protocol) field, enter<br />
the IP address of the appliance with 554 as the port number.<br />
For more information, refer to the user documentation of the Helix proxy.<br />
Preventing data leaks<br />
When you are running the appliance together with a DLP (Data Leakage Prevention) solution that uses<br />
an ICAP server for the filtering process, you can implement a rule set to ensure the smooth flow of data<br />
between the appliance and the ICAP server. This section describes the rule set and the settings that are<br />
implemented with it.<br />
The DLP solution that you can run together with the appliance is named nDLP. Its purpose is to filter<br />
data that users want to upload from your network to the web in order to prevent data leaks. An ICAP<br />
server is used by the solution for the filtering process. The data flow is as follows:<br />
• Data sent from the client systems of your users is forwarded to the appliance.<br />
• The appliance provides an ICAP client that sends REQMOD requests with the user data to the ICAP<br />
server that is part of the DLP solution.<br />
• The requests are filtered on the server by modifying them according to the ICAP protocol and passed<br />
on to the web servers that are the destinations of the requests.<br />
After importing the Data Leakage Prevention rule set from the rule set library, rules are executed on<br />
the appliance to handle the sending of requests to the ICAP server.<br />
According to these rules, a request is not forwarded if:<br />
• The body of the request contains no data and the request does not include URL parameters.<br />
• The body of the request exceeds a given size (default: 50 MB).<br />
Together with the rule set, settings are imported that you need to configure. These include a list of the<br />
ICAP servers that the appliance can forward requests to. You can also configure the ICAP client on the<br />
appliance not to open more connections for sending requests than a particular ICAP server can handle<br />
at the same time.<br />
For more information, see Import a rule set and Data Leakage Prevention.<br />
Data Leakage Prevention<br />
This section describes the rules in the Data Leakage Prevention library rule set.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Data Leakage Prevention<br />
Criteria — URL.Host does not equal “ ”<br />
Cycles — Requests (and IM) and embedded objects<br />
The rule set criteria specifies that the rule set applies when a host name can be found for a URL that is<br />
sent in a request to the appliance.<br />
The rule set contains the following rules:<br />
Skip requests that do not carry information<br />
Body.Size equals 0 AND ListOfString.IsEmpty(URL.Parameters) equals true –> Stop Rule Set<br />
The rule uses the Body.Size property to check whether a request has a body that is empty. It also<br />
uses the ListOfString.IsEmpty property to check whether a request has URL parameters. If one of<br />
the two parts of this criteria is matched, processing of the rule set stops and the request is not<br />
forwarded to the ICAP server.<br />
Skip body that is greater than 50 MB<br />
Body.Size greater than 50 –> Stop Rule Set<br />
The rule uses the Body.Size property to check whether the body of a request does not exceed 50<br />
MB. If it does, processing of the rule set stops and the request is not forwarded to the ICAP server.<br />
Call ReqMod server<br />
ICAP.ReqMod.Satisfaction equals true –> Stop Cycle<br />
When a request has passed filtering according to the first two rules of the rule set, it is forwarded<br />
to the ICAP server. If this has been done, the value of the ICAP.ReqMod.Satisfaction property is<br />
true. The rule checks whether this is the case for a request and eventually stops processing the<br />
current cycle.<br />
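The three rules above and the REQMOD data flow they control can be traced with the following added example, which is not the appliance's ICAP client. It applies the two skip rules as their expressions are printed, then wraps the request in a REQMOD message laid out according to RFC 3507.<br />
Assumptions: the ICAP URI, the host names, the function names and the reading of 50 MB as 50 × 1024 × 1024 bytes are constructed for the example.<br />

```javascript
// Added illustration, not the appliance's ICAP client. The ICAP URI, host names
// and requests used with it are constructed; the message layout follows RFC 3507.
const MAX_BODY_BYTES = 50 * 1024 * 1024; // "50 MB" from the rule set, read as MiB (assumption)

// First two rules of the rule set: return why a request is skipped, or null to forward it.
function skipReason(req, maxBytes = MAX_BODY_BYTES) {
  const hasUrlParameters = new URL(req.url).search !== "";
  // Body.Size equals 0 AND ListOfString.IsEmpty(URL.Parameters) equals true
  if (req.body.length === 0 && !hasUrlParameters) return "no-information";
  // Body.Size greater than the limit
  if (req.body.length > maxBytes) return "body-too-large";
  return null;
}

// Third rule: wrap the HTTP request in an ICAP REQMOD message.
function buildReqmod(icapUri, req) {
  const m = /^icap:\/\/([^/]+)/i.exec(icapUri);
  if (!m) throw new Error("not an ICAP URI: " + icapUri);
  const u = new URL(req.url);
  const httpHead =
    `${req.method} ${u.pathname}${u.search} HTTP/1.1\r\n` +
    `Host: ${u.host}\r\n` +
    Object.entries(req.headers || {}).map(([k, v]) => `${k}: ${v}\r\n`).join("") +
    "\r\n";
  // Encapsulated offsets are byte counts from the end of the ICAP header:
  // the HTTP request head starts at 0, the body (or its absence) follows it.
  const bodyKind = req.body.length > 0 ? "req-body" : "null-body";
  const icapHead =
    `REQMOD ${icapUri} ICAP/1.0\r\n` +
    `Host: ${m[1]}\r\n` +
    `Encapsulated: req-hdr=0, ${bodyKind}=${Buffer.byteLength(httpHead)}\r\n\r\n`;
  // An encapsulated body is sent with chunked transfer coding.
  const chunked = req.body.length > 0
    ? Buffer.concat([
        Buffer.from(req.body.length.toString(16) + "\r\n"),
        req.body,
        Buffer.from("\r\n0\r\n\r\n"),
      ])
    : Buffer.alloc(0);
  return Buffer.concat([Buffer.from(icapHead), Buffer.from(httpHead), chunked]);
}

// Read the Encapsulated header back, as an ICAP server would, and split the message.
function splitReqmod(message) {
  const icapEnd = message.indexOf("\r\n\r\n") + 4;
  const icapHead = message.toString("latin1", 0, icapEnd);
  const m = /Encapsulated: req-hdr=0, (req-body|null-body)=(\d+)/.exec(icapHead);
  if (!m) throw new Error("no Encapsulated header");
  const bodyOffset = icapEnd + Number(m[2]);
  return {
    bodyKind: m[1],
    httpHead: message.toString("latin1", icapEnd, bodyOffset),
    chunked: message.subarray(bodyOffset),
  };
}

// The decision the rule set makes for one request: skip it or send it to the ICAP server.
function handleRequest(icapUri, req) {
  const reason = skipReason(req);
  return reason
    ? { forwarded: false, reason }
    : { forwarded: true, message: buildReqmod(icapUri, req) };
}
```

Requests that return a skip reason are never seen by the DLP filter, so the size limit and the empty-request rule define what the ICAP server cannot inspect.<br />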
Configure the ICAP server list<br />
When running the appliance with a DLP solution such as nDLP that uses ICAP servers for filtering data,<br />
you need to configure a list of these servers.<br />
To configure an ICAP server list:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to ICAP Client and select the ReqMod settings.<br />
3 Configure the ICAP server list that is provided under these settings as needed.<br />
4 Click Save Changes.<br />
For more information, see ICAP Client engine settings.<br />
ICAP Client engine settings<br />
The ICAP Client engine settings are used for configuring communication in REQMOD mode between an<br />
ICAP client on the appliance and ICAP servers.<br />
Note: These settings are configured under ICAP Client on the Settings tab of the Policy top-level menu.<br />
Reqmod settings<br />
Settings for configuring the REQMOD mode of ICAP communication<br />
ICAP Service<br />
Settings for sending a request in REQMOD mode to an ICAP server<br />
List of ICAP servers — List of servers that the ICAP client on the appliance can send requests to in<br />
REQMOD mode<br />
The following table describes the list entries. For general information on how to maintain lists, see List<br />
maintenance.<br />
Table 3-12 ICAP Servers list<br />
Option — Definition<br />
URI — URI of an ICAP server. Format: ICAP://:<br />
Respect max concurrent connections limit — When selected, the ICAP client on the appliance will not open more connections at the same time for sending requests than the ICAP server can handle<br />
Comment — Plain-text comment on the ICAP server<br />
<strong>Web</strong> caching<br />
A web cache is provided on the appliance for storing web objects to speed up responses to client<br />
requests. This section explains the handling of this cache.<br />
Use of the web cache is controlled by rules for reading objects from it or writing them to it. This means<br />
a rule set must be implemented that contains such rules. Bypass lists can contain web objects<br />
that should not be cached. In addition to this, the web cache must be enabled as an option of the<br />
common proxy settings.<br />
Rules for the web cache<br />
Use of the appliance web cache is controlled by rules in a rule set. This section explains the handling of<br />
a web cache rule set and describes a web cache rule set from the library.<br />
To find out whether a web cache rule set is implemented on your appliance, review the system of rule<br />
sets on the Rule Sets tab of the Policy top-level menu.<br />
If none is implemented, you can import the <strong>Web</strong> Cache library rule set. After importing this rule set,<br />
you can review and modify it on the Rule Sets tab to make it suit your network. Alternatively, you can<br />
create a rule set with rules of your own.<br />
A web cache rule set typically contains rules for reading objects from the cache and writing them to it.<br />
Additionally, there can be bypass rules that exclude objects from being read or written.<br />
For more information, see Import a rule set and <strong>Web</strong> caching.<br />
<strong>Web</strong> Cache<br />
This section describes the rules in the <strong>Web</strong> Cache library rule set.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — <strong>Web</strong> Cache<br />
Criteria — Always<br />
Cycle — Requests (and IM) and responses<br />
The following rule sets are nested in this rule set:<br />
• Read from Cache<br />
• Write to Cache<br />
Read from Cache<br />
This nested rule set enables the reading of web objects from the cache and forbids it for URLs that are<br />
on a bypassing list.<br />
Nested library rule set — Read from Cache<br />
Criteria — Always<br />
Cycles — Requests (and IM)<br />
The rule set contains the following rules:<br />
Skip caching URLs that are in <strong>Web</strong> Cache URL Bypass List<br />
URL matches in list <strong>Web</strong> Cache URL Bypass List –> Stop Rule Set<br />
The rule uses the URL property to check whether a requested URL is on the specified<br />
bypass list. If it is, processing of the rule set stops. The rule that enables writing to the cache<br />
is then not processed. Processing continues with the next rule set.<br />
Note: The rule is not enabled by default.<br />
Enable <strong>Web</strong> Cache<br />
Always –> Continue — Enable <strong>Web</strong> Cache<br />
The rule is always processed unless it is skipped because the bypassing rule placed before it in the<br />
rule set applies. It enables the web cache, so objects stored in it can be read. Processing continues<br />
with the next rule set.<br />
Write to Cache<br />
This nested rule set enables the writing of web objects to the cache and forbids it for large objects, as<br />
well as for URLs and media types on particular bypassing lists.<br />
Nested library rule set — Write to Cache<br />
Criteria — Always<br />
Cycles — Responses<br />
The rule set contains the following rules:<br />
Skip caching URLs that are in <strong>Web</strong> Cache URL Bypass List<br />
URL matches in list <strong>Web</strong> Cache URL Bypass List –> Stop Rule Set<br />
The rule uses the URL property to check whether a URL sent from the web is on the specified<br />
bypass list.<br />
If it is, processing of the rule set stops. The rule that enables writing to the cache is then not<br />
processed. Processing continues with the next rule set.<br />
Note: The rule is not enabled by default.<br />
Skip caching objects that are larger than X bytes<br />
String.ToNumber (Header.ResponseGet (“Content-Length”)) greater than 8388608<br />
–> Stop Rule Set<br />
The rule uses the String.ToNumber property to convert a string in a response header that is sent<br />
with an object to indicate its content length into a numerical value. Then it checks whether this<br />
value is greater than the number specified here.<br />
If it is, processing of the rule set stops and the writing rule of the rule set is not processed.<br />
Processing continues with the next rule set.<br />
Note: The rule is not enabled by default.<br />
Skip caching media types that are in <strong>Web</strong> Cache Media Type Blocklist<br />
MediaType.FromHeader is in list <strong>Web</strong> Cache Media Type Blocklist –> Stop Rule Set<br />
The rule uses the MediaType.FromHeader property to check whether the media type of an object<br />
is on the specified bypass list. The type is taken from the header information of the<br />
request sent for accessing the media.<br />
If the media type is on the list, processing of the rule set stops. The writing rule of the rule set is<br />
then not processed. Processing continues with the next rule set.<br />
Note: This rule is not enabled by default.<br />
Enable web cache<br />
Always –> Continue — Enable <strong>Web</strong> Cache<br />
The rule is always processed unless it is skipped because the rules preceding it in the rule set<br />
apply. It uses an event to enable the web cache, so objects can be written to it. Processing<br />
continues with the next rule set.<br />
Bypass lists for web caching<br />
You can fill bypass lists with entries for web objects, such as URLs, media types, and others, to exclude<br />
these objects from caching. This section tells you how to work with these lists and describes some<br />
sample lists.<br />
A web cache rule set must contain rules that use the bypass lists and prevent the rules for reading from and<br />
writing to the cache from being processed.<br />
Note: This means that when you edit a bypass list, you also modify the rule that uses it. You should therefore<br />
make sure you know which rule uses a list that you edit. You can do this, for example, by reviewing the rules<br />
of the web cache rule set to see which list names appear in rule names and criteria.<br />
When you import a web cache rule set from the library, bypass lists are implemented with the rule set.<br />
You can edit these lists and also create lists of your own.<br />
The procedures used to maintain bypass lists differ according to the list type. For example, you can add<br />
wildcard expressions or URLs to a bypass list for URLs by typing them into the list. When adding media types, however, you select<br />
them from folders with media type groups.<br />
For more information on the sample lists, see Sample lists for web caching.<br />
For the list activities, see Add a wildcard expression for URLs to a web cache bypassing list, and Add a<br />
media type to a web cache bypassing list.<br />
Sample lists for web caching<br />
This section describes two sample bypass lists for use with the web cache rules.<br />
When you import the <strong>Web</strong> Cache rule set from the library, these lists are also imported. You can find<br />
them on the Lists tab of the Policy top-level menu, sorted by their types and names.<br />
For general information on how to maintain lists, see List maintenance.<br />
<strong>Web</strong> Cache URL Bypass List<br />
Library list of wildcard expressions for URLs that should not be read from or written to the web cache.<br />
Type: Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 3-13 <strong>Web</strong> Cache URL Bypass List<br />
Option | Definition<br />
Wildcard Expression | Wildcard expression for URLs that should not be cached<br />
Comment | Plain-text comment on the wildcard expression<br />
<strong>Web</strong> Cache Media Type Blocklist<br />
Library list of media types that should not be read from or written to the web cache.<br />
Type: Media type<br />
Initial entries:<br />
application/mpegurl — MP3 Playlist File<br />
application/x-pn-realaudio — RealMedia streaming file<br />
video/x-la-asf — Streaming Audio/Video File<br />
The following table describes the list entries.<br />
Table 3-14 <strong>Web</strong> Cache Media Type Blocklist<br />
Option | Definition<br />
Media type | Media type that should not be cached<br />
Comment | Plain-text comment on the media type<br />
Add a wildcard expression for URLs to a web cache bypassing list<br />
You can add a wildcard expression to a bypassing list in a web cache rule to exclude URLs from web<br />
caching.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for web caching, for example <strong>Web</strong> Cache.<br />
The rules appear on the settings pane.<br />
3 Find the rule that uses a bypassing list to exclude URLs from caching, for example, Skip caching<br />
URLs that are in <strong>Web</strong> Cache URL Bypass List, and click on the list name.<br />
Note: A yellow triangle by the list name indicates that this list is empty and you need to fill the entries.<br />
The Edit List (Wildcard Expression) window opens.<br />
4 Click Add. The Add Wildcard Expression window opens.<br />
5 In the Wildcard expression field, type a wildcard expression.<br />
Note: To add multiple wildcard expressions at once, click Add multiple and type every wildcard<br />
expression in a new line.<br />
6 [Optional] In the Comment field, type a comment on the wildcard expression.<br />
7 Click OK. The window closes and the wildcard expression appears on the whitelist.<br />
8 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance. For the types of wildcard<br />
expressions that are allowed in the list, see Wildcard expressions.<br />
Add a media type to a web cache bypassing list<br />
You can add a media type to a bypassing list used in a web cache rule to exclude web objects of this<br />
type from web caching.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for web caching, for example <strong>Web</strong> Cache.<br />
The rules appear on the settings pane.<br />
3 Find the rule that uses a bypassing list to exclude web objects that belong to a particular media type<br />
from caching, for example, Skip caching media types that are in <strong>Web</strong> Cache Media Type<br />
Blocklist, and click on the list name.<br />
The Edit List (MediaType) window opens.<br />
4 Click Edit. An Edit window opens. It displays a list of group folders with media types.<br />
5 Expand the group folder with the media type you want to add, for example, Document, and select<br />
the media type, for example, application/vnd/ms-excel.<br />
Note: To add multiple media types at once, select multiple media types or one or multiple group folders.<br />
6 Click OK. The window closes and the media type appears on the whitelist.<br />
7 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance.<br />
Verify the enabling of the web cache<br />
This section tells you how to verify whether the web cache is enabled. The relevant setting is a part of<br />
the common proxy settings.<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to verify the enabling for and select Proxies<br />
(HTTP(S), FTP, ICAP, and IM).<br />
3 Scroll down to the <strong>Web</strong> Cache section and see whether Enable Cache is selected. If necessary,<br />
enable this option.<br />
4 If necessary, click Save Changes.<br />
5 For more information on the proxy settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system<br />
settings.<br />
4<br />
Rules and rule sets<br />
Contents<br />
Filtering controlled by rules<br />
About rule elements<br />
About rule sets<br />
Rule configuration<br />
Rule set configuration<br />
List maintenance<br />
Action and engine settings<br />
Access restrictions<br />
Filtering controlled by rules<br />
Whenever the appliance takes a filtering action to ensure web security for your network, it is executed<br />
according to a rule. The sections of this chapter explain how you can work with these rules. They<br />
describe the filtering process they are used in, their elements, and the rule sets that contain them.<br />
They also explain how to work with the lists and modules that rules rely on for retrieving filter<br />
information.<br />
About filtering<br />
This section explains some basic concepts of the filtering process that goes on when the implemented<br />
rules are processed on the appliance.<br />
In this process, the appliance “filters” web traffic. It blocks some objects and lets others pass through,<br />
like a tea sieve or strainer that catches the tea leaves and allows the liquid to flow through its<br />
perforations.<br />
So how does the appliance tell the tea leaves from the liquid? The tea strainer obviously uses dimension<br />
as a key concept. If something is too big, it cannot pass through.<br />
Similarly, the appliance uses all kinds of properties that web objects can have or that are related in<br />
some way to web objects to make its filtering decisions.<br />
Properties of filtered objects<br />
Properties of web objects checked in the filtering process are, for example, “being virus-infected” or<br />
“belonging to a URL category” or “having a particular IP address”.<br />
The following can then be asked about these properties:<br />
• For a given web object, what value does property p have?<br />
• And: If this value is x, what action is required?<br />
Giving an answer to the second question leads to a rule:<br />
If the value of property p is x, action y is required.<br />
A property is a key element in every rule on the appliance. Understanding the property is essential to<br />
understanding the rule.<br />
When you are creating a rule, begin by thinking about the property you want to use. Using a property<br />
of an already existing rule as an example, you might consider something like the following:<br />
I want to filter viruses and other malware. I use the property “being virus-infected” and build a rule<br />
around it. I let this rule require a blocking action to be taken if a given object has this property.<br />
This rule could look as follows:<br />
If “being virus-infected” has the value “true” (for a given object), block this object.<br />
The object could, for example, be a file that a web server has sent because a user of your network<br />
requested it and that is intercepted and filtered on the appliance.<br />
Properties can be related to web objects, but also to the users that request them. For example, a rule<br />
could use the property “user groups that user is member of” to block requests sent by users who are<br />
not in an allowed group:<br />
If “user groups that user is member of” (for a given user) are not on the list of allowed groups,<br />
block requests sent by this user.<br />
Note: Properties and rules are explained in this section using normal language. However, the format they<br />
have on the user interface of the appliance does not differ from this very much.<br />
Filtering cycles<br />
The filtering process on the appliance has three cycles: the request cycle, the response cycle, and the<br />
embedded objects cycle. Only one of these can go on at a given moment.<br />
The request cycle is used for filtering requests that users of your network send to the web (1), the<br />
response cycle is for the responses received upon these requests from the web (2).<br />
Figure 4-1 Filtering requests and responses<br />
When embedded objects are sent with requests or responses (3), the embedded objects cycle is used<br />
as an additional cycle of processing.<br />
Figure 4-2 Filtering embedded objects<br />
An embedded object could, for example, be a file sent with a request to upload a file and embedded in<br />
this file. The filtering process begins with the request cycle, filtering the request and checking the file<br />
that is requested for uploading. Then the embedded objects cycle is started for the embedded file.<br />
Similarly, the response cycle and the embedded objects cycle are started one after another for a file<br />
that is sent in response from a web server and has another file embedded in it.<br />
For every rule on the appliance, it is specified in which cycle it is processed. However, the cycle is not<br />
specified individually for a rule, but for the rule set that contains it. A rule set can be processed in just<br />
one cycle or in a combination of cycles.<br />
Process flow<br />
In the filtering process, the implemented rules are processed one after another, according to the<br />
positions they take in their rule sets. The rule sets themselves are processed in the order of the rule set<br />
system, which is shown on the Rule Sets tab of the user interface.<br />
In each of the three cycles, the implemented rule sets are looked up one after another to see which<br />
must be processed in this cycle.<br />
When a rule is processed and found to apply, it triggers an action. The action executes a filtering<br />
measure, such as blocking a request to access a web object or removing a requested object. In addition<br />
to this, an action has an impact on the filtering process. It can specify that the filtering process must<br />
stop completely, or skip some rules and then continue, or simply continue with the next rule.<br />
Processing also stops after all implemented rules have been processed.<br />
Accordingly, the process flow can be as follows:<br />
• All rules have been processed for each of the cycles and no rule has been found to apply.<br />
–> Processing stops.<br />
In the request cycle, the request is allowed to pass through to the appropriate web server.<br />
In the response cycle, the response sent from the web is forwarded to the appropriate user.<br />
In the embedded objects cycle, the embedded object is allowed to pass through with the request or response it was sent with.<br />
Processing begins again when the next request is received.<br />
• A rule applies and specifies that processing must stop completely.<br />
–> Processing stops.<br />
An example of a rule that stops processing completely is a rule with a blocking action.<br />
If, for example, a request is blocked because the requested URL is on a blocking list, it is no use to process<br />
anything else. No response is going to be received because the request was blocked and not passed on to the<br />
appropriate web server. Filtering an embedded object that might have been sent with the request is also not needed<br />
because the request is blocked anyway.<br />
A message is sent to the user who is affected by the action, for example, to inform this user that the request<br />
was blocked and why.<br />
Processing begins again when the next request is received.<br />
• A rule applies and specifies that processing must stop for the current rule set.<br />
–> Processing stops for this rule set. The rules that follow the stopping rule in the rule set are skipped.<br />
An example of a rule that stops the processing of a rule set is a whitelisting rule followed by a blocking rule in the<br />
same rule set. When a requested object is found on a whitelist, the request is allowed to pass through without<br />
further filtering. Therefore the rule set is not processed any further and the rule that eventually blocks the object<br />
is skipped.<br />
Processing continues with the next rule set.<br />
The next rule set can contain rules that, for example, block a request, although it was allowed to pass through<br />
the preceding rule set.<br />
• A rule applies and specifies that processing must stop for the current cycle.<br />
–> Processing stops for this cycle. The rules and rule sets that follow the stopping rule in the cycle are skipped.<br />
An example of a rule that stops the processing of a cycle is a global whitelisting rule. When a requested object is found<br />
on a global whitelist, the request is allowed to pass through to the appropriate web server. To ensure the request is not<br />
blocked eventually by any of the following rules and rule sets, the request cycle is not processed any further.<br />
Processing continues with the next cycle.<br />
• A rule applies and specifies that processing continues with the next rule.<br />
–> Processing continues with the next rule.<br />
This can be the next rule in the current rule set or the first rule in the next rule set or cycle.<br />
An example of a rule that lets the filtering process continue unimpeded is a statistics rule. This rule just<br />
counts requests by increasing a counter and does otherwise nothing.<br />
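The process flow above, applied to the Write to Cache library rule set described earlier in this guide, as an added Python model (an illustration written for this page, not McAfee code). The Global Whitelist and URL Filtering rule sets, the action name Stop Cycle, all list entries except the three library media types, shell-style globbing for wildcard expressions, the treatment of a missing Content-Length as 0, and the omission of the embedded objects cycle are assumptions of the model.<br />

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional

# Impact of an action on the process flow, following the guide's process flow table.
BLOCK = "Block"                  # processing stops completely
STOP_CYCLE = "Stop Cycle"        # rest of the current cycle is skipped (name assumed)
STOP_RULE_SET = "Stop Rule Set"  # rest of the current rule set is skipped
CONTINUE = "Continue"            # processing goes on with the next rule

@dataclass
class Rule:
    name: str
    criteria: Callable[[dict], bool]
    action: str
    event: Optional[Callable[[dict], None]] = None
    enabled: bool = True

@dataclass
class RuleSet:
    name: str
    cycles: frozenset  # the cycle is specified for the rule set, not per rule
    rules: list

def run_cycle(rule_sets, cycle, obj):
    """Process one cycle; return (outcome, names of the rules that applied)."""
    applied = []
    for rule_set in rule_sets:
        if cycle not in rule_set.cycles:
            continue
        for rule in rule_set.rules:
            if not rule.enabled or not rule.criteria(obj):
                continue
            applied.append(rule.name)
            if rule.event:
                rule.event(obj)
            if rule.action == BLOCK:
                return "blocked", applied
            if rule.action == STOP_CYCLE:
                return "passed", applied
            if rule.action == STOP_RULE_SET:
                break
    return "passed", applied

def filter_transaction(rule_sets, obj):
    """Run the request cycle, then the response cycle, unless a rule blocks."""
    log = {}
    for cycle in ("request", "response"):
        outcome, log[cycle] = run_cycle(rule_sets, cycle, obj)
        if outcome == "blocked":
            return "blocked", log
    return "passed", log

# Media types and size limit are the library values; the other entries are constructed.
MEDIA_BLOCKLIST = {"application/mpegurl", "application/x-pn-realaudio", "video/x-la-asf"}
MAX_BYTES = 8388608
URL_BYPASS = ["http://payroll.example.test/*"]
GLOBAL_WHITELIST = ["http://updates.example.test/*"]
BLOCKED_CATEGORIES = {"Games/Gambling"}

def in_list(url, patterns):
    # Assumption: shell-style globbing stands in for the appliance's wildcard expressions.
    return any(fnmatchcase(url, pattern) for pattern in patterns)

def to_number(text):
    # Assumption: a missing or non-numeric header counts as 0 in this model.
    return int(text) if text and text.strip().isdigit() else 0

def build_policy(bypass_rules_enabled):
    on = bypass_rules_enabled
    return [
        RuleSet("Global Whitelist (hypothetical)", frozenset({"request"}), [
            Rule("Allow listed URLs", lambda o: in_list(o["url"], GLOBAL_WHITELIST), STOP_CYCLE),
        ]),
        RuleSet("URL Filtering (hypothetical)", frozenset({"request"}), [
            Rule("Block URLs by category",
                 lambda o: bool(BLOCKED_CATEGORIES & set(o["categories"])), BLOCK),
        ]),
        RuleSet("Write to Cache", frozenset({"response"}), [
            Rule("Skip caching URLs that are in Web Cache URL Bypass List",
                 lambda o: in_list(o["url"], URL_BYPASS), STOP_RULE_SET, enabled=on),
            Rule("Skip caching objects that are larger than X bytes",
                 lambda o: to_number(o["headers"].get("Content-Length")) > MAX_BYTES,
                 STOP_RULE_SET, enabled=on),
            Rule("Skip caching media types that are in Web Cache Media Type Blocklist",
                 lambda o: o["media_type"] in MEDIA_BLOCKLIST, STOP_RULE_SET, enabled=on),
            Rule("Enable web cache", lambda o: True, CONTINUE,
                 event=lambda o: o.update(cache_write=True)),
        ]),
    ]

def check(url, length=None, media_type="text/html", categories=(), bypass_rules_enabled=True):
    """Filter one constructed transaction; return (outcome, written_to_cache, log)."""
    headers = {} if length is None else {"Content-Length": str(length)}
    obj = {"url": url, "headers": headers, "media_type": media_type, "categories": categories}
    outcome, log = filter_transaction(build_policy(bypass_rules_enabled), obj)
    return outcome, obj.get("cache_write", False), log
```

Calling check() with bypass_rules_enabled=False reproduces the library default, in which the three skip rules are not enabled and every response reaches the Enable web cache rule.<br />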
Modules for delivering filtering information<br />
This section explains what special modules do for rules in the filtering process.<br />
Before a rule can trigger a particular action, it needs to know what the value of a particular property is.<br />
Consider, for example, a rule that blocks virus-infected objects:<br />
If “being virus-infected” has the value “true” (for a given object), block this object.<br />
The rule needs to know what the value for “being virus-infected” is for a given object. Only then can it<br />
block access to the object. How does the rule get this information?<br />
It gets the information by calling a special module. This module scans the object and tells the rule what<br />
value the property has for the object, for example, if “being virus-infected” is true for it or not.<br />
For a virus and malware filtering rule, the special module is the Anti-Malware module (also known as<br />
Anti-Malware engine). It can run with different settings and accordingly use different methods for<br />
completing its scanning job. For example, it can evaluate only virus signatures or use also proactive<br />
methods that are suitable for detecting viruses and other malware for which no signatures are known<br />
yet.<br />
Although the scanning module is used in the filtering process, it is not a filtering module in a strict<br />
sense. The filtering is not done by the module, but by the corresponding rule, based on the delivered<br />
information.<br />
About rule elements<br />
This section explains the elements of a web security rule.<br />
The general structure of a rule can be rendered very simply as follows:<br />
If a is the case, then do b.<br />
For web security rules on the appliance, this simple structure can be filled with a little more detail:<br />
If property p has the value x, do y.<br />
The property mentioned in the rule is the property of a web object or a user. It is checked, for example,<br />
when a user requests access to an object.<br />
An example of a rule like this is (in normal language):<br />
If “being virus-infected” has the value “true” (for a given object), block this object.<br />
or paraphrased even more simply:<br />
If an object is virus-infected, block it.<br />
Other examples are:<br />
If “category that a URL belongs to” has the value “on list x”, block the URL.<br />
If “user groups that user is member of” has the value “not on allowed groups list x”, block<br />
requests from this user.<br />
paraphrased more simply as:<br />
If the category of a URL is on a particular list, block the URL.<br />
If a user is not a member of an allowed user group, block requests from this user.<br />
Main elements of a rule<br />
A web security rule on the appliance has three main elements:<br />
(1) Criteria:<br />
If the category of a URL is on list x, ...<br />
Note: Instead of criteria, the term condition is used in other rule syntaxes.<br />
(2) Action that is executed if the criteria is matched:<br />
... block the URL<br />
The third element is optional:<br />
(3) Event (or more than one) that is to happen if the criteria is matched.<br />
... and log this action.<br />
Rule: Criteria –> Action (Event)<br />
If the category of a URL is on list x, ... –> ... block the URL (and) ... log this action.<br />
The criteria has again three elements:<br />
(a) Property (of a web object or user)<br />
the category of a URL ...<br />
(b) Operator that links the property to an operand<br />
... is on list<br />
(c) Operand specifying with the operator a value for the property<br />
... x (list name)<br />
Note: The operand is also known as parameter on the appliance.<br />
Criteria: Property | Operator | Operand<br />
the category of a URL ... | ... is on list | ... x (list name)<br />
Rules on the user interface<br />
On the user interface, a web security rule appears in the following format:<br />
Figure 4-3 Sample rule on the user interface<br />
The rule blocks a URL if its category is on a blocking list, notifies the user who requested access to the<br />
URL of the blocking, and records the blocking by incrementing a counter.<br />
The following table provides an overview of the individual rule elements and their meanings.<br />
Table 4-1 Overview of rule elements<br />
Option | Definition | Comment<br />
Enabled | Allows you to enable or disable the rule |<br />
Name | Name of the rule |<br />
• Block URLs ... | Name text |<br />
• Category BlockList | In name text: List used by the rule | Clicking on the list name opens the list for editing.<br />
• Yellow triangle | Next to a list name: Indicates that the list is initially empty |<br />
Criteria | Criteria of the rule | The criteria is only visible after clicking the toggle button Show Details.<br />
• URL.Categories | Property |<br />
• | Settings of the module that retrieves a value for the property (here: the URL Filter module) | Clicking on the settings name opens the settings for editing. The module name is not visible in the rule. It appears, however, in the Edit window for the rule criteria.<br />
• at least one in list | Operator |<br />
• Category BlockList | Operand, also known as parameter (here: a list used by the rule) | Clicking on the list name opens the list for editing. The list name appears both in the rule name and the criteria to let it be available when the criteria is not visible.<br />
• Yellow triangle | Next to a list name: Indicates that the list is initially empty |<br />
Action | Action of the rule |<br />
• Block | Name of the action | The symbol varies with the action.<br />
• | Settings of the action (here: settings specifying that a block message is sent to the user who is affected by the blocking) | Clicking on the settings name opens the settings for editing.<br />
Events | One (or more) events of the rule | The events are only visible in full after clicking the toggle button Show Details.<br />
• Statistics.Counter.Increment | Name of the event |<br />
• “BlockedByURLFilter, 1” | Parameters of the event (here: the name of a counter and an increment) |<br />
• | Settings of the module that handles the event | Clicking on the settings name opens the settings for editing.<br />
For more information on these elements, see the following sections.<br />
Complex criteria<br />
The criteria of a rule can be made complex by configuring it with two or more parts. Each of the parts<br />
then has a property with operator and operand. The parts are linked by AND or OR.<br />
The following is an example of complex criteria:<br />
AND/OR | Property | Operator | Operand<br />
| URL.Categories | at least one in list | Drugs<br />
OR | URL.Categories | at least one in list | Games/Gambling<br />
The criteria is matched if a filtered URL belongs to a category that is on either of the two specified<br />
category lists (or on both).<br />
If you configure criteria with three or more parts and use both AND and OR between them, you also<br />
need to put brackets to indicate how the parts are logically connected. For example, (a AND b) OR c<br />
differs in meaning from a AND (b OR c).<br />
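The effect of the brackets, as an added Python example that is not part of the guide: it parses a criteria combination, refuses a mix of AND and OR that has no brackets (a modelling choice), and evaluates it for three parts: a is URL.Categories at least one in list Drugs, b is URL.Categories at least one in list Games/Gambling, and c is Antimalware.Infected equals true. The list contents and the function names are constructed for the illustration.<br />

```python
import re
from itertools import product

# Constructed contents for the two category lists named in the guide's example.
DRUGS_LIST = {"Drugs"}
GAMES_GAMBLING_LIST = {"Games", "Gambling"}


def part_results(obj):
    """Evaluate the three criteria parts (property, operator, operand) for one object."""
    categories = set(obj["URL.Categories"])
    return {
        "a": bool(categories & DRUGS_LIST),           # at least one in list Drugs
        "b": bool(categories & GAMES_GAMBLING_LIST),  # at least one in list Games/Gambling
        "c": obj["Antimalware.Infected"] is True,     # equals true
    }


def parse_combination(text):
    """Turn '(a AND b) OR c' into a tree such as ('OR', [('AND', ['a', 'b']), 'c'])."""
    tokens = re.findall(r"\(|\)|AND|OR|[a-z]", text)
    if "".join(tokens) != "".join(text.split()):
        raise ValueError("unexpected characters in combination")
    pos = 0

    def operand():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("combination ends too early")
        token = tokens[pos]
        pos += 1
        if token == "(":
            node = group()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing closing bracket")
            pos += 1
            return node
        if not token.islower():
            raise ValueError(f"expected a criteria part, found {token!r}")
        return token

    def group():
        nonlocal pos
        items, operators = [operand()], set()
        while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
            operators.add(tokens[pos])
            pos += 1
            items.append(operand())
        if len(operators) > 1:
            # Modelling choice: without brackets the grouping is ambiguous, so reject it.
            raise ValueError("brackets needed where AND and OR are mixed")
        return (operators.pop(), items) if operators else items[0]

    tree = group()
    if pos != len(tokens):
        raise ValueError("unexpected token after combination")
    return tree


def evaluate(tree, results):
    """Evaluate a parsed combination against the truth values of its parts."""
    if isinstance(tree, str):
        return results[tree]
    operator, items = tree
    values = [evaluate(item, results) for item in items]
    return all(values) if operator == "AND" else any(values)


def matches(combination, obj):
    """True if the criteria with this combination is matched for the object."""
    return evaluate(parse_combination(combination), part_results(obj))


def disagreements(first, second):
    """List the (a, b, c) truth values for which two bracketings give different results."""
    trees = parse_combination(first), parse_combination(second)
    rows = []
    for a, b, c in product((False, True), repeat=3):
        results = {"a": a, "b": b, "c": c}
        if evaluate(trees[0], results) != evaluate(trees[1], results):
            rows.append((a, b, c))
    return rows
```

The two bracketings disagree exactly when a is false and c is true, so an infected object from a URL outside the Drugs list is matched by (a AND b) OR c but not by a AND (b OR c).<br />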
When you add a third criteria part on the user interface, lowercase letters appear before the parts and<br />
an additional field is inserted at the bottom of the configuration window.<br />
The field displays your criteria parts in short, for example, a AND b OR c. You can then type brackets<br />
into the field as needed.<br />
ID | AND/OR | Property | Operator | Operand<br />
a | | URL.Categories | at least one in list | Drugs<br />
b | AND | URL.Categories | at least one in list | Games/Gambling<br />
c | OR | Antimalware.Infected | equals | true<br />
Criteria Combination: (a AND b) OR c<br />
Properties<br />
A property is a key element in every rule. If it has a particular value, the criteria of the rule is matched<br />
and the rule applies, which means that the rule action is triggered.<br />
For example, if the property Antimalware.Infected has the value true in the criteria of a particular rule<br />
for virus and malware filtering, the rule triggers its blocking action.<br />
A property in a rule is a property of a web object or of something that is related to a web object, such<br />
as the user who requests it. For example, Antimalware.Infected is the property of a web object that is<br />
requested by a user or sent in response by a web server or embedded in another object.<br />
A property has a name, a type, and a value. For every property, a particular range of values is possible.<br />
A value within this range is found for it during the filtering process by running a special module or by<br />
going through a particular list.<br />
In the following, some examples of properties are given.<br />
Property of a web page or a file<br />
Property — Antimalware.Infected<br />
Type — Boolean<br />
Values — true | false<br />
The meaning of this property can be paraphrased as “being infected by a virus or other malware”.<br />
A rule using this property could apply if its value is true. The Anti-Malware module scans web objects<br />
when the rule is processed to find out what the value of the property is.<br />
Property of a URL<br />
Property — URL.Categories<br />
Type — List of categories<br />
Values — Lists of URL categories<br />
The meaning of this property can be paraphrased as “belonging to (one or more) URL categories”.<br />
A rule using this property could apply if one of these categories is on a blocking list. The URL Filter<br />
module retrieves information from the Global Threat Intelligence on which category or categories a<br />
given URL belongs to.<br />
Property of a website or page<br />
Property — URL<br />
Type — String<br />
Values — Lists of URLs<br />
The meaning of this property can be paraphrased as “having a URL”.<br />
A rule using this property could apply if a URL is on a blocking list. During the filtering process, it is<br />
looked up whether the URL is on the list. No special module is needed for this lookup.<br />
For a list of available properties with explanations, see the List of properties in the appendix.<br />
Actions<br />
An action is the element of a rule that is executed if the criteria of the rule is matched.<br />
For example, if an object sent by a web server in response to a user request is found to be<br />
virus-infected, the criteria of a particular rule for virus and malware filtering is matched, and the rule<br />
triggers the Block action.<br />
Settings can be configured for some actions to determine the way they are executed. For example, the<br />
Block action has settings that specify a corresponding user message. The settings can also specify the<br />
blocking reason for logging purposes.<br />
Every action has an impact on the filtering process. An action can stop this process, cause the<br />
remaining rules in a rule set or cycle to be skipped, or simply let the process continue.<br />
In the following, some examples of actions are given.<br />
Action — Block<br />
Settings — Specifying a message template and the blocking reason<br />
Impact — Stops the filtering process<br />
The blocking effect of this action is achieved by stopping the filtering process. If, for example, a request<br />
is blocked, processing stops completely and the request is not passed on to the appropriate web server.<br />
The user who sent the request is informed of the blocking. Different settings can be configured for the<br />
action, according to whether the blocking reason was a found virus or an inappropriate URL category,<br />
or something else.<br />
Action — Stop Rule Set<br />
Settings — None<br />
Impact — Stops processing of the current rule set and lets processing<br />
continue with the next rule set.<br />
This action can be used by a whitelisting rule to skip a blocking rule that follows it in the same rule set.<br />
Since this action does not affect the user, no settings for a user message are required.<br />
Action — Continue<br />
Settings — None<br />
Impact — Lets processing continue with the next rule after the rule that<br />
triggered this action.<br />
This action does not affect a user and accordingly no settings are needed for a user message.<br />
For a list of the available actions, see the List of actions in the appendix.<br />
Events<br />
If the criteria of a rule matches, an event or several of them can optionally be triggered. For example,<br />
if an object is found to be virus-infected and blocked, an event can be triggered that writes an entry for<br />
the blocking action into a log file.<br />
The way an event is executed can be configured through parameters and settings. For example, the<br />
text of a log file entry can be specified as an event parameter and rotation of the log files as part of the<br />
event settings.<br />
Other activities executed by events are, for example:<br />
• Setting a value<br />
• Adding a request header<br />
• Incrementing a counter<br />
For a list of the available events, see the List of events in the appendix.<br />
About rule sets<br />
Web security rules are grouped and contained in rule sets on the appliance. This section provides some<br />
general information about these rule sets and the rule set systems they are included in.<br />
After the initial setup, a system of rule sets is implemented on the appliance. If you use the policy<br />
creation wizard, this system will match your selections. Rules, rule sets and filter lists are then<br />
implemented according to the type of your organization, your region, and the strictness you want to<br />
impose on the users of your network. If you choose not to make such selections, the default rule set<br />
system is implemented.<br />
In both cases, you can review and modify what has been implemented. You can modify rule sets and<br />
individual rules, including the filter lists, the settings of the modules used in the filtering process, and<br />
the settings of the actions that are triggered when rules apply.<br />
You can edit or delete all these items, move rules and rule sets to different positions, copy rules to<br />
insert them into other rule sets, and create new items of all types. You can also import rule sets from<br />
the internal library, move them to other positions, and modify them.<br />
Rules in rule sets<br />
A rule cannot stand on its own; it must be included in a rule set. A rule set can include a single rule,<br />
several rules, or one or more nested rule sets. If it includes nested rule sets, it can, but need not,<br />
include individual rules on the same level as the nested rule sets.<br />
Rule sets usually include rules that work together to provide a particular function for ensuring web<br />
security. For example, a virus and malware filtering rule set might include a rule that blocks infected<br />
objects and one or several others that whitelist objects to let them skip the blocking rule and ensure<br />
users can access them.<br />
Another rule set might filter URLs and include rules for blocking individual URLs and URL categories, as<br />
well as whitelisting rules.<br />
You can modify the implemented system and group rules in rule sets to build functional units in<br />
whatever way is suitable for your network.<br />
Rule set cycles<br />
Rule sets are processed, with their rules, in the three cycles of the filtering process. A rule set can be<br />
processed in any combination of these cycles: for example, only in the request cycle, in the response<br />
and embedded objects cycles, or in all three cycles.<br />
The cycles of a rule set are at the same time those of the individual rules contained in it. A rule cannot<br />
differ with regard to cycles from its rule set.<br />
Rule set criteria<br />
Like rules, rule sets have criteria and are applied if these match. A rule set has criteria in addition to the<br />
criteria of its individual rules and usually these criteria differ from each other. For a rule to apply, both<br />
its own criteria and the criteria of its rule set must match.<br />
Rule set library<br />
The rule set library provides rule sets for you to import into your implemented rule set system. You can<br />
do this to add a function that is missing in your system or when the implemented rule sets do not suit<br />
your network in all respects.<br />
Nested rule sets<br />
Rule sets can have other rule sets nested within them. A nested rule set has its own criteria. Regarding<br />
cycles, it can only be processed in the cycles of the nesting rule set, but need not be processed in all of<br />
them.<br />
This way, a nested rule set can be configured to deal especially with a particular cycle, while another<br />
nested rule set deals with a different cycle.<br />
For example, a media type filtering rule set could apply to all cycles, but have nested rule sets that are<br />
not processed in all of them:<br />
Media Type Filtering rule set (for requests, responses, and embedded objects)<br />
• Nested rule set Media Type Upload (only for requests)<br />
• Nested rule set Media Type Download (only for responses and embedded objects)<br />
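The processing behaviour described above (cycles, rule set criteria, nested rule sets, and the impact of the Continue, Stop Rule Set and Block actions) can be traced with the following Python model. It is an added example, not McAfee code and not the appliance's rule engine.<br />
Assumptions: the `user_group` key, the whitelist and category values, and the rule names inside the nested rule sets are constructed, and a Stop Rule Set inside a nested rule set is assumed to resume processing in the nesting rule set.<br />

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple, Union

# The three cycles of the filtering process.
REQUEST, RESPONSE, EMBEDDED = "request", "response", "embedded objects"
ALL_CYCLES = {REQUEST, RESPONSE, EMBEDDED}

# Actions named in the guide. DONE is a model-only marker, not a product action:
# it means every rule set was processed and nothing stopped the cycle.
CONTINUE, STOP_RULE_SET, STOP_CYCLE, BLOCK = "Continue", "Stop Rule Set", "Stop Cycle", "Block"
DONE = "Done"

Criteria = Callable[[dict], bool]


def always(props: dict) -> bool:
    """Criteria for a rule or rule set that is always applied."""
    return True


@dataclass
class Rule:
    name: str
    criteria: Criteria
    action: str
    log_event: str = ""  # optional event: text written as a log entry
    enabled: bool = True


@dataclass
class RuleSet:
    name: str
    cycles: Set[str]
    criteria: Criteria = always
    items: List[Union[Rule, "RuleSet"]] = field(default_factory=list)


def run_rule_set(rs: RuleSet, cycle: str, props: dict, trace: List[str]) -> Optional[str]:
    """Process one rule set; return BLOCK or STOP_CYCLE if processing must stop."""
    # A rule set is skipped unless it is assigned to this cycle and its own criteria match.
    if cycle not in rs.cycles or not rs.criteria(props):
        return None
    for item in rs.items:
        if isinstance(item, RuleSet):
            # Nested rule sets are only reached in the cycles of the nesting rule set.
            outcome = run_rule_set(item, cycle, props, trace)
            if outcome:
                return outcome
            continue
        if not item.enabled or not item.criteria(props):
            continue
        trace.append(f"{rs.name} / {item.name} -> {item.action}")
        if item.log_event:
            trace.append(f"log: {item.log_event}")
        if item.action == STOP_RULE_SET:
            return None  # skip only the remaining rules of this rule set
        if item.action in (STOP_CYCLE, BLOCK):
            return item.action
        # CONTINUE: go on with the next rule
    return None


def filter_cycle(rule_sets: List[RuleSet], cycle: str, props: dict) -> Tuple[str, List[str]]:
    """Run the top-level rule sets in order for one cycle and return (outcome, trace)."""
    trace: List[str] = []
    for rs in rule_sets:
        outcome = run_rule_set(rs, cycle, props, trace)
        if outcome:
            return outcome, trace
    return DONE, trace


# Constructed sample lists and policy, loosely following the rule sets named in the guide.
URL_WHITELIST = {"http://updates.example.com/agent.zip"}
BLOCKED_CATEGORIES = {"Gambling"}

POLICY = [
    RuleSet("Media Type Filtering", ALL_CYCLES, items=[
        RuleSet("Media Type Upload", {REQUEST},
                items=[Rule("Check upload", always, CONTINUE)]),
        RuleSet("Media Type Download", {RESPONSE, EMBEDDED},
                items=[Rule("Check download", always, CONTINUE)]),
    ]),
    RuleSet('Content Filter for User Group "internet_strict"', {REQUEST},
            criteria=lambda p: p.get("user_group") == "internet_strict",
            items=[Rule("Block URLs in blocked categories",
                        lambda p: bool(set(p.get("URL.Categories", [])) & BLOCKED_CATEGORIES),
                        BLOCK, log_event="blocked: URL category")]),
    RuleSet("Gateway Antimalware", ALL_CYCLES, items=[
        Rule("Allow URLs in whitelist", lambda p: p.get("URL") in URL_WHITELIST, STOP_RULE_SET),
        Rule("Block if virus was found", lambda p: p.get("Antimalware.Infected") is True,
             BLOCK, log_event="blocked: virus found"),
    ]),
]

if __name__ == "__main__":
    infected = {"URL": "http://files.example.net/setup.exe", "Antimalware.Infected": True}
    whitelisted = {"URL": "http://updates.example.com/agent.zip", "Antimalware.Infected": True}
    for props in (infected, whitelisted):
        print(filter_cycle(POLICY, RESPONSE, props))
```

The second call shows why the position and scope of a whitelisting rule matter: an object from a whitelisted URL skips the blocking rule in the same rule set even when `Antimalware.Infected` is true.<br />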
Implementing a rule set system<br />
A system of rule sets can be implemented in the following ways:<br />
• Use of the policy creation wizard — When using this wizard, you can select values for the type of<br />
your organization, your region, and a level of strictness. A system of rule sets is implemented<br />
accordingly.<br />
• Default configuration — If you make no selections, the default system of rule sets is implemented.<br />
• Own configuration — You can create rule sets of your own, fill them with rules of your own and add<br />
them to a system that was created using the wizard or to the default system. If you find that a<br />
completely individual solution is best suited for your network, you can also use only rules and rule<br />
sets of your own to filter web traffic.<br />
• Logging and error handling rule sets — The appliance provides default rule sets for logging and<br />
error handling. These are part of every initial configuration, regardless of whether you use the wizard<br />
or implement the default system. They can be reviewed and modified like all other rule sets.<br />
Rule set systems<br />
This section gives an overview of the rule sets that can be implemented on your appliance by using the<br />
policy creation wizard or accepting the default. It also gives an overview of the rule set library.<br />
What rule sets are actually implemented on your appliance depends:<br />
• On the version of the appliance software<br />
• On whether you used the policy creation wizard (with particular selections) or accepted the default<br />
rule set system<br />
• On the modifications you made to the rule set system that was initially implemented<br />
Sample wizard rule set system<br />
When using the policy creation wizard to implement a rule set system, you might have made the<br />
following selections:<br />
Type of organization: commercial<br />
Location: Europe<br />
Level of strictness: limited (medium)<br />
The wizard then creates, for example, the following rule set system (nested rule sets are not shown):<br />
Table 4-2 Sample wizard rule set system (commercial – Europe – limited)<br />
Rule set | Description<br />
Global Whitelist | Lets whitelisted IP addresses, URLs, and responses with empty bodies skip all further filtering.<br />
Global Block | Blocks IP addresses, authenticated users, and URLs entered in blocking lists.<br />
Media Type Filtering | Controls media type filtering with nested rule sets for uploading and downloading media types.<br />
Content Filter | Exempts users if entered in a whitelist. Blocks users if entered in a blocking list. Blocks URLs belonging to various categories.<br />
Gateway AntiMalware | Controls virus and malware filtering.<br />
SSL Scanner | Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling.<br />
Default rule set system<br />
The default rule set system is implemented if you do not use the wizard.<br />
The following table shows the default rule set system (nested rule sets are not shown):<br />
Table 4-3 Default rule set system<br />
Rule set | Description<br />
SSL Scanner | Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling.<br />
Global Whitelist | Lets requests that are sent from clients with whitelisted IP address or are directed to websites with whitelisted URLs skip all further filtering.<br />
Common Rules | Provides functions that support the filtering process, such as web caching, progress indication, and opening of archives.<br />
Authenticate and Authorize | Asks unauthenticated users to authenticate and blocks users who are not in an allowed user group with nested rule sets for both functions.<br />
Content Filter for Unauthenticated User | Controls filtering of individual URLs, URL categories, and media types for unauthenticated users.<br />
Content Filter for User Group “internet” | Controls filtering of individual URLs, URL categories, and media types for users belonging to a particular user group.<br />
Content Filter for User Group “internet_strict” | Controls filtering of individual URLs, URL categories, and media types for users belonging to a user group that has a stricter blocking level applied to it. This can be achieved, for example, by using block lists containing more or different entries compared to the lists used for other groups.<br />
Gateway Antimalware | Controls virus and malware filtering using virus signatures and proactive methods.<br />
Rule set library<br />
The following table shows the rule sets of the rule set library (nested rule sets are not shown):<br />
Note: Many of the rule sets that are provided in the library are also part of the default system of rule sets.<br />
However, there can be differences between a default system rule set and the corresponding library rule set.<br />
For example, the URL Filtering rule set appears as a nested rule set in several Content Filter rule sets of the<br />
default system. In each of these rule sets, the rules of the URL Filter use different whitelists and blocking<br />
lists.<br />
Table 4-4 Rule set library<br />
Rule set | Description<br />
Access Log | Logs user requests for web access.<br />
Access Log With Cache Status | Logs user requests for web access and cache status.<br />
Authentication Server | Controls authentication on an authentication server.<br />
Authorized Override | Allows users continued access to web pages when the configured quota is exceeded.<br />
Block on All Errors | Blocks requests when an internal error has occurred on the appliance.<br />
Block on Antimalware Engine Errors | Blocks requests when the anti-malware filter module cannot be loaded or is overloaded.<br />
Block on URL Filter Errors | Blocks requests when the URL filter module cannot be loaded or an internal error occurred with this module.<br />
Blocking Sessions | Blocks users for some period of time after trying to access web objects against configured restrictions.<br />
Bypass ePO Requests | Lets connection requests received from an ePO server skip filtering.<br />
Coaching | Asks users to confirm usage of web pages before they are allowed to continue.<br />
Common Rules | Provides functions that support the filtering process, such as web caching, progress indication, and opening of archives.<br />
Cookie Authentication | Controls authentication using cookies and retrieving information from an authentication server.<br />
Cookie Authentication with Login Page | Controls authentication using cookies and retrieving information from an authentication server when users provide their credentials on a logon page.<br />
Common Rules | Provides functions that support the filtering process, such as web caching, progress indication, and opening of archives.<br />
Data Leakage Prevention | Controls traffic flow between the appliance and a DLP solution.<br />
Direct Proxy Authenticate and Authorize | Asks unauthenticated users to authenticate and blocks users who are not in an allowed user group with nested rule sets for both functions.<br />
Enable Opener | Enables the module that opens multi-part objects, such as archives.<br />
Found Viruses Log | Logs the names of viruses found by the anti-malware module.<br />
Gateway Antimalware | Controls virus and malware filtering using virus signatures and proactive methods.<br />
Global Block | Blocks requests when the requested URLs or IP addresses are on block lists.<br />
Global Whitelist | Lets requests for whitelisted URLs or IP addresses skip further filtering.<br />
Handle Special Sites | Handles communication with special whitelisted web servers and provides solutions for some communication problems.<br />
Handle Update Incidents | Logs incidents concerning updates and sends various kinds of notifications.<br />
HTML Filtering | Filters HTML pages and uses its nested rule sets to remove embedded objects, such as Java scripts and others, from these pages.<br />
ICAP Client | Controls traffic flow between the appliance and an ICAP server.<br />
IM Authentication | Controls authentication for users who communicate with the appliance using an instant messaging protocol.<br />
IM Logging | Records requests received on the appliance under an instant messaging protocol.<br />
Log File Manager Incidents | Logs incidents concerning the Log File Manager and sends various kinds of notifications.<br />
Long Running Connections | Enables you to keep long running connections alive.<br />
Lookup User Name from Proxy Authorization Basic Header | Retrieves information for authenticating users by a lookup based on the proxy authorization header.<br />
Media Type Filtering | Controls media type filtering with nested rule sets for uploading and downloading media types.<br />
Monitoring | Checks CPU overload, cache partitions, and request overload.<br />
Next Hop Proxy | Ensures that internal hosts are used as next-hop proxy servers for internal requests.<br />
Progress Indication | Enables display of progress page and data trickling as means of indicating download progress to the user.<br />
Remove Header | Removes “via” information from a request header.<br />
Script Filter | Filters web pages for embedded script code and removes it.<br />
SiteAdvisor Enterprise Interlock | Blocks request to force SiteAdvisor Enterprise into stand-down mode.<br />
SSL Scanner | Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling.<br />
Time Quota | Allows users web usage only for a configured period of time per day, week, or other time units.<br />
Try Cookie Authentication Using Default Name |<br />
Try-Auth | Asks unauthenticated users to authenticate and blocks users who are not in an allowed user group with nested rule sets for both functions.<br />
URL Filtering | Controls filtering of individual URLs and URL categories.<br />
Volume Quota | Allows users web usage only as long as a configured amount of bytes per day, week, or other time units is not exceeded.<br />
Web Cache | Controls caching of web objects with nested rule sets for reading from and writing to the cache.<br />
Welcome Page | Controls display of a welcome page to users.<br />
Rule configuration<br />
Rules and rule sets are implemented on the appliance to ensure web security. This section explains<br />
how you can work with them to make them even more suitable for your network. It explains some<br />
sample rules and provides detailed information on how to modify and create rules and rule sets.<br />
Rule Sets tab<br />
Use the Rule Sets tab to work with rules and rule sets on the appliance. It is selected from the Policy<br />
top-level menu.<br />
Figure 4-4 Rule Sets tab<br />
The main elements of the tab are:<br />
• Rule sets toolbar — Items for working with the rule sets on the rule sets tree<br />
• Rule sets tree — Tree structure displaying the rule sets of the appliance configuration<br />
• Rule sets menu — Buttons for displaying tree structures of:<br />
• (General) rule sets<br />
• Log handler rule sets<br />
• Error handler rule sets<br />
• User-defined properties (for use in rule set criteria, rule criteria, and rule events)<br />
• Rules toolbar — Items for working with list entries<br />
• Rules — Rules of the currently selected rule set<br />
The Rule Sets toolbar provides the following options:<br />
Table 4-5 Rule Sets toolbar<br />
Option | Definition<br />
Add | Opens a menu or a window for adding an item, depending on what is currently selected from the Rule sets menu:<br />
• (Rule Sets is selected) — Opens a menu, from which you can select:<br />
  • Rule Set from Library — Opens the Add from Rule Set Library window for importing a rule set from the rule set library<br />
  • Rule Set — Opens the Add New Rule Set window to let you add a rule set to the appliance configuration<br />
  • Top-Level Rule Set — Opens the Add New Top-Level Rule Set window for adding a rule set at the top level of the rule sets tree<br />
• (Log Handler is selected) — Lets you select Log Handler from a menu as the only accessible item to open the Add New Log Handler window for adding a new Log Handler rule set<br />
• (Error Handler is selected) — Lets you select Error Handler from a menu as the only accessible item to open the Add New Error Handler window for adding a new Error Handler rule set<br />
• (User-Defined Property is selected) — Lets you select User-Defined Property to open the Add New User-Defined Property window for adding a property<br />
Export | Opens the Export Rule Set window for exporting a rule set to the library or into a file<br />
Edit | Opens the Edit Rule Set window for editing a selected rule set<br />
Delete | Deletes a selected rule set. A window opens to let you confirm the deletion<br />
Move up | Moves a rule set up among other rule sets on the same level<br />
Move down | Moves a rule set down among other rule sets on the same level<br />
Move out of | Moves a rule set out of its nesting rule set and onto the same level as the nesting rule set<br />
Move into | Moves a rule set out of its nesting rule set and into the rule set following this rule set<br />
Expand all | Expands all collapsed items on the rule sets tree<br />
Collapse all | Lets all expanded items on the rule sets tree collapse<br />
The following three items above the Rules toolbar are also for handling rule sets:<br />
Edit | Opens the Edit Rule Set window for editing a selected rule set (same function as the corresponding item above the rule sets tree)<br />
Enabled | Allows you to enable or disable a selected rule set<br />
Criteria | Displays the criteria of a selected rule set<br />
The Rules toolbar provides these options:<br />
Table 4-6 Rules toolbar<br />
Option | Definition<br />
Add Rule | Opens the Add Rule window for adding a rule<br />
Edit | Opens the Edit Rule window for editing a selected rule<br />
Delete | Deletes a selected rule. A window opens to let you confirm the deletion<br />
Move up | Moves a rule up within its rule set<br />
Move down | Moves a rule down within its rule set<br />
Copy | Copies a selected rule<br />
Paste | Pastes a copied rule<br />
Show Details | Shows or hides details of a rule entry including the criteria<br />
Adding a rule<br />
This section describes the Add Rule window and explains in detail the steps you can complete to add a<br />
new rule to a rule set.<br />
Use the Add Rule window to add new rules to rule sets. It opens after clicking Add Rule on the Rules<br />
toolbar of the Rule Sets tab.<br />
Note: There is also an Edit Rule window where the same options can be used for editing a rule.<br />
Figure 4-5 Add Rule window<br />
The following table describes the window.<br />
Table 4-7 Add Rule window<br />
Option | Definition<br />
Steps | For adding:<br />
• Name, Comment, and Enabling<br />
• Criteria<br />
• Action<br />
• Events<br />
• Summary (for reviewing your settings)<br />
Note: You can select a step by clicking it or use Next and Back to navigate.<br />
Main window area | Provides different items for completing each step<br />
Message field | Assists you in completing the steps with messages and symbols<br />
Back | Takes you back to the previous step<br />
Next | Takes you to the next step<br />
Finish | Finishes the procedure<br />
Cancel | Leaves the procedure without adding a rule<br />
To add a rule, complete the steps in the window. For more information, see:<br />
• Add name, comment, and enabling<br />
• Add the criteria<br />
• Add an action<br />
• Add an event<br />
Note: You can at any time select the Summary step to review your settings.<br />
Add name, comment, and enabling<br />
Complete the following procedure to add general settings to a rule:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select a rule set for the new rule.<br />
3 Click Add Rule. The Add Rule window opens with the first step selected.<br />
4 Add the following:<br />
• Name — Name of the rule<br />
• Enable rule — When selected, the rule is enabled<br />
• [Optional] Comment — Plain-text comment on the rule<br />
Continue with another step, preferably with Add the criteria, or click Finish and then Save Changes.<br />
Add the criteria<br />
Complete the following procedure to add the criteria to a rule:<br />
1 In the Add Rule window, select Rule Criteria.<br />
Figure 4-6 Add Rule – Criteria<br />
2 In the Apply this rule section, configure when the rule is applied:<br />
• Always — The rule is always applied.<br />
• If the following criteria is matched — The rule is applied if the criteria configured below is<br />
matched.<br />
3 In the Criteria section, click Add. The Add Criteria window opens.<br />
Figure 4-7 Add Criteria window (with property selected)<br />
4 In the Property area, use the following items to configure a property:<br />
• Property — List for selecting a property (property types shown in brackets)<br />
• Search — Opens the Property Search window to let you search for a property<br />
• Parameter — Opens the Property Parameters window for adding up to three parameters, see<br />
Step 5<br />
Note: The icon is grayed out if the property has no parameters.<br />
• Settings — List for selecting the settings of the module that delivers a value for the property<br />
(module name shown in brackets)<br />
Note: The icon is grayed out if no settings are required for the property and (not needed) is added.<br />
• Add — Opens the Add Settings window for adding new settings to the list<br />
• Edit — Opens the Edit Settings window for editing the selected settings<br />
If no parameters need to be configured for the property, click OK and continue with Step 6.<br />
5 [Conditional] To add property parameters:<br />
a Click Parameter. The Property Parameters window opens.<br />
Figure 4-8 Property Parameters window<br />
b Add as many parameters as needed. A parameter can be a:<br />
• Value (String, Boolean, or numerical) — Configure it in the Value area. Then click OK.<br />
• Property — Follow the instructions for configuring properties, beginning again with Step 4.<br />
6 From the Operator list, select an operator.<br />
7 In the Parameter area, add a parameter (also known as operand). This can be a:<br />
• Value (String, Boolean, or numerical) — Configure it in the Value area.<br />
• Property — Follow the instructions for editing properties, beginning again with Step 4.<br />
8 Click OK to close the Add Criteria window.<br />
Note: Repeat steps 3 to 8 to add more criteria parts for complex criteria. Connect them with AND or OR<br />
(these options then become available). For three or more criteria parts, type brackets in the Criteria<br />
Combination field (which then appears) to indicate how the parts are logically connected.<br />
9 Continue with another adding procedure, preferably with Add an action, or click Finish and then Save<br />
Changes.<br />
Add an action<br />
Complete the following procedure to add an action to a rule:<br />
1 In the Add Rule window, select Action.<br />
Figure 4-9 Add Rule – Action<br />
2 Use the following items to configure an action:<br />
• Action — List for selecting an action:<br />
• Continue — Continues with processing the next rule<br />
• Block — Blocks access to an object and stops processing rules<br />
• Redirect — Redirects the client that requested access to an object to another object<br />
• Authenticate — Stops processing the current cycle and sends an authentication request<br />
• Stop Rule Set — Stops processing the current rule set and continues with the next rule set<br />
• Stop Cycle — Stops processing the current cycle, but does not block access to the requested<br />
object<br />
• Remove — Removes the requested object and stops processing the current cycle<br />
• Settings — List for selecting settings for the Block, Redirect, and Authenticate actions<br />
Note: The list is grayed out if no settings are required for an action and (not needed) is added.<br />
• Add — Opens the Add Settings window for adding new settings to the list<br />
• Edit — Opens the Edit Settings window for editing the selected settings<br />
Continue with another adding procedure, preferably with Add an event, or click Finish and then Save<br />
Changes.<br />
Add an event<br />
Complete the following procedure to add an event (or more than one) to a rule:<br />
1 In the Add Rule window, select Events.<br />
Figure 4-10 Add Rule – Events<br />
2 In the Events section, click Add. A drop-down menu opens.<br />
3 Select Event. The Add Event window opens.<br />
Figure 4-11 Add Event window<br />
4 Use the following items to configure an event:<br />
Note: Repeat this part of the procedure to add more than one event.<br />
• Event — List for selecting an event (event types shown in brackets)<br />
• Parameters — Opens the Property Parameters window for adding up to three parameters, see<br />
Step 5<br />
Note: The icon is grayed out if the event has no parameters.<br />
• Settings — List for selecting settings for an event<br />
Note: The icon is grayed out if no settings are required for an event.<br />
• Add — Opens the Add Settings window for adding new settings to the list<br />
• Edit — Opens the Edit Settings window for editing the selected settings<br />
If no parameters need to be configured for the event, click OK and continue with Step 6.<br />
5 [Conditional] To add parameters to an event:<br />
a Click Parameters. The Property Parameters window opens:<br />
b Add parameters as needed. A parameter can be a:<br />
• Value (String, Boolean, or numerical) — Configure it in the Value area. Then click OK.<br />
• Property — Configure it in the Property area. Then click OK.<br />
6 [Conditional] If this is the last of the adding procedures:<br />
a [Optional] In the Add Rule window, select Summary to review what you have configured.<br />
b Click Finish and then Save Changes.<br />
Otherwise continue with another adding procedure.<br />
Create a sample rule<br />
This section explains in detail how to create a sample rule. Creating new rules is one of the activities<br />
you can complete to modify the implemented rule set system.<br />
Note: The rule already exists in one of the library rule sets, but under a slightly different name (Block if virus<br />
was found).<br />
Rule<br />
Name: Block if virus was detected<br />
Criteria –> Action: Antimalware.Infected equals true –> Block<br />
Procedure<br />
Complete the following procedure to create this rule:<br />
Note: Comments in italics explain what you are doing through the step or steps that follow.<br />
1 Go to Policy | Rule Sets.<br />
Choosing a rule set for the rule<br />
2 From the rule sets tree, select Gateway Antimalware as the rule set for the rule. The rule set and<br />
its current rules appear on the settings pane.<br />
Opening the Add Rule window<br />
3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. In<br />
the main window area, items appear for adding a name and other general settings.<br />
Adding general settings<br />
4 Add the following general settings:<br />
a Name — Type Block if virus was detected.<br />
b Enable rule — Deselect this checkbox, so the sample rule is not enabled.<br />
c Comment — Skip this optional substep.<br />
Adding the criteria<br />
5 Select Rule Criteria. Items for adding the criteria appear.<br />
6 Click Add. The Add Criteria window opens.<br />
7 Add the criteria of the rule (Antimalware.Infected ... equals true):<br />
a From the Property list, select Antimalware.Infected.<br />
b In the Settings list, leave the default, which is Gateway Antimalware.<br />
The Anti-Malware module runs with these settings when it scans web objects, using virus<br />
signatures and proactive methods.<br />
c In the Operator list, leave equals, the default value.<br />
d In the Parameter area, select true from the Value list as operand (parameter) for the criteria.<br />
Note: (Boolean) is displayed in brackets next to Parameter. Antimalware.Infected is a property of the<br />
Boolean type. When it is selected, its parameter must have the same type.<br />
8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area.<br />
Adding the action<br />
9 Select Action. Items for adding an action appear in the main window area.<br />
10 Add an action with special settings (Block):<br />
a From the Action list, select Block.<br />
b From the Settings list, select Virus Found.<br />
Under these settings, a block message is sent to the user who requested an object when the<br />
object is blocked.<br />
Reviewing the rule<br />
11 Skip the Events step and select Summary to review what you have configured.<br />
Completing the sample configuration<br />
12 Click Finish. The Add Rule window closes and the new rule appears in the Gateway Antimalware rule<br />
set.<br />
Note: The rule is grayed out because it is not enabled.<br />
13 Click Save Changes.<br />
For more information, see About rule sets, Adding a rule, and Block if virus was found (Sample rule).<br />
Sample rules<br />
This section explains in detail three sample rules from the library rule sets of the appliance:<br />
• Do not filter URLs in Global Whitelist<br />
• Block URLs whose category is in Category BlockList<br />
• Block if virus was found<br />
Note: The Block if virus was found rule is also used in another section of this guide as an example for<br />
explaining step by step how a rule is created. For more information, see Create a sample rule.<br />
Do not filter URLs in Global Whitelist (Sample rule)<br />
This rule can be included in a rule set for global whitelisting.<br />
Rule<br />
Name: Do not filter URLs in Global Whitelist<br />
Criteria –> Action: URL matches in list GlobalWhitelist –> Stop Cycle<br />
In plain text, the rule could be rendered as follows:<br />
If a URL is on a particular global whitelist, stop the current processing cycle.<br />
Purpose of the rule<br />
The rule is implemented to provide you with a means of ensuring that particular URLs can be accessed<br />
by the users of your network and are not blocked by any other rules. To achieve this, URLs are entered<br />
on a whitelist. If a whitelist URL is requested, the rule stops processing the request cycle. This means<br />
all following rules of this cycle, including those that might eventually block the URL, are not processed.<br />
When this rule and its rule set are implemented in a rule set system, it should obviously be placed at<br />
the beginning of the system to ensure there are no rule sets before it that block URLs. In this case, the<br />
whitelisting rule is truly global. It overrules all other measures that might be taken for URLs by the<br />
implemented rule set system.<br />
Property and Criteria<br />
The property used in the criteria of the rule is URL. Its meaning can be paraphrased as “being a URL”.<br />
If a requested web object is a URL, then the rule is processed to see if it is on a particular whitelist.<br />
The whitelist is specified in the rule criteria as Global Whitelist. For looking up whether a given URL is<br />
on it, no special module is needed. Therefore the criteria includes no settings for a module.<br />
Action<br />
If the criteria of the rule matches, the rule applies and the Stop Cycle action is executed, with the<br />
impact that is the purpose of the rule. All measures that might prevent users from accessing the URL<br />
are avoided.<br />
The Stop Cycle action stops the request cycle when a request for access to the URL has been received.<br />
Since the rule set of the rule is processed in all three cycles of the filtering process, the Stop Cycle<br />
action can also stop the response or the embedded object cycle if a whitelisted URL is involved in these.<br />
The Stop Cycle action does not affect a user in the way that a blocking action would do. If the action<br />
and its rule work as intended, the user is allowed to access the requested URL. No message to the user<br />
is therefore needed, so the action of this rule has no settings to specify such a message.<br />
Process flow<br />
If processing the rule leads to the result that a URL is on the specified whitelist, the current cycle of the<br />
filtering process stops, according to what the rule says. Other cycles of the process can go on. For<br />
example, if an embedded object was sent with the request, the embedded object cycle could be started<br />
to filter this object.<br />
If the request cycle is stopped after the whitelisted URL has been sent, the request is passed on to the<br />
appropriate web server. The appliance then waits for a response from this server, and if this is<br />
received, the response cycle of the filtering process is started to process this response.<br />
Block URLs whose category is in Category BlockList (Sample rule)<br />
This rule can be included in a rule set for URL filtering.<br />
Rule<br />
Name: Block URLs whose category is in Category BlockList<br />
Criteria –> Action: URL.Categories at least one in list Category Blacklist –> Block<br />
In plain text, the rule could be rendered as follows:<br />
If the category of a URL is on a particular blocking list, block access to this URL.<br />
Purpose of the rule<br />
This rule is for blocking URLs not individually, but per category. All URLs that are related to, for<br />
example, drugs or online shopping are blocked. To achieve this, URL categories are entered on a<br />
blocking list.<br />
If a requested URL falls under a category that is on the list, the rule stops processing completely. The<br />
request is not passed on to the appropriate web server and the user who requested the URL cannot<br />
access it. In this sense, the URL is blocked.<br />
Property and criteria<br />
The property used in this rule is URL.Categories. Its meaning could be paraphrased as “belonging to a<br />
URL category”. If a requested web object is a URL, it is checked whether its categories are on the<br />
specified blocking list. If the URL belongs to more than one category, only one of them on the list is<br />
sufficient to trigger the blocking, as the rule says: at least one in list.<br />
Information about URL categories is retrieved by a special module from a Global Threat Intelligence<br />
server. The settings of this module are therefore specified in the criteria of the rule. You can configure<br />
these settings to modify the way the module retrieves the information, for example, by using Global<br />
Threat Intelligence information retrieved earlier on and stored in a local database of the appliance. This<br />
can reduce latency.<br />
Action<br />
If the URL belongs to a category on the blocking list, the blocking action is executed. The settings of the<br />
action specify that a block message is sent to the user who requested the URL and is affected by the<br />
blocking action.<br />
Process flow<br />
The blocking action also stops the filtering process completely. When the request for the URL is<br />
received on the appliance, it is processed in the request cycle. Since the request is not forwarded to a<br />
web server, no response needs to be processed and looking for embedded objects that might have<br />
been sent with a request is also not needed because the request is blocked anyway.<br />
Processing can therefore be stopped completely. It continues when the next request is received on the<br />
appliance.<br />
Block if virus was found (Sample rule)<br />
This rule can be included in a rule set for virus and malware filtering.<br />
Rule<br />
Name: Block if virus was found<br />
Criteria –> Action: Antimalware.Infected equals true –> Block<br />
In plain text, the rule could be rendered as follows:<br />
If a web object is infected, block it.<br />
Purpose of the rule<br />
This is a key rule of the filtering process on the appliance. It blocks access to web objects that are<br />
infected by viruses or other malware. It blocks this access in all cycles of the process.<br />
Whether an infected object is sent by a web server in response to a user request, or a user requests to<br />
upload an infected object from your network to the web, or an infected object is sent embedded with a<br />
request or response, all these attempts are blocked by the rule.<br />
Property and criteria<br />
The property used in the rule is Antimalware.Infected, which means “infected by a virus or other<br />
malware”. To detect an infection in a web object, a special module is needed, the Antivirus module (or<br />
engine). Settings for the module are specified with the property.<br />
Action<br />
The blocking action that is executed if an infected object is detected affects the user who sent a request<br />
for access to the object. The action settings therefore specify that a message is sent to inform the user,<br />
in the same way as is done when a request is blocked by a URL filtering rule.<br />
Process flow<br />
Like in URL filtering, the blocking action of the virus and malware filtering rule stops the filtering<br />
process completely. When the next request is received on the appliance, the process continues.<br />
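The interaction of the three sample rules, modeled in Python as an added example (not McAfee code and not the appliance's rule syntax).<br />
The cycle order, the exact-match whitelist lookup, the URL Filtering rule set name and its request-only scope, and the constructed URLs are assumptions of this model.<br />

```python
"""Simplified model of how the three sample rules interact.
Added illustration only: not McAfee code and not the appliance's rule syntax."""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

REQUEST, EMBEDDED, RESPONSE = "request", "embedded object", "response"
ALL_CYCLES = {REQUEST, EMBEDDED, RESPONSE}
STOP_CYCLE, BLOCK, CONTINUE = "Stop Cycle", "Block", "Continue"


@dataclass
class Transaction:
    url: str
    categories: Set[str]  # stand-in for the URL.Categories property
    infected_in: Set[str] = field(default_factory=set)  # cycles where Antimalware.Infected is true
    has_embedded: bool = False


@dataclass
class Rule:
    name: str
    criteria: Callable[[Transaction, str], bool]
    action: str


@dataclass
class RuleSet:
    name: str
    applies_to: Set[str]  # cycles in which the rule set is processed
    rules: List[Rule]


def run_cycle(rule_sets, tx, cycle, trace):
    """Process rule sets top to bottom; the first Stop Cycle or Block ends the cycle."""
    for rule_set in rule_sets:
        if cycle not in rule_set.applies_to:
            continue
        for rule in rule_set.rules:
            if rule.criteria(tx, cycle):
                trace.append((cycle, rule.name, rule.action))
                if rule.action in (STOP_CYCLE, BLOCK):
                    return rule.action
    return CONTINUE


def filter_transaction(rule_sets, tx):
    """Return (verdict, trace). Block ends all processing; Stop Cycle ends one cycle only."""
    trace: List[Tuple[str, str, str]] = []
    # Assumed order: request, then embedded objects (if any), then response.
    cycles = [REQUEST] + ([EMBEDDED] if tx.has_embedded else []) + [RESPONSE]
    for cycle in cycles:
        if run_cycle(rule_sets, tx, cycle, trace) == BLOCK:
            return "blocked", trace
    return "allowed", trace


# Constructed list contents; exact-match lookup is a simplification.
GLOBAL_WHITELIST = {"http://partner.example.com/downloads"}
CATEGORY_BLOCKLIST = {"Drugs", "Online Shopping"}

WHITELIST_SET = RuleSet("Global Whitelist", ALL_CYCLES, [
    Rule("Do not filter URLs in Global Whitelist",
         lambda tx, cycle: tx.url in GLOBAL_WHITELIST, STOP_CYCLE)])
URL_FILTER_SET = RuleSet("URL Filtering", {REQUEST}, [  # request-only scope is assumed
    Rule("Block URLs whose category is in Category BlockList",
         lambda tx, cycle: bool(tx.categories & CATEGORY_BLOCKLIST), BLOCK)])
ANTIMALWARE_SET = RuleSet("Gateway Antimalware", ALL_CYCLES, [
    Rule("Block if virus was found",
         lambda tx, cycle: cycle in tx.infected_in, BLOCK)])

# Same rule sets, two positions for the whitelist in the rule sets tree.
WHITELIST_FIRST = [WHITELIST_SET, URL_FILTER_SET, ANTIMALWARE_SET]
WHITELIST_LAST = [URL_FILTER_SET, ANTIMALWARE_SET, WHITELIST_SET]

if __name__ == "__main__":
    tx = Transaction("http://partner.example.com/downloads", {"Business"},
                     infected_in={RESPONSE})
    for label, policy in (("whitelist first", WHITELIST_FIRST),
                          ("whitelist last", WHITELIST_LAST)):
        verdict, trace = filter_transaction(policy, tx)
        print(label, "->", verdict)
        for step in trace:
            print("   ", step)
```

In this model, a whitelisted URL processed by a whitelist rule set placed first is allowed even when its response is infected, because the Gateway Antimalware rule is never evaluated in a cycle that Stop Cycle has ended.<br />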
Rule set configuration<br />
Rule sets are the building blocks of your web security policy. This section tells you how to add rule sets<br />
to your configuration by importing them from a rule set library. It also explains step by step how you<br />
create a rule set on your own.<br />
Import a rule set<br />
A rule set library provides complete rule sets, which you can import if a particular function is missing in<br />
your implemented rule set system or the implemented rule sets do not suit your requirements.<br />
Complete the following procedure to import a rule set from the library:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule set tree, navigate to the position where you want to insert the new rule set.<br />
3 From the Add drop-down menu, select Rule Set from Library. A window with a list of the library<br />
rule sets opens.<br />
4 Select the rule set you want to import, for example, the Gateway Antimalware rule set.<br />
If conflicts arise when importing this rule set, they are displayed in the window.<br />
Note: Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist<br />
in an appliance configuration.<br />
5 Use one of the following methods to solve conflicts:<br />
• Click Auto-Solve Conflicts and choose one of the following strategies for all conflicts:<br />
• Solve by referring to the existing objects — If rules of the imported rule set refer to objects<br />
existing in the appliance configuration under the same names, references are made to apply to<br />
these existing objects.<br />
• Solve by copying and renaming to suggested — If rules of the imported rule set refer to<br />
objects existing in the appliance configuration under the same names, these objects are also<br />
used, but are renamed, so as to avoid conflicts.<br />
• Click the listed conflicts one after another and solve them individually by choosing either of the two<br />
above strategies each time.<br />
6 Click OK. The rule set is inserted in the rule sets tree. It is enabled by default.<br />
Note: Together with the rule set, lists and settings can be implemented in your configuration. The rules of<br />
the rule set need these items to make decisions on blocking and other actions.<br />
7 If necessary, use the blue arrows above the rule sets tree, to move the rule set to where you want it<br />
to be.<br />
8 Click Save Changes.<br />
Add a new rule set<br />
You can also create rule sets of your own to add them to the appliance configuration.<br />
Complete this procedure to add a new rule set:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule set tree, navigate to the position where you want to insert the new rule set.<br />
3 Click Add above the rule set tree. A drop-down menu opens.<br />
4 Select Rule Set. The Add New Rule Set window opens.<br />
Figure 4-12 Add New Rule Set window<br />
5 Configure the following general settings for the rule set:<br />
• Name — Name of the rule set<br />
• Enable — When selected, the rule set is enabled<br />
• [Optional] Comment — Plain-text comment on the rule set<br />
6 In the Applies to section, configure the processing cycles. You can select only one cycle, or any<br />
combination of these three:<br />
• Requests — The rule set is processed when requests from the users of your network are received<br />
on the appliance.<br />
• Responses — The rule set is processed when responses from web servers are received.<br />
• Embedded objects — The rule set is processed for embedded objects sent with requests and<br />
responses.<br />
7 In the Apply this rule set section, configure when the rule set is applied:<br />
• Always — The rule set is always applied.<br />
• If the following criteria is matched — The rule set is applied if the criteria configured below is<br />
matched.<br />
8 In the Criteria section, click Add. The Add Criteria window opens.<br />
Figure 4-13 Add Criteria window (with property selected)<br />
9 In the Property area, use the following items to configure a property:<br />
• Property — List for selecting a property (property types shown in brackets)<br />
• Search — Opens the Property Search window to let you search for a property<br />
• Parameter — Opens the Property Parameters window for adding up to three parameters, see<br />
Step 10<br />
Note: The icon is grayed out if the property has no parameters.<br />
• Settings — List for selecting the settings of the module that delivers a value for the property<br />
(module names shown in brackets)<br />
Note: The icon is grayed out if no settings are required for the property and (not needed) is added.<br />
• Add — Opens the Add Settings window for adding new settings to the list<br />
• Edit — Opens the Edit Settings window for editing the selected settings<br />
If no parameters need to be configured for the property, click OK and continue with Step 11.<br />
10 [Conditional] To add property parameters:<br />
a Click Parameter. The Property Parameters window opens.<br />
b Add as many parameters as needed. A parameter can be a:<br />
• Value (String, Boolean, or numerical) — Configure it in the Value area. Then click OK.<br />
• Property — Follow the instructions for configuring properties, beginning with Step 4.<br />
11 From the Operator list, select an operator.<br />
12 In the Parameter area, add a parameter (also known as operand). This can be a:<br />
• Value (String, Boolean, or numerical) — Configure it in the Value area.<br />
• Property — Follow the instructions for editing properties, beginning with Step 4.<br />
13 Click OK to close the Add Criteria window.<br />
14 [Optional] Select the Permissions tab and configure who is allowed to access the new rule set.<br />
15 Click OK to close the Add New Rule Set window. The rule set is inserted in your rule set system.<br />
16 Click Save Changes.<br />
For more information, see Access restrictions.<br />
List maintenance<br />
Web security rules use lists, such as whitelists and blocking lists, for retrieving information on web<br />
objects and users. This section tells you how to maintain these lists.<br />
There are several ways to access a list:<br />
• Lists tab — Select the Lists tab and navigate to a list.<br />
• Rule Sets tab — Select the Rule Sets tab and click a list name in a rule name or rule criteria.<br />
• Search function — Click the Search button and use the Search objects function for lists.<br />
Lists tab<br />
Use the Lists tab to maintain lists on the appliance. It is selected from the Policy top-level menu.<br />
Figure 4-14 Lists tab<br />
The main elements of the tab are:<br />
• Lists toolbar — Items for working with the lists on the Lists tree<br />
• Lists tree — Tree structure displaying the lists of the appliance configuration<br />
• List entries toolbar — Items for working with list entries<br />
• List entries — Entries of the currently selected list<br />
The Lists toolbar provides the following options:<br />
Table 4-8 Lists toolbar<br />
Option — Definition<br />
Add — Opens the Add List window for adding a list<br />
Edit — Opens the Edit List window for editing a selected list<br />
Delete — Deletes a selected list. A window opens to let you confirm the deletion<br />
View — Opens a menu to let you display the lists in different ways (A-Z, Z-A, by list type, with or without list types for which currently no lists exist)<br />
Expand all — Expands all collapsed items on the Lists tree<br />
Collapse all — Lets all expanded items on the Lists tree collapse<br />
The List entries toolbar provides these options:<br />
Table 4-9 List entries toolbar<br />
Option — Definition<br />
Add — Opens the Add window for adding a list entry, for example, the Add Regex window<br />
Add multiple — Opens the Add window for adding multiple list entries if this is possible for a list type<br />
Edit — Opens the Edit window for editing a selected list entry, for example, the Edit String window<br />
Delete — Deletes a selected list entry. A window opens to let you confirm the deletion.<br />
Move up — Moves an entry up the list<br />
Move down — Moves an entry down the list<br />
Filter — Input field for typing a filtering term to display only matching list entries. The filtering function works as soon as you type a character in the field.<br />
List types<br />
The following types of lists exist on the appliance:<br />
• Custom lists — These lists can be modified by you. They are displayed on the upper branch of the<br />
Lists tree on the Lists tab.<br />
Custom lists include string, number, category, and other types of lists. Different list types can<br />
require different methods of maintaining them.<br />
• System lists — These lists cannot be modified. They are displayed on the lower branch of the Lists<br />
tree on the Lists tab.<br />
System lists include category and media type lists.<br />
• Inline lists — These lists can also be modified, but they do not appear on the Lists tab. They appear<br />
“inline” as part of the settings of a configuration item, for example, as part of the settings of a network<br />
protocol.<br />
Add a list<br />
Complete the following procedure to add a list to the appliance configuration:<br />
1 Go to Policy | Lists.<br />
2 On the lists tree, go to the position where you want to add the list.<br />
3 Click Add on the toolbar. The Add List window opens, with the Add List tab selected.<br />
4 Use the following items to configure general settings for the list:<br />
• Name — Name of the list<br />
• Comment — [Optional] Plain-text comments on the list<br />
• Type — List for selecting a list type<br />
5 [Optional] Select the Permissions tab and configure who is allowed to view the list and edit it.<br />
6 Click OK. The Add List window closes and the new list appears on the Lists tree.<br />
7 Click Save Changes.<br />
You can now fill the list with entries.<br />
For more information, see Access restrictions and Add list entries.<br />
Add list entries<br />
Complete the following procedure to add entries to a list:<br />
1 Go to Policy | Lists.<br />
2 From the lists tree, select the list you want to add entries to.<br />
3 Click Add above on the settings pane. The Add window opens, for example, the Add<br />
String window.<br />
Note: How an entry can be added to a list depends on the list type. For example, if the type is String,<br />
you can add entries by typing strings in the String field of the Add String window. If the type is MediaType,<br />
you need to select an entry from a media type folder, which is part of a system of folders.<br />
For the String and Wildcard Expression types, there is the option to add multiple entries in one go by<br />
clicking Add multiple and typing the text for each entry on a new line.<br />
For wildcard expressions, there is also an option to test an expression by using the Test button in the corresponding<br />
window.<br />
4 Add an entry in the way it is done for a particular type.<br />
5 [Optional] In the Comment field, type a plain-text comment on the list entry.<br />
6 Click OK. The Add window closes and the entry is added to the list.<br />
For more entries, repeat steps 3 to 6 as often as needed.<br />
7 Click Save Changes.<br />
For more information on handling wildcard expressions, see Wildcard expressions.<br />
Inline lists<br />
Inline lists do not appear on the Lists tab; they appear “inline” on the settings pane as a part of the<br />
settings for a configuration item. Their handling does not differ much from that of normal lists. This<br />
section gives an example of an inline list and shows you how to work with it.<br />
Sample inline list<br />
The sample inline list described here is the Port Forwarding Rules list. It contains rules for directing web<br />
traffic from one host to another. The list appears after clicking Port Forwarding on the Appliances tab<br />
of the Configuration top-level menu.<br />
On a toolbar, items are provided for working with the list. Other inline lists provide the same items<br />
(some do not provide all of them). The subject matter involved when working with these items varies,<br />
but the way of handling them is the same for all inline lists.<br />
Work with a sample inline list<br />
Complete the following procedure to work with a sample inline list:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure settings for and select, for example,<br />
Port Forwarding, which is an item with settings that include an inline list. The sample inline list<br />
appears on the settings pane.<br />
3 Use the items on the toolbar to work with the sample inline list.<br />
Table 4-10 Items on the toolbar above the sample inline list (Port Forwarding Rules)<br />
Option — Definition<br />
Add — Opens a window for adding a list entry<br />
Edit — Opens a window for editing a selected list entry<br />
Delete — Deletes a selected list entry. A window opens to let you confirm the deletion<br />
Move up — Moves an entry up the list<br />
Move down — Moves an entry down the list<br />
Filter — Input field for typing a filtering term to display only matching list entries<br />
Note: The filtering function works as soon as you type a character in the field.<br />
When adding or editing the rules in an inline list, you need to know the meanings of the elements<br />
that a list entry can have. For the sample inline list, they are described in the following table.<br />
Note: You also find this description in the section on port forwarding in the System Configuration chapter<br />
of this guide.<br />
Table 4-11 Sample inline list (Port Forwarding Rules)<br />
Option — Definition<br />
Source Host — IP address of the host that is the source of web traffic in a port forwarding rule<br />
Source Port — Port used on this host for outgoing web traffic<br />
Destination Host — IP address of the host that web traffic from the source host should be directed to<br />
Destination Port — Port used on this host for web traffic coming in from the source host and port<br />
Comment — Plain-text comment on the port forwarding rule<br />
Similar tables are provided in sections on other functions when their configuration involves the use<br />
of an inline list.<br />
4 Click Save Changes.<br />
Action and engine settings<br />
Web security rules rely on special modules (also known as engines) to deliver information they need to<br />
know before triggering actions. Settings determine the way in which these modules retrieve the<br />
information and the actions are executed. This section tells you how to configure these settings.<br />
Settings tab<br />
Use the Settings tab to configure actions and engines on the appliance. It is selected from the Policy<br />
top-level menu.<br />
Figure 4-15 Settings tab<br />
The main elements of the tab are:<br />
• Settings toolbar — Items for working with the actions and engines on the Settings tree<br />
• Settings tree — Tree structure displaying actions and engines of the appliance configuration<br />
• Settings — Settings of the currently selected item on the Settings tree<br />
The Settings toolbar provides the following options:<br />
Table 4-12 Settings toolbar<br />
Option — Definition<br />
Add — Opens the Add Settings window for adding a setting<br />
Edit — Opens the Edit Settings window for editing a selected setting<br />
Delete — Deletes a selected setting. A window opens to let you confirm the deletion<br />
Expand all — Expands all collapsed items on the settings tree<br />
Collapse all — Lets all expanded items on the settings tree collapse<br />
Types of settings<br />
Two types of settings can be configured on the Settings tab of the user interface:<br />
• Action settings — Settings for the actions that rules execute, for example, Block or Authenticate<br />
These settings are mainly configured for specifying the user messages that are sent when actions<br />
affect users. Actions that do not affect users have no settings, for example, Continue or Stop Rule<br />
Set.<br />
You can access these settings on the upper branch of the settings tree on the tab.<br />
Note: When settings of this type are described in this guide, the section title always contains the words<br />
action settings, for example, Authenticate action settings.<br />
• Engine settings — Settings for the modules (or: engines) that retrieve information for rules<br />
For example, the URL Filter module retrieves information to deliver values for the URL.Categories<br />
property in URL filtering rules.<br />
You can access these settings on the lower branch of the settings tree on the tab.<br />
Note: When settings of this type are described in this guide, the section title always contains the words<br />
engine settings, for example, Antimalware engine settings.<br />
A third type of settings is not configured on the Settings tab:<br />
• System settings — Settings of the appliance system, for example, network interface settings or<br />
domain name server settings<br />
You can access these settings on the Appliances tab of the Configuration top-level menu.<br />
Note: When settings of this type are described in this guide, the section title always contains the words<br />
system settings, for example, DNS system settings.<br />
For more information on action and system settings, see User messages and System configuration.<br />
For more information on engine settings, see the sections on functions with rules using these engines,<br />
for example, Virus and malware filtering.<br />
Add settings<br />
When you add settings to the appliance configuration, you do not create them from scratch. Instead, you<br />
take existing settings, give them a new name, and modify them as needed.<br />
Complete the following procedure to add settings:<br />
1 Go to Policy | Settings.<br />
2 From the Actions or Engines branch of the settings tree, select the settings you want to use as the<br />
starting point for creating new settings.<br />
3 Click Add above the Settings tree. The Add Settings window opens with an empty name field and the<br />
values of the selected settings in the other fields.<br />
Note: If you want to start from different settings, you can also select them in the window. The Settings<br />
for pane provides a list of settings to choose from.<br />
4 In the Name field, type a name for the new settings.<br />
5 [Optional] In the Comment field, type a plain-text comment on the settings.<br />
6 Modify the existing values of the settings as needed.<br />
7 [Optional] Select the Permissions tab and configure who is allowed to view the settings and edit<br />
them.<br />
8 Click OK and then Save Changes.<br />
Access restrictions<br />
When you add or edit a new list, new settings, or a new rule set to your configuration, you can restrict<br />
access to them for users and roles.<br />
Complete the following procedure to restrict access for a newly added item:<br />
1 Go to Policy | Lists (or Rule Sets).<br />
2 On the tree structure, go to the position where you want to add the new item.<br />
3 Click Add above the tree structure. The adding window opens.<br />
4 Complete the steps for adding a new item. Then select the Permissions tab.<br />
Three modes of access can be configured: Read and Write, Read, and No Access.<br />
5 Click Add under the Read and Write pane. The Add Role or User window opens.<br />
6 Select a role or a user (or more than one of each type at once) from the list in the corresponding pane.<br />
Or type a wildcard expression as the name of a role or user in the Wildcard field.<br />
7 Add as many entries to the Read and Write list as needed. Use the Delete button under the pane to<br />
delete entries.<br />
8 Fill the Read and No Access panes in the same way.<br />
9 Use the radio buttons under All others have to configure access for all roles and users that are not<br />
included in one of the lists on the tab.<br />
10 Click OK and then Save Changes.<br />
5<br />
Filtering users<br />
Authentication and access management<br />
Contents<br />
Filtering users<br />
Standard authentication<br />
Instant messaging authentication<br />
Cookie authentication<br />
Quota management<br />
Administrator accounts<br />
Users can be “filtered” on the appliance, which means you can allow web access only for those who are<br />
able to authenticate. Administrators need to have accounts with roles and privileges. This gives you<br />
control over who is active in your network.<br />
The sections of this chapter explain the authentication process and how to configure it, for example, by<br />
joining the appliance to a Windows domain to retrieve user information, or by using a database on an<br />
LDAP or RADIUS server, or on another server.<br />
They also explain how to guide users by configuring quotas for their web usage. Furthermore, they tell<br />
you how to set up accounts and roles for administrators and grant them privileges.<br />
Authentication process<br />
This section explains what happens on the appliance during the authentication process. Understanding<br />
this process should help you when you begin to configure authentication according to your own<br />
requirements.<br />
Authentication usually takes place in the request cycle of the filtering process. When users send<br />
requests to the web, for example, to view a web page or download a file, the appliance intercepts these<br />
requests and “considers” whether to block or allow them.<br />
There can be many reasons for not allowing a request, for example, the URL of a requested website<br />
could be on a blocking list. However, authentication usually does not look at the requested object; it<br />
looks at the user. Can information be found in a directory or database to prove that the user can be<br />
trusted? If yes, the user is authenticated.<br />
This is what the authentication rules of the appliance check. A special authentication module retrieves<br />
user information and passes it on to these rules to let them trigger actions, like asking an<br />
unauthenticated user to authenticate or forwarding a request of an authenticated user to further<br />
filtering. The methods the authentication module uses to retrieve the user information can be<br />
configured under its settings.<br />
Looking at the user need not be the only thing that happens in the authentication process. The rules for<br />
this process can also include the checking of web objects. Then authentication can also happen in the<br />
response cycle. For example, a rule might specify that when a web object is sent from the web in<br />
response to a request, a user must authenticate to be allowed access to the object.<br />
Process flow for authenticating a user<br />
When a user sends a request to the web, the appliance intercepts it and begins processing the<br />
implemented rules. If these include authentication rules, the request is also checked by them. To<br />
trigger an action, an authentication rule needs to know whether the user who sent the request is<br />
authenticated. The authentication module retrieves user information and tells the rule about its<br />
findings.<br />
If the module has found that the user is not authenticated, the process flow is as follows:<br />
User is authenticated? – No.<br />
–> The user is informed that authentication is required and asked to provide credentials for authenticating.<br />
–> Processing of requests stops. The appliance waits until the next request is sent.<br />
When the user sends an authentication request including credentials, all implemented rules of the<br />
request cycle are processed again. When it comes to processing the authentication rules, the<br />
credentials are checked to see if they are sufficient to authenticate the user. If this is the case, the<br />
process continues as follows:<br />
–> User is authenticated? – Yes.<br />
–> Processing continues with the next rules in the request cycle.<br />
If not blocked by any of these, the request is passed on to the appropriate web server.<br />
The authentication process uses the elements of an authentication rule in different ways. The rule<br />
criteria is processed to find out whether a user is already authenticated. The rule action eventually<br />
requests the user to authenticate.<br />
Sample authentication rule<br />
In the following, an example of an authentication rule is explained. This rule can be included in a rule<br />
set of the appliance library. It is shown in a notation that comes close to how the rule appears on the<br />
user interface.<br />
Name: Authenticate with User Database<br />
Criteria: Authentication.Authenticate&lt;User Database&gt; equals false<br />
Action: Authenticate&lt;Default&gt;<br />
In plain text, this rule could be rephrased as follows:<br />
If the user has not yet been authenticated (through information from the user database), ask this<br />
user to submit credentials for authentication.<br />
Criteria and action<br />
The structure of the rule is the same as for all other rules on the appliance. It has two main elements,<br />
the criteria and the action.<br />
If the criteria is matched, the action is taken. The user is not authenticated – if this is matched, the<br />
Authenticate action is taken.<br />
The criteria has three elements:<br />
Property: Authentication.Authenticate<br />
Operator: equals<br />
Value of the property: false<br />
The meaning of the Authentication.Authenticate property could be rendered as “having been<br />
authenticated”. The criteria could then be rephrased as follows:<br />
Having been authenticated is false (for the user who sent the request).<br />
Property<br />
A property is something related to a web object or a user. In this rule, “having been authenticated” is a<br />
property of the user who sent a request.<br />
Property names usually have two or more parts. For the Authentication.Authenticate property, the<br />
Authentication part indicates that the property has something to do with authentication in general. The<br />
Authenticate part denotes a particular aspect of authentication like “having been authenticated”.<br />
Settings<br />
The sample rule also contains two terms in angle brackets: &lt;User Database&gt; and &lt;Default&gt;.<br />
Terms in angle brackets are always settings in rules on the appliance. The &lt;User Database&gt; settings<br />
appear next to the property Authentication.Authenticate. They are the settings of the module that this<br />
property relies on for being assigned a value.<br />
The authentication module retrieves information from a database to let the rule know that<br />
Authentication.Authenticate (“being authenticated”) has the value false for a given user.<br />
The module settings are &lt;User Database&gt; in this rule, which means the module is to retrieve user<br />
information from the local user database.<br />
The rule action, which is Authenticate, has &lt;Default&gt; as its settings. Settings of an action are mainly<br />
for specifying a particular message that is sent to users who are affected by the action.<br />
Options for retrieving user information<br />
This section explains how to retrieve information for authenticating users yourself instead of having<br />
them provided by the default process.<br />
You might want to use the options described here when dealing, for example, with user requests that<br />
provide no header information on the user name and password, or when you use an authentication<br />
method, such as Kerberos, that provides no user group information.<br />
Filling the Authentication.RawCredentials property with values<br />
Configuring authentication basically means configuring a rule that evaluates user credentials, using the<br />
Authentication.Authenticate property, and executes the Authenticate action, which asks a user to<br />
submit credentials if the evaluation shows that this user is not authenticated.<br />
Note: The logon window for submitting authentication credentials is presented to the user by the<br />
Authenticate action. This is not part of processing the Authentication.Authenticate property, which is only the<br />
criteria that must be matched to let the Authenticate action be executed.<br />
The Authentication.Authenticate property gets the credentials it evaluates from the<br />
Authentication.RawCredentials property. This property is internally “filled” with these values by the<br />
proxy module. The proxy module gets the values from the relevant header of the request that a user<br />
sends.<br />
You can fill the Authentication.RawCredentials property with a user name and password yourself. For<br />
this purpose, you need to encode these values in Base64 format.<br />
You might do this to handle requests that do not include a header with user name and password.<br />
If you know that a given user sends requests from a client with a particular IP address, you<br />
can configure a rule that sets the Authentication.RawCredentials property to the relevant user name<br />
and password when a request from that address is received.<br />
Another rule, which includes the Authentication.Authenticate property, can then evaluate the<br />
credentials and eventually execute the Authenticate action.<br />
The two rules could look as follows:<br />
Name: Set values for Authentication.RawCredentials<br />
Criteria: Client.IP equals 10.143.104.45<br />
Action: Continue<br />
Event: Set Authentication.RawCredentials = “Basic Ym9ic21pdGg6dGVzdHBhc3M=”<br />
and:<br />
Name: Authenticate with User Database<br />
Criteria: Authentication.Authenticate equals false<br />
Action: Authenticate<br />
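The value set in the first rule follows the HTTP Basic scheme: the word Basic followed by the Base64 encoding of the user name, a colon, and the password. The following Python sketch is an added example, not code from the guide or the appliance. It builds and decodes such a value and scans rule text for credentials embedded this way. The function names, the ISO-8859-1 default and the plain-text rule export format are assumptions.<br />

```python
import base64
import binascii
import re

# Constructed sample: the event of the rule shown above, written as plain
# text. The export format is an assumption made for this example.
SAMPLE_RULE_TEXT = (
    "Client.IP equals 10.143.104.45 -> Continue - "
    'Set Authentication.RawCredentials = "Basic Ym9ic21pdGg6dGVzdHBhc3M="'
)


def build_raw_credentials(username, password, charset="iso-8859-1"):
    """Return the 'Basic <base64>' string for a user name and password."""
    if ":" in username:
        # The first colon separates name and password, so a name cannot hold one.
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode(charset))
    return "Basic " + token.decode("ascii")


def parse_raw_credentials(value, charset="iso-8859-1"):
    """Decode a 'Basic <base64>' string into (user name, password)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credentials value")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode(charset)
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("invalid Base64 payload") from exc
    # Split on the first colon only: the password itself may contain colons.
    username, separator, password = decoded.partition(":")
    if not separator:
        raise ValueError("missing ':' between user name and password")
    return username, password


# Matches an assignment to Authentication.RawCredentials with straight or
# typographic quotes around the value.
_BASIC_RE = re.compile(
    r'Authentication\.RawCredentials\s*=\s*["“](Basic\s+[A-Za-z0-9+/=]+)["”]'
)


def find_embedded_credentials(rule_text):
    """List credentials embedded in rule text without echoing the password."""
    findings = []
    for match in _BASIC_RE.finditer(rule_text):
        try:
            username, password = parse_raw_credentials(match.group(1))
        except ValueError:
            continue  # not a decodable Basic value, ignore it
        findings.append({"username": username, "password_length": len(password)})
    return findings


if __name__ == "__main__":
    print(build_raw_credentials("bobsmith", "testpass"))
    print(find_embedded_credentials(SAMPLE_RULE_TEXT))
```

Base64 is an encoding, not encryption, so anyone who can read such a rule can recover the password. The Permissions tab described under Access restrictions controls who can view the rule set that contains it.<br />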
Using the Authentication.GetUserGroups property to retrieve user information<br />
By default, values providing user information are retrieved when the Authentication.Authenticate<br />
property is processed within a rule. They are then available as the values of the<br />
Authentication.UserName and Authentication.IsAuthenticated properties, which can again be used in<br />
an appropriate rule.<br />
To retrieve user information, you can also use the Authentication.GetUserGroups property in a rule. You<br />
might do this when using more than one database to retrieve information for the authentication<br />
process. For example, you use a Kerberos database to evaluate user credentials, but the Kerberos<br />
authentication method does not provide user group information. This information is on an LDAP server,<br />
however.<br />
When working with the Authentication.GetUserGroups property, you also need to set a value for the<br />
Authentication.RawUsername property, which is used as the key for the attribute lookup on the<br />
database in question. You need to set a key yourself because you do not know where the user name<br />
and other relevant information is stored on this database.<br />
Note: You can use this method to retrieve attributes only when the database in question is the internal User<br />
Database or an LDAP server.<br />
For example, you want to look up information about the user group on an LDAP server. Depending on<br />
this information, you block or allow requests that users send. The IP address of the client that a request<br />
is sent from serves as the key for the lookup.<br />
The rules for this could look as follows:<br />
Name: Set key for database lookup<br />
Criteria: Always<br />
Action: Continue<br />
Event: Set Authentication.RawUsername = “10.134.103.43”<br />
and:<br />
Name: Block if user is not in user group on LDAP server<br />
Criteria: Authentication.GetUserGroups does not contain testgroup<br />
Action: Block<br />
Standard authentication<br />
To authenticate users on the appliance, information is retrieved mainly from internal and external<br />
databases. This section describes the rules that control standard authentication and the settings for the<br />
module that handles the authentication process.<br />
Different methods can be configured on the appliance for authenticating users. With each of them,<br />
authentication information is retrieved in a different way.<br />
• NTLM — Uses a database on a Windows domain server<br />
• NTLM Agent — Uses an external agent on a Windows-based system for applying the NTLM<br />
authentication method<br />
• User database — Uses an internal database on the appliance<br />
• LDAP — Uses a database on an LDAP server<br />
• Novell eDirectory — Uses data from a directory on a server that takes the role of an LDAP server<br />
• RADIUS — Uses a database on a RADIUS server<br />
• Kerberos — Uses a database on a Kerberos server<br />
• SSL client certificate authentication — Uses a certificate that a client sends in SSL-secured<br />
communication<br />
• Authentication server — Uses a database on another external server<br />
An authentication rule includes settings for the module that retrieves the information. By configuring<br />
these settings you can specify which method should be used.<br />
Rules for authenticating users<br />
Rules for authenticating users are contained in an authentication rule set. This section describes an<br />
authentication rule set and explains how to modify one of its rules to implement a particular<br />
authentication method.<br />
An authentication rule set might not be implemented on the appliance after the initial setup, but you<br />
can import one from the rule set library.<br />
Note: If the library contains no rule set for authenticating users, it can still be part of the default system of rule<br />
sets. As usual, you can also configure an authentication rule set with rules of your own.<br />
Authenticate and Authorize<br />
This section describes the Authenticate and Authorize library rule set. The rules in this rule set control<br />
the authentication of users and allow only authorized users access to the web.<br />
Library rule set — Authenticate and Authorize<br />
Criteria — Connection.Protocol equals HTTP OR Connection.Protocol equals HTTPS<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when the protocol used on the connection for<br />
sending a request is either HTTP or HTTPS.<br />
The following rule sets are nested in this rule set:<br />
• Authenticate with User Database<br />
• Authorize<br />
The rule set also has two rules of its own, which are processed before the nested rule sets:<br />
Need to authorize Client IP?<br />
Client.IP is in range list Unauthorized IPs –> Stop Rule Set<br />
The rule uses the Client.IP property to check whether a request was sent from a client with an IP<br />
address that is in the range list for unauthorized IP addresses. If this is the case, processing the<br />
rule set stops. No activities are then carried out to authenticate a user. Processing continues with<br />
the next rule set.<br />
Note: This rule is not enabled by default.<br />
Need to authorize URL?<br />
URL is in list Unauthorized URLs –> Stop Rule Set<br />
The rule uses the URL property to check whether a URL that access was requested to is in the list of<br />
unauthorized URLs. If this is the case, processing the rule set stops. No activities are then carried<br />
out to authenticate a user. Processing continues with the next rule set.<br />
Authenticate with User Database<br />
This nested rule set asks unauthenticated users to authenticate. Its authentication method is retrieving<br />
information from the internal user database.<br />
Nested library rule set — Authenticate with User Database<br />
Criteria — Authentication.IsAuthenticated equals false OR<br />
Authentication.Failed equals false<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user has not yet been authenticated or<br />
has undergone the authentication process, but authentication failed.<br />
The rule set contains the following rule:<br />
Authenticate with User Database<br />
Authentication.Authenticate equals false –> Authenticate<br />
The rule uses the Authentication.Authenticate property to check whether a user who sends a<br />
request for web access is authenticated. The settings that go with the property are the settings of<br />
the Authentication module. They specify that retrieving information from the internal user<br />
database on the appliance is used as the authentication method.<br />
If a user has not been authenticated by information from the internal database, the rule applies<br />
and the Authenticate action is executed. Processing stops and a message is displayed, asking the<br />
user to authenticate. The settings of the action specify that the message is displayed with default<br />
values.<br />
Processing continues when the next request is received on the appliance, which can be an<br />
authentication request by the same user.<br />
For information on how to modify the settings for the Authentication module to let the rule use a<br />
different authentication method, such as NTLM, LDAP, or others, see Implement an authentication<br />
method.<br />
Authorize<br />
The Authorize rule set allows only requests from users who are members of a whitelisted user group.<br />
Nested library rule set — Authorize<br />
Criteria — Always<br />
Cycle — Requests (and IM)<br />
The rule set contains the following rule:<br />
Only allow users of Allowed User Groups<br />
Authentication.UserGroups none in list Allowed User Groups –> Block<br />
The rule uses the Authentication.UserGroups property to allow access only to users who are members<br />
of a group on the specified whitelist. If a user is not in one of the groups on the list, the rule<br />
applies and stops processing of all rules. The request is not passed on to a web server and is blocked<br />
this way.<br />
The action settings specify that a notification is sent to the requesting user. Processing continues<br />
when the next request is received.<br />
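The following Python sketch, added here and not taken from the guide or the appliance, models how the Authenticate and Authorize rule set and its two nested rule sets decide a request. The user database, list entries and function names are constructed for illustration, and the criteria of the nested rule set is modelled as printed above.<br />

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample data: none of these entries come from the guide.
USER_DATABASE = {
    "bobsmith": {"password": "testpass", "groups": ["staff"]},
    "guest": {"password": "guestpass", "groups": ["visitors"]},
}
UNAUTHORIZED_IPS = [ip_network("10.143.200.0/24")]
UNAUTHORIZED_URLS = {"http://updates.example.com/"}
ALLOWED_USER_GROUPS = {"staff"}


@dataclass
class Request:
    client_ip: str
    url: str
    protocol: str = "HTTP"
    credentials: Optional[Tuple[str, str]] = None  # (user name, password)
    is_authenticated: bool = False  # Authentication.IsAuthenticated
    failed: bool = False            # Authentication.Failed
    user_groups: List[str] = field(default_factory=list)  # Authentication.UserGroups


@dataclass
class Result:
    action: str          # "Continue", "Authenticate" or "Block"
    rule: Optional[str]  # name of the rule that decided the outcome, if any


def authentication_authenticate(req: Request) -> bool:
    """Model of Authentication.Authenticate with User Database settings."""
    if req.credentials is None:
        return False
    user, password = req.credentials
    entry = USER_DATABASE.get(user)
    stored = entry["password"] if entry else ""
    if entry is None or not hmac.compare_digest(stored.encode(), password.encode()):
        req.failed = True
        return False
    req.is_authenticated = True
    req.user_groups = list(entry["groups"])
    return True


def authenticate_and_authorize(req: Request, client_ip_rule_enabled: bool = False) -> Result:
    """Process one request through the rule set. The Client IP rule is off by default."""
    # Rule set criteria: the connection protocol is HTTP or HTTPS.
    if req.protocol not in ("HTTP", "HTTPS"):
        return Result("Continue", None)
    # The rule set's own rules: a match triggers Stop Rule Set, so neither
    # nested rule set runs and processing continues with the next rule set.
    if client_ip_rule_enabled and any(
        ip_address(req.client_ip) in net for net in UNAUTHORIZED_IPS
    ):
        return Result("Continue", "Need to authorize Client IP?")
    if req.url in UNAUTHORIZED_URLS:
        return Result("Continue", "Need to authorize URL?")
    # Nested rule set: Authenticate with User Database.
    if (not req.is_authenticated) or (not req.failed):
        if not authentication_authenticate(req):
            return Result("Authenticate", "Authenticate with User Database")
    # Nested rule set: Authorize (criteria: Always).
    if not any(group in ALLOWED_USER_GROUPS for group in req.user_groups):
        return Result("Block", "Only allow users of Allowed User Groups")
    return Result("Continue", None)


def reached_web_unauthenticated(req: Request, result: Result) -> bool:
    """True when a request leaves the rule set without any user being authenticated."""
    return result.action == "Continue" and not req.is_authenticated


if __name__ == "__main__":
    first = Request("10.143.104.45", "http://www.example.com/")
    print(authenticate_and_authorize(first))   # asks the user to authenticate
    second = Request("10.143.104.45", "http://www.example.com/",
                     credentials=("bobsmith", "testpass"))
    print(authenticate_and_authorize(second))  # continues with the next rules
```

In this model, a request that matches the Unauthorized IPs or Unauthorized URLs list skips both authentication and the group check, so the entries of these two lists decide which traffic passes without a known user.<br />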
Implement an authentication method<br />
If you do not want to keep the User Database authentication method, which is used by default in a rule<br />
of the Authentication and Authorize rule set, you can implement a different authentication method,<br />
such as NTLM, LDAP, and others. This section tells you how to modify the rule to implement this<br />
change.<br />
To implement a different authentication method:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the rule set that contains rules for authenticating users, for example, the<br />
default Authentication and Authorize rule set and select the nested Authenticate with User<br />
Database rule set. The rules of the nested rule set appear on the settings pane.<br />
3 Select the rule Authenticate with User Database and in the rule criteria click User Database.<br />
The Edit Settings window opens.<br />
4 From the list provided under Authentication Method, select an authentication method, for<br />
example, NTLM.<br />
5 Configure common and specific parameters for the selected method as needed. When you are done,<br />
click OK to close the window.<br />
6 Click Save Changes.<br />
Note: It is recommended that after changing the authentication method, you rename the settings of the<br />
Authentication module, the authentication rule, and the nested rule set, accordingly.<br />
For example, after selecting NTLM, rename the settings to NTLM and both the rule and the nested rule set<br />
to Authenticate with NTLM.<br />
Instead of renaming the default settings, you can also keep several settings with different names and<br />
parameter values for the Authentication module.<br />
For more information on the settings you can configure for authenticating users, see Module for<br />
authenticating users.<br />
Module for authenticating users<br />
The Authentication module is called by the rules for authenticating users on the appliance to handle the<br />
authentication process. This section tells you how to configure the settings of this module, for example,<br />
to let it use a particular authentication method.<br />
Configure the Authentication module<br />
To configure settings for the authentication module:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the rule set that contains rules for authenticating users, for example, the<br />
default Authentication and Authorize rule set; and select the nested Authenticate with User<br />
Database rule set. The rules of the nested rule set appear on the settings pane.<br />
3 Select the rule that controls user authentication, for example, Authenticate with User Database<br />
and click the settings that are specified in the rule criteria, for example, User Database. The Edit<br />
Settings window opens.<br />
Note: You can also access these settings on the Settings tab of the Policy top-level menu.<br />
On the Engines branch of the settings tree, go to Authentication and select the settings you want to<br />
configure, for example, User Database.<br />
4 Configure these settings as needed. Then click OK to close the window.<br />
Note: Configuring these settings can include a change of the authentication method, for example, from<br />
User Database to NTLM.<br />
5 Click Save Changes.<br />
For more information, see Settings for the Authentication module and Membership in a Windows<br />
domain.<br />
Settings for the Authentication module<br />
This section describes the settings for the Authentication module.<br />
The User Database settings are by default provided for the Authentication module. If you have selected<br />
a different authentication method and renamed the default settings accordingly, there can be settings<br />
named after another authentication method, such as NTLM or LDAP.<br />
Another option is not to rename the default settings, but to keep several settings with different names<br />
and parameter values for the Authentication module.<br />
Note: The settings for the Authentication module are described in the following, beginning with User<br />
Database. This is followed by descriptions of the settings that can be configured for other authentication<br />
methods.<br />
The descriptions follow the order the respective methods take under Authentication Method, which is one of<br />
the sections within each of the settings for the Authentication module.<br />
User Database<br />
Settings specifying the User Database method to authenticate users<br />
Note: These settings are by default provided for the Authentication module.<br />
Authentication Method<br />
Settings for selecting an authentication method<br />
You can select one of the following:<br />
• NTLM<br />
• NTLM-Agent<br />
• User Database<br />
• LDAP<br />
• Novell eDirectory<br />
• RADIUS<br />
• Kerberos<br />
• SSL Client Certificate Authentication<br />
• Authentication Server<br />
After selecting a method, the settings that are specific to this method appear below the Common<br />
Authentication Parameters.<br />
Authentication Test<br />
Settings for testing whether a user with given credentials would be authenticated<br />
User — User name that is tested<br />
Password — Tested password<br />
Authenticate User — Executes the test<br />
Test result — Displays the outcome of the test<br />
Common Authentication Parameters<br />
Settings common to all authentication methods<br />
Proxy Realm — Location of the proxy that receives requests from users who are asked to authenticate<br />
Authentication attempt timeout — Time (in seconds) to elapse before the authentication process<br />
terminates if not completed successfully<br />
Use authentication cache — When selected, authentication information is stored in a cache<br />
Authentication is then based on this stored information, rather than on information retrieved from an<br />
authentication server or the internal user database.<br />
Authentication cache TTL — Time (in minutes) that authentication information is stored in the cache<br />
User Database Specific Parameters<br />
Settings for the User Database authentication method<br />
Send domain and machine name to the client — When selected, the names of the appliance and<br />
the domain it has been assigned to are sent to the client that a user who is to be authenticated sent a<br />
request from<br />
Enable basic authentication — When selected, the basic NTLM authentication method is applied to<br />
authenticate users<br />
Information that a user submits for authentication is then sent in plain-text format (less secure) to the<br />
Windows domain server.<br />
Enable integrated authentication — When selected, the integrated NTLM authentication method is<br />
applied to authenticate users<br />
Information that a user submits for authentication is then encrypted before it is sent to the Windows<br />
domain server.<br />
Enable NTLM cache — When selected, NTLM authentication information is stored in this cache<br />
Authentication is then based on this stored information, rather than on information retrieved from the<br />
Windows domain server.<br />
NTLM cache TTL — Time (in seconds) that authentication information is stored in this cache<br />
International text support — Set of characters used by default for a request sent from a client, for<br />
example, ISO-8859-1<br />
Advanced Parameters<br />
Settings for advanced configuration of this authentication method<br />
Always perform new evaluation of property values — When selected, a new evaluation to assign<br />
a value to a property is performed each time a rule containing this property is processed. If a value has<br />
been stored for a property in the cache, it is not used.<br />
While it is normally recommended to let cache values be used to improve performance, there can be<br />
situations where the new evaluation of a property is required.<br />
In these situations, the same property is used more than once within the authentication rules and with<br />
the same settings of the Authentication module. A new evaluation ensures the most current value is<br />
assigned to the property each time.<br />
NTLM<br />
Settings specifying the NTLM method to authenticate users<br />
Note: These settings are provided if you have selected the NTLM authentication method and configured the<br />
settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method, Authentication Test, Common Authentication Parameters, Advanced<br />
Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
NTLM Specific Parameters<br />
Settings for the NTLM authentication method<br />
Default NTLM domain — Name of the default Windows domain used for looking up authentication<br />
information<br />
Note: This is one of the domains you have configured on the Appliances tab of the Configuration top-level<br />
menu.<br />
Get global groups — When selected, information on global user groups is searched for on the<br />
Windows domain server<br />
Get local groups — When selected, information on local user groups is searched for on the Windows<br />
domain server<br />
Prefix group name with domain name (domain\group) — When selected, the name of the<br />
Windows domain appears before the name of the user group when authentication information on this<br />
group is sent from the domain server<br />
Enable basic authentication — When selected, the basic NTLM authentication method is applied to<br />
authenticate users. Information that a user submits for authentication is then sent in plain-text format<br />
(less secure) to the Windows domain server<br />
Enable integrated authentication — When selected, the integrated NTLM authentication method is<br />
applied to authenticate users. Information that a user submits for authentication is then encrypted<br />
before it is sent to the Windows domain server<br />
Enable NTLM cache — When selected, NTLM authentication information is stored in this cache.<br />
Authentication is then based on this stored information, rather than on information retrieved from the<br />
Windows domain server.<br />
NTLM cache TTL — Time (in seconds) that authentication information is stored in this cache<br />
International text support — Set of characters used by default for a request sent from a client, for<br />
example, ISO-8859-1<br />
NTLM Agent<br />
Settings specifying the NTLM Agent method to authenticate users<br />
Note: These settings are provided if you have selected the NTLM Agent authentication method and configured<br />
the settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method, Authentication Test, Common Authentication Parameters, Advanced<br />
Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
NTLM Agent Specific Parameters<br />
Settings for the NTLM Agent authentication method<br />
Use secure agent connection — When selected, the connection used for communicating with the<br />
NTLM Agent is SSL-secured<br />
Authentication connection timeout in seconds — Time (in seconds) to elapse before the<br />
connection to the NTLM Agent is closed if no activity occurs on it<br />
Agent Definition — List of agents that are available for performing NTLM authentication<br />
The following table describes the list entries. For general information on how to maintain lists, see List<br />
maintenance.<br />
Table 5-1 Agent Definition list<br />
Option | Definition<br />
String | Name of an NTLM agent<br />
Comment | Plain-text comment on the NTLM agent<br />
Default NTLM domain, Get global groups, ... — The remaining parameters have the same usage<br />
and meanings as for the NTLM authentication method.<br />
For more information, see User Database Specific Parameters.<br />
LDAP<br />
Settings specifying the LDAP method to authenticate users<br />
Note: These settings are provided if you have selected the LDAP authentication method and configured the<br />
settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method, Authentication Test, Common Authentication Parameters, Advanced<br />
Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
LDAP Specific Parameters<br />
Settings for the LDAP authentication method<br />
LDAP server(s) to connect to — List of LDAP servers to retrieve authentication information from<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 5-2 LDAP servers list<br />
Option | Definition<br />
String | Name of an LDAP server<br />
Comment | Plain-text comment on the LDAP server<br />
List of certificate authorities — List of certificate authorities for providing certificates when a Secure<br />
LDAP (S-LDAP) connection is used for communication with the LDAP server<br />
The following table describes the list entries. For general information on how to maintain lists, see List<br />
maintenance.<br />
Table 5-3 Certificate authorities list<br />
Option | Definition<br />
Certificate authority | Name of a certificate authority<br />
Certificate revocation list | List with information on when the certificate becomes invalid and URI used to access it<br />
Trusted | Information on whether the certificate is trusted on the appliance<br />
Comment | Plain-text comment on the certificate authority<br />
Credentials — User name of the appliance for logging on to the LDAP server<br />
Password — Password for that user name<br />
Clicking Set opens a window for configuring a new password.<br />
International text support — Set of characters used by default for a request sent from a client, for<br />
example, ISO-8859-1<br />
Enable LDAP version 3 — When selected, version 3 of the LDAP protocol is used<br />
Allow LDAP library to follow referrals — When selected, the lookup of user information can be<br />
redirected from the LDAP server to other servers<br />
Connection live check — Time (in minutes) to elapse between checks to see whether the connection<br />
to the LDAP server is still active<br />
LDAP operation timeout — Time (in seconds) to elapse before the connection to the LDAP server is<br />
closed if no communication occurs<br />
Base distinguished name to user objects — Distinguished name (DN) in the directory on the LDAP<br />
server where the lookup of user attributes should begin<br />
Map user name to DN — When selected, the name of the user who asks for authentication must map<br />
to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server<br />
Filter expression to locate a user object — Filtering term for restricting the lookup of user<br />
attributes<br />
To substitute the user name in the filtering term, u% is used as a variable.<br />
Get user attributes — When selected, user attributes are looked up on the LDAP server to<br />
authenticate a user<br />
User attributes to retrieve — List of user attributes to retrieve from the LDAP server<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 5-4 User attributes list<br />
Option | Definition<br />
String | User attribute<br />
Comment | Plain-text comment on the user attribute<br />
Attributes concatenation string — String for separating user attributes found by the lookup, for<br />
example, / (slash)<br />
Get groups attributes — When selected, user group attributes are also looked up on the LDAP server<br />
to authenticate a user<br />
Base distinguished name to group objects — Distinguished name (DN) in the directory on the<br />
LDAP server where the lookup of group attributes should begin<br />
Filter expression to locate a group object — Filtering term for restricting the lookup of group<br />
attributes<br />
To substitute the user name in the filtering term, u% is used as a variable<br />
Group attributes to retrieve — List of group attributes to retrieve from the LDAP server<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 5-5 Group attributes list<br />
Option | Definition<br />
String | Group attribute<br />
Comment | Plain-text comment on the group attribute<br />
Attributes concatenation string — String for separating group attributes found in the lookup, for<br />
example, / (slash)<br />
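The user and group filter expressions above insert the submitted user name in place of u%. The following Python sketch is an added example, not taken from the guide or from the product; it shows one way to perform that substitution with RFC 4515 escaping so that characters such as * and ( stay literal. The function names and sample filter terms are assumptions.<br />

```python
# Added illustration, not McAfee Web Gateway code.
# Assumption: "u%" is the user-name placeholder, as the guide states;
# function names and the sample filter terms are hypothetical.
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so the LDAP server treats it as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the escaping, to show the value the server compares against."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template: str, user_name: str, placeholder: str = "u%") -> str:
    """Insert the escaped user name at every placeholder in a filter term."""
    if not user_name:
        # An empty name would produce a filter such as (uid=), so reject it.
        raise ValueError("empty user name")
    if placeholder not in template:
        raise ValueError("filter term has no user-name placeholder")
    # str.replace does not rescan inserted text, so a user name that itself
    # contains "u%" is inserted literally and not expanded again.
    return template.replace(placeholder, escape_filter_value(user_name))


# Constructed sample filter terms for the user and group lookups.
USER_FILTER = "(&(objectClass=person)(uid=u%))"
GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid=u%))"

if __name__ == "__main__":
    for name in ("jsmith", "smith (ops)*"):
        print(expand_filter(USER_FILTER, name))
        print(expand_filter(GROUP_FILTER, name))
```

Without the escaping step, the second sample name would add a wildcard and extra parentheses to the filter and change what the lookup matches.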
Novell eDirectory<br />
Settings specifying the Novell eDirectory method to authenticate users<br />
Note: These settings are provided if you have selected the Novell eDirectory authentication method and<br />
configured the settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method, Common Authentication Parameters, Advanced Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
Novell eDirectory Specific Parameters<br />
Settings for the Novell eDirectory authentication method<br />
LDAP server(s) to connect to — List of the eDirectory servers that take the role of LDAP servers to<br />
provide authentication information<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 5-6 LDAP server list<br />
Option | Definition<br />
String | Name of an LDAP server<br />
Comment | Plain-text comment on the LDAP server<br />
List of certificate authorities, Credentials ... — Meaning and usage of other parameters for the<br />
Novell eDirectory authentication method are the same as for the LDAP authentication method.<br />
For more information, see LDAP.<br />
In addition to these, you need to configure the following parameters:<br />
eDirectory network address attribute — Name of the attribute that provides the network<br />
addresses used for the eDirectory server<br />
eDirectory network login time attribute — Name of the attribute that provides the logon time used<br />
on the eDirectory server<br />
eDirectory network minimal update interval — Time to elapse (in seconds) before information<br />
from the eDirectory server is updated<br />
RADIUS<br />
Settings specifying the RADIUS method to authenticate users<br />
Note: These settings are provided if you have selected the RADIUS authentication method and configured the<br />
settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method, Authentication Test, Common Authentication Parameters, Advanced<br />
Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
RADIUS Specific Parameters<br />
Settings for the RADIUS authentication method<br />
RADIUS server definition — List of RADIUS servers that authentication information is retrieved from<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 5-7 RADIUS server list<br />
Element | Description<br />
String | Name of a RADIUS server<br />
Comment | Plain-text comment on the RADIUS server<br />
Default domain name — Name of the domain that information is retrieved from if no other domain is<br />
specified<br />
Shared secret — Password used by the appliance to get access to the RADIUS server<br />
Radius connection timeout in seconds — Time (in seconds) to elapse before the connection to the<br />
RADIUS server is closed if no traffic occurs<br />
International text support — Set of characters used by default for a request sent from a client, for<br />
example, ISO-8859-1<br />
Value of attribute with code — Code value for the attribute retrieved with the user group<br />
information, according to RFC 2865<br />
For example, 25 is the code for the “class” attribute.<br />
Vendor specific attribute with vendor ID — Vendor ID for retrieving vendor-related data in the<br />
search for user group information<br />
According to RFC 2865, the vendor ID is a part of the vendor attribute, followed by a number of<br />
subattributes. Its code value is 26.<br />
Vendor subattribute type — Code value for the type of subattributes included in a vendor attribute,<br />
according to RFC 2865<br />
Since not all vendors adhere to this structure, it is recommended to specify 0 as value here. This allows<br />
the authentication module to retrieve all available vendor information.<br />
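The three attribute settings above correspond to fields of the RFC 2865 attribute encoding. The following Python sketch is an added example, not taken from the guide or from the product; it parses the attribute area of a RADIUS reply, reads the attribute with code 25, and reads a Vendor-Specific attribute (code 26) by vendor ID and subattribute type. Treating subattribute type 0 as "return the vendor data unparsed" is an assumption about how the recommendation works; the function names and sample bytes are constructed, and 32473 is the enterprise number reserved for documentation.<br />

```python
# Added illustration, not McAfee Web Gateway code. Function names are hypothetical.
import struct

CLASS = 25            # RFC 2865, section 5.25
VENDOR_SPECIFIC = 26  # RFC 2865, section 5.26


def parse_attributes(data: bytes) -> list:
    """Split the attribute area of a RADIUS packet into (type, value) pairs.

    Each attribute is Type (1 octet), Length (1 octet, counting the two
    header octets) and Value (Length - 2 octets).
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def attribute_values(attrs: list, code: int) -> list:
    """All values of the attribute with the given code, for example 25."""
    return [value for a_type, value in attrs if a_type == code]


def vendor_values(attrs: list, vendor_id: int, sub_type: int = 0) -> list:
    """Values carried in Vendor-Specific attributes of one vendor.

    sub_type 0 (assumption): return everything after the Vendor-Id unparsed.
    Otherwise walk the type/length/value subattributes that RFC 2865
    recommends and return those whose type matches.
    """
    found = []
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vid,) = struct.unpack("!I", value[:4])
        if vid != vendor_id:
            continue
        body = value[4:]
        if sub_type == 0:
            found.append(body)
            continue
        pos = 0
        while pos + 2 <= len(body):
            v_type, v_len = body[pos], body[pos + 1]
            if v_len < 2 or pos + v_len > len(body):
                break  # this vendor does not use the recommended layout
            if v_type == sub_type:
                found.append(body[pos + 2:pos + v_len])
            pos += v_len
    return found


def make_attr(a_type: int, value: bytes) -> bytes:
    """Encode one attribute or subattribute (used to build the samples)."""
    return bytes([a_type, len(value) + 2]) + value


# Constructed sample: User-Name, Class, and one VSA with two subattributes.
SAMPLE_ATTRIBUTES = (
    make_attr(1, b"alice")
    + make_attr(CLASS, b"staff")
    + make_attr(VENDOR_SPECIFIC, struct.pack("!I", 32473)
                + make_attr(1, b"admins") + make_attr(2, b"eu"))
)
# Constructed sample: a VSA whose vendor data is not split into subattributes.
NONCONFORMING_VSA = make_attr(VENDOR_SPECIFIC,
                              struct.pack("!I", 32473) + b"raw-group-data")

if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ATTRIBUTES)
    print(attribute_values(parsed, CLASS))
    print(vendor_values(parsed, 32473, 1))
    print(vendor_values(parse_attributes(NONCONFORMING_VSA), 32473, 0))
```

With the second sample, a lookup for subattribute type 1 finds nothing, while type 0 still returns the vendor data.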
Kerberos<br />
Settings specifying the Kerberos method to authenticate users<br />
Note: These settings are provided if you have selected the Kerberos authentication method and configured<br />
the settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method<br />
Settings for selecting an authentication method<br />
For more information, see User Database.<br />
Kerberos Specific Parameters<br />
The specific settings of the parameters for the Kerberos authentication method are not configured as<br />
settings of the authentication module, but as settings of the appliance system.<br />
They can be accessed on the Appliances tab of the Configuration top-level menu under Kerberos<br />
Administration.<br />
After selecting Kerberos in the Authentication Method section of the Kerberos settings, you need to go<br />
to the Appliances tab and continue the configuration there.<br />
For more information, see Kerberos Administration system settings.<br />
Kerberos Administration system settings<br />
Settings for the Kerberos authentication method<br />
Key tab file — Input field for entering the file that contains the master key required to access the<br />
Kerberos server<br />
Note: You can type a file name or use the Browse button to browse to the file and enter its name in the field.<br />
When a ticket is issued for authentication according to the Kerberos method, the master key is read on<br />
the appliance and used to verify the ticket.<br />
If you are running a load balancer that directs web requests to the appliance, tickets are issued for the<br />
load balancer and verified on the appliance. It is then not checked whether a request is directed to the<br />
appliance.<br />
Kerberos realm — Administrative domain configured for authentication purposes<br />
Within the boundaries of this domain the Kerberos server has the authority to authenticate a user who<br />
submits a request from a host or using a service.<br />
Note: The realm name is case sensitive. However, normally only uppercase letters are used, and it is good<br />
practice to make the realm name the same as that of the relevant DNS domain.<br />
Maximal time difference between appliance and client — Maximal time (in seconds) that the<br />
system clocks on the appliance and its clients are allowed to differ<br />
Note: Configuring Kerberos as the authentication method can lead to problems when particular browsers are<br />
used for sending requests:<br />
– When Microsoft Internet Explorer is used in a version lower than 7.0, Kerberos authentication might not<br />
be possible at all.<br />
– When Internet Explorer runs on Windows XP, Kerberos authentication might not work as expected.<br />
– When Mozilla Firefox is used, Kerberos authentication must be configured in the browser settings to enable<br />
this authentication method.<br />
Enable replay cache — When selected, a ticket that is issued for authentication cannot be used more<br />
than once<br />
Note: Selecting this option reduces authentication performance.<br />
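The maximal time difference and the replay cache work together: the time check rejects old messages, so the cache only has to remember messages that are still inside that window. The following Python sketch is an added example, not taken from the guide or from the product, and it does not describe the appliance's internals. It assumes each presented ticket arrives as an opaque byte string together with the client timestamp; the class and method names are hypothetical.<br />

```python
# Added illustration, not McAfee Web Gateway code. Names are hypothetical.
import hashlib


class ReplayCache:
    """Reject messages that are too old, too new, or already seen."""

    def __init__(self, max_skew_seconds: float):
        self.max_skew = max_skew_seconds
        self._seen = {}  # SHA-256 digest of the message -> expiry time

    def __len__(self) -> int:
        return len(self._seen)

    def accept(self, message: bytes, client_time: float, now: float) -> bool:
        # Forget entries whose time window has passed. They cannot be
        # replayed any more because the skew check below rejects them.
        self._seen = {d: exp for d, exp in self._seen.items() if exp >= now}

        # Clock-skew check: the client timestamp must be close to our clock.
        if abs(now - client_time) > self.max_skew:
            return False

        # Replay check: the same message may be used only once.
        digest = hashlib.sha256(message).digest()
        if digest in self._seen:
            return False

        # Remember the message for as long as its timestamp stays acceptable.
        self._seen[digest] = client_time + self.max_skew
        return True


if __name__ == "__main__":
    cache = ReplayCache(max_skew_seconds=300)
    # Constructed sample: message bytes, client timestamp, appliance clock.
    print(cache.accept(b"ticket-A", 1000.0, 1010.0))  # first use
    print(cache.accept(b"ticket-A", 1000.0, 1020.0))  # replay inside the window
    print(cache.accept(b"ticket-A", 1000.0, 1400.0))  # replay after the window
    print(len(cache))
```

Each lookup and insert adds work per request, which is the performance cost the note above refers to.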
Advanced Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
SSL Client Certificate<br />
Settings specifying the SSL Client Certificate authentication method to authenticate users<br />
Note: These settings are provided if you have selected the SSL Client Certificate authentication method and<br />
configured the settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method<br />
Settings for selecting an authentication method<br />
For more information, see User Database.<br />
Client Certificate Specific Parameters<br />
Settings for the SSL Client Certificate authentication method<br />
User name — Name of the user and other user-related information provided in the certificate that a<br />
client sends for authentication in SSL-secured communication<br />
This information is contained in the Subject section of the certificate. The client is required to send the<br />
certificate under this authentication method, which is also known as the X.509 authentication method.<br />
When the certificate is read on the appliance, user name information is checked according to what you<br />
specify here and assigned as a value to the Authentication.Username property.<br />
You can use the following variables to specify the user name information:<br />
• $O$ – Organization<br />
• $OU$ – Organizational unit<br />
• $U$ – Unit<br />
• $CN$ – Common name<br />
• $L$ – Location<br />
• $ST$ – State<br />
• $C$ – Country<br />
In addition to the variables, you can specify plain-text characters here, for example, backslashes to<br />
separate different pieces of information.<br />
Realm name — Name of the realm and other realm-related information provided in the certificate that<br />
a client sends for authentication in SSL-secured communication<br />
This information is contained in the Issuer section of the certificate.<br />
When the certificate is read on the appliance, realm information is checked according to what you<br />
specify here and assigned as a value to the Authentication.Realm property.<br />
You can specify the variables listed under User name here, as well as plain-text characters.<br />
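The User name and Realm name settings above build their values from certificate fields through the listed variables. The following Python sketch is an added example, not taken from the guide or from the product; it expands such a template against the Subject and Issuer of a certificate given in the structure that Python's ssl.SSLSocket.getpeercert() returns. The function names, the sample certificate and the choice to fail when a field is missing are assumptions; $U$ is not mapped because the guide does not say which certificate attribute it reads.<br />

```python
# Added illustration, not McAfee Web Gateway code. Names are hypothetical.
import re

# Guide variables mapped to the attribute names used by ssl.getpeercert().
# $U$ is left out: the guide does not state which attribute it refers to.
VARIABLES = {
    "O": "organizationName",
    "OU": "organizationalUnitName",
    "CN": "commonName",
    "L": "localityName",
    "ST": "stateOrProvinceName",
    "C": "countryName",
}


def expand_name(template: str, name: tuple, multi_sep: str = "+") -> str:
    """Expand $VAR$ placeholders from a Subject or Issuer name.

    `name` is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    Text outside the placeholders, such as a backslash, is kept as is.
    """
    values = {}
    for rdn in name:
        for attr, value in rdn:
            values.setdefault(attr, []).append(value)

    def substitute(match):
        var = match.group(1)
        attr = VARIABLES.get(var)
        if attr is None:
            raise ValueError(f"unsupported variable ${var}$")
        if attr not in values:
            # Assumption: fail instead of producing a name with an empty
            # part, which could make two different certificates look alike.
            raise ValueError(f"certificate has no {attr} for ${var}$")
        # A field can occur more than once (for example two OUs).
        return multi_sep.join(values[attr])

    return re.sub(r"\$([A-Z]+)\$", substitute, template)


def identity_from_cert(cert: dict, user_template: str, realm_template: str) -> tuple:
    """Return (user name, realm): user from the Subject, realm from the Issuer."""
    return (expand_name(user_template, cert["subject"]),
            expand_name(realm_template, cert["issuer"]))


# Constructed sample certificate in getpeercert() form.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("organizationalUnitName", "Engineering"),),
        (("commonName", "alice"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Issuing CA"),),
    ),
}

if __name__ == "__main__":
    print(identity_from_cert(SAMPLE_CERT, r"$OU$\$CN$", "$O$"))
```

Because a common name is only unique per issuing CA, rules that rely on the user name should also check the realm when more than one certificate authority is trusted.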
Check extended key usage — When selected, the usage information belonging to the key for the<br />
certificate must contain Client Certificate as an entry<br />
Accept expired certificates for ... — Number of days during which a certificate is still accepted after<br />
it has expired<br />
Block certificates with unknown revocation status — When selected, certificates are not<br />
accepted on the appliance if their revocation status is not known<br />
Certificate Authorities — List of certificate authorities (CAs) that can issue a certificate used for<br />
authentication in SSL-secured communication<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 5-8 Certificate Authorities list<br />
Element | Description<br />
Certificate authority | Name of a certificate authority<br />
Certificate revocation list URI | Location where a certificate revocation list (CRL) can be found providing information on which certificates have been revoked<br />
Trusted | Information on whether a certificate authority is trusted<br />
Comment | Plain-text comment on a certificate authority<br />
Advanced Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
Authentication Server<br />
Settings specifying the Authentication Server method to authenticate users<br />
Note: These settings are provided if you have selected the Authentication Server authentication method and<br />
configured the settings for the Authentication module accordingly. The settings name can vary.<br />
Authentication Method<br />
Settings for selecting an authentication method<br />
For more information, see User Database.<br />
Authentication Server Specific Parameters<br />
Settings for the Authentication Server method<br />
Authentication server URL — URL of the server used under this method to look up authentication<br />
information<br />
Require client ID — When selected, the authentication server requires the ID of the client that a user<br />
sent a request from<br />
Store authentication result in a cookie — When selected, the information retrieved from the<br />
authentication server is stored in a cookie<br />
If cookie authentication is implemented, the cookie is added to the next request sent by the respective<br />
user, so that this user need not authenticate again.<br />
Allow persistent cookie for the server — When selected, a cookie can be used persistently for<br />
sending multiple requests to the authentication server<br />
Cookie TTL for the authentication server in seconds — Time (in seconds) that a cookie sent with<br />
a request to the server is stored<br />
Cookie prefix — Prefix provided by the appliance for a cookie, for example, MWG_Auth<br />
Advanced Parameters<br />
The meaning and usage of these settings are the same as for the User Database settings.<br />
For more information, see User Database.<br />
Membership in a Windows domain<br />
This section provides information on the membership of an appliance in a Windows domain.<br />
To use the NTLM method for authenticating users who send requests from clients, the appliance must<br />
be a member of a Windows domain. A machine account is created for the appliance within that domain,<br />
which is used to establish a connection between the appliance and the relevant Windows domain<br />
controller (DC). The appliance can then retrieve authentication information on users and user groups<br />
from that controller.<br />
You can run up to 10 connections from the appliance to different domain controllers within a domain at<br />
the same time. When the appliance receives authentication requests, it connects to the domain<br />
controllers that are configured and active. It measures the response time of each controller and<br />
distributes requests in such a way that the fastest controller gets the highest load to handle.<br />
Join the appliance to a Windows domain<br />
When you use the NTLM authentication method, you need to join the appliance to a Windows domain to<br />
let the authentication module retrieve user information stored on the domain server. The appliance can<br />
be joined to more than one domain.<br />
To join the appliance to a Windows domain:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to join and select Windows Domain<br />
Membership. A list of domains appears on the settings pane. It is initially empty.<br />
3 Click Join to enter a domain into the list. The Join domain window opens.<br />
4 Configure a domain name, a domain controller, and other settings in the window.<br />
5 Click OK. The window closes and the new domain appears in the list. The appliance is now a member<br />
of this domain.<br />
Repeat steps 3 to 5 to add multiple domains.<br />
6 Use the other icons on the toolbar to work with the list:<br />
• Modify — Opens a window to let you modify a domain entry<br />
• Leave — Removes a domain from the list and lets the appliance leave this domain<br />
• Filter — Lets you enter a filtering term to display only domains with matching names<br />
• Refresh — Refreshes the list<br />
For more information, see Windows Domain Membership system settings and Configure the<br />
Authentication module.<br />
Windows Domain Membership system settings<br />
The Windows Domain Membership system settings must be configured when joining an appliance to a<br />
Windows domain or modifying its membership in a domain. They provide a list of the domains that the<br />
appliance is a member of.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Join Domain window<br />
The Join Domain window provides options for configuring the Windows domains that the appliance is a<br />
member of.<br />
The following table describes the window.<br />
Table 5-9 Join Domain window<br />
Option | Definition<br />
Windows domain name | Name of the domain<br />
McAfee Web Gateway account name | Name of the account for an appliance<br />
Overwrite existing account | When selected, an existing account is overwritten<br />
Use NTLM version 2 | When selected, NTLM version 2 is used<br />
Timeout for requests to this NTLM domain | Time (in seconds) to elapse before processing of a request sent from the appliance to a domain controller stops if no response is received<br />
Configured domain controllers | List of domain controllers that the appliance can connect to in order to retrieve authentication information. Entries must be separated by commas.<br />
Number of active domain controllers | Maximum number of configured domain controllers that can be active at the same time. The allowed range is from 1 to 10.<br />
Administrator name | Is used with a password when the appliance is joined to the domain to create an account for it. The credentials are only used for this purpose and not stored.<br />
Password | For the above administrator<br />
List of Windows domains<br />
List of all Windows domains the appliance is a member of<br />
The list displays the settings of a domain as configured by you in the Join Domain window, except for<br />
the administrator name and password.<br />
In addition to these settings, the following is shown:<br />
Status — Status of the domain<br />
Instant messaging authentication<br />
Instant messaging service (IM service) users can be authenticated on the appliance according to the<br />
rules of an appropriate rule set. This section describes the rules in a rule set for instant messaging<br />
authentication and the settings for the modules that are called by these rules.<br />
When the appliance is configured to run as a proxy under an instant messaging protocol, it can also<br />
authenticate users who send chat messages and files from clients that are connected to the appliance.<br />
A rule set with rules for authenticating users of an instant messaging service must be implemented to<br />
control the authentication. You can import the IM Authentication rule set from the rule set library or<br />
configure a rule set of your own.<br />
You can also configure the settings the Authentication module runs with when used by the rules for<br />
instant messaging authentication, as well as the settings of the File System Logging module when it<br />
handles logging activities according to the rules for instant messaging authentication.<br />
For more information, see Import a rule set and IM Authentication.<br />
IM Authentication<br />
This section describes the IM Authentication library rule set. The rules in this rule set control the<br />
authentication of users of an instant messaging service sending chat messages and files from clients<br />
that are connected to the appliance.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — IM Authentication<br />
Criteria — Always<br />
Cycles — Requests (and IM), responses, embedded objects<br />
The following rule sets are nested in this rule set:<br />
• IM Authentication Server<br />
• IM Proxy<br />
IM Authentication Server<br />
This nested rule set handles authentication for instant messaging users under the User Database<br />
method.<br />
Nested library rule set — IM Authentication Server<br />
Criteria — Authentication.IsServerRequest equals true<br />
Cycle — Requests (and IM), responses, embedded objects<br />
The rule set criteria specify that the rule set applies when authentication has been requested for a<br />
user of an instant messaging service.<br />
The rule set contains the following rules:<br />
Authenticate clients against user database<br />
Authentication.Authenticate equals false –><br />
Authenticate<br />
The rule uses the Authentication.Authenticate property to check whether a user who sends a chat<br />
message or file under an instant messaging protocol is authenticated. The settings that follow the<br />
property in the rule criteria specify the User Database method for this authentication.<br />
If a user is not authenticated under this method, processing stops and a message is displayed<br />
asking the user to authenticate. Processing continues when the next user request is received.<br />
The action settings specify that the IM Authentication template is used for displaying the<br />
authentication message to the user.<br />
Show Authenticated page<br />
Always –> Redirect —<br />
Set User-Defined.logEntry =<br />
“[”<br />
+ DateTime.ToISOString<br />
+ “]””<br />
+ URL.GetParameter (“prot”)<br />
+ ““auth””<br />
+ Authentication.Username<br />
+ ““ ””<br />
+ URL.GetParameter (“scrn”)<br />
+ “““<br />
FileSystemLogging.WriteLogEntry (User-Defined.logEntry)<br />
The rule redirects a request sent from a client by an instant messaging user to an authentication<br />
server and displays a message to inform the user about the redirect.<br />
The action settings specify that the Show IM Authenticated template is used for the message.<br />
The rule also uses an event to set values for a log entry on the authentication request. It uses a<br />
second event to write this entry into a log file. A parameter of this event specifies the log entry.<br />
The settings of the event specify the log file and the way it is maintained.<br />
IM Proxy<br />
This nested rule set handles authentication of instant messaging users under the Authentication Server<br />
method.<br />
Nested library rule set — IM Proxy<br />
Criteria — Connection.Protocol.IsIM equals true AND<br />
IM.MessageCanSendBack is true<br />
Cycle — Requests (and IM), responses, embedded objects<br />
The rule set criteria specify that the rule set applies when a user sends a chat message or a file on a<br />
connection under an instant messaging protocol and a message can already be sent back from the<br />
appliance to the user.<br />
The rule set contains the following rule:<br />
Redirect not authenticated users to the authentication server<br />
Authentication.Authenticate equals false –> Authenticate<br />
The rule uses the Authentication.Authenticate property to check whether a user who sends a chat<br />
message or file under an instant messaging protocol is authenticated. The settings that follow the<br />
property in the rule criteria specify the Authentication Server method for this authentication.<br />
If a user is not authenticated under this method, processing stops and a message is displayed,<br />
asking the user to authenticate. Processing continues when the next user request is received.<br />
The action settings specify that the IM Authentication template is used for displaying the<br />
authentication message to the user.<br />
Modules for authenticating users of an instant messaging service<br />
Two modules are called by the rules for authenticating users of an instant messaging service, the<br />
Authentication module and the File System Logging module. This section tells you how to configure the<br />
settings for these modules.<br />
Configure the authentication and logging modules<br />
Authentication for users of an instant messaging service and logging authentication activities involves<br />
the Authentication and the File System Logging modules.<br />
To configure settings for these modules:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the rule set that contains rules for authenticating users of an instant<br />
messaging service, for example, the IM Authentication rule set.<br />
3 Select the nested rule set with the rules containing the settings you want to configure.<br />
For example, select the nested IM Authentication Server rule set, which contains the rule<br />
Authenticate clients against the user database, and in the rule criteria, select the User<br />
Database at IM Authentication Server settings.<br />
The Edit Settings window opens.<br />
4 Configure these settings as needed. Then click OK to close the window.<br />
5 Click Save Changes.<br />
For information on these settings, see Settings for the authentication and logging modules.<br />
For more information on the configuration procedure, see Configure the Authentication module and<br />
Implement an authentication method.<br />
Settings for the authentication and logging modules<br />
This section deals with the settings for the Authentication and File System Logging modules that are<br />
related to authentication of instant messaging users.<br />
These settings are implemented when you import the IM Authentication rule set from the rule set<br />
library.<br />
Authentication Server IM<br />
Settings for the Authentication module specifying the Authentication Server method to authenticate<br />
users of an instant messaging service<br />
Meaning and usage of these settings are the same as for the settings specifying the Authentication<br />
Server method to authenticate users under the HTTP and HTTPS protocol.<br />
For information on these settings, see Advanced Parameters.<br />
User Database at IM Authentication Server<br />
Settings for the Authentication module specifying the User Database method to authenticate users of<br />
an instant messaging service<br />
Meaning and usage of these settings are the same as for the settings specifying the User Database<br />
method to authenticate users under the HTTP or HTTPS protocol.<br />
For information on these settings, see User Database.<br />
IM Logging<br />
Settings for the File System Logging module specifying the log file for logging activities related to<br />
instant messaging authentication and the way this log file is maintained<br />
Meaning and usage of these settings are the same as for other settings of the File System Logging<br />
Module.<br />
The settings include the default log file name. For the log file that entries on instant messaging<br />
authentication are written into, this name is im.log.<br />
For more information, see File System Logging Settings.<br />
Cookie authentication<br />
Users can be authenticated by cookies once they have successfully authenticated on the appliance. This<br />
section tells you how to configure cookie authentication. It describes a rule set and the settings of the<br />
module for this authentication.<br />
The rules in a rule set for cookie authentication specify that a cookie is stored for a successfully<br />
authenticated user and what is done when this user sends another request. Typically, the user<br />
then does not need to authenticate again.<br />
Note: The size of a cookie grows with the user information it contains. This can cause a problem for the<br />
browser you use to log on to the appliance.<br />
The Mozilla Firefox browser version 3.5 or higher does not support cookies bigger than 32 KB. So cookie<br />
authentication might not work for a user who is a member of many user groups.<br />
A cookie authentication rule set is not implemented after the initial setup of the appliance, but you can<br />
import one from the rule set library or create a rule set of your own.<br />
Like other authentication activities, cookie authentication is handled by the Authentication module.<br />
When the rule set for cookie authentication is imported from the library, settings for this module are<br />
also implemented.<br />
Cookie Authentication (rule set)<br />
This section describes the Cookie Authentication library rule set. The rules in this rule set control the<br />
use of cookies for authenticating users who have already been authenticated successfully.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Cookie Authentication<br />
Criteria — Always<br />
Cycle — Requests (and IM)<br />
The following rule sets are nested in this rule set:<br />
• Cookie Authentication at HTTP(S) proxy<br />
• Set Cookie for Authenticated Clients<br />
• Authenticate Clients With Authentication Server<br />
• Cookie Authentication at Authentication Server<br />
• Authentication Server Request<br />
Cookie Authentication at HTTP(S) Proxy<br />
This nested rule set handles cookie authentication for users when the Authentication Server method is<br />
not applied.<br />
Nested library rule set — Cookie Authentication at HTTP(S) Proxy<br />
Criteria — Authentication.IsServerRequest equals false AND<br />
(Connection.Protocol equals “HTTP” or Connection.Protocol equals “HTTPS”) AND<br />
Command.Name does not equal “CONNECT” AND Command.Name does not equal “CERTVERIFY”<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when a user sends a request under the HTTP or<br />
HTTPS protocol and the request is not one for opening a connection or verifying a certificate, as can be<br />
sent in SSL-secured communication, while the Authentication Server method is not required for<br />
authenticating the user.<br />
The following rule sets are nested in this rule set:<br />
• Set Cookie Authentication for Authenticated Clients<br />
• Authenticate Clients with Authentication Server<br />
Set Cookie for Authenticated Clients<br />
This nested rule set handles the setting of cookies for users once they have been successfully<br />
authenticated.<br />
Nested library rule set — Set Cookie for Authenticated Clients<br />
Criteria — Authentication.IsLandingOnServerLanding equals true<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when a user who sent a request from a client has<br />
been successfully authenticated.<br />
The rule set contains the following rule:<br />
Set cookie and redirect client to the requested URL<br />
Always –> Redirect<br />
The rule sets a cookie for a user who has been successfully authenticated and redirects the request<br />
the user sent from a client to the appropriate web server.<br />
The action settings specify a redirect message that is sent to the user.<br />
Processing continues with the next rule set.<br />
Authenticate Clients With Authentication Server<br />
This nested rule set asks users to authenticate if no valid cookie could be found for them and directs<br />
them to the authentication server.<br />
Nested library rule set — Authenticate Clients With Authentication Server<br />
Criteria — Always<br />
Cycle — Requests (and IM)<br />
The rule set contains the following rule:<br />
Redirect clients that do not have a valid cookie to the authentication server<br />
Authentication.Authenticate equals false –><br />
Authenticate<br />
The rule uses the Authentication.Authenticate property to check whether a cookie has been set for<br />
a user on the client that a request was sent from. If no cookie can be found, a message is<br />
displayed, asking the user to authenticate.<br />
The settings for the module that checks whether the user is authenticated are specified with the<br />
property.<br />
The action settings specify an authentication message that is sent to the user.<br />
Processing continues with the next rule set.<br />
Cookie Authentication at Authentication Server<br />
This nested rule set handles cookie authentication for users when the Authentication Server method is<br />
required.<br />
Nested library rule set — Cookie Authentication at Authentication Server<br />
Criteria — Always<br />
Cycle — Requests (and IM)<br />
The following rule set is nested in this rule set:<br />
• Authentication Server Request<br />
Authentication Server Request<br />
This nested rule set handles cookie authentication for users when the Authentication Server method is<br />
applied.<br />
Nested library rule set — Authentication Server Request<br />
Criteria — Authentication.IsServerRequest equals true<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when authentication of a user who sent a request<br />
requires the Authentication Server method.<br />
The rule set contains the following rules:<br />
Do not authenticate clients that have valid cookies<br />
Authentication.Authenticate equals true –> Redirect<br />
The rule uses the Authentication.Authenticate property to check whether a cookie has been set for<br />
a user on the client that a request was sent from. If a cookie could be found, the request is<br />
redirected to the appropriate web server and no more authentication is required for the user.<br />
The settings for the module that checks whether the user is authenticated are specified with the<br />
property.<br />
The action settings specify a redirect message that is sent to the user.<br />
Authenticate user against user database<br />
Authentication.Authenticate equals false –> Authenticate<br />
The rule uses the Authentication.Authenticate property to check whether a user has been<br />
successfully authenticated. If not, a message is displayed, asking the user to authenticate.<br />
The settings for the module that checks whether the user is authenticated are specified with the<br />
property.<br />
The action settings specify an authentication message that is sent to the user.<br />
Redirect authenticated client back to the proxy<br />
Always –> Redirect<br />
The rule redirects the request a user sent from a client.<br />
The action settings specify a redirect message that is sent to the user.<br />
Module for cookie authentication<br />
The rules for cookie authentication call the Authentication module to retrieve user information. This<br />
section tells you how to configure settings for this module.<br />
Configure the module for cookie authentication<br />
To configure settings for the module that handles cookie authentication:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the rule set that contains rules for cookie authentication, for example, the<br />
Cookie Authentication rule set.<br />
3 Select the nested rule set with the rules containing the settings you want to configure.<br />
For example, select the nested Authenticate Clients with Authentication Server rule set,<br />
which contains the rule Redirect clients that have no valid cookie to the authentication<br />
server, and in the rule criteria, select the Local Cookie Authentication Server settings.<br />
The Edit Settings window opens.<br />
4 Configure these settings as needed. Then click OK to close the window.<br />
5 Click Save Changes.<br />
For information on these settings, see Settings for the cookie authentication module.<br />
For more information on the configuration procedure, see Configure the Authentication module and<br />
Implement an authentication method.<br />
Settings for the cookie authentication module<br />
This section deals with settings for the Authentication module that are related to cookie authentication.<br />
These settings are implemented when you import the Cookie Authentication rule set from the rule set<br />
library.<br />
Authentication Server - Cookie Check<br />
Settings for the Authentication module when it looks for cookies under the Authentication Server<br />
method<br />
Meaning and usage of these settings are the same as for the settings of the module when it uses the<br />
Authentication Server method for standard authentication.<br />
For information on these settings, see Advanced Parameters.<br />
Local Cookie Authentication Server<br />
Settings for the Authentication module when it looks for cookies<br />
Meaning and usage of these settings are the same as for the settings of the module when it uses the<br />
Authentication Server method for standard authentication.<br />
For information on these settings, see Advanced Parameters.<br />
User Database at Authentication Server<br />
Settings for the Authentication module specifying the User Database method for cookie authentication.<br />
Meaning and usage of these settings are the same as for the settings of the module when it uses the<br />
Authentication Server method for standard authentication.<br />
For more information, see User Database.<br />
Quota management<br />
You can guide the users of your network by imposing time and volume quotas and other restrictions on<br />
their web usage. This section explains these restrictions and tells you how to configure them.<br />
Restricting web usage through quota management<br />
Quotas for restricting the web usage of users can be imposed in several ways. Like other functions on<br />
the appliance, quotas are implemented by rules that use lists and call modules to retrieve relevant<br />
information. This section provides an overview of quota restrictions and the appliance functions that are<br />
related to them.<br />
Time quota<br />
By configuring time quotas, you can limit the time that users of your network are allowed to spend on<br />
web usage. Time quotas can be related to several parameters:<br />
• URL categories — When time quotas are related to URL categories, users are allowed only a limited<br />
time for accessing URLs that fall into particular categories, for example, Online Shopping.<br />
• IP addresses — When time quotas are related to IP addresses, users who send requests from<br />
particular IP addresses are allowed only a limited time for web usage.<br />
• User names — When time quotas are related to user names, users are allowed only a limited time<br />
for web usage. Users are identified by the user names they submitted for authentication on the<br />
appliance.<br />
Note: These parameters are used by the rules in the library rule set for time quotas. You can create rules of<br />
your own that use other parameters in relation to time quotas.<br />
The time that users spend on web usage is stored on the appliance. When the configured time quota<br />
has been exceeded for a user, a request that this user sends is blocked. A message is displayed to the<br />
user stating why the request was blocked.<br />
Users are identified by the user names they submitted for authentication. If no user name is sent with<br />
a request, web usage is recorded and blocked or allowed for the IP address of the client system that the<br />
request was sent from.<br />
Web usage can be limited to time spent per day, per week, or per month.<br />
Volume quota<br />
By configuring volume quotas, you can limit the volume of web objects, measured in GB and MB, that<br />
the users of your network are allowed to download from the web. Volume quotas can be related to<br />
several parameters:<br />
• URL categories — Users are allowed to download only a limited volume of web objects through URLs<br />
that fall into particular categories, for example, Streaming Media.<br />
• IP addresses — Users who send download requests from particular IP addresses are allowed only a<br />
limited volume.<br />
• User names — Users are allowed to download web objects only up to a limited volume. Users are<br />
identified by the user names they submitted for authentication on the appliance.<br />
• Media types — Users are allowed to download web objects belonging to particular media types only<br />
up to a limited volume.<br />
Note: These parameters are used by the rules in the library rule set for volume quotas. You can create rules<br />
of your own that use other parameters in relation to volume quotas.<br />
Information on the volume that users download from the web is stored on the appliance. When the<br />
configured volume quota has been exceeded for a user, a request that this user sends is blocked. A<br />
message is displayed to the user stating why the request was blocked.<br />
Users are identified by the user names they submitted for authentication. If no user name is sent with<br />
a request, web usage is recorded and blocked or allowed for the IP address of the client system that the<br />
request was sent from.<br />
Web downloads can be limited to volume downloaded per day, per week, or per month.<br />
Session time<br />
You can configure session time for users. This is the time allowed for a single session that a user spends<br />
on web usage.<br />
Session time is configured separately and handled differently for time quotas, volume quotas, and other<br />
quota management functions.<br />
• Session time for time quotas — When configuring time quotas, you also need to configure a<br />
session time. Whenever session time has elapsed for a user, the amount of time that is configured as<br />
session time is deducted from the user’s time quota.<br />
As long as the time quota has not been used up, the user can start a new session. When the time<br />
quota has elapsed, a request that the user sends is blocked and a block message is displayed.<br />
• Session time for volume quotas — When configuring volume quotas, the session time has no<br />
impact on the volume quota for a user.<br />
You can still configure a session time to inform the user about the amount of time that has been<br />
used up for web access. When time has elapsed for a session, the user can start a new session, as<br />
long as the configured volume has not been consumed. If you set the session time to zero, no<br />
session time is configured and communicated to the user.<br />
• Session time for other quota management functions — Session time can be configured for<br />
other quota management functions, which include Coaching, Authorized Override, and Blocking<br />
Sessions. Accordingly, there can be a coaching, an authorized override, or a blocking session.<br />
When session time has elapsed for coaching and authorized overriding, a request that a user sends<br />
is blocked. A message is displayed to the user stating why the request was blocked. The user can<br />
start a new session unless time quota has also been configured and is used up.<br />
The session time that is configured for the blocking session function is the time during which<br />
requests sent by a particular user are blocked. When this time has elapsed, requests from the user<br />
are again accepted unless time quota has also been configured and is used up.<br />
Coaching<br />
For coaching the web usage of your users, you configure a coaching session with a particular length of<br />
time. When this session time has elapsed for a user, a block message is displayed. The user can then<br />
start a new session.<br />
You can configure coaching in relation to the parameters used in the Coaching library rule set, such as<br />
URL categories, IP addresses, and user names. You can also create rules of your own using other<br />
parameters.<br />
Authorized Override<br />
You can configure session time for a session that allows authorized overriding. When this session time<br />
has elapsed, a user request is blocked and a block message is displayed. The message also asks for<br />
submission of a user name and password to start a new session.<br />
These credentials must be those of an authorized user. For example, in a classroom situation, a user<br />
who gets blocked after termination of an authorized override session could be a student, while the<br />
teacher is the authorized user.<br />
The block message also provides an option to specify the time length of the authorized override session<br />
for the user who was blocked.<br />
Note: The time length that is configured for this user should not exceed the time length configured for all<br />
other users as part of the module settings for authorized overriding.<br />
You can configure authorized overriding in relation to the parameters used in the Authorized Override<br />
library rule set, such as URL categories, IP addresses, and user names. You can also create rules of<br />
your own using other parameters.<br />
Blocking Sessions<br />
By configuring blocking sessions you can block requests sent by a user for a configured period of time<br />
after the user has sent a request that is blocked according to a configured rule, for example, a request<br />
for a URL that falls into a category on a list used by a blocking rule.<br />
This is a means of enforcing a web security policy that handles unwanted access to web objects with<br />
more strictness.<br />
You can configure blocking sessions in relation to the parameters that are used in the Blocking Sessions<br />
library rule set. You can also create rules of your own using other parameters.<br />
Combining quota management functions<br />
Using a particular quota management function to restrict web usage has no impact on the use of other<br />
quota management functions. For example, time quotas and volume quotas are configured and<br />
implemented separately on the appliance.<br />
You can, however, combine these functions in meaningful ways. For example, you can impose coaching<br />
on users’ access to some URL categories, while requesting authorized override credentials for other<br />
categories. For still another group of categories you could block users who attempt to access them over<br />
a configured period of time.<br />
Rules for quota management<br />
Rules for quota management are contained in several rule sets. Each rule set deals with a particular<br />
quota management function, such as time quota, volume quota, coaching, and others. This section<br />
describes the rules in these rule sets and explains how to configure them to implement quota<br />
management.<br />
Time Quota (rule set)<br />
This section describes the rules in a library rule set for implementing time quotas.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Time Quota<br />
Criteria — SSL.Client.Context.IsApplied equals true OR<br />
Command.Name does not equal “CONNECT”<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies to SSL-secured communication, as well as to other<br />
communication, where the CONNECT command is not used at the beginning.<br />
The following rule sets are nested in this rule set:<br />
• Time Quota With URL Configuration<br />
• Time Quota With IP Configuration<br />
Note: This nested rule set is not enabled by default.<br />
• Time Quota With Authenticated User Configuration<br />
Note: This nested rule set is not enabled by default.<br />
Time Quota With URL Configuration<br />
This nested rule set handles time quota management related to URL categories.<br />
Nested library rule set — Time Quota With URL Configuration<br />
Criteria — URL.Categories at least one in list URL<br />
Categories Blocklist for Time Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when a user sends a request for a URL that falls<br />
into a category on the blocking list maintained especially for time quota management.<br />
The rule set contains the following rules:<br />
Redirecting after starting new time session<br />
Quota.Time.IsActivationRequest equals true –> Redirect<br />
The rule redirects a request to let a user again access a web object after session time has been<br />
exceeded and the user has chosen to continue with a new session.<br />
The action settings specify a message to the requesting user.<br />
Check if time session has been exceeded<br />
Quota.Time.SessionExceeded equals true –><br />
Block<br />
The rule uses the Quota.Time.SessionExceeded property to check whether the configured session<br />
time has been exceeded for a user. If it has, the user’s request for web access is blocked.<br />
The URL Category Configuration settings, which are specified with the property, are the settings of<br />
the module for handling time quotas.<br />
The action settings specify a message to the requesting user.<br />
Check if time quota has been exceeded<br />
Quota.Time.Exceeded equals true –><br />
Block <br />
The rule uses the Quota.Time.Exceeded property to check whether the configured time quota has<br />
been exceeded for a user. If it has, the user’s request for web access is blocked.<br />
The settings of the module that handles time quotas are specified with the property.<br />
The action settings specify a message to the requesting user.<br />
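The rule order above, combined with the session-time accounting described under Session time, can be traced with a small model. This is an added example, not McAfee code: the class, method and result names are assumptions, time is counted in whole minutes, the per-day, per-week or per-month reset is left out, and a request with no open session is treated as having an exceeded session.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Settings:
    quota_minutes: int    # time quota for the current period
    session_minutes: int  # session time, deducted from the quota per elapsed session


@dataclass
class Usage:
    used_minutes: int = 0               # session time already deducted from the quota
    session_ends: Optional[int] = None  # minute at which the open session elapses


class TimeQuotaModel:
    """Hypothetical model of the three Time Quota rules; not product code."""

    def __init__(self, settings: Settings) -> None:
        self.settings = settings
        self.usage: Dict[Tuple[str, str], Usage] = {}

    @staticmethod
    def key(username: Optional[str], client_ip: str) -> Tuple[str, str]:
        # Usage is stored per user name; a request without one is accounted
        # to the client IP, so every user behind that address shares it.
        return ("user", username) if username else ("ip", client_ip)

    def _settle(self, usage: Usage, now: int) -> None:
        # An elapsed session costs one full session time, charged exactly once.
        if usage.session_ends is not None and now >= usage.session_ends:
            usage.used_minutes += self.settings.session_minutes
            usage.session_ends = None

    def handle(self, now: int, client_ip: str, username: Optional[str] = None,
               activation: bool = False) -> str:
        usage = self.usage.setdefault(self.key(username, client_ip), Usage())
        self._settle(usage, now)
        # Rule 1: Quota.Time.IsActivationRequest equals true -> Redirect
        if activation:
            # Re-activating during an open session must not extend it for free.
            if usage.session_ends is None:
                usage.session_ends = now + self.settings.session_minutes
            return "redirect"
        # Rule 2: Quota.Time.SessionExceeded equals true -> Block
        if usage.session_ends is None:
            return "block:session"
        # Rule 3: Quota.Time.Exceeded equals true -> Block
        if usage.used_minutes >= self.settings.quota_minutes:
            return "block:quota"
        return "continue"  # processing continues with the next rule set


def replay_constructed_requests() -> List[str]:
    """Replay a constructed request sequence for one authenticated user."""
    model = TimeQuotaModel(Settings(quota_minutes=60, session_minutes=20))
    # (minute, is_activation_request) pairs, constructed for this example.
    events = [(0, False), (0, True), (5, False), (20, False), (21, True),
              (41, False), (41, True), (50, False), (61, False), (62, True),
              (63, False)]
    return [model.handle(t, "192.0.2.10", "alice", activation=a) for t, a in events]


if __name__ == "__main__":
    for result in replay_constructed_requests():
        print(result)
```

In the replay, a 60-minute quota with 20-minute sessions yields three sessions; the fourth activation is still redirected by the first rule, and the request that follows it is blocked by the third.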
Time Quota With IP Configuration<br />
This nested rule set handles time quota management related to IP addresses.<br />
Nested library rule set — Time Quota With IP Configuration<br />
Criteria — Client.IP is in list IP Blocklist for Time Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when a user sends a request from a client with an<br />
IP address that is on the blocking list maintained especially for time quota management.<br />
The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for<br />
the module settings, which are IP Configuration.<br />
Time Quota With Authenticated User Configuration<br />
This nested rule set handles time quota management related to user names.<br />
Nested library rule set — Time Quota With Authenticated<br />
User Configuration<br />
Criteria — Authentication.RawUserName is in list User Blocklist for<br />
Time Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when a request is sent by a user whose user<br />
name is on the blocking list maintained especially for time quota management.<br />
The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for<br />
the module settings, which are Authenticated User Configuration.<br />
Volume Quota (rule set)<br />
This section describes the rules in a library rule set for implementing volume quotas.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Volume Quota<br />
Criteria — SSL.Client.Context.IsApplied equals true OR<br />
Command.Name does not equal “CONNECT”<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies to SSL-secured communication, as well as to other<br />
communication, where the CONNECT command is not used at the beginning.<br />
The following rule sets are nested in this rule set:<br />
• Volume Quota With URL Configuration<br />
• Volume Quota With IP Configuration<br />
Note: This nested rule set is not enabled by default.<br />
• Volume Quota With Authenticated User Configuration<br />
Note: This nested rule set is not enabled by default.<br />
• Volume Quota With Media Type Configuration<br />
Note: This nested rule set is not enabled by default.<br />
Volume Quota With URL Configuration<br />
This nested rule set handles volume quota management related to URL categories.<br />
Nested library rule set — Volume Quota With URL<br />
Configuration<br />
Criteria — URL.Categories at least one in list URL<br />
Categories Blocklist for Volume Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specify that the rule set applies when a user sends a request for a URL that falls<br />
into a category on the blocking list maintained especially for volume quota management.<br />
The rule set contains the following rules:<br />
Redirecting after starting new volume session<br />
Quota.Volume.IsActivationRequest equals true –><br />
Redirect<br />
The rule redirects a request to let a user again access a web object after session time has been<br />
exceeded and the user has chosen to continue with a new session.<br />
The action settings specify a message to the requesting user.<br />
Check if volume session has been exceeded<br />
Quota.Volume.SessionExceeded equals true –><br />
Block<br />
The rule uses the Quota.Volume.SessionExceeded property to check whether the configured<br />
session time has been exceeded for a user. If it has, the user’s request for web access is blocked.<br />
The URL Category Configuration settings, which are specified with the property, are the settings of<br />
the module for handling volume quotas.<br />
The action settings specify a message to the requesting user.<br />
Check if volume quota has been exceeded<br />
Quota.Volume.Exceeded equals true –><br />
Block <br />
The rule uses the Quota.Volume.Exceeded property to check whether the configured volume quota<br />
has been exceeded. If it has, a user’s request for web access is blocked.<br />
The settings of the module that handles volume quotas are specified with the property.<br />
The action settings specify a message to the requesting user.<br />
Volume Quota With IP Configuration<br />
This nested rule set handles volume quota management related to IP addresses.<br />
Nested library rule set — Volume Quota With IP<br />
Configuration<br />
Criteria — Client.IP is in list IP Blocklist for Volume Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request from a client with an<br />
IP address that is on the blocking list maintained especially for volume quota management.<br />
The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except<br />
for the module settings, which are IP Configuration.<br />
Volume Quota With Authenticated User Configuration<br />
This nested rule set handles volume quota management related to user names.<br />
Nested library rule set — Volume Quota with Authenticated<br />
User Configuration<br />
Criteria — Authenticated.RawUserName is in list User Blocklist for<br />
Volume Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user<br />
name is on the blocking list maintained especially for volume quota management.<br />
The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except<br />
for the module settings, which are Authenticated User Configuration.<br />
Volume Quota With Media Type Configuration<br />
This nested rule set handles volume quota management related to media types.<br />
Nested library rule set — Volume Quota with Media Type<br />
Configuration<br />
Criteria — MediaType.FromFileExtension at least one in list Media<br />
Type Blocklist for Volume Quota<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request for a web object that<br />
belongs to a media type on the blocking list maintained especially for volume quota management.<br />
The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except<br />
for the module settings, which are Media Type Configuration.<br />
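A small Python model of the Volume Quota rule set described above, added here as an example and not McAfee code. It assumes that nested rule sets and rules are evaluated top-down and that Redirect and Block end processing; the list entries and requests are constructed sample values.

```python
"""Illustrative model of the Volume Quota library rule set (not product code)."""
from dataclasses import dataclass, field


@dataclass
class QuotaState:
    """What the volume quota module reports for one settings object."""
    is_activation_request: bool = False  # Quota.Volume.IsActivationRequest
    session_exceeded: bool = False       # Quota.Volume.SessionExceeded
    exceeded: bool = False               # Quota.Volume.Exceeded


@dataclass
class Request:
    command: str                             # Command.Name
    ssl_context_applied: bool = False        # SSL.Client.Context.IsApplied
    url_categories: frozenset = frozenset()  # URL.Categories
    client_ip: str = ""                      # Client.IP
    user: str = ""                           # Authenticated.RawUserName
    media_types: frozenset = frozenset()     # MediaType.FromFileExtension
    quota: dict = field(default_factory=dict)  # settings name -> QuotaState


# Constructed list contents; the list names are the ones used in the criteria.
LISTS = {
    "URL Categories Blocklist for Volume Quota": {"Streaming Media"},
    "IP Blocklist for Volume Quota": {"192.0.2.10"},
    "User Blocklist for Volume Quota": {"jdoe"},
    "Media Type Blocklist for Volume Quota": {"video/mp4"},
}

# (nested rule set, module settings it uses, criteria)
NESTED = [
    ("Volume Quota With URL Configuration", "URL Category Configuration",
     lambda r: bool(r.url_categories & LISTS["URL Categories Blocklist for Volume Quota"])),
    ("Volume Quota With IP Configuration", "IP Configuration",
     lambda r: r.client_ip in LISTS["IP Blocklist for Volume Quota"]),
    ("Volume Quota With Authenticated User Configuration", "Authenticated User Configuration",
     lambda r: r.user in LISTS["User Blocklist for Volume Quota"]),
    ("Volume Quota With Media Type Configuration", "Media Type Configuration",
     lambda r: bool(r.media_types & LISTS["Media Type Blocklist for Volume Quota"])),
]

# Only the URL nested rule set is enabled by default.
DEFAULT_ENABLED = frozenset({"Volume Quota With URL Configuration"})

# The three rules, in the order the rule set lists them.
RULES = [
    ("Redirecting after starting new volume session",
     lambda q: q.is_activation_request, "Redirect"),
    ("Check if volume session has been exceeded",
     lambda q: q.session_exceeded, "Block"),
    ("Check if volume quota has been exceeded",
     lambda q: q.exceeded, "Block"),
]


def evaluate(req, enabled=DEFAULT_ENABLED):
    """Return (action, reason) for one request in the request cycle."""
    # Rule set criteria: SSL context applied OR command is not CONNECT.
    if not (req.ssl_context_applied or req.command != "CONNECT"):
        return ("Continue", "rule set criteria not met")
    for name, settings, criteria in NESTED:
        if name not in enabled or not criteria(req):
            continue
        state = req.quota.get(settings, QuotaState())
        for rule, condition, action in RULES:
            if condition(state):  # assumption: first match ends processing
                return (action, f"{name} / {rule}")
    return ("Continue", "no rule matched")


# Constructed requests.
URL_OVER = {"URL Category Configuration": QuotaState(exceeded=True)}
TUNNEL = Request("CONNECT", url_categories=frozenset({"Streaming Media"}),
                 quota=URL_OVER)
VIDEO = Request("GET", url_categories=frozenset({"Streaming Media"}),
                quota=URL_OVER)
BY_IP = Request("GET", client_ip="192.0.2.10",
                quota={"IP Configuration": QuotaState(session_exceeded=True)})
RESTART = Request("GET", ssl_context_applied=True,
                  url_categories=frozenset({"Streaming Media"}),
                  quota={"URL Category Configuration": QuotaState(
                      is_activation_request=True, session_exceeded=True)})

if __name__ == "__main__":
    for label, req in [("tunnel", TUNNEL), ("video", VIDEO),
                       ("by_ip", BY_IP), ("restart", RESTART)]:
        print(label, evaluate(req))
    with_ip = DEFAULT_ENABLED | {"Volume Quota With IP Configuration"}
    print("by_ip, IP rule set enabled", evaluate(BY_IP, with_ip))
```

In this model the CONNECT request without an applied SSL client context and the client on the IP blocklist both pass unmetered under the defaults, which is worth checking against the intended policy when importing the rule set.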
Coaching (rule set)<br />
This section describes the rules in a library rule set for coaching users in their web usage.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Coaching<br />
Criteria — SSL.Client.Context.IsApplied equals true OR<br />
Command.Name does not equal “CONNECT”<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies to SSL-secured communication, as well as to<br />
other communication, where the CONNECT command is not used at the beginning.<br />
The following rule sets are nested in this rule set:<br />
• Coaching With URL Configuration<br />
• Coaching With IP Configuration<br />
Note: This nested rule set is not enabled by default.<br />
• Coaching With Authenticated User Configuration<br />
Note: This nested rule set is not enabled by default.<br />
Coaching With URL Configuration<br />
This nested rule set handles coaching related to URL categories.<br />
Nested library rule set — Coaching With URL Configuration<br />
Criteria — URL.Categories at least one in list URL<br />
Categories Blocklist for Coaching<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls<br />
into a category on the blocking list maintained especially for coaching.<br />
The rule set contains the following rules:<br />
Redirecting after starting new coaching session<br />
Quota.Coaching.IsActivationRequest equals true –><br />
Redirect<br />
The rule redirects a request to let a user again access a web object after the coaching session time<br />
has been exceeded and the user has chosen to continue with a new coaching session.<br />
The action settings specify a message to the requesting user.<br />
Check if coaching session has been exceeded<br />
Quota.Coaching.SessionExceeded equals true –><br />
Block<br />
The rule uses the Quota.Coaching.SessionExceeded property to check whether the coaching<br />
session time has been exceeded for a user. If it has, the user’s request for web access is blocked.<br />
The URL Category Configuration settings, which are specified with the property, are the settings of<br />
the module that handles coaching.<br />
The action settings specify a message to the requesting user.<br />
Coaching with IP Configuration<br />
This nested rule set handles coaching related to IP addresses.<br />
Nested library rule set — Coaching with IP Configuration<br />
Criteria — Client.IP is in list IP Blocklist for Coaching<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request from a client with an<br />
IP address that is on the blocking list maintained especially for coaching.<br />
The rules in this rule set are the same as in the Coaching with URL Configuration rule set, except for the<br />
module settings, which are IP Configuration.<br />
Coaching with Authenticated User Configuration<br />
This nested rule set handles coaching related to user names.<br />
Nested library rule set — Coaching with Authenticated User<br />
Configuration<br />
Criteria — Authenticated.RawUserName is in list User Blocklist for<br />
Coaching<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user<br />
name is on the blocking list maintained especially for coaching.<br />
The rules in this rule set are the same as in the Coaching with URL Configuration rule set, except for the<br />
module settings, which are Authenticated User Configuration.<br />
Authorized Override (rule set)<br />
This section describes the rules in a library rule set for allowing an authorized override to users when<br />
session time has been exceeded.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Authorized Override<br />
Criteria — SSL.Client.Context.IsApplied equals true OR<br />
Command.Name does not equal “CONNECT”<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies to SSL-secured communication, as well as to<br />
other communication, where the CONNECT command is not used at the beginning.<br />
Three rule sets are nested in this rule set:<br />
• Authorized Override With URL Configuration<br />
• Authorized Override With IP Configuration<br />
Note: This nested rule set is not enabled by default.<br />
• Authorized Override With Authenticated User Configuration<br />
Note: This nested rule set is not enabled by default.<br />
Authorized Override With URL Configuration<br />
This nested rule set handles authorized overriding related to URL categories.<br />
Nested library rule set — Authorized Override With URL<br />
Configuration<br />
Criteria — URL.Categories at least one in list URL<br />
Categories Blocklist for Authorized Override<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls<br />
into a category on the blocking list maintained especially for authorized overriding.<br />
The rule set contains the following rules:<br />
Redirect after authenticating for authorized override<br />
Quota.AuthorizedOverride.IsActivationRequest equals true –><br />
Redirect<br />
The rule redirects a request to let a user again access a web object after session time has been<br />
exceeded and the credentials the user submitted to continue with a new session have been<br />
validated.<br />
The action settings specify a message to the requesting user.<br />
Check if authorized override session has been exceeded<br />
Quota.AuthorizedOverride.SessionExceeded equals true –><br />
Block<br />
The rule uses the Quota.AuthorizedOverride.SessionExceeded property to check whether the<br />
configured session time has been exceeded for a user. If it has, the user’s request for web access<br />
is blocked.<br />
The URL Category Configuration settings, which are specified with the property, are the settings of<br />
the module that handles authorized overriding.<br />
The action settings specify a message to the requesting user.<br />
Authorized Override With IP Configuration<br />
This nested rule set handles authorized overriding related to IP addresses.<br />
Nested library rule set — Authorized Override With IP<br />
Configuration<br />
Criteria — Client.IP is in list IP Blocklist for Authorized Override<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request from a client with an<br />
IP address that is on the blocking list maintained especially for authorized overriding.<br />
The rules in this rule set are the same as in the Authorized Override With URL Configuration rule set,<br />
except for the module settings, which are IP Configuration.<br />
Authorized Override With Authenticated User Configuration<br />
This nested rule set handles authorized overriding related to user names.<br />
Nested library rule set — Authorized Override With<br />
Authenticated User Configuration<br />
Criteria — Authenticated.RawUserName is in list User Blocklist for<br />
Authorized Override<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user<br />
name is on the blocking list maintained especially for authorized overriding.<br />
The rules in this rule set are the same as in the Authorized Override With URL Configuration rule set,<br />
except for the module settings, which are Authenticated User Configuration.<br />
Blocking Sessions (rule set)<br />
This section describes the rules in a library rule set for blocking sessions.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Blocking Sessions<br />
Criteria — SSL.Client.Context.IsApplied equals true OR<br />
Command.Name does not equal “CONNECT”<br />
Cycle — Requests (and IM)<br />
There is one nested rule set in this rule set:<br />
• Blocking Sessions With URL Configuration<br />
Blocking Sessions With URL Configuration<br />
This nested rule set handles blocking sessions related to URL categories.<br />
Nested library rule set — Blocking Sessions With URL<br />
Configuration<br />
Criteria — URL.Categories at least one in list URL<br />
Categories Blocklist for Blocking Session<br />
Cycle — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls<br />
into a category on the blocking list maintained especially for blocking sessions.<br />
The rule set contains the following rules:<br />
Block user if blocking session is active<br />
BlockingSession.IsBlocked equals true –> Block<br />
The rule uses the BlockingSession.IsBlocked property to check whether a blocking session has been<br />
activated for a user who sends a request. If it has, the request is blocked.<br />
The action settings specify a message to the requesting user.<br />
Activate blocking session if category is in list Category List for Blocking Session<br />
URL.Categories at least one in list Category List for Blocking Session –> Continue —<br />
BlockingSession.Activate<br />
The rule uses the URL.Categories property to check whether a URL that a user requests access to<br />
falls into a category on the blocking list maintained especially for blocking sessions. If it falls into a<br />
category on the list, a blocking session is activated for the user.<br />
The BlockingSession.Activate event is used to activate the blocking session. The event settings are<br />
specified with the event.<br />
Configuring quota management functions<br />
This section tells you how to configure quota management functions to restrict the web usage of the<br />
users in your network.<br />
The following quota management functions are available on the appliance:<br />
• Time quotas<br />
• Volume quotas<br />
• Coaching<br />
• Authorized override<br />
• Blocking sessions<br />
For general information on these functions, see Restricting web usage through quota management.<br />
For descriptions of the configuration procedures, see Configure time quotas and Configure volume<br />
quotas and other quota management functions.<br />
Configure time quotas<br />
You can configure time quotas to restrict the web usage of your users. This includes maintenance of the<br />
lists and configuration of the module settings that are specified by the time quota rules.<br />
Note: A rule set for time quotas is not implemented on the appliance after the initial setup. You can import a<br />
rule set from the rule set library or create a rule set of your own.<br />
To configure time quotas:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, expand the rule set that contains rules for time quotas, for example, the Time<br />
Quota rule set. The nested rule sets appear.<br />
3 Select the appropriate nested rule set. For example, to configure time quotas in relation to URL<br />
categories, select Time Quota With URL Configuration. The general settings and rules of the rule<br />
set appear on the settings pane.<br />
4 In the rule set criteria, click the URL Category Block List for Time Quota list name.<br />
Note: A yellow triangle by the list name indicates that this list is empty and you need to add entries.<br />
The Edit List (Category) window opens.<br />
5 Add URL categories to the blocking list. Then click OK to close the window.<br />
6 In the criteria for one of the rules, click the URL Category Configuration settings name. The Edit<br />
Settings window opens.<br />
7 Configure session time and the time quota per day, week, and month. Then click OK to close the<br />
window.<br />
8 Click Save Changes.<br />
For more information on the module settings for time quota, see Time Quota engine settings. For<br />
adding categories to a category blocking list, see Add a URL category to a blocking list.<br />
Configure volume quotas and other quota management functions<br />
You can configure volume quotas and other quota management functions to restrict the web usage of<br />
your users. This includes maintenance of the lists and configuration of the module settings that are<br />
specified by the quota rules. These activities are carried out in the same way as for time quotas.<br />
Note: Rule sets for quota management functions are not implemented on the appliance after the initial setup.<br />
You can import rule sets from the rule set library or create rule sets of your own.<br />
To configure volume quotas and other quota management functions:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, expand the rule set that contains rules for the quota management function you<br />
want to configure, for example, Volume Quota. The nested rule sets appear.<br />
3 Select the appropriate nested rule set, for example, Volume Quota With IP Configuration. The<br />
general settings and rules of the rule set appear on the settings pane.<br />
4 In the rule set criteria, click the appropriate blocking list name, for example, IP Block List for<br />
Volume Quota.<br />
Note: A yellow triangle by the list name indicates that this list is empty and you need to add entries.<br />
The Edit List (Category) window opens.<br />
5 Add the appropriate entries to the blocking list, for example, IP addresses. Then click OK to close the<br />
window.<br />
6 In the criteria for one of the rules, click the appropriate settings name, for example, IP<br />
Configuration. The Edit Settings window opens.<br />
7 Configure the appropriate parameters, for example, session time and the volume quota per day,<br />
week, and month. Then click OK to close the window.<br />
8 Click Save Changes.<br />
For information on configuring time quotas, see Configure time quotas. For individual module settings,<br />
see Module settings for quota management.<br />
Module settings for quota management<br />
Values for time and volume quotas and for session times are configured on the appliance as settings of<br />
the quota modules. The quota rules call these modules to retrieve information about these values. This<br />
section describes the settings for the various modules that are involved in quota management.<br />
Module settings apply only to the module they are configured for. However, settings names can be the<br />
same for different modules. For example, in the library rule sets for quota management, there are<br />
settings named URL Configuration for the Time Quota module, the Volume Quota module, and all other<br />
modules dealing with quota management.<br />
Time Quota engine settings<br />
You can configure the Time Quota engine settings. These are the settings of the module that handles<br />
time quotas to restrict the web usage of your users.<br />
Note: You can configure these settings on the Settings tab of the Policy top-level menu. You can also click the<br />
settings name in a quota rule on the Rule Sets tab to configure these settings.<br />
URL Category Configuration<br />
Settings for time quotas related to URL categories<br />
Time Quota per Day, Week, Month, and Session Time<br />
Settings for selecting the time unit or the session time that quotas are configured for in the next<br />
section.<br />
Note: When a time unit or the session time is selected, the heading of the next section reads accordingly.<br />
Time quota per day (week, month) — When selected, the quota that is configured in the next<br />
section applies to the selected time unit<br />
Session time — When selected, the quota that is configured in the next section applies to the session<br />
time<br />
Hours and Minutes for . . .<br />
Settings for configuring time quotas that apply to the selected time unit or the session time<br />
Note: The heading of this section varies according to what you selected in the preceding section.<br />
Hours — Allowed hours per day, week, month, or for the session time<br />
Minutes — Allowed minutes per day, week, month, or for the session time<br />
Actual Configured Time Quota<br />
Displays the configured time quotas<br />
Time quota per day (week, month) — Allowed time per day, week, or month<br />
Session time — Allowed session time<br />
IP Configuration<br />
Settings for time quotas related to IP addresses<br />
These settings are configured in the same way as for time quotas related to URL categories.<br />
Authenticated User Configuration<br />
Settings for time quotas related to user names<br />
These settings are configured in the same way as for time quotas related to URL categories.<br />
Default<br />
Default settings for time quotas<br />
These settings are configured in the same way as for time quotas related to URL categories.<br />
Volume Quota engine settings<br />
You can configure the Volume Quota engine settings. These are the settings of the module that handles<br />
volume quotas to restrict the web usage of your users.<br />
Note: You can configure these settings on the Settings tab of the Policy top-level menu. You can also click the<br />
settings name in a quota rule on the Rule Sets tab to configure these settings.<br />
URL Category Configuration<br />
Settings for volume quotas related to URL categories<br />
Volume Quota per Day, Week, Month, and Session Time<br />
Settings for selecting the time unit or the session time that quotas are configured for in the next<br />
section.<br />
Note: When a time unit or the session time is selected, the heading of the next section reads accordingly.<br />
Volume quota per day (week, month) — When selected, the quota that is configured in the next<br />
section applies to the selected time unit<br />
Session time — When selected, the quota that is configured in the next section applies to the session<br />
time<br />
Volume for . . . (Hours and minutes for . . .)<br />
Settings for configuring quotas that apply to the selected time unit or the session time<br />
Note: The heading of this section and the displayed settings vary according to what you selected in the<br />
preceding section.<br />
GiB — Allowed volume per day, week, or month<br />
MiB — Allowed volume per day, week, or month<br />
or (for the session time):<br />
Hours — Hours for the session time<br />
Minutes — Minutes for the session time<br />
Actual Configured Volume Quota<br />
Displays the configured volume quotas<br />
Volume quota per day (week, month) — Allowed volume per day, week, or month<br />
Session time — Allowed session time<br />
IP Configuration<br />
Settings for volume quotas related to IP addresses<br />
These settings are configured in the same way as for volume quotas related to URL categories.<br />
Authenticated User Configuration<br />
Settings for volume quotas related to user names<br />
These settings are configured in the same way as for volume quotas related to URL categories.<br />
Media Type Configuration<br />
Settings for volume quotas related to media types<br />
These settings are configured in the same way as for volume quotas related to URL categories.<br />
Default<br />
Default settings for volume quotas<br />
These settings are configured in the same way as for volume quotas related to URL categories.<br />
Coaching engine settings<br />
You can configure the Coaching engine settings. These are the settings of the module that handles<br />
coaching.<br />
Note: You can configure these settings on the Settings tab of the Policy top-level menu. You can also click the<br />
settings name in a quota rule on the Rule Sets tab to configure these settings.<br />
URL Category Configuration<br />
Settings for coaching related to URL categories<br />
Hours and Minutes of Session Time<br />
Settings for configuring the time length of a coaching session<br />
Days — Days of the coaching session<br />
Hours — Hours of the coaching session<br />
Minutes — Minutes of the coaching session<br />
IP Configuration<br />
Settings for coaching related to IP addresses<br />
These settings are configured in the same way as for coaching related to URL categories.<br />
Authenticated User Configuration<br />
Settings for coaching related to user names<br />
These settings are configured in the same way as for coaching related to URL categories.<br />
Default<br />
Default settings for coaching<br />
These settings are configured in the same way as for coaching related to URL categories.<br />
Authorized Override engine settings<br />
You can configure the Authorized Override engine settings. These are the settings of the module that<br />
handles authorized overriding.<br />
Note: You can configure these settings on the Settings tab of the Policy top-level menu. You can also click the<br />
settings name in a quota rule on the Rule Sets tab to configure these settings.<br />
URL Category Configuration<br />
Settings for authorized overriding related to URL categories<br />
Hours and Minutes of Maximum Session Time<br />
Settings for configuring the length of a session in which authorized overriding is allowed<br />
Days — Days of the authorized override session<br />
Hours — Hours of the authorized override session<br />
Minutes — Minutes of the authorized override session<br />
IP Configuration<br />
Settings for authorized overriding related to IP addresses<br />
These settings are configured in the same way as for authorized overriding related to URL categories.<br />
Authenticated User Configuration<br />
Settings for authorized overriding related to user names<br />
These settings are configured in the same way as for authorized overriding related to URL categories.<br />
Default<br />
Default settings for authorized overriding<br />
These settings are configured in the same way as for authorized overriding related to URL categories.<br />
BlockSessionFilter engine settings<br />
You can configure the BlockSessionFilter engine settings. These are the settings of the module that<br />
handles blocking sessions.<br />
Note: You can configure these settings on the Settings tab of the Policy top-level menu. You can also click the<br />
settings name in a quota rule on the Rule Sets tab to configure these settings.<br />
URL Category Configuration<br />
Settings for blocking sessions related to URL categories<br />
Hours and Minutes of Session Time<br />
Settings for configuring the time length of a blocking session<br />
Days — Days of the blocking session<br />
Hours — Hours of the blocking session<br />
Minutes — Minutes of the blocking session<br />
Quota system settings<br />
Quota system settings are general settings for time intervals related to quota management. If an<br />
appliance is a node in a central management configuration, you can also configure time intervals for<br />
synchronization of data with other appliances.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
They can also appear under the name of Coaching (instead of Quota), but apply in both cases to all options<br />
that are provided for quota management: Authorized override, blocking sessions, coaching, time quota, and<br />
volume quota.<br />
Quota Intervals for Synchronisation Saving in Minutes<br />
Settings for time intervals related to quota management<br />
Save interval — Time (in minutes) to elapse before current quota values are saved on an appliance,<br />
for example, the volume in bytes that has been consumed by a particular user<br />
Interval for sending updated quota data — Time (in minutes) to elapse before current quota<br />
values are distributed from an appliance to all nodes in a central management configuration<br />
The distributed data includes the changes in quota values that have occurred since the last time that<br />
data were distributed from the appliance.<br />
Interval for base synchronisation — Time (in minutes) to elapse before quota values are<br />
synchronized on all nodes in a central management configuration<br />
The synchronization takes a snapshot of the current quota values on all appliances. The values that are<br />
most recent with regard to individual users are distributed to all appliances.<br />
The values are also distributed to nodes that were temporarily inactive and did not receive updates sent<br />
during that time. They are, furthermore, distributed to nodes that have been newly added to the<br />
configuration, so they did not receive any previous updates.<br />
Cleanup database after — Time (in days) to elapse before data is deleted in the quota database<br />
Before data is deleted, a check is performed to see whether the data is obsolete. Data is obsolete if the<br />
time interval that has been configured for a quota management function has elapsed.<br />
For example, if a particular amount of bytes has been configured as volume quota for a user to be<br />
consumed during a month, the amount that the user actually consumed during a month becomes<br />
obsolete when a new month begins. The cleanup then deletes this data if the time configured under the<br />
Cleanup database after option has also elapsed.<br />
Stored data becomes obsolete after a month for time quotas. For other quota management functions,<br />
other time intervals are relevant. For example, for coaching and authorized overriding, the cleanup<br />
cannot be performed before the allowed session time has elapsed.<br />
Administrator accounts<br />
Administrator accounts can be set up and managed on the appliance or on an external server. This<br />
section tells you how to do this and how to create administrator roles with different access privileges for<br />
administrators.<br />
Internal management of administrator accounts<br />
You can manage accounts internally. These are stored on the appliance, not on an external server.<br />
Complete the procedures below to do this.<br />
Add an administrator account<br />
To add an internal administrator account:<br />
1 Go to Accounts | Administrator accounts.<br />
Note: On the Administrator Accounts tab, an administrator and a role have already been inserted at the<br />
initial setup.<br />
2 Under Internal Administrator Accounts, click Add. The Add Administrator window opens.<br />
3 Add a user name, a password, and other settings for the account. Then click OK.<br />
4 Click OK and then Save Changes.<br />
For more information, see Administrator account settings.<br />
Edit an administrator account<br />
To edit an internal administrator account:<br />
1 Go to Accounts | Administrator accounts.<br />
2 Under Internal Administrator Accounts, select an account and click Edit. The Edit Administrator<br />
window opens.<br />
Note: You can use the Filter input field to type a filtering term and display only accounts with matching<br />
names.<br />
3 Edit the settings of the account as needed.<br />
4 Click OK and then Save Changes.<br />
For more information, see Administrator account settings.<br />
Delete an administrator account<br />
To delete an administrator account:<br />
1 Go to Accounts | Administrator accounts.<br />
2 Under Internal Administrator Accounts, select an account and click Delete. A window opens to<br />
let you confirm the deletion.<br />
Note: You cannot delete all administrator accounts. At least one must always exist on the appliance.<br />
3 Click Save Changes.<br />
Administrator account settings<br />
You can use the administrator account settings to add or edit an administrator account.<br />
User name — User name of the administrator<br />
Password — Administrator password<br />
Password repeated — Repetition of the password to check and confirm it<br />
Note: In the Edit Administrator window, you need to select Set a new password before the two password<br />
fields become available.<br />
Role — List for selecting an administrator role<br />
Note: You can use the Edit and Add icons to edit and add roles. Modified and added roles also appear in<br />
the list of administrator roles under Roles.<br />
[Optional] Name — Real name of the person that the account is set up for<br />
Test with current settings<br />
You can test whether an administrator with given credentials would be admitted on the appliance. The<br />
following settings are provided for this purpose on the Administrator Accounts tab of the Accounts<br />
top-level menu.<br />
User — User name that is tested<br />
Password — Tested password<br />
Test — Executes the test<br />
The Authentication Test Results window opens to display the outcome of the test.<br />
Administrator roles<br />
You can set up roles and use them to configure administrator accounts.<br />
Manage administrator roles<br />
Complete the following procedure to manage administrator roles:<br />
1 Go to Accounts | Administrator accounts.<br />
Note: On the Administrator Accounts tab, an administrator and a role have already been inserted after the<br />
initial setup.<br />
2 Under Roles, click Add to add a role. The Add Role window opens.<br />
3 In the Name field, type a role name.<br />
4 Configure access rights for the dashboard, rules, lists, and other items.<br />
5 Use the Edit and Delete icons to edit and delete roles.<br />
Note: Added and modified roles also appear in the list of administrator roles under Internal<br />
Administrator Accounts, and deleted roles disappear from it.<br />
6 Click OK and then Save Changes.<br />
For more information, see Administrator role settings.<br />
Administrator role settings<br />
You can use the following settings to add or edit an administrator role. The items of the user interface<br />
listed here are accessible for the role according to your selections.<br />
Name — Name of the role<br />
Dashboard accessible — When selected<br />
Policy – Rules accessible — When selected<br />
Top level move & create — When selected<br />
Policy – Lists accessible — When selected<br />
List creation — When selected<br />
Policy – Settings accessible — When selected<br />
Settings creation — When selected<br />
Configuration accessible — When selected<br />
Accounts accessible — When selected<br />
Log files accessible — When selected<br />
Permissions accessible — When selected<br />
Read only admin — When selected, the role only allows reading information on the user interface; it<br />
does not allow configuration or other activities<br />
For more information, see Manage administrator roles.<br />
Configure external account management<br />
You can have administrator accounts managed on external authentication servers and map externally<br />
stored user groups and individual users on to roles on the appliance.<br />
Complete the following procedure to configure external account management:<br />
1 Go to Accounts | Administrator accounts.<br />
2 Click Administrator accounts are managed in an external directory server. Additional<br />
settings appear.<br />
3 Under Authentication Server Details, configure settings for the external server. These settings<br />
determine the way the authentication module on the appliance retrieves information from that server.<br />
4 Use the settings under Authentication group = role mapping to map user groups and individual<br />
users stored on the external server to roles on the appliance:<br />
a Click Add. The Group/User Role Mapping window opens.<br />
b Select the checkboxes next to the input field for groups and users as needed and type group and<br />
user names in these fields.<br />
c Click OK.<br />
d Under Role to map to, select a role.<br />
Note: You can use the Edit and Delete icons to edit and delete roles.<br />
e Click OK and then Save Changes.<br />
For information on the settings for the authentication server, see Settings for the Authentication<br />
module.<br />
6<br />
Web filtering<br />
Contents<br />
Filtering web objects<br />
Virus and malware filtering<br />
URL filtering<br />
Media type filtering<br />
HTML filtering<br />
Global whitelisting<br />
SSL scanning<br />
Supporting functions<br />
User messages<br />
Filtering web objects<br />
The McAfee Web Gateway appliance filters web objects before the users of your network can access<br />
them. The sections of this chapter explain the filtering process and tell you how to administer it.<br />
The functions for filtering web objects are controlled by rules. These say, for example, when access to<br />
an object is blocked or allowed. They go through blocking lists and whitelists and call modules to let<br />
them retrieve other relevant filtering information.<br />
For example, a rule calls the Anti-Malware module to find out whether an object is infected, while<br />
another rule calls the URL Filter module to retrieve information on URL categories.<br />
Administering the filtering process<br />
Administering the filtering process for web objects includes the following activities:<br />
• Reviewing and modifying the filtering rules — These rules are implemented at the initial setup<br />
by the policy creation wizard or as a default system. You can review and modify what is implemented.<br />
• Maintaining the filter lists — These include mainly blocking lists and whitelists for URLs, media<br />
types, HTML pages, and other web objects.<br />
• Configuring the module settings — By configuring these settings you determine the way the<br />
modules retrieve relevant information for the filtering process. For example, it depends on these<br />
settings whether the Antimalware module uses only virus signatures to detect infected web objects<br />
or also proactive methods.<br />
• Adapting user messages on filtering actions — A message sent to a user might read as follows:<br />
The transferred file contained a virus and was therefore blocked. To adapt these messages, you need<br />
to configure the settings of the actions in question.<br />
The sections of this chapter explain these activities in detail for individual filtering functions. They<br />
assume that you have read the Rules and rule sets chapter, which provides general information on<br />
handling rules and how they use filter lists and modules.<br />
For more information, see Rules and rule sets and the sections on individual filtering functions, such as<br />
Virus and malware filtering, URL filtering, and others.<br />
For adapting user messages, see User messages.<br />
Functions for filtering web objects<br />
You can use the following functions to filter web objects on the appliance:<br />
• Virus and malware filtering — You can filter web objects and block them if they are infected by<br />
viruses and other malware, using the Antimalware module, which can apply different methods when<br />
scanning objects.<br />
• URL filtering — You can filter URLs individually and per category and block inappropriate or<br />
malicious content, using filter lists and information that the URL Filter module retrieves from the<br />
Global Threat Intelligence system.<br />
• Media type filtering — You can filter media types and block text, audio, image, streaming, or other<br />
media, using appropriate filter lists for upload and download.<br />
• HTML filtering — You can filter HTML pages and have embedded objects, including Java and Visual<br />
Basic scripts, ActiveX controls, and others, removed from them.<br />
• Global whitelisting — You can enter URLs onto a global whitelist to ensure the users of your<br />
network can access them.<br />
• SSL scanning — You can have SSL-secured requests inspected to make them available for further<br />
filtering and block objects if they are not sufficiently secured by a valid certificate.<br />
You can also use functions that do not themselves filter web objects, but support the filtering process:<br />
• Progress indication — You can show users the progress made in downloading objects.<br />
• Next-hop proxies — You can use next-hop proxies for routing requests to their destinations.<br />
For more information, see the sections on individual filtering and supporting functions, for example,<br />
URL filtering or Progress Indication.<br />
Virus and malware filtering<br />
The appliance filters web objects to block viruses and other malware. This section gives an overview of<br />
the virus and malware filtering process and describes in detail how you can modify it.<br />
Virus and malware filtering process<br />
Several elements work together in the virus and malware filtering process on the appliance. These<br />
include:<br />
• Filtering rules that control the process<br />
• Whitelists that are used by rules to exempt particular web objects from filtering<br />
• The Anti-Malware module, which is called by a suitable rule to scan web objects for infections by<br />
viruses and other malware<br />
Filtering rules<br />
The rules that control the virus and malware filtering process are usually contained in one rule set.<br />
One rule blocks web objects if they are infected by viruses or other malware. To find out about<br />
infections, the rule calls the Anti-Malware module, which scans objects and reports its findings to<br />
the rule.<br />
Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them<br />
applies, the blocking rule is skipped and no virus and malware filtering is done for the whitelisted<br />
objects.<br />
You can review these rules, modify or delete them, and also create your own rules.<br />
For more information, see Rules for virus and malware filtering.<br />
Whitelists<br />
Whitelists are used by whitelisting rules to let particular web objects skip the blocking rule, which<br />
means there is no virus and malware filtering for these objects. There can be different whitelists for<br />
URLs, media types, and other types of objects.<br />
Note: Blocking lists are typically not used in virus and malware filtering because here the blocking depends<br />
not on lists, but on the findings of the Anti-Malware module.<br />
You can add entries to these lists or remove entries. You can also create your own lists and let them be<br />
used by the whitelisting rules.<br />
For more information, see Whitelists for virus and malware filtering.<br />
Anti-Malware module<br />
The Anti-Malware module scans objects to detect infections by viruses and other malware. Based on the<br />
findings of this module, the blocking rule blocks access to web objects or lets them pass through.<br />
You can configure settings for this module, for example, to let it scan objects using only virus<br />
signatures to detect infections or also proactive methods.<br />
For more information, see Module for virus and malware filtering.<br />
Rules for virus and malware filtering<br />
Rules that filter web objects for infections are contained in a virus and malware filtering rule set. This<br />
section explains these rules and describes a library rule set.<br />
A virus and malware filtering rule set typically includes a blocking rule that blocks access to infected<br />
objects. It can also include rules for whitelisting web objects, such as URLs, media types, and others,<br />
that should not be filtered, so that they cannot be blocked.<br />
The whitelisting rules are placed before the blocking rule, so they are processed before it. If a<br />
requested object is on one of the whitelists, the corresponding rule applies. It stops the processing of<br />
the rule set, so the blocking rule is not processed and cannot apply.<br />
A rule set like this is included when the wizard creates a system of rule sets. It is also included in the<br />
default system.<br />
Rule sets for virus and malware filtering differ from each other mainly with regard to their whitelisting<br />
rules, which can cover different types of web objects and use different whitelists. They do not differ,<br />
however, in their fundamental structure, which combines a blocking rule with one or more whitelisting<br />
rules that are processed before it.<br />
View the implemented virus and malware filtering rules<br />
The virus and malware filtering rules that are implemented on the appliance can be viewed on the user<br />
interface.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains the virus and malware filtering rules, which is<br />
by default named Gateway Antimalware. The individual rules appear on the settings pane.<br />
3 On the settings pane, click Show Details. Rule conditions and events are displayed for each rule.<br />
You can modify these rules, copy and paste them, delete them, and also create your own rules.<br />
Process flow in a virus and malware filtering rule set<br />
This section describes the process flow in a rule set for virus and malware filtering. This rule set could,<br />
for example, include:<br />
• A whitelisting rule for media types<br />
• A whitelisting rule for URLs<br />
• A blocking rule that blocks access to objects if they are infected.<br />
When, for example, an infected, non-whitelisted object is sent in response to a user request from a web<br />
server, these rules work together, creating a process flow as follows:<br />
Object is a URL and on the whitelist? – No. –> Processing continues with the next rule in the rule set.<br />
Object is streaming media and on the whitelist? – No. –> Processing continues with the next rule in the rule set.<br />
Object is infected by a virus or other malware? – Yes. –> Processing of rules stops. The object is blocked (and not passed on to the user who requested it). A block message is sent to this user.<br />
If the object were streaming media and on the whitelist, the process flow would be:<br />
Object is URL and on the whitelist? – No. –> Processing continues with the next rule in the rule set.<br />
Object is streaming media and on the whitelist? – Yes. –> Processing of the rule set stops.<br />
Object is infected by a virus or other malware? The blocking rule is not processed. The object is not scanned for infections.<br />
Virus and malware filtering rules<br />
This section explains in detail a blocking rule and a whitelisting rule for virus and malware filtering.<br />
Note: The rules are shown here in a notation that comes close to how they appear on the user interface.<br />
Blocking rule<br />
The following is an example of a blocking rule for virus and malware filtering.<br />
Name: Block if virus was found<br />
Criteria –> Action: Antimalware.Infected equals true –> Block<br />
In plain text, this rule can be rephrased as follows:<br />
If an object is infected by a virus or other malware, block access to it.<br />
The key element in the rule criteria is Antimalware.Infected. It is the property that is checked for a<br />
given web object. Antimalware.Infected is (“equals”) true if the object is actually infected by a virus or<br />
other malware. The Antimalware module is called to find out whether this is the case. If it is, the criteria<br />
is matched and the rule applies. The rule then executes its action, which is the Block action. It blocks<br />
access to the object.<br />
The Antimalware.Infected property has the Gateway Antimalware settings specified for it. This means<br />
the module that scans objects for infections runs with these settings. The settings determine, for<br />
example, which methods are used for the scanning.<br />
The Block action also has settings specified for it. These settings determine that a message is sent to a<br />
user who is affected by the action and what this message looks like. For this virus and malware filtering<br />
rule, the Virus Found settings are specified, which means that the message mentions an infection of the<br />
requested object as the reason for the blocking.<br />
Whitelisting rule<br />
The following is an example of a whitelisting rule for virus and malware filtering.<br />
Name: Do not filter specific URLs<br />
Criteria –> Action: URL matches in list Antimalware.URL Whitelist –> Stop Rule Set<br />
In plain text, this rule can be rephrased as follows:<br />
If a URL matches one of the entries on the whitelist for virus and malware filtering, do not process<br />
the virus and malware filtering rule set any further.<br />
The property in the rule criteria is URL. When the rule is processed, a given URL is checked to see<br />
whether it matches one of the entries in the list (“matches in list”) that is specified in the criteria as the<br />
Antimalware.URL Whitelist. If it does, the criteria matches and the rule applies.<br />
The rule then executes the Stop Rule Set action, which stops processing of the virus and malware<br />
filtering rule set, so that all rules of the rule set that follow this whitelisting rule are skipped, including<br />
the blocking rule (if placed after this rule).<br />
Gateway Antimalware<br />
This section explains the rules in a library rule set for virus and malware filtering.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Gateway Antimalware<br />
Criteria — Always<br />
Cycles — Requests (and IM), responses, embedded objects<br />
The rule set contains the following rules:<br />
Remove partial content for HTTP requests<br />
Cycle.TopName equals “Request” AND (Connection.Protocol equals “http” OR Connection.Protocol<br />
equals “https”) –> Continue — Header.RemoveAll (“Range”)<br />
The rule uses the Cycle.TopName and Connection.Protocol properties to check whether the current<br />
processing cycle is the request cycle and whether a request is sent in HTTP or HTTPS mode. If this<br />
is the case, the Header.RemoveAll event modifies the request by removing the specification that<br />
only partial content is requested.<br />
A request for complete content is then forwarded to the relevant web server and eventually<br />
received from there, so that the complete content of a web object can be processed on the<br />
appliance. For example, a complete archive can be opened and scanned for viruses and other<br />
malware. Malicious content that is distributed over several parts of a file can be detected by<br />
scanning the complete file, while it could go unnoticed if only parts of the file were scanned.<br />
The Continue action lets processing continue with the next rule.<br />
Block partial content for FTP requests<br />
Cycle.TopName equals “Request” AND Connection.Protocol equals “ftp” AND Command.Categories<br />
contains “Partial” –> Block<br />
The rule uses the Cycle.TopName, Connection.Protocol, and Command.Categories properties to<br />
check whether the current processing cycle is the request cycle, the request is sent in FTP mode,<br />
and the command category used for the FTP transfer contains Partial as a string. This allows the<br />
appliance to detect an FTP request for partial content and block it.<br />
Unlike with HTTP or HTTPS requests, an FTP request for partial content cannot be modified to<br />
make it a request for complete content. However, accepting partial content on the appliance<br />
would raise the same security problems as those explained in the comment on the rule for<br />
HTTP and HTTPS requests.<br />
The action settings specify a message to the requesting user.<br />
Allow if user agent matches User Agent Whitelist<br />
Header.Request.Get (“User-Agent”) matches in list User Agent WhiteList –> Stop Rule Set<br />
The rule uses the Header.Request.Get property to check the user agent information that is sent<br />
with the header of a request. If the user agent in question is on the specified whitelist, processing<br />
of the rule set stops, so the blocking rule of the rule set is not processed and cannot block the<br />
request.<br />
A parameter of the property specifies that it is the user agent information that must be checked<br />
when the rule is processed.<br />
Note: This rule is not enabled by default. Using this rule alone for whitelisting will cause a security problem<br />
because usually a client can set whatever user agent it prefers.<br />
Allow URL hosts that match in list Antimalware URL Whitelist<br />
URL.Host matches in list Antimalware URL Whitelist –> Stop Rule Set<br />
The rule uses the URL.Host property to check whether a given URL matches one of the entries on<br />
the specified whitelist. If it does, processing of the rule set stops and the blocking rule is not<br />
processed.<br />
You can use this rule to exempt web traffic from filtering when the hosts of the URLs involved are<br />
well-known web servers for which it is safe to assume that they spread no viruses and other<br />
malware. Whitelisting increases performance because it avoids the effort of scanning the<br />
respective web objects.<br />
Allow streaming media from list Antimalware Media Whitelist<br />
(URL Categories contains Streaming Media OR<br />
URL Categories contains Internet Radio / TV OR<br />
URL Categories contains General News)<br />
AND MediaType.Ensured all in list Antimalware Media Type Whitelist –> Stop Rule Set<br />
The rule uses the URL.Categories property to check whether a given URL belongs to Streaming<br />
Media or related categories. The URL Filter module, which is called to retrieve category<br />
information, runs with the Default settings, as specified with the property.<br />
The second part of the criteria uses the MediaType.Ensured property to check if the media type of<br />
a web object is found on the specified whitelist.<br />
If the URL belongs to one of the categories in question, and the web object that is located by the<br />
URL is of a media type that is on the whitelist, processing of the rule set stops and the blocking<br />
rule is not processed.<br />
The Anti-Malware module scans complete files, which means it waits for the end of data<br />
transmission before starting the scan. As streaming media is by nature an endless stream of data,<br />
the Anti-Malware module would wait forever. However, the risk that streaming media will contain a<br />
virus or other malware is very low. Therefore, streaming media can be exempted from scanning.<br />
Block if virus was found<br />
Antimalware.Infected equals true –> Block<br />
— Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<br />
The rule uses the Antimalware.Infected property to check whether a given web object is infected<br />
by a virus or other malware. The Anti-Malware module, which is called to scan the object, runs with<br />
the Gateway Antimalware settings, as specified with the property. These settings let the module<br />
use all three of its submodules and their methods to scan web objects.<br />
If the module finds that a web object is infected, processing of all rules stops and the object is not<br />
passed on any further. Access to it is blocked this way. In a request cycle, the infected web object<br />
is not passed on to the web. In the response and embedded object cycles, it is not passed on to<br />
the user who requested it.<br />
The action settings specify a message to the requesting user.<br />
The rule also uses an event to count blocking due to virus and malware infections. The event<br />
parameters specify the counter that is incremented and the size of the increment. The event<br />
settings specify the settings of the Statistics module, which executes the counting.<br />
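The processing order of the library rule set described above, modeled as an added example (this is not McAfee code or rule syntax). The names Tx, Rule, process and audit are hypothetical, fnmatch globbing is an assumed stand-in for the product's wildcard expressions, and the hosts and transactions are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Optional

CONTINUE, STOP_RULE_SET, BLOCK = "Continue", "Stop Rule Set", "Block"
CLIENT_CONTROLLED = {"Header.Request.Get"}  # values the client chooses freely

@dataclass
class Tx:
    """One constructed transaction; fields mirror properties named in the guide."""
    cycle: str = "Response"                      # Cycle.TopName
    protocol: str = "http"                       # Connection.Protocol
    host: str = ""                               # URL.Host
    headers: dict = field(default_factory=dict)  # request headers
    ftp_categories: tuple = ()                   # Command.Categories
    url_categories: tuple = ()                   # URL.Categories
    media_types: tuple = ()                      # MediaType.Ensured
    infected: bool = False                       # verdict a scan would return
    scanned: bool = False                        # True only if the scan ran

@dataclass
class Rule:
    name: str
    reads: set                                   # properties the criteria use
    criteria: Callable
    action: str
    event: Optional[Callable] = None
    enabled: bool = True

def in_list(value, patterns):
    # Assumption: fnmatch globbing stands in for the product's wildcard syntax.
    return any(fnmatchcase(value, p) for p in patterns)

def scan(tx):
    # Stand-in for the Anti-Malware module: it runs only if its rule is reached.
    tx.scanned = True
    return tx.infected

def drop_range(tx, counters):
    tx.headers.pop("Range", None)                # Header.RemoveAll("Range")

def count_block(tx, counters):
    counters["BlockedByAntiMalware"] = counters.get("BlockedByAntiMalware", 0) + 1

def build_rule_set(ua_list, url_list, media_list, ua_rule_enabled=False):
    """Rules in the order the guide lists them for Gateway Antimalware."""
    streaming = {"Streaming Media", "Internet Radio / TV", "General News"}
    return [
        Rule("Remove partial content for HTTP requests",
             {"Cycle.TopName", "Connection.Protocol"},
             lambda t: t.cycle == "Request" and t.protocol in ("http", "https"),
             CONTINUE, event=drop_range),
        Rule("Block partial content for FTP requests",
             {"Cycle.TopName", "Connection.Protocol", "Command.Categories"},
             lambda t: (t.cycle == "Request" and t.protocol == "ftp"
                        and "Partial" in t.ftp_categories),
             BLOCK),
        Rule("Allow if user agent matches User Agent Whitelist",
             {"Header.Request.Get"},
             lambda t: in_list(t.headers.get("User-Agent", ""), ua_list),
             STOP_RULE_SET, enabled=ua_rule_enabled),  # not enabled by default
        Rule("Allow URL hosts that match in list Antimalware URL Whitelist",
             {"URL.Host"},
             lambda t: in_list(t.host, url_list),
             STOP_RULE_SET),
        Rule("Allow streaming media from list Antimalware Media Whitelist",
             {"URL.Categories", "MediaType.Ensured"},
             lambda t: (bool(streaming & set(t.url_categories))
                        and bool(t.media_types)
                        and all(m in media_list for m in t.media_types)),
             STOP_RULE_SET),
        Rule("Block if virus was found", {"Antimalware.Infected"},
             scan, BLOCK, event=count_block),
    ]

def process(tx, rules, counters):
    """Evaluate rules top-down; return (outcome, deciding rule name or None)."""
    for rule in rules:
        if not rule.enabled or not rule.criteria(tx):
            continue
        if rule.event:
            rule.event(tx, counters)
        if rule.action != CONTINUE:      # Block and Stop Rule Set both end here
            return rule.action, rule.name
    return "End of rule set", None

def audit(rules):
    """Enabled Stop Rule Set rules whose criteria read only client-chosen input."""
    return [r.name for r in rules
            if r.enabled and r.action == STOP_RULE_SET
            and r.reads <= CLIENT_CONTROLLED]

if __name__ == "__main__":
    rules = build_rule_set([], [], ["application/ogg", "application/vnd.ms-af"])
    counters = {}
    for tx in (Tx(host="downloads.example", infected=True),  # constructed samples
               Tx(host="radio.example", url_categories=("Streaming Media",),
                  media_types=("application/ogg",), infected=True)):
        print(process(tx, rules, counters), "scanned:", tx.scanned)
```

With the User Agent rule enabled, audit() reports it, which is the condition the guide's note about client-chosen user agents warns against; the scanned flag shows which whitelist hits bypass the Anti-Malware module entirely.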
Whitelists for virus and malware filtering<br />
You can maintain whitelists for web objects to let them skip virus and malware filtering. This section<br />
explains how this is done and describes some sample whitelists.<br />
You can add entries for particular web objects, such as URLs, media types, and others, onto whitelists.<br />
The rules of the virus and malware filtering rule set use these lists to keep the rule that could<br />
block the objects from being processed.<br />
Note: This means that when you edit a whitelist, you also modify the rule that uses it. You should therefore<br />
make sure you know which rule uses a list that you edit.<br />
You can do this, for example, by reviewing the rules of the virus and malware filtering rule set to see which<br />
list names appear in rule names and criteria.<br />
Whitelists are created at the initial setup of the appliance together with the corresponding rules and<br />
rule sets. You can also create lists of your own.<br />
The procedures used to maintain whitelists differ according to the list type. For example, you can add<br />
wildcard expressions to a whitelist for URLs by typing them into the list. When adding media types,<br />
however, you select them from folders with media type groups.<br />
Sample whitelists for virus and malware filtering<br />
This section describes some sample whitelists used by the library Gateway Antimalware rule set.<br />
When you import the rule set, these lists are also imported. You can find them on the Lists tab of the<br />
Policy top-level menu, sorted by their types and names.<br />
For general information on how to maintain lists, see List maintenance.<br />
User Agent Whitelist<br />
List of wildcard expressions for user agents<br />
Requests for URLs that have user agents matching these expressions are allowed to skip virus and<br />
malware filtering by an appropriate rule.<br />
Type — Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-1 User Agent Whitelist<br />
Option | Definition<br />
Wildcard Expression | Wildcard expression for user agents<br />
Comment | Plain-text comment on a wildcard expression<br />
Antimalware URL Whitelist<br />
List of wildcard expressions for URLs<br />
Requests for URLs matching these expressions are allowed to skip virus and malware filtering by an<br />
appropriate rule.<br />
Type — Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-2 Antimalware URL Whitelist<br />
Option | Definition<br />
Wildcard Expression | Wildcard expression for URLs<br />
Comment | Plain-text comment on a wildcard expression<br />
Antimalware Media Type Whitelist<br />
List of media types<br />
Requests for web objects that belong to these media types are allowed to skip virus and malware<br />
filtering by an appropriate rule.<br />
Type — MediaType<br />
Initial entries — application/ogg – Audio/Video files in OGG format<br />
application/vnd.ms-af – Microsoft Multimedia Container<br />
and others<br />
The following table describes the list entries.<br />
Table 6-3 Antimalware Media Type Whitelist<br />
Option | Definition<br />
MediaType | Media type<br />
Comment | Plain-text comment on a media type<br />
Add a wildcard expression to a virus and malware filtering whitelist for URLs<br />
You can add a wildcard expression to a whitelist in a virus and malware filtering rule to exempt requests<br />
for URLs that match this expression from filtering.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for virus and malware filtering, for example<br />
<strong>Gateway</strong> Antimalware. The rules appear on the settings pane.<br />
3 Find the rule that uses a whitelist to exempt requests for particular URLs from filtering, for example,<br />
Allow URL hosts that match in list Antimalware URL Whitelist, and click on the list name. The<br />
Edit List (Wildcard Expression) window opens.<br />
4 Click Add. The Add Wildcard Expression window opens.<br />
5 In the Wildcard expression field, type a wildcard expression.<br />
Note: To add multiple wildcard expressions at once, click Add multiple and type each wildcard<br />
expression on a new line.<br />
6 [Optional] In the Comment field, type a comment on the wildcard expression.<br />
7 Click OK. The window closes and the wildcard expression appears on the whitelist.<br />
8 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance. For the types of wildcard<br />
expressions that are allowed in the list, see Wildcard expressions.<br />
Add a wildcard expression to a virus and malware filtering whitelist for user<br />
agents<br />
You can add a wildcard expression to a whitelist in a virus and malware filtering rule to exempt requests<br />
from filtering when these are sent from clients with user agents that match the expression.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for virus and malware filtering, for example<br />
<strong>Gateway</strong> Antimalware. The rules appear on the settings pane.<br />
3 Find the rule that uses a whitelist to exempt requests sent with particular user agents from filtering,<br />
for example, Allow if user agent matches in list User Agent Whitelist, and click on the list<br />
name.<br />
Note: A yellow triangle by the list name indicates that this list is empty and you need to fill in its entries.<br />
The Edit List (Wildcard Expression) window opens.<br />
4 Click Add. The Add Wildcard Expression window opens.<br />
5 In the Wildcard expression field, type a wildcard expression.<br />
Note: To add multiple wildcard expressions at once, click Add multiple and type each wildcard<br />
expression on a new line.<br />
6 [Optional] In the Comment field, type a comment on the wildcard expression.<br />
7 Click OK. The window closes and the wildcard expression appears on the whitelist.<br />
8 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance. For the types of wildcard<br />
expressions that are allowed in the list, see Wildcard expressions.<br />
Add a media type to a virus and malware filtering whitelist<br />
You can add a media type to a whitelist to let web objects of this type skip virus and malware filtering.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for virus and malware filtering, for example<br />
<strong>Gateway</strong> Antimalware. The rules appear on the settings pane.<br />
3 Find the rule that uses a whitelist to exempt web objects that belong to a particular media type from<br />
filtering, for example, Allow streaming media from list Antimalware Media Type Whitelist,<br />
and click on the list name.<br />
The Edit List (MediaType) window opens.<br />
4 Click Edit. An Edit window opens. It displays a list of group folders with media types.<br />
5 Expand the group folder with the media type you want to add, for example, Document, and select<br />
the media type, for example, application/vnd.ms-excel.<br />
Note: To add multiple media types at once, select multiple media types or one or multiple group folders.<br />
6 Click OK. The window closes and the media type appears on the whitelist.<br />
7 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance.<br />
Change the list used by a whitelisting rule<br />
This section explains how to change a list for a whitelisting rule used in virus and malware filtering by<br />
replacing it with a new list you have created.<br />
Create a new list for a whitelisting rule<br />
To create a new list:<br />
1 Go to Policy | Lists.<br />
2 On the Custom Lists branch of the lists tree, select Wildcard Expression and click Add. The Add<br />
List window opens.<br />
a In the Name field, type a name for the new list, for example, My Antimalware URL Whitelist.<br />
b [Optional] In the Comment field, type a plain-text comment on the new list and on the<br />
Permissions tab, configure who is allowed access to it.<br />
c Click OK. The Add List window closes and the new list is inserted on the lists tree under Wildcard<br />
Expression.<br />
3 Click Save Changes.<br />
Modify a whitelisting rule to use a new list<br />
To let a whitelisting rule use a new list:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select a virus and malware filtering rule set, for example, the <strong>Gateway</strong><br />
Antimalware rule set. The rules of this rule set appear on the settings pane.<br />
3 Select the whitelisting rule for URLs, for example, Allow URL hosts that match in list<br />
Antimalware URL Whitelist, and click Edit immediately above the topmost rule. The Edit Rule<br />
window opens.<br />
4 Select Rule Criteria and then the rule and click Edit. The Edit Criteria window opens.<br />
5 From the drop-down list under Parameter – Value, select the new list.<br />
6 Click OK and Finish to close the open windows. The name of the new list appears in the criteria of<br />
the whitelisting rule on the settings pane.<br />
7 Click Save Changes.<br />
The whitelisting rule for URLs now uses your new list. You need to fill this list with wildcard expressions<br />
to let URLs skip virus and malware filtering.<br />
For information on how to fill a list with entries, see Add list entries.<br />
Module for virus and malware filtering<br />
The Anti-Malware module (also known as Anti-Malware engine) scans web objects for infections by<br />
viruses and other malware. This section tells you how to configure this module and describes the<br />
module settings.<br />
The blocking rule of the virus and malware filtering process relies on the Anti-Malware module to find<br />
out whether a web object is infected by viruses or other malware. By configuring settings for it, you can<br />
let the module do its scanning job in different ways.<br />
Note: This means that when you edit the module settings, you also modify the blocking rule that uses it. You<br />
should therefore make sure you know which blocking rule uses the module whose settings you edit. You can<br />
do this, for example, by reviewing the rule in the virus and malware filtering rule set to see which settings<br />
name appears in the rule criteria.<br />
The module has three submodules, which can run in different combinations. Each submodule uses<br />
different methods to detect infections in web objects.<br />
Note: Which of the submodules are available on your appliance depends on the licenses you have purchased.<br />
• <strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware — Uses proactive methods. You can configure several advanced<br />
settings for this submodule, but not for the other two.<br />
• <strong>McAfee</strong> Anti-Malware — Uses virus signatures. In contrast to the proactive methods, virus<br />
signatures can only be applied to detect viruses that are already known.<br />
• Avira — Provides the scanning methods of a third-party product.<br />
The submodules and their methods can be combined into scanning modes as follows:<br />
Mode a: proactive + signatures + third-party<br />
Mode b: proactive + signatures<br />
Mode c: signatures only<br />
Other module settings are for the AV PreScan option, which reduces the scanning load, or the Mobile<br />
Code Behavior option, which lets you set a level of strictness in classifying code.<br />
For more information, see Configure the Anti-Malware module and Select a different mode for scanning<br />
web objects.<br />
Configure the Anti-Malware module<br />
This section tells you how to configure settings for the Anti-Malware module.<br />
Complete the following procedure to configure these settings:<br />
1 Go to Policy | Settings.<br />
2 On the settings tree, go to Engines | Anti-Malware and select a settings name, for example,<br />
<strong>Gateway</strong> Antimalware.<br />
3 Configure these settings as needed.<br />
4 Click Save Changes.<br />
For more information on these settings, see Anti-Malware engine settings.<br />
Select a different mode for scanning web objects<br />
This section explains how to select a different mode for the module that scans web objects for<br />
infections.<br />
Note: Which mode can be selected on your appliance depends on the licenses you have purchased.<br />
To select a different mode for the scanning module:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select a virus and malware filtering rule set, for example, <strong>Gateway</strong><br />
Antimalware. The rules of this rule set appear on the settings pane.<br />
3 Make sure Show Details (above the list of rules) is enabled and in the criteria of the Block if virus<br />
was found rule, select the module settings, for example <strong>Gateway</strong> Antimalware. The Edit Settings<br />
window opens.<br />
4 Scroll down to the Select scanning engines section and select a combination of submodules that<br />
uses a particular scanning mode.<br />
• <strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware including <strong>McAfee</strong> Anti-Malware — When selected, these<br />
two submodules and Avira are active.<br />
–> Scanning mode: proactive methods + virus signatures + third-party module functions<br />
• <strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware including <strong>McAfee</strong> Anti-Malware without Avira — When<br />
selected, only the first two submodules are active.<br />
–> Scanning mode: proactive methods + virus signatures.<br />
• <strong>McAfee</strong> Anti-Malware only — When selected, only this submodule is active.<br />
–> Scanning mode: signatures only<br />
Note: If you select this mode for a <strong>Gateway</strong> Antimalware rule set, you should rename the settings and<br />
the rule set, for example, to <strong>McAfee</strong> Anti-Malware settings and rule set respectively, to indicate a key<br />
setting has changed.<br />
5 Click OK and then Save Changes.<br />
Anti-Malware engine settings<br />
You can configure the Anti-Malware engine settings. These are settings of the module used in virus and<br />
malware filtering to scan web objects.<br />
Note: These settings can be configured on the Settings tab of the Policy top-level menu.<br />
<strong>Gateway</strong> Antimalware<br />
Settings for the scanning module used in virus and malware filtering<br />
Select Scanning Engines<br />
Settings for selecting a combination of submodules to determine the scanning mode<br />
<strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware including <strong>McAfee</strong> Anti-Malware — When selected, these two<br />
submodules and Avira are active<br />
<strong>Web</strong> objects are then scanned using:<br />
proactive methods + virus signatures + third-party module functions<br />
<strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware including <strong>McAfee</strong> Anti-Malware without Avira — When<br />
selected, only the first two submodules are active<br />
<strong>Web</strong> objects are then scanned using:<br />
proactive methods + virus signatures<br />
<strong>McAfee</strong> Anti-Malware only — When selected, only this submodule is active<br />
<strong>Web</strong> objects are then scanned using:<br />
signatures only<br />
Mobile Code Behavior<br />
Settings for configuring a risk level in classifying mobile code<br />
The risk level can take values from 60 to 100.<br />
A low value means that the risk of failing to detect malicious mobile code is low, because the proactive<br />
scanning methods are applied very strictly. Mobile code will then be classified as malware even if only a<br />
few criteria of being potentially malicious have been detected.<br />
This can lead to classifying mobile code as malware that is actually not malicious (“false positives”).<br />
While more proactive security is achieved with a stricter setting, accuracy in determining which mobile<br />
code is really malicious will suffer. Consequently, the appliance might block web objects that you want<br />
to get through to your users.<br />
A high value means the risk in not detecting malicious mobile code is high (more “false negatives”), but<br />
more accuracy is achieved in classifying mobile code correctly as malicious or not (fewer “false<br />
positives”).<br />
Classification threshold — Slider scale for setting a risk level as described above<br />
• Minimum value (maximum proactivity): 60<br />
• Maximum value (maximum accuracy): 100<br />
Advanced Settings<br />
Settings for all submodules<br />
Enable AV PreScan — When selected, performance of the submodules is improved by reducing the<br />
load sent to them for scanning<br />
Note: This option is by default selected. It is generally recommended not to change this setting.<br />
Enable GTI file reputation queries — When selected, information on the reputation of files retrieved<br />
from the Global Threat Intelligence system is included in the scanning result that the Anti-Malware<br />
module provides<br />
Advanced Settings for <strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware<br />
Settings applying only to the <strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware submodule<br />
Note: The following options are by default selected. It is generally recommended not to change these<br />
settings.<br />
(General Settings)<br />
Settings for some general scanning methods<br />
Enable Artemis queries — When selected, queries regarding infected objects are also performed on<br />
an Artemis database<br />
Enable heuristic scanning — When selected, heuristic methods are used in scanning web objects<br />
Enable detection for potentially unwanted programs — When selected, web objects are also<br />
scanned for potentially unwanted programs<br />
Enable mobile code scanning — When selected, mobile code is scanned in general<br />
Note: Individual settings can be configured under Scan the following mobile code types.<br />
Scan the Following Mobile Code Types<br />
Settings for including different types of mobile code in the scanning<br />
Windows executables — When selected, these are scanned<br />
Once downloaded from the web or received by email, these executables can become a threat when<br />
launched because they run with all the privileges of the current user.<br />
JavaScript — When selected, this is scanned<br />
JavaScript code can be embedded virtually anywhere, from web pages and PDF documents to video and<br />
HTML files.<br />
Flash ActionScript — When selected, this is scanned<br />
ActionScript code can be embedded in flash videos and animations and has access to the flash player<br />
and the browser with all their functions.<br />
Java applets — When selected, these are scanned<br />
Java applets can be embedded in web pages. Once activated, they can run at different permission<br />
levels, based on a digital certificate and the user’s choice.<br />
Java applications — When selected, these are scanned<br />
Java applications run stand-alone with all privileges of the current user.<br />
ActiveX controls — When selected, these are scanned<br />
ActiveX controls can be embedded in web pages and office documents. Once activated, they run with all<br />
privileges of the current user.<br />
Windows libraries — When selected, these are scanned<br />
These libraries usually come along with an executable in a setup package or are downloaded from the<br />
web by a running executable or by malicious code.<br />
Visual Basic script — When selected, this is scanned<br />
Visual Basic script code can be embedded in web pages or in emails.<br />
Visual Basic for applications — When selected, this is scanned<br />
Visual Basic macros can be embedded in office documents created with Word, Excel, or PowerPoint.<br />
Block the Following Behavior<br />
Settings for selecting code behavior that leads to blocking<br />
Data theft: Backdoor — When selected, the following is blocked: Malicious applications that grant an<br />
attacker full remote access to and control of a victim’s system through existing or newly created network<br />
channels<br />
Data theft: Keylogger — When selected, the following is blocked: Malicious applications that hook<br />
into the operating system to record and save keyboard strokes<br />
The captured information, such as passwords, is sent back to the attacking party<br />
Data theft: Password stealer — When selected, the following is blocked: Malicious applications that<br />
gather, store, and leak sensitive information, such as the system configuration, confidential data,<br />
credentials, and other data for user authentication<br />
System compromise: Code execution exploit — When selected, the following is blocked: Exploits<br />
for vulnerabilities in any client applications, such as browsers, office programs, or multi-media players,<br />
that could allow an attacker to run arbitrary code on the compromised system<br />
System compromise: Browser exploit — When selected, the following is blocked: Exploits for<br />
vulnerabilities in browser applications and plug-ins that could allow the attacker to run arbitrary code,<br />
steal sensitive data, or escalate privileges<br />
System compromise: Trojan — When selected, the following is blocked: Malicious applications that<br />
pretend to be harmless or useful, but actually perform malicious activities<br />
Stealth activity: Rootkit — When selected, the following is blocked: Malicious applications or device<br />
drivers that manipulate the operating system and hide the presence of malware on infected systems<br />
After the compromise, files, registry keys, and network connections belonging to the malware<br />
processes turn invisible and could be hard to recover<br />
Viral Replication: Network worm — When selected, the following is blocked: Malicious applications<br />
or device drivers that self-replicate using email, the internet, peer-to-peer networking, or by copying<br />
themselves onto removable media such as USB devices<br />
Viral Replication: File infector virus — When selected, the following is blocked: Self-replicating<br />
applications that infect existing files on the hard-disk, embedding viral code in order to spread through<br />
the newly infected host file<br />
System compromise: Trojan downloader — When selected, the following is blocked: Malicious<br />
applications or script code that download and execute additional payload from the internet<br />
System compromise: Trojan dropper — When selected, the following is blocked: Malicious<br />
applications that carry a hidden payload, which they extract and launch upon execution<br />
System compromise: Trojan proxy — When selected, the following is blocked: Malicious<br />
applications that allow potentially malicious hidden network activity to be relayed through the<br />
compromised system<br />
<strong>Web</strong> threats: Infected website — When selected, the following is blocked: <strong>Web</strong>sites that contain<br />
injected malicious script code or request additional malicious code as soon as they are opened in a browser<br />
The initial infection might have taken place through an SQL injection attack against the web server.<br />
Stealth activity: Code injection — When selected, the following is blocked: Applications that copy<br />
their code into other, often legitimate processes, resulting in a hijacking of the respective privileges and<br />
trust<br />
This technique is typically employed by malware that tries to hide its presence on compromised<br />
systems and tries to evade detection.<br />
Detection evasion: Obfuscated code — When selected, the following is blocked: Applications that<br />
consist of highly scrambled or encrypted code<br />
Detection evasion: Packed code — When selected, the following is blocked: Applications whose<br />
content has been compressed by a run-time packer or protector<br />
Applying a run-time packer to an application changes the way it looks so it is harder to<br />
classify.<br />
Potentially unwanted: Ad-/Spyware — When selected, the following is blocked: Applications that<br />
show potentially annoying or unwanted advertisements, but also track and analyze the user’s activities<br />
and behavior<br />
Potentially unwanted: Adware — When selected, the following is blocked: Applications that show<br />
potentially annoying or unwanted advertisements, but also track and analyze the user’s activities and<br />
behavior<br />
Data theft: Spyware — When selected, the following is blocked: Applications that track and analyze<br />
the user’s activities and behavior, steal sensitive data, and leak this data to the attacker’s servers<br />
Potentially unwanted: Dialer — When selected, the following is blocked: Applications that provide<br />
access to content, such as pornography, through a more expensive network connection<br />
<strong>Web</strong> threats: Vulnerable ActiveX controls — When selected, the following is blocked: Potentially<br />
vulnerable ActiveX controls that are restricted to other on-browser usage and should not be used on a<br />
web page<br />
Potentially unwanted: Suspicious activity — When selected, the following is blocked: Potentially<br />
malicious code that is identified by either non-standard or not fully trusted behavior<br />
<strong>Web</strong> threats: Cross-site scripting — When selected, the following is blocked: Malicious scripts that<br />
try to exploit access-control vulnerabilities in browsers or web applications<br />
to steal user-specific data, such as cookies<br />
Potentially unwanted: Deceptive behavior — When selected, the following is blocked: Misleading<br />
messages, missing code tricks, and fake alerts presented to users<br />
These threats might tell users that their systems are infected with spyware and promote so-called fake<br />
AV applications for cleaning.<br />
Potentially unwanted: Redirector — When selected, the following is blocked: Redirecting code that<br />
forwards users visiting a website to other, potentially malicious locations<br />
This behavior is often caused by an infection of a previously legitimate website.<br />
Potentially unwanted: Direct kernel communication — When selected, the following is blocked:<br />
Applications that directly communicate with the Windows kernel or in kernel mode<br />
These might try to install a rootkit or to destabilize the system.<br />
Potentially unwanted: Privacy violation — When selected, the following is blocked: Potentially<br />
malicious code that accesses sensitive or private data<br />
This could result in eavesdropping on your clipboard content or reading registry keys.<br />
Network Behavior and DLP<br />
Settings for handling unknown browsers, unwanted programs, and data leakage<br />
Forbid unknown browsers to download executables — When selected, requests for downloading<br />
executables submitted by unknown browsers are blocked<br />
Block requests sent by PUPs — When selected, requests sent by potentially unwanted programs<br />
(PUPs) are blocked<br />
Treat as request sent by a PUP if probability is at least — Slider scale to set the probability<br />
(in percent) for classifying a request as being sent by a potentially unwanted program<br />
Detect unsolicited POSTs — When selected, unsolicited POST requests, which could enable data<br />
leakage, are detected<br />
URL filtering<br />
The appliance filters URLs to block inappropriate or malicious content. This section gives an overview of<br />
the URL filtering process and describes how you can modify it.<br />
URL filtering process<br />
Several elements work together in the URL filtering process on the appliance. These include:<br />
• Filtering rules that control the process<br />
• A whitelist and blocking lists that are used by rules to exempt some URLs from filtering and block<br />
others<br />
• The URL filter module, which is called by suitable rules to retrieve information on URL categories and<br />
reputation scores from the Global Threat Intelligence system<br />
Filtering rules<br />
The rules that control the URL filtering process are contained in a URL filtering rule set. One of these<br />
rules says, for example, that access to a URL is blocked if it matches an entry on a blocking list.<br />
Another rule blocks URLs if they belong to a category that is on a blocking list. This rule calls the URL<br />
filter module to retrieve category information for URLs from the Global Threat Intelligence system.<br />
Another rule works in a similar way to block URLs that have a bad reputation.<br />
A whitelisting rule exempts URLs from filtering if they match entries on the list used by the rule. This<br />
rule is placed and processed before the blocking rules. If it applies, the blocking rules are skipped and<br />
no URL filtering is performed for the whitelisted objects.<br />
You can review these rules, modify or delete them, and also create your own rules.<br />
For more information, see Rules for URL filtering.<br />
Whitelist and blocking lists<br />
A whitelist is used by a whitelisting rule to let particular URLs skip the blocking rule, which means there<br />
is no URL filtering for these objects.<br />
Note: Since a URL filtering rule set handles only URL filtering, whitelists are not needed for several types of<br />
objects as they are in virus and malware filtering.<br />
Blocking lists are used by rules for blocking URLs according to the categories they belong to or because<br />
they match an entry on a list. Each of the blocking rules uses its own list.<br />
You can add entries to these lists or remove entries. You can also create your own lists and let them be<br />
used by the whitelisting rules.<br />
For more information, see Whitelist and blocking lists for URL filtering.<br />
Filter module<br />
The module for URL filtering retrieves information on URL categories and reputation scores from the<br />
Global Threat Intelligence system that is maintained by <strong>McAfee</strong>. Based on this information, blocking<br />
rules block access to URLs. The module name is URL Filter.<br />
You can configure settings for this module, for example, to let it include category information retrieved<br />
from an Extended List that you provide or to perform a DNS lookup for URLs and include the<br />
corresponding IP address in the search for category information.<br />
For more information, see Module for URL filtering.<br />
Rules for URL filtering<br />
Rules that filter URLs are contained in a URL filtering rule set. This section explains an individual<br />
filtering rule and describes the rules in a URL filtering rule set.<br />
A rule set for URL filtering usually includes a blocking rule that blocks access to URLs per category and<br />
one that blocks access according to reputation. A whitelisting rule exempts URLs that should not get<br />
blocked from filtering.<br />
The whitelisting rule is placed before the blocking rules, so it is processed before them. If a requested<br />
URL matches an entry on the whitelist, the rule applies. It stops the processing of the rule set, so the<br />
blocking rules are not processed and cannot apply.<br />
A rule set like this is usually included when the wizard creates a system of rule sets. It is also included<br />
in the default system. There can be several URL filtering rule sets in a rule set system, containing rules<br />
that apply to different user groups.<br />
URL filtering rule sets can differ from each other in that they use different blocking lists and whitelists.<br />
They do not differ, however, in their basic structure, which combines a whitelisting rule with blocking<br />
rules that block URLs individually or according to their categories and reputation scores.<br />
View the implemented URL filtering rules<br />
The URL filtering rules that are implemented on the appliance can be viewed on the user interface.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to the rule set that contains the URL filtering rules, which is by default named<br />
URL Filtering. The individual rules appear on the settings pane.<br />
3 On the settings pane, click Show Details. Rule conditions and events are displayed for each rule.<br />
You can modify these rules, delete them, and also create your own rules.<br />
URL filtering rule<br />
This section explains a category blocking rule, which is a key rule type in URL filtering.<br />
Note: The rule is shown here in a notation that comes close to how it appears on the user interface.<br />
Name<br />
Block URLs whose category is in URL Category BlockList<br />
Criteria Action<br />
URL.Categories at least one in list Category BlockList –> Block<br />
In plain text, this rule can be rephrased as follows:<br />
If a URL belongs to a category that is on a blocking list, block access to it.<br />
The property of the rule criteria is URL.Categories. This property is checked for a given URL and the URL<br />
Filter module is called to find the categories the URL belongs to. If these are on the specified blocking<br />
list, the criteria is matched and the rule applies.<br />
The rule then executes its action, which is the Block action. It blocks access to the URL. If a URL<br />
belongs to more than one category, it is blocked if any of these categories is on the list.<br />
The URL.Categories property has the Default settings specified for it. This means the module that<br />
retrieves the category information runs with these settings. The settings determine, for example,<br />
whether a DNS lookup is performed for a URL and category information also searched for based on the<br />
corresponding IP address.<br />
The Block action also has settings. These specify a message that is sent to a user who is affected by the<br />
action.<br />
For this URL blocking rule, the URL Blocked settings are specified, which means that the message<br />
mentions the category that a requested URL belongs to as the reason for the blocking.<br />
URL Filtering (rule set)<br />
This section describes the URL Filtering library rule set.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — URL Filtering<br />
Criteria — Always<br />
Cycles — Requests (and IM)<br />
The rule set contains the following rules:<br />
Allow URLs that match in URL WhiteList<br />
URL matches in list URLWhiteList –> Stop Rule Set<br />
The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is,<br />
processing of the rule set stops and the blocking rules that follow the whitelisting rule are not<br />
processed.<br />
You can use this rule to exempt URLs from filtering to make sure they are available to the users of<br />
your network and do not get blocked by any of the following blocking rules. Whitelisting also<br />
increases performance because it avoids the effort of retrieving information about the respective<br />
URLs.<br />
Block URLs that match in URL BlockList<br />
URL matches in list URL BlockList –> Block — Statistics.Counter.Increment<br />
(“BlockedByURLFilter”,1)<br />
The rule uses the URL property to check whether a given URL is on the specified blocking list. If it<br />
is, processing of all rules stops and the request for access to the URL is not passed on to the<br />
appropriate web server. Access to it is blocked this way.<br />
The action settings specify a message to the requesting user.<br />
The rule also uses an event to count blocking due to virus and malware infections. The event<br />
parameters specify the counter that is incremented and the size of the increment. The event<br />
settings specify the settings of the Statistics module, which executes the counting.<br />
Enable SafeSearchEnforcer<br />
Always –> Continue — Enable SafeSearchEnforcer<br />
The rule enables the SafeSearchEnforcer, which is an additional module for filtering access to web<br />
sites with adult content.<br />
The enabling is done by executing an event. The settings of the module are specified with the<br />
event.<br />
Processing continues with the next rule.<br />
Allow uncategorized URLs<br />
List.OfCategory.IsEmpty(URL.Categories) equals true –> Stop Rule Set<br />
The rule uses the List.OfCategory.IsEmpty property, which has the URL.Categories property as a<br />
parameter, to check whether the list of categories for categorizing a URL is empty. This would<br />
mean that the URL is uncategorized, as it could not be assigned to any of the existing categories.<br />
Specifying the URL.Categories property as a parameter ensures that it is a particular list of<br />
categories that is checked. It is the list that is the value of this property.<br />
To provide a list of categories as the value for the URL.Categories property, the URL Filter module<br />
is called, which retrieves this list from the Global Threat Intelligence system. The module runs with<br />
the specified Default settings.<br />
If a URL is uncategorized, processing of the rule set stops and the blocking rules that follow this<br />
rule are not processed. The request for the URL is forwarded to the appropriate web server and,<br />
unless access to the URL is blocked in the response or embedded object cycle, the user is allowed<br />
to access the web object that was requested by submitting the URL.<br />
For information on how to modify this rule to let it execute a block action, see Modify a filtering rule<br />
to block uncategorized URLs.<br />
Block URLs whose category is in URL Category BlockList<br />
URL.Categories at least one in list Category BlockList –> Block<br />
— Statistics.Counter.Increment (“BlockedByURLFilter”,1)<br />
The rule uses the URL.Categories property to check whether one of the categories a given URL<br />
belongs to is on the specified blocking list. The URL Filter module, which is called to retrieve<br />
information on these categories, runs with the Default settings, as specified with the property.<br />
If one of the URL’s categories is on the list, processing of all rules stops and the request for access<br />
to the URL is not passed on to the appropriate web server. Access to it is blocked this way.<br />
The URLBlocked action settings specify that the user who requested this access is notified of the<br />
blocking.<br />
The rule also uses an event to count blocking due to URL filtering in the same way as the blocking<br />
rule for individual URLs in this rule set.<br />
Block URLs with bad reputation<br />
URL.IsHighRisk equals true –> Block — Statistics.Counter.Increment<br />
(“BlockedByURLFilter”,1)<br />
The rule uses the URL.IsHighRisk property to find out whether a URL has a reputation that lets<br />
access to it appear as a high risk. If the value for this property is true, processing of all rules stops<br />
and the request for access to the URL is not passed on to the appropriate web server. Access to it<br />
is blocked this way.<br />
The reputation score is retrieved by the Global Threat Intelligence module, which runs with the<br />
settings specified after the property.<br />
The URLBlocked action settings specify that the user who requested this access is notified of the<br />
blocking.<br />
The rule also uses an event to count blocking due to URL filtering in the same way as the blocking<br />
rule for individual URLs in this rule set.<br />
Modify a filtering rule to block uncategorized URLs<br />
You can modify a filtering rule that allows uncategorized URLs to let it block these URLs.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for URL filtering, for example, the default<br />
URL Filtering rule set. The rules appear on the settings pane.<br />
3 Select the rule Allow uncategorized URLs and click Edit. The Edit Rule window opens.<br />
4 Select Action and from the list of actions, select Block.<br />
5 Select Name and in the Name field type Block in the place of the word Allow.<br />
6 Click Finish. The window closes and the modified rule appears on the settings pane.<br />
7 Click Save Changes.<br />
The modified rule uses the same criteria as the default rule to detect uncategorized URLs. However,<br />
instead of allowing them, it blocks them. It also stops the processing of all other rules and sends a<br />
block message to the user who requested access to the URL. Processing continues when the next user<br />
request is received on the appliance.<br />
If you want to keep the default rule (in disabled state), use the Copy and Paste buttons above the list of<br />
rules to copy the default rule and apply your modifications to the copied rule.<br />
The Move up and Move down buttons allow you to move the additional rule to the appropriate position,<br />
which should be immediately before or after the old rule.<br />
By selecting or deselecting the Enabled checkbox in each rule line, you can easily switch between the<br />
rules if a change in your web security policy should require it.<br />
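The processing order of the URL Filtering rule set described above, together with the effect of switching Allow uncategorized URLs to Block, can be traced in a small model. This is an added example, not McAfee code: the lookup tables are constructed sample data standing in for the URL Filter module, and shell-style globs are assumed as a stand-in for the appliance's wildcard expressions.

```python
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample data standing in for what the URL Filter module would
# retrieve; host names are placeholders, category names are ones the guide uses.
CATEGORIES = {
    "shop.example": ["Online Shopping"],
    "trips.example": ["Travel"],
    "cdn.partner.example": ["Malicious Sites"],
}
HIGH_RISK = {"trips.example", "cdn.partner.example", "new-site.example"}


@dataclass
class Policy:
    url_whitelist: list = field(default_factory=list)       # wildcard expressions
    url_blocklist: list = field(default_factory=list)       # wildcard expressions
    category_blocklist: list = field(default_factory=list)  # category names
    block_uncategorized: bool = False  # True models the modified rule


@dataclass
class Verdict:
    action: str   # "Stop Rule Set", "Block", or "Continue" (end of rule set reached)
    rule: str     # name of the rule that applied
    lookups: int  # category/reputation lookups performed before the verdict


def matches(url, patterns):
    # Assumption: shell-style globs approximate the appliance's wildcard syntax.
    return any(fnmatchcase(url, p) for p in patterns)


def evaluate(url, policy, counters):
    """Process one request through the rules in the order the guide lists them."""
    host = urlsplit(url).hostname or ""
    lookups = 0

    def block(rule, count=True):
        if count:  # event Statistics.Counter.Increment("BlockedByURLFilter", 1)
            counters["BlockedByURLFilter"] += 1
        return Verdict("Block", rule, lookups)

    if matches(url, policy.url_whitelist):
        # Stops the rule set before any category or reputation lookup happens.
        return Verdict("Stop Rule Set", "Allow URLs that match in URL WhiteList", lookups)
    if matches(url, policy.url_blocklist):
        return block("Block URLs that match in URL BlockList")
    # "Enable SafeSearchEnforcer" is Always -> Continue, so it never ends processing.

    categories = CATEGORIES.get(host, [])  # URL.Categories
    lookups += 1
    if not categories:                     # List.OfCategory.IsEmpty(URL.Categories)
        if policy.block_uncategorized:
            # The edit procedure changes only action and name; no counter event is added.
            return block("Block uncategorized URLs", count=False)
        return Verdict("Stop Rule Set", "Allow uncategorized URLs", lookups)
    if any(c in policy.category_blocklist for c in categories):
        return block("Block URLs whose category is in URL Category BlockList")

    lookups += 1                           # URL.IsHighRisk
    if host in HIGH_RISK:
        return block("Block URLs with bad reputation")
    return Verdict("Continue", "(no rule applied)", lookups)


if __name__ == "__main__":
    counters = Counter()
    default = Policy(url_whitelist=["*://*.partner.example/*"],
                     category_blocklist=["Online Shopping", "Malicious Sites"])
    strict = Policy(category_blocklist=["Online Shopping", "Malicious Sites"],
                    block_uncategorized=True)
    for name, policy in (("default", default), ("strict", strict)):
        for url in ("http://cdn.partner.example/lib.js", "http://shop.example/cart",
                    "http://trips.example/", "http://new-site.example/"):
            print(name, url, evaluate(url, policy, counters))
    print(dict(counters))
```

With the default rule, the uncategorized sample host leaves the rule set before the reputation rule is processed, and the whitelisted host is never looked up at all, which is why whitelist expressions should be kept as narrow as possible.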
Whitelist and blocking lists for URL filtering<br />
You can maintain different lists for use by the URL filtering rules. This section provides information on<br />
how this is done and describes some sample lists.<br />
The URL filtering rules use the following types of lists:<br />
• URL whitelist — List of wildcard expressions<br />
URLs that match these expressions are allowed by a whitelisting rule to skip URL filtering.<br />
• URL category blocking list — List of URL categories<br />
URLs that belong to these categories are blocked by a blocking rule.<br />
• URL blocking list — Lists of wildcard expressions<br />
URLs that match these expressions are blocked by a blocking rule.<br />
The procedures used to maintain URL filter lists differ according to the list type. For example, to add<br />
URL categories to a category blocking list, you select them from category folders.<br />
Adding entries to a whitelist for individual URLs is done in the same way as for a virus and malware<br />
filtering whitelist. You enter wildcard expressions on the list, and requested URLs are then matched against them.<br />
Adding entries to a blocking list for individual URLs is also done in this way.<br />
For more information on these lists, see Sample lists for URL filtering.<br />
For information on adding entries to blocking lists and whitelists, see Add a URL category to a blocking<br />
list and Add a wildcard expression to a virus and malware filtering whitelist for URLs.<br />
Sample lists for URL filtering<br />
This section describes several sample lists that are used by the rules of the library URL filtering rule set.<br />
When you import the rule set from the library, these lists are also imported. You can find them on the<br />
Lists tab of the Policy top-level menu, sorted by their names.<br />
For general information on how to maintain lists, see List maintenance.<br />
URL WhiteList<br />
Library list of wildcard expressions for URLs<br />
Type — Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-4 URL WhiteList<br />
Option Definition<br />
Wildcard Expression Wildcard expression for URLs<br />
Comment Plain-text comment on the wildcard expression<br />
Category BlockList<br />
Library list of URL categories<br />
Type — Category<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-5 Category BlockList<br />
Option Definition<br />
Category URL category<br />
Comment Plain-text comment on the category<br />
URL BlockList<br />
Library list of wildcard expressions for URLs<br />
Type — Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-6 URL BlockList<br />
Option Definition<br />
Wildcard Expression Wildcard expression for URLs<br />
Comment Plain-text comment on the wildcard expression<br />
Add a URL category to a blocking list<br />
You can add a URL category to a blocking list to block access to all URLs falling into that category.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for URL filtering. The rules appear on the<br />
settings pane.<br />
3 Find the rule that uses a category blocking list, for example, Block URLs whose category is in<br />
Category BlockList, and click on the list name.<br />
Note: A yellow triangle by the list name indicates that this list is empty and you need to fill the entries.<br />
The Edit List (Category) window opens.<br />
4 Expand the group folder with the category you want to block, for example, Purchasing, and select the<br />
category, for example, Online Shopping.<br />
Note: To add multiple categories at once, select multiple categories or one or multiple group folders.<br />
5 Click OK. The window closes and the category appears on the blocking list.<br />
6 Click Save Changes.<br />
For more information on how to maintain lists, see List maintenance.<br />
Extended Lists for blocking URLs per category<br />
You can maintain Extended Lists of URLs that you have assigned to categories yourself. These lists can<br />
be included when the URL filter module retrieves category information. This section tells you how to<br />
add and edit an Extended list.<br />
Add an Extended List<br />
This section tells you how to add an Extended List of URLs with categorizations of your own.<br />
Complete the following procedure to add this list:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to URL Filter and select the settings you want to<br />
configure, for example, Default.<br />
3 Under Extended List, click Add. The Add List window opens.<br />
4 [Optional] In the Comment field, type a plain-text comment on the list and on the Permissions tab,<br />
configure who is allowed access to it.<br />
5 Click OK & Edit. The Edit List (Extended List Element) window opens.<br />
6 To add a list entry:<br />
a Click Add. The Add Extended List Element window opens.<br />
b Configure the following:<br />
• Protocol — Network protocol that must be used if categorization and, eventually, blocking is<br />
to be applied for a URL<br />
For example, if FTP is specified here, categories are not looked up and blocking is never applied<br />
when requests are sent under HTTP or HTTPS.<br />
• URL — URL that is categorized<br />
c Under Categories, click the Edit symbol. An Edit window opens with a list of group folders<br />
containing URL categories.<br />
d Expand the folder with the category you want to assign the URL to, for example, Lifestyle, and<br />
select the checkbox next to this category, for example, Travel.<br />
Note: Repeat this substep if you want to add more than one category.<br />
e Click OK. The Edit window closes and the category or categories appear on the list in the Add<br />
Extended List Element window.<br />
7 Click OK. The Add Extended List Element window closes and the new entry appears on the Extended<br />
List in the Edit List (Extended List Element) window.<br />
Note: Repeat steps 6 and 7 if you want to add more entries to the Extended List.<br />
8 Click OK. The Edit List (Extended List Element) window closes and the new list appears:<br />
• On the lists tree under Extended List Element<br />
• Under the Extended List options of the Default settings for the URL Filter module<br />
9 Click Save Changes.<br />
Edit an Extended List<br />
This section explains how you edit an Extended List to modify your categorizations of URLs.<br />
Complete the following procedure to edit this list:<br />
1 Go to Policy | Lists.<br />
2 On the lists tree, go to Extended List Element and select the Extended List you want to edit. The<br />
list entries appear on the settings pane.<br />
3 Edit the list, using the items on the toolbar above the entries. The following table describes the list<br />
entries:<br />
Table 6-7 Extended List<br />
Option Definition<br />
Protocol Network protocol that must be used if categorization and, eventually, blocking is to be<br />
applied for a URL<br />
URL URL that is categorized<br />
Categories URL categories that the URL is assigned to<br />
Comment Plain-text comment on the URL<br />
4 Click Save Changes.<br />
For more information on how to maintain lists, see List maintenance.<br />
Module for URL filtering<br />
You can configure the module for URL filtering to let it retrieve information on URLs in different ways.<br />
This section explains how this is done and describes the module settings.<br />
The name of the module for URL filtering is URL Filter. It is also known as URL Filter engine. When this<br />
module is called by a URL filtering rule to retrieve information on particular URLs, it connects to the<br />
Global Threat Intelligence (GTI) system. This system provides information on categories and<br />
reputation scores for URLs, based on the content of the corresponding web pages.<br />
Various technologies, such as link crawlers, security forensics, honeypot networks, sophisticated<br />
auto-rating tools, and customer logs are used to gather this information. An international, multi-lingual<br />
team of McAfee web analysts evaluates the information and enters URLs under particular categories<br />
into a database.<br />
To gather information on the reputation of a URL, its behavior on a worldwide real-time basis is<br />
analyzed, for example, where a URL shows up in the web, its domain behavior, and other details.<br />
Configure the URL Filter module<br />
To configure settings for the URL Filter module:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select the rule set that contains rules for URL filtering. The rules appear on the<br />
settings pane.<br />
3 Find the rule that uses a category blocking list, for example, Block URLs whose category is in<br />
Category BlockList. The settings of the URL filter module appear within the rule criteria next to the<br />
URL.Categories property. Their name is, for example, Default.<br />
4 Click on the settings name. The Edit Settings window opens.<br />
5 Configure these settings as needed.<br />
6 Click Save Changes.<br />
For more information on these settings, see Settings for the URL Filter module.<br />
Settings for the URL Filter module<br />
This section describes the settings for the URL Filter module, which is the module that retrieves<br />
information from the Global Threat Intelligence system.<br />
Default<br />
Default settings for the URL Filter module<br />
Extended List<br />
Settings for Extended Lists<br />
Use the extended list — List for selecting an Extended List<br />
Add — Opens the Add List window for adding an Extended List<br />
Edit — Opens the Edit List (Extended List) window for editing the selected Extended List<br />
Rating Settings<br />
Settings for retrieving rating information on URLs based on categories and reputation scores<br />
Search the CGI parameters for rating — When selected, CGI parameters are included in the search<br />
for information<br />
CGI (Common Gateway Interface) parameters in a URL trigger scripts or programs when the URL is<br />
accessed. Information on CGIs can affect the categorization of a URL.<br />
Search for and rate embedded URLs — When selected, embedded URLs are included in the search<br />
for information and rated. Information on an embedded URL can affect the categorization of the<br />
embedding URL<br />
Note: Searching for embedded URLs can reduce performance.<br />
Do a forward DNS lookup to rate URLs — When selected, a DNS lookup is performed for a URL that<br />
no relevant information has been found for<br />
The IP address that was looked up is used for another search.<br />
Do a backward DNS lookup for unrated IP-based URLs — When selected, a backward DNS<br />
lookup, based on its IP address, is performed for a URL that no relevant information has been found for<br />
The host name that was looked up is used for another search.<br />
Use the built-in keyword list — When selected, the built-in keyword list is included in the search<br />
Only use online GTI web reputation and categorization services — When selected, information<br />
on URL categories and reputation scores is only retrieved from the Global Threat Intelligence system<br />
Use online GTI web reputation and categorization services if local rating yields no results —<br />
When selected, information on URL categories and reputation scores is only retrieved from the Global<br />
Threat Intelligence system if the search in the internal database yielded no results<br />
Use default GTI server for web reputation and categorization services — When selected, the<br />
appliance connects to the default server for retrieving information on URL categories and reputation<br />
scores from the Global Threat Intelligence system<br />
Note: When this option is not selected, the following options for using a non-default server are accessible.<br />
IP of the server — IP address of the server used to connect to the Global Threat Intelligence<br />
system when the default server is not used<br />
Format: or or <br />
Regular IPv6 addresses cannot be specified here.<br />
Port of the server — Port number of the port on this server that listens to requests from the<br />
appliance<br />
Allowed range: 1 – 65535<br />
Advanced Settings<br />
Advanced settings for the URL Filter module<br />
Force rating attempts to run in synchronous mode — When selected, the search is performed in<br />
synchronous mode<br />
Searching in synchronous mode means that if the Global Threat Intelligence system is involved, the<br />
appliance connects to the Global Threat Intelligence server for processing a particular request and does<br />
not begin with processing other requests before the server has responded and processing of the first<br />
request has been completed.<br />
Note: Using this option will reduce performance if the Global Threat Intelligence server is slow in responding.<br />
Treat connection problems to the cloud as errors — When selected, problems arising on the<br />
connection from the appliance to the Global Threat Intelligence server are logged as errors<br />
Properties for error handling are set and eventually rules from an Error Handler rule set are executed.<br />
Do a backward DNS lookup also for private addresses — When selected, private IP addresses<br />
are included in the backward DNS lookup<br />
Excluding these addresses from the lookup leads to an increase in performance for URL filtering.<br />
Note: This option is disabled by default.<br />
The lookup includes the following types of addresses:<br />
• IPv4<br />
• Private addresses<br />
• Zeroconf addresses<br />
• IPv6<br />
• Link local addresses<br />
• Site local addresses<br />
• Unique local addresses<br />
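The address types listed above can be recognized with Python's ipaddress module, which shows which IP-based URLs are left out of the backward DNS lookup while the private-address option is disabled. This is an added example, not McAfee code: the network ranges are the standard definitions of these address types and are assumed to be what the appliance means, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Standard ranges for the address types the guide lists. Assumption: the guide
# gives only the type names, not the ranges the appliance uses.
EXCLUDED = [
    ("IPv4 private", ipaddress.ip_network("10.0.0.0/8")),
    ("IPv4 private", ipaddress.ip_network("172.16.0.0/12")),
    ("IPv4 private", ipaddress.ip_network("192.168.0.0/16")),
    ("IPv4 zeroconf", ipaddress.ip_network("169.254.0.0/16")),
    ("IPv6 link local", ipaddress.ip_network("fe80::/10")),
    ("IPv6 site local", ipaddress.ip_network("fec0::/10")),
    ("IPv6 unique local", ipaddress.ip_network("fc00::/7")),
]


def address_type(host):
    """Return the guide's address type for an IP literal, "public" for any
    other IP address, or None when the host is a name rather than an address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is judged by its IPv4 part.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for label, network in EXCLUDED:
        if ip.version == network.version and ip in network:
            return label
    return "public"


def backward_lookup(url, rated, private_too=False):
    """Model "Do a backward DNS lookup for unrated IP-based URLs".

    rated       -- True when earlier searches already found information
    private_too -- models "Do a backward DNS lookup also for private addresses"
    Returns (lookup_performed, reason).
    """
    kind = address_type(urlsplit(url).hostname or "")
    if rated:
        return (False, "already rated")
    if kind is None:
        return (False, "not an IP-based URL")
    if kind != "public" and not private_too:
        return (False, kind + " excluded")
    return (True, kind)


if __name__ == "__main__":
    # Constructed sample requests using documentation and private address ranges.
    for url in ("http://192.168.1.10:8080/admin", "http://[fd12:3456::1]/",
                "http://198.51.100.7/", "http://intranet.example/"):
        print(url, backward_lookup(url, rated=False))
```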
Proxy Settings<br />
Settings for configuring a proxy the appliance can use to connect to the Global Threat Intelligence<br />
system<br />
Use upstream proxy — When selected, the appliance uses a proxy for connecting to the Global<br />
Threat Intelligence server on which lookups for URL category information, also known as “in-the-cloud”<br />
lookups, can be performed<br />
IP or name of the proxy — IP address or host name of the proxy<br />
Port of the proxy — Number of the port on the proxy that listens for lookup requests from the<br />
appliance<br />
User name — User name for the appliance when logging on to the proxy<br />
Password — Password for the appliance<br />
Set — Opens a window for setting the password<br />
Logging<br />
Settings for logging URL filtering activities on the appliance<br />
Enable logging — When selected, URL filtering activities are logged on the appliance<br />
Note: If this option is not selected, the following logging options are grayed out.<br />
Log level — List for selecting the log level<br />
Log levels are as follows:<br />
• 00 FATAL — Logs only fatal errors<br />
• 01 ERRORS — Logs all errors<br />
• 02 WARNING — Logs errors and warnings<br />
• 03 INFO — Logs errors, warnings, and additional information<br />
• 04 DEBUG1 ... 013 DEBUG9 — Log information required for debugging URL filtering activities<br />
The amount of logged information increases from level DEBUG1 to DEBUG9.<br />
• 14 TRACE — Logs information required for tracing URL filtering activities<br />
• 15 ALL — Logs all URL filtering activities<br />
(Log area) — Settings for including different areas of URL filtering activities into the logging<br />
• LOG_AREA_ALL — When selected, all URL filtering activities are logged<br />
• LOG_AREA_NETWORK — When selected, activities regarding the network connections used for<br />
URL filtering are logged<br />
• LOG_AREA_DATABASE_SEARCH — When selected, activities regarding the retrieval of data for<br />
URL filtering from the internal database are logged<br />
• LOG_AREA_DNS — When selected, activities regarding a DNS lookup that is performed for URL<br />
filtering are logged<br />
• LOG_AREA_URL — When selected, activities for handling URLs, such as parsing them, are logged<br />
• LOG_AREA_CLOUD — When selected, activities regarding the retrieval of information from the<br />
Global Threat Intelligence system are logged<br />
Different versions of URL category sets<br />
When individual URLs are assigned to categories under the Global Threat Intelligence system, a<br />
particular set of categories is used. You can configure which set you want to be used on the appliance.<br />
An example of how sets differ from each other is category splitting for malicious sites. Category Set 3<br />
has a single category named Malicious Sites. This category is kept in Category Set 4, but the categories<br />
Browser Exploits and Malicious Downloads are added to enable a more refined categorizing.<br />
After installing version 7.1 of the McAfee Web Gateway appliance (clean install), Category Set 4 is<br />
implemented on the appliance.<br />
After upgrading from a 7.0.x version to version 7.1, use of the category sets can require further action.<br />
There are two cases:<br />
• An older version uses Category Set 3 and one or more of the rules implemented in this version use<br />
directly a category that is affected by a change under Category Set 4.<br />
For example, a rule includes the following criteria:<br />
URL.Categories contains Malicious Sites<br />
Under Category Set 4, use of the Malicious Sites category has become ambiguous because it is<br />
unclear whether the category itself should be used or one of the two categories that were split off<br />
from it. You can then continue to use Category Set 3 on your appliance or explicitly migrate to<br />
Category Set 4. A function for this is provided on the user interface.<br />
If you migrate to Category Set 4, all rule sets that are affected by the migration appear on the<br />
user interface marked in red color. You then need to modify these rule sets manually to resolve<br />
conflicts arising from the migration. For example, you can select one of the two categories that<br />
were split off from Malicious Sites to replace the former category in criteria where it is used<br />
directly.<br />
• An older version uses Category Set 3 and none of the rules implemented in this version use directly<br />
a category that is affected by a change under Category Set 4.<br />
For example, a category list contains the Malicious Sites category. Then the two categories that<br />
were split off from it are added to the list.<br />
Migration from Category Set 3 to 4 is then performed as part of the upgrade. No further action<br />
regarding category sets is required from your side.<br />
For information on how to migrate from Category Set 3 to 4, see Migrate to Category Set 4.<br />
Migrate to Category Set 4<br />
To migrate the URL category set that is used on the appliance from version 3 to 4:<br />
1 Go to Configuration | Appliances.<br />
2 On the toolbar of the settings pane, click Migrate URL Filter category set from version 3 to 4.<br />
The set of URL categories used on the appliance changes from category set 3 to category set 4.<br />
Rule sets that use modified or abandoned categories are displayed in red within the rule sets tree.<br />
3 Review the rules in these rule sets and modify them as needed.<br />
4 Click Save Changes.<br />
Media type filtering<br />
The appliance filters media according to their types, based on rules that use appropriate filter lists, so<br />
particular text, audio, image, streaming, and other media can be blocked. This section explains media<br />
type filtering and tells you how to modify the rules and lists that are involved in the filtering.<br />
Rules for media type filtering<br />
Rules for media type filtering block and whitelist media types. This section explains how these rules<br />
work and how you can modify them. It also describes a media type filtering rule set from the library.<br />
A media type filtering rule set typically includes nested rule sets for controlling media upload and<br />
download. In each rule set, there is at least one rule that blocks media if their types are on a blocking<br />
list.<br />
There can be whitelisting rules that let media skip the blocking rule. There can also be several blocking<br />
rules to handle different media types or media types in different contexts, for example, media types<br />
embedded in archives. A special rule calls an opener module to open media.<br />
Note: Media type filtering rules can also be included in rule sets that are not media type filtering rule sets in<br />
the first place, for example, in virus and malware filtering rule sets.<br />
Media type filtering rule<br />
The following is an example of a rule for blocking media types.<br />
Note: The rule is shown here in a notation similar to the one used on the user interface.<br />
Name: Block types from list Download Media Type Blocklist<br />
Criteria: MediaType.EnsuredTypes at least one in list Download Media Type Blocklist<br />
Action: Block<br />
In plain text, this rule can be rephrased as follows:<br />
If media belongs to a type that is on a particular blocking list, block access to it.<br />
The rule criteria checks the MediaType.EnsuredTypes property. Media have this property if it can be<br />
ensured with a probability of more than 50% that they are of a particular type. This is the case if a<br />
signature from an internal list on the appliance can be found in the object code of the media.<br />
For media that have their types ensured in this sense, the rule looks up the specified blocking list to see<br />
whether they are on it. If they are, the criteria is matched and the rule applies. If media belong to<br />
multiple types, it is sufficient for one of them to be on the list to let the criteria match.<br />
The rule then executes the Block action. Processing of all rules stops and the media is not passed on to<br />
the user who requested it. This way, access to it is blocked.<br />
The settings of the Block action specify a message that is sent to a user who is affected by the action.<br />
The message mentions media type as the blocking reason.<br />
Media type filtering properties<br />
Most of the media type filtering rules in a library rule set use the MediaType.EnsuredTypes property.<br />
There are several other properties, however, which let rules behave differently when included in their<br />
criteria.<br />
There is, for example, the MediaType.NotEnsuredTypes property. If you use this property in the criteria<br />
of a blocking rule, the rule blocks media whose types are on a blocking list even if the probability that<br />
they actually are of this type is less than 50%. You could do this if you wanted to make sure a media<br />
type gets blocked under all circumstances.<br />
The following table lists the properties of the rules in a library rule set for media type filtering.<br />
Table 6-8 Media type filtering properties<br />
Property | Description<br />
MediaType.EnsuredTypes | Property of media that have their types ensured with a probability of more than 50%. This level of probability is assumed if a media type signature from an internal list on the appliance can be found in the object code of the media.<br />
MediaType.NotEnsuredTypes | Property of media for which the probability that they actually are of their respective types is less than 50%<br />
MediaType.FromFileExtension | Property of media for which types are assumed based on the extensions of the media type file names. Extensions and the media types associated with them are looked up in an internal catalog on the appliance. There are, however, extensions that are used by more than one media type.<br />
MediaType.FromHeader | Property of media for which types are assumed according to the content type field of the headers sent with the media. Headers are read and evaluated in a standardized format. To filter headers in their original formats, you can use the Header.Get property.<br />
MediaType.IsSupported | Property of embedded or archived media that can be extracted by the opener module of the appliance.<br />
List.OfMediaType.IsEmpty | Property of media with types that are not on an internal list<br />
For information on other properties, see the List of properties in the appendix. For a procedure to let a<br />
rule use a different property, see Modifying a media type filtering rule.<br />
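The following added example (not code from this guide or from the appliance) models three of the properties in Table 6-8 in Python to show how the same blocking rule behaves depending on the property in its criteria. The signature list, extension catalog, blocklist, and sample objects are constructed, and treating "ensured" as "a known signature starts the object" is a simplifying assumption.<br />

```python
import os
from dataclasses import dataclass

# Constructed stand-ins for the appliance's internal signature list and
# extension catalog; the real lists are not reproduced in the guide.
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]
EXTENSION_CATALOG = {
    ".exe": ["application/x-msdownload"],
    ".pdf": ["application/pdf"],
    ".png": ["image/png"],
    ".ogg": ["audio/ogg", "video/ogg"],  # one extension, several media types
}


@dataclass
class Media:
    filename: str
    content_type: str  # Content-Type header as sent with the media
    body: bytes


def ensured_types(media):
    """Types backed by a signature found in the object itself (assumed model)."""
    return [t for sig, t in SIGNATURES if media.body.startswith(sig)]


def from_header(media):
    """Type assumed from the Content-Type header, parameters stripped."""
    value = media.content_type.split(";", 1)[0].strip().lower()
    return [value] if value else []


def from_file_extension(media):
    """Types assumed from the file name extension."""
    ext = os.path.splitext(media.filename)[1].lower()
    return EXTENSION_CATALOG.get(ext, [])


PROPERTIES = {
    "MediaType.EnsuredTypes": ensured_types,
    "MediaType.FromHeader": from_header,
    "MediaType.FromFileExtension": from_file_extension,
}


def rule_action(media, prop, blocklist):
    """Model of '<prop> at least one in list <blocklist> -> Block'."""
    types = PROPERTIES[prop](media)
    return "Block" if any(t in blocklist for t in types) else "Continue"


def declared_type_conflicts(media):
    """True when a signature was found and a declared type disagrees with it."""
    ensured = set(ensured_types(media))
    if not ensured:
        return False  # nothing ensured, so nothing to compare against
    header = set(from_header(media))
    ext = set(from_file_extension(media))
    return bool(header and not header & ensured) or bool(ext and not ext & ensured)


# Constructed Download Media Type Blocklist and sample objects.
BLOCKLIST = {"application/x-msdownload"}
SAMPLES = {
    "labelled_pdf": Media("report.pdf", "application/pdf", b"MZ" + b"\x00" * 16),
    "real_png": Media("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "no_signature": Media("tool.exe", "application/x-msdownload", b"\x00" * 20),
}

if __name__ == "__main__":
    for label, media in SAMPLES.items():
        actions = {p: rule_action(media, p, BLOCKLIST) for p in PROPERTIES}
        print(label, actions, "conflict:", declared_type_conflicts(media))
```

In this model the object whose content and label disagree is blocked only by the rule keyed on MediaType.EnsuredTypes, while the object without a recognizable signature is blocked only by the rules keyed on the header or the extension.<br />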
Processing data in MIME format<br />
<strong>Web</strong> objects can be filtered on the appliance when they are multi-part objects transmitted in MIME<br />
(Multi-Purpose Internet Mail Extension) format, which is used for data sent in POST messages. Several<br />
MIME type filtering properties are available for configuring within filtering rules.<br />
The MIME format provides a header and header parameters for each part of a multi-part object, for<br />
example, for each member of an archive. The information contained in a MIME header and its<br />
parameters specifies the type of the object in question. The format is also known as<br />
multipart/form-data format.<br />
You can use the Composite Opener module of the appliance in a rule to open multi-part objects that are<br />
transmitted in MIME format and extract individual parts from it. You can then block or allow these parts<br />
depending on whether a particular header or header parameter is sent with them, or depending on the<br />
value that a header or header parameter has.<br />
You can set up rules for this using special MIME data filtering properties. These rules are similar to the<br />
ones you can use for media type filtering.<br />
The following table lists the MIME data filtering properties that are available on the appliance:<br />
Table 6-9 MIME data filtering properties<br />
Property | Description<br />
Body.HasMimeHeader | Boolean property that is true if the body of a part that was extracted from a multi-part object has a MIME header with a given name<br />
Body.HasMimeHeaderParameter | Boolean property that is true if the body of a part that was extracted from a multi-part object has a MIME header parameter with a given name<br />
Body.MimeHeaderValue | Property filled with a string that is the value of a given MIME header<br />
Body.MimeHeaderParameterValue | Property filled with a string that is the value of a given MIME header parameter<br />
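The following added example (not code from this guide or from the appliance) uses Python's email package to split a constructed multipart/form-data POST body into parts and to answer, per part, the four questions that the properties in Table 6-9 answer. The function names, the header-plus-parameter calling convention, the blocked extension and type lists, and the request body are assumptions made for the illustration.<br />

```python
import email
import email.utils
import os

# Constructed upload request: one text field and two file parts.
REQUEST_CONTENT_TYPE = "multipart/form-data; boundary=XBOUND"
REQUEST_BODY = (
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"quarterly numbers attached\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="sheet"; filename="payroll.xlsx"\r\n'
    b"Content-Type: application/vnd.ms-excel\r\n"
    b"\r\n"
    b"(constructed spreadsheet bytes)\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="tool"; filename="Setup.EXE"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"(constructed binary bytes)\r\n"
    b"--XBOUND--\r\n"
)

BLOCKED_EXTENSIONS = {".exe", ".scr"}          # constructed policy
BLOCKED_TYPES = {"application/x-msdownload"}   # constructed policy


def open_multipart(content_type, body):
    """Split a multi-part body into its parts (stand-in for the opener step)."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    message = email.message_from_bytes(raw)
    return message.get_payload() if message.is_multipart() else []


def has_mime_header(part, name):
    return name in part  # header names compare case-insensitively


def mime_header_value(part, name):
    return part.get(name, "")


def has_mime_header_parameter(part, header, param):
    return part.get_param(param, header=header) is not None


def mime_header_parameter_value(part, header, param):
    value = part.get_param(param, failobj="", header=header)
    # RFC 2231 encoded parameters (filename*=...) come back as a 3-tuple.
    return email.utils.collapse_rfc2231_value(value)


def decide(part):
    """Block a part by upload file name extension or by declared type."""
    if has_mime_header_parameter(part, "Content-Disposition", "filename"):
        name = mime_header_parameter_value(part, "Content-Disposition", "filename")
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            return "Block"
    if has_mime_header(part, "Content-Type"):
        declared = mime_header_value(part, "Content-Type")
        if declared.split(";", 1)[0].strip().lower() in BLOCKED_TYPES:
            return "Block"
    return "Allow"


def filter_upload(content_type, body):
    """Return (form field name, decision) for every part of the request."""
    return [
        (mime_header_parameter_value(p, "Content-Disposition", "name"), decide(p))
        for p in open_multipart(content_type, body)
    ]


if __name__ == "__main__":
    for field, decision in filter_upload(REQUEST_CONTENT_TYPE, REQUEST_BODY):
        print(field, decision)
```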
Media Type Filtering (rule set)<br />
This section describes the rules of a library rule set for filtering the upload and download of media<br />
types.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Media Type Filtering<br />
Criteria — Always<br />
Cycles — Requests (and IM), responses, embedded objects<br />
The following rule sets are nested in this rule set.<br />
• Upload Media Type<br />
Note: This rule set is not enabled by default.<br />
• Download Media Types<br />
Upload Media Type<br />
This nested rule set blocks the upload of media belonging to particular media types. It is processed in<br />
request cycles when users request to upload media to the web, as well as in embedded object cycles<br />
when objects are embedded in media.<br />
Nested library rule set — Upload Media Type<br />
Criteria — Always<br />
Cycle — Requests (and IM) and embedded objects<br />
The rule set contains the following rule:<br />
Block types from list Upload Media Type Blocklist<br />
MediaType.EnsuredTypes at least one in list Upload Media Type Blocklist –> Block — Statistics.Counter.Increment (“BlockedByMediaFilter”, 1)<br />
The rule uses the MediaType.EnsuredTypes property to check whether media that have their types<br />
ensured are on the specified list. If they are, access to the media is blocked and<br />
processing of the rules stops.<br />
The rule uses an event to count blocking due to media type filtering. The event parameters specify<br />
the counter that is incremented and the size of the increment. The event settings specify the<br />
settings of the Statistics module, which executes the counting.<br />
Processing continues with the next request that is received on the appliance.<br />
Download Media Types<br />
This nested rule set blocks the download of media belonging to particular media types. It is processed<br />
in response cycles when web servers send media in response to user requests for downloading them, as<br />
well as in embedded object cycles when objects are embedded in media.<br />
Nested library rule set — Download Media Types<br />
Criteria — Always<br />
Cycle — Responses and embedded objects<br />
The rule set contains the following rule:<br />
Block types from Download Media Type Blocklist<br />
MediaType.EnsuredTypes at least one in list Download Media Type Blocklist –> Block — Statistics.Counter.Increment (“BlockedByMediaFilter”, 1)<br />
The rule uses the MediaType.EnsuredTypes property to check whether media that have their types<br />
ensured are on the specified list. If they are, access to the media is blocked and<br />
processing of the rules stops.<br />
The rule uses an event to count blocking due to media type filtering. The event parameters specify<br />
the counter that is incremented and the size of the increment. The event settings specify the<br />
settings of the Statistics module, which executes the counting.<br />
Processing continues with the next request that is received on the appliance.<br />
Modifying a media type filtering rule<br />
You can modify a media type filtering rule to filter a different kind of media types by changing the<br />
property in the rule criteria. This section tells you how to do this and how to create a new filter list for use<br />
by the modified rule.<br />
Create a filter list for a modified rule<br />
To create a new filter list for use in a modified media type filtering rule:<br />
1 Go to Policy | Lists.<br />
2 On the Custom Lists branch of the lists tree, select Media Type and click Add. The Add List window<br />
opens.<br />
3 In the Name field, type a name for the new list, for example, Not Ensured Download Media Type<br />
Blocklist.<br />
4 [Optional] In the Comment field, type a plain-text comment on the new list and on the Permissions<br />
tab, configure who is allowed to access it.<br />
5 Click OK. The Add List window closes and the new list is inserted on the lists tree under MediaType.<br />
6 Go to Policy | Rule Sets.<br />
7 On the rule sets tree, select a rule set for media type downloads, for example, Media Type<br />
Download.<br />
Before a media type filtering rule can make use of the new list, you need to fill it with entries, so the rule<br />
knows what to block or allow.<br />
For information on filling a list for media type filtering, see Add a media type to a media type filter list.<br />
Change a property in a media type filtering rule<br />
To let a media type filtering rule filter a different kind of media types, you can, for example, replace the<br />
MediaType.EnsuredTypes property in the rule criteria with MediaType.NotEnsuredTypes.<br />
To replace this property:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select a rule set for media type filtering, for example, the nested Download<br />
Media Type rule set in the Media Type Filtering rule set.<br />
3 Select a rule, for example, Block types from Download Media Type Blocklist, and click Edit. The<br />
Edit Rule window opens.<br />
4 Select Rule Criteria and under Criteria select the rule. Then click Edit. The Edit Criteria window<br />
opens.<br />
5 From the drop-down list under Property select a new property, for example,<br />
MediaType.NotEnsuredTypes (instead of MediaType.EnsuredTypes).<br />
6 From the list under Parameter – Value, select Not Ensured Download Media Type Blocklist.<br />
7 Click OK and then Finish to close the windows. The modified rule appears on the settings pane.<br />
8 Click Save Changes.<br />
The modified rule blocks not ensured media types that are on your new list.<br />
If you want to keep the old rule to have rules for both filtering ensured and not ensured media types,<br />
use the Copy and Paste buttons above the list of rules to copy the old rule and apply your modifications<br />
to the copied rule.<br />
The Move up and Move down buttons allow you to move the additional rule to the appropriate position,<br />
which should be immediately before or after the old rule.<br />
Lists for media type filtering<br />
You can maintain lists for media type filtering. This section explains different types of these lists and<br />
some sample lists that are used by the library rules. It also describes how you add a media type to a<br />
list.<br />
Media type lists contain different kinds of media, such as text, audio, image, streaming, and others.<br />
When editing these lists, you do not type names of media types, but select them from folders. Some<br />
lists are provided by the system and cannot be edited at all. You can use them only as they are.<br />
Apart from being system or user-maintained lists, lists used in media type filtering are the same with<br />
regard to editing. However, you can use them for different purposes and this way have blocking lists,<br />
whitelists, upload lists, download lists, or even upload blocking lists, upload whitelists, and so on.<br />
The following is an overview of the kinds of media type filtering lists you can use on the appliance.<br />
However, you can also create and use lists and list types other than these.<br />
• Upload whitelists and blocking lists — Lists of media types that users are allowed or not allowed to upload<br />
to the web<br />
• Download whitelists and blocking lists — Lists of media types that are allowed or not allowed when users<br />
attempt to download them from the web<br />
With regard to editing, media type filtering lists can be:<br />
• Custom lists — Can be reviewed and edited like all other custom lists<br />
• System lists — Are provided by the appliance system and cannot be edited<br />
There are system lists for text, audio, image, streaming, and other media types.<br />
You can view these lists under System Lists | Media Types on the Lists tab of the Policy<br />
top-level menu.<br />
If you see, for example, that a media type is on a system list used by a blocking rule, but do not<br />
want this media type to be blocked, you cannot remove it from the list. However, you can modify<br />
the rule so that it uses a custom list without the media type in question instead of the system list.<br />
Sample lists for media type filtering<br />
This section describes some sample lists used by the Media Type Filtering rule set from the library.<br />
When you import the rule set, these lists are also imported. You can find them on the Lists tab of the<br />
Policy top-level menu, sorted by their names.<br />
For general information on how to maintain lists, see List maintenance.<br />
Upload Media Type Blocklist<br />
List of media types that are blocked when users attempt to upload them to the web<br />
Type — Media Type<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-10 Upload Media Type Blocklist<br />
Option | Definition<br />
Media type | Media type that is not allowed for uploading to the web<br />
Comment | Plain-text comment on a media type<br />
Download Media Type Blocklist<br />
List of media types that are blocked when users attempt to download them from the web.<br />
Type — Media Type<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-11 Media Type Blocklist<br />
Option | Definition<br />
Media type | Media type that is not allowed for downloading from the web<br />
Comment | Plain-text comment on a media type<br />
Add a media type to a media type filter list<br />
You can add a media type to a list for media type filtering.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, go to a rule set that contains rules for media filtering, for example, the nested<br />
Download Media Types rule set of the Media Type Filtering rule set and select it. The rules<br />
appear on the settings pane.<br />
3 Select the rule Block types from Media Type Blocklist and click on the list name. The Edit List<br />
(MediaType) window opens.<br />
4 Click Edit. An Edit window opens. It displays a list of group folders with media types.<br />
5 Expand the group folder with the media type you want to add, for example, Audio, and select the<br />
media type, for example, audio/mp4.<br />
Note: To add multiple media types at once, select multiple media types or one or multiple group folders.<br />
6 Click OK. The window closes and the media type appears on the filter list.<br />
7 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance.<br />
HTML filtering<br />
The appliance can filter HTML pages and remove embedded objects from them. This section explains<br />
HTML filtering and describes the rules, lists and module settings involved in the filtering process.<br />
Rules for HTML filtering typically say whether objects embedded in HTML pages should be removed<br />
or kept. They evaluate object types and also use filter lists. They call an opener module to make<br />
embedded objects accessible for filtering.<br />
The types of objects HTML filtering can remove include the following:<br />
• Java applets — Are embedded in HTML pages (unlike the stand-alone Java applications) and run,<br />
once their certificates are accepted, with all privileges of the current user<br />
• ActiveX controls — Run with all privileges of the user<br />
• Scripts — Include JavaScript, JScript, and Visual Basic Script<br />
• Media types — Include text, audio, image, streaming, and other media types<br />
Rules for HTML filtering<br />
To enable HTML filtering on the appliance, a rule set containing appropriate rules must be implemented.<br />
This section describes a sample rule set from the rule set library.<br />
After the initial setup, an HTML filtering rule set is not implemented on the appliance. You can import<br />
the HTML Filtering rule set from the library and modify it according to your requirements or create a<br />
rule set of your own.<br />
For more information, see Import a rule set and HTML Filtering (rule set).<br />
HTML Filtering (rule set)<br />
This section describes the rules of a library rule set for HTML Filtering.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — HTML Filtering<br />
Criteria — Always<br />
Cycles — Requests (and IM), responses, embedded objects<br />
The rule set contains a rule and the following two nested rule sets:<br />
• Enable HTML Filtering<br />
• HTML Filtering<br />
The following rule is contained in the rule set in addition to the nested rules sets:<br />
Remove Content-Encoding header<br />
Always –> Continue — Header.RemoveAll (“Accept-Encoding”)<br />
The rule uses an event to remove the content encoding header from a request.<br />
This header is not needed because filtering is only applied to the content, which is eventually sent<br />
in not encoded format to the user who requested it. The name of the header is specified by the<br />
event parameter.<br />
Processing continues with the next rule set.<br />
Enable HTML Filtering<br />
This nested rule set prepares HTML filtering by enabling the HTML opener and removing a header<br />
element.<br />
Nested library rule set — Enable HTML Filtering<br />
Criteria — Always<br />
Cycles — Requests (and IM) and responses<br />
The rule set contains the following rule:<br />
Enable HTML opener<br />
Always –> Continue — Enable HTML Opener<br />
The rule uses an event to enable the HTML opener. The settings of this module are specified with<br />
the event.<br />
Processing continues with the next rule.<br />
Remove header for “Content-Length”<br />
Always –> Continue — Header.RemoveAll (“Content-Length”)<br />
The rule uses an event to remove the header providing the content length from a request.<br />
Processing continues with the next rule set.<br />
HTML Filtering (nested rule set)<br />
This nested rule set removes different types of objects embedded in HTML pages, using a nested rule<br />
set for each type.<br />
Nested library rule set — HTML Filtering<br />
Criteria — MediaType.EnsuredTypes contains text/html<br />
Cycles — Embedded objects<br />
The following rule sets are nested in this rule set:<br />
• Embedded Objects<br />
• Embedded Scripts<br />
• ActiveX Controls<br />
Note: This rule set is not enabled by default.<br />
• Advertising Filter<br />
Note: This rule set is not enabled by default.<br />
Embedded Objects<br />
This nested rule set removes Java applets embedded in HTML pages, as well as other embedded media<br />
types if they are on a blocking list.<br />
It is processed in the embedded object cycle when these objects are sent with requests or responses.<br />
Nested library rule set — Embedded Objects<br />
Criteria — Always<br />
Cycle — Embedded objects<br />
The rule set contains the following rules:<br />
Java applets<br />
HTMLElement.Name equals “APPLET” OR (<br />
HTMLElement.Name equals “OBJECT” AND<br />
HTMLElement.HasAttribute (“codetype”) equals true AND<br />
HTMLElement.Attribute (“codetype”) equals “application/java”) –> Remove<br />
The rule uses several HTMLElement ... properties to remove an element from an HTML page if it is<br />
found that particular values are true for these properties. An element is removed if its name is<br />
APPLET or if its name is OBJECT and has a code type attribute with application/java as its value.<br />
Processing of the embedded object cycle stops then and the HTML page is forwarded without the<br />
removed element to the user who requested it or to the web if a user attempted to upload it.<br />
Stop if element is not interesting<br />
(HTMLElement.Name does not equal “OBJECT” AND<br />
HTMLElement.Name does not equal “embed”) OR<br />
HTMLElement.HasAttribute (“type”) equals false –> Stop Rule Set<br />
The rule uses several HTMLElement ... properties to check whether an element need not be<br />
removed. An element need not be removed if its name is neither OBJECT nor embed or if it has no<br />
type attribute at all.<br />
Processing of the rule set stops then, so the rule that removes elements from HTML pages (and<br />
follows this rule in the rule set) is not processed. Processing continues with the next rule set.<br />
Default action for unlisted media types<br />
HTMLElement.Attribute (“type”) is not in list Media Type Whitelist AND<br />
HTMLElement.Attribute (“type”) is not in list Media Type Blocklist –> Stop Rule Set<br />
The rule uses the HTMLElement.Attribute property to check whether an element is of a type that is<br />
neither on the relevant whitelist nor the blocking list. In this case, a default action is executed,<br />
which for this rule is Stop Rule Set.<br />
Processing of the rule set stops then, so the whitelisting and blocking rules for media types that<br />
follow in the rule set are not processed. Processing continues with the next rule set.<br />
Handle whitelisted media types<br />
HTMLElement.Attribute (“type”) is in list Mediatype whitelist<br />
The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a<br />
media type whitelist. If it is, the rule applies.<br />
Processing of the rule set stops then, so the removing rule that follows this rule in the rule set is<br />
not processed. Processing continues with the next rule set.<br />
Note: This rule is not enabled by default.<br />
Handle blocklisted media types<br />
HTMLElement.Attribute (“type”) is in list Mediatype blocklist –> Remove<br />
The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a<br />
media type blocklist. If it is, the rule applies and the media type in question is removed from the<br />
HTML page.<br />
Processing of the embedded object cycle stops then and the HTML page is forwarded without the<br />
removed element to the user who requested it or to the web if a user attempted to upload it.<br />
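The following added example (not code from this guide or from the appliance) walks the five rules of the Embedded Objects rule set over a constructed HTML fragment in Python to make the effect of rule order visible, including a media type that sits on both lists. It assumes that element names are compared case-insensitively and that the whitelist rule, when enabled, stops the rule set as its description says; the list contents are constructed.<br />

```python
from html.parser import HTMLParser

# Constructed list contents; Flash is on both lists on purpose.
MEDIA_TYPE_WHITELIST = {"application/pdf", "application/x-shockwave-flash"}
MEDIA_TYPE_BLOCKLIST = {"application/x-shockwave-flash"}

# Constructed HTML fragment with one element per case.
SAMPLE_HTML = """
<img src="logo.png">
<applet code="Clock.class"></applet>
<object codetype="application/java" classid="java:Clock.class"></object>
<object type="application/x-shockwave-flash" data="banner.swf"></object>
<embed type="application/pdf" src="manual.pdf">
<embed type="video/quicktime" src="clip.mov">
<object data="unknown.bin"></object>
"""


class ElementCollector(HTMLParser):
    """Collects (name, attributes) for every start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, {k: (v or "") for k, v in attrs}))


def embedded_objects(name, attrs, whitelist, blocklist, whitelist_rule_enabled=False):
    """Return (action, rule name) for one element; the first matching rule wins."""
    name = name.upper()  # assumption: names are compared case-insensitively
    if name == "APPLET" or (
        name == "OBJECT"
        and "codetype" in attrs
        and attrs["codetype"].lower() == "application/java"
    ):
        return ("Remove", "Java applets")
    if name not in ("OBJECT", "EMBED") or "type" not in attrs:
        return ("Stop Rule Set", "Stop if element is not interesting")
    media_type = attrs["type"].lower()
    if media_type not in whitelist and media_type not in blocklist:
        return ("Stop Rule Set", "Default action for unlisted media types")
    # This rule is not enabled by default in the library rule set.
    if whitelist_rule_enabled and media_type in whitelist:
        return ("Stop Rule Set", "Handle whitelisted media types")
    if media_type in blocklist:
        return ("Remove", "Handle blocklisted media types")
    return ("Continue", "no rule matched")


def filter_page(html, whitelist_rule_enabled=False):
    """Return (element name, action, rule name) for each element in the page."""
    collector = ElementCollector()
    collector.feed(html)
    collector.close()
    return [
        (tag,) + embedded_objects(
            tag, attrs, MEDIA_TYPE_WHITELIST, MEDIA_TYPE_BLOCKLIST,
            whitelist_rule_enabled,
        )
        for tag, attrs in collector.elements
    ]


if __name__ == "__main__":
    for enabled in (False, True):
        print("whitelist rule enabled:", enabled)
        for row in filter_page(SAMPLE_HTML, enabled):
            print("  ", row)
```

With the whitelist rule left disabled, the type that is on both lists reaches the blocklist rule and is removed; with the rule enabled, it is kept.<br />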
Embedded Scripts<br />
This nested rule set removes script code embedded in HTML pages, providing options for keeping some<br />
code types.<br />
It is processed in the embedded object cycle when this code is sent with requests or responses.<br />
Nested library rule set — Embedded Scripts<br />
Criteria — HTMLElement.Name equals “SCRIPT”<br />
Cycle — Embedded objects<br />
The rule criteria specifies that the rule set applies when an element of the script type is embedded in<br />
an HTML page.<br />
The rule set contains the following rules:<br />
Variable resetter<br />
Always –> Continue – Set User-Defined.removeOneScript = false<br />
The rule sets the User-Defined.removeOneScript property to false, so the break rules that follow<br />
this rule later in the rule set do not apply. Processing continues with the next rule.<br />
Note: This rule is not enabled by default.<br />
JavaScript<br />
HTMLElement.Script.Type (“type”) equals “text/javascript” –> Stop Rule Set<br />
– Set User-Defined.removeOneScript = true<br />
The rule uses the HTMLElement.Script.Type property to check whether an element is of the<br />
JavaScript type. If it is, the rule applies.<br />
Processing of the rule set stops then, so the rule that removes script code at the end of the rule set<br />
is not processed. This way, the embedded script code is kept in the HTML page. Processing<br />
continues with the next rule set.<br />
If you want to remove JavaScript code, replace the Stop Rule Set by the Remove action.<br />
The rule also sets the User-Defined.removeOneScript property to true. This property is evaluated<br />
by the break rule that follows this JavaScript rule.<br />
When this rule applies with Stop Rule Set or Remove as its action, processing of the rule set is<br />
stopped. If you let the rule use an action that does not stop the rule set, you can enable the break<br />
rule. It will find that the value for the User-Defined.removeOneScript property is true and stop<br />
processing of the rule set accordingly.<br />
To reset the value of the User-Defined.removeOneScript property to false, you need to enable the<br />
reset rule at the beginning of the rule set. With this value for the property, the break rules of the<br />
rule set will not apply.<br />
Break;<br />
User-Defined.removeOneScript equals true –> Stop Rule Set<br />
The rule stops processing of the rule set if the User-Defined.removeOneScript property has true as<br />
its value. Processing continues with the next rule set.<br />
Note: This rule is not enabled by default.<br />
JScript<br />
HTMLElement.Script.Type equals “text/jscript” –> Stop Rule Set<br />
– Set User-Defined.removeOneScript = true<br />
This rule removes or keeps JScript within HTML pages in the same way as the JavaScript rule.<br />
Break;<br />
User-Defined.removeOneScript equals true –> Stop Rule Set<br />
This rule works in the same way as the break rule that follows the JavaScript rule.<br />
Note: This rule is not enabled by default.<br />
Visual Basic script<br />
HTMLElement.Script.Type “text/vbscript” equals “vbscript”<br />
–> Stop Rule Set – Set User-Defined.removeOneScript = true<br />
This rule removes or keeps Visual Basic script within HTML pages in the same way as the JavaScript rule.<br />
Break;<br />
User-Defined.removeOneScript equals true –> Stop Rule Set<br />
This rule works in the same way as the break rule that follows the JavaScript rule.<br />
Note: This rule is not enabled by default.<br />
Other scripts<br />
Always –> Remove<br />
The rule removes all embedded script code from HTML pages, unless it is kept from doing so by<br />
one of the rules preceding it in the rule set. These can stop the rule set before the process reaches<br />
the removing rule. They can do so for JavaScript, JScript, and Visual Basic script code if enabled.<br />
If you want this to happen for other script code as well, you can add appropriate rules.<br />
The break rules of the rule set can also stop it and let the removing rule not be processed.<br />
If the removing rule is processed, it stops processing of the embedded objects cycle. Processing<br />
then continues with the next cycle.<br />
ActiveX Controls<br />
This nested rule set removes ActiveX controls embedded in HTML pages.<br />
It is processed in the embedded object cycle when these objects are sent with requests or responses.<br />
Note: This rule set is not enabled by default.<br />
Nested library rule set — ActiveX Controls<br />
Criteria — Always<br />
Cycle — Embedded objects<br />
The rule set contains several rules and the nested Filter ActiveX in Scripts rule set.<br />
Advertising Filter<br />
The nested Advertising Filter library rule set removes advertising elements embedded in HTML pages,<br />
such as images, layers, forms, and others.<br />
It is processed in the embedded object cycle when these objects are sent with requests or responses.<br />
Note: This rule set is not enabled by default.<br />
Nested library rule set — Advertising Filter<br />
Criteria — Always<br />
Cycle — Embedded objects<br />
The rule set contains a rule and the following nested rule sets:<br />
• Link Filter<br />
• Dimension Filter<br />
• Popup Filter<br />
• Script Filter<br />
Sample lists for HTML filtering<br />
You can maintain lists for use by HTML filtering rules. This section describes some sample lists that are<br />
used by the rules in the HTML Filtering library rule set.<br />
When you import this rule set, these lists are implemented. You can find them on the Lists tab of the<br />
Policy top-level menu, sorted by their types and names.<br />
For general information on how to maintain lists, see List maintenance.<br />
Media Type Whitelist<br />
List of media types embedded in HTML pages you want to keep<br />
Type — String<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-12 Media Type Blocklist<br />
Option Definition<br />
Media type Media type that is kept during HTML filtering<br />
Comment Plain-text comment on the media type<br />
Media Type String Blocklist<br />
List of media types embedded in HTML pages you want to remove<br />
Type — String<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-13 Media Type String Blocklist<br />
Option Definition<br />
Media type Media type that is removed by HTML filtering<br />
Comment Plain-text comment on a media type<br />
Module for opening objects embedded in HTML pages<br />
A rule in an HTML filtering rule set can call an opener module to open objects embedded in HTML pages<br />
to make them accessible for filtering. This section explains how to configure settings for this module.<br />
Configure the HTML opener<br />
You can configure settings for the module that opens objects embedded in HTML pages.<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to Enable.HTMLOpener and select the settings you<br />
want to configure, for example, HTML Filtering.<br />
3 Configure these settings as needed.<br />
4 Click Save Changes.<br />
For more information on these settings, see HTML Opener engine settings.<br />
HTML Opener engine settings<br />
You can configure the HTML Opener engine settings. These are settings for the module that opens<br />
objects embedded in HTML pages to make them accessible for filtering.<br />
Note: These settings can be configured on the Settings tab of the Policy top-level menu.<br />
HTML Opener Configuration<br />
Settings for the HTML opener<br />
(HTML Opener list) — List of objects embedded in an HTML page that the module should open<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 6-14 HTML Opener list<br />
Option Definition<br />
Node name Type of an object that the HTML opener should open.<br />
Only open start tags When selected, the HTML opener opens only start tags, which contain the attributes<br />
that are checked by the rules.<br />
Comment Plain-text comment on the element<br />
Only open elements that refer to external sources — When selected, the HTML opener opens<br />
only these elements, for example, when pictures are transmitted from an external server<br />
You can select this option if you think that HTML pages stored on the local server can be trusted and<br />
need not have elements removed.<br />
Global whitelisting<br />
URLs and other web objects can be placed on global whitelists to skip all further filtering for related<br />
requests. This section explains global whitelisting and describes a library rule set for this function, as<br />
well as some lists used by the whitelisting rules.<br />
Rules for global whitelisting<br />
This section explains what a global whitelisting rule set does and describes a sample library rule set.<br />
A rule set for global whitelisting contains at least one whitelisting rule for a particular object type, for<br />
example, for URLs. The rule uses a list to stop the filtering cycle for web objects that have been entered<br />
onto it.<br />
The rule set is typically placed at the beginning of a rule set system and before the rule sets that do<br />
virus and malware filtering, URL filtering, and other filtering jobs. This way, all these rule sets are not<br />
processed in the current cycle when the rule or rules of the global whitelisting rule set apply.<br />
The impact of the rule set is global because it does not only disable a particular kind of filtering, but all<br />
filtering that would have been executed after it in the filtering process.<br />
Global Whitelist<br />
This section describes the rules in a library rule set that exempts requests from all further filtering when<br />
they are related to web objects on particular lists.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Global Whitelist<br />
Criteria — Always<br />
Cycle — Requests (and IM), responses, embedded objects<br />
The rule set contains the following rules:<br />
Client IP is in list Allowed Clients<br />
Client.IP is in list Allowed Clients –> Stop Cycle<br />
The rule uses the Client.IP property to check whether the IP address of a client that a request was<br />
sent from is on the specified whitelist. If it is, the rule applies and stops the current processing<br />
cycle. The request is then forwarded to the appropriate web server.<br />
URL.Host matches in list Global Whitelist<br />
URL.Host matches in list Global Whitelist –> Stop Cycle<br />
The rule uses the URL.Host property to check whether the host that a URL sent in a request<br />
provides access to is on the specified whitelist. If it is, the rule applies and stops the current<br />
processing cycle. The request is then forwarded to the web server that is the requested host.<br />
Global whitelists<br />
You can maintain lists for use by global whitelisting rules. This section describes some sample lists and<br />
tells you how to add a web object to a global whitelist.<br />
Sample lists for global whitelisting<br />
The sample lists described here are used by the rules in the Global Whitelist library rule set. After<br />
importing the rule set, you will find them on the Lists tab of the Policy top-level menu, sorted by their<br />
names.<br />
For general information on how to maintain lists, see List maintenance.<br />
Global Whitelist<br />
List of wildcard expressions for hosts that URLs provide access to<br />
Type — Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-15 Global Whitelist<br />
Option Definition<br />
Wildcard Expression Wildcard expression for hosts<br />
Comment Plain-text comment on a wildcard expression<br />
Allowed Clients<br />
List of IP addresses for clients<br />
Type — IP<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-16 URL WhiteList<br />
Option Definition<br />
IP IP address of a client<br />
Comment Plain-text comment on an IP address<br />
Add a wildcard expression to a global whitelist for URLs<br />
You can add a wildcard expression to a whitelist used by a global whitelisting rule to exempt requests<br />
from further filtering when they submit URLs providing access to hosts that match the expression.<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, select a rule set that contains rules for global whitelisting, for example Global<br />
Whitelist. The rules appear on the settings pane.<br />
3 Find the rule that uses a whitelist to exempt requests when they submit URLs for hosts matching the<br />
wildcard expressions on the list, for example, URL.Host matches in list Global Whitelist and click<br />
on the list name.<br />
Note: A yellow triangle by the list name indicates that this list is empty and you need to fill the entries.<br />
The Edit List (Wildcard Expression) window opens.<br />
4 Click Add. The Add Wildcard Expression window opens.<br />
5 In the Wildcard expression field, type a wildcard expression.<br />
Note: To add multiple wildcard expressions at once, click Add multiple and type every wildcard<br />
expression in a new line.<br />
6 [Optional] In the Comment field, type a comment on the wildcard expression.<br />
7 Click OK. The window closes and the wildcard expression appears on the whitelist.<br />
8 Click Save Changes.<br />
For more information on how to maintain a list, see List maintenance. For the types of wildcard<br />
expressions that are allowed in the list, see Wildcard expressions.<br />
SSL scanning<br />
SSL-secured requests can be inspected by an SSL scanning module before other appliance functions<br />
filter them. This section explains the SSL scanning process and tells you how you can modify it.<br />
The rules in a rule set for SSL scanning call the SSL scanning module to let it verify the certificates sent<br />
with SSL-secured requests. If certificate verification does not lead to blocking a request, the rules call<br />
the module to enable content inspection and have the request filtered by the other implemented rule<br />
sets.<br />
The rules also handle the CONNECT request that SSL-secured communication begins with if it does not<br />
use the transparent mode. Whitelists of hosts and certificates can be used to skip certificate verification<br />
and content inspection.<br />
Rules for SSL scanning<br />
To use SSL scanning on the appliance, a rule set containing appropriate rules must be implemented.<br />
This section describes a sample rule set from the library.<br />
A rule set for SSL scanning contains rules for handling the different types of requests that a client sends<br />
to the appliance in SSL-secured communication and for enabling certificate verification and content<br />
inspection. Other rules whitelist requests if, for example, the host or the certificate that a request is<br />
related to are on a whitelist.<br />
SSL Scanner<br />
This section describes the rules in a library rule set for SSL scanning.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — SSL Scanner<br />
Criteria — Always<br />
Cycle — Requests (and IM)<br />
The following rule sets are nested in this rule set:<br />
• Handle Connect Call<br />
• Certificate Verification<br />
• Verify Common Name (proxy setup)<br />
• Content Inspection<br />
• Verify Common Name (transparent setup)<br />
Handle CONNECT Call<br />
This nested rule set handles the CONNECT call in SSL-secured communication and enables certificate<br />
verification.<br />
Nested library rule set — Handle Connect Call<br />
Criteria — Command.Name equals “CONNECT”<br />
Cycle — Requests (and IM)<br />
The rule criteria specifies that the rule set applies if a request is received on the appliance that contains<br />
the CONNECT command, which is sent in the opening phase of an SSL-secured connection.<br />
The rule set contains the following rules:<br />
Set client context<br />
Always –> Continue — Enable SSL Client Context with CA <br />
The rule enables the use of a server certificate that is sent to a client. The event settings specify the<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> root certificate authority (CA), which is implemented on the appliance after<br />
the initial setup, as the default issuer of this certificate.<br />
Tunneled hosts<br />
URL.Host is in list SSL Host Tunnel List –> Stop Cycle<br />
The rule lets requests for access to hosts with a URL that is on the specified whitelist skip SSL<br />
scanning.<br />
Restrict destination ports to Allowed CONNECT Ports<br />
URL.Port is not in list Allowed Connect Ports –> Block<br />
The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports.<br />
The action settings specify a message to the requesting user.<br />
Enable certificate verification without EDH for hosts in no-EDH server list<br />
URL.Host is in list No-EDH server –> Stop Rule Set — Enable SSL Scanner<br />
The rule enables the certificate verification for requests sent from a host on the no-EDH<br />
(Ephemeral Diffie-Hellman) server list.<br />
The event settings specify running in verification mode for the SSL scanning module and a special<br />
cipher string for data encryption on non-EDH hosts.<br />
Enable certificate verification<br />
Always –> Stop Rule Set — Enable SSL Scanner<br />
The rule enables certificate verification. The event settings specify that the SSL scanning module<br />
runs in verification mode.<br />
Certificate Verification<br />
This nested rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted<br />
certificates skip verification and blocks others according to particular criteria.<br />
Nested library rule set — Certificate Verification<br />
Criteria — Command.Name equals “CERTVERIFY”<br />
Cycle — Requests (and IM)<br />
The rule criteria specifies that the rule set applies if a request is received on the appliance that contains<br />
the CERTVERIFY command, which is sent to request the verification of a certificate.<br />
The rule set contains the following rules:<br />
Skip verification for certificates found in Certificate Whitelist<br />
SSL.Server.Certificate.HostAndCertificate is in list Certificate Whitelist –> Stop Rule Set<br />
The rule lets whitelisted certificates skip verification.<br />
Block self-signed certificates<br />
SSL.Server.Certificate.SelfSigned equals true –> Block <br />
The rule blocks requests with self-signed certificates. The action settings specify a message to the<br />
requesting user.<br />
Block expired server (7 day tolerance) and expired CA certificates<br />
SSL.Server.Certificate.DaysExpired greater than 7 OR<br />
SSL.Server.CertificateChain.ContainsExpiredCA equals true –> Block <br />
The rule blocks requests with expired server and CA certificates. The action settings specify a<br />
message to the requesting user.<br />
Block too long certificate chains<br />
SSL.Server.CertificateChain.PathLengthExceeded equals true –> Block <br />
The rule blocks a certificate chain if it exceeds the path length.<br />
The settings in the property specify a list for the module that checks the certificate authorities. The<br />
action settings specify a message to the requesting user.<br />
Block revoked certificates<br />
SSL.Server.CertificateChain.ContainsRevoked equals true –> Block <br />
The rule blocks a certificate chain if one of the included certificates has been revoked.<br />
The settings in the property specify a list for the module that checks the certificate authorities. The<br />
action settings specify a message to the requesting user.<br />
Block unknown certificate authorities<br />
SSL.Server.CertificateChain.FoundKnownCA equals false –> Block <br />
The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included<br />
certificates is a known CA. The settings in the property specify a list for the module that checks<br />
the certificate authorities.<br />
The action settings specify a message to the requesting user.<br />
Block untrusted certificate authorities<br />
SSL.Server.FirstKnownCAIsTrusted equals false –> Block <br />
The rule blocks a certificate chain if the first known CA that was found is not trusted. The settings<br />
in the property specify a list for the module that checks the certificate authorities.<br />
The action settings specify a message to the requesting user.<br />
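
The rule order of the Certificate Verification rule set, applied to a leaf-first certificate chain, as an added sketch that is not the product's implementation. The property names come from the rules above; how each property is derived from the chain, the trust data, and the sample certificates are assumptions constructed for the example.

```python
import re
from datetime import date

# Constructed trust data for the example (assumptions, not product values).
KNOWN_CAS = {"Example Root CA": True, "Legacy Partner CA": False}  # name -> trusted?
REVOKED_SERIALS = {"0BAD"}
CERTIFICATE_WHITELIST = [(r"intranet\.example\.test", "intranet.example.test")]  # (host regex, certificate)
TODAY = date(2011, 6, 15)


def cert(subject, issuer, not_after, serial, is_ca=False, path_len=None):
    return {"subject": subject, "issuer": issuer, "not_after": not_after,
            "serial": serial, "is_ca": is_ca, "path_len": path_len}


ISSUING_CA = cert("Example Issuing CA", "Example Root CA", date(2015, 1, 1),
                  "0002", is_ca=True, path_len=0)


def leaf(not_after, issuer="Example Issuing CA", subject="www.example.test", serial="0001"):
    return cert(subject, issuer, not_after, serial)


def chain_properties(chain, today):
    """Derive the facts the rules test from a leaf-first chain (assumed semantics)."""
    server, cas = chain[0], chain[1:]
    # Issuers of the included certificates that are known CAs, walking up from the leaf.
    known = [c["issuer"] for c in chain if c["issuer"] in KNOWN_CAS]
    # A CA at position i has i-1 CA certificates between it and the leaf; a path
    # length constraint of n allows at most n of them.
    too_long = any(c["path_len"] is not None and i - 1 > c["path_len"]
                   for i, c in enumerate(chain) if i >= 1)
    return {
        # Modelled as subject == issuer; a real check also verifies the signature.
        "SelfSigned": server["subject"] == server["issuer"],
        "DaysExpired": max(0, (today - server["not_after"]).days),
        "ContainsExpiredCA": any(c["not_after"] < today for c in cas),
        "PathLengthExceeded": too_long,
        "ContainsRevoked": any(c["serial"] in REVOKED_SERIALS for c in chain),
        "FoundKnownCA": bool(known),
        "FirstKnownCAIsTrusted": bool(known) and KNOWN_CAS[known[0]],
    }


def certificate_verification(host, chain, today=TODAY):
    """Return (action, rule name); the first rule that applies decides."""
    for host_regex, certificate in CERTIFICATE_WHITELIST:
        if certificate == chain[0]["subject"] and re.fullmatch(host_regex, host):
            return ("Stop Rule Set",
                    "Skip verification for certificates found in Certificate Whitelist")
    p = chain_properties(chain, today)
    rules = [
        ("Block self-signed certificates", p["SelfSigned"]),
        ("Block expired server (7 day tolerance) and expired CA certificates",
         p["DaysExpired"] > 7 or p["ContainsExpiredCA"]),
        ("Block too long certificate chains", p["PathLengthExceeded"]),
        ("Block revoked certificates", p["ContainsRevoked"]),
        ("Block unknown certificate authorities", not p["FoundKnownCA"]),
        ("Block untrusted certificate authorities", not p["FirstKnownCAIsTrusted"]),
    ]
    for name, applies in rules:
        if applies:
            return ("Block", name)
    return ("Continue", None)  # no rule applied; later rule sets are processed


if __name__ == "__main__":
    samples = {
        "expired 7 days": [leaf(date(2011, 6, 8)), ISSUING_CA],
        "expired 8 days": [leaf(date(2011, 6, 7)), ISSUING_CA],
        "untrusted issuer": [leaf(date(2012, 1, 1), issuer="Legacy Partner CA")],
    }
    for label, chain in samples.items():
        print(label, "->", certificate_verification("www.example.test", chain))
```

The 7-day tolerance applies only to the server certificate in this model: an expired CA certificate in the chain blocks the request on the first day.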
Verify Common Name (proxy setup)<br />
This nested rule set verifies the common name in a certificate. It applies only to requests sent in<br />
non-transparent mode.<br />
Nested library rule set — Verify Common Name (proxy setup)<br />
Criteria — Connection.SSL.TransparentCNHandling equals false<br />
Cycle — Requests (and IM)<br />
The rule criteria specifies that the rule set applies if a request is received through a connection used in<br />
SSL-secured communication and verification of the common name is not performed in transparent<br />
mode.<br />
The rule set contains the following rules:<br />
Allow matching hostname<br />
URL.Host equals Certificate.SSL.CN –> Stop Rule Set<br />
The rule allows a request if the URL of the requested host is the same as the common name in the<br />
certificate.<br />
Allow wildcard certificates<br />
Certificate.SSL.CN.HasWildcards equals true AND<br />
URL.Host matches.Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set<br />
The rule allows requests to hosts sending certificates that have wildcards in their common names<br />
matching the URLs of the hosts. To verify that a common name containing wildcards matches a<br />
host, this name is converted into a regular expression.<br />
Allow alternative common names<br />
URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set<br />
The rule allows requests to hosts with alternative common names in their certificates if the host<br />
matches at least one of them.<br />
Block incident<br />
Always –> Block <br />
If any of the rules for allowing matching common names applies, processing of the rule set stops<br />
and this rule is not processed. Otherwise, requests are blocked by this rule due to a common name<br />
mismatch. The action settings specify a message to the requesting user.<br />
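
The common name checks described above depend on how a wildcard common name is turned into a regular expression. The following added example (not the product's own conversion) models the four rules in their listed order and contrasts an anchored, escaped conversion with a naive one. The single-label wildcard restriction, the function names, and the sample host names are assumptions of this sketch.

```python
import re


def cn_to_regex(cn):
    """Turn a wildcard common name into an escaped regex for use with fullmatch().

    Assumptions of this sketch (not taken from the product): '*' may appear
    only in the leftmost label, stands for one or more characters of that
    single label, and the name must have at least three labels.
    Returns None when the common name breaks those assumptions.
    """
    labels = cn.lower().split(".")
    if len(labels) < 3 or any("*" in label for label in labels[1:]):
        return None
    # Escape every literal part so '.' only matches a dot, then let '*'
    # match inside one label ([^.]+ cannot cross a dot).
    literal_parts = [re.escape(part) for part in cn.lower().split("*")]
    return re.compile("[^.]+".join(literal_parts))


def naive_cn_to_regex(cn):
    """Weak conversion shown for contrast: dots stay regex metacharacters,
    '*' becomes '.*', and the result is typically used with search()."""
    return re.compile(cn.lower().replace("*", ".*"))


def verify_common_name(host, cn, alternative_cns=()):
    """Apply the four rules in the order the rule set lists them."""
    host = host.lower().rstrip(".")
    if host == cn.lower():
        return ("Stop Rule Set", "Allow matching hostname")
    if "*" in cn:
        pattern = cn_to_regex(cn)
        if pattern is not None and pattern.fullmatch(host):
            return ("Stop Rule Set", "Allow wildcard certificates")
    # List membership, as the rule is written on this page.
    if host in {name.lower() for name in alternative_cns}:
        return ("Stop Rule Set", "Allow alternative common names")
    return ("Block", "Block incident")


# Constructed host names and common names, for illustration only.
SAMPLES = [
    ("www.example.test", "www.example.test", ()),
    ("www.example.test", "*.example.test", ()),
    ("example.test", "*.example.test", ()),
    ("a.b.example.test", "*.example.test", ()),
    ("www.example.test.other.test", "*.example.test", ()),
    ("api.example.test", "www.example.test", ("api.example.test",)),
]

if __name__ == "__main__":
    for host, cn, alt in SAMPLES:
        print(host, cn, "->", verify_common_name(host, cn, alt))
    # The naive pattern accepts a host that merely contains the name.
    print(bool(naive_cn_to_regex("*.example.test").search("www.example.test.other.test")))
```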
Content Inspection<br />
This nested rule set completes the handling of a CERTVERIFY call. It lets some requests skip content<br />
inspection according to particular criteria and enables inspection for all others.<br />
Nested library rule set — Content Inspection<br />
Criteria — Command.Name equals “CERTVERIFY”<br />
Cycle — Requests (and IM)<br />
The rule criteria specifies that the rule set applies if a request is received on the appliance that contains<br />
the CERTVERIFY command, which is sent to request the verification of a certificate.<br />
The rule set contains the following rules:<br />
Skip content inspection for hosts found in SSL Inspection Whitelist<br />
Connection.SSL.Transparent equals false AND<br />
URL.Host matches in list SSL Inspection Whitelist –> Stop Rule Set<br />
The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in<br />
non-transparent mode.<br />
Skip content inspection for CN found in SSL Inspection Whitelist<br />
Connection.SSL.Transparent equals true AND<br />
Certificate.SSL.CN matches in list SSL Inspection Whitelist –> Stop Rule Set<br />
The rule lets requests with whitelisted common names in their certificates skip content inspection.<br />
It applies only in transparent mode.<br />
Note: This rule is not enabled by default.<br />
Do not inspect connections with client certificates<br />
Connection.Client.CertificateIsRequested equals true –> Stop Rule Set<br />
The rule lets requests skip inspection if they require the use of client certificates.<br />
Note: This rule is not enabled by default.<br />
Enable content inspection<br />
Always –> Continue — Enable SSL Scanner<br />
The rule enables content inspection. The event settings specify that the SSL scanning module runs<br />
in inspection mode.<br />
If any of the rules for skipping content inspection applies, processing of the rule set stops and this<br />
last rule, which enables the inspection, is not processed. Otherwise, content inspection is enabled<br />
by this rule.<br />
Verify Common Name (transparent setup)<br />
This nested rule set verifies the common name in a certificate. It applies only to requests sent in<br />
transparent mode.<br />
Nested library rule set — Verify Common Name (transparent setup)<br />
Criteria — Connection.SSL.TransparentCNHandling equals true AND Command.Name does not equal “CONNECT”<br />
AND Command.Name does not equal “CERTVERIFY”<br />
Cycle — Requests (and IM)<br />
The rule criteria specifies that the rule set applies if a request is received through a connection used in<br />
SSL-secured communication and verification of the common name is performed in transparent mode.<br />
The rules of the rule set check the same criteria to verify a common name as those of the Verify<br />
Common Name rule set for the non-transparent mode.<br />
However, in the latter mode, the host name to be checked is taken from the CONNECT request, which<br />
is not sent under the transparent mode. In the transparent mode, the host name is taken from the request that is<br />
sent.<br />
For more information, see Verify Common Name (proxy setup).<br />
Lists for SSL scanning<br />
This section describes some sample lists for SSL scanning. The lists are used by the rules of the library<br />
SSL Scanner rule set.<br />
Note: When you import this rule set, the lists are also imported. You can find them on the Lists tab of the<br />
Policy top-level menu, which displays lists sorted by their types and names.<br />
For general information on how to maintain lists, see List maintenance.<br />
Allowed CONNECT Ports<br />
List of ports that are allowed CONNECT ports on destination servers<br />
Type — Number<br />
Initial entry — 443 – Default HTTPS port<br />
The following table describes the list entries.<br />
Table 6-17 Allowed CONNECT Ports list<br />
Option Definition<br />
Number Number of a port that is an allowed CONNECT port on a destination server<br />
Comment Plain-text comment on the port<br />
Certificate White List<br />
List of certificates that are not verified by the SSL scanning module<br />
Type — Host and Certificate<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-18 Certificate White List<br />
Option Definition<br />
Certificate Name of a whitelisted certificate<br />
Host Host that the certificate proves to be trustworthy (in regular expression format)<br />
Comment Plain-text comment on the certificate<br />
No-EDH Server<br />
List of hosts that are non-EDH servers<br />
When requests are sent from these hosts, the SSL scanning module verifies the certificate with special<br />
settings.<br />
Type — String<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-19 No-EDH Server list<br />
Option Definition<br />
String Host name of a non-EDH server<br />
Comment Plain-text comment on the server<br />
SSL Inspection White List<br />
List of hosts<br />
For requests sent to these hosts, the SSL scanning module does not enable content inspection.<br />
Type — Wildcard Expression<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-20 SSL Inspection White List<br />
Option Definition<br />
Wildcard expression Name of a whitelisted host (in regular expression format including also wildcards)<br />
Comment Plain-text comment on the host<br />
Modules for SSL scanning<br />
The SSL scanning rules call several modules to execute jobs that are related to SSL scanning. This<br />
section tells you how to configure these modules.<br />
You can configure the following modules:<br />
• SSL Scanner — Enables certificate verification and content inspection, which are key jobs in SSL<br />
scanning.<br />
Typically, there are separate settings for the module when called to verify certificates and when<br />
called to inspect content.<br />
• SSL Client Context — Handles the sending of a certificate from the appliance to a client.<br />
After the initial setup, the module uses a certificate issued by the default root certificate authority<br />
(CA) that is implemented on the appliance. For further administration, it is recommended that you<br />
create your own root CA, using the options provided with the module settings.<br />
• Certificate Chain — Handles the building of a certificate chain.<br />
When building the chain, the module uses a list of certificate authorities for the certificates that are<br />
included in the chain. You can add certificate authorities to existing lists and also add new lists.<br />
Configure a module for SSL scanning<br />
This section describes the procedure for configuring the modules that are involved in SSL scanning.<br />
To configure an SSL scanning module:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to the module you want to configure settings for and<br />
select these settings. For example, go to SSL Scanner and select Default Certificate Verification.<br />
3 Configure these settings as needed.<br />
4 Click Save Changes.<br />
For more information on these settings, see SSL Scanner engine settings, SSL Client Context engine<br />
settings, and Certificate Chain engine settings.<br />
SSL Scanner engine settings<br />
You can configure the SSL Scanner engine settings. These are the settings for the module that the SSL<br />
scanning rules call to verify certificates and enable content inspection in SSL-secured communication.<br />
Note: These settings can be configured on the Settings tab of the Policy top-level menu.<br />
Certificate Verification Without EDH<br />
Settings for the SSL Scanner module when it uses a special mode to verify certificates in<br />
communication with web servers that do not support the EDH (Ephemeral Diffie-Hellman) method<br />
Meaning and usage of these settings are the same as for the Default Certificate Verification settings.<br />
For the Server cipher list parameter, the string specified as its value usually differs from the string<br />
specified for the default settings.<br />
For more information, see Default Certificate Verification.<br />
Default Certificate Verification<br />
Settings for the SSL Scanner module when it uses the default mode to verify certificates<br />
Enable SSL Scanner<br />
Settings for configuring standard parameters of certificate verification<br />
SSL scanner function — Function performed by the SSL Scanner module<br />
• Certificate verification — When selected, the module verifies certificates submitted in SSL-secured<br />
communication<br />
Note: For the Default Certificate Verification and Certificate Verification Without EDH settings, this option<br />
is enabled by default.<br />
• SSL inspection — When selected, the module inspects the content of web objects transmitted in<br />
SSL-secured communication<br />
SSL protocol version — Version of the protocol the SSL Scanner module follows when it performs its<br />
functions<br />
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used<br />
• SSL 3.0 — When selected, SSL version 3.0 is used<br />
Server cipher list — String of OpenSSL symbols used for decrypting server data<br />
The SSL Scanner module uses different strings for default certificate verification and for verifying<br />
certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.<br />
SSL session cache TTL — Time (in seconds) for keeping the parameter values of a session in<br />
SSL-secured communication stored in the cache<br />
Allow handshake and renegotiation with servers that do not implement RFC 5746 — When<br />
selected, the SSL Scanner module performs these activities also in communication with web servers<br />
that fail to comply with the specified standard<br />
Allow Alternative Handshakes<br />
Settings for handshakes in SSL-secured communication that use alternative parameter values<br />
Use alternative handshake settings after handshake failure — When selected, the SSL Scanner<br />
module uses alternative parameter values after the first attempt to perform a handshake in<br />
SSL-secured communication has failed<br />
SSL protocol version — Version of the protocol the SSL Scanner module follows when it performs an<br />
alternative handshake<br />
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used<br />
• SSL 3.0 — When selected, SSL version 3.0 is used<br />
Server cipher list — Alternative string of OpenSSL symbols used for decrypting server data<br />
The SSL Scanner module uses different strings to do the default certificate verification and a special<br />
kind of verification for certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman)<br />
method.<br />
Enable Content Inspection<br />
Settings for the SSL Scanner module when it enables the inspection of content<br />
Meaning and usage of these settings are the same as for the Default Certificate Verification settings.<br />
For the SSL scanner function parameter, the SSL inspection option is enabled by default.<br />
For more information, see Default Certificate Verification.<br />
SSL Client Context engine settings<br />
You can configure the SSL Client Context engine settings. These are the settings for the module that<br />
deals with the certificates the appliance sends to its clients.<br />
Note: These settings can be configured on the Settings tab of the Policy top-level menu.<br />
Default CA<br />
Settings for the SSL Client Context module when it uses a certificate issued by the default root<br />
certificate authority (root CA)<br />
Define SSL Client Context<br />
Settings for the SSL Client Context module<br />
(Current root certificate authority) — Parameters and values of the root certificate authority (root CA)<br />
that is currently in use on the appliance<br />
After the initial setup, a default root CA is implemented on the appliance. For further administration, it<br />
is recommended that you create your own root CA. Use the Generate New button to create this<br />
certificate authority.<br />
Send certificate chain — When selected, the appliance sends information on the chain of<br />
certificates that are involved in the process of validating the certificate the appliance sends to its<br />
clients<br />
The certificate the appliance sends as a server to its clients is considered to exist on level 0. When a<br />
certificate authority (CA) signs this server certificate to validate it, it is done on level 1. When an<br />
additional certificate authority validates the first certificate authority, it is done on level 2. With each<br />
additional certificate authority that is involved, the level increases by one.<br />
When a certificate authority validates another certificate authority, it issues and signs a certificate for<br />
this authority. However, instead of being validated by another certificate authority, a certificate<br />
authority can also validate itself by issuing and signing a certificate. This certificate is then called a<br />
self-signed certificate.<br />
The certificates involved in the validating process are said to form a certificate chain. In the simplest<br />
case, a certificate chain has only two members: the certificate the appliance sends as a server to its<br />
clients and the self-signed certificate of the certificate authority that signed the server certificate on<br />
level 1. The certificate authority that stands at the beginning of the validating process is known as the<br />
root certificate authority (root CA).<br />
Information on a certificate chain includes data on all the certificate authorities involved. The appliance<br />
needs to send this information to its clients if not all of these certificate authorities are known and<br />
trusted by the clients.<br />
Certificate chain — Input field for entering information on a certificate chain<br />
After importing an existing certificate authority (CA) that is involved in a certificate chain, the<br />
information on this certificate chain appears in the field.<br />
Perform insecure renegotiations — When selected, the module renegotiates the parameters for<br />
the SSL-secured communication even if this is insecure to do<br />
Client cipher list — String of OpenSSL symbols used for decrypting client data<br />
SSL session cache TTL — Time (in seconds) for keeping the parameter values of a session in<br />
SSL-secured communication stored in the cache<br />
SSL protocol version — Version of the protocol the SSL Scanner module follows when it performs a<br />
handshake<br />
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used<br />
• SSL 3.0 — When selected, SSL version 3.0 is used<br />
For more information on how to create a new certificate authority or import an existing certificate<br />
authority for use instead of the default one, see Create your own certificate authority and Import a<br />
certificate authority.<br />
Create your own certificate authority<br />
This section describes a procedure for creating a certificate authority (CA) of your own for use instead<br />
of the certificate authority that is implemented on the appliance after the initial setup.<br />
To create a certificate authority:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to SSL Client Context with CA and select the<br />
settings you want to configure, for example, Default.<br />
3 Click Generate New. The Generate New Certificate Authority Window opens.<br />
4 In the Organization and Locality fields, type suitable information for your own certificate authority.<br />
5 [Optional] In the Organizational unit and State fields, type suitable information. From the<br />
Country list, select a country.<br />
6 In the Common name field, type a common name for your own certificate authority.<br />
7 [Optional] In the Email address field, type an email address of your organization.<br />
8 From the Valid for list, select the time that your certificate authority should be valid.<br />
9 [Optional] In the Comment field, type a plain-text comment on the certificate authority.<br />
10 Click OK. The new certificate authority is generated.<br />
11 Click Save Changes.<br />
The certificate authority you created through this procedure is the one that signs the certificate the<br />
appliance sends to its clients in the starting phase of the SSL-secured communication.<br />
For information on other settings for the communication between the appliance and its clients, see SSL<br />
Client Context engine settings.<br />
Import a certificate authority<br />
This section describes a procedure for importing an existing certificate authority (CA) for use instead of<br />
the certificate authority that is implemented on the appliance after the initial setup.<br />
To import a certificate authority:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to SSL Client Context with CA and select the<br />
settings you want to configure, for example, Default.<br />
3 Click Import. The Import Certificate Authority Window opens.<br />
4 In the Certificate field, enter the name of the file that contains the data for the certificate<br />
authority you want to import. To do this, click the Browse button and browse to a suitable file.<br />
The file must be encoded in PEM (Privacy-Enhanced Mail) format.<br />
5 In the Private key field, enter the name of the file that contains the key the certificate authority<br />
uses for signing certificates. To do this, click the Browse button and browse to a suitable file.<br />
The file must be encoded in PEM format. The key must have a length of at least 2048 bits.<br />
6 [Conditional] If the private key is protected by a password, type it in the Password field.<br />
Note: Only unencrypted keys and keys that are AES-128-bit encrypted can be used here.<br />
7 [Conditional] If the certificate authority is involved in a certificate chain and you want to retrieve<br />
information on this chain to let the appliance send it to its clients with a certificate, enter the name<br />
of the file that contains the information in the Certificate chain field. To do this, click the Browse<br />
button and browse to a suitable file.<br />
The file must be encoded in PEM format.<br />
8 Click OK. The window closes and the certificate authority is imported.<br />
9 Click Save Changes.<br />
The certificate authority you imported through this procedure is the one that is used for issuing the<br />
certificate the appliance sends to its clients in the starting phase of the SSL-secured communication.<br />
For information on other settings for the communication between the appliance and its clients, see SSL<br />
Client Context engine settings.<br />
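The requirements in steps 5 and 6 of the import procedure (PEM encoding, a key of at least 2048 bits, unencrypted or AES-128 encrypted) can be checked on the key file before it is imported. The following Python check is an added example, not part of the product or of this guide. It assumes an RSA key, reads "AES-128-bit encrypted" as a traditional PEM DEK-Info header that names an AES-128 cipher, and uses constructed sample keys that are not usable keys.<br />

```python
import base64
import re

MIN_KEY_BITS = 2048  # minimum key length stated in the import procedure
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def rsa_modulus_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey: SEQUENCE { version, modulus, ... }."""
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DER SEQUENCE expected")
    _, _, pos = read_tlv(der, pos)  # skip the version INTEGER
    tag, start, end = read_tlv(der, pos)  # modulus INTEGER
    if tag != 0x02:
        raise ValueError("modulus INTEGER expected")
    return int.from_bytes(der[start:end], "big").bit_length()


def unwrap_pkcs8(der):
    """Return the PKCS#1 key wrapped in an unencrypted PKCS#8 PrivateKeyInfo."""
    _, pos, _ = read_tlv(der, 0)  # outer SEQUENCE
    _, _, pos = read_tlv(der, pos)  # version
    _, _, pos = read_tlv(der, pos)  # AlgorithmIdentifier (RSA assumed)
    tag, start, end = read_tlv(der, pos)  # OCTET STRING holding the key
    if tag != 0x04:
        raise ValueError("OCTET STRING expected")
    return der[start:end]


def check_ca_key(pem_text):
    """Return (verdict, reason); verdict is 'ok', 'reject' or 'unknown'."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        return "reject", "no PEM block found"
    label, body = match.group(1), match.group(2).replace("\r\n", "\n")
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        verdict = "unknown" if label.endswith("PRIVATE KEY") else "reject"
        return verdict, "block type not handled by this check: " + label
    headers, _, payload = body.rpartition("\n\n")
    if "ENCRYPTED" in headers:  # traditional PEM encryption (Proc-Type / DEK-Info)
        dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),", headers, re.M)
        cipher = dek.group(1).upper() if dek else "unknown cipher"
        if cipher.startswith("AES-128-"):
            return "ok", cipher + " encrypted; key length not readable without the password"
        return "reject", "unsupported key encryption: " + cipher
    try:
        der = base64.b64decode(payload)
        bits = rsa_modulus_bits(unwrap_pkcs8(der) if label == "PRIVATE KEY" else der)
    except (ValueError, IndexError) as exc:
        return "reject", "cannot parse key: %s" % exc
    if bits < MIN_KEY_BITS:
        return "reject", "%d-bit key is shorter than %d bits" % (bits, MIN_KEY_BITS)
    return "ok", "unencrypted %d-bit RSA key" % bits


def der_encode(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    size = len(value)
    if size < 0x80:
        return bytes([tag, size]) + value
    raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def constructed_key_pem(bits, pkcs8=False):
    """Constructed sample: DER layout of an RSA key with a `bits`-bit modulus, not a usable key."""
    ints = [0, (1 << (bits - 1)) | 1, 65537] + [3] * 6  # version, modulus, e, placeholders
    der = der_encode(0x30, b"".join(
        der_encode(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big")) for i in ints))
    label = "RSA PRIVATE KEY"
    if pkcs8:
        wrapped = der_encode(0x02, b"\x00") + der_encode(0x30, RSA_ALG_ID) + der_encode(0x04, der)
        der, label = der_encode(0x30, wrapped), "PRIVATE KEY"
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


# Constructed sample: headers of a traditionally encrypted key; the payload is filler.
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: %s,00112233445566778899AABBCCDDEEFF\n\n"
                 "QUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for pem in (constructed_key_pem(2048), constructed_key_pem(1024), ENCRYPTED_PEM % "DES-EDE3-CBC"):
        print(check_ca_key(pem))
```

A verdict of unknown means the file needs a manual look, for example a PKCS#8 encrypted key whose cipher this check does not parse.<br />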
Certificate Chain engine settings<br />
You can configure the Certificate Chain engine settings. These are the settings for the module that<br />
deals with the certificates the appliance receives from web servers.<br />
Note: These settings can be configured on the Settings tab of the Policy top-level menu.<br />
Default<br />
Default settings for the Certificate Chain module<br />
Certificate Verification<br />
Settings for the certificates used to build a certificate chain<br />
List of certificate authorities — List for selecting a list of certificate authorities (CAs) that sign the<br />
certificates in a certificate chain<br />
The following table describes the entries in a list of certificate authorities. For information on<br />
maintaining a list of this type, see Inline lists.<br />
Table 6-21 List of certificate authorities lists<br />
Option | Definition<br />
Certificate authority | Name of a certificate authority<br />
Certificate revocation list | List with information on when a certificate signed by this certificate authority becomes invalid and the URI used to access the list<br />
Trusted | Information on whether a certificate authority is trusted on the appliance<br />
Comment | Plain-text comment on a certificate authority<br />
For information on how to import a certificate authority for the certificates in a certificate chain, see<br />
Add a certificate authority.<br />
Add a certificate authority<br />
This section describes a procedure for importing an existing certificate authority (CA) and adding it to a<br />
list of known certificate authorities.<br />
To import and add a certificate authority:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to Certificate Chain and select the settings you want<br />
to configure, for example, Default.<br />
3 Select a list of certificate authorities and click Edit. The Edit List (Certificate Authority) window opens.<br />
4 Click Add. The Add Certificate Authority window opens.<br />
5 [Optional] Type the name of a certificate revocation list (CRL) in the input field provided here and<br />
select or deselect Trusted, according to the status the new certificate authority should have.<br />
6 Click Import. A window opens to let you access your file system.<br />
7 Browse to the file for the certificate authority you want to import and click Open. The window closes<br />
and information on the new certificate authority appears in the Add Certificate Authority window.<br />
8 Click OK. The window closes and the new certificate authority appears on the list in the Edit List<br />
(Certificate Authority) window.<br />
9 Click OK to close the Edit List (Certificate Authority) window.<br />
10 Click Save Changes.<br />
Supporting functions<br />
Some functions on the appliance do not filter web objects or users, but support the filtering process in<br />
various ways. This section explains some of these functions.<br />
You can use them to do, for example, the following:<br />
• Show download progress — You can configure methods to show users the progress made in<br />
downloading web objects.<br />
• Throttle bandwidth for uploads and downloads — You can limit the speed used for uploading data<br />
from clients to the appliance or downloading it from web servers to the appliance.<br />
• Route requests through next-hop proxies — You can use these proxies to route requests to their<br />
destinations.<br />
For more information, see Progress Indication, Bandwidth throttling, and Next-hop proxies.<br />
Progress Indication<br />
The progress made in downloading objects from the web can be shown to users in different ways. This<br />
section explains how to configure the methods for showing this progress.<br />
It depends on the user’s browser which method of progress indication is appropriate. Accordingly, the<br />
rules of a progress indication rule set call different modules that use one or the other method to show<br />
download progress.<br />
Administering progress indication on the appliance includes the following activities:<br />
• Make sure a progress indication rule set is implemented — The rule set that is implemented<br />
as part of a default system contains rules for calling a module that displays a progress page for Mozilla<br />
browsers and another module that uses data trickling for all others. You can also create a rule set of<br />
your own and let it contain different rules.<br />
• Configure the settings of the progress indication modules — When a default rule set is<br />
implemented, module settings are also available. You can modify the settings of the module that<br />
executes data trickling and of the one that uses a progress page.<br />
For more information, see Progress Indication (rule set) and Configure the progress indication modules.<br />
Progress Indication (rule set)<br />
This section describes the rules in a library rule set that enable a progress page or data trickling to show<br />
download progress to users.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Progress Indication<br />
Criteria — MediaType.FromHeader does not equal text/htm<br />
Cycles — Responses<br />
The rule set criteria specifies that the rule set applies when media that is sent in response to the<br />
appliance is not of the text or htm type.<br />
The rule set contains the following rules:<br />
Progress Page<br />
Header.Request.Get (“User-Agent”) matches *(Mm)ozilla* –> Stop Rule Set — Enable Progress<br />
Page <br />
The rule enables a progress page for Mozilla browsers. The event settings specify what the<br />
progress page looks like, for example, the language it uses.<br />
Data Trickling<br />
Always –> Stop Rule Set — Enable Data Trickling<br />
The rule enables data trickling for all browsers that are not Mozilla. The event settings specify the<br />
chunk and block sizes used for the trickling.<br />
Configure the progress indication modules<br />
When a default rule set for progress indication is implemented, settings for two modules that use<br />
different methods of progress indication are also implemented.<br />
Complete the following procedure to configure these settings:<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to Enable.DataTrickling or Enable.Progress Page<br />
and select the settings you want to configure, for example, Default.<br />
3 Configure these settings as needed.<br />
• Data trickling — For all browsers that are not Mozilla<br />
You can configure the size of the first chunk and the trickle rate.<br />
• Progress page — For Mozilla browsers<br />
You can configure a page for the progress bar, a page for download completion, and other<br />
settings.<br />
Templates are used to provide these two pages. You can configure them in the same way as the<br />
templates for user messages.<br />
4 Click Save Changes.<br />
For more information, see Enable Data Trickling engine settings, Enable Progress Page engine settings,<br />
and User messages.<br />
Enable Data Trickling engine settings<br />
You can configure the Enable Data Trickling engine settings. These are the settings of the module that<br />
uses the data trickling method for progress indication.<br />
Note: These settings are configured on the Settings tab of the Policy top-level menu.<br />
Data Trickling Parameters<br />
Settings for chunks and blocks used in data trickling<br />
Size of first chunk — Size (in bytes) of the first chunk of a web object that is forwarded using the<br />
data trickling method<br />
Forwarding rate — Portion of a web object that is forwarded every five seconds<br />
The forwarding rate is the thousandth part of the volume that is to be forwarded multiplied by the value<br />
you configure here.<br />
Enable Progress Page engine settings<br />
You can configure the Progress Page engine settings. These are the settings of the module that uses<br />
the progress page method for progress indication.<br />
Note: These settings are configured on the Settings tab of the Policy top-level menu.<br />
Default<br />
Default settings for the progress page<br />
Progress Page Parameters<br />
Settings for templates and timeouts<br />
Templates<br />
Settings for the templates used by the progress page<br />
Language — Settings for selecting the language of the progress page<br />
Auto (Browser) — When selected, the message is in the language of the browser that the<br />
blocked request was sent from<br />
Force to — When selected, the message is in the language chosen from the list that is provided<br />
here<br />
Value of ‘Message.Language’ property — When selected, the message is in the language that<br />
is the value of the Message.Language property<br />
This property can be used for creating a rule.<br />
Collection — List for selecting a template collection<br />
Add — Opens the Add Template Collection window for adding a template collection<br />
Edit — Opens the Template Editor for editing a template collection<br />
Template name for progress bar page — List for selecting a template<br />
Add — Opens the Add Template window for adding a template<br />
Edit — Opens the Template Editor for editing a template<br />
Template name for download finished page — List for selecting a template<br />
Add — Opens the Add Template window for adding a template<br />
Edit — Opens the Template Editor for editing a template<br />
Template name for download canceled page — List for selecting a template<br />
Add — Opens the Add Template window for adding a template<br />
Edit — Opens the Template Editor for editing a template<br />
Timeouts<br />
Settings for the timeouts that apply to the progress page<br />
Delay for redirects to progress page — Time (in seconds) to elapse before the progress page<br />
appears<br />
File availability time before download — Time (in minutes) to elapse before a file is no longer<br />
available to a user before the download<br />
File availability time after download — Time (in minutes) to elapse before a file is no longer<br />
available to a user after the download<br />
Bandwidth throttling<br />
You can limit the speed for uploading and downloading data to the appliance in a process also known as<br />
bandwidth throttling. This section explains how this process is configured and provides two examples of<br />
bandwidth throttling rules.<br />
You can use bandwidth throttling, for example, to avoid a situation where the network performance you<br />
need for completing a particular task is impacted by other users who are individually uploading objects<br />
to the web or are requesting large downloads from the web.<br />
Bandwidth throttling events<br />
Two events are available for use in rules that can trigger bandwidth throttling:<br />
• The Throttle.Client event limits the speed of data transfer from a client to the appliance. This is the<br />
case when a client sends a request for uploading an object to a web server and the request is<br />
intercepted on the appliance together with the object.<br />
• The Throttle.Server event limits the speed of data transfer from a web server to the appliance. In this<br />
case, there has been a client request to download an object from a web server, and after this request<br />
has been filtered on the appliance and forwarded, the web server sends the object in response.<br />
The transfer speed is measured in Kbps (kilobits per second). The events both have a parameter for<br />
specifying the maximum speed that should be used during a transfer. The lowest value that you can<br />
specify here is 10 Kbps.<br />
Bandwidth throttling rule for uploads<br />
The following is an example of a rule that can execute bandwidth throttling for uploads.<br />
Note: The example shows approximately how the rule appears on the user interface.<br />
Name: Limit upload speed for hosts on throttling list<br />
Criteria | Action | Event<br />
URL.Host is in list Upload Throttling List | –> Continue | – Throttle.Client (10)<br />
The rule uses the Throttle.Client event to limit the speed with which uploads are performed to 10 Kbps<br />
if the web server that the data should be uploaded to is on a particular list.<br />
In the criteria of the rule, the URL.Host property is used to retrieve the host name of the web server<br />
that is specified in the uploading request.<br />
If the Upload Throttling List contains this name, the criteria is matched and the rule applies. The<br />
throttling event is then executed.<br />
The Continue action lets rule processing continue with the next rule.<br />
Bandwidth throttling rule for downloads<br />
The following is an example of a rule that can execute bandwidth throttling for downloads.<br />
Note: The example shows approximately how the rule appears on the user interface.<br />
Name: Limit download speed for media types on throttling list<br />
Criteria | Action | Event<br />
MediaType.EnsuredTypes at least one in list MediaType Throttling List | –> Continue | – Throttle.Server (1000)<br />
The rule uses the Throttle.Server event to limit the speed with which downloads are performed to 1000<br />
Kbps if the web object that should be downloaded belongs to a media type on a particular list.<br />
In the criteria of the rule, the MediaType.EnsuredTypes property is used to detect the media type of the<br />
web object that the web server sends. An object can also be found to belong to more than one type.<br />
If any of these types is on the Media Type Throttling List, the criteria is matched and the rule applies.<br />
The throttling event is then executed.<br />
The Continue action lets rule processing continue with the next rule.<br />
Bandwidth throttling rules and rule sets<br />
It is recommended that you create an overall rule set for bandwidth throttling rules and embed two rule<br />
sets in it, one for throttling uploads and another for throttling downloads. You can then let the<br />
embedded upload rule set apply for the request cycle and the embedded download rule set for the<br />
response cycle.<br />
Note: Within each embedded rule set, you can have multiple throttling rules that apply to different kinds of<br />
web objects.<br />
The overall rule set for bandwidth throttling should be placed at the beginning of your rule set system.<br />
If this is not done, rules in other rule sets can start unthrottled downloads of web objects before your<br />
throttling rules are executed.<br />
For example, a rule for virus and malware filtering could trigger the download of a web object that has<br />
been sent by a web server in response to a user request. The web object then needs to be completely<br />
downloaded to the appliance to see whether it is infected. If your bandwidth throttling rule set is placed<br />
and processed after the rule set with the virus and malware filtering rule, bandwidth throttling is not<br />
applied to that download.<br />
Next-hop proxies<br />
The appliance can use next-hop proxies for routing requests received from its clients to their<br />
destinations. This section explains how to implement and configure these proxies.<br />
When next-hop proxies are implemented, rules in a corresponding rule set use a module to call proxies<br />
that have been entered onto a list for routing requests.<br />
For example, you can route requests that have internal destinations using internal proxies. IP<br />
addresses of destinations that are internal are then entered onto a list, which the routing rule relies on.<br />
Similarly, there can be a list of internal next-hop proxy servers for use by the rule.<br />
A rule set with rules for using next-hop proxies is not implemented on the appliance after the initial<br />
setup. You can import a rule set from the library and modify it according to your needs or create a rule<br />
set of your own.<br />
When you import a next-hop proxy rule set, a server list is also imported, which is initially empty and<br />
must be filled by you. You can also create more than one list and use these lists for routing in different<br />
situations.<br />
Settings for the next-hop proxy module are imported with a library rule set as well. You can configure<br />
these settings to let the module use a particular next-hop proxy list and to determine the mode of<br />
calling the proxies (round-robin or fail-over).<br />
For more information on modes of calling next-hop proxies, see Next-hop proxy modes.<br />
For information on a rule set, lists, and module settings for next-hop proxies, see Next-Hop Proxy, Lists<br />
for next-hop proxy routing, and Configure next-hop proxy settings.<br />
Next-hop proxy modes<br />
When multiple servers are available as next-hop proxies for routing requests, the next-hop proxy<br />
module can use two modes to call them: round-robin and fail-over.<br />
When routing a request in round-robin mode, the next-hop proxy module calls the server that follows<br />
the one on the list that was called last time.<br />
For the next request, this is handled in the same way, so all servers on the list will eventually have<br />
been used as next-hop proxies.<br />
Figure 6-1 Round-robin mode<br />
When routing a request in fail-over mode, the next-hop proxy module calls the first server on the list.<br />
If the server fails to respond, the call is repeated until the configured number of retries is reached. Only<br />
then is the next server in the list tried. It is called in the same way as the first, and eventually the next<br />
server in the list is tried.<br />
This is continued until a server responds or all servers in the list were found to be unavailable.<br />
Figure 6-2 Fail-over mode<br />
Next-Hop Proxy<br />
This section describes a library rule set with a rule that routes internal requests through internal<br />
next-hop proxies.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Next-Hop Proxy<br />
Criteria — Always<br />
Cycle — Requests (and IM)<br />
The rule set contains the following rule:<br />
Use internal proxy for internal host<br />
URL.Destination.IP is in range list Next Hop Proxy IP Range List OR URL.Destination.IP is in list Next<br />
Hop Proxy IP List –> Continue — Enable Next Hop Proxy<br />
The rule uses the URL.Destination.IP property to check whether an IP address that corresponds to<br />
a URL is in one of the ranges specified on a list or is on a list directly. If it is, the rule uses an event<br />
to route requests for access to these URLs through internal next-hop proxies.<br />
The event settings specify settings that include the next-hop proxy list and the mode for calling<br />
proxies.<br />
Lists for next-hop proxy routing<br />
This section describes the library next-hop proxy lists. When you import the Next Hop Proxy rule set<br />
from the library, these lists are also imported.<br />
Note: You can find the list on the Lists tab of the Policy top-level menu, which displays lists sorted by their<br />
types and names.<br />
For general information on how to maintain lists, see List maintenance.<br />
Next-Hop Proxy IP List<br />
List of IP addresses that are the destinations of requests received on the appliance<br />
Type — IP<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-22 Next-Hop Proxy IP List<br />
Option | Definition<br />
IP | IP address of the destination for a request<br />
Comment | Plain-text comment on an IP address<br />
Next-Hop Proxy IP Range List<br />
List of IP address ranges for the destinations of requests received on the appliance<br />
Type — IPRange<br />
The list is initially empty.<br />
The following table describes the list entries.<br />
Table 6-23 Next-Hop Proxy IP Range List<br />
Option | Definition<br />
IPRange | IP address range for destinations of requests<br />
Comment | Plain-text comment on an IP address range<br />
Configure next-hop proxy settings<br />
You can configure the settings of the module that calls next-hop proxies.<br />
1 Go to Policy | Settings.<br />
2 On the Engines branch of the settings tree, go to Next-Hop Proxy and select the settings you want<br />
to configure, for example, the Internal Proxies settings.<br />
3 Configure these settings as needed.<br />
4 Click Save Changes.<br />
For more information on these settings, see Next-Hop Proxy engine settings.<br />
Next-Hop Proxy engine settings<br />
You can configure the Next-Hop Proxy engine settings. These are the settings of the module that calls<br />
next-hop proxies to route requests.<br />
Note: These settings can be configured on the Settings tab of the Policy top-level menu.<br />
Next-Hop Proxy Server<br />
Settings for configuring servers as next-hop proxies<br />
List of next-hop proxy servers — List for selecting a next-hop proxy server list<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 6-24 Next-hop proxy servers list<br />
Option | Definition<br />
Name | Name of a next-hop proxy server list<br />
Comment | Plain-text comment on a next-hop proxy server list<br />
Round robin — When selected, the next-hop proxy module uses the next-hop proxy following the one<br />
in the list that has been used last<br />
When the end of the list has been reached, the first next-hop proxy in the list is again selected.<br />
Fail over — When selected, the next-hop proxy module tries the first next-hop proxy in the list first<br />
If it fails, it is retried until the configured retry maximum has been reached. Then the second next-hop<br />
proxy in the list is tried, and so on, until a server responds or all are found to be unavailable.<br />
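The round-robin and fail-over behavior described under Next-hop proxy modes and in the Round robin and Fail over settings above, modeled in Python. This is an added example, not the appliance's code; the host names are placeholders, and treating the retry maximum as the number of repeated calls after the first one is an assumption.<br />

```python
from typing import Callable, List, Optional, Tuple


class NextHopProxyList:
    """Model of the two calling modes for a list of next-hop proxy servers."""

    def __init__(self, servers: List[str], retries: int = 2):
        if not servers:
            raise ValueError("the server list must not be empty")
        self.servers = list(servers)
        self.retries = retries  # assumption: repeated calls after the first one
        self._last = -1         # index of the server used for the previous request

    def round_robin(self) -> str:
        """Return the server after the one used last, wrapping at the end of the list."""
        self._last = (self._last + 1) % len(self.servers)
        return self.servers[self._last]

    def fail_over(self, responds: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
        """Try servers in list order; return (server that responded, every call made)."""
        calls: List[str] = []
        for server in self.servers:
            for _ in range(1 + self.retries):
                calls.append(server)
                if responds(server):
                    return server, calls
        # Every server was found to be unavailable. The guide does not say how the
        # request is handled from here, so the model only reports the outcome.
        return None, calls


# Constructed sample list; the host names are placeholders.
SERVERS = ["proxy-a.internal.example", "proxy-b.internal.example", "proxy-c.internal.example"]


def make_responder(down=(), answers_on_call=None):
    """Constructed stand-in for calling a proxy: servers in `down` never answer,
    and answers_on_call[server] = n makes that server answer from its n-th call on."""
    answers_on_call = answers_on_call or {}
    seen = {}

    def responds(server: str) -> bool:
        seen[server] = seen.get(server, 0) + 1
        if server in down:
            return False
        return seen[server] >= answers_on_call.get(server, 1)

    return responds


def demo():
    """Four round-robin requests, then one fail-over request with the first server down."""
    rr = NextHopProxyList(SERVERS)
    order = [rr.round_robin() for _ in range(4)]  # the fourth request wraps to the first server
    fo = NextHopProxyList(SERVERS, retries=2)
    chosen, calls = fo.fail_over(
        make_responder(down={SERVERS[0]}, answers_on_call={SERVERS[1]: 2}))
    return order, chosen, calls


if __name__ == "__main__":
    order, chosen, calls = demo()
    print("round-robin order:", order)
    print("fail-over chose:", chosen)
    print("fail-over calls:", calls)
```

In this model a fail-over request makes up to (1 + retries) calls per listed server before all servers are found to be unavailable, so a long list combined with a high retry maximum delays that outcome.<br />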
User messages<br />
Messages can be sent to users when a filtering rule blocks their requests for web access or affects them<br />
in other ways. This section tells you how to modify these messages.<br />
Messages are sent to users based on templates. To modify what messages look like, you adapt these<br />
templates. This is done under the settings for the actions that affect users.<br />
• Authenticate — Template-based message for telling a user that authentication is required to access<br />
a URL<br />
• Block — Template-based message for telling a user that a request was blocked for various reasons,<br />
for example, because a virus was detected in the requested object<br />
• Redirect — Template-based message for telling a user that redirecting to another URL is needed for<br />
accessing the requested object<br />
Message templates<br />
Message templates contain standard text with variables. The variables are filled with values as needed<br />
in a given situation.<br />
Note: All variables used in message templates are also properties used by rules. For example, URL is a<br />
variable in a message text and a property used in the rule that exempts URLs from filtering.<br />
For example, a Virus Found message might have the following text and variables:<br />
• Standard text — The transferred file contained a virus and was therefore blocked.<br />
• Variables — as follows:<br />
• URL — URL that the user requested to access the file<br />
The variable used to display a URL is $URL$.<br />
• Virus name — Name of the found virus that caused the blocking of the file<br />
The variable used to display a virus name is $List.OfString.ByName(String)$.<br />
Note: When editing a message template, you can select and insert variables from a list of properties.<br />
To serve as variables in message templates, these are converted into strings (if they are not strings<br />
already).<br />
For this reason, it makes no sense to select “string converter” properties here, which are properties<br />
whose job it is to convert other data types into strings, for example, the NumberToString(String)<br />
property.<br />
Different versions can exist of a particular template regarding:<br />
• File format — .html or .txt<br />
• Language — Language of template<br />
Templates can exist for multiple languages. An English version is provided by default for all initially<br />
existing templates.<br />
You can group templates into collections and have, for example, a default collection and collections for<br />
other purposes.<br />
You can edit message templates when you edit the settings for particular actions. For more information,<br />
see Adapt a user message template.<br />
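
The variable substitution described above, as an added example (not McAfee's code or template engine): it fills `$Name$` variables in the .html and .txt versions of a Virus Found template and converts non-string values to strings. The collection contents, the property values, the fallback to `en`, the HTML-encoding of values in the .html version and the `ToString(` heuristic for string converters are assumptions of this example.

```python
import html
import re

# Placeholder syntax as shown in the guide: $URL$, $List.OfString.ByName(String)$.
PLACEHOLDER = re.compile(r"\$([A-Za-z][A-Za-z0-9_.]*(?:\([^$()]*\))?)\$")

# Constructed sample collection: template name -> language -> file format -> text.
DEFAULT_COLLECTION = {
    "Virus Found": {
        "en": {
            "html": ("<p>The transferred file contained a virus and was "
                     "therefore blocked.</p>\n<p>URL: $URL$</p>\n"
                     "<p>Virus name: $List.OfString.ByName(String)$</p>"),
            "txt": ("The transferred file contained a virus and was "
                    "therefore blocked.\nURL: $URL$\n"
                    "Virus name: $List.OfString.ByName(String)$"),
        },
    },
}


def select_template(collection, name, language, file_format):
    """Pick a language/format version; fall back to 'en' (assumed behaviour)."""
    versions = collection[name]
    by_format = versions.get(language) or versions["en"]
    return by_format[file_format]


def to_string(value):
    """Properties that are not strings are converted before insertion."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (list, tuple)):
        return ", ".join(to_string(v) for v in value)
    return str(value)


def lint(template):
    """Return variables that look like string converters (assumed heuristic)."""
    return [n for n in PLACEHOLDER.findall(template) if "ToString(" in n]


def render(template, properties, file_format):
    """Fill $Name$ variables; return (text, names_left_unresolved)."""
    if file_format not in ("html", "txt"):
        raise ValueError("file format must be 'html' or 'txt'")
    unresolved = []

    def fill(match):
        name = match.group(1)
        if name not in properties:
            unresolved.append(name)
            return match.group(0)  # leave the placeholder visible
        text = to_string(properties[name])
        # The requested URL is client-controlled, so this example HTML-encodes
        # values in the .html version; the .txt version gets them verbatim.
        return html.escape(text, quote=True) if file_format == "html" else text

    return PLACEHOLDER.sub(fill, template), unresolved


# Constructed request data for the demonstration.
SAMPLE_PROPERTIES = {
    "URL": 'http://files.example/a?x=<b>&y="1"',
    "List.OfString.ByName(String)": ["EICAR test file"],
}

if __name__ == "__main__":
    for fmt in ("html", "txt"):
        body, missing = render(
            select_template(DEFAULT_COLLECTION, "Virus Found", "de", fmt),
            SAMPLE_PROPERTIES, fmt)
        print(f"--- {fmt} (unresolved: {missing})\n{body}\n")
```
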
Adapt a user message template<br />
You can adapt the templates of messages sent to users when they are affected by an action of a<br />
filtering rule.<br />
Complete the following procedure to adapt a template:<br />
1 Go to Policy | Settings.<br />
2 On the Actions branch of the settings tree, go to an action and select the settings you want to<br />
configure, for example, the Virus Found settings of the Block action.<br />
3 Configure these settings as needed.<br />
For example, to edit the text of a message:<br />
a From the list under Template Name, select a template, for example, Virus Found.<br />
b Click Edit. The Template Editor opens.<br />
c On the templates tree, double-click the Virus Found folder. The folder opens and displays<br />
templates in the available languages and file formats (.html and .txt).<br />
d Select, for example, en for English and html. The corresponding template appears on the settings<br />
pane.<br />
Initially, the template text reads as follows: The transferred file contained a virus and was<br />
therefore blocked.<br />
e Edit this text as needed.<br />
4 Click Save Changes on the Template Editor.<br />
For more information, see Template Editor and Settings for message templates.<br />
Template Editor<br />
The Template Editor is a device on the user interface that allows you to edit existing templates for user<br />
messages.<br />
Note: The Template Editor opens when you click Edit for a selected template or template collection on the<br />
Settings tab of the Policy top-level menu (after selecting the settings of the Authenticate, Block, or Redirect<br />
action on the settings tree).<br />
When editing a message template, you can do the following:<br />
• Select a language for the message of the template<br />
• Edit the text of the message<br />
• Replace the variables of the template<br />
• Provide a block reason for logging purposes (only for Block action templates)<br />
• Provide a URL for redirecting (only for Redirect action templates)<br />
The following table describes the options of the Template Editor in detail:<br />
Table 6-25 Template Editor<br />
Option Definition<br />
Templates Displays a tree structure (for viewing templates and selecting them for editing) with the<br />
following elements:<br />
• Template collections — Collections of templates, for example, the Default collection<br />
• Templates — Templates belonging to a collection, for example, Virus Found<br />
For each template, the following is provided under a tree node:<br />
– de, en ... — Language versions of the template<br />
– html — version in .html format<br />
– txt — version in .txt format<br />
When you select a format, the template content appears on the HTML Editor pane.<br />
• Import — Opens the Import window to let you browse to a file containing .html and .txt<br />
template versions for a particular language and import it<br />
• Export — Opens the Export window to let you browse to a template file and export it<br />
• (Expand All) — Expands all collapsed items on the Templates tree<br />
• (Collapse All) — Lets all expanded items collapse<br />
A right-click on a collection, template, language version, or format opens a menu with the<br />
following options (the selection of the options varies with the item):<br />
• Clone — Opens the Clone window for inserting a copy of an item under a new<br />
name into a collection<br />
• Add Content File — Opens the Add Content File window for adding a file<br />
• Rename — Opens the Rename window for renaming an item<br />
• Change — Opens the Change Language window for changing a language version<br />
• Delete — Deletes an item<br />
A window opens to let you confirm the deletion.<br />
File System Displays a tree structure (for completing general tasks, such as adding, renaming, and<br />
deleting template files) with the following elements:<br />
• Template collections — Collections of templates, for example, the Default collection.<br />
• Language versions — Templates sorted by language versions (and within a language<br />
group first by names and then by formats).<br />
For example, the en language group contains:<br />
– authenticationrequired.html<br />
– authenticationrequired.txt<br />
– AuthorizedOnly.html<br />
– AuthorizedOnly.txt<br />
...<br />
When you select a format, the template content appears on the HTML Editor pane (same<br />
function as on the Templates pane).<br />
• Images — Image files (with images used in templates) sorted by name<br />
• Add — Opens the following menu:<br />
– New File — Opens the Filename window for adding a file with a new name<br />
– New Directory — Opens the Rename Directory window for adding a selected folder<br />
of the tree structure under a new name<br />
– Existing File or Directory — Opens your file manager for selecting and adding a file<br />
or folder<br />
• Edit — Opens the following menu:<br />
– Rename — Opens the Rename window for renaming an item<br />
– Delete — Deletes an item. A window opens to let you confirm the deletion<br />
• Cut — Copies and deletes a selected item<br />
• Copy — Copies a selected item<br />
• Paste — Pastes a copied item<br />
• Delete — Deletes a selected item<br />
• (Expand All) — Expands all collapsed items on the File System tree<br />
• (Collapse All) — Lets all expanded items collapse<br />
A right-click on an item opens a menu with the above options (options that do not apply for<br />
an item are grayed out).<br />
HTML Editor Displays the content of the template that is currently selected on the Templates or File System<br />
pane.<br />
• Add — Opens the following menu:<br />
– Resource Reference — Opens the Insert Resource Path window for entering the<br />
path to a resource, such as an image or other graphical element, that appears in<br />
a template<br />
– Property — Opens the Choose Property window for adding a property that appears<br />
as a variable in a template, for example, $URL$<br />
• Edit — Opens the following menu:<br />
– Cut — Copies and deletes a selected portion of template content<br />
– Copy — Copies a selected portion<br />
– Paste — Pastes a copied portion<br />
– Delete — Deletes a selected portion<br />
– Select All — Selects the complete template content<br />
• Discard Changes — Undoes your changes of a template<br />
• Show Source — Toggle button to display the HTML source code of a template<br />
• Languages drop-down menu — Lets you select the language of the preview<br />
• Preview — Displays a preview of a template
Viewer (visible instead of the HTML Editor when an image file is selected on the File System tree) Displays the image contained in a currently selected image file<br />
• Zoom In — Enlarges an image<br />
• Zoom Out — Reduces the size of an image<br />
• Fit to Window — Lets an image fill out the Viewer pane<br />
• Original Size — Displays an image in original size again<br />
Save Template Changes Saves your changes to a template<br />
Cancel Lets you leave the Template Editor without changes<br />
Settings for message templates<br />
You can configure settings for the Authenticate, Block, and Redirect actions, including the settings of<br />
the templates for messages to affected users. This section describes these settings.<br />
Note: These settings are configured on the Settings tab of the Policy top-level menu.<br />
Block action settings<br />
The settings for the Block action allow you to configure user messages and a block reason for logging<br />
purposes.<br />
A typical text of a user message sent with this action is: The file was blocked, because the detected<br />
media type is not allowed.<br />
Language and Template Settings<br />
Settings for the Block action<br />
Language — Settings for selecting the language of a user message<br />
Auto (Browser) — When selected, the message is in the language of the browser that the blocked<br />
request was sent from<br />
Force to — When selected, the message is in the language chosen from the list that is provided<br />
here<br />
Value of Message.Language property — When selected, the message is in the language that is the<br />
value of the Message.Language property<br />
This property can be used for creating a rule.<br />
Template collection — List for selecting a template collection<br />
Add — Opens the Add Template Collection window for adding a template collection<br />
Edit — Opens the Template Editor for editing a template collection<br />
Template name — List for selecting a template<br />
Add — Opens the Add Template window for adding a template<br />
Edit — Opens the Template Editor for editing a template<br />
Secure <strong>Web</strong> Reporter block reason ID — Numerical value for a block reason<br />
Block reason — Block reason in plain text<br />
Authenticate action settings<br />
The settings for the Authenticate action allow you to configure user messages informing users that they<br />
need to authenticate in a given situation.<br />
A typical text of a user message sent with this action is: You must be authenticated to access this<br />
URL. The file was blocked, because the detected media type is not allowed.<br />
Failed Login Message Template<br />
Settings for the Authenticate action<br />
These settings are the same as for the Block action (except for the block reason) and are configured in<br />
the same way.<br />
For more information, see Block action settings.<br />
Redirect action settings<br />
The settings for the Redirect action allow you to configure user messages and the redirect URL.<br />
A typical text of a user message sent with this action is: The object has moved to another place, please<br />
enable redirects in your browser.<br />
Redirect Settings<br />
Settings for the Redirect action<br />
Most of these settings are the same as for the Block action and are configured in the same way. The<br />
following settings apply only to the Redirect action:<br />
Redirect.URL — When selected, the URL used for redirecting is the value given to the Redirect.URL<br />
property. This property can be part of a corresponding rule<br />
User-defined URL — When selected, the redirecting URL must be specified by you<br />
Redirect URL — Input field for this redirecting URL<br />
For more information, see Block action settings.<br />
7<br />
System configuration<br />
Contents<br />
Configuring the appliance system<br />
System settings<br />
System files<br />
Database updates<br />
Central management<br />
Configuring the appliance system<br />
The <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> appliance is a system providing functions for authenticating users and<br />
filtering web objects. You can configure settings for these functions and also for the system itself,<br />
including settings for network interfaces, the user interface, central management, and other items.<br />
You can configure system settings on the user interface or on a command line interface (CLI). The<br />
sections of this chapter describe these settings.<br />
Initial setup system settings<br />
Some system settings are configured during the initial setup. You can later modify these settings, as<br />
well as configure other system settings.<br />
The following table shows the initial settings and their default values:<br />
Table 7-1 Initial setup system settings<br />
Parameter Default value<br />
Primary network interface eth0<br />
Autoconfiguration with DHCP yes<br />
Host name mwgappl<br />
Root password webgateway<br />
Remote root logon with SSH off<br />
Default gateway <br />
DNS server <br />
For more information, see System settings.<br />
System configuration after the initial setup<br />
System settings that can be configured after the initial setup include the following:<br />
• Network system settings — Settings for integrating the appliance system into your network<br />
You can modify the initial settings for the primary network interface of the appliance and the<br />
domain name server. You can also modify the default proxy mode of the appliance and configure<br />
settings for port forwarding and static routes.<br />
• Central Management system settings — Settings for running multiple instances of the appliance<br />
You can run the appliance as a standalone system or integrate multiple instances of the appliance<br />
in a system that you administer using Central Management methods.<br />
• Authentication system settings — Settings for authenticating users<br />
In addition to configuring authentication rules, you can configure some authentication methods<br />
also through system settings. This includes joining the appliance to Windows domains and using a<br />
Kerberos server for authenticating users.<br />
• System settings for logging and troubleshooting — Settings for logging system functions and<br />
solving problems<br />
You can configure the log file manager, forward data to an ePO server, and monitor events using<br />
an SNMP agent. You can also generate core files and enable connection tracing.<br />
• System settings for other functions — Settings for licensing, date and time, and the user<br />
interface<br />
The license system settings are used immediately after the initial setup to import a license for an<br />
appliance. Settings for date and time and the user interface can be modified later as needed.<br />
System settings<br />
This section tells you where you can configure the settings of the appliance system on the user<br />
interface and describes individual system settings.<br />
Appliances tab<br />
Use the Appliances tab to configure the settings of the appliance system. It is selected from the<br />
Configuration top-level menu.<br />
Figure 7-1 Appliances tab<br />
The main elements of the tab are:<br />
• Appliances toolbar — Options for adding and deleting appliances and updating all of them<br />
• Appliances tree — Tree structure displaying different appliances and system settings<br />
• Appliance toolbar — Options for working with a selected appliance (appears when the appliance<br />
name is selected, for example, mwgappl)<br />
• Appliance settings — System settings of the selected appliance<br />
Appliances toolbar<br />
The Appliances toolbar provides the following options:<br />
Table 7-2 Appliances toolbar<br />
Option Definition<br />
Add Opens the Add Appliance window for adding an appliance<br />
Delete Deletes a selected appliance. A window opens to let you confirm the deletion<br />
Manual engine update Updates DAT files with virus signatures and other filtering information for all configured<br />
appliances<br />
Appliance toolbar<br />
The Appliance toolbar provides the following options:<br />
Note: This toolbar appears only when an appliance name is selected on the Appliances tree, for example,<br />
mwgappl.<br />
Table 7-3 Appliance toolbar<br />
Option Definition<br />
Reboot Restarts an appliance<br />
Flush cache Flushes the web cache of an appliance<br />
Update appliance software Implements an updated version of the appliance software<br />
Shutdown Lets an appliance become inactive<br />
Rotate logs Rotates log files on an appliance<br />
Rotate and push logs Rotates log files on an appliance and pushes them to the destination that you have<br />
specified in the Log File Manager settings<br />
Configure the system settings<br />
The system settings of an appliance include settings for network interfaces, central management, and<br />
other functions. This section tells you how to access these settings and where they are described within<br />
this guide.<br />
Note: When you administer multiple appliances using central management, you can also configure their<br />
system settings from the one you are logged on to.<br />
Complete the following procedure to configure the system settings of an appliance:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to an appliance and select the system settings you want to configure, for<br />
example, Network.<br />
3 Configure these settings as needed.<br />
4 Click Save Changes.<br />
For information on individual system settings, see the following table.<br />
Note: Some of the system settings are described in this guide together with functions they are related to. For<br />
example, the Kerberos Administration system settings are described in the chapter on authentication.<br />
Table 7-4 List of sections on system settings<br />
Individual system settings are described under ...<br />
Central Management system settings<br />
Date and Time system settings<br />
DNS system settings<br />
ePolicy Orchestrator system settings<br />
File Server system settings<br />
Kerberos Administration system settings<br />
License system settings<br />
Log File Manager system settings<br />
Network system settings<br />
Network Protection system settings<br />
Port Forwarding system settings<br />
Proxies (HTTP(S), FTP, ICAP, and IM) system settings<br />
Quota system settings<br />
SNMP system settings<br />
Static Routes system settings<br />
Troubleshooting system settings — Information on these<br />
settings is provided under Enable the creation of core<br />
files and Enable the creation of connection tracing files.<br />
User Interface system settings<br />
Windows Domain Membership system settings<br />
Date and Time system settings<br />
The Date and Time system settings include settings for the time servers that synchronize date and time<br />
on the appliance, as well as for the time zone.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Date and Time<br />
Settings for date and time on the appliance system<br />
Enable time synchronization with NTP servers — When selected, the appliance uses time servers<br />
under the NTP (Network Time Protocol) for time synchronization<br />
The system time of the appliance is then synchronized with the time on the NTP servers. This will fail,<br />
however, if the delta between both times is too big. It is therefore recommended that you restart the<br />
appliance after configuring time synchronization with NTP servers. When the appliance restarts, it sets<br />
system time to the time on the NTP servers.<br />
NTP Server List — List of servers used for time synchronization under the NTP protocol.<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-5 NTP Server List<br />
Option Definition<br />
String Name of an NTP server<br />
Comment Plain-text comment on the NTP server<br />
Select time zone — List for selecting a time zone<br />
Time synchronization performed by the NTP servers or manually set time refer to the time zone that<br />
you select here.<br />
Set System Time Manually<br />
Settings for configuring time and date on the appliance system manually<br />
Current date and time — Elements for setting date and time on the appliance system.<br />
• (Date field) — For entering a date by typing it in the field or using a calendar<br />
• (Calendar icon) — Opens a calendar for selecting a date<br />
After selecting a date on the calendar and clicking OK, the date appears in the date field.<br />
• (Time field) — For typing a time<br />
Set now — Sets the date and time you have entered into the corresponding fields<br />
DNS system settings<br />
The DNS system settings are settings for the domain name servers. The appliance uses these to<br />
retrieve the IP addresses that match the host names submitted in user requests.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Domain Name Service Settings<br />
Settings for the IP addresses of different domain name servers<br />
Primary Domain Name Server — IP address of the first server<br />
Secondary Domain Name Server — IP address of the second server<br />
Tertiary Domain Name Server — IP address of the third server<br />
File Server system settings<br />
The File Server system settings are used for configuring dedicated file server ports on the appliance to<br />
enable, for example, the downloading of files by clients.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
HTTP Connector Port<br />
Settings for configuring dedicated file server ports on the appliance<br />
Enable dedicated file server port over HTTP — When selected, the dedicated HTTP file server ports<br />
configured below are enabled<br />
HTTP connector — Port number of the dedicated HTTP file server port<br />
You can enter more than one port number here, separating them by commas. The allowed range is<br />
1024 to 65335.<br />
Note: You can set up a port forwarding rule if you want to forward requests to ports 1-1023.<br />
Instead of entering a port number alone, you can enter it with an IP address. This means connecting to<br />
the appliance over this port is only allowed when using the specified address.<br />
For example:<br />
An appliance has two interfaces with IP addresses as follows:<br />
eth0: 192.168.0.10, eth1: 10.149.110.10<br />
You enter the following under HTTP connector:<br />
4711, 192.168.0.10:4722<br />
Then connecting to the appliance over port 4711 is allowed using both IP addresses, whereas<br />
connecting over port 4722 requires that IP address 192.168.0.10 is used.<br />
Note: Restricting connections in the latter way can be used for setting up an intranet.<br />
Enable dedicated file server port over HTTPS — When selected, a dedicated HTTPS file server port<br />
is enabled<br />
HTTPS connector — Port number of the dedicated HTTPS file server port<br />
You can enter more than one port number here, separating them by commas. The allowed range is<br />
1024 to 65335.<br />
Entering an IP address with a port number can be done in the same way as for the HTTP connector and<br />
has the same meaning.<br />
Note: You can set up a port forwarding rule if you want to forward requests to ports 1-1023.<br />
For more information on port forwarding rules, see Port Forwarding system settings.<br />
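
A checker for the connector field syntax described above, as an added example that is not part of the product: it parses a value such as `4711, 192.168.0.10:4722`, enforces the stated port range, and reports on which interfaces each port accepts connections. The function names are hypothetical, only IPv4 bind addresses are handled, and rejecting a bind address that does not belong to the appliance is an assumption.

```python
import ipaddress

PORT_MIN = 1024
PORT_MAX = 65335  # upper bound exactly as printed in the guide

# Interface addresses from the guide's example.
INTERFACES = {"eth0": "192.168.0.10", "eth1": "10.149.110.10"}


def parse_connector(value):
    """Parse a connector field into (bind_address_or_None, port) tuples."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in connector list")
        host, sep, port_text = item.rpartition(":")
        # IPv4 only: the guide shows no IPv6 form for this field.
        bind = ipaddress.IPv4Address(host) if sep else None
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError(f"not a port number: {item!r}")
        port = int(port_text)
        if not PORT_MIN <= port <= PORT_MAX:
            raise ValueError(
                f"port {port} outside {PORT_MIN}-{PORT_MAX}; "
                "ports 1-1023 need a port forwarding rule")
        entries.append((bind, port))
    return entries


def exposure(entries, interfaces=INTERFACES):
    """Map each port to the interface names on which it accepts connections."""
    by_addr = {ipaddress.IPv4Address(a): n for n, a in interfaces.items()}
    result = {}
    for bind, port in entries:
        if bind is None:
            names = set(interfaces)      # port alone: every interface
        elif bind in by_addr:
            names = {by_addr[bind]}      # ip:port: that address only
        else:
            # Assumption of this example: a foreign address is a config error.
            raise ValueError(f"{bind} is not an address of this appliance")
        result.setdefault(port, set()).update(names)
    return {port: sorted(names) for port, names in sorted(result.items())}


def accepts(entries, dest_ip, port, interfaces=INTERFACES):
    """True if a connection to dest_ip:port is allowed by the entries."""
    dest = ipaddress.IPv4Address(dest_ip)
    if dest not in {ipaddress.IPv4Address(a) for a in interfaces.values()}:
        return False
    return any(p == port and (bind is None or bind == dest)
               for bind, p in entries)


if __name__ == "__main__":
    parsed = parse_connector("4711, 192.168.0.10:4722")
    for port, names in exposure(parsed).items():
        print(port, "reachable on", ", ".join(names))
```
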
License system settings<br />
The License system settings are used to import a license for the appliance. Information on the license is<br />
also displayed with these settings.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
License administration<br />
Settings for importing a license and reviewing license information<br />
Import License<br />
Provides items for importing a license<br />
License file — Input field for entering the name of a license file<br />
You can type a file name here or use the Browse button and select an appropriate file.<br />
Browse — Opens the file manager on your system to let you browse to a license file<br />
Activate — Activates the license specified in the input field<br />
Note: The Activate button is grayed out as long as you have not entered a file name in the input field.<br />
License information<br />
Displays information on the license that is currently in use on the appliance<br />
The following table explains this information.<br />
Table 7-6 License information<br />
Option Definition<br />
Status Status of a license<br />
Creation Date when the license was created<br />
Expiration Date when the license expires<br />
License ID Numerical value that identifies the license<br />
Customer Name of the license owner<br />
Seats Number of workplaces in the owner’s company that the license is valid for<br />
Evaluation Information whether the license has been evaluated<br />
Network system settings<br />
The Network system settings are used for configuring the network interfaces of the appliance.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Network Interface Settings<br />
Settings for configuring network interfaces<br />
Host name — Name of the appliance<br />
Enable these network interfaces — List of network interfaces that can be enabled or disabled<br />
IPv4 — Tab for configuring network interfaces under version 4 of the Internet Protocol<br />
The following table describes this tab.<br />
Table 7-7 IPv4 tab<br />
Option Definition<br />
IP settings List for selecting a method of configuring an IP address for a network interface<br />
• Obtain automatically (DHCP) — The IP address is automatically obtained, using the<br />
Dynamic Host Configuration Protocol (DHCP).<br />
• Configure manually — The IP address is configured manually, using the input fields<br />
below.<br />
Note: If this option is not selected, the input fields are grayed out.<br />
• Disable IPv4 — Version 4 of the Internet Protocol is not used for this interface.<br />
IP address IP address of the network interface (manually configured)<br />
Subnet mask Subnet mask of the network interface (manually configured)<br />
Default route Default route for web traffic using the network interface (manually configured)<br />
MTU Maximum number of bytes in a single transmission unit<br />
IP aliases List of aliases for the IP address<br />
• Add alias — Opens the Input window for adding an alias<br />
• Delete — Deletes a selected alias<br />
IPv6 — Tab for configuring network interfaces under version 6 of the Internet Protocol<br />
The following table describes this tab.<br />
Table 7-8 IPv6 tab<br />
Option Definition<br />
IP settings List for selecting a method of configuring an IP address for a network interface<br />
• Obtain automatically (DHCP) — The IP address is automatically obtained, using the<br />
Dynamic Host Configuration Protocol (DHCP).<br />
• Solicit from router — The IP address is obtained from a router.<br />
• Configure manually — The IP address is configured manually using the input fields<br />
below.<br />
Note: If this option is not selected, the input fields are grayed out.<br />
• Disable IPv6 — Version 6 of the Internet Protocol is not used for this interface.<br />
IP address, subnet These items have the same meanings as on the IPv4 tab, see above.<br />
mask, and so on<br />
Advanced — Tab for configuring additional media and a bridge for a network interface<br />
The following table describes this tab.<br />
Table 7-9 Advanced tab<br />
Options Definition<br />
Media List for selecting additional media for use with the network interface<br />
• Automatically detect — Media for use with the network interface are automatically<br />
detected if available in the network environment of the appliance.<br />
• 1000BaseT-FD, 1000Base-HD, ... — The selected media item is used with the<br />
network interface.<br />
Bridge enabled When selected, web traffic is routed through the network interface in transparent bridge<br />
mode<br />
• Name — Name of the transparent bridge<br />
Network Protection system settings<br />
The Network Protection system settings are used to configure a default policy for handling traffic that<br />
comes in to the appliance system from the network and exceptions to the default policy.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Network Protection Rules<br />
Settings for handling incoming traffic to protect the appliance system<br />
Enable network protection — When selected, the network protection settings configured below are enabled<br />
Input policy — List for selecting the action taken on incoming traffic<br />
Incoming traffic can either be dropped or accepted.<br />
Allow Ping requests — When selected, the appliance accepts and answers Ping requests.<br />
Exceptions from default policy — List of network devices that send traffic to the appliance system<br />
Traffic from these devices is not handled according to the configured input policy. When this policy<br />
drops incoming traffic, traffic sent from the devices listed here is accepted and vice versa.<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-10 Network devices list<br />
Option Definition<br />
Device Name of a network device that sends traffic to the appliance system<br />
* or no entry means all devices are covered.<br />
Protocol Protocol used for sending traffic<br />
Source IP address or address range of the network device or devices that send traffic to the<br />
appliance system<br />
Destination port Port on the appliance that is the destination of network traffic<br />
Comment Plain-text comment on the network device<br />
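The input policy and its exceptions list, modeled as an added example (this is not the appliance's own code). It shows that the same exception entries act as an allow list under a drop policy and as a block list under an accept policy. The wildcard handling for protocol and port, the range syntax, the Ping handling and all sample entries are assumptions constructed for illustration.<br />

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DROP, ACCEPT = "drop", "accept"


@dataclass(frozen=True)
class ExceptionEntry:
    """One row of the 'Exceptions from default policy' list (Table 7-10)."""
    device: str               # "*" or "" covers all devices, as the table states
    protocol: str             # "tcp", "udp", ...; "*" or "" as wildcard is an assumption
    source: str               # IP, CIDR, or "first-last" range (syntax assumed)
    dest_port: Optional[int]  # None means any port (assumption)
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    device: str
    protocol: str
    source: str
    dest_port: Optional[int] = None
    icmp_echo: bool = False   # True for a Ping request


def source_matches(spec: str, addr: str) -> bool:
    """Match addr against a single IP, a CIDR block, or a first-last range."""
    spec, ip = spec.strip(), ip_address(addr)
    if spec in ("", "*"):
        return True
    if "-" in spec:
        lo, hi = (ip_address(part.strip()) for part in spec.split("-", 1))
        return lo.version == ip.version == hi.version and lo <= ip <= hi
    return ip in ip_network(spec, strict=False)


def matches(entry: ExceptionEntry, pkt: Packet) -> bool:
    return (
        (entry.device in ("", "*") or entry.device == pkt.device)
        and (entry.protocol in ("", "*")
             or entry.protocol.lower() == pkt.protocol.lower())
        and source_matches(entry.source, pkt.source)
        and (entry.dest_port is None or entry.dest_port == pkt.dest_port)
    )


def decide(pkt: Packet, input_policy: str,
           exceptions: List[ExceptionEntry], allow_ping: bool = False) -> str:
    """Exceptions receive the opposite of the configured input policy."""
    if pkt.icmp_echo and allow_ping:   # 'Allow Ping requests' selected
        return ACCEPT
    if any(matches(e, pkt) for e in exceptions):
        return ACCEPT if input_policy == DROP else DROP
    return input_policy


def broad_exceptions(exceptions: List[ExceptionEntry]) -> List[ExceptionEntry]:
    """Entries whose source covers every address.

    Under a drop policy such an entry opens its port to all senders.
    """
    broad = []
    for e in exceptions:
        spec = e.source.strip()
        if spec in ("", "*"):
            broad.append(e)
        elif "-" not in spec and ip_network(spec, strict=False).prefixlen == 0:
            broad.append(e)
    return broad


# Constructed sample entries (not taken from the product guide).
SAMPLE_EXCEPTIONS = [
    ExceptionEntry("eth0", "tcp", "10.20.0.0/24", 8443, "admin subnet"),
    ExceptionEntry("*", "udp", "192.0.2.10-192.0.2.20", 161, "monitoring range"),
    ExceptionEntry("", "tcp", "0.0.0.0/0", 22, "source covers everything"),
]

if __name__ == "__main__":
    admin = Packet("eth0", "tcp", "10.20.0.5", 8443)
    for policy in (DROP, ACCEPT):
        print(policy, "->", decide(admin, policy, SAMPLE_EXCEPTIONS))
    print("review:", [e.comment for e in broad_exceptions(SAMPLE_EXCEPTIONS)])
```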
Port Forwarding system settings<br />
The Port Forwarding system settings are used for configuring rules to let the appliance direct web traffic<br />
sent from a particular port on a particular host to another host and port.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Port Forwarding<br />
Settings for configuring port forwarding rules<br />
Port forwarding rules — List of port forwarding rules<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-11 Elements of an entry in the Port Forwarding Rules list<br />
Option Definition<br />
Source Host IP address of the host that is the source of web traffic in a port forwarding rule<br />
Source Port Port used on this host for outgoing web traffic<br />
Destination Host IP address of the host that web traffic from the source host should be directed to<br />
Destination Port Port used on this host for web traffic coming in from the source host and port<br />
Comment Plain-text comment on the port forwarding rule<br />
Static Routes system settings<br />
The Static Routes system settings are for configuring routes that always use the same gateway and<br />
interface on this gateway when web traffic is routed from the appliance to a particular host.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Static routes<br />
Settings for configuring static routes<br />
Static Routes List — List of static routes used under version 4 of the Internet Protocol<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-12 Static Routes List<br />
Option Definition<br />
Destination IP address and (optionally) netmask of the host that is the destination for a static route<br />
<strong>Gateway</strong> IP address of the gateway for routing web traffic from the appliance to this host<br />
Device Interface used on this gateway for the static route<br />
Description Plain-text description of the static route<br />
Comment Plain-text comment on the static route<br />
Static Routes List (IPv6) — List of static routes used under version 6 of the Internet Protocol<br />
The elements of the entries in this list have the same meanings as under version 4, see above.<br />
User Interface system settings<br />
The User Interface system settings are used for configuring the ports of the local user interface on the<br />
appliance and for configuring a session timeout.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
HTTP Connector Port<br />
Settings for configuring the user interface on the appliance<br />
Enable local user interface over HTTP — When selected, you can connect to the user interface using<br />
the HTTP protocol<br />
HTTP connector — Port for connecting to the user interface under HTTP<br />
You can enter more than one port number here, separated by commas. The allowed range is 1024 to<br />
65335.<br />
Note: If you want to use a port with a number from 1 to 1023, you can set up a port forwarding rule that<br />
forwards requests from the port configured here to one of these.<br />
Instead of entering a port number alone, you can enter it with an IP address. This means connecting to<br />
the user interface over this port is only allowed when using the specified address.<br />
Enable local user interface over HTTPS — When selected, you can connect to the user interface<br />
using the HTTPS protocol<br />
HTTPS connector — Port for connecting to the user interface under HTTPS<br />
You can enter more than one port number here, separating them by commas. The allowed range is<br />
1024 to 65335.<br />
Note: You can set up a port forwarding rule if you want to forward requests to ports 1-1023.<br />
Instead of entering a port number alone, you can enter it with an IP address. This means connecting to<br />
the user interface over this port is only allowed when using the specified address.<br />
Session timeout — Time (in minutes) to elapse before a session on the user interface is closed if no<br />
activities occur<br />
The allowed range is 1 to 9999.<br />
For more information on port forwarding rules, see Port Forwarding system settings.<br />
Login Page Options<br />
Settings for the page used to log on to the appliance<br />
Allow browser to save login credentials — When selected, credentials submitted by a user for<br />
logging on to the appliance are saved by the browser<br />
Restrict browser session to IP address of user — When selected, a session for working with the<br />
user interface is only valid as long as the IP address of the client that the user started this session from<br />
remains the same<br />
Let user decide to restrict session for IP address or not — When selected, it is up to the user who<br />
started a session for working with the user interface whether it should be valid only for the IP address<br />
of the client that the session was started from<br />
User Interface Certificate<br />
Settings for a certificate used in SSL-secured communication through the HTTPS appliance port<br />
Subject, Issuer, Validity, Extensions — Information on the certificate that is currently in use<br />
Import — Opens the Import Certificate Authority window for importing a new certificate<br />
Certificate chain — Displays a certificate chain that is imported with a certificate<br />
For more information on the window used for importing a certificate, see Import Certificate Authority<br />
window.<br />
Import Certificate Authority window<br />
Settings for importing a certificate that is used in SSL-secured communication<br />
Certificate — Input field for entering the name of a certificate file<br />
The file name can be entered manually or by using the Browse button in the same line.<br />
Browse — Opens the local file manager to let you browse for and select a certificate file<br />
Private key — Input field for entering the name of a private key file<br />
The file name can be entered manually or by using the Browse button in the same line.<br />
Note: Only keys that are AES-128-bit encrypted or unencrypted keys can be used here.<br />
Browse — Opens the local file manager to let you browse for and select a private key file<br />
Password — Input field for entering a password that allows the use of a private key.<br />
Import — Opens the Import Certificate Authority window for importing a new certificate<br />
OK — Starts the import process for the specified certificate<br />
Certificate chain — Input field for entering the name of a certificate chain file<br />
The file name can be entered manually or by using the Browse button in the same line.<br />
Browse — Opens the local file manager to let you browse for and select a certificate chain file<br />
Note: After importing a certificate with a certificate chain, the certificate chain is displayed in the Certificate<br />
chain field of the User Interface Certificate settings.<br />
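A pre-import check for the key restriction in the note on the Private key field, as an added example (not McAfee's code). It assumes PEM-encoded key files and reads "AES-128-bit encrypted" as OpenSSL's AES-128-CBC PEM encryption; the sample blocks are constructed filler, not real keys.<br />

```python
import base64
import re
from typing import Tuple

# DER-encoded OIDs of PBES2 encryption schemes (NIST AES arc 2.16.840.1.101.3.4.1.x).
AES128_CBC_OID = bytes.fromhex("0609608648016503040102")
AES256_CBC_OID = bytes.fromhex("060960864801650304012a")

PEM_KEY = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S
)
HEADER = re.compile(r"^([A-Za-z-]+):[ \t]*(.+?)[ \t\r]*$", re.M)


def classify_private_key(pem_text: str) -> Tuple[bool, str]:
    """Return (importable, reason) under the 'AES-128 or unencrypted' rule."""
    m = PEM_KEY.search(pem_text)
    if not m:
        return False, "no PEM private key block found"
    label, body = m.group(1), m.group(2)

    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher is named inside the ASN.1 structure, so look
        # for the AES-128-CBC OID in the decoded bytes (a heuristic check).
        try:
            der = base64.b64decode("".join(body.split()))
        except ValueError:
            return False, "PKCS#8 body is not valid base64"
        if AES128_CBC_OID in der:
            return True, "PKCS#8 encrypted with AES-128-CBC"
        return False, "PKCS#8 encrypted with a cipher other than AES-128-CBC"

    # Traditional PEM: encryption is declared in RFC 1421-style headers.
    headers = dict(HEADER.findall(body))
    if "ENCRYPTED" not in headers.get("Proc-Type", ""):
        return True, "unencrypted key"
    cipher = headers.get("DEK-Info", "").split(",")[0].strip().upper()
    if cipher.startswith("AES-128"):
        return True, f"encrypted with {cipher}"
    return False, f"encrypted with {cipher or 'an unknown cipher'}, re-encrypt before import"


def make_pem(label: str, body: bytes, headers: str = "") -> str:
    """Build a constructed PEM block; the body is filler, not key material."""
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"


# Constructed samples covering the cases the note distinguishes.
SAMPLES = {
    "plain": make_pem("RSA PRIVATE KEY", b"constructed filler, not a key"),
    "aes128": make_pem(
        "RSA PRIVATE KEY", b"constructed filler",
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"),
    "des3": make_pem(
        "RSA PRIVATE KEY", b"constructed filler",
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n"),
    "p8_aes128": make_pem("ENCRYPTED PRIVATE KEY",
                          b"\x30\x20" + AES128_CBC_OID + b"filler"),
    "p8_aes256": make_pem("ENCRYPTED PRIVATE KEY",
                          b"\x30\x20" + AES256_CBC_OID + b"filler"),
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(f"{name:10s}", classify_private_key(pem))
```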
System files<br />
You can edit the system files of the appliance with a file editor. This section tells you how to work with<br />
this editor.<br />
File Editor tab<br />
Use the File Editor tab to edit system files on the appliance. It is selected from the Configuration<br />
top-level menu.<br />
Figure 7-2 File Editor tab<br />
The main elements of the tab are:<br />
• Appliances — Tree structure of appliances that can be administered from this appliance<br />
• System files — Tree structure of system files for an appliance<br />
• Toolbar — Items for editing a system file<br />
• File text — Text of the currently selected system file<br />
File Editor toolbar<br />
The following table describes the options of the File Editor toolbar:<br />
Table 7-13 File Editor tool bar<br />
Option Definition<br />
Edit Opens a menu with editing options<br />
• Cut Cuts out selected text<br />
• Copy Copies selected text<br />
• Paste Pastes copied or cut-out text.<br />
• Delete Deletes selected text<br />
• Select All Selects the complete text<br />
Discard Changes Discards text changes<br />
A window opens to let you confirm the discarding.<br />
Database updates<br />
Information retrieved from external databases for use in the filtering process needs to be updated on<br />
the appliance from time to time. This section tells you how you can schedule automatic updates and<br />
also how to update this information manually.<br />
<strong>Web</strong> objects are filtered on the appliance in a rule-based process. The filtering rules need information<br />
on these objects before they can trigger actions, such as blocking access to an object or allowing it.<br />
They rely for this information on special modules.<br />
For example, a virus and malware filtering rule relies on the Antivirus module (or engine) to find out<br />
whether an object is virus-infected, or a URL filtering rule relies on the URL Filter module for URL<br />
category information.<br />
The modules retrieve this information, for example, virus signatures stored in DAT files, from external<br />
databases. The database updates on the appliance are updates of this information.<br />
You can update database information on the appliance using different methods.<br />
• Manual engine update — You can manually update database information for the modules of the<br />
appliance you are currently logged on to.<br />
If you are running multiple appliances and use Central Management functions to administer them,<br />
this manual update applies also to all appliances that you have included as nodes in this Central<br />
Management configuration.<br />
• Automatic engine update — You can also configure automatic updates in regular intervals for the<br />
modules of the appliance you are currently logged on to. These updates can retrieve information:<br />
• From the internet — Information is then downloaded from the relevant external databases.<br />
Note: Database information is updated in this way immediately after the initial setup of an appliance.<br />
• From other nodes in a Central Management configuration — Information is then downloaded<br />
from these nodes. For every node, you can in turn configure whether uploading information from<br />
it to other nodes is allowed.<br />
You can configure these updates when you set up the Central Management configuration,<br />
specifying for each node how it should behave regarding automatic updates.<br />
Update database information manually<br />
This section tells you how to update database information manually. The update applies to the modules of<br />
the appliance you are logged on to and to those of other appliances if you have included them in a<br />
Central Management configuration.<br />
Complete the following procedure to update database information manually:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances toolbar, click Manual Engine Update. The update is performed.<br />
Schedule automatic engine updates<br />
This section tells you how to schedule automatic updates of database information for the modules of<br />
the appliance.<br />
If you want to run multiple appliances in a central management configuration, you can schedule these<br />
updates when you set up the configuration.<br />
Complete the following procedure to schedule automatic engine updates:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, navigate to the appliance you want to schedule automatic updates for and<br />
select Central Management Configuration.<br />
3 Scroll down to Automatic Engine Updates and configure update settings as needed.<br />
• Enabling of automatic updates — To make sure updates can happen automatically on an<br />
appliance at all<br />
• Sources of the updates — These can be external databases on the internet. In a Central<br />
Management configuration, these can also be other nodes.<br />
• Update intervals — With a special setting for updating certificate revocation lists (CRLs)<br />
• Use of update proxies — To enable a fail-over when systems become unavailable<br />
• Advanced update settings — For the upload of updated information from one node to others in<br />
a Central Management configuration and other functions<br />
4 Click Save Changes.<br />
Automatic Engine Updates system settings<br />
The Automatic Engine Updates settings are for scheduling automatic updates of database information<br />
for modules used in the filtering process.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Enable automatic updates — When selected, database information is automatically updated<br />
Allow to download updates from the internet — When selected, database updates are<br />
downloaded from the internet<br />
Allow to download updates from other nodes — When selected, database updates are<br />
downloaded from other nodes in a Central Management configuration<br />
Update interval — Time (in minutes) to elapse before database information is again updated<br />
The time is set on a slider scale.<br />
Note: The range of allowed values is 15 to 360.<br />
CRL update interval — Time (in hours) to elapse before certificate revocation lists used in filtering<br />
SSL-secured web traffic are updated<br />
This update uses a method that differs from those of other updates and must therefore be configured<br />
separately.<br />
The time is set on a slider scale.<br />
Note: The range of allowed values is 3 to 168.<br />
Enable update proxies — When selected, proxy servers are used for routing updated database<br />
information<br />
Update proxies (fail over) — List of proxy servers used for routing updated database information<br />
The proxy servers are used in fail-over mode. The first server on the list is tried first and only if the<br />
configured timeout has elapsed is the next server tried.<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-14 Update Proxies list<br />
Option Definition<br />
Host Host name or IP address of the server that is used as proxy for routing updates<br />
Port Port on the proxy that listens for update requests<br />
User User name of the user who is authorized to request updates that use the proxy<br />
Password Password of this user<br />
Comment Plain-text comment on the proxy<br />
Advanced Settings<br />
Settings for advanced update functions<br />
Allow to upload updates to other nodes — When selected, updated database information can be<br />
uploaded from the appliance (as a node in a central management configuration) to other nodes<br />
The first time an update starts, it should wait an appropriate time before starting — Time (in<br />
seconds) to elapse before an update is started<br />
Note: The range of allowed values is 5 to 1200.<br />
The first time an automatic update starts, it uses the startup interval to update — Time (in<br />
seconds) to elapse between attempts to start an automatic update for the first time<br />
During an update, the coordinator subsystem, which stores updated information on the appliance, tries<br />
to connect to the appliance core, where the modules reside that use this information. A low value for<br />
this interval can therefore speed up updates because it reduces the time the coordinator might have to<br />
wait until the core is ready to receive data.<br />
Note: The range of allowed values is 5 to 600.<br />
Try to update with start interval — Maximum number of attempts (1 to 9) the appliance makes<br />
when trying to start an update<br />
Use alternative URL — URL of an update server that is used instead of the default server<br />
Verify SSL tunnel — When selected, an option to “tunnel” SSL-secured web traffic is used for updates<br />
Central management<br />
You can set up multiple appliances within your network and run them as nodes in a central<br />
management configuration. This section explains how to configure settings for a configuration of this<br />
type.<br />
As nodes in a central management configuration, the appliances have the following connections:<br />
• Each of the appliances has clients that direct their web traffic to it.<br />
• Appliances are joined in appliance groups that allow, for example, updates from one appliance to<br />
others. An appliance can be a member of different groups at the same time.<br />
After setting up an appliance, you can configure central management settings for it. You can then add<br />
other appliances that you want to be in the same group to the configuration. After adding an appliance,<br />
you can view and configure its system settings on the user interface of the appliance that the other<br />
appliance was added to.<br />
The following diagram shows a group of appliances in a central management configuration.<br />
Figure 7-3 Central management configuration<br />
Configure central management settings<br />
You can run multiple appliances in a central management configuration.<br />
To configure central management settings for an appliance:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure central management settings for<br />
and select Central Management Configuration.<br />
3 Configure these settings as needed. They include:<br />
• Communication parameters — The IP address used for communication with other nodes, a<br />
timeout, and the maximum number of retries<br />
• Group membership — The group or groups that an appliance belongs to<br />
• Update schedules — Methods and intervals for database updates<br />
• Advanced settings — For storing configuration data and other functions<br />
4 Click Save Changes.<br />
For more information, see Central Management system settings.<br />
Add an appliance to a central management configuration<br />
When administering a central management configuration, you can add appliances and run them as<br />
members of the same group.<br />
To add an appliance:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances toolbar, click Add. The Add Appliance window opens.<br />
3 Configure settings for the appliance:<br />
• Host name or IP — Of the added appliance<br />
• Network group — Group that the appliance belongs to (selected from a list)<br />
4 Click OK. The new appliance appears on the appliances tree.<br />
5 Click Save Changes.<br />
Central Management system settings<br />
The Central management system settings are used for configuring an appliance as a node in a central<br />
management configuration.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Central Management Settings<br />
Settings for a node in a central management configuration<br />
IP addresses for central management communication — List of IP addresses of the node<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-15 IP address list<br />
Option Definition<br />
String String for an IP address of the appliance when it is a node in a central management<br />
configuration<br />
Comment Plain-text comment on an IP address<br />
Timeout for distributing messages to other nodes — Time (10 to 600 seconds) to elapse before<br />
the node makes the next attempt to send a message to another node that has not yet responded<br />
The value for this priority is set on a slider scale.<br />
Advanced Management Settings<br />
Settings for advanced central management functions<br />
Multiplier for timeout when distributing over multiple nodes — Factor to increase the time<br />
interval that has been configured under Timeout for distributing messages to other nodes in the Central<br />
Management Settings section.<br />
The interval can be increased by a value ranging from 1 to 2.<br />
The value is set on a slider scale.<br />
Attempts made for each address of another node to distribute messages — Maximum number<br />
of attempts (1 to 5) the node makes when trying to reach another node under a particular IP address<br />
that has not yet responded<br />
The number is set on a slider scale.<br />
Node priority — Priority (ranging from 1 to 100) that the node takes within the configuration. The<br />
highest priority is 1.<br />
When you add a node to a group of nodes in a Central Management configuration, the nodes that have<br />
a lower priority (a higher value) and are allowed to receive configuration settings from other nodes<br />
receive new settings from this node.<br />
Note: If this is not your intention, you should make sure the nodes that you add have the same priority as the<br />
already existing nodes. In this case, the most recent configuration settings are distributed, either from the<br />
newly added node to the existing nodes or from the node with the most recent settings in the group to the<br />
new node.<br />
The value for this priority is set on a slider scale.<br />
Allow a GUI server to attach to this node — When selected, a server providing an additional user<br />
interface for the appliance is allowed to connect to the node<br />
Allow to attach a GUI server from non-local host — When selected, a server with an additional<br />
user interface that is not running within your network is allowed to connect to the node<br />
GUI control address — IP address and port number of the server that provides an additional user<br />
interface<br />
GUI request address — IP address and port number of this server used when sending requests to it<br />
Contact other nodes unencrypted — When selected, messages sent from this node to other nodes<br />
in the configuration are not encrypted<br />
Enable IP checking for other nodes — When selected, the IP address can be verified when<br />
messages are sent from this node to other nodes in the configuration<br />
Multiplier for timeout when distributing over multiple nodes — Time (10 to 600 seconds) to<br />
elapse before the node makes the next attempt to send a message to another node that has not yet<br />
responded<br />
Allowed time difference — Difference in time (10 to 600 seconds) allowed for an update<br />
The seconds are set on a slider scale.<br />
Enable version checking for other nodes — When selected, the version of an update that is<br />
distributed to other nodes can be verified<br />
This way updates that are already implemented on a node can be avoided.<br />
• Level of version check — Level of thoroughness when verifying the version of an update<br />
Verification levels range from 1 (very relaxed: only the major version number must match) to 6<br />
(very strict: the build number must also match)<br />
The level is set on a slider scale.<br />
This Node is a Member of the Following Groups<br />
Settings for including a node in a group of nodes<br />
Group runtime — Group of the node, in which runtime data can be shared with all nodes of the group,<br />
for example, the amount of quota time or volume<br />
Group update — Group of the node, in which updates can be shared with all nodes of the group<br />
Group network — Group of the node, in which it can immediately connect to all other nodes of the<br />
group<br />
A node can be a member of more than one network group. In this case, the nodes of one group that a<br />
node is a member of can connect through this node to nodes of another group that this node is also a<br />
member of.<br />
All groups that a node is a member of are listed here.<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 7-16 Group Network list<br />
Option Definition<br />
String String for the name of a group of nodes<br />
Comment Plain-text comment on the group<br />
Automatic Engine Updates<br />
Settings for automatically updating database information for special appliance modules<br />
For more information, see Automatic Engine Updates system settings.<br />
Handle Stored Configuration Files<br />
Settings for storing configuration file folders on disk<br />
Keep saved configuration folders for a minimal time — Time (1 to 365 days) that configuration<br />
file folders are at least stored on disk<br />
Keep minimal number of configuration folders — Number of configuration file folders (1 to 100)<br />
that are at least stored on disk at any time<br />
Keep minimal number of packed folders — Number of packed configuration file folders (1 to 100)<br />
that are at least stored on disk at any time<br />
Note: Configuration folders are packed when the minimal time configured for storing them on disk has<br />
elapsed and the minimal number of folders stored on disk at any time would be exceeded if they were stored<br />
unpacked any longer.<br />
Advanced Scheduled Jobs<br />
Settings for scheduled jobs<br />
Job list — List of scheduled jobs on an appliance<br />
The following table describes the list entries.<br />
For information on how to create a scheduled job and add it to the job list, see Add a scheduled job.<br />
For general information on maintaining a list of this type, see Inline lists.<br />
Table 7-17 List of scheduled jobs<br />
Option Definition<br />
Start job Time setting for starting a scheduled job, for example, hourly, daily, once<br />
Start job immediately if it was not started at its original schedule Information on whether a scheduled job is started immediately if this has not happened according to the originally configured schedule<br />
Job Type of job, for example, Backup Configuration or Upload File<br />
Unique Job ID ID of a scheduled job<br />
When this job has finished run job with ID ID of a job that is run immediately after this job<br />
Comment Plain-text comment on a scheduled job<br />
Add a scheduled job<br />
You can add scheduled jobs to a list on the appliance to have them executed according to a time<br />
schedule that you configure. Scheduled jobs include creating a backup configuration, uploading a file,<br />
and other activities. This section tells you how to add such a job to the job list.<br />
To add a scheduled job:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure a scheduled job for and select<br />
Central Management Configuration.<br />
3 On the settings pane, click Advanced Scheduled Jobs. The scheduled jobs list appears.<br />
4 On the toolbar above the list, click Add. The Add Scheduled Job window opens.<br />
5 Configure settings for the scheduled job.<br />
6 Click OK. The window closes and the new scheduled job appears on the job list.<br />
7 Click Save Changes.<br />
For information on the scheduled job settings, see Scheduled job settings.<br />
Scheduled job settings<br />
This section describes the settings for adding or editing a scheduled job.<br />
Time Settings<br />
Settings for configuring the time when a scheduled job is started<br />
Start job — List for selecting the time setting<br />
• Hourly — Starts a scheduled job every hour<br />
• Daily — Starts a scheduled job once on a day<br />
• Weekly — Starts a scheduled job once in a week<br />
• Monthly — Starts a scheduled job once in a month<br />
• Once — Starts a scheduled job only once<br />
• Activated by other job — Starts a scheduled job after another job has been completed<br />
(Time parameter settings) — Settings specifying the parameters for the time setting, for example, the<br />
minute in an hour when a job scheduled for hourly execution should be started<br />
Note: Which time parameter settings are available depends on the selected time setting. For example, if you<br />
have selected Hourly, you can configure the minute in an hour, but not a day or week.<br />
• Minute — Minute in an hour<br />
• Hour — Hour on a day<br />
• Day of month — Day in a month<br />
• Enter day of week — List for selecting a day in the week<br />
• Month — Month in a year (specified by a number from 1 to 12)<br />
• Year — Year (four digits)<br />
Start job immediately if it was not started at its original schedule — When selected, a<br />
scheduled job is started immediately if this has not happened according to the originally configured<br />
schedule<br />
This can be the case, for example, when an appliance is temporarily shut down due to overload and a<br />
job was scheduled to run during this downtime. The job is then executed as soon as the appliance is up<br />
again.<br />
Job Settings<br />
Settings for configuring the type and ID of a scheduled job<br />
Job — List for selecting the type of a scheduled job<br />
• Backup configuration — Creates a backup of an appliance configuration<br />
• Restore backup — Restores a backup of an appliance configuration<br />
• Upload file — Uploads a file to an external server using the HTTP or HTTPS protocol<br />
• Download file — Downloads a file onto the appliance using the HTTP or HTTPS protocol<br />
• Yum update — Performs a yum update on an appliance configuration.<br />
Note: This scheduled job type is not available when an appliance runs in a FIPS-compliant mode.<br />
Unique job ID — String that uniquely identifies a scheduled job<br />
Note: The characters specified in this string are case-sensitive.<br />
Job description — Optional description of a scheduled job in plain-text format<br />
When this job has finished run job with ID — ID of a scheduled job that is to run immediately<br />
after the job configured here has finished<br />
Note: You must have configured the Activated by other job time setting for the job that runs immediately<br />
after.<br />
Execute job on remote node — List for selecting other nodes to execute a scheduled job when an<br />
appliance is a node in a central management configuration<br />
The list displays the host names of the other appliances that are nodes within the same central<br />
management configuration. The scheduled job that you configure on this appliance is executed with its<br />
time and parameter settings on the selected node or nodes.<br />
A message is sent to the other node or nodes to inform them about the scheduled job.<br />
Parameter Settings<br />
Settings for configuring more parameters of a scheduled job<br />
These settings differ for each job type you have selected under Job Settings. However, for a scheduled<br />
job that performs a yum update there are no additional parameter settings.<br />
Backup configuration parameter settings<br />
Settings for configuring a scheduled job that creates a backup of an appliance configuration<br />
Use most recent configuration — When selected, the scheduled job creates a backup from the most<br />
recent appliance configuration<br />
Backup configuration path — Name of the path to the folder where the configuration that should be<br />
used for the backup is stored<br />
Format: /opt/mwg/storage/default/configfolder<br />
Note: This setting is only available if Use most recent configuration is deselected.<br />
Save configuration to path — Path and file name for the backup configuration<br />
Format: //<br />
Note: You must set user rights for the folder you want to store the backup configuration in, making the<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> appliance the owner who is allowed to write data into the folder.<br />
On the command line provided, for example, by a serial console, run the appropriate commands to create a<br />
folder or change the rights for an existing folder.<br />
Restore backup parameter settings<br />
Settings for configuring a scheduled job that restores a backup of an appliance configuration<br />
Restore backup from file — Path and file name for the configuration file that should be used to<br />
restore a backup<br />
Format: //<br />
Only restore policy — When selected, a scheduled job backs up only settings related to the web<br />
security policy that was implemented on an appliance<br />
Settings needed for connecting an appliance to a network, such as the UUID or IP address, are not<br />
restored.<br />
Lock storage during restore — When selected, no other files can be stored on the appliance until the<br />
scheduled job has completely restored the backup configuration<br />
Upload file parameter settings<br />
Settings for configuring a scheduled job that uploads a file to an external server using the HTTP or<br />
HTTPS protocol<br />
File to upload — Path and file name for a file that should be uploaded<br />
Format: //<br />
Destination to upload file to — Path name to the server that a file should be uploaded to under the<br />
HTTP or HTTPS protocol and file name for storing the file on the server<br />
Format: http | https: ///<br />
Enable basic authentication — When selected, basic authentication is required for uploading a file to<br />
a destination server<br />
User name — User name submitted for basic authentication<br />
Note: This setting is only available if Enable basic authentication is selected.<br />
Password — Password submitted for basic authentication<br />
Set — Opens the New Password window for setting a password<br />
When a password has been set, the Set button is replaced by a Change button, which opens the New<br />
Password window for changing a password.<br />
Note: This setting is only available if Enable basic authentication is selected.<br />
Download file parameter settings<br />
Settings for configuring a scheduled job that downloads a file to the appliance using the HTTP or HTTPS<br />
protocol<br />
URL to download — URL for the location of a file that should be downloaded under the HTTP or HTTPS<br />
protocol and name of the file<br />
Format: http | https: ///<br />
Save downloaded file to — Path to the location where a downloaded file should be stored and file<br />
name for storing the file<br />
Format: //<br />
Enable basic authentication — When selected, basic authentication is required for downloading a file<br />
from a location<br />
User name — User name submitted for basic authentication<br />
Note: This setting is only available if Enable basic authentication is selected.<br />
Password — Password submitted for basic authentication<br />
Set — Opens the New Password window for setting a password<br />
When a password has been set, the Set button is replaced by a Change button, which opens the New<br />
Password window for changing a password.<br />
Note: This setting is only available if Enable basic authentication is selected.<br />
Comment<br />
Optional comment on a scheduled job in plain-text format<br />
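The rules this section states for scheduled jobs (case-sensitive unique job IDs, the Activated by other job requirement for a follow-up job, no yum update in FIPS-compliant mode) can be checked on a planned job list before it is entered. The following Python is an added example, not McAfee code: the job dictionaries and their keys are a hypothetical representation of the settings window, the sample jobs are constructed, and the https check for basic authentication is an added hardening check, not a rule from this guide.<br />

```python
from urllib.parse import urlsplit

ACTIVATED = "Activated by other job"
# Time settings and job types as listed under Scheduled job settings.
TIME_SETTINGS = {"Hourly", "Daily", "Weekly", "Monthly", "Once", ACTIVATED}
JOB_TYPES = {"Backup configuration", "Restore backup", "Upload file",
             "Download file", "Yum update"}


def lint_jobs(jobs, fips_mode=False):
    """Return a sorted list of (job_id, finding) tuples.

    Each job is a dict with the hypothetical keys id, start, type and,
    optionally, next_id, url and basic_auth.
    """
    findings = []
    by_id, lowered = {}, {}
    for job in jobs:
        jid = job["id"]
        if jid in by_id:                      # exact, case-sensitive match
            findings.append((jid, "duplicate job ID"))
            continue
        by_id[jid] = job
        lowered.setdefault(jid.lower(), jid)  # used only for hints

    referenced = set()
    for jid, job in by_id.items():
        if job["start"] not in TIME_SETTINGS:
            findings.append((jid, f"unknown time setting {job['start']!r}"))
        if job["type"] not in JOB_TYPES:
            findings.append((jid, f"unknown job type {job['type']!r}"))
        if job["type"] == "Yum update" and fips_mode:
            findings.append(
                (jid, "Yum update is not available in FIPS-compliant mode"))
        # Added check: HTTP basic authentication is only encoded, not
        # encrypted, so the password needs the protection of https.
        if job["type"] in ("Upload file", "Download file") and job.get("basic_auth"):
            if urlsplit(job.get("url", "")).scheme.lower() != "https":
                findings.append(
                    (jid, "basic authentication without https exposes the password"))
        nxt = job.get("next_id")
        if nxt:
            referenced.add(nxt)
            follower = by_id.get(nxt)
            if follower is None:
                msg = f"follow-up job {nxt!r} does not exist"
                hint = lowered.get(nxt.lower())
                if hint:
                    msg += f" (IDs are case-sensitive; closest is {hint!r})"
                findings.append((jid, msg))
            elif follower["start"] != ACTIVATED:
                findings.append(
                    (jid, f"follow-up job {nxt!r} is not set to {ACTIVATED!r}"))

    for jid, job in by_id.items():
        if job["start"] == ACTIVATED and jid not in referenced:
            findings.append((jid, "no job activates this job"))
        # Follow the chain; arriving back at the start means a loop.
        seen, cur = {jid}, job.get("next_id")
        while cur in by_id and cur not in seen:
            seen.add(cur)
            cur = by_id[cur].get("next_id")
        if cur == jid:
            findings.append((jid, "job chain loops back to this job"))
    return sorted(findings)


# Constructed sample: a nightly backup that should trigger an upload.
SAMPLE_JOBS = [
    {"id": "NightlyBackup", "start": "Daily", "type": "Backup configuration",
     "next_id": "pushBackup"},
    {"id": "PushBackup", "start": ACTIVATED, "type": "Upload file",
     "url": "http://backup.example.invalid/mwg/nightly.backup",
     "basic_auth": True},
    {"id": "Patch", "start": "Weekly", "type": "Yum update"},
]

if __name__ == "__main__":
    for job_id, finding in lint_jobs(SAMPLE_JOBS, fips_mode=True):
        print(f"{job_id}: {finding}")
```

In the sample, the backup refers to pushBackup while the upload job is named PushBackup, so the upload would never be activated.<br />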
8 Monitoring<br />
Contents<br />
Monitoring the appliance<br />
Dashboard<br />
Logging<br />
Performance measurement<br />
Transferring data to an ePO server<br />
Event monitoring with SNMP<br />
Error handling<br />
Monitoring the appliance<br />
You can monitor the <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> appliance when it executes the filtering functions that<br />
ensure web security for your network. The sections in this chapter provide an overview of this<br />
monitoring, tell you how to access the dashboard, and explain how to use logging and other functions<br />
for monitoring purposes.<br />
Monitoring functions<br />
This section gives an overview of the monitoring functions that are available on the appliance.<br />
• Dashboard — The user interface provides a dashboard, where you can view information on web<br />
usage, filtering activities, and system behavior.<br />
• Logging — The appliance provides two default logs for storing log files. Entries in these files are<br />
written by rules in corresponding rule sets. You can configure the handling of these log files, such as<br />
rotation, deletion, and pushing. Other log files are not maintained by rules.<br />
The default rule-based logs are:<br />
• Access log — Records requests for access to the web received on the appliance<br />
• Viruses Found log — Records viruses and other malware that infected requested objects<br />
• Monitoring with external devices — You can transfer information on the appliance status to a<br />
server that has <strong>McAfee</strong> ePolicy Orchestrator (ePO) software installed and monitor events on the<br />
appliance with an agent application under the SNMP protocol.<br />
Troubleshooting functions<br />
When problems arise in working with the appliance, you might want to take troubleshooting measures.<br />
Monitoring what has happened in a problem situation can be one of the means for troubleshooting.<br />
The user interface provides a Troubleshooting top-level menu, which also includes some monitoring<br />
functions.<br />
For more information, see Troubleshooting.<br />
Dashboard<br />
The dashboard on the user interface of the appliance allows you to monitor key events and parameters,<br />
such as alerts, filtering activities, status, web usage, and system behavior. If the appliance is a node in<br />
a central management configuration, statuses and alerts are also shown for the other appliances.<br />
This section tells you how to access the dashboard and gives an overview of the information it provides.<br />
Access the dashboard<br />
To access the dashboard:<br />
1 Select the Dashboard top-level menu.<br />
2 Select one of the following two tabs:<br />
• Alerts — Shows status and alerts<br />
• Charts and Tables — Shows web usage, filtering activities, and system behavior<br />
Alerts tab<br />
The Alerts tab displays information on the status and alerts for the appliance and, in case the appliance<br />
is a node in a central management configuration, also of the other appliances.<br />
View status and alerts information<br />
To view the information shown on the Alerts tab:<br />
1 Go to Dashboard | Alerts.<br />
2 [Optional] Refresh the alerts information that is provided on the lower part of the tab in one of the<br />
following ways:<br />
• Automatic refresh — Select or deselect this checkbox for an automatic refresh after a given<br />
period of time.<br />
Note: This option is selected by default.<br />
• Refresh now — Click this button for an immediate refresh.<br />
Overview of status information<br />
Information about the status of appliances is provided under Appliances Status on the Alerts tab of the<br />
dashboard. The following table provides an overview of this information.<br />
Table 8-1 Overview of status information<br />
Information Description<br />
Appliance Basic appliance information:<br />
• Name — Name of an appliance<br />
Performance Key performance parameters:<br />
• Alert peaks, seven last days — Most severe alert on an appliance for each of<br />
the last seven days<br />
A colored field is displayed for each day (right-most field is today):<br />
• Gray — No alert during the day<br />
• Green — Most severe alert during the day was an information<br />
• Yellow — Most severe alert during the day was a warning<br />
• Red — Most severe alert during the day was an error<br />
• Requests per second — Diagram showing how the number of web requests in<br />
HTTP and HTTPS mode received on the appliance evolved over the last 30<br />
minutes<br />
The value to the right of the diagram is the average number of requests per<br />
second over the last ten minutes.<br />
<strong>McAfee</strong> Anti-Malware Versions Update and version information for virus and malware filtering modules:<br />
• Last update — Number of minutes since the appliance modules related to<br />
virus and malware filtering were last updated<br />
• <strong>Gateway</strong> Engine — Version number of the <strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware<br />
engine<br />
• Proactive Database — Version number of the Proactive Database<br />
• Engine — Version number of the <strong>McAfee</strong> Anti-Malware engine<br />
• DATs — Version number of the DAT files (containing virus signatures)<br />
URL Filter Update and version information for the URL filtering module:<br />
• Last update — Number of days since the appliance module for URL filtering<br />
was last updated<br />
• Version — Version number of the URL filtering module<br />
Filtering alerts information<br />
Information about alerts on an appliance is provided under Alerts on the Alerts tab of the dashboard.<br />
You can filter the information that is displayed using several filters. The following table explains these<br />
filters.<br />
Table 8-2 Items for filtering alerts information<br />
Information Description<br />
Appliance Filter Filters alerts according to the appliances they occurred on<br />
Click the button to display a window for selecting the appliances you want to<br />
view alerts for.<br />
The filter applies as soon as you close the window.<br />
Date Filter Filters alerts according to the period of time they occurred in<br />
Click the button to display a drop-down menu for selecting the time period you<br />
want to view alerts for.<br />
The filter applies as soon as you close the menu.<br />
You can select one of the following:<br />
• All<br />
• Today<br />
• Yesterday<br />
• Last week<br />
• Custom<br />
Under the Custom option, you can set a start and end date on two calendars<br />
and type a start and end time in two filter fields. The time format is<br />
hh:mm:ss, using the 24-hour notation, for example, 1 p. m. is 13:00:00.<br />
When an appliance is a node in a central management configuration and you<br />
have selected several nodes of this configuration in the Appliance Filter, alerts<br />
are shown for all nodes. They are shown, however, according to the date and<br />
time of the user interface you are working with on a particular node to set the<br />
Date Filter.<br />
For example, you select Today in the Date Filter on a node in Amsterdam at<br />
7 p. m. local time. This means all alerts that occurred during the last 19 hours<br />
are shown. For a node in New York, local time is 1 p. m. at the time you set the<br />
filter.<br />
Alerts that occurred on the New York node are then shown for the last 19 hours,<br />
not for the last 13 hours, which would correspond to what Today is for the New<br />
York node.<br />
Message Filter Filters alerts according to alert message types and strings within the message<br />
texts<br />
The filter applies as soon as you have set the filter options.<br />
Set these options in the following way:<br />
• Error, Warning, Information — Select the alert message type you want to<br />
view or any combination of types.<br />
• Filter — Optionally type a filtering term into this field. Only alerts with<br />
message texts matching this term and the selected type or types are shown.<br />
Note: The search for matching terms is performed on alert entries as they<br />
are stored in an internal database on the appliance, not as they appear on<br />
the user interface.<br />
When alerts appear on the user interface, the alert message text can include<br />
additional parts. For example, the word origin is added to the name of the<br />
component that is the origin of an alert. You can, however, not use origin or<br />
other added terms to filter alerts.
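<br />
The Date Filter behavior described in Table 8-2 matters when alert times from several nodes are read side by side. The following Python is an added example, not part of the product: it reproduces the Amsterdam and New York case with constructed alerts, a constructed date, and fixed UTC offsets (an assumption that both sites are on standard time), and lists the alerts that Today shows although they belong to the previous calendar day on the node where they occurred.<br />

```python
from datetime import datetime, time, timedelta, timezone

# Constructed fixed UTC offsets (both sites on standard time) so the example
# runs offline; they reproduce the guide's 7 p.m. / 1 p.m. pairing.
AMSTERDAM = timezone(timedelta(hours=1), "Amsterdam")
NEW_YORK = timezone(timedelta(hours=-5), "New York")


def today_window(ui_now):
    """'Today' on the node whose user interface sets the Date Filter:
    from that node's local midnight up to its current time."""
    start = datetime.combine(ui_now.date(), time.min, tzinfo=ui_now.tzinfo)
    return start, ui_now


def window_hours(window):
    """Length of a (start, end) window in hours."""
    start, end = window
    return (end - start).total_seconds() / 3600


def shown_alerts(alerts, window):
    """Alerts from all selected nodes that fall inside the UI node's window."""
    start, end = window
    return [a for a in alerts if start <= a["when"] <= end]


def previous_day_on_origin(alerts, ui_now):
    """IDs of shown alerts that, on the node where they occurred, belong to
    an earlier calendar day than that node's own 'today'."""
    flagged = []
    for alert in shown_alerts(alerts, today_window(ui_now)):
        node_tz = alert["when"].tzinfo
        if alert["when"].date() < ui_now.astimezone(node_tz).date():
            flagged.append(alert["id"])
    return flagged


# Constructed scenario: the administrator sets Today in Amsterdam at 7 p.m.
UI_NOW = datetime(2011, 11, 15, 19, 0, tzinfo=AMSTERDAM)

# Constructed alerts, each stamped in the local time of its node.
ALERTS = [
    {"id": "ny-1", "when": datetime(2011, 11, 14, 17, 30, tzinfo=NEW_YORK)},
    {"id": "ny-2", "when": datetime(2011, 11, 14, 21, 15, tzinfo=NEW_YORK)},
    {"id": "ny-3", "when": datetime(2011, 11, 15, 9, 0, tzinfo=NEW_YORK)},
    {"id": "ams-1", "when": datetime(2011, 11, 15, 8, 0, tzinfo=AMSTERDAM)},
]

if __name__ == "__main__":
    window = today_window(UI_NOW)
    print("window applied to all nodes (hours):", window_hours(window))
    print("New York's own Today would be (hours):",
          window_hours(today_window(UI_NOW.astimezone(NEW_YORK))))
    print("shown:", [a["id"] for a in shown_alerts(ALERTS, window)])
    print("previous day on origin node:", previous_day_on_origin(ALERTS, UI_NOW))
```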
Charts and Tables tab<br />
The Charts and Tables tab displays statistical data on web usage, filtering activities, and system<br />
behavior of the appliance and, in case the appliance is a member in a central management<br />
configuration, also of the other appliances.<br />
View charts and tables information<br />
To view the information shown on the Charts and Tables tab:<br />
1 Go to Dashboard | Charts and Tables.<br />
2 From the Appliance drop-down list, select the appliance you want to view charts and tables<br />
information for.<br />
3 [Optional] Click Update to ensure you see the latest information.<br />
4 From the list on the navigation pane, select the information you want to view, for example <strong>Web</strong> Traffic<br />
Summary.<br />
Display options<br />
You have several options for displaying the information on the Charts and Tables tab, depending on the<br />
type of information that is provided.<br />
There are the following types of information:<br />
• Evolving data — Shows how particular parameters evolved over a selected time interval<br />
For example, you can view how the number of blocked or allowed URL requests evolved over a<br />
selected time interval.<br />
• Top scores — Shows top numbers for activities or byte volumes related to key items of the filtering<br />
process up to the moment when you view them<br />
What you see then is these numbers, but not how they evolved over time.<br />
For example, you can view the URL categories that have been most often requested. Or you can<br />
view media types ranked according to the volumes transferred when web objects of these types<br />
were downloaded.<br />
Note: The maximum number of items stored on the appliance for presenting top scores at a given point in<br />
time is 1500. When this number is exceeded, items that have the lowest occurrence or byte volumes are<br />
removed.<br />
• Other information — Shows other information presented on tables<br />
For example, you can view the current versions of key modules on the appliance such as the<br />
Anti-Malware module or the URL Filter module.<br />
The following table explains the display options for evolving data and top scores. For the tables that<br />
show other information, there are no particular display options.<br />
Table 8-3 Options for displaying information on the Charts and Tables tab<br />
Option Definition<br />
For evolving data<br />
Show last Drop-down list for selecting a time interval: 1 hour | 3 hours | ... | 1 year<br />
Resolution Displays the time unit used for the diagram that shows the evolution of a parameter over<br />
the selected interval<br />
Resolution varies with the interval.<br />
For example, when 1 hour is selected, the diagram uses 1 minute as the time unit, when<br />
1 year is selected, the diagram uses 1 day.<br />
View Drop-down menu for selecting:<br />
• Display mode: Line | Stacked<br />
• Average values<br />
Refreshes the view<br />
For top scores<br />
Top Drop-down list for selecting how many of the items with the highest scores are shown:<br />
10 | 25 | ... | 1000<br />
For example, the 25 URL categories that were most often requested can be shown.<br />
Refreshes the view<br />
Overview of charts and tables information<br />
The Charts and Tables tab displays statistical data on web usage, filtering activities, and system<br />
behavior. The following table provides an overview of this information.<br />
Table 8-4 Overview of charts and tables information<br />
Information Description<br />
Executive Summary<br />
URL Executive Summary Shows how numbers of requests evolved during the selected interval and sorts them<br />
into allowed (“good”) requests and requests blocked by filtering rules for viruses and<br />
other malware, URLs, and media types<br />
Categories by Hits Shows the URL categories that were requested most often within the interval<br />
selected for the summary<br />
Malwares by Hits Shows the virus and malware types that were requested most often within the<br />
interval selected for the summary<br />
System Summary<br />
Network Utilization Shows how numbers of requests sent and received evolved during the selected<br />
interval<br />
System Utilization Shows how usage of hard disk, CPU, physical memory of the appliance system, and<br />
the physical memories of the core and coordinator modules evolved during the<br />
selected interval<br />
Update Status Shows the versions of several modules and filter information files that are<br />
implemented on the appliances, for example, of the <strong>Gateway</strong> Antimalware engine or<br />
of the anti-malware signature files<br />
Last Update Shows when several modules of the appliance were last updated, for example, the<br />
URL Filter module<br />
Open Ports Lists the ports on the appliance that are currently listening to requests.<br />
WCCP Services Shows status of WCCP services used to redirect traffic to the appliance<br />
Active Proxy Connections Shows how numbers of connections evolved during the selected interval<br />
<strong>Web</strong> Traffic Summary<br />
Traffic per Protocol Shows how volumes of web traffic under the HTTP, HTTPS, and FTP protocols<br />
evolved during the selected interval<br />
Requests per Protocol Shows how numbers of requests under the HTTP, HTTPS, and FTP protocols evolved<br />
during the selected interval<br />
ICAP Traffic Summary<br />
ICAP Traffic Shows how volumes of ICAP requests in REQMOD and RESPMOD modes evolved<br />
during the selected interval<br />
ICAP Requests Shows how numbers of ICAP requests in REQMOD and RESPMOD modes evolved<br />
during the selected interval<br />
IM Traffic Summary<br />
Instant Messaging Traffic Shows how volumes of instant messaging requests evolved during the selected<br />
interval for different services<br />
Instant Messaging Requests Shows how numbers of instant messaging requests evolved during the selected<br />
interval for different services<br />
Instant Messaging Clients Shows how numbers of instant messaging clients evolved during the selected<br />
interval for different services<br />
Traffic Volume<br />
Top-Level Domains by Bytes Transferred Lists the domains that were requested most according to the amount of bytes transferred from them<br />
Top-Level Domains by Number of Requests Lists the domains that were requested most according to the number of requests for them<br />
Destinations by Bytes Transferred Lists the destinations that were requested most according to the number of bytes transferred from them<br />
Destinations by Number of Requests Lists the domains that were requested most according to the number of requests for them<br />
Source IPs by Bytes Transferred Lists the source IPs that most volume was transferred to<br />
Source IPs by Number of Requests Lists the source IPs that most requests were made from<br />
<strong>Web</strong> Cache Statistics<br />
<strong>Web</strong> Cache Efficiency Shows how numbers of caching requests evolved during the selected interval and<br />
sorts them into hits and misses<br />
<strong>Web</strong> Cache Object Count Shows how numbers of objects in the cache evolved during the selected interval<br />
<strong>Web</strong> Cache Usage Shows how usage of the cache evolved during the selected interval<br />
Malware Statistics<br />
Malware URLs by Hits Lists the URLs infected by viruses and other malware that were most requested<br />
Malware by Hits Lists the malware types that most requests were made for<br />
URL Filter Statistics<br />
Category Shows how numbers of requested URL categories evolved during the selected<br />
interval<br />
Reputation Shows how numbers of requests evolved during the selected interval and sorts them<br />
according to the reputation of the requested URLs<br />
Categories by Hits Lists the URL categories that were most requested<br />
Sites Not Categorized by Hits Lists among the sites that are not categorized those that were most requested<br />
Malicious Sites by Hits Lists among the sites that were found to be infected those that were most requested<br />
Media Type Statistics<br />
Media Type Groups by Hits Shows how numbers of requested media type groups evolved during the selected<br />
interval and sorts the different types into audio files, images, and others<br />
Media Types by Bytes Lists the media types that were most requested according to the number of bytes<br />
transferred<br />
Media Types by Hits Lists the media types that were most requested according to the numbers of<br />
successful requests for them<br />
Certificate Statistics<br />
Certificate Incidents Shows how numbers of incidents evolved during the selected interval and sorts them<br />
according to the events that caused the incident, for example, expired certificates<br />
or common name mismatches<br />
System Details<br />
Network Utilization Shows how numbers of requests sent and received evolved during the selected<br />
interval<br />
CPU Utilization Shows how CPU usage evolved during the selected interval<br />
Memory Usage Shows how usage of memory evolved during the selected interval<br />
Swap Space (Virtual Memory) Usage Shows how usage of virtual memory evolved during the selected interval<br />
File System Utilization Shows how usage of the file system evolved during the selected interval<br />
File System Utilization Shows usage of the file system per partition<br />
Open TCP Ports Shows how numbers of open TCP ports evolved during the selected interval<br />
Authentication Statistics<br />
Authentication Requests Shows how numbers of requests processed remotely, locally, or found in the cache<br />
evolved under each authentication method during the selected interval<br />
Average Request Processing Time per Method in ms Shows how average processing time for requests sent to a server evolved under each authentication method during the selected interval<br />
Current Requests Report Shows numbers of requests, cache hits, and minimum, maximum, and average<br />
processing time for requests sent to a server<br />
Current Connection Status Shows the connections that are currently active under each authentication method<br />
Performance Information<br />
General Performance Shows how the processing time consumed on average for completing particular<br />
tasks evolved during the selected interval<br />
These tasks include performing a DNS lookup, connecting to a given web server, and<br />
the work done by the rule engine to process a request throughout all cycles.<br />
Note: When measuring the time consumed for DNS lookups, only lookups on<br />
external servers are considered. Cache lookups are disregarded.<br />
Detailed Performance Shows how the time consumed on average for processing a request throughout all<br />
cycles evolved during the selected interval<br />
Note: This performance information is only measured and displayed for web<br />
traffic that uses HTTP and HTTPS connections.<br />
The processing of a request throughout all cycles (request, response, and embedded<br />
object cycles) is considered to be one transaction.<br />
Average processing time is shown for complete transactions, but also for particular<br />
data transfers going on during a transaction:<br />
• First Byte Received from Client until First Byte Sent to Client – Shows the<br />
average processing time consumed between receiving the first byte from a client<br />
on the appliance and sending the first byte to this client within a transaction<br />
• Last Byte Received from Client until Last Byte Sent to Client – Shows the average<br />
processing time consumed between receiving the last byte from a client<br />
on the appliance and sending the last byte to this client within a transaction<br />
• First Byte Sent to Server until First Byte Received from Server – Shows the<br />
average processing time consumed between sending the first byte from the<br />
appliance to a web server and receiving the first byte from this server within a<br />
transaction<br />
• Last Byte Sent to Server until Last Byte Received from Server – Shows the<br />
average processing time consumed between sending the last byte from the<br />
appliance to a web server and receiving the last byte from this server within a<br />
transaction
Logging<br />
Appliance behavior can be recorded in log files. This section describes the available log file types,<br />
explains their handling, and gives an example of configuring a log file to record found viruses.<br />
Log file types<br />
There are several types of log files on the appliance. They differ in the type of data that is recorded and<br />
in the way the recording is done.<br />
Log files that record the same kind of data are stored in a folder, which is called a log.<br />
System log files<br />
Some log files are maintained by the appliance system, which includes the operating system and<br />
several system-related services. For these log files, data is recorded by system functions. You can view<br />
these files on the user interface, but not edit or delete them.<br />
Note: When system log files are unreadable, they are not shown on the user interface.<br />
The files are also rotated in regular intervals by the system. There is no option for configuring this<br />
rotation.<br />
Module log files<br />
Another type of log file is maintained by particular modules of the appliance, such as the proxy or<br />
anti-malware module. Data for these log files is recorded by module functions. You can view these files<br />
on the user interface, but not edit or delete them.<br />
Rotation, deletion, and pushing of these files is handled by the Log File Manager, which you can<br />
configure settings for. The files are stored in subfolders that are located on the appliance under<br />
/opt/mwg/log.<br />
All files in these folders are handled by the Log File Manager, except those that have mwgResInfo as a<br />
part of their names. The folders with the following names are also not handled by the Log File Manager:<br />
cores, feedbacks, tcpdump, migration, system, ruleengine_tracing, connection_tracing,<br />
message_tracing.<br />
Logs for module log files include the following:<br />
• Audit log — Stores log files that record changes to the appliance configuration<br />
• Debug log — Stores log files that record debugging information<br />
• Migration log — Stores log files that record migration activities<br />
• MWG errors logs — Stores log files that record errors occurring in modules of the appliance<br />
There are separate errors logs for the core and coordinator subsystems, the Anti-Malware module,<br />
the user interface, and the system configuration daemon.<br />
• Update log — Stores log files that record updates of modules and files on the appliance<br />
Rule-based log files<br />
There are also log files that record data based on rules. The recording is executed by events that are<br />
triggered when these rules apply. For example, a rule triggers an event when an object that a user<br />
requested is infected by a virus. The triggered event writes an entry with information on the user, the<br />
infected object, date and time of the request, and so on, to the log file.<br />
You can edit the rules for this type of log files in the same way as any other rules.<br />
The following rule-based log files are provided on the appliance by default:<br />
• Access log — Stores log files that record requests and related information, including date and time,<br />
user name, requested object, infection of an object, blocking of an object<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 277
• Found viruses log — Stores log files that record the names of viruses and other malware that were<br />
found to infect requested objects<br />
The log also records date and time, user name, IP address of the client a request was sent from,<br />
requested URL.<br />
• Incident logs — A number of logs for storing log files that record incidents concerning various<br />
functions, such as licensing, monitoring, or updates<br />
To these default logs, you can add logs that you have created yourself.<br />
View log files<br />
The log files that exist on the appliance can be viewed on its user interface.<br />
To view log files on the appliance:<br />
1 Select the Troubleshooting top-level menu.<br />
2 On the appliances tree, go to the appliance you want to view log files for and select Log Files. A list<br />
of log file folders appears.<br />
3 Double-click the folder or subfolder with the log files you want to view. The folder opens to display its<br />
log files.<br />
4 Select the log file you want to view and, on the toolbar above the list, click View.<br />
Log file handling using rules<br />
When log files use rules, they have their entries written by events of those rules. If a logging rule<br />
applies, one event sets the parameter values that are recorded, another writes these values into a log<br />
file. The log for this file is specified by the settings of the write event. These settings also include<br />
options for configuring log file rotation, deletion, and pushing.<br />
So, when handling log files using rules, you need to take care of the following:<br />
• Logging rules — Rules including the criteria and events that write log file entries when the criteria<br />
are matched<br />
• Logging rule sets — Rule sets containing logging rules<br />
These rule sets are nested on the appliance in top-level rule sets known as log handlers. A Default<br />
log handler is provided after the initial setup.<br />
• Logging event settings — Settings that specify the log for the log files and measures, such as<br />
rotation, deletion, and pushing<br />
The log and the measures are handled by a particular module (or engine) on the appliance. By<br />
default, this is the File System Logging engine.<br />
If you want to use log files of your own, you need to configure all these items in an appropriate way.<br />
For more information, see Use self-configured log files.<br />
Sample logging rule<br />
This section explains a sample logging rule. The rule is taken from the Found Viruses Log rule set,<br />
which is provided on the appliance by default.<br />
Note: The rule is shown in a notation that comes close to the one used on the user interface.<br />
Name: Write Found Viruses Log<br />
Criteria –> Action — Events:<br />
Antimalware.Infected equals true –> Continue —<br />
Set User-Defined.logLine =<br />
+ DateTime.ToWebReporterString<br />
+ “ ””<br />
+ Authentication.Username<br />
+ “ ”<br />
+ String.ReplaceIfEquals (IP.ToString (Client.IP), “”, “-”)<br />
+ ““ ””<br />
+ List.OfString.ToString (Antimalware.VirusNames)<br />
+ ““ ””<br />
+ URL<br />
+ ““”<br />
FileSystemLogging.WriteLogEntry (User-Defined.logLine)<br />
The rule applies when a requested object has been found to be infected.<br />
The rule then triggers two events, one to set parameter values, including the names of the found<br />
viruses and malware items and related information, and another to write an entry with these values<br />
into a log file.<br />
The elements of this rule have the following meanings:<br />
• Criteria — Antimalware.Infected equals true<br />
The criteria of the rule uses the Antimalware.Infected property. It is matched when it has the value<br />
true. This means that the rule applies when a filtered object is infected.<br />
• Action — Continue<br />
When it applies, the rule triggers the Continue action. This action lets processing continue with the<br />
next rule after the events of the current rule have been executed.<br />
• Events — When it applies, the rule also triggers two events:<br />
• Set User-Defined.logLine = ... — Sets the parameter values that are logged, including:<br />
• DateTime.ToWebReporterString — Date and time in Web Reporter format of the request for the<br />
object that was found to be infected<br />
The value is converted into a string before being logged.<br />
• Authentication.Username — Name of the authenticated user who requested the object<br />
• String.ReplaceIfEquals (IP.ToString (Client.IP), “”, “-”) — IP address of the client the request<br />
was sent from<br />
The address is converted into a string.<br />
• List.OfString.ToString (Antimalware.VirusNames) — List with the names of the found viruses<br />
and other malware items<br />
The list is converted into a string.<br />
• URL — URL that was requested<br />
• FileSystemLogging.WriteLogEntry ... — Executes the write event.<br />
The entry that is to be written and the log file it is written into are specified with the event:<br />
• (User-Defined.logLine) — Event parameter specifying the entry<br />
This is a log file line with the parameter values that have been set by the other event of the rule.<br />
• — Event settings specifying the log file<br />
Note: Clicking the settings name on the user interface opens the settings for editing.<br />
You can modify this logging rule or create similar rules of your own. For more information, see Create a<br />
sample logging rule.<br />
Create a sample logging rule<br />
This section describes steps for creating a sample logging rule. The rule is taken from the Found Viruses<br />
Log rule set, which is provided on the appliance by default.<br />
Note: The rule name is slightly modified to avoid a conflict with the existing rule.<br />
To create a sample logging rule:<br />
1 Go to Policy | Rule Sets.<br />
2 From the Rule Sets menu, select Log Handler and then the Found Viruses Log rule set.<br />
3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. In<br />
the main window area, items appear for adding a name and other general settings.<br />
4 Add the following general settings:<br />
a Name — Type Write Found Malware Log.<br />
Note: The name of the already existing logging rule is Write Found Viruses Log.<br />
b Enable rule — Deselect this checkbox, so that the sample rule is not enabled.<br />
5 Select Rule Criteria. Items for adding the criteria appear.<br />
6 Click Add. The Add Criteria window opens.<br />
7 Add the criteria of the rule (Antimalware.Infected equals true):<br />
a From the Property list, select Antimalware.Infected.<br />
b In the Operator list, leave equals.<br />
c In the Parameter area, select true from the Value list.<br />
8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area. It<br />
lets the rule write a log file entry if an object is actually found to be infected.<br />
9 Select Action and from the Action list, select Continue. This action lets the filtering process continue<br />
after the log file entry has been written.<br />
10 Select Events.<br />
11 Click Add and from the drop-down menu that appears select Set Property Value. The Add Set<br />
Property window opens.<br />
12 From the list under Set this property (string), select User-Defined.logLine.<br />
13 Configure the following for the log file line:<br />
“[” + DateTime.ToString(“ ”) + “]”<br />
+ Authentication.UserName + ““ ””<br />
+ String.IP.ToString (Client.IP) + ““ ”<br />
+ String.List.String.ToString (Antimalware.VirusNames) + ““ ”<br />
+ URL + ““ ””<br />
To do this:<br />
a Click Add and in the window that opens select Value and enter an opening square bracket. Then<br />
click OK.<br />
b Click Add again, select Property, and from the properties list, select DateTime.ToString<br />
(String).<br />
c Click Parameters and in the Property Parameters window (where Value is selected), click OK.<br />
Then click OK again to close the preceding window.<br />
d Click Add, select Value and enter a closing square bracket. Then click OK.<br />
This adds the date and time part included in square brackets and with an output field for the<br />
date and time value.<br />
e Click Add, select Property, and from the properties list, select Authentication.UserName.<br />
Then click OK.<br />
f Click Add and in the Value field, type “ ”. Then click OK.<br />
This adds the user name part with an output field for the value.<br />
g Use the appropriate items to add properties and output fields for the client IP address and the<br />
remaining parameters as shown at the beginning of this step.<br />
h Click OK to close the Add Set Property window.<br />
14 To add the write event, click Add and select Event. The Add Event window opens.<br />
15 From the properties list, select FileSystemLogging.WriteLogEntry.<br />
16 Click Parameters. The Property Parameters window opens.<br />
17 From the properties list, select User-Defined.logLine. This adds the entry that is written into the<br />
log file.<br />
18 Click OK on both open windows to close them.<br />
19 Select Summary to review what you have configured.<br />
20 Click Finish. The sample logging rule is inserted in the Found Viruses Log rule set. Click Delete to<br />
remove it again.<br />
21 Click Save Changes.<br />
Create a log handler<br />
When you create new logging rules, you can insert them into existing logging rule sets or create new<br />
rule sets for them. These rule sets must themselves be nested in top-level rule sets known as log handlers. This<br />
section tells you how to create a log handler.<br />
Note: You can also use the Default log handler for inserting new logging rule sets.<br />
Complete the following procedure to do this:<br />
1 Go to Policy | Rule Sets.<br />
2 From the Rule Sets menu, select Log Handler.<br />
3 On the log handler tree, navigate to the position where you want to insert the new log handler. Then<br />
click Add.<br />
4 From the drop-down menu that appears, select Log Handler. The Add New Log Handler window<br />
opens with the Rule Sets tab selected.<br />
5 Configure the following general settings:<br />
• Name — Name of the log handler<br />
• Enable — When selected, the log handler is enabled.<br />
• [Optional] Comment — Plain-text comment on the log handler.<br />
6 [Optional] Click the Permissions tab and configure who is allowed to access the new log handler.<br />
7 Click OK to close the Add New Log Handler window. The log handler is inserted into the tree structure.<br />
8 Click Save Changes.<br />
You can now insert one or more nested rule sets into the log handler and fill these with rules.<br />
For more information, see Add a new rule set, Create a sample logging rule, and Access restrictions.<br />
Use self-configured log files<br />
You can use log files of your own to monitor appliance behavior and have entries written into them by<br />
rules. This section explains how this is done.<br />
Complete the following procedure to enable the use of your own log files:<br />
1 Go to Policy | Rule Sets.<br />
2 Use the items on this tab to create a log handler and a nested rule set within this log handler.<br />
3 Create a log for storing log files:<br />
a Go to Policy | Settings.<br />
b Go to File System Logging and select one of the existing settings, for example, Access Log<br />
Configuration. These will serve as the starting point for creating new settings, including settings<br />
for a new log.<br />
c Click Add above the Settings tree. The Add Settings window opens.<br />
d In the Name field, enter a name for the new settings.<br />
e [Optional] Type a comment on the new settings and use the Permission tab to configure who is<br />
allowed access to the new settings.<br />
f Under Name of the log, type the name of the new log.<br />
g Configure other items of the new settings as needed.<br />
h Click OK. The Add Settings window closes and the new settings appear under File System<br />
Logging on the Settings tree.<br />
4 Go to Policy | Rule Sets and insert a logging rule into the rule set you created in step 2.<br />
The logging rule should trigger the following events if its<br />
criteria is matched:<br />
• A set event that sets parameter values for a log file entry<br />
• A write event that writes the entry into a log file of the log you created<br />
Note: The criteria of the logging rule relates to what you want to log, for example, Antimalware.Infected<br />
equals true as the criteria if you want to log requests for infected objects. Then the set and write events<br />
are triggered if an object is found to be infected.<br />
5 Click Save Changes.<br />
The new log and the log files are stored in a folder of the program files for McAfee Web Gateway. To<br />
view them, navigate with your file manager to the location where these program files are stored and go<br />
to:<br />
/opt/mwg/log/user-defined-logs//<br />
For more information, see Create a log handler, Add a new rule set, Create a sample logging rule,<br />
Configuring log file settings, and Access restrictions.<br />
Use of a property in a logging rule to record blocking key words<br />
When user access to web objects is blocked on the appliance, you can in some situations use the<br />
List.LastMatches property to find out why it was done. This section explains what you need to configure<br />
to use the property in this way.<br />
The implemented rules on your appliance could, for example, include a rule for blocking access to web<br />
objects containing unwanted text, which is identified by the occurrence of “bad” key words. Then you<br />
might be interested in knowing not only that access to an object has been blocked, but also what the<br />
key words were that led to the blocking.<br />
To find out about the key words, you need to configure the following:<br />
• A list of the key words<br />
• A rule that blocks access to web objects with text containing the key words<br />
• An addition to a default logging rule to let it record the key words<br />
List of key words<br />
You can create a list of key words on the Lists tab and fill it with suitable entries.<br />
For more information on how to create this list, see Create a list of key words.<br />
Rule for blocking text with key words<br />
You can create a rule for blocking text with key words, which must be contained in a rule set. You can<br />
create both items on the Rule Sets tab.<br />
The following is an example of what the blocking rule could look like:<br />
Block text with bad words<br />
User-Defined.listOfWords at least one in list BadWords –> Block<br />
The rule uses the User-Defined.listOfWords property to compare the text contained in the body of<br />
a web object with the words in the BadWords list. The value of the property is a string list of all the<br />
words that are in this text. If one of these words matches a word from the list, access to the web<br />
object with this text is blocked for the user who requested it.<br />
Processing then stops and continues with the next request that is received on the appliance.<br />
The settings of the blocking action specify a message to the requesting user. They also include an<br />
ID for the block reason, which is recorded in the entry that is written into the Access Log for the<br />
request.<br />
To configure action settings for the rule, you need to create these settings before you create the rule.<br />
If you want to set the text contained in the body of the web object as the value of the<br />
User-Defined.listOfWords property, you must use another rule to set the value. This rule, which must be<br />
placed and executed before the blocking rule, could look as follows:<br />
Set User-Defined.listOfWords<br />
Always –> Continue — Set User-Defined.listOfWords = String.ToStringList (Body.Text “ ” “.,;:‘’!?”)<br />
When this rule is processed, it is always executed. It uses an event to set the<br />
User-Defined.listOfWords property to a value, which is the list of words in a text. To provide this list, the<br />
String.ToStringList property converts the words from the text contained in the body of a web object into a<br />
list. The web object is the one that is currently being requested by a user.<br />
The Body.Text property is the first parameter of the String.ToStringList property. It is a string<br />
containing the text in the body of the requested web object. The other two parameters specify a<br />
list delimiter and a character that has all its occurrences deleted in the list, which is the whitespace<br />
in this case.<br />
The Continue action lets processing continue with the next rule.<br />
For information on how to configure a user-defined property for the blocking rule, see Create a<br />
user-defined property of the list type.<br />
For creating a rule set to contain the two rules, see Create a rule set for new rules.<br />
For creating the rules, see Create a rule for setting text as the value of a user-defined property and<br />
Create a rule for blocking text with bad key words.<br />
Addition to a default logging rule<br />
You can use the Rule Sets tab to work with the default logging rules. To let a logging rule write key<br />
words that have been identified by a suitable rule into the Access Log, you need to add the value of the<br />
List.LastMatches property to the log line used by the log.<br />
The value of the List.LastMatches property is a string containing all elements that have been found to<br />
match when two lists are compared using an operator such as at least one in list or all in list.<br />
After adding this value to the log line of the Access Log, you will see in this log the word or words that<br />
the blocking rule has identified as the reason for blocking access to a web object.<br />
For example, the blocking rule compares a keyword list containing the words “shopping”, “travel”, and<br />
“games” to a list of words created by converting the text in question. If the comparison uses the<br />
at-least-one-in-list operator, the occurrence of the word “shopping” is sufficient for blocking access to<br />
this text. The log line then includes this word. This way you not only know why access was blocked, but<br />
also the key word that triggered the blocking.<br />
If you use a different operator, for example, the all-in-list operator, the blocking rule is only executed if<br />
all key words are matched within the text in question. All key words are then recorded.<br />
After adding the value of the List.LastMatches property to the log line of the Access Log, the default<br />
logging rule that writes this line into the log could look as follows:<br />
Write access.log<br />
Always –> Continue —<br />
Set User-Defined.logLine =<br />
DateTime.ToWebReporterString + “ ”<br />
+ Authentication.Username + “ ”<br />
...<br />
+ Number.ToString (Block.ID) + ““”<br />
+ List.LastMatches + “ ”<br />
FileSystemLogging.WriteLogEntry (User-Defined.logLine)<br />
When the rule is processed, it is always executed. It uses two events: one to set values for a log<br />
line and another to write this line into the Access Log on the appliance.<br />
The first event uses the User-Defined.logLine property to set a log line that is written into the<br />
Access Log, for example, when a request has been received on the appliance. The elements of the<br />
log line are the values of the properties specified for the event. The List.LastMatches property<br />
provides the key word or words that triggered the blocking of access to a web object.<br />
The second event writes the log line with the values it has been set to into the Access Log. The log<br />
line is specified as a parameter of this event. The Access Log is specified by the event settings.<br />
The Continue action lets processing continue with the next rule, which can be contained in this or<br />
the next rule set.<br />
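The two key-word rules and the logging addition described above can be modelled in Python to see what List.LastMatches would record under each operator. This is an added illustration, not appliance code: exact case-sensitive matching, recording every matching key word, an empty value and block ID 0 when nothing is blocked, and the shortened log line layout are assumptions of the model.<br />

```python
"""Model of the key-word blocking and logging rules (added illustration).

Not appliance code. Case-sensitive exact matching, the content of the
last-matches list and the log line layout are assumptions of this model.
"""

BAD_WORDS = ["shopping", "travel", "games"]  # key word list from the example above
TRIM_CHARS = ".,;:‘’!?"                      # trim characters from the sample rule
BLOCK_REASON_ID = 111                        # Block Reason ID configured in this guide


def to_string_list(text, delimiter, trim_chars):
    """Approximate String.ToStringList: split the text on the delimiter, then
    remove the trim characters from the beginning and end of each word."""
    words = []
    for chunk in text.split(delimiter):
        word = chunk.strip(trim_chars)
        if word:  # skip empty items produced by repeated delimiters
            words.append(word)
    return words


def compare(words, keywords, operator):
    """Compare the word list with the key word list.

    Returns (rule_applies, last_matches). last_matches models List.LastMatches:
    the key words that were found in the text, in key word list order.
    """
    present = set(words)
    matches = [k for k in keywords if k in present]
    if operator == "at least one in list":
        applies = len(matches) >= 1
    elif operator == "all in list":
        # As described above: every key word must occur in the text.
        applies = len(keywords) > 0 and len(matches) == len(keywords)
    else:
        raise ValueError("unknown operator: " + operator)
    return applies, (matches if applies else [])


def process(body_text, keywords, operator="at least one in list"):
    """Run both rules for one response body.

    Rule 1 (Always -> Continue) sets User-Defined.listOfWords.
    Rule 2 blocks when the comparison applies.
    Returns (blocked, block_id, last_matches).
    """
    list_of_words = to_string_list(body_text, " ", TRIM_CHARS)
    blocked, last_matches = compare(list_of_words, keywords, operator)
    block_id = BLOCK_REASON_ID if blocked else 0
    return blocked, block_id, last_matches


def access_log_line(timestamp, username, block_id, last_matches):
    """Build a shortened, constructed stand-in for the Access Log line that
    carries only the fields this section discusses."""
    joined = ",".join(last_matches)
    return '{} "{}" {} "{}"'.format(timestamp, username, block_id, joined)


if __name__ == "__main__":
    # Constructed sample bodies, not real traffic.
    samples = [
        "Cheap travel deals: book now, go shopping later!",
        "online shopping, travel, games!",
        "Shopping and travel",     # capital S does not match "shopping" here
        "time-travel is fiction",  # the hyphen is not a trim character
    ]
    for operator in ("at least one in list", "all in list"):
        for text in samples:
            blocked, block_id, matches = process(text, BAD_WORDS, operator)
            line = access_log_line("[constructed-time]", "jdoe", block_id, matches)
            print(operator, "|", text, "|", line)
```

In this model a key word inside a longer token, such as "time-travel", or one written with different capitalization is not matched, so the recorded key words are only as complete as the delimiter, trim characters and list entries allow.<br />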
Create a list of key words<br />
To create a string list of key words that can have matches in a given text:<br />
1 Go to Policy | Lists.<br />
2 On the lists tree, go to Custom Lists | String.<br />
3 Click Add on the toolbar. The Add List window opens.<br />
4 On the Add List tab, configure the following general settings:<br />
• Name — For example: BadWords<br />
• Comment — [Optional] Plain-text comment on the list<br />
• Type — String (preselected)<br />
5 [Optional] Click the Permissions tab and configure who is allowed to view and edit the list.<br />
6 Click OK. The Add List window closes and the new list appears on the lists tree.<br />
7 Click Save Changes.<br />
For information on how to fill the new list with entries, see Add entries to a key word list.<br />
Add entries to a key word list<br />
To add entries to a key word list:<br />
1 Go to Policy | Lists.<br />
2 On the lists tree, go to Custom Lists | String, and select the list you created for entering key words,<br />
for example, BadWords.<br />
3 On the settings pane, click Add. The Add String window opens.<br />
4 Under String, type an entry, for example, Travel.<br />
Note: To add multiple entries at once, click Add multiple and use a new line of the window for each<br />
entry.<br />
5 [Optional] In the Comment field, type a plain-text comment on the list entry.<br />
6 Click OK. The Add String window closes and the entry is added to the list.<br />
Repeat steps 3 to 6 as often as needed to add more entries.<br />
7 Click Save Changes.<br />
Create a user-defined property of the list type<br />
To create a user-defined property of the list type for comparison to another list:<br />
1 Go to Policy | Rule Sets.<br />
2 From the rule sets menu, select User Defined Properties.<br />
3 Click Add and select User Defined Properties. The Add New User Defined Property window opens.<br />
4 Configure the following settings for the property:<br />
• Name — User-Defined.listOfWords<br />
• Type — List<br />
• List content type — String<br />
• Comment — [Optional] Plain-text comment on the property<br />
5 Select the Initially empty checkbox.<br />
6 Click OK. The Add New User Defined Property window closes and the property is added to the list.<br />
7 Click Save Changes.<br />
You can use a rule to set this property to a particular value, which is a list of strings. You can then use<br />
another rule to compare this string list to another string list, for example, a list of bad key words.<br />
For more information on these rules, see Create a rule for setting text as the value of a user-defined<br />
property and Create a rule for blocking text with bad key words.<br />
Create a rule set for new rules<br />
To create a rule set to contain the two rules you want to use for blocking unwanted text:<br />
1 Go to Policy | Rule Sets.<br />
2 On the rule sets tree, navigate to the position where you want to insert the rule set.<br />
Note: A good position to insert the rule set is before the rule sets that control other filtering functions,<br />
such as URL or virus and malware filtering.<br />
3 Click Add above the rule sets tree. A drop-down menu opens.<br />
4 Select Rule Set. The Add New Rule Set window opens.<br />
5 Configure the following general settings for the rule set:<br />
• Name — Name of the rule set, for example, Block Unwanted Text<br />
• [Optional] Comment — Plain-text comment on the rule set<br />
6 Select the Enable checkbox.<br />
7 [Optional] Click the Permissions tab and configure who is allowed to view and edit the rule set.<br />
8 In the Applies to section, select Responses and Embedded objects.<br />
9 In the Apply this rule set section, select Always.<br />
10 Click Save Changes.<br />
Create a rule for setting text as the value of a user-defined property<br />
A rule can convert text that is the body of a web object to a list of strings and set this list as the value<br />
of a user-defined property.<br />
To configure this rule:<br />
1 Go to Policy | Rule Sets.<br />
2 From the rule sets tree, select the rule set you have created for the rule, for example, Block Unwanted<br />
Text.<br />
3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected.<br />
4 In the Name field, type the rule name, for example, Set User-Defined.listOfWords.<br />
5 Select Rule Criteria and under Apply this rule, select Always.<br />
6 Select Action and from the Action list, select Continue.<br />
7 Select Events, click Add, and select Set Property Value. The Add Set Property window opens.<br />
8 From the list under Set this property, select the user-defined property you created, for example,<br />
User-Defined.listOfWords.<br />
9 Under To this value, select Property and from the list of properties, select String.ToStringList.<br />
10 Click Parameters. The Property Parameters window opens.<br />
11 Configure the three parameters of the String.ToStringList property as follows:<br />
a Parameter 1: Select Property and from the list of properties, select Body.Text.<br />
b Parameter 2: Make sure Value is selected, and in the List Delimiter field, type the character to<br />
use as a delimiter.<br />
c Parameter 3: Make sure Value is selected, and in the Trim Characters field, type the characters<br />
you do not want to appear at the beginning and end of words in the string list that is the result of<br />
the conversion.<br />
12 Click OK to close the Property Parameters window and then again for the Add Set Property window.<br />
13 Click Finish. The Add Rule window closes and the new rule appears on the settings pane.<br />
After using this rule to set a particular text as the value of the User-Defined.listOfWords property, you<br />
can use another rule to compare this text to a list of key words and eventually execute a blocking<br />
action.<br />
For more information about this rule, see Create a rule for blocking text with bad key words.<br />
For more information about delimiters and trim characters and how to specify them as parameters, see<br />
the description of the String.ToStringList property in the List of properties.<br />
Add action settings for a key word blocking rule<br />
When a rule blocks text containing key words, the settings of the blocking action can specify a message<br />
to the user who requested access to this text.<br />
To add these settings to the preconfigured settings for blocking actions:<br />
1 Go to Policy | Settings.<br />
2 On the Actions branch of the settings tree, select Block.<br />
3 Click Add. The Add Settings window opens.<br />
4 Configure the following general parameters:<br />
• Name — For example: Bad Words Found<br />
• Comment — [Optional] Plain-text comment on the settings<br />
5 [Optional] Select the Permissions tab and configure who is allowed to view the settings and edit<br />
them.<br />
6 Click OK. The settings appear under Block on the settings tree.<br />
7 Click Save Changes.<br />
To use these settings for a rule that blocks bad key words, you also need to configure several special<br />
parameters.<br />
For more information, see Configure action settings for a key word blocking rule.<br />
Configure action settings for a key word blocking rule<br />
To configure special settings for the action in a rule that blocks bad key words:<br />
1 Go to Policy | Settings.<br />
2 On the Actions branch of the settings tree, go to Block and select the settings you configured for<br />
this rule, for example, Bad Words Found. Options for configuring parameter values appear on the<br />
settings pane.<br />
3 In the McAfee Web Reporter Block Reason ID field, type 111.<br />
4 In the Block Reason field, type a description of the block reason, for example, Text contains bad<br />
words.<br />
5 Next to the Template Name list, click Add. The Add Template Window opens.<br />
6 Configure the following general parameters:<br />
• Name — Name of the template that is used for sending a message to a user, for example,<br />
Bad Words Found<br />
• File name — Name of the html and txt files that can be sent as user messages.<br />
The file names are by default generated from the template name. To specify a different name,<br />
deselect the auto checkbox and type a file name into the field.<br />
• Languages — List for selecting the language of the user messages, for example, English (En).<br />
• Content File Type — Types of the files that deliver the content of the user messages: html and txt<br />
7 Click OK & Edit. The Template Editor opens.<br />
The template you added and the content files of the types and in the language you selected appear<br />
on the templates tree of the editor, for example, Bad Words Found | en | html and txt.<br />
8 Configure the content files of the types you selected:<br />
a Select, for example, the html file. A blank area appears under HTML Editor on the right side of<br />
the editor.<br />
b Fill the html file with content, for example, by copying content from the default html file:<br />
• On the templates tree, go to Default Error Template and from the en branch, select html.<br />
The content of the English default html file appears.<br />
• Click Edit and then Select All and Copy.<br />
• Go back to the Bad Words Found template and from the en branch, select html.<br />
• Click into the blank area, select Edit and then Paste. The default content appears.<br />
c Modify the default content:<br />
• In the first content line, type BadWordsFound to replace DefaultError as the template name.<br />
• In the Title section, go to the line below and type Bad Words Found<br />
to replace Default Block as the template title.<br />
• In the Content section, go to the line below , delete the default<br />
text completely and type the text you want to appear in the user message.<br />
Type, for example: The text you requested access to was blocked because it contained<br />
words that are on a list of forbidden words.<br />
d Select the txt file and fill it with content.<br />
You can proceed in the same way as for the html file. If you copy and paste the content of the<br />
default txt file, you only need to type new text to replace the existing template title and<br />
message text.<br />
e Click Save Template Changes. The Template Editor closes.<br />
f Click Save Changes.<br />
Action settings are now available for the blocking action in a rule that blocks bad key words. For<br />
information on how to create this rule, see Create a rule for blocking text with bad key words.<br />
For more information on configuring action settings that specify user messages, see User messages.<br />
Create a rule for blocking text with bad key words<br />
A rule can block text containing “bad” key words, which are eventually recorded in a log file.<br />
This rule requires special settings for the blocking action, which you must have created before creating<br />
the rule.<br />
To create the blocking rule:<br />
1 Go to Policy | Rule Sets.<br />
2 From the rule sets tree, select the rule set you have created for the rule, for example, Block Unwanted<br />
Text.<br />
3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected.<br />
4 In the Name field, type the rule name, for example, Block bad words.<br />
5 Select Rule Criteria and click Add. The Add Criteria window opens.<br />
a From the Property list, select User-Defined.listOfWords.<br />
b From the Operator list, select a suitable operator, for example, at least one in list.<br />
c From the Value list in the Parameter area, select the list you created, for example, BadWords.<br />
6 Click OK. The Add Criteria window closes and the added criteria appears in the main window area.<br />
7 Select Action and configure the following:<br />
a From the Action list, select Block.<br />
b From the Settings list, select the settings you created for the rule, for example, Bad Words Found.<br />
8 Click Finish. The Add Rule window closes and the new rule appears on the settings pane.<br />
9 Click Save Changes.<br />
For information on creating the action settings that are required for this rule, see Add action settings for<br />
a key word blocking rule.<br />
When this rule has been processed and a blocking action was executed, the blocking reason and the<br />
key words that triggered the blocking can be recorded in an entry of the Access Log.<br />
To ensure an entry with this data is written into the log, you need to modify the appropriate logging<br />
rule.<br />
For more information, see Modify a default logging rule to record key words.<br />
Modify a default logging rule to record key words<br />
You can modify a default logging rule that writes entries into the Access Log to include the key words<br />
that led to the blocking of text with “bad” key words.<br />
To modify this rule:<br />
1 Go to Policy | Rule Sets.<br />
2 From the rule sets menu, select Log Handler.<br />
3 Expand the Default log handler rule set and select the nested Access Log rule set. The rules of this<br />
rule set appear on the settings pane.<br />
4 Select the Write access.log rule and click Edit. The Edit Rule window opens.<br />
5 Select Events and in the Events field, select the Set User-Defined.logLine = ... event.<br />
6 Click Edit. The Edit Set Property window opens.<br />
7 Click Add. The Please Enter a String window opens.<br />
8 Click Property and from the list of properties, select List.LastMatches.<br />
9 Click OK. The window closes and the List.LastMatches property is added to the log line that is written into<br />
the Access Log.<br />
10 Click Add again, select Value in the window, and in the input field type the following string: “ ”<br />
(whitespace embedded in quotes).<br />
11 Click OK to close the Edit Set Property window.<br />
12 Click Finish to close the Edit Rule window. The modified rule appears on the settings pane.<br />
13 Click Save Changes.<br />
After modifying the rule in this way, the log line for the Access Log contains a string that is the value of<br />
the List.LastMatches property.<br />
If a blocking rule blocks access to text based on a comparison to a list of bad key words, this string<br />
contains the matching key word or words that led to the blocking.<br />
For more information, see Use of a property in a logging rule to record blocking key words.<br />
Configuring log file settings<br />
By configuring log file settings, you can determine how log files are rotated, deleted, and pushed. For<br />
rule-based log files, these settings also specify the log that is used to store the log files. This section tells you<br />
how these settings are configured for the different types of log files.<br />
Configure settings for rule-based log files<br />
Complete the following procedure to configure this type of log files:<br />
1 Go to Policy | Settings.<br />
2 On the settings tree, go to File System Logging and select the settings you want to configure, for<br />
example, Access Log Configuration.<br />
3 Configure these settings as needed:<br />
• Log settings — For log name, log file header, and other parameters<br />
• Log file settings — For rotation, deletion, and pushing of log files<br />
4 Click Save Changes.<br />
For more information, see File System Logging engine settings<br />
Configure settings for system-maintained log files<br />
Complete the following procedure to configure this type of log files:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to configure system settings for and select Log<br />
File Manager.<br />
3 Configure these system settings as needed. They include settings for rotation, deletion, and pushing<br />
of log files.<br />
4 Click Save Changes.<br />
For more information, see Log File Manager system settings<br />
Log file settings<br />
You can configure log file settings to determine the handling of log files on the appliance, for example,<br />
how they are rotated and deleted. This section describes these settings for different types of log files.<br />
File System Logging engine settings<br />
The File System Logging engine settings are settings for the module that handles rule-based log files on<br />
the appliance.<br />
Note: These settings are configured on the Settings tab of the Policy top-level menu.<br />
File System Logging Settings<br />
Settings for a log that stores log files<br />
Name of the log — Log name<br />
Enable log buffering — When selected, the log is buffered. The buffer interval is 30 seconds<br />
Enable header writing — When selected, the header below is added to all log files<br />
Log header — Input field for typing a header for all log files<br />
Encrypt the log file — When selected, log files are stored encrypted<br />
First password, Repeat password — Input field for creating a password for access to encrypted log<br />
files<br />
[Optional] Second password, Repeat password — Input field for creating a second password for<br />
access to encrypted log files<br />
Settings for Rotation, Deletion, and Pushing<br />
Settings for handling log files<br />
Enable specific settings for User-Defined Log — When selected, the settings configured in the<br />
following apply to the user-defined logs, which store the log files that are rule-based<br />
Otherwise the system settings configured for the Log File Manager function apply also to this log.<br />
Auto Rotation<br />
Settings for rotating log files automatically according to size and time of day<br />
Enable auto rotation — When selected, log files are rotated according to the following settings<br />
Note: You can configure just one of the two settings or both.<br />
Enable log file rotation if log file size exceeds — When selected, log files are rotated<br />
according to the size (in MiB) specified in the input field provided here<br />
Enable scheduling of log file rotation — When selected, log files are rotated according to the<br />
time of day (in hours and minutes) specified in the input field provided here<br />
Note: The 24-hours format is used here, for example, 1:30 p. m. is 13:30.<br />
Auto Deletion<br />
Settings for deleting log files automatically according to size and last time of modification<br />
Enable auto rotation — When selected, log files are deleted according to the following settings<br />
Note: You can configure just one of the two settings or both.<br />
Enable log file deletion if log file size exceeds — When selected, log files are rotated<br />
according to the size (in MiB) specified in the input field provided here<br />
Enable autodeletion of unchanged files — When selected, log files are deleted after the time<br />
(in days) specified in the input field provided here<br />
Auto Pushing<br />
Settings for pushing rotated log files to another server<br />
Enable auto pushing — When selected, rotated log files are pushed from the local database on the<br />
appliance to the server specified by the following settings<br />
Destination — Network protocol, host name, and path of the server<br />
A variable can be added to the path name to specify the pushing process more precisely.<br />
For example, %h can be added for the host name of the appliance that log files were pushed from.<br />
The destination could then be specified as follows:<br />
ftp://myftp.com/%h<br />
When the log files are pushed, the variable is replaced with the appropriate value, which is a host<br />
name in this example.<br />
The variables you can use here include:<br />
%h – host name of an appliance<br />
%y – current year (four digits)<br />
%m – current month (one or two digits)<br />
%% – for % (if it is to occur in a host name)<br />
User name — Name of the user who is authorized to push log files to the server<br />
Enable pushing log files directly after rotation — When selected, pushing follows rotation<br />
immediately<br />
Push interval — Time (in hours) to elapse before the next log files are pushed (if not pushed<br />
immediately after rotation)<br />
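The variable substitution described for the Destination setting can be previewed before a template is saved. The following Python code is an added example, not McAfee code: the function names, the host names and the date are constructed, and rejecting an unknown variable is an assumption, since the guide does not say how the appliance treats one.<br />

```python
import re
from collections import defaultdict
from datetime import date

# One pass over the template, so "%%h" yields a literal "%h" and is never
# expanded a second time (chained str.replace calls would get this wrong).
VARIABLE = re.compile(r"%(.?)", re.S)


def expand_destination(template, hostname, today):
    """Expand %h, %y, %m and %% in a push destination, as listed in the guide."""
    values = {
        "h": hostname,            # host name of the appliance
        "y": str(today.year),     # current year, four digits
        "m": str(today.month),    # current month, one or two digits
        "%": "%",                 # literal percent sign
    }

    def substitute(match):
        key = match.group(1)
        if key not in values:
            # Assumption: treat anything else (including a trailing "%") as an error.
            raise ValueError("unsupported variable %r in destination" % ("%" + key))
        return values[key]

    return VARIABLE.sub(substitute, template)


def shared_destinations(template, hostnames, today):
    """Return destinations that more than one appliance would push to.

    A template without %h sends the log files of every appliance to the same
    path, which makes it hard to tell afterwards which appliance wrote a file.
    """
    by_destination = defaultdict(list)
    for host in hostnames:
        by_destination[expand_destination(template, host, today)].append(host)
    return {dest: hosts for dest, hosts in by_destination.items() if len(hosts) > 1}


if __name__ == "__main__":
    appliances = ["mwg-01", "mwg-02"]          # constructed host names
    day = date(2011, 3, 9)                     # constructed date
    for template in ("ftp://myftp.com/%h", "ftp://myftp.com/logs/%y/%m"):
        print(template, "->", [expand_destination(template, h, day) for h in appliances])
        print("  shared:", shared_destinations(template, appliances, day))
```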
Log File Manager system settings<br />
The Log File Manager system settings are settings for the function that handles system-maintained log<br />
files.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
Global Log File Settings<br />
Settings for all log files that no specific settings have been configured for<br />
Auto Rotation, Auto Deletion, Auto Pushing<br />
Meanings and usage of these settings are the same as of the corresponding settings for the File System<br />
Logging module.<br />
For more information, see File System Logging engine settings.<br />
Destination<br />
Destination that a file is pushed to<br />
Settings for the Update Log<br />
Enable specific settings for Update Log — When selected, the settings configured in the following<br />
apply to the Update Log. Otherwise the global log file settings apply<br />
Auto Rotation, Auto Deletion, Auto Pushing<br />
Meanings and usage of these settings are the same as of the corresponding settings for the File System<br />
Logging module.<br />
Settings for the Audit Log<br />
Enable specific settings for Audit Log — When selected, the settings configured in the following<br />
apply to the Audit Log. Otherwise the global log file settings apply<br />
Auto Rotation, Auto Deletion, Auto Pushing<br />
Meanings and usage of these settings are the same as of the corresponding settings for the File System<br />
Logging module.<br />
Advanced<br />
Settings for auto-deletion of core and feedback files<br />
Enable auto-deletion of core files — When selected, core files are automatically deleted according<br />
to the settings you configure<br />
You can specify a number, a time interval, and a volume to let core files that exist in excess of these<br />
values be automatically deleted<br />
Enable auto-deletion of feedback files — When selected, feedback files are automatically deleted<br />
according to the settings you configure<br />
You can specify a number, a time interval, and a volume in the same way as for core files.<br />
Log handler rule sets<br />
Log handler rule sets are top-level rule sets with nested rule sets that include logging rules. This section<br />
describes the nested logging rule sets that are provided by default on the appliance.<br />
Access Log<br />
This nested logging rule set records requests for access to the web sent from users of your network.<br />
Nested logging rule set — Access Log<br />
Criteria — Always<br />
The rule set contains the following rule:<br />
Write access.log<br />
Always –> Continue —<br />
Set User-Defined.logLine = DateTime.ToWebReporterString + “ ”” ...<br />
FileSystemLogging.WriteLogEntry (User-Defined.logLine)<br />
The rule uses an event to fill a log file entry with parameter values relating to requests sent by<br />
users, such as user names or request headers. It uses another event to write this entry to a log<br />
file.<br />
The log file entry is specified as a parameter in both events. The log that stores the log file is<br />
specified by the settings of the write event.<br />
Values for the following parameters are set and logged by the events of the rule (properties used<br />
by the set event are shown in italics):<br />
• Date and time — DateTime.ToWebReporterString<br />
• User name — Authentication.UserName<br />
• Client IP address — String.ReplaceIfEquals (IP.ToString(Client.IP), “”, “-”)<br />
• Response status — String.ReplaceIfEquals (Number.ToString (Response.StatusCode), “”, “-”)<br />
• Request header — RequestHeader.FirstLine<br />
• URL category — List.OfCategory.ToString (URL.Categories)<br />
• URL reputation — String.ReplaceIfEquals (URL.ReputationString, “”, “-”)<br />
(URL.Reputation)<br />
• Media type — MediaType.ToString (MediaType.FromHeader)<br />
• Body size — String.ReplaceIfEquals (Number.ToString (Body.Size), “”, “-”)<br />
• User agent — Header.Request.Get(“User-Agent”)<br />
• Virus and malware names — List.OfString.ToString (Antimalware.VirusNames)<br />
• Block action ID — Number.ToString (Block.ID)<br />
The logging rule applies whenever a request for access to the web is received. The two rule events<br />
for filling and writing a log entry are then executed.<br />
Processing continues with the next rule or rule set.<br />
Found Viruses<br />
This nested logging rule set records names of viruses and other malware found in requested web<br />
objects.<br />
Nested logging rule set — Found Viruses Log<br />
Criteria — Always<br />
The rule set contains the following rule:<br />
Write found viruses.log<br />
Antimalware.Infected equals true –> Continue —<br />
Set User-Defined.logLine = DateTime.ToWebReporterString + “ ”” ...<br />
FileSystemLogging.WriteLogEntry (User-Defined.logLine)<br />
The rule uses an event to fill a log file entry with parameter values relating to web objects infected<br />
by viruses or other malware, such as virus names or IP addresses. It uses another event to write<br />
this entry to a log file.<br />
The log file entry is specified as a parameter in both events. The log that stores the log file is<br />
specified by the settings of the write event.<br />
Values for the following parameters are set and logged by the events of the rule (properties used<br />
by the set event in italics):<br />
• Date and time — DateTime.ToWebReporterString<br />
• User name — Authentication.UserName<br />
• Client IP address — String.ReplaceIfEquals (IP.ToString(Client.IP), “”, “-”)<br />
• Virus and malware names — List.OfString.ToString (Antimalware.VirusNames)<br />
• URL — URL<br />
The logging rule applies whenever a requested web object has been found to be infected. The two<br />
rule events for filling and writing a log entry are then executed.<br />
Processing continues with the next rule or rule set.<br />
Performance measurement<br />
Processing time consumed for particular activities is measured on the appliance and displayed on the<br />
user interface. This section tells you where it is displayed and how you can set up rules for logging<br />
processing time and for measuring it on your own.<br />
View performance information<br />
How the appliance performs is measured by recording average processing times for several activities<br />
such as performing DNS lookups or processing client requests. This information is displayed on the<br />
dashboard of the user interface.<br />
To view this information:<br />
1 Go to Dashboard | Charts and Tables.<br />
2 Select Performance Information.<br />
For details about the information displayed here, see Overview of charts and tables information.<br />
Properties for logging performance information<br />
You can log performance information using logging rules with appropriate properties. For each type of<br />
performance information, a corresponding property is available.<br />
For example, the dashboard displays information on the average time it takes to resolve host names by<br />
looking up names on a DNS server. The property Timer.ResolveHostNameViaDNS corresponds to this<br />
information. The value of this property is the time that was consumed for looking up a host name<br />
appearing in a request that was processed on the appliance. The time is measured in milliseconds.<br />
You can use this property to create an element in a log line. When this line is written to a log file by a<br />
logging rule, the time for looking up host names is recorded together with other information covered by<br />
the log line.<br />
Other properties that make performance information available for logging include<br />
Timer.HandleConnectToServer for measuring the time needed to connect to external servers or<br />
Timer.TimeConsumedByRuleEngine for the time the rule engine needs to do its job when a request is received on the appliance.<br />
The time that is measured and made available by a property includes the time needed for the relevant<br />
activity, for example, connecting to external servers while a particular request was processed on the<br />
appliance throughout all relevant processing cycles (request, response, and embedded object cycles).<br />
Processing one individual request on the appliance is considered to be one transaction.<br />
A transaction need not go through all cycles for a given request. For example, if a user sends a request<br />
to access a web page falling into a category that is blocked under a particular web security policy, a<br />
block message is returned to this user, the request is not forwarded to a web server, and processing<br />
does not enter the response cycle.<br />
All properties that make performance information available for logging have the element Timer at the<br />
beginning of their names. For more information on these properties, see the List of properties.<br />
Using properties in rules to log performance information<br />
You can insert the properties that are available on the appliance for logging performance information<br />
into logging rules that write log lines into log files.<br />
The properties for logging performance information make this information available with regard to the<br />
processing of individual requests. When a request is received on the appliance, particular activities are<br />
completed to process it, which are together considered as one transaction.<br />
An Access Log exists by default on the appliance with log files into which a log line is written whenever<br />
a transaction has been completed for a request. This log is an appropriate location for recording<br />
performance information.<br />
Writing log lines into the log files of the Access Log is handled by a logging rule. This rule uses one<br />
event to create a log file entry and another to write this entry as a log line into a log file.<br />
A log entry is composed of several elements, each of which adds a particular piece of information, for<br />
example, the date and time when a request was received on the appliance. By inserting an element<br />
providing performance information into the entry you can let this information be recorded.<br />
The event that creates a log entry for the Access Log begins as follows:<br />
Set User-Defined.logLine = DateTime.ToWebReporterString + “”” ...<br />
Date and time for a request is recorded by the DateTime.ToWebReporterString + “”” element. More<br />
elements providing other information follow this element.<br />
To record performance information about, for example, the processing time consumed for DNS lookups<br />
you need to add the following element:<br />
+ Number.ToString (Timer.ResolveHostNameViaDNS) + “””<br />
Since the log line is a string, the numerical value for the processing time must be converted to string<br />
format before it can be recorded. This is done by the Number.ToString property, which takes the<br />
Timer.ResolveHostNameViaDNS property as a parameter.<br />
For more information on working with log entries, see Sample logging rule and Create a sample logging<br />
rule.<br />
Events for measuring performance in rule set processing<br />
You can measure the time the rule engine consumes for processing individual rule sets. Several events<br />
to be used in appropriate rules are available for this purpose.<br />
The reason for measuring this time could be that you want to know whether performance is improved<br />
or reduced after you have applied changes to the rule set.<br />
The events for measuring rule set processing performance control an internal watch on the appliance.<br />
The following events are available:<br />
• Stopwatch.Start (String) — Starts the internal watch<br />
• Stopwatch.Stop (String) — Stops the internal watch<br />
• Stopwatch.Reset (String) — Resets the internal watch<br />
The string parameter that each of these events takes can be used to identify the event. For example, if<br />
you use these events to record processing time for the URL Filtering rule set, you can assign<br />
URLFiltering as a value to this string.<br />
Using events in rules to measure processing time for rule sets<br />
To measure the time the rule engine consumes for processing a rule set you can use the events that<br />
control the internal watch on the appliance in appropriate rules.<br />
A rule that uses, for example, the Stopwatch.Start event to start measuring processing time for the<br />
URL Filtering rule set could look as follows:<br />
Note: The example shows approximately how the rule appears on the user interface.<br />
Name<br />
Start stopwatch for rule set<br />
Criteria Action Event<br />
Always –> Continue – Stopwatch.Start (“URLFiltering”)<br />
In a similar way, you can use the events for stopping and resetting the internal watch in other rules.<br />
To measure the time consumed for processing the rule set, you can place a rule containing the starting<br />
event at the beginning of the rule set and one with the stopping event at the end.<br />
However, if you have rules in a rule set that can execute a Stop Rule Set, Stop Cycle, or Block action,<br />
you need to place the starting rule at the beginning of the rule set and a stopping event into each rule<br />
that executes one of the mentioned actions.<br />
A rule with an event to stop the internal watch inserted would look as follows:<br />
Note: The example shows approximately how the rule appears on the user interface.<br />
Name<br />
Allow URLs in URL Whitelist<br />
Criteria Action Event<br />
URL matches in URL Whitelist –> Stop Rule Set – Stopwatch.Stop (“URLFiltering”)<br />
When this rule is applied, it stops processing the URL Filtering rule set because the URL that a user<br />
requested access for has been found to be on the list of allowed URLs. The stopwatch event must<br />
therefore be inserted into this rule.<br />
If it were inserted into a separate rule at the end of the rule set, this rule would never be processed<br />
because the whitelisting rule had stopped processing of the rule set before all its rules were processed.<br />
In this case, the event that stops the internal watch would never be executed.<br />
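The placement rule described above can be checked mechanically. The following Python model is an added example, not McAfee code: the Rule class, the process and lint functions, the sample lists, and the names of the Block rule and of the final stop rule are assumptions; only the actions, the Stopwatch events and the first two rule names come from this guide.<br />

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Actions that end processing of the rule set before later rules are reached.
TERMINATING = {"Stop Rule Set", "Stop Cycle", "Block"}


@dataclass
class Rule:
    name: str
    action: str                                          # "Continue" or a terminating action
    criteria: Optional[Callable[[dict], bool]] = None    # None means "Always"
    events: List[Tuple[str, str]] = field(default_factory=list)

    def applies(self, request):
        return self.criteria is None or self.criteria(request)


def process(rules, request):
    """Run one request through a rule set; return (action, watches left running)."""
    running = set()
    for rule in rules:
        if not rule.applies(request):
            continue
        for event, watch in rule.events:
            if event == "Stopwatch.Start":
                running.add(watch)
            elif event == "Stopwatch.Stop":
                running.discard(watch)
        if rule.action in TERMINATING:
            return rule.action, running      # later rules are never processed
    return "Continue", running


def lint(rules):
    """Return (rule name, watch) pairs where a started watch can be left running."""
    maybe_running = set()
    findings = []
    for rule in rules:
        starts = {w for e, w in rule.events if e == "Stopwatch.Start"}
        stops = {w for e, w in rule.events if e == "Stopwatch.Stop"}
        maybe_running |= starts
        if rule.action in TERMINATING:
            findings += [(rule.name, w) for w in sorted(maybe_running - stops)]
        if rule.criteria is None:            # only an "Always" rule stops the watch for sure
            maybe_running -= stops
    findings += [("<end of rule set>", w) for w in sorted(maybe_running)]
    return findings


# Constructed sample lists and criteria.
URL_WHITELIST = {"intranet.example"}
CATEGORY_BLOCKLIST = {"Gambling"}


def url_filtering(stop_in_terminating_rules):
    """Build the URL Filtering rule set with or without stop events in terminating rules."""
    stop = [("Stopwatch.Stop", "URLFiltering")] if stop_in_terminating_rules else []
    return [
        Rule("Start stopwatch for rule set", "Continue",
             events=[("Stopwatch.Start", "URLFiltering")]),
        Rule("Allow URLs in URL Whitelist", "Stop Rule Set",
             lambda r: r["host"] in URL_WHITELIST, list(stop)),
        Rule("Block URLs in blocked category", "Block",        # hypothetical rule name
             lambda r: r["category"] in CATEGORY_BLOCKLIST, list(stop)),
        Rule("Stop stopwatch for rule set", "Continue",         # hypothetical rule name
             events=[("Stopwatch.Stop", "URLFiltering")]),
    ]


if __name__ == "__main__":
    request = {"host": "intranet.example", "category": "Business"}
    for label, rules in (("stop only at end", url_filtering(False)),
                         ("stop in each terminating rule", url_filtering(True))):
        print(label, process(rules, request), lint(rules))
```

With the stop event only in the last rule, the whitelisted request ends the rule set with the URLFiltering watch still running, and lint reports both terminating rules.<br />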
Properties for logging rule set processing time<br />
You can log the time that has been measured for rule set processing by the events that control the<br />
internal watch on the appliance. Properties to be used in logging rules are available for this purpose.<br />
The following properties have the time that has been measured by the internal watch for rule sets<br />
assigned as their values:<br />
• Stopwatch.GetMilliSeconds (String) — Time measured for rule set processing in milliseconds<br />
• Stopwatch.GetMicroSeconds (String) — Time measured for rule set processing in microseconds<br />
The string parameter that these properties take is used to ensure the values they hold are the ones<br />
measured by the events that have the same string as a parameter.<br />
For example, the value assigned to the Stopwatch.GetMilliSeconds (URLFiltering) property is the one<br />
that has been measured by the Stopwatch.Start (URLFiltering) and Stopwatch.Stop (URLFiltering)<br />
events.<br />
You can use these properties in the same way as other properties for recording processing time by<br />
inserting them in logging rules.<br />
For more information, see Using properties in rules to log performance information.<br />
Transferring data to an ePO server<br />
The McAfee Web Gateway appliance can be monitored on the McAfee ePolicy Orchestrator® (ePO)<br />
console. This section tells you how to configure the appliance to transfer monitoring data to a server<br />
with McAfee ePO software installed.<br />
The McAfee ePO security management console is a tool for administering several McAfee products,<br />
including the McAfee Web Gateway appliance. If you configure the McAfee ePO software and the<br />
appliance accordingly, you can log on to the appliance from the McAfee ePO console and have<br />
monitoring data transferred from the appliance to the McAfee ePO server.<br />
When data transfer to the McAfee ePO server is configured, this server sends SSL-secured requests for<br />
data collected on the appliance at regular intervals. You then need to allow the CONNECT request that<br />
the SSL-secured communication begins with to bypass the normal processing of web security rules, so<br />
it does not get blocked on the appliance. For example, if you have authentication rules implemented,<br />
this would lead to blocking because the McAfee ePO server does not support the authentication method<br />
used by these rules.<br />
You can import an appropriate rule set from the library to enable the bypassing or create a rule set of<br />
your own.<br />
For more information, see Configure the data transfer, Import a rule set, and Bypass ePO Requests.<br />
Configure the data transfer<br />
To configure the transfer of data to a <strong>McAfee</strong> ePO server on the appliance:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, go to the appliance you want to transfer data from and select ePolicy<br />
Orchestrator.<br />
3 Configure the ePolicy Orchestrator Settings as needed. These include settings for an account on<br />
the appliance that is needed to transfer the data, as well as settings for the data collection process.<br />
4 Click Save Changes.<br />
For more information, see ePolicy Orchestrator system settings.<br />
ePolicy Orchestrator system settings<br />
The ePolicy Orchestrator system settings can be configured to allow the transfer of <strong>McAfee</strong> ePO data.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
ePolicy Orchestrator Settings<br />
Settings for transferring data to a <strong>McAfee</strong> ePO server<br />
ePO user account — User name of the user who is authorized to retrieve <strong>McAfee</strong> ePO data on the<br />
appliance<br />
Password, Repeat password — For the user retrieving the data<br />
Enable data collection for ePO — When selected, data for the <strong>McAfee</strong> ePO server is collected on the<br />
appliance<br />
Data collection interval in minutes — Time (in minutes) to elapse between data collections<br />
The range is between 10 minutes and 6 hours.<br />
Bypass ePO Requests<br />
This section describes a library rule set that lets requests from a <strong>McAfee</strong> ePO server to connect to the<br />
appliance bypass the filtering process.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Library rule set — Bypass ePO requests<br />
Criteria — Command.Name equals “CONNECT”<br />
Cycles — Requests (and IM)<br />
The rule set criteria specifies that the rule set applies when the SSL-secured communication between<br />
the <strong>McAfee</strong> ePO server and the appliance begins with a request from the server to connect to the<br />
appliance.<br />
The rule set contains the following rule:<br />
Skip subsequent rules for ePO requests<br />
URL.Host equals “127.0.0.1” OR URL.Host equals “[::1]” –> Stop Cycle – Enable SSL Client Context<br />
Enable SSL Scanner <br />
The rule uses the URL.Host property to identify the host of a requested URL, based on the IP<br />
address of the host. If this address is 127.0.0.1, the host of the requested URL is the appliance.<br />
When the <strong>McAfee</strong> ePO server sends a request to connect to the appliance, it uses this address.<br />
So if 127.0.0.1 is the requested address, the rule applies and stops all further processing in the<br />
request cycle. This way the CONNECT request is allowed to pass through.<br />
The next step in this process is sending and verifying certificates. The rule includes an event to<br />
enable the sending of a client certificate that is issued by the default certificate authority. You can<br />
modify the event settings to have the certificate issued by another authority.<br />
The rule also includes an event to enable verification of the certificate sent by the <strong>McAfee</strong> ePO<br />
server without using the EDH (Ephemeral Diffie-Hellman) method, which is the appropriate<br />
procedure for this server.<br />
When certificate verification has been completed, the SSL-secured communication can go ahead.<br />
Event monitoring with SNMP<br />
Events on the <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> appliance can be monitored under SNMP (Simple Network<br />
Management Protocol). This section tells you what you need to configure on the appliance for this<br />
monitoring option.<br />
The monitoring is done by an SNMP client that communicates with an SNMP agent, which is provided on<br />
the appliance. When SNMP monitoring is configured, you can view system information on the appliance<br />
and have messages sent about particular system events or incidents, for example, when CPU usage<br />
exceeds a particular value.<br />
Messages sent under the SNMP protocol are known as traps. The host systems that messages are sent<br />
to are known as trap sinks.<br />
Configure SNMP monitoring<br />
To configure SNMP monitoring:<br />
1 Go to Configuration | Appliances.<br />
2 On the appliances tree, navigate to the appliance you want to monitor events on and select SNMP.<br />
3 Configure the SNMP settings as needed.<br />
• SNMP port settings — Settings for the ports on the appliance that listen to requests from the<br />
SNMP client<br />
• SNMP system information — Information on the appliance that is the monitored system<br />
• SNMP protocol options — Options for the communication between the appliance and the client<br />
• SNMP trap sinks — Information on the host systems that traps are sent to<br />
4 Click Save Changes.<br />
For more information, see SNMP system settings.<br />
SNMP system settings<br />
The SNMP system settings can be configured to allow event monitoring under SNMP.<br />
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.<br />
SNMP Port Settings<br />
Settings for the port listening to requests from the SNMP client<br />
Enable UDP — When selected, allows UDP to be used to communicate with the SNMP client<br />
UDP port — Port listening to requests under UDP<br />
Enable TCP — When selected, allows TCP to be used to communicate with the SNMP client<br />
TCP port — Port listening to requests under TCP<br />
SNMP System Information<br />
Settings for the appliance that is the monitored system<br />
Description — Helps identify the system<br />
Object ID — ID of the object in the Management Information Base (MIB) where information on the<br />
monitored system begins<br />
Contact person — Name of the person administering the SNMP functions of the system<br />
Physical location — Location of the system<br />
SNMP Protocol Options<br />
Settings for communities and users who are allowed access to information under different versions of<br />
the SNMP protocol<br />
SNMP v1 — When selected, allows version 1 of SNMP to be used<br />
SNMP v2c — When selected, allows version 2c of SNMP to be used<br />
Communities for SNMPv1 and SNMPv2c access — List of communities who are allowed access<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 8-5 SNMP Communities list<br />
Option | Definition<br />
Community string | String denoting a community, for example, public, that allows access to information<br />
Allowed root OID | ID of the item on the MIB (Management Information Base) tree where the part of the information that access is allowed to begins. Note: When * or no value is specified here, access to all information is allowed.<br />
Allowed from | Host name or IP address of the host system that access is allowed from. Note: When * or no value is specified here, access is allowed from every host.<br />
Read-only access | Information on whether only reading access is allowed<br />
Comment | Plain-text comment on a community<br />
SNMP v3 — When selected, allows version 3 of SNMP to be used.<br />
SNMP v3 users — List of users who are allowed access<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 8-6 SNMP v3 Users list<br />
Option | Definition<br />
User name | Name of a user who is allowed access<br />
Allowed root OID | ID of the item on the MIB (Management Information Base) tree where the part of the information that access is allowed to begins. Note: When * or no value is specified here, access to all information is allowed.<br />
Authentication | Information on the hash algorithm used to authenticate a user<br />
Encryption | Information on the encryption method used for communication with the SNMP client<br />
Read-only access | Information on whether only reading access is allowed<br />
Comment | Plain-text comment on a user<br />
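The following added example (not part of the product guide or of the appliance software) audits a communities list with the fields of Table 8-5 for the permissive settings that the table notes describe: wildcard hosts, wildcard root OIDs, write access and well-known community strings.<br />
Assumptions: the Community class, the function names, the WELL_KNOWN list, the MIN_LENGTH policy value and the sample rows are all constructed for illustration; the guide does not describe an export format for this list.<br />

```python
from dataclasses import dataclass

# Assumptions for this sketch (not product values): a short list of
# community strings that are common defaults, and a local minimum length.
WELL_KNOWN = {"public", "private"}
MIN_LENGTH = 12


@dataclass
class Community:
    """One row of the communities list, fields named after Table 8-5."""
    community_string: str
    allowed_root_oid: str
    allowed_from: str
    read_only: bool
    comment: str = ""


def is_wildcard(value):
    """Per the table notes, '*' or no value means no restriction."""
    return value.strip() in ("", "*")


def audit_community(entry):
    """Return the list of findings for a single community entry."""
    findings = []
    if entry.community_string.lower() in WELL_KNOWN:
        findings.append("well-known community string")
    elif len(entry.community_string) < MIN_LENGTH:
        findings.append("community string shorter than %d characters" % MIN_LENGTH)
    if is_wildcard(entry.allowed_from):
        findings.append("access allowed from every host")
    if is_wildcard(entry.allowed_root_oid):
        findings.append("access allowed to all MIB information")
    if not entry.read_only:
        findings.append("write access enabled")
    return findings


def audit(entries, v1_enabled, v2c_enabled):
    """Audit the whole list. Keys are row numbers, so the report never
    repeats the community strings themselves."""
    report = {}
    if entries and (v1_enabled or v2c_enabled):
        report["protocol"] = ["SNMP v1/v2c sends community strings in clear text"]
    for row, entry in enumerate(entries, start=1):
        findings = audit_community(entry)
        if findings:
            report["row %d" % row] = findings
    return report


# Constructed sample list, not taken from a real appliance.
SAMPLE = [
    Community("public", "*", "*", True, "example entry"),
    Community("n0c-Poll3r-7f3a91c2", ".1.3.6.1.2.1.1", "10.20.0.15", True, "NMS poller"),
    Community("ops", ".1.3.6.1.2.1.1", "", False, "legacy script"),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE, v1_enabled=True, v2c_enabled=True).items():
        print(key, "->", "; ".join(findings))
```

Only the second sample row passes without findings: it restricts the source host and the root OID, is read-only, and uses a long, non-default string.<br />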
SNMP Trap Sinks<br />
Settings for the host systems that traps are sent to<br />
Trap sinks — List of the host systems that traps are sent to<br />
The following table describes the list entries. For information on maintaining a list of this type, see<br />
Inline lists.<br />
Table 8-7 Trap Sinks list<br />
Option | Definition<br />
Host name or IP address | Host name or IP address of a host system that traps are sent to<br />
Port | Port on a host listening for traps<br />
Community string | String denoting a community, for example, public, that allows the sending of data to a trap sink<br />
Send SNMP v2c traps | Information on whether traps can be sent under version v2c of SNMP (or under v1)<br />
Comment | Plain-text comment on a trap sink<br />
SNMP-MIB Files<br />
Provides two .txt files containing information related to SNMP monitoring on the appliance<br />
MCAFEE-SMI.txt — Contains Structure of Management Information (SMI) on <strong>McAfee</strong>, including<br />
contact information for the <strong>McAfee</strong> customer service<br />
MCAFEE-MWG-MIB.txt — Contains descriptions of the items in the Management Information Base<br />
(MIB) that you can do SNMP monitoring for on the appliance<br />
Error handling<br />
When errors and incidents occur on the appliance, you can use rules to take appropriate measures.<br />
This section explains two types of error handling and describes the rule sets that are by default<br />
provided for error handling. It also describes a procedure for creating a top-level error handling rule set<br />
(also known as error handler).<br />
View the rule sets for error handling<br />
To view the rule sets that are implemented on the appliance for error handling:<br />
1 Go to Policy | Rule Sets.<br />
2 From the rule sets menu, select Error Handler. A rule set tree appears displaying the Default rule<br />
set for error handling with its nested rule sets.<br />
If you have created your own rule sets for error handling, these are also displayed.<br />
For more information on the default rule sets, see Rule sets for error handling.<br />
Error handling using error IDs<br />
This section explains how you can use error IDs as a means of error handling.<br />
Errors that occur on the appliance are identified by an error ID. For example, error ID 14000 indicates<br />
a failure to load the Anti-Malware module.<br />
Error IDs can be used by rules to trigger a particular method of error handling, such as blocking access<br />
to web objects or creating an entry in the system log. To enable the use of error IDs in rules, the<br />
Error.ID property is available. A rule can trigger an action or event when this property has a particular<br />
value.<br />
For more information on the use of error IDs in a default rule set, see Block on Anti-Malware Engine<br />
Errors. For individual error IDs, see List of error IDs.<br />
Error handling using incidents<br />
This section explains how you can use incidents as a means of error handling.<br />
There is a group of activities and situations that is termed incidents on the appliance. Incidents can be<br />
related to the appliance system, as well as to its subsystems and modules. For example, a failure of the<br />
Log File Manager to push log files is recorded as an incident.<br />
Incidents can be used by rules to trigger a particular method of error handling, such as sending a<br />
notification message or creating an entry in the system log. To enable the use of incidents in rules, key<br />
incident parameters, including the ID, severity, origin, and others, are made available as properties.<br />
For example, there is the Incident.ID property. A rule can use this property to trigger an event that<br />
creates a syslog entry if the value of the property is a particular number.<br />
Rules using incidents<br />
The Default rule set for error handling contains a nested rule set providing rules that trigger a<br />
notification message and other error handling events when incidents concerning the Log File Manager<br />
occur. The name of this nested rule set is Log File Manager Incidents. Other nested rule sets handle<br />
incidents related to updates and licensing.<br />
You can also create rules and rule sets of your own that use incidents for error handling.<br />
For more information on incident use in a default rule set, see Log File Manager Incidents.<br />
Incident parameters and properties<br />
Incidents are recorded on the appliance with their IDs and other parameters. For each parameter, there<br />
is a property, which can be used in an appropriate rule.<br />
• Incident ID — Each incident is identified by a number. For example, the incident with ID 501 is a<br />
failure of the Log File Manager to push log files. The Incident.ID property can be used in a rule to<br />
check the ID of an incident.<br />
• Description — An incident can be explained by a description in plain text. The name of the relevant<br />
property is Incident.Description.<br />
• Origin — Each incident is assigned to the appliance component that is its origin. Origins are specified<br />
by numbers. For example, origin number 5 specifies the Log File Handler. The name of the relevant<br />
property is Incident.Origin.<br />
The origin of an incident is further specified by the value of the Incident.OriginName property.<br />
• OriginName — The origin of an incident is further specified by the name of the appliance component<br />
that is involved in the incident. The name of the relevant property is Incident.OriginName.<br />
The origin name can specify a subcomponent that is a part of the component specified by the<br />
origin number. For example, origin number 2 (Core) can be further specified by the origin name<br />
as:<br />
• Core<br />
• Proxy<br />
• URL Filter<br />
• and other names of core subcomponents<br />
• Severity — Each incident is classified according to its severity. Severity levels range from 0 to 7, with<br />
0 indicating the highest level.<br />
Note: These levels are the same as those used for entries in a syslog file.<br />
The name of the relevant property is Incident.Severity.<br />
• Affected host — If there is an external system that is involved in an incident, for example, a server<br />
that the appliance cannot connect to, the IP address of this system is also recorded. The name of the<br />
relevant property is Incident.AffectedHost.<br />
For more information on the properties that are available for use in incident handling rules, see List of<br />
properties. For individual incident IDs, see List of incident IDs.<br />
Rule sets for error handling<br />
Several rule sets for error handling are provided by default on the appliance. They are nested in the<br />
Default error handler rule set. This section describes these rule sets.<br />
For general information on understanding and handling rules, see Rules and rule sets.<br />
Long Running Connections<br />
This nested error handling rule set keeps connections alive when a proxy module error occurs.<br />
Nested error handling rule set — Long Running Connections<br />
Criteria — Error.ID equals 20000<br />
The rule set criteria specifies that the rule set applies when the value of the Error.ID property is 20000,<br />
which indicates a malfunction of the proxy module.<br />
The rule set contains the following rule:<br />
Keep connection always alive<br />
Always –> Stop Cycle<br />
When the rule is executed, it stops the current processing cycle. The rule is always executed when<br />
the criteria of its rule set is matched. Stopping the processing cycle prevents the connection from<br />
being closed in the course of further rule processing.<br />
Note: This rule is not enabled by default.<br />
Monitoring (rule set)<br />
This nested error handling rule set handles measures taken when an incident occurs that involves the<br />
appliance system.<br />
Nested error handling rule set — Monitoring<br />
Criteria — Incident.ID equals 5<br />
The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 5,<br />
which indicates an incident that involves the appliance system.<br />
The following rule sets are nested within this rule set:<br />
• Check CPU Overload<br />
• Check Cache Partition<br />
• Check Request Overload<br />
Check CPU Overload<br />
This nested error handling rule set handles measures that are taken when the CPU load exceeds a<br />
configured value.<br />
Nested error handling rule set — Check CPU Overload<br />
Criteria — Statistics.Counter.GetCurrent(“CPULoad”)<br />
greater than or equals 95<br />
The rule set criteria specifies that the rule set applies when the value of the<br />
Statistics.Counter.GetCurrent property for CPU load is 95 or higher. This value indicates the percentage of the maximum<br />
load that the CPU is currently running with.<br />
The Statistics module, which provides the value, runs with default settings, as is specified after the CPU<br />
Load property parameter.<br />
The rule set contains the following rules:<br />
Create notification message<br />
Always –> Continue — Set User-Defined.loadMessage =<br />
“CPU load at “<br />
+ Number.ToString (Statistics.Counter.GetCurrent(“CPULoad”))<br />
+ “%”<br />
The rule is always executed when the criteria of its rule set is matched. The rule then uses an<br />
event to set a user-defined property to a chain of values that make up a message text on the CPU<br />
overload.<br />
The Continue action lets processing continue with the next rule.<br />
Send SNMP trap and other rules<br />
Always –> Continue — ...<br />
The Send SNMP trap rule and other rules in the rule set are always executed when the rule set<br />
criteria is matched. The rules then use different events for taking measures to make the<br />
administrator aware of the CPU overload.<br />
Note: These rules are not enabled by default.<br />
Check Cache Partition<br />
This nested error handling rule set handles measures that are taken when the web cache usage<br />
exceeds a configured value.<br />
Nested error handling rule set — Check Cache Partition<br />
Criteria — Statistics.Counter.GetCurrent(“WebCacheDiskUsage”)<br />
greater than or equals 95<br />
The rule set criteria specifies that the rule set applies when the value of the<br />
Statistics.Counter.GetCurrent property for web cache usage is 95 or higher. This value indicates the percentage of the<br />
maximum allowed usage of the web cache that is currently in use.<br />
The Statistics module, which provides the value, runs with default settings, as is specified after the<br />
WebCacheDiskUsage property parameter.<br />
The rule set contains the following rules:<br />
Create notification message<br />
Always –> Continue — Set User-Defined.cacheMessage =<br />
“Cache partition usage at “<br />
+ Number.ToString (Statistics.Counter.GetCurrent(“WebCacheDiskUsage”))<br />
+ “%”<br />
The rule is always executed when the criteria of its rule set is matched. The rule then uses an<br />
event to set a user-defined property to a chain of values that make up a message text on the web<br />
cache usage.<br />
The Continue action lets processing continue with the next rule.<br />
Send SNMP trap and other rules<br />
Always –> Continue — ...<br />
The Send SNMP trap rule and other rules in the rule set are always executed when the rule set<br />
criteria is matched. The rules use different events for taking measures to make the administrator<br />
aware of the web cache usage.<br />
Note: These rules are not enabled by default.<br />
Check Request Overload<br />
This nested error handling rule set handles measures that are taken when the number of requests<br />
processed on the appliance per second exceeds a configured value.<br />
Nested error handling rule set — Check Request Overload<br />
Criteria — Statistics.Counter.GetCurrent(“HttpRequests”)<br />
greater than or equals 480000<br />
The rule set criteria specifies that the rule set applies when the value of the<br />
Statistics.Counter.GetCurrent property for requests is 480,000 or higher. This value is the number of requests that are<br />
currently processed on the appliance per second.<br />
The Statistics module, which provides the value, runs with default settings, as is specified after the<br />
HttpRequests property parameter.<br />
The rule set contains the following rules:<br />
Create notification message<br />
Always –> Continue —<br />
Set User-Defined.requestsPerSecond =<br />
Statistics.Counter.GetCurrent(“HttpRequests”)<br />
/ 60<br />
Set User-Defined.requestLoadMessage =<br />
“detected high load: ”<br />
+ Number.ToString (User-Defined.requestsPerSecond)<br />
+ “requests per second”<br />
The rule is always executed when the criteria of its rule set is matched. The rule then uses two<br />
events to set user-defined properties. One of these properties is set to the number of requests that<br />
are currently processed on the appliance per second. The other is set to a chain of values that<br />
make up a message text on this number.<br />
The Continue action lets processing continue with the next rule.<br />
Send SNMP trap and other rules<br />
Always –> Continue — ...<br />
The Send SNMP trap rule and other rules in the rule set are always executed when the rule set<br />
criteria is matched. The rules use different events for taking measures to make the administrator<br />
aware of the request overload.<br />
Note: These rules are not enabled by default.<br />
Log File Manager Incidents<br />
This nested error handling rule set handles measures taken when an incident occurs that involves the<br />
Log File Manager.<br />
Nested error handling rule set — Log File Manager Incidents<br />
Criteria — Incident.ID greater than or equals 501 AND Incident.ID<br />
less than or equals 600<br />
The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is<br />
within the range of incidents that involve the Log File Manager.<br />
The rule set contains the following rules:<br />
Create notification message<br />
Incident.ID equals 501 –> Continue — Set User-Defined.notificationMessage =<br />
“A log file cannot be pushed. Please have a look at the mwg-logfilemanager errors log<br />
(/opt/mwg/log/mwg-errors/mwg-logmanager.errors.log).”<br />
The rule checks whether the value of the Incident.ID property is 501, which indicates that the Log<br />
File Manager could not push a log file. If this is the case, the rule uses an event to set a<br />
user-defined property for sending a notification message to a string value that is the text of this<br />
message.<br />
The Continue action lets processing continue with the next rule.<br />
Send SNMP trap and other rules<br />
Incident.ID equals 501 –> Continue — ...<br />
The Send SNMP trap rule and other rules in the rule set check the value of the Incident.ID property<br />
in the same way as the Create notification message rule and use different events to take measures<br />
if this value is 501.<br />
Note: These rules are not enabled by default.<br />
Handle Update Incidents<br />
This nested error handling rule set handles measures taken when an incident occurs that involves<br />
updates performed on the appliance.<br />
Nested error handling rule set — Handle Update Incidents<br />
Criteria — Incident.OriginName equals “Updater” OR Incident.ID<br />
equals 299 OR Incident.ID equals 298<br />
The rule set criteria specifies that the rule set applies when the update module is specified by the value<br />
of the Incident.OriginName property or the value of the Incident.ID property is within the range of<br />
incidents that involve the update module.<br />
The rule set contains the following rules:<br />
Create update incident message<br />
Always –> Continue — Set User-Defined.eventMessage =<br />
“Update Event triggered [“<br />
+ Number.ToString (Incident.ID)<br />
+ “]:”<br />
+ Incident.Description<br />
+ “; origin:”<br />
+ Incident.OriginName<br />
+ “; severity:”<br />
+ Number.ToString (Incident.Severity)<br />
The rule is always executed when the criteria of its rule set is matched. The rule then uses an<br />
event to set a user-defined property to a chain of values that make up a message text on the<br />
update incident. The message includes values for several incident properties.<br />
The Continue action lets processing continue with the next rule.<br />
Create syslog entry and other rules<br />
Always (or other criteria) –> Continue — ...<br />
The Create syslog entry rule and other rules in the rule set use different events to take measures if<br />
the respective rule criteria is matched.<br />
Note: These rules are not enabled by default.<br />
Handle License Incidents<br />
This nested error handling rule set handles measures taken when an incident occurs that involves the<br />
expiration date of the license for your appliance.<br />
Nested error handling rule set — Handle License Incidents<br />
Criteria — Incident.ID equals 200<br />
The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 200,<br />
which indicates that the remaining number of days for your license has been checked.<br />
The rule set contains the following rules:<br />
Create license incident message<br />
Always –> Continue — Set User-Defined.notificationMessage =<br />
“License expires in ”<br />
+ Number.ToString (License.RemainingDays)<br />
+ “ days”<br />
The rule is always executed when the criteria of its rule set is matched. The rule then uses an<br />
event to set a user-defined property to a chain of values that make up a message text on the<br />
remaining number of days for your license.<br />
The Continue action lets processing continue with the next rule.<br />
Create syslog entry and other rules<br />
Always (or other criteria) –> Continue — ...<br />
The Create syslog entry rule and other rules in the rule set use different events to take measures if<br />
the respective rule criteria is matched.<br />
Note: These rules are not enabled by default.<br />
Block on Anti-Malware Engine Errors<br />
This nested error handling rule set blocks access to all web objects when the Anti-Malware module<br />
cannot be loaded or is overloaded.<br />
Nested error handling rule set — Block on Anti-Malware<br />
Engine Errors<br />
Criteria — Always<br />
The rule set contains the following rules:<br />
Block if Anti-Malware engine cannot be loaded<br />
Error.ID equals 14000 –> Block<br />
The rule blocks access to all web objects when the value of the Error.ID property is 14000, which<br />
indicates an error that prevents the Anti-Malware module from loading.<br />
The action settings specify a message to a user who requested access.<br />
Block if Anti-Malware engine is overloaded<br />
Error.ID equals 14001 –> Block<br />
The rule blocks access to all web objects when the value of the Error.ID property is 14001, which<br />
indicates all connections to the Anti-Malware module are currently in use and the module is<br />
overloaded.<br />
The action settings specify a message to a user who requested access.<br />
Block on URL Filter Errors<br />
This nested error handling rule set blocks access to all web objects when the URL Filter module cannot<br />
be loaded or another error regarding this module occurs.<br />
Nested error handling rule set — Block on URL Filter Errors<br />
Criteria — Error.ID greater than or equals 15000 AND Error.ID less<br />
than or equals 15999<br />
The rule set criteria specifies that the rule set applies when the value of the Error.ID property lies within<br />
the specified range, which is the range for errors related to URL filtering.<br />
The rule set contains the following rules:<br />
Block if Anti-Malware engine cannot be loaded<br />
Error.ID equals 15000 OR Error.ID equals 15002 OR Error.ID equals 15004 OR Error.ID equals<br />
15005 –> Block<br />
The rule blocks all requests for web access when the value of the Error.ID property is one of those<br />
specified in the rule criteria. These values indicate errors that prevent the URL Filter module from<br />
loading.<br />
The action settings specify a message to a requesting user.<br />
Block all other internal URL Filter errors<br />
Always –> Block<br />
The rule is always executed when its rule set applies and the rule preceding it in the rule set has<br />
not been executed. The rule then blocks all requests for web access.<br />
The action settings specify a message to a requesting user.<br />
Block on All Errors<br />
This nested error handling rule set blocks access to all web objects when an internal error occurs on the<br />
appliance.<br />
Nested error handling rule set — Block on All Errors<br />
Criteria — Always<br />
The rule set contains the following rule:<br />
Always block<br />
Always –> Block<br />
The rule blocks access to all web objects when an internal error occurs.<br />
The action settings specify a message to a user who requested access.<br />
The rule in this rule set is for handling internal errors on the appliance. It is executed at the time<br />
when an internal error occurs, which cannot be predicted and can happen at any time<br />
during the filtering process or not at all. In this sense, processing the rule is not part of the normal<br />
process flow.<br />
After executing the blocking, the rule stops all further processing of rules for the requests,<br />
responses, or embedded objects that were being filtered when the internal error occurred.<br />
This ensures that no malicious or inappropriate web objects enter your network or leave<br />
it while the appliance is not fully available.<br />
The process flow continues when the next request is received if the internal error did not lead to a<br />
general interruption of the appliance functions.<br />
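The first-match evaluation of the two nested rule sets described above can be modeled in Python to check which rule blocks a given Error.ID and which IDs a handler leaves without a Block. This is an added example, not McAfee code: the Rule and RuleSet classes, evaluate(), ids_without_block() and the two-rule-set handler layout are assumptions made for illustration, while the rule names, criteria and error IDs are taken from this guide.

```python
"""Added example: model of the two nested error handling rule sets described above."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Criteria = Callable[[int], bool]  # receives the value of Error.ID


def always(_error_id: int) -> bool:
    """Criteria 'Always' from the guide."""
    return True


@dataclass
class Rule:
    name: str
    criteria: Criteria
    action: str  # "Block" or "Continue" (see the guide's list of actions)


@dataclass
class RuleSet:
    name: str
    criteria: Criteria
    rules: List[Rule]


# Rule set names, rule names, criteria and actions as given in the guide text.
BLOCK_ON_URL_FILTER_ERRORS = RuleSet(
    "Block on URL Filter Errors",
    lambda e: 15000 <= e <= 15999,
    [
        Rule("Block if Anti-Malware engine cannot be loaded",
             lambda e: e in (15000, 15002, 15004, 15005), "Block"),
        Rule("Block all other internal URL Filter errors", always, "Block"),
    ],
)
BLOCK_ON_ALL_ERRORS = RuleSet(
    "Block on All Errors", always, [Rule("Always block", always, "Block")]
)

# Hypothetical handler layout: only the two rule sets described in this section.
HANDLER = [BLOCK_ON_URL_FILTER_ERRORS, BLOCK_ON_ALL_ERRORS]

# Error IDs that appear in the guide's Table A-2.
LISTED_ERROR_IDS = (
    list(range(10000, 10008)) + list(range(10050, 10060)) + [10100, 10101]
    + [11000, 12000, 12001, 13000, 14000, 14001]
    + list(range(15000, 15011)) + [16000, 20000]
)


def evaluate(handler: List[RuleSet], error_id: int) -> Optional[Tuple[str, str]]:
    """Return (rule set name, rule name) of the first Block that fires, or None."""
    for rule_set in handler:
        if not rule_set.criteria(error_id):
            continue  # rule set criteria do not match this Error.ID
        for rule in rule_set.rules:
            if rule.criteria(error_id) and rule.action == "Block":
                return rule_set.name, rule.name  # Block stops rule processing
            # Non-matching criteria or "Continue": go on with the next rule
    return None


def ids_without_block(handler: List[RuleSet], error_ids: List[int]) -> List[int]:
    """Audit helper: error IDs for which no rule in the handler blocks."""
    return [e for e in error_ids if evaluate(handler, e) is None]


if __name__ == "__main__":
    for eid in (15002, 15006, 14001):
        print(eid, "->", evaluate(HANDLER, eid))
    gap = ids_without_block([BLOCK_ON_URL_FILTER_ERRORS], LISTED_ERROR_IDS)
    print("IDs with no Block when the catch-all rule set is missing:", gap)
```

Placing the catch-all rule set first would make it fire for every Error.ID, so the URL filter rules and their own message settings would never be reached; the audit helper shows which IDs depend on the catch-all being present at all.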
Create an error handler<br />
When you create new error handling rules, you can insert them into existing error handling rule sets or<br />
create new rule sets for them. These rule sets must themselves be nested in top-level rule sets known as error<br />
handlers. This section tells you how to create an error handler.<br />
Note: You can also use the Default error handler for inserting new nested error handling rule sets.<br />
Complete the following procedure to do this:<br />
1 Go to Policy | Rule Sets.<br />
2 From the Rule Sets menu, select Error Handler.<br />
3 On the error handler tree, go to the position where you want to insert the new error handler. Then<br />
click Add.<br />
4 From the drop-down menu that appears, select Error Handler. The Add New Error Handler window<br />
opens with the Rule Sets tab selected.<br />
5 Configure the following general settings:<br />
• Name — Name of the error handler<br />
• Enable — When selected, the error handler is enabled.<br />
• [Optional] Comment — Plain-text comment on the error handler.<br />
6 [Optional] Click the Permissions tab and configure who is allowed to access the new error handler.<br />
7 Click OK to close the Add New Error Handler window. The error handler is inserted into the tree<br />
structure.<br />
8 Click Save Changes.<br />
You can now insert one or more nested rule sets into the error handler and fill these with rules.<br />
For more information on creating a rule set, see Add a new rule set and Access restrictions. For the rule<br />
sets that are by default available for error handling, see Rule sets for error handling.<br />
9 Troubleshooting<br />
Contents<br />
Troubleshooting appliance problems<br />
Create a feedback file<br />
Enable the creation of core files<br />
Enable the creation of connection tracing files<br />
Create a packet tracing file<br />
Use network tools<br />
Back up and restore the appliance configuration<br />
Troubleshooting appliance problems<br />
The sections of this chapter explain how to use troubleshooting tools and methods if problems arise<br />
when working with the appliance.<br />
Files for recording appliance behavior<br />
You can record appliance behavior and evaluate the data recorded in the corresponding files. Several<br />
types of files can be created for this purpose:<br />
• Log files — For logging different events and functions, such as access to the appliance or updates of<br />
files and modules<br />
• Rule tracing files — For recording the processing of rules<br />
• Feedback files — For backtracing functions after the failure of a particular function<br />
• Core files — For recording memory content after a crash has occurred<br />
• Connection tracing files — For recording activities on the connections from the appliance to other<br />
network components<br />
• Packet tracing files — For recording network activities of the appliance<br />
Network tools<br />
You might need to test whether connections to other network components still work. The appliance<br />
provides several tools, including ping, nslookup, and others, for this purpose.<br />
Backup and restore files<br />
When other troubleshooting methods do not work, it can be necessary to remove a faulty configuration<br />
and replace it with a backup. Having a backup available might also help in other situations, for<br />
example, when you want to discard changes applied to an existing configuration.<br />
The appliance provides functions for creating backups and using them to restore configurations.<br />
Create a feedback file<br />
Feedback files can be used on the appliance to trace back functions when the process on the appliance<br />
is halted due to the failure of particular functions.<br />
To create a feedback file:<br />
1 Go to Troubleshooting | Feedback.<br />
2 Select or deselect Pause running McAfee Web Gateway as needed.<br />
Note: It is recommended that you use this option to stop the appliance before creating the feedback file.<br />
3 Click Create Feedback File. The file is created and appears with its name, size, and date in the list<br />
under Feedback file.<br />
Using the items on the toolbar, you can:<br />
• View — file content<br />
• Delete — files<br />
• Download — files<br />
• Copy Link — copy links to files<br />
Enable the creation of core files<br />
Core files can be created on the appliance to record memory content after system crashes.<br />
To enable the creation of core files:<br />
1 Go to Configuration | Troubleshooting.<br />
2 Make sure Enable core file creation is selected. Core files are then created after crashes.<br />
They can be viewed on a list after selecting the Troubleshooting top-level menu, navigating to an<br />
appliance, and selecting Core Files.<br />
Using the items on the toolbar, you can:<br />
• View — file content<br />
• Delete — files<br />
• Download — files<br />
• Copy Link — copy links to files<br />
Enable the creation of connection tracing files<br />
Trace files can be created on the appliance to record activities on connections from the appliance to<br />
other network components.<br />
To enable the creation of connection tracing files:<br />
1 Go to Configuration | Troubleshooting.<br />
2 Make sure Enable connection tracing is selected. Connection tracing files are then created.<br />
Note: To trace only activities on a connection to a network component with a particular IP address, select<br />
Restrict tracing to only one IP and type the address in the IP field.<br />
Connection tracing files can be viewed on a list after selecting the Troubleshooting top-level<br />
menu, navigating to an appliance, and selecting Connection Tracing.<br />
Using the items on the toolbar, you can:<br />
• View — file content<br />
• Delete — files<br />
• Download — files<br />
• Copy Link — copy links to files<br />
Create a packet tracing file<br />
Packet tracing files can be used on the appliance to review network activities of the appliance and<br />
detect reasons for errors and failures.<br />
To create a packet tracing file:<br />
1 Go to Troubleshooting | Packet tracing.<br />
2 Under Command line parameters, type parameters for the packet tracing file as needed.<br />
3 Click tcpdump start. The packet tracing file is generated and appears with its name, size, and date<br />
in the list under Results (dump).<br />
To stop the ongoing creation of a packet tracing file, click tcpdump stop.<br />
Using the items on the toolbar, you can:<br />
• View — file content<br />
• Delete — files<br />
• Download — files<br />
• Copy Link — copy links to files<br />
Use network tools<br />
Several network tools are provided for troubleshooting on the appliance.<br />
To use a network tool:<br />
1 Go to Troubleshooting | Network Tools.<br />
2 Under Command line parameters, type the parameters for a command that is provided by a<br />
particular network tool. For example, type the name of a host you want to “ping”.<br />
3 Click the button for a network tool:<br />
• ping<br />
• ping6<br />
• nslookup<br />
• traceroute<br />
• traceroute6<br />
• ip neigh<br />
• service restart<br />
• ntp<br />
The corresponding command is executed and the output displayed in the Results field, for<br />
example:<br />
Ping: unknown host testhost<br />
Back up and restore the appliance configuration<br />
The appliance configuration, including rules, lists, settings, and administrator accounts, can be stored<br />
in a backup file and also restored from there.<br />
Complete the following procedure to back up or restore the appliance configuration:<br />
1 Go to Troubleshooting | Backup/Restore.<br />
2 Under Backup Policy, Configuration, and Accounts, proceed as follows:<br />
• To back up the configuration, click Backup to file.<br />
A window opens to let you select a file for storing the configuration.<br />
• To restore the configuration, click Restore from file.<br />
A message informs you that you will be logged out after restoring and asks whether you really<br />
want to do it. If you confirm, a window opens to let you select a file for restoring the<br />
configuration.<br />
If you only want to restore the rules, lists, and settings that were configured on the tabs of the<br />
Policy top-level menu, make sure the Only restore policy checkbox is selected before clicking<br />
the<br />
Appendix: Configuration lists<br />
Contents<br />
List of actions<br />
List of error IDs<br />
List of events<br />
List of incident IDs<br />
List of properties<br />
Wildcard expressions<br />
List of actions<br />
The following table provides a list of the actions that can be configured in web security rules on the<br />
appliance.<br />
The actions are listed in alphabetical order.<br />
Table A-1 List of actions<br />
Name | Description<br />
Authenticate | • Stops processing the rules in the current cycle • Sends an authentication request to the client of the user who requested access to a web object • Continues processing with the next cycle<br />
Block | • Blocks access to a requested web object • Stops processing rules • Continues when the next request is received on the appliance<br />
Continue | Continues processing with the next rule<br />
Redirect | Redirects a client that requested access to a web object to another object<br />
Remove | • Removes a requested web object • Stops processing the rules in the current cycle • Continues processing with the next cycle<br />
Stop Cycle | • Stops processing the rules in the current cycle • Does not block access to a requested web object • Continues processing with the next cycle<br />
Stop Rule Set | • Stops processing the rules of the current rule set • Continues processing with the next rule set<br />
List of error IDs<br />
The following table provides a list of the error IDs that can be configured in web security rules on the<br />
appliance.<br />
The error IDs are grouped in numerical ranges as follows:<br />
10000–10049: Incorrect usage of properties or events<br />
10050–10099: Errors of the rule processing module<br />
10100–10199: General errors<br />
11000–11999: License Manager errors<br />
12000–12999: Errors related to the appliance system<br />
13000–13999: Persistent Database (PDStore) errors<br />
14000–14999: Virus and malware filtering errors<br />
15000–15999: URL filtering errors<br />
16000–16999: ICAP client errors<br />
20000–21000: Proxy module errors<br />
For more information on how to use error IDs, see Error handling using error IDs.<br />
Table A-2 List of error IDs<br />
Error ID | Error name | Error message<br />
10000 | WrongPropParams | $onPosition$: Wrong parameters or types for property $propName$.<br />
10001 | UnknownProperty | $onPosition$: Error in rule ‘$ruleName$’: Property dispatcher does not know property $propName$.<br />
10002 | NoPropParam | $onPosition$: No parameter for property $propName$ given.<br />
10003 | WrongThirdPropParam | $onPosition$: Wrong type of third parameter for property $propName$.<br />
10004 | InvalidPropertyParameter | $onPosition$: Parameters for property $propName$ are invalid, reason: $reason$.<br />
10005 | InvalidPropertyParameter2 | Parameters are invalid. Reason: $reason$<br />
10006 | UnknownProperty2 | $onPosition$: Unknown property $propName$.<br />
10007 | UnknownFunc | $onPosition$: Unknown function $funcName$. Details: $reason$<br />
10050 | WrongOperator | $onPosition$: Error in Rule '$ruleName$': wrong operator '$operator$' used on left hand side type $typeLeft$ and right hand side type $typeRight$.<br />
10051 | WrongOperator_NoNames | $onPosition$: $action$ failed. Type of $property$ is $typeName$, but it has to be $formatType$.<br />
10052 | FormatError | $onPosition$: User-defined property '$propName$' could not be found. Reason: it was not yet set (not initialized).<br />
10053 | UserDefinedPropertyNotFound | $onPosition$: User-defined property '$propName$' could not be found. Reason: it was not yet set (not initialized).<br />
10054 | PropertyNotFound | $onPosition$: Property '$propName$' could not be found. Reason: it was not yet set (not initialized).<br />
10055 | NeedMoreDataOnLastCall | On computing property '$propName$' the filter returned 'NeedMoreData' though there is no more data.<br />
10056 | WrongPropState | $onPosition$: State of Property $propName$ is $propState$.<br />
10057 | ZombieRuleElemIsExecuted | $rule$ (name: '$name$', id: '$id$') could not be executed because it is a zombie. Reason: '$reason$'.<br />
10058 | SetPropertyFailed | $onPosition$: Setting of Property/Variable $propName$ failed. Reason: $reason$.<br />
10059 | EventError | $onPosition$: Error in Rule '$ruleName$': Event could not be evaluated. Reason: $reason$.<br />
10100 | ErrorDuringOperation | $onPosition$: Error while $operation$ the $objName$. Reason: $reason$.<br />
10101 | InitializeFailed | $onPosition$: Could not initialize/create $objName$. Reason: $reason$.<br />
11000 | NoLicense | The requested functionality '$func$' is not covered by your license.<br />
12000 | CannotOpenPipe | Cannot open pipe.<br />
12001 | CannotOpenFile | Cannot open file '$name$' in mode '$mode$' with errno '$errno$'.<br />
13000 | NoUser | No user available.<br />
14000 | AVError | Error in AntivirusFilter: $reason$<br />
14001 | AVScanFailedFull | Cannot call McAfee Gateway Anti-Malware engine. All connections in use.<br />
15000 | TSDatabaseExpired | Global Threat Intelligence system database expired error: database is expired. '$desc$'.<br />
15001 | TSInvalidURL | The URL '$url$' is invalid. In function $func$.<br />
15002 | TSBinaryNotProperlyLoaded | Binary could not be loaded from '$path$'. In function $func$.<br />
15003 | TSCommon | Global Threat Intelligence system error (code: $errorCode$). In function $func$.<br />
15004 | TSBinaryDoesNotExist | Global Threat Intelligence system library is not yet available. In function $func$.<br />
15005 | TSDatabaseNotProperlyLoaded | Database was not properly loaded. In function $func$.<br />
15006 | TSNoMem | Global Threat Intelligence system is out of memory in function $func$.<br />
15007 | TSInsufficientSpace | Insufficient space in buffer for Global Threat Intelligence system. In function $func$.<br />
15008 | TSNetLookup | Global Threat Intelligence system net error (code: TS_NET_ERROR). In function $func$.<br />
15009 | TSCommonNetLookup | Global Threat Intelligence system net error (code: $errorCode$). In function $func$.<br />
15010 | TSPipe | Cannot open Global Threat Intelligence system pipe. In function $func$.<br />
16000 | NoICAPServerAvailable | No ICAP server available from list: $list$ dyx<br />
20000 | CheckLongRunningConnection | Check for long running connections<br />
List of events<br />
The following table provides a list of the events that can be configured in web security rules on the<br />
appliance.<br />
The events are listed in alphabetical order.<br />
Table A-3 List of events<br />
Name | Description | Parameters<br />
Authentication.AddMethod | Adds an authentication method | 1. String: Name of an authentication method; 2. String: Value for an authentication method; 3. Boolean: If true, an existing method is overwritten<br />
Authentication.ClearCache | Clears the cache |<br />
Authentication.ClearMethodList | Clears the authentication methods list |<br />
Authentication.ClearNTMLCache | Clears the NTLM cache |<br />
BlockingSession.Activate | Activates a blocking session |<br />
Body.Insert | Inserts a string into body of a message | 1. Number: Byte position where insertion begins; 2. String: Pattern a. string embedded in double quotes (“ ...”, can also contain hex values preceded by \) or: b. sequence of hex values<br />
Body.Remove | Removes a number of bytes from a body | 1. Number: Byte position where the removal begins; 2. Number: Number of bytes to remove<br />
Body.Replace | Replaces a portion of a body with a string | 1. Number: Byte position where replacement begins; 2. String: Pattern a. string embedded in double quotes (“ ...”, can also contain hex values preceded by \) or: b. sequence of hex values<br />
Connection.Mark | Sets a connection mark | Number: Number of a connection<br />
Email.Send | Sends an email | 1. String: Recipient; 2. String: Subject; 3. String: Body<br />
Enable Cache | Enables web cache |<br />
Enable Composite Opener | Enables composite opener |<br />
Enable Data Trickling | Enables data trickling |<br />
Enable HTML Opener | Enables HTML opener |<br />
Enable Next Hop Proxy | Enables use of next-hop proxies |<br />
Enable Progress Page | Enables display of a progress page |<br />
Enable RuleEngine Tracing | Enables tracing of the rule processing module |<br />
Enable SSL Client Context with CA | Enables sending of client certificates issued by a certificate authority |<br />
Enable SSL Client Context without CA | Enables sending of client certificates not issued by a certificate authority |<br />
Enable SSL Scanner | Enables module for SSL scanning |<br />
Enable SafeSearchEnforcer | Enables SafeSearchEnforcer |<br />
Enable Workaround | Enables a workaround |<br />
FileSystemLogging.WriteDebugEntry | Writes a debugging entry | 1. String: Debugging entry; 2. Boolean: If true, entry is written to stdout<br />
FileSystemLogging.WriteLogEntry | Writes an entry into a log | String: Log entry<br />
HTMLElement.InsertAttribute | Inserts an attribute into an HTML element | 1. String: Attribute name; 2. String: Attribute value<br />
HTMLElement.RemoveAttribute | Removes an attribute from an HTML element | String: Attribute name<br />
HTMLElement.SetAttributeValue | Sets an attribute to a value | 1. String: Attribute name; 2. String: Value to set attribute to<br />
Header.Add | Adds a header to a request or response | 1. String: Header name; 2. String: Header value<br />
Header.AddMultiple | Adds a header with a list of values to a request or response | 1. String: Header name; 2. List of String: List of header values<br />
Header.Block.Add | Adds a block header to a request or response | 1. String: Header name; 2. String: Header value<br />
Header.Block.AddMultiple | Adds a block header with a list of values to a request or response | 1. String: Header name; 2. List of String: List of header values<br />
Header.Block.RemoveAll | Removes all block headers with a given name from a request or response | String: Header name<br />
Header.ICAP.Response.Add | Adds a header to an ICAP response | 1. String: Header name; 2. String: Header value<br />
Header.ICAP.Response.AddMultiple | Adds a header with a list of values to an ICAP response | 1. String: Header name; 2. List of String: List of header values<br />
Header.ICAP.Response.RemoveAll | Removes all headers with a given name from an ICAP response | String: Header name<br />
Header.RemoveAll | Removes all headers with a given name from a request or response | String: Header name<br />
ICAP.AddRequestInformation | Adds information to an ICAP request | 1. String: Name of the request; 2. String: Added information<br />
MediaType.Header.FixContentType | Replaces a media type header with an appropriate header when it is found after inspection of the media body that the original header does not match the body |<br />
Notice | Writes an entry with notice level into syslog | String: Log entry<br />
PDStorage.AddGlobalData.Bool | Adds global variable of type Boolean | 1. String: Variable key; 2. Boolean: Variable value<br />
PDStorage.AddGlobalData.Category | Adds global variable of type Category | 1. String: Variable key; 2. Category: Variable value<br />
PDStorage.AddGlobalData.Dimension | Adds global variable of type Dimension | 1. String: Variable key; 2. Dimension: Variable value<br />
PDStorage.AddGlobalData.Hex | Adds global variable of type Hex | 1. String: Variable key; 2. Hex: Variable value<br />
PDStorage.AddGlobalData.IP | Adds global variable of type IP | 1. String: Variable key; 2. IP: Variable value<br />
PDStorage.AddGlobalData.IPRange | Adds global variable of type IPRange | 1. String: Variable key; 2. IPRange: Variable value<br />
PDStorage.AddGlobalData.List.Category | Adds global variable of type List of Category | 1. String: Variable key; 2. List of Category: Variable value<br />
PDStorage.AddGlobalData.List.Dimension | Adds global variable of type List of Dimension | 1. String: Variable key; 2. List of Dimension: Variable value<br />
PDStorage.AddGlobalData.List.Hex | Adds global variable of type List of Hex | 1. String: Variable key; 2. List of Hex: Variable value<br />
PDStorage.AddGlobalData.List.IP | Adds global variable of type List of IP | 1. String: Variable key; 2. List of IP: Variable value<br />
PDStorage.AddGlobalData.List.IPRange | Adds global variable of type List of IPRange | 1. String: Variable key; 2. List of IPRange: Variable value<br />
PDStorage.AddGlobalData.List.MediaType | Adds global variable of type List of MediaType | 1. String: Variable key; 2. List of MediaType: Variable value<br />
PDStorage.AddGlobalData.List.Number | Adds global variable of type List of Number | 1. String: Variable key; 2. List of Number: Variable value<br />
PDStorage.AddGlobalData.List.String | Adds global variable of type List of String | 1. String: Variable key; 2. List of String: Variable value<br />
PDStorage.AddGlobalData.List.Wildcard | Adds global variable of type List of Wildcard Expression | 1. String: Variable key; 2. List of Wildcard Expression: Variable value<br />
PDStorage.AddGlobalData.MediaType | Adds global variable of type MediaType | 1. String: Variable key; 2. MediaType: Variable value<br />
PDStorage.AddGlobalData.Number | Adds global variable of type Number | 1. String: Variable key; 2. Number: Variable value<br />
PDStorage.AddGlobalData.String | Adds global variable of type String | 1. String: Variable key; 2. String: Variable value<br />
PDStorage.AddGlobalData.Wildcard | Adds global variable of type Wildcard Expression | 1. String: Variable key; 2. Wildcard Expression: Variable value<br />
PDStorage.AddUserData.Bool | Adds user variable of type Boolean | 1. String: Variable key; 2. Boolean: Variable value<br />
PDStorage.AddUserData.Category | Adds user variable of type Category | 1. String: Variable key; 2. Category: Variable value<br />
PDStorage.AddUserData.Dimension | Adds user variable of type Dimension | 1. String: Variable key; 2. Dimension: Variable value<br />
PDStorage.AddUserData.Hex | Adds user variable of type Hex | 1. String: Variable key; 2. Hex: Variable value<br />
PDStorage.AddUserData.IP | Adds user variable of type IP | 1. String: Variable key; 2. IP: Variable value<br />
PDStorage.AddUserData.IPRange | Adds user variable of type IPRange | 1. String: Variable key; 2. IPRange: Variable value<br />
PDStorage.AddUserData.List.Category | Adds user variable of type List of Category | 1. String: Variable key; 2. List of Category: Variable value<br />
PDStorage.AddUserData.List.Dimension | Adds user variable of type List of Dimension | 1. String: Variable key; 2. List of Dimension: Variable value<br />
PDStorage.AddUserData.List.Hex | Adds user variable of type List of Hex | 1. String: Variable key; 2. List of Hex: Variable value<br />
PDStorage.AddUserData.List.IP | Adds user variable of type List of IP | 1. String: Variable key; 2. List of IP: Variable value<br />
PDStorage.AddUserData.List.IPRange | Adds user variable of type List of IPRange | 1. String: Variable key; 2. List of IPRange: Variable value<br />
PDStorage.AddUserData.List.MediaType | Adds user variable of type List of MediaType | 1. String: Variable key; 2. List of MediaType: Variable value<br />
PDStorage.AddUserData.List.Number | Adds user variable of type List of Number | 1. String: Variable key; 2. List of Number: Variable value<br />
PDStorage.AddUserData.List.String | Adds user variable of type List of String | 1. String: Variable key; 2. List of String: Variable value<br />
PDStorage.AddUserData.List.Wildcard | Adds user variable of type List of Wildcard Expression | 1. String: Variable key; 2. List of Wildcard Expression: Variable value<br />
PDStorage.AddUserData.MediaType | Adds user variable of type MediaType | 1. String: Variable key; 2. MediaType: Variable value<br />
PDStorage.AddUserData.Number | Adds user variable of type Number | 1. String: Variable key; 2. Number: Variable value<br />
PDStorage.AddUserData.String | Adds user variable of type String | 1. String: Variable key; 2. String: Variable value<br />
PDStorage.AddUserData.Wildcard | Adds user variable of type Wildcard Expression | 1. String: Variable key; 2. Wildcard Expression: Variable value<br />
PDStorage.Cleanup | Cleans up persistently stored data |<br />
PDStorage.DeleteAllUserData | Deletes all permanently stored user data |<br />
PDStorage.DeleteGlobalData | Deletes all permanently stored global variables of a given type | String: Variable key<br />
PDStorage.DeleteUserData | Deletes all permanently stored user variables of a given type | String: Variable key<br />
SNMP.Send.Trap.Application | Sends an SNMP trap message with application information |<br />
SNMP.Send.Trap.System | Sends an SNMP trap message with system information |<br />
SNMP.Send.Trap.User | Sends an SNMP trap message with user information | 1. Number: User ID; 2. String: Message body<br />
SNMP.Send.Trap.UserHost | Sends an SNMP trap message with information on host of a user | 1. Number: User ID; 2. String: Message body; 3. IP: IP address of the host<br />
Statistics.Counter.Increment | Increments a counter | 1. String: Counter name; 2. Number: Increment value<br />
Statistics.Counter.Reset | Resets a counter | String: Counter name<br />
Stopwatch.Reset | Sets an internal watch that measures processing time for rule sets to zero | String: Rule set name<br />
Stopwatch.Start | Starts an internal watch that measures processing time for rule sets | String: Rule set name<br />
Stopwatch.Stop | Stops an internal watch that measures processing time for rule sets | String: Rule set name<br />
Syslog | Writes an entry into syslog | 1. Number: Log level (0 – Emergency, 1 – Alert, 2 – Critical, 3 – Error, 4 – Warning, 5 – Notice, 6 – Info, 7 – Debugging); 2. String: Log entry<br />
List of incident IDs<br />
The following table provides a list of the incident IDs that can be used in web security rules on the<br />
appliance.<br />
The incident IDs are grouped in numerical ranges as follows:<br />
1–199: Incidents related to the appliance system<br />
200–299: Core subsystem incidents<br />
300–399: Update module incidents<br />
500–599: Log File Manager incidents<br />
600–699: sysconfd daemon incidents<br />
700–799: Proxy module incidents<br />
800–899: Virus and malware filtering incidents<br />
900–999: Authentication incidents<br />
1000–1099: URL filtering incidents<br />
1600–1699: SSL certification incidents<br />
3000–3200: Central management incidents<br />
For more information on how to use incident IDs and other incident properties, see Error handling using<br />
incidents.<br />
For individual incident properties, see List of properties.<br />
Table A-4 List of incident IDs<br />
Incident ID Description Origin number and name Severity<br />
5 A rule that uses an incident property has been executed. 1 System 7<br />
20 RAID monitoring reports critical status or failure of one or more hard disks. 1 Health monitor 4 (or 3 for hard-disk failure)<br />
21 S.M.A.R.T health check reports an error on a HDD hard disk. 1 Health monitor 4<br />
22 File system usage exceeds a configured limit. 1 Health monitor 4<br />
23 Memory usage exceeds a configured limit. 1 Health monitor 4<br />
24 System load exceeds a configured limit. 1 Health monitor 4<br />
200 The license expiration date has been checked. 2 Core 6<br />
201 The appliance has successfully completed all FIPS 140-2 self-tests. 2 Core 6<br />
301 Download of update files was stopped because there is not enough disk space. 3 Updater 3<br />
302 Download of product x failed for node y in central management. 3 Updater 3<br />
303 The update module reports that update of product x failed on node y in central management. 3 Updater 3<br />
304 The update module received a report from an update server that status of product x is up-to-date. 3 Updater 3<br />
305 The update module could not connect to an update server. 3 Updater 3<br />
501 The Log File Manager failed to push log files. 5 Log File Manager 3<br />
601 Data packages involved in a yum update require a restart of the appliance to become effective. 6 mwg-update 4<br />
666 A FIPS 140-2 self-test failed on node y in central management. The node is running in non-FIPS mode. 1 FIPS 0<br />
700 The number of concurrent connections exceeds a configured overload limit. The appliance enters overload state. Requests sent to the appliance are accepted with delay. 2 Proxy 2<br />
701 The appliance is in overload state for more than 30 seconds. Requests sent to the appliance are accepted with delay. 2 Proxy 2<br />
702 The appliance has left overload state. Requests sent to the appliance are again accepted without delay. 2 Proxy 4<br />
703 The number of concurrent connections exceeds a configured high load limit. The appliance enters high load state. Requests sent to the appliance are accepted with a delay. 2 Proxy 4<br />
704 The appliance is in high load state for more than 30 seconds. Requests sent to the appliance are accepted with a delay. 2 Proxy 4<br />
705 The number of concurrent connections has dropped below 85 % of a configured high load limit. The appliance is still in high load state. Requests sent to the appliance are accepted with a delay. 2 Proxy 6<br />
710 A next-hop proxy server is down and will not be available for n seconds. 2 Proxy 4<br />
711 The appliance cannot connect to a next-hop proxy server. 2 Proxy 4<br />
712 A next-hop proxy server has moved back from error state to normal operation. 2 Proxy 6<br />
720 The listener on IP address x, port y could not be opened. 2 Proxy 2<br />
730 A changed proxy mode configuration requires restart of the appliance. 2 Proxy 2<br />
850 An update of the Anti-Malware module was completed successfully. 2 Anti-Malware Filter 6<br />
851 An update of the Anti-Malware module failed. 2 Anti-Malware Filter 3<br />
852 Download or verification of update files for the Anti-Malware module failed. 2 Anti-Malware Filter 3<br />
853 The Anti-Malware module version is up-to-date. 2 Anti-Malware Filter 6<br />
901 The appliance is connected to n servers for NTLM authentication in Windows domain x. 2 Core 6<br />
902 The appliance cannot connect to n servers for NTLM authentication in Windows domain x. 2 Core 4<br />
903 The appliance cannot contact Windows domain x for NTLM authentication. 2 Core 3<br />
910 The appliance is connected to the LDAP server with configuration ID n. 2 Core 6<br />
912 The appliance is disconnected from the LDAP server with configuration ID n. 2 Core 4<br />
913 The appliance cannot connect to any LDAP server with configuration ID n. 2 Core 3<br />
920 A response has been received on the appliance from RADIUS server x after attempting to start communication with this server to retrieve user information for authentication purposes. 2 Core 6<br />
921 A response has again been received on the appliance from RADIUS server x after communication with this server had been interrupted. 2 Core 6<br />
923 An authentication request sent from the appliance to RADIUS server x has led to a timeout. 2 Core 3<br />
931 The appliance is connected to NTLM-Agent server x. 2 Core 6<br />
932 The appliance is disconnected from NTLM-Agent server x. 2 Core 3<br />
933 The appliance cannot connect to NTLM-Agent server x. 2 Core 3<br />
1050 An update of the URL Filter module was completed successfully. 2 URL Filter 6<br />
1051 An update of the URL Filter module failed. 2 URL Filter 3<br />
1052 Download or verification of update files for the URL Filter module failed. 2 URL Filter 3<br />
1053 URL Filter module status is up-to-date. 2 URL Filter 6<br />
1650 An updated Certificate Revocation List (CRL) was downloaded and loaded successfully on the appliance. 2 Certificate Chain Filter 6<br />
1651 An updated Certificate Revocation List (CRL) was downloaded onto the appliance, but could not be loaded there. 2 Certificate Chain Filter 4<br />
1652 An updated Certificate Revocation List (CRL) could not be downloaded onto the appliance. 2 Certificate Chain Filter<br />
1653 All Certificate Revocation Lists (CRLs) used by the SSL Scanner module have up-to-date status. 2 Certificate Chain Filter 6<br />
3000 At least one node in central management is not in synchronized state (regarding storage and configuration). The number of unsynchronized nodes changes. This incident is only recorded on the root node. 3 Centralized Management 3<br />
3001 After incident 3000 has occurred, all nodes in central management are in synchronized state again (regarding storage and configuration). 3 Centralized Management 6<br />
3004 At least one node in central management did not respond properly after shared data was sent out. The number of not properly responding nodes changes. This incident is only recorded on the root node and only if the shared data was intended to go to all nodes. 3 Centralized Management 3<br />
3005 After incident 3004 has occurred, all nodes in central management have properly responded to the sending of shared data to them. 3 Centralized Management 6<br />
List of properties<br />
The following table provides a list of properties that can be configured in web security rules on the<br />
appliance.<br />
The properties are listed in alphabetical order. The sorting, however, compares the parts of a property<br />
name, which are separated by full stops, one part at a time. For example, SSL.Server.Certificate.DaysExpired is listed<br />
before SSL.Server.CertificateChain.ContainsExpiredCA.<br />
Note: To view an example of how a property is used in a rule or rule set, click the name of a rule or rule set<br />
that appears under Description. Use the search function of the user interface to view a list of all rules that use<br />
a given property.<br />
Table A-5 List of properties<br />
Name Type Description Parameters<br />
Antimalware.Infected Boolean If true, a web object has been found to<br />
be infected<br />
Used in rule: Block if virus was found<br />
Antimalware.Proactive.Probability Number Probability that a web object is malware (in percent)<br />
Antimalware.VirusNames List of String List with names of viruses that a web<br />
object has been found to be infected<br />
with<br />
Authentication.Authenticate Boolean If true, the authentication engine has<br />
been called to apply the configured<br />
method, for example, NTLM, to the<br />
credentials of a user and the user has<br />
successfully been authenticated<br />
Values have also been set for the<br />
Authentication.IsAuthenticated and<br />
Authentication.UserName properties.<br />
If false, it was not possible to apply the<br />
configured authentication method<br />
successfully, for example, because no<br />
credentials or incorrect credentials were<br />
submitted<br />
Used in rule: Authenticate with User<br />
Database<br />
Authentication.Failed Boolean If true, credentials were provided by a<br />
user, but authentication has failed<br />
Used in criteria of rule set: Authenticate<br />
with User Database<br />
Authentication.FailureReason Number Number identifying the reason why<br />
authentication has failed for a user<br />
Authentication.GetUserGroups List of String List of user groups that the<br />
authentication process is applied to<br />
Authentication.IsAuthenticated Boolean If true, a user has been successfully<br />
authenticated<br />
Used in criteria of rule set: Authenticate<br />
with User Database<br />
Authentication.IsLandingOnServer Boolean If true, cookie authentication has been applied for a user<br />
Authentication.IsServerRequest Boolean If true, authentication has been<br />
requested for a user under the<br />
Authentication Server method.<br />
Authentication.Method String Method used for authenticating a user,<br />
for example, LDAP<br />
Authentication.RawCredentials String Credentials of a user in the format<br />
originally received on the appliance<br />
from a client or other instances of the<br />
network<br />
Using this property for rule<br />
configuration will speed up processing<br />
because it saves the time used for<br />
converting user credentials to a human<br />
readable format, as it is done for the<br />
simple Authentication.UserName<br />
property.<br />
Authentication.RawUserName String Name of a user in the format originally<br />
received on the appliance from a client<br />
or other instances of the network<br />
Using this property for rule<br />
configuration will speed up processing<br />
because it saves the time used for<br />
converting the user name to a human<br />
readable format, as it is done for the<br />
simple Authentication.UserName<br />
property.<br />
Authentication.Realm String Authentication realm, for example, a<br />
Windows domain<br />
Authentication.UserGroups List of String List of user groups that the<br />
authentication process is applied to<br />
Used in rule: Only allow users of<br />
Allowed User Groups<br />
Authentication.UserName String Name of a user that the authentication<br />
process is applied to<br />
Block.ID Number ID of an action that blocked a request<br />
Block.Reason String Name of the reason for an action that<br />
blocked a request<br />
BlockingSession.IsBlocked Boolean If true, a blocking session has been<br />
activated for a user<br />
Used in rule: Block user if blocking<br />
session is active<br />
BlockingSession.RemainingSession Number Remaining time of a blocking session (in minutes)<br />
BlockingSession.SessionLength Number Time length of a blocking session (in<br />
minutes)<br />
Body.ChangeHeaderMime Boolean If true, the header sent in MIME format<br />
with the body of a web object has been<br />
changed<br />
Body.ClassID String ID for a class of web objects<br />
Body.Equals Boolean If true, the body of a web object matches the pattern specified by the property parameters<br />
1. Number: Position of byte where pattern begins<br />
2. String: Pattern<br />
a. String embedded in double quotes (“ ...”, can also contain hex values preceded by \)<br />
or:<br />
b. Sequence of hex values<br />
Body.FileName String Name of a file that is embedded in the body of a web object, for example, an archived file<br />
Body.FullFileName String Name of a file that is embedded in the<br />
body of a web object, including also the<br />
names of the embedding entities, such<br />
as documents or archives<br />
Name parts are separated by the |<br />
(pipe) symbol, for example,<br />
test.zip|test.doc.<br />
Body.HasMimeHeader Boolean If true, the body of an extracted<br />
multi-part object sent in MIME format<br />
has a specified header<br />
String: Header name<br />
Body.HasMimeHeaderParameter Boolean If true, the body of an extracted multi-part object sent in MIME format has a specified header parameter<br />
1. String: Header name<br />
2. String: Header parameter name<br />
Body.IsAboveSizeLimit Boolean If true, the body of a web object is above a size limit<br />
Body.IsCompleteWithTimeout Boolean If true, the body of a web object has been completely sent to the appliance before the time (in milliseconds) specified by the property parameter has elapsed<br />
1. Number: Time allowed to send object completely (in milliseconds)<br />
Body.IsCorruptedObject Boolean If true, an archive contained in the body of a web object is corrupted<br />
Body.IsEncryptedObject Boolean If true, an archive contained in the body of a web object is encrypted.<br />
Body.IsMultiPartObject Boolean If true, an archive contained in the body of a web object is complex, including multiple parts<br />
Body.IsSupportedByOpener Boolean If true, an opener device is available on the appliance for the body of a web object that is composite, for example, the body of an archive<br />
Body.MimeHeaderParameterValue String Value of a header parameter in the body of a web object sent in MIME format<br />
1. String: Header name<br />
2. String: Header parameter value<br />
Body.MimeHeaderValue String Value of a header in the body of a web object sent in MIME format<br />
String: Header value<br />
Body.Modified Boolean If true, an appliance module has modified the body of a web object<br />
Body.NestedArchiveLevel Number Current level of an archive part in an archive<br />
Body.NotEquals Boolean If false, the body of a web object matches the pattern specified by the property parameters<br />
1. Number: Position of byte where pattern begins<br />
2. String: Pattern<br />
a. String embedded in double quotes (“ ...”, can also contain hex values preceded by \)<br />
or:<br />
b. Sequence of hex values<br />
Body.NumberOfChildren Number Number of objects embedded in the body of a web object<br />
Body.PositionOfPattern Number Position of the byte where the search for a pattern in the body of a web object begins<br />
Returns -1 if the pattern is not found<br />
1. String: Pattern to search for<br />
a. String embedded in double quotes (“ ...”, can also contain hex values preceded by \)<br />
or:<br />
b. Sequence of hex values<br />
2. Number: Position of byte where search for pattern begins<br />
3. Number: Search length (in bytes, 0 means search from offset to end of object)<br />
Body.Size Number Size of the body of a web object (in bytes)<br />
Body.Text String Text in the body of a web object<br />
Used in rule: Set User-Defined.listOfWords<br />
Body.ToNumber Number Part of the body of a web object converted into a number (maximum 8 bytes beginning at a specified position)<br />
The big-endian or little-endian format can be used for the conversion.<br />
1. Number: Position of byte where converted part begins<br />
2. Number: Length of converted part (in bytes, maximum 8)<br />
0 for the first parameter and the respective value of the Body.Size property for the second means the whole body is converted.<br />
3. Boolean: If true, little-endian format is used for conversion, otherwise big-endian<br />
Body.ToString String Part of the body of a web object converted into a string<br />
1. Number: Position of byte where converted part begins<br />
2. Number: Length of converted part (in bytes)<br />
0 for the first parameter and the respective value of the Body.Size property for the second means the whole body is converted.<br />
Body.UncompressedSize Number Size of the body of an archived web object (in bytes) after having been extracted from the archive<br />
BooleanToString String Boolean value converted into a string Boolean: Boolean<br />
value to convert<br />
BytesFromClient Number Number of bytes received in a request<br />
from a client<br />
BytesFromServer Number Number of bytes received in a response<br />
from a web server<br />
BytesToClient Number Number of bytes in a web server<br />
response that is forwarded to a client<br />
BytesToServer Number Number of bytes in a client request that<br />
is forwarded to a web server<br />
Cache.IsCacheable Boolean If true, an object sent in response from<br />
a web server can be stored in the web<br />
cache<br />
Cache.IsFresh Boolean If true, an object stored in the web<br />
cache has either been downloaded from<br />
the web or has been verified<br />
Cache.Status String Cache status for a web object<br />
Values:<br />
• TCP_HIT - A web object was<br />
requested by a user and found in the<br />
cache.<br />
• TCP_MISS - A web object was<br />
requested by a user and not found in<br />
the cache.<br />
• TCP_MISS_RELOAD - A web object<br />
was requested by a user, but was<br />
not taken from the cache because<br />
the user required it to be fetched<br />
directly from the web server in<br />
question by clicking the Refresh<br />
button. The object was then entered<br />
into the cache again.<br />
• TCP_MISS_VERIFY - A web object<br />
was requested by a user and existed<br />
in the cache, but verification<br />
information from the web server in<br />
question showed it was outdated. An<br />
updated version of the object was<br />
received from the server and<br />
entered in the cache.<br />
Category.ToShortString String URL category converted into a string that is the category abbreviation Category: Category to convert<br />
Category.ToString String URL category converted into a string Category: Category to convert<br />
Client.IM.Login String ID used by a client to log on to the<br />
appliance under an instant messaging<br />
protocol<br />
Client.IM.ScreenName String Screen name of a client<br />
communicating with the appliance<br />
under an instant messaging protocol<br />
Client.IP IP IP address of a client<br />
Used in rules:<br />
Client IP is in list Allowed Clients<br />
Need to authorize Client IP?<br />
Client.NumberOfConnections Number Number of connections from a client to<br />
the appliance at the same time
Command.Categories List of String List of categories that a command<br />
belongs to, for example, to the FTP<br />
command category<br />
Command.Name String Name of a command<br />
Command.Parameter String Parameter of a command<br />
Connection.Aborted Boolean If true, communication on a connection<br />
has finally failed and the connection is<br />
closed<br />
Connection.IP IP IP address used on a connection<br />
Connection.Protocol String Protocol used for communication on a<br />
connection, for example, HTTP<br />
Used in criteria of rule set: Authenticate<br />
and Authorize<br />
Connection.Protocol.IsIM Boolean If true, communication on a connection<br />
uses an instant messaging protocol<br />
Connection.RunTime Number Time (in seconds) a connection has<br />
been running since it was opened until<br />
the current second<br />
Connection.SSL.TransparentCNHandling Boolean If true, communication on a connection is SSL-secured and runs in transparent mode<br />
Used in criteria of rule set: Verify Common Name (transparent setup)<br />
Cycle.LastCall Boolean If true, processing of data is complete<br />
for a cycle<br />
Cycle.Name String Name of a processing cycle<br />
Cycle.TopName String Name of a cycle (Requests or<br />
Responses) that is processed before a<br />
web object is processed in the<br />
Embedded Objects cycle<br />
Used in rule: Remove partial content<br />
for HTTP requests<br />
DataTrickling.Enabled Boolean If true, data trickling is used for<br />
downloading web objects<br />
DateTime.Date.MonthDayNumber Number Number of day in month<br />
DateTime.Date.MonthNumber Number Number of month<br />
DateTime.Date.ToString String String representing current date (in the format specified by the property parameters)<br />
String including the following three parts:<br />
1. %YYYY (for the year)<br />
or:<br />
%YY (last two digits)<br />
or:<br />
%Y (last two digits, but only one digit if the last two digits begin with 0, for example, 9 for 2009)<br />
2. %MM (for the month number with 0 inserted before one-digit numbers)<br />
or:<br />
%M (0 is not inserted, for example, 3 for March and 12 for December)<br />
3. %DD (for the day)<br />
or:<br />
%D<br />
If no parameter is specified, the format is:<br />
%YYYY/%MM /%DD<br />
DateTime.Date.WeekDayNumber Number Number of day in week (1 is Sunday)<br />
DateTime.Date.Year Number Year (four digits)<br />
DateTime.Date.YearTwoDigits Number Year (last two digits)<br />
DateTime.Time.Hour Number Hour (in 24-hours format, for example, 1 p. m. is 13)<br />
DateTime.Time.Minute Number Minute in hour<br />
DateTime.Time.Second Number Second in minute<br />
DateTime.Time.ToString String String representing current time (in the format specified by the property parameters)<br />
String including the following three parts:<br />
1. %h (for the hour)<br />
or:<br />
%hh (with 0 inserted before a one-digit hour)<br />
2. %m (for the minute)<br />
or:<br />
%mm<br />
3. %s (for the second)<br />
or:<br />
%ss<br />
If no parameter is specified, the format is:<br />
%hh:%mm:%ss<br />
DateTime.ToGMTString String String representing current date and time in Greenwich Mean Time format<br />
For example, “Mon, 22 March 2010 11:45:36 GMT”<br />
DateTime.ToISOString String String representing current date and time in ISO format<br />
For example, "2010-03-22 11:45:12"<br />
DateTime.ToNumber Number Number of seconds since beginning of 1/1/1970 (UNIX epoch time)<br />
DateTime.ToString String String representing current date and time (in the format specified by the property parameters)<br />
String including the parts of the DateTime.Date.ToString and DateTime.Time.ToString properties<br />
If no parameter is specified, the format is:<br />
%YYYY/%MM /%DD %hh:%mm:%ss<br />
DateTime.ToWebReporterString String String representing current date and time in Web Reporter format<br />
For example, “29/Oct/2010:14:28:15 +0000”<br />
Dimension.ToString String Dimension converted into a string Dimension:<br />
Dimension to convert<br />
DNS.Lookup List of IP List of IP addresses found in a DNS<br />
lookup for a host name<br />
String: Host name<br />
DNS.Lookup.Reverse List of String List of host names found in a reverse<br />
DNS lookup for an IP address<br />
IP: IP address<br />
Error.ID Number ID of an error<br />
Used in rule: Block if Anti-Malware<br />
engine is overloaded<br />
Used in criteria of rule set: Long<br />
Running Connections<br />
Error.Message String Message text describing an error<br />
FileSystemLogging.MakeAnonymous String String made anonymous by encryption String: String to encrypt<br />
GTI.RequestSentToCloud Boolean If true, a lookup request for URL<br />
category information was sent to the<br />
Global Threat Intelligence server<br />
Header.Block.Exists Boolean If true, a specified block header exists String: Header name<br />
Header.Block.Get String First value found for a specified block<br />
header<br />
String: Header name<br />
Header.Block.GetMultiple List of String List of values found for a specified block<br />
header<br />
String: Header name<br />
Header.Exists Boolean If true, a specified header is contained<br />
in a request or response that is<br />
processed on the appliance<br />
It depends on the current processing<br />
cycle whether it is actually a request or<br />
response that contains the header.<br />
String: Header name<br />
Header.Get String First value found for the specified header in a request or response that is processed on the appliance.<br />
It depends on the current processing cycle whether it is actually a request or response that contains the header.<br />
String: Header name<br />
Header.GetMultiple List of String List of values found for a specified header in a request or response that is processed on the appliance.<br />
It depends on the current processing cycle whether it is actually a request or response that contains the header.<br />
String: Header name<br />
Header.ICAP.Request.Exists Boolean If true, a specified header is contained in a request sent in ICAP communication<br />
String: Header name<br />
Header.ICAP.Request.Get String First value found for a specified header in a request sent in ICAP communication.<br />
String: Header name<br />
Header.ICAP.Response.Exists Boolean If true, a specified header is contained in a response received in ICAP communication<br />
String: Header name<br />
Header.ICAP.Response.Get String First value found for a specified header in a response received in ICAP communication.<br />
String: Header name<br />
Header.Request.Exists Boolean If true, a specified header is contained<br />
in a request<br />
String: Header name<br />
Header.Request.Get String First value found for a specified header<br />
in a request<br />
String: Header name<br />
Header.Request.GetMultiple List of String List of values found for a specified<br />
header in a request<br />
String: Header name<br />
Header.Response.Exists Boolean If true, a specified header is contained<br />
in a response<br />
String: Header name<br />
Header.Response.Get String First value found for a specified header<br />
in a response<br />
String: Header name<br />
Header.Response.GetMultiple List of String List of values found for a specified<br />
header in a response<br />
String: Header name<br />
Hex.ToString String Hex value converted into a string Hex: Hex value to<br />
convert<br />
HTML.Element.Attribute String String representing an attribute of an<br />
HTML element<br />
Used in rule: Java applets
HTML.Element.Dimension Dimension Dimension of an HTML element (width and height)<br />
HTML.Element.HasAttribute Boolean If true, an HTML element has a specified attribute<br />
Used in rule: Java applets<br />
String: Attribute name<br />
HTML.Element.Name String Name of an HTML element<br />
Used in rule: Java applets<br />
HTML.Element.ScriptType String Script type of an HTML element, for example, JavaScript or Visual Basic Script<br />
Used in rule: JavaScript<br />
ICAP.Policy String Name of a policy included in an ICAP request for a URL<br />
ICAP.ReqMod.ResponseHeader.Exists Boolean If true, a response sent from an ICAP server in REQMOD mode contains a specified header<br />
String: Header name<br />
ICAP.ReqMod.ResponseHeader.Get String First value found for a specified header in a REQMOD response<br />
ICAP.ReqMod.ResponseHeader.GetMultiple List of String List of values found for a specified header in a REQMOD response<br />
ICAP.ReqMod.Satisfaction Boolean If true, an ICAP server has replaced a request with a response<br />
The ICAP server does this after sending a message that a particular request is blocked.<br />
Used in rule: Call ReqMod server<br />
ICAP.RespMod.EncapsulatedHTTPChanged Boolean If true, an ICAP server has changed the HTTP state for a response sent in RESPMOD mode<br />
ICAP.RespMod.ResponseHeader.Exists Boolean If true, a response sent from an ICAP server in RESPMOD mode contains a specified header<br />
ICAP.RespMod.ResponseHeader.Get String First value found for a specified header in a RESPMOD response<br />
ICAP.RespMod.ResponseHeader.GetMultiple List of String List of values found for a specified header in a RESPMOD response<br />
IM.Direction String Direction of a chat message sent or a file transferred under an instant messaging protocol and processed on the appliance<br />
For a chat message sent from a client to the appliance, the direction could, for example, be specified as out, for a message sent from a server to the appliance it could be specified as in.<br />
IM.FileName String Name of a file transferred under an instant messaging protocol<br />
IM.FileSize Number Size of a file transferred under an instant messaging protocol (in bytes)<br />
String: Header name<br />
String: Header name<br />
String: Header name<br />
String: Header name<br />
String: Header name<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 339
Appendix: Configuration lists<br />
List of properties<br />
Table A-5 List of properties (continued)<br />
Name Type Description Parameters<br />
IM.MessageCanSendBack Boolean If true, a block message or other<br />
message can be sent from the appliance<br />
to a user of an instant messaging<br />
service<br />
A block message is, for example, sent<br />
back to a user who submitted a chat<br />
message during a time interval that is<br />
not allowed for chatting.<br />
A message can typically not be sent<br />
before a user has completed the<br />
procedure for logging on to the instant<br />
messaging service.<br />
IM.Notification String Name of a template used for sending a<br />
notification from the appliance to a user<br />
of an instant messaging service, for<br />
example, a block message<br />
IM.Recipient String Name of a client that receives a chat<br />
message or file under an instant<br />
messaging protocol<br />
This name can also be a group name<br />
(group ID) when a chat message is sent<br />
to a group of recipients.<br />
IM.Sender String Name of a client that sends a chat<br />
message or file under an instant<br />
messaging protocol<br />
Incident.AffectedHost IP IP address of a host that is involved in<br />
an incident, for example, a web server<br />
that the appliance cannot connect to<br />
Incident.Description String Plain-text description of an incident<br />
Incident.ID Number ID of an incident<br />
For a list of these IDs, see List of<br />
incident IDs<br />
Incident.Origin Number Number specifying the appliance<br />
component that is the origin of an<br />
incident<br />
The following are some origin numbers<br />
that are presently in use:<br />
1 - Appliance system<br />
2 - Core subsystem<br />
3 - Coordinator subsystem<br />
4 - Anti-Malware process<br />
5 - Log File Manager<br />
6 - sysconf daemon<br />
9 - Unidentified origin<br />
The origin of an incident is further<br />
specified by the Incident.OriginName<br />
property.<br />
340 <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong>
Table A-5 List of properties (continued)<br />
Appendix: Configuration lists<br />
List of properties<br />
Name Type Description Parameters<br />
Incident.OriginName String Name of an appliance component that is<br />
the origin of an incident<br />
The origin name can also specify a<br />
subcomponent that is a part of the<br />
component specified by the origin<br />
number.<br />
For example, origin number 2 (Core)<br />
can be further specified by the origin<br />
name as:<br />
• Core<br />
• Proxy<br />
• Anti-Malware Filter<br />
• URL Filter<br />
• and other names of subcomponents<br />
Incident.Severity Number Severity of an incident<br />
Severity levels are as follows:<br />
0 - Emergency<br />
1 - Alert<br />
2 - Critical<br />
3 - Error<br />
4 - Warning<br />
5 - Notice<br />
6 - Informational<br />
7 - Debug<br />
These levels are the same as those used<br />
in syslog entries.<br />
IP.ToString String IP address converted into a string IP: IP address to<br />
convert<br />
IPRange.ToString String Range of IP addresses converted into a<br />
string<br />
License.RemainingDays Number Remaining time until license expires (in<br />
days)<br />
IPRange: Range of IP<br />
addresses to convert<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 341
Appendix: Configuration lists<br />
List of properties<br />
Table A-5 List of properties (continued)<br />
Name Type Description Parameters<br />
List.LastMatches String String containing all elements that have<br />
been found to match when two lists are<br />
compared using an operator such as at<br />
least one in list or all in list<br />
Matches are only added to the list as<br />
long it has not yet been decided<br />
whether the relationship between the<br />
lists that the operator evaluates exists<br />
or not.<br />
For example, list a contains the<br />
elements 1, 2, 3, list b contains 1, 2, 4.<br />
Both lists are compared using the at<br />
least one in list operator.<br />
To find out that list a actually contains<br />
at least one element of list b, the<br />
operator only needs to compare<br />
element 1 in both lists and detect that<br />
they match.<br />
List.LastMatches then contains 1<br />
because it has been found to be a<br />
match.<br />
2 is also a match in the two lists, but is<br />
not contained in List.LastMatches<br />
because it was not evaluated by the<br />
operator and found to be a match.<br />
This was not done because the operator<br />
had already found out after evaluating<br />
the 1 in both lists that at least one<br />
element of list a was also in list b.<br />
Used in modification of rule: Write<br />
access.log<br />
List.OfCategory.Append List of Category List of URL categories that a category is<br />
appended to<br />
List.OfCategory.ByName List of Category List of URL categories (specified by its<br />
name)<br />
List.OfCategory.Erase List of Category List of URL categories with specified<br />
category erased<br />
List.OfCategory.<br />
EraseElementRange<br />
342 <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong><br />
List of Category List of URL categories with specified<br />
range of categories erased<br />
List.OfCategory.EraseList List of Category List of URL categories with categories<br />
that are also on other list erased<br />
1. List of Category:<br />
List to append<br />
category to<br />
2. Category:<br />
Category to append<br />
String: List name<br />
1. List of Category:<br />
List with category to<br />
erase<br />
2. Number: Position<br />
of category to erase<br />
1. List of Category:<br />
List with categories<br />
to erase<br />
2. Number: Position<br />
of first category to<br />
erase<br />
3. Number: Position<br />
of last category to<br />
erase<br />
1. List of Category:<br />
List with categories<br />
to erase<br />
2. List of Category:<br />
List of categories to<br />
erase on first list
Table A-5 List of properties (continued)<br />
Appendix: Configuration lists<br />
List of properties<br />
Name Type Description Parameters<br />
List.OfCategory.Find Number Position of a URL category on a list 1. List of Category:<br />
List with category to<br />
find position for<br />
2. Category:<br />
Category to find<br />
position for<br />
List.OfCategory.Get Category URL category (specified by its position<br />
on a list)<br />
List.OfCategory.<br />
GetElementRange<br />
List of Category List of URL categories (extracted from<br />
other list)<br />
List.OfCategory.Insert List of Category List of URL categories with specified<br />
category inserted<br />
List.OfCategory.IsEmpty Boolean If true, the specified list is empty<br />
Used in rule: Allow uncategorized URLs<br />
List.OfCategory.Join List of Category List of URL categories created by joining<br />
two lists<br />
List.OfCategory.Reverse List of Category List of URL categories that has its<br />
original order reverted<br />
1. List of Category:<br />
List containing<br />
category<br />
2. Number: Position<br />
of category on list<br />
1. Category List: List<br />
with categories to<br />
extract<br />
2. Number: Position<br />
of first category to<br />
extract<br />
3. Number: Position<br />
of last category to<br />
extract<br />
1. List of Category:<br />
List to insert<br />
category in<br />
2. Category:<br />
Category to insert<br />
List of Category: List<br />
to check for being<br />
empty<br />
1. List of Category:<br />
First list to join<br />
2. List of Category:<br />
Second list to join<br />
List of Category: List<br />
in original order<br />
List.OfCategory.Size Number Number of URL categories on a list List of Category: List<br />
to provide number of<br />
categories for<br />
List.OfCategory.Sort List of Category List of URL categories sorted in<br />
alphabetical order<br />
List.OfCategory.ToShortString String List of URL categories converted into a<br />
list of their abbreviated name forms<br />
List.OfCategory.ToString String List of URL categories converted into a<br />
string<br />
List.OfDimension.Append List of<br />
Dimension<br />
List.OfDimension.ByName List of<br />
Dimension<br />
List.OfDimension.Erase List of<br />
Dimension<br />
List of dimensions that a dimension is<br />
appended to<br />
List of dimensions (specified by its<br />
name)<br />
List of dimensions with specified<br />
dimension erased<br />
List of Category: List<br />
to sort<br />
List of Category: List<br />
to convert<br />
List of Category: List<br />
to convert<br />
1. List of Dimension:<br />
List to append<br />
dimension to<br />
2. Dimension:<br />
Dimension to append<br />
String: List name<br />
1. List of Dimension:<br />
List with dimension to<br />
erase<br />
2. Number: Position<br />
of dimension to erase<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 343
Appendix: Configuration lists<br />
List of properties<br />
Table A-5 List of properties (continued)<br />
Name Type Description Parameters<br />
List.OfDimension.<br />
EraseElementRange<br />
List of<br />
Dimension<br />
List.OfDimension.EraseList List of<br />
Dimension<br />
344 <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong><br />
List of dimensions with specified range<br />
of dimensions erased<br />
List of dimensions with dimensions that<br />
are also on other list erased<br />
1. List of Dimension:<br />
List with dimension<br />
range to erase<br />
2. Number: Position<br />
of first dimension to<br />
erase<br />
3. Number: Position<br />
of last dimension to<br />
erase<br />
1. List of Dimension:<br />
List with dimensions<br />
to erase<br />
2. List of Dimension:<br />
List of dimensions to<br />
erase on first list<br />
List.OfDimension.Find Number Position of a dimension on a list 1. List of Dimension:<br />
List with dimension to<br />
find position for<br />
2.List of Dimension:<br />
Dimension to find<br />
position for<br />
List.OfDimension.Get Dimension Dimension (specified by its position on a<br />
list)<br />
List.OfDimension.<br />
GetElementRange<br />
List of<br />
Dimension<br />
List.OfDimension.Insert List of<br />
Dimension<br />
List of dimensions (extracted from other<br />
list)<br />
List of dimensions with specified<br />
dimension inserted<br />
1. List of Dimension:<br />
List containing<br />
dimension<br />
2. Number: Position<br />
of dimension on list<br />
1. List of Dimension:<br />
List with dimensions<br />
to extract<br />
2. Number: Position<br />
of first dimension to<br />
extract<br />
3. Number: Position<br />
of last dimension to<br />
extract<br />
1. List of Dimension:<br />
List to insert<br />
dimension in<br />
2. Dimension:<br />
Dimension to insert<br />
List.OfDimension.IsEmpty Boolean If true, the specified list is empty List of Dimension:<br />
List to check for<br />
being empty<br />
List.OfDimension.Join List of<br />
Dimension<br />
List.OfDimension.Reverse List of<br />
Dimension<br />
List of dimensions created by joining<br />
two lists<br />
List of dimensions that has its original<br />
order reverted<br />
1. List of Dimension:<br />
First list to join<br />
2. Dimension List:<br />
Second list to join<br />
List of Dimension:<br />
List in original order<br />
List.OfDimension.Size Number Number of dimensions on a list List of Dimension:<br />
List to provide<br />
number of<br />
dimensions for<br />
List.OfDimension.Sort List of<br />
Dimension<br />
List of dimensions sorted in alphabetical<br />
order<br />
List.OfDimension.ToString String List of dimensions converted into a<br />
string<br />
List of Dimension:<br />
List to sort<br />
List of Dimension:<br />
List to convert
Table A-5 List of properties (continued)<br />
Appendix: Configuration lists<br />
List of properties<br />
Name Type Description Parameters<br />
List.OfHex.Append List of Hex List of hex values that a hex value is<br />
appended to<br />
List.OfHex.ByName List of Hex List of hex values (specified by its<br />
name)<br />
List.OfHex.Erase List of Hex List of hex values with specified value<br />
erased<br />
List.OfHex.EraseElementRange List of Hex List of hex values with specified range of<br />
values erased<br />
List.OfHex.EraseList List of Hex List of hex values with values that are<br />
also on other list erased<br />
1. List of Hex: List to<br />
append hex value to<br />
2. Hex: Hex values to<br />
append<br />
String: List name<br />
1. List of Hex: List<br />
with hex value to<br />
erase<br />
2. Number: Position<br />
of hex value to erase<br />
1. List of Hex: List<br />
with hex values to<br />
erase<br />
2. Number: Position<br />
of first hex value to<br />
erase<br />
3. Number: Position<br />
of last hex value to<br />
erase<br />
1. List of Hex: List<br />
with hex values to<br />
erase<br />
2. List of Hex: List of<br />
hex values to erase<br />
on first list<br />
List.OfHex.Find Number Position of a hex value on a list 1. List of Hex: List<br />
with hex value to find<br />
position for<br />
2. Hex: Hex value to<br />
find position for<br />
List.OfHex.Get Hex Hex value (specified by its position on a<br />
list)<br />
List.OfHex.GetElementRange List of Hex List of hex values (extracted from other<br />
list)<br />
List.OfHex.Insert List of Hex List of hex values with specified value<br />
inserted<br />
1. List of Hex: List<br />
containing hex value<br />
2. Number: Position<br />
of hex value on list<br />
1. List of Hex: List<br />
with hex values to<br />
extract<br />
2. Number: Position<br />
of first hex value to<br />
extract<br />
3. Number: Position<br />
of last hex value to<br />
extract<br />
1. List of Hex: List to<br />
insert hex value in<br />
2. Hex: Hex value to<br />
insert<br />
List.OfHex.IsEmpty Boolean If true, the specified list is empty List of Hex: List to<br />
check for being<br />
empty<br />
List.OfHex.Join List of Hex List of hex values created by joining two<br />
lists<br />
List.OfHex.Reverse List of Hex List of hex values that has its original<br />
order reverted<br />
1. List of Hex: First<br />
list to join<br />
2. List of Hex:<br />
Second list to join<br />
List of Hex: List in<br />
original order<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 345
Appendix: Configuration lists<br />
List of properties<br />
Table A-5 List of properties (continued)<br />
Name Type Description Parameters<br />
List.OfHex.Size Number Number of hex values on a list List of Hex: List to<br />
provide number of<br />
hex values for<br />
List.OfHex.Sort List of Hex List of sorted hex values List of Hex: List to<br />
sort<br />
List.OfHex.ToString String List of hex values converted into a<br />
string<br />
List.OfIP.Append List of IP List of IP addresses that an IP address<br />
is appended to<br />
List.OfIP.ByName List of IP List of IP addresses (specified by its<br />
name)<br />
List.OfIP.Erase List of IP List of IP addresses with specified<br />
address erased<br />
List.OfIP.EraseElementRange List of IP List of IP addresses with specified range<br />
of addresses erased<br />
List.OfIP.EraseList List of IP List of IP addresses with addresses that<br />
are also on other list erased<br />
346 <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong><br />
List of Hex: List to<br />
convert<br />
1. List of IP: List to<br />
append IP address to<br />
2. IP: IP address to<br />
append<br />
String: List name<br />
1. List of IP: List with<br />
IP address to erase<br />
2. Number: Position<br />
of IP address to erase<br />
1. List of IP: List with<br />
IP addresses to erase<br />
2. Number: Position<br />
of first IP address to<br />
erase<br />
3. Number: Position<br />
of last IP address to<br />
erase<br />
1. List of IP: List with<br />
IP addresses to erase<br />
2. List of IP: List of<br />
IP addresses to erase<br />
on first list<br />
List.OfIP.Find Number Position of an IP address on a list 1. List of IP: List with<br />
IP address to find<br />
position for<br />
2.IP: IP address to<br />
find position for<br />
List.OfIP.Get IP IP address (specified by its position on a<br />
list)<br />
List.OfIP.GetElementRange List of IP List of IP addresses (extracted from<br />
another list)<br />
List.OfIP.Insert List of IP List of IP addresses with specified<br />
address inserted<br />
1. List of IP: List<br />
containing IP address<br />
2. Number: Position<br />
of IP address on list<br />
1. List of IP: List with<br />
IP addresses to<br />
extract<br />
2. Number: Position<br />
of first IP address to<br />
extract<br />
3. Number: Position<br />
of last IP address to<br />
extract<br />
1. List of IP: List to<br />
insert IP address in<br />
2. IP: IP address to<br />
insert<br />
List.OfIP.IsEmpty Boolean If true, the specified list is empty List of IP: List to<br />
check for being<br />
empty
Table A-5 List of properties (continued)<br />
Appendix: Configuration lists<br />
List of properties<br />
Name Type Description Parameters<br />
List.OfIP.Join List of IP List of IP addresses created by joining<br />
two lists<br />
List.OfIP.Reverse List of IP List of IP addresses that has its original<br />
order reverted<br />
1. List of IP: First list<br />
to join<br />
2. List of IP: Second<br />
list to join<br />
List of IP: List in<br />
original order<br />
List.OfIP.Size Number Number of IP addresses on a list List of IP: List to<br />
provide number of IP<br />
addresses for<br />
List.OfIP.Sort List of IP List of sorted IP addresses List of IP: List to sort<br />
List.OfIP.ToString String List of IP addresses converted into a<br />
string<br />
List.OfIPRange.Append List of IPRange List of IP address ranges that an IP<br />
address range is appended to<br />
List.OfIPRange.ByName List of IPRange List of IP address ranges (specified by<br />
its name)<br />
List.OfIPRange.Erase List of IPRange List of IP address ranges with specified<br />
range erased<br />
List.OfIPRange.<br />
EraseElementRange<br />
List of IPRange List of IP address ranges with specified<br />
ranges erased<br />
List.OfIPRange.EraseList List of IPRange List of IP address ranges with ranges<br />
that are also on other list erased<br />
List of IP: List to<br />
convert<br />
1. List of IPRange:<br />
List to append<br />
IP address range to<br />
2. IPRange:<br />
IP address range to<br />
append<br />
String: List name<br />
1. List of IPRange:<br />
List with IP address<br />
range to erase<br />
2. Number: Position<br />
of IP address range<br />
to erase<br />
1. List of IPRange:<br />
List with IP address<br />
ranges to erase<br />
2. Number: Position<br />
of first IP address<br />
range to erase<br />
3. Number: Position<br />
of last IP address<br />
range to erase<br />
1. List of IPRange:<br />
List with IP address<br />
range to erase<br />
2. List of IPRange:<br />
List of IP address<br />
ranges to erase from<br />
first list<br />
List.OfIPRange.Find Number Position of an IP address range on a list 1. List of IPRange:<br />
List with IP address<br />
range to find position<br />
for<br />
2.IPRange: IP<br />
address range to find<br />
position for<br />
List.OfIPRange.Get IPRange IP address range (specified by its<br />
position on a list)<br />
1. List of IPRange:<br />
List containing IP<br />
address range<br />
2. Number: Position<br />
of IP address range<br />
on list<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 347
Appendix: Configuration lists<br />
List of properties<br />
Table A-5 List of properties (continued)<br />
Name Type Description Parameters<br />
List.OfIPRange.<br />
GetElementRange<br />
348 <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong><br />
List of IPRange List of IP address ranges (extracted<br />
from other list)<br />
List.OfIPRange.Insert List of IPRange List of IP address ranges with specified<br />
range inserted<br />
1. List of IPRange:<br />
List with IP address<br />
ranges to extract<br />
2. Number: Position<br />
of first IP address<br />
range to extract<br />
3. Number: Position<br />
of last IP address<br />
range to extract<br />
1. List of IPRange:<br />
List to insert IP<br />
address range in<br />
2. IP: IP address<br />
range to insert<br />
List.OfIPRange.IsEmpty Boolean If true, the specified list is empty List of IPRange: List<br />
to check for being<br />
empty<br />
List.OfIPRange.Join List of IPRange List of IP address ranges created by<br />
joining two lists<br />
List.OfIPRange.Reverse List of IPRange List of IP address rangess that has its<br />
original order reverted<br />
1. List of IPRange:<br />
First list to join<br />
2. List of IPRange:<br />
Second list to join<br />
List of IPRange: List<br />
in original order<br />
List.OfIPRange.Size Number Number of IP address ranges on a list List of IPRange: List<br />
to provide number of<br />
IP address ranges for<br />
List.OfIPRange.Sort List of IPRange List of sorted IP address ranges List of IPRange: List<br />
to sort<br />
List.OfIPRange.ToString String List of IP address ranges converted into<br />
a string<br />
List.OfMediaType.Append List of<br />
MediaType<br />
List.OfMediaType.ByName List of<br />
MediaType<br />
List.OfMediaType.Erase List of<br />
MediaType<br />
List.OfMediaType.<br />
EraseElementRange<br />
List of<br />
MediaType<br />
List.OfMediaType.EraseList List of<br />
MediaType<br />
List of media types that a media type is<br />
appended to<br />
List of media types (specified by its<br />
name)<br />
List of media types with specified type<br />
erased<br />
List of media types with specified range<br />
of types erased<br />
List of media types with types that are<br />
also on other list erased<br />
List of IPRange: List<br />
to convert<br />
1. List of MediaType:<br />
List to append media<br />
type to<br />
2. MediaType: Media<br />
type to append<br />
String: List name<br />
1. List of MediaType:<br />
List with media type<br />
to erase<br />
2. Number: Position<br />
of media type to<br />
erase<br />
1. List of MediaType:<br />
List with media type<br />
to erase<br />
2. Number: Position<br />
of first media type to<br />
erase<br />
3. Number: Position<br />
of last media type to<br />
erase<br />
1. List of MediaType:<br />
List with media types<br />
to erase<br />
2. List of MediaType:<br />
List of media types to<br />
erase on first list
Table A-5 List of properties (continued)<br />
Appendix: Configuration lists<br />
List of properties<br />
Name Type Description Parameters<br />
List.OfMediaType.Find Number Position of a media type on a list 1. List of MediaType:<br />
List with media type<br />
to find position for<br />
2. MediaType: Media<br />
type to find position<br />
for<br />
List.OfMediaType.Get MediaType Media type (specified by its position on<br />
a list)<br />
List.OfMediaType.GetElems List of<br />
MediaType<br />
List.OfMediaType.Insert List of<br />
MediaType<br />
List of media types (extracted from<br />
other list)<br />
List of media types with specified type<br />
inserted<br />
1. List of MediaType:<br />
List containing media<br />
type<br />
2. Number: Position<br />
of media type on list<br />
1. List of MediaType:<br />
List with media types<br />
to extract<br />
2. Number: Position<br />
of first media type to<br />
extract<br />
3. Number: Position<br />
of last media type to<br />
extract<br />
1. List of MediaType:<br />
List to insert media<br />
type in<br />
2. MediaType: Media<br />
type to insert<br />
List.OfMediaType.IsEmpty Boolean If true, the specified list is empty List of MediaType:<br />
List to check for<br />
being empty<br />
List.OfMediaType.Join List of<br />
MediaType<br />
List.OfMediaType.Reverse List of<br />
MediaType<br />
List of media types created by joining<br />
two lists<br />
List of media types that has its original<br />
order reverted<br />
1. List of MediaType:<br />
First list to join<br />
2. List of MediaType:<br />
Second list to join<br />
List of MediaType:<br />
List in original order<br />
List.OfMediaType.Size Number Number of media types on a list List of MediaType:<br />
List to provide<br />
number of media<br />
types for<br />
List.OfMediaType.Sort List of<br />
MediaType<br />
List of media types sorted in<br />
alphabetical order<br />
List.OfMediaType.ToString String List of media types converted into a<br />
string<br />
List.OfNumber.Append List of Number List of numbers that a number is<br />
appended to<br />
List of MediaType:<br />
List to sort<br />
List of MediaType:<br />
List to convert<br />
1. List of Number:<br />
List to append<br />
number to<br />
2. Number: Number<br />
to append<br />
List.OfNumber.ByName List of Number List of numbers (specified by its name) String: List name<br />
List.OfNumber.Erase List of Number List of numbers with specified number<br />
erased<br />
1. List of Number:<br />
List with number to<br />
erase<br />
2. Number: Position<br />
of number to erase<br />
<strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong> 349
Appendix: Configuration lists<br />
List of properties<br />
Table A-5 List of properties (continued)<br />
Name Type Description Parameters<br />
List.OfNumber.<br />
EraseElementRange<br />
350 <strong>McAfee</strong> <strong>Web</strong> <strong>Gateway</strong> <strong>7.1.5</strong> <strong>Product</strong> <strong>Guide</strong><br />
List of Number List of numbers with specified range of<br />
numbers erased<br />
List.OfNumber.EraseList List of Number List of numbers with numbers that are<br />
also on other list erased<br />
1. List of Number:<br />
List with numbers to<br />
erase<br />
2. Number: Position<br />
of first number to<br />
erase<br />
3. Number: Position<br />
of last number to<br />
erase<br />
1. List of Number:<br />
List with numbers to<br />
erase<br />
2. List of Number:<br />
List of numbers to<br />
erase from first list<br />
List.OfNumber.Find Number Position of a number on a list 1. List of Number:<br />
List with number to<br />
find position for<br />
2. Number: Number<br />
to find position for<br />
List.OfNumber.Get Number Number (specified by its position on a<br />
list)<br />
List.OfNumber.<br />
GetElememtRange<br />
List of Number List of numbers (extracted from other<br />
list)<br />
List.OfNumber.Insert List of Number List of numbers with specified number<br />
inserted<br />
1. List of Number:<br />
List containing<br />
number<br />
2. Number: Position<br />
of number on list<br />
1. List of Number:<br />
List with numbers to<br />
extract<br />
2. Number: Position<br />
of first number to<br />
extract<br />
3. Number: Position<br />
of last number to<br />
extract<br />
1. List of Number:<br />
List to insert number<br />
in<br />
2. Number: Number<br />
to insert<br />
List.OfNumber.IsEmpty Boolean If true, the specified list is empty List of Number: List<br />
to check for being<br />
empty<br />
List.OfNumber.Join List of Number List of numbers created by joining two<br />
lists<br />
List.OfNumber.Reverse List of Number List of numbers that has its original<br />
order reverted<br />
1. List of Number:<br />
First list to join<br />
2. List of Number:<br />
Second list to join<br />
List of Number: List<br />
in original order<br />
List.OfNumber.Size Number Number of numbers on a list List of Number: List<br />
to provide number of<br />
numbers for<br />
List.OfNumber.Sort List of Number List of sorted numbers List of Number: List<br />
to sort<br />
List.OfNumber.ToString String List of numbers converted into a string Number List: List to<br />
convert<br />
List.OfString.Append List of String List of strings that a string is appended<br />
to<br />
1. List of String: List<br />
to append string to<br />
2. String: String to<br />
append
Table A-5 List of properties (continued)<br />
Appendix: Configuration lists<br />
List of properties<br />
Name Type Description Parameters<br />
List.OfString.ByName List of String List of strings (specified by its name) String: List name<br />
List.OfString.Erase List of String List of strings with specified string erased 1. List of String: List with string to erase 2. Number: Position of string to erase<br />
List.OfString.EraseElementRange List of String List of strings with specified range of strings erased 1. List of String: List with strings to erase 2. Number: Position of first string to erase 3. Number: Position of last string to erase<br />
List.OfString.EraseList List of String List of strings with strings that are also on other list erased 1. List of String: List with strings to erase 2. List of String: List of strings to erase on first list<br />
List.OfString.Find Number Position of a string on a list 1. List of String: List with string to find position for 2. String: String to find position for<br />
List.OfString.Get String String (specified by its position on a list) 1. List of String: List containing string 2. Number: Position of string on list<br />
List.OfString.GetElementRange List of String List of strings (extracted from other list) 1. String List: List with regular expressions to extract 2. Number: Position of first string to extract 3. Number: Position of last string to extract<br />
List.OfString.Insert List of String List of strings with specified string inserted 1. List of String: List to insert string in 2. String: String to insert<br />
List.OfString.IsEmpty Boolean If true, the specified list is empty List of String: List to check for being empty<br />
List.OfString.Join List of String List of strings created by joining two lists 1. List of String: First list to join 2. List of String: Second list to join<br />
List.OfStringMapInList List of String String specified by a parameter and contained in a list with an index for the position this string has in another list. If the specified string is not contained in the first list or does not exist as a position in the second list, the string is empty. 1. List of String: List containing string 2. List of String: List containing string 3. String: String contained in first and second lists or empty string<br />
List.OfString.Reverse List of String List of strings that has its original order reverted List of String: List in original order<br />
List.OfString.Size Number Number of strings on a specified list List of String: List to provide number of strings for<br />
List.OfString.Sort List of String List of strings sorted in alphabetical order List of String: List to sort<br />
List.OfString.ToString String List of strings converted into a string List of String: List to convert<br />
List.OfWildcard.Append List of Wildcard Expression List of wildcard expressions that an expression is appended to 1. List of Wildcard Expression: List to append wildcard expression to 2. Wildcard Expression: Wildcard expression to append<br />
List.OfWildcard.ByName List of Wildcard Expression List of wildcard expressions (specified by its name) String: List name<br />
List.OfWildcard.Erase List of Wildcard Expression List of wildcard expressions with specified expression erased 1. List of Wildcard Expression: List with wildcard expression to erase 2. Number: Position of wildcard expression to erase<br />
List.OfWildcard.EraseElementRange List of Wildcard Expression List of wildcard expressions with specified range of expressions erased 1. List of Wildcard Expression: List with wildcard expressions to erase 2. Number: Position of first wildcard expression to erase 3. Number: Position of last wildcard expression to erase<br />
List.OfWildcard.EraseList List of Wildcard Expression List of wildcard expressions with expressions that are also on other list erased 1. List of Wildcard Expression: List with wildcard expressions to erase 2. Wildcard Expression: List of wildcard expressions to erase on first list<br />
List.OfWildcard.Find Number Position of a wildcard expression on a list 1. List of Wildcard Expression: List with wildcard expression to find position for 2. Wildcard Expression: Wildcard Expression to find position for<br />
List.OfWildcard.Get Wildcard Expression Wildcard expression (specified by its position on a list) 1. List of Wildcard Expression: List containing wildcard expression 2. Number: Position of wildcard expression on list<br />
List.OfWildcard.GetElementRange List of Wildcard Expression List of wildcard expressions (extracted from other list) 1. List of Wildcard Expression: List with wildcard expressions to extract 2. Number: Position of first wildcard expression to extract 3. Number: Position of last wildcard expression to extract<br />
List.OfWildcard.Insert List of Wildcard Expression List of wildcard expressions with specified expression inserted 1. List of Wildcard Expression: List to insert wildcard expression in 2. Wildcard Expression: Wildcard expression to insert<br />
List.OfWildcard.IsEmpty Boolean If true, the specified list is empty List of Wildcard Expression: List to check for being empty<br />
List.OfWildcard.Join List of Wildcard Expression List of wildcard expressions created by joining two lists 1. List of Wildcard Expression: First list to join 2. List of Wildcard Expression: Second list to join<br />
List.OfWildcard.Reverse List of Wildcard Expression List of wildcard expressions that has its original order reverted List of Wildcard Expression: List in original order<br />
List.OfWildcard.Size Number Number of wildcard expressions on a list List of Wildcard Expression: List to provide number of wildcard expressions for<br />
List.OfWildcard.Sort List of Wildcard Expression List of sorted wildcard expressions List of Wildcard Expression: List to sort<br />
List.OfWildcard.ToString String List of wildcard expressions converted into a string List of Wildcard Expression: List to convert<br />
Math.Abs Number Absolute value of specified number Number: Number that absolute value is provided for<br />
Math.Random Number Random number between specified minimum and maximum values (including these values) 1. Number: Minimum value 2. Number: Maximum value<br />
MediaStreamProbability Number Probability that the streaming media in question matches the found media type (in percent)<br />
MediaType.EnsuredTypes List of MediaType List of media types that are ensured for the respective media with a probability of more than 50%. Used in rules: Block types from list Upload Media Type Blocklist; Block types from Download Media Type Blocklist<br />
MediaType.FromFileExtension List of MediaType List of media types that are found using the file extension of the media<br />
MediaType.FromHeader List of MediaType List of media types that are found using the content-type header sent with the media<br />
MediaType.HasOpener Boolean If true, an opener module is available on the appliance for media of a given type<br />
MediaType.IsCompositeObject Boolean If true, media of a given type is a composite object, for example, is an archive<br />
MediaType.MagicBytesMismatch Boolean If true, the media type specified in the header sent with the media does not match the type that was found on the appliance by examining the magic bytes actually contained in the media<br />
MediaType.NotEnsuredTypes List of MediaType List of media types that are ensured for the respective media with a probability of less than 50%<br />
MediaType.ToString String Media type converted into a string MediaType: Media type to convert<br />
Message.Language String Name of language for messages sent to users in short form, for example, en, de, ja<br />
Message.TemplateName String Name of a template for messages sent to users<br />
Number.ToString String Number converted into a string Number: Number to convert<br />
Number.ToVolumeString String Number of bytes that a volume amounts to converted into a string Number: Byte number to convert<br />
NumberOfClientConnections Number Number of connections to clients that are open on the appliance at the same time<br />
PDStorage.GetAllData List of String List containing all permanently stored data in string format<br />
PDStorage.GetAllGlobalData List of String List containing all permanently stored global data in string format<br />
PDStorage.GetAllUserData List of String List containing all permanently stored user data in string format<br />
PDStorage.GetGlobalData.Bool Boolean Global variable of type Boolean String: Variable key<br />
PDStorage.GetGlobalData.Category Boolean Global variable of type Category String: Variable key<br />
PDStorage.GetGlobalData.Dimension Boolean Global variable of type Dimension String: Variable key<br />
PDStorage.GetGlobalData.Hex Hex Global variable of type Hex String: Variable key<br />
PDStorage.GetGlobalData.IP IP Global variable of type IP String: Variable key<br />
PDStorage.GetGlobalData.IPRange IPRange Global variable of type IPRange String: Variable key<br />
PDStorage.GetGlobalData.List.Category List of Category Global variable of type List of Category String: Variable key<br />
PDStorage.GetGlobalData.List.Dimension List of Dimension Global variable of type List of Dimension String: Variable key<br />
PDStorage.GetGlobalData.List.Hex List of Hex Global variable of type List of Hex String: Variable key<br />
PDStorage.GetGlobalData.List.IP List of IP Global variable of type List of IP String: Variable key<br />
PDStorage.GetGlobalData.List.IPRange List of IPRange Global variable of type List of IPRange String: Variable key<br />
PDStorage.GetGlobalData.List.MediaType List of MediaType Global variable of type List of MediaType String: Variable key<br />
PDStorage.GetGlobalData.List.Number List of Number Global variable of type List of Number String: Variable key<br />
PDStorage.GetGlobalData.List.String List of String Global variable of type List of String String: Variable key<br />
PDStorage.GetGlobalData.List.Wildcard List of Wildcard Expression Global variable of type List of Wildcard Expression String: Variable key<br />
PDStorage.GetGlobalData.MediaType MediaType Global variable of type MediaType String: Variable key<br />
PDStorage.GetGlobalData.Number Number Global variable of type Number String: Variable key<br />
PDStorage.GetGlobalData.String String Global variable of type String String: Variable key<br />
PDStorage.GetGlobalData.Wildcard Wildcard Expression Global variable of type Wildcard Expression String: Variable key<br />
PDStorage.GetUserData.Bool Boolean User variable of type Boolean String: Variable key<br />
PDStorage.GetUserData.Category Category User variable of type Category String: Variable key<br />
PDStorage.GetUserData.Dimension Dimension User variable of type Dimension String: Variable key<br />
PDStorage.GetUserData.Hex Hex User variable of type Hex String: Variable key<br />
PDStorage.GetUserData.IP IP User variable of type IP String: Variable key<br />
PDStorage.GetUserData.IPRange IPRange User variable of type IPRange String: Variable key<br />
PDStorage.GetUserData.List.Category List of Category User variable of type List of Category String: Variable key<br />
PDStorage.GetUserData.List.Dimension List of Dimension User variable of type List of Dimension String: Variable key<br />
PDStorage.GetUserData.List.Hex List of Hex User variable of type List of Hex value String: Variable key<br />
PDStorage.GetUserData.List.IP List of IP User variable of type List of IP String: Variable key<br />
PDStorage.GetUserData.List.IPRange List of IPRange User variable of type List of IPRange String: Variable key<br />
PDStorage.GetUserData.List.MediaType List of MediaType User variable of type List of MediaType String: Variable key<br />
PDStorage.GetUserData.List.Number List of Number User variable of type List of Number String: Variable key<br />
PDStorage.GetUserData.List.String List of String User variable of type List of String String: Variable key<br />
PDStorage.GetUserData.List.Wildcard List of Wildcard Expression User variable of type List of Wildcard Expression Variable Key: String<br />
PDStorage.GetUserData.MediaType MediaType User variable of type MediaType String: Variable key<br />
PDStorage.GetUserData.Number Number User variable of type Number String: Variable key<br />
PDStorage.GetUserData.String String User variable of type String String: Variable key<br />
PDStorage.GetUserData.Wildcard Wildcard Expression User variable of type Wildcard Expression String: Variable key<br />
PDStorage.HasGlobalData Boolean If true, permanently stored global data is available String: Variable key<br />
PDStorage.HasUserData Boolean If true, permanently stored user data is available String: Variable key<br />
ProgressPage.Enabled Boolean If true, download progress is indicated to the user by a progress page<br />
Protocol.FailureDescription String String containing description of a connection error under the current protocol<br />
Proxy.EndUserURL String String representing URL for display to a user<br />
Proxy.IP IP IP address of connection<br />
Proxy.Port Number Number of port used for a connection<br />
Quota.AuthorizedOverride.IsActivationRequest Boolean If true, an authorized user has chosen to continue with an authorized override session after session time has been exceeded. Used in rule: Redirect after authenticating for authorized override<br />
Quota.AuthorizedOverride.JS.ActivateSession String String in JavaScript code calling the function that is executed when an authorized user chooses to start a new session by clicking the appropriate button in the authorized override template. The code is provided when the template is created and displayed to the user.<br />
Quota.AuthorizedOverride.RemainingSession Number Remaining time for an authorized override session (in seconds)<br />
Quota.AuthorizedOverride.SessionExceeded Boolean If true, the time allowed for an authorized override session has been exceeded. Used in rule: Check if authorized override session has been exceeded<br />
Quota.AuthorizedOverride.SessionLength Number Time length for an authorized override session (in seconds)<br />
Quota.Coaching.IsActivationRequest Boolean If true, a user has chosen to continue with a new coaching session after session time has been exceeded. Used in rule: Redirecting after starting new coaching session<br />
Quota.Coaching.JS.ActivateSession String String in JavaScript code calling the function that is executed when a user chooses to start a new session by clicking the appropriate button in the coaching session template. The code is provided when the template is created and displayed to the user.<br />
Quota.Coaching.RemainingSession Number Remaining time for a coaching session (in seconds)<br />
Quota.Coaching.SessionExceeded Boolean If true, the time allowed for a coaching session has been exceeded. Used in rule: Check if coaching session has been exceeded<br />
Quota.Coaching.SessionLength Number Time length for a coaching session (in seconds)<br />
Quota.Time.Exceeded Boolean If true, the time quota has been exceeded. Used in rule: Check if time quota has been exceeded<br />
Quota.Time.IsActivationRequest Boolean If true, a user has chosen to continue with a new time session after session time has been exceeded. Used in rule: Redirecting after starting new time session<br />
Quota.Time.JS.ActivateSession String String in JavaScript code calling the function that is executed when a user chooses to start a new session by clicking the appropriate button in the time session template. The code is provided when the template is created and displayed to the user.<br />
Quota.Time.RemainingDay Number Time remaining from the configured time quota for the current day (in seconds)<br />
Quota.Time.RemainingMonth Number Time remaining from the configured time quota for the current month<br />
Quota.Time.RemainingSession Number Remaining time for a time session (in seconds)<br />
Quota.Time.RemainingWeek Number Time remaining from the configured time quota for the current week (in seconds)<br />
Quota.Time.SessionExceeded Boolean If true, the time allowed for a time session has been exceeded. Used in rule: Check if time session has been exceeded<br />
Quota.Time.SessionLength Number Time length for a time session (in seconds)<br />
Quota.Time.SizePerDay Number Time allowed per day under the configured quota (in seconds)<br />
Quota.Time.SizePerMonth Number Time allowed per month under the configured quota (in seconds)<br />
Quota.Time.SizePerWeek Number Time allowed per week under the configured quota (in seconds)<br />
Quota.Volume.Exceeded Boolean If true, the volume quota has been exceeded. Used in rule: Check if volume quota has been exceeded<br />
Quota.Volume.IsActivationRequest Boolean If true, a user has chosen to continue with a new volume session after session time has been exceeded. Used in rule: Redirecting after starting new volume session<br />
Quota.Volume.JS.ActivateSession String String in JavaScript code calling the function that is executed when a user chooses to start a new session by clicking the appropriate button in the volume session template. The code is provided when the template is created and displayed to the user.<br />
Quota.Volume.RemainingDay Number Volume remaining from the configured volume quota for the current day (in bytes)<br />
Quota.Volume.RemainingMonth Number Volume remaining from the configured volume quota for the current month (in bytes)<br />
Quota.Volume.RemainingSession Number Remaining time for a volume session (in seconds)<br />
Quota.Volume.RemainingWeek Number Volume remaining from the configured volume quota for the current week (in bytes)<br />
Quota.Volume.SessionExceeded Boolean If true, the time allowed for a volume session has been exceeded. Used in rule: Check if volume session has been exceeded<br />
Quota.Volume.SessionLength Number Time length for a volume session (in seconds)<br />
Quota.Volume.SizePerDay Number Volume allowed per day under the configured quota (in seconds)<br />
Quota.Volume.SizePerMonth Number Volume allowed per month under the configured quota (in seconds)<br />
Quota.Volume.SizePerWeek Number Volume allowed per week under the configured quota (in seconds)<br />
Redirect.URL String String representing a URL that a user is redirected to by an authentication or quota rule<br />
Reporting.URL.Categories List of Category List of all URL categories used on the appliance<br />
Reporting.URL.Reputation List of Number List of all reputation score values used on the appliance<br />
Request.Header.FirstLine String First line of a header sent with a request<br />
Request.ProtocolAndVersion String Protocol and protocol version used when a request is sent<br />
Response.ProtocolandVersion String Protocol and protocol version used when a response is sent<br />
Response.Redirect.URL String URL that a user is redirected to when a response is sent<br />
Response.StatusCode String Status code of a response<br />
Rules.CurrentRuleID String ID of the rule that is currently processed<br />
Rules.CurrentRuleName String Name of the rule that is currently processed<br />
Rules.CurrentRuleSetName String Name of the rule set that is currently processed<br />
Rules.EvaluatedRules List of String List of all rules that have been processed<br />
Rules.EvaluatedRules.Names List of String List with names of all rules that have been processed<br />
Rules.FiredRules List of String List of all rules that have applied<br />
Rules.FiredRules.Names List of String List with names of all rules that have applied<br />
SecureReverseProxy.EmbeddedHost String Host name of a URL in an HTTP request that is embedded in an HTTPS request<br />
SecureReverseProxy.EmbeddedProtocol String Protocol of a URL in an HTTP request that is embedded in an HTTPS request<br />
SecureReverseProxy.EmbeddedURL String URL in an HTTP request that is embedded in an HTTPS request. This is the URL for the host specified by the value of the SecureReverseProxy.EmbeddedHost property<br />
SecureReverseProxy.GetDomain String Domain specified in the settings for the SecureReverseProxy module String: Host name of the URL<br />
SecureReverseProxy.IsValidReverseProxyRequest Boolean If true, the URL submitted in a request has the format required in a SecureReverseProxy configuration<br />
SecureReverseProxy.URLToEmbed String URL submitted in a HTTP request that is embedded in a HTTPS request<br />
SecureToken.CreateToken String Encrypted string. This string serves as a token for securing an IP address. An AES-128-bit algorithm is used to create the token. Depending on the value of a parameter in the settings of the SecureReverseProxy module, the string includes a time stamp. String: String to encrypt<br />
SecureToken.IsValid Boolean If true, the specified token is valid and has not expired. Depending on the value of a parameter in the settings of the SecureReverseProxy module, the token string includes no time stamp. Expiration of the token is then not checked. String: Token to be checked Number: Time (in seconds) to elapse to let the token expire<br />
SecureToken.GetString String String serving as a token for securing an IP address. If the token is invalid or has expired, the string is empty. String: Token to be checked Number: Time (in seconds) to elapse to let the token expire<br />
SNMP.Trap.Additional String Additional message sent to a trap under the SNMP protocol<br />
SSL.Certificate.CN.ToWildcard Wildcard Expression Common name in an SSL certificate converted into a wildcard expression String: Common name to convert<br />
SSL.ClientContext.IsApplied Boolean If true, parameters for setting the client context in SSL-secured communication have been configured<br />
SSL.Server.Certificate.AlternativeCNs List of Wildcard Expression List of alternative common names for a web server as used in SSL certificates<br />
SSL.Server.Certificate.CN String Common name of a web server provided in a certificate for SSL-secured communication<br />
SSL.Server.Certificate.CN.HasWildcards Boolean If true, the common name for a web server in an SSL certificate includes wildcards. Used in rule: Allow wildcard certificates<br />
SSL.Server.Certificate.DaysExpired Number Number of days that an SSL certificate for a web server has expired. Used in rule: Block expired server (7 day tolerance) and expired CA certificates<br />
SSL.Server.Certificate.HostAndCertificate HostAndCertificate Host name and certificate for a web server in SSL-secured communication. Used in rule: Skip verification for certificates found in Certificate Whitelist<br />
SSL.Server.Certificate.SelfSigned Boolean If true, an SSL certificate for a web server is self-signed. Used in rule: Block self-signed certificates<br />
SSL.Server.Certificate.SHA1Digest String String representing an SHA1Digest of a SSL certificate for a web server<br />
SSL.Server.CertificateChain.AllRevocationStatiKnown Boolean If true, it is known of all SSL certificates in a certificate chain for a web server whether they are revoked or not<br />
SSL.Server.CertificateChain.ContainsExpiredCA Boolean If true, an SSL certificate in a certificate chain for a web server has expired. Used in rule: Block expired server (7 day tolerance) and expired CA certificates<br />
SSL.Server.CertificateChain.ContainsRevoked Boolean If true, an SSL certificate in a certificate chain for a web server has been revoked. Used in rule: Block revoked certificates<br />
SSL.Server.CertificateChain.FirstKnownCAIsTrusted Boolean If true, the certificate authority for issuing SSL certificates that has been found first in a certificate chain for a web server is trusted. Used in rule: Block untrusted certificate authorities<br />
SSL.Server.CertificateChain.FoundKnownCA Boolean If true, a known certificate authority for issuing SSL certificates has been found in a certificate chain for a web server. Used in rule: Block unknown certificate authorities<br />
SSL.Server.CertificateChain.IsComplete Boolean If true, the chain of SSL certificates for a web server is complete<br />
SSL.Server.CertificateChain.Length Number Number of SSL certificates in a certificate chain for a web server<br />
SSL.Server.CertificateChain.PathLengthExceeded Boolean If true, the chain of SSL certificates for a web server exceeds the allowed length. Used in rule: Block too long certificate chains<br />
SSL.Server.Handshake.IsRequested Boolean If true, a handshake is requested for setting up a connection to a web server in SSL-secured communication<br />
Statistics.Counter.Get Number Number of occurrences of an activity or situation recorded on a counter String: Name of counter<br />
Statistics.Counter.GetCurrent Number Number of occurrences of an activity or situation recorded on a counter (fully completed) during the last minute String: Name of counter<br />
Stopwatch.GetMacroSeconds Number Time measured for rule set processing in milliseconds String: Name of rule set<br />
Stopwatch.GetMilliSeconds Number Time measured for rule set processing in macroseconds String: Name of rule set<br />
String.BackwardFind Number Position where a substring begins that is found in a string by a backward search. Returns -1 if the substring is not found 1. String: String containing substring 2. String: Substring 3. Number: Position where backward search for substring begins<br />
String.Base64Decode String Decoded format of a string specified in base-64 encoded format String: String in encoded format<br />
String.Base64Encode String Base-64 encoded format of a specified string String: String to encode<br />
String.Concat String Concatenation of two specified strings 1. String: First string to concatenate 2. String: Second string to concatenate<br />
String.CRLF String Carriage-return line-feed<br />
String.Find Number Position where a substring begins that is found in a string by a forward search. Returns -1 if the substring is not found 1. String: String containing substring 2. String: Substring 3. Number: Position where forward search for substring begins<br />
String.FindFirstOf Number Position of the first character of a substring found in a string. Returns -1 if the substring is not found 1. String: String containing substring 2. String: Substring 3. Number: Position where search for substring begins<br />
String.FindLastOf Number Position of the last character of a substring found in a string. Returns -1 if the substring is not found 1. String: String containing substring 2. String: Substring 3. Number: Position where search for substring begins<br />
String.GetWordCount Number Number of words in a string String: String to get number of words for<br />
String.IsEmpty Boolean If true, the specified string is empty String: String checked for being empty<br />
String.Length Number Number of characters in a string String: String to count characters for<br />
String.LF String Line-feed<br />
String.MatchWildcard List of String List of terms in a string that match a wildcard expression 1. String: String with matching terms 2. Wildcard Expression: Wildcard expression to match<br />
String.Replace String String having a substring replaced by a string as specified 1. String: String containing substring to replace 2. Number: Position where replacement begins 3. Number: Number of characters to replace 4. String: Replacing string<br />
String.ReplaceAll String String having each occurrence of a substring replaced by string as specified 1. String: String containing substring to replace 2. String: Replacing substring 3. String: Substring to replace<br />
String.ReplaceAllMatches String String having each occurrence of a substring that matches a wildcard expression replaced by a string as specified 1. String: String containing substring to replace 2. Wildcard Expression: Wildcard expression to match 3. String: Replacing string<br />
String.ReplaceFirst | String | String having first occurrence of a substring replaced by a string as specified | 1. String: String containing substring to replace; 2. String: Replacing string; 3. String: Substring to replace<br />
String.ReplaceFirstMatch | String | String having first occurrence of a substring that matches a wildcard expression replaced by a string as specified | 1. String: String containing substring to replace; 2. Wildcard Expression: Wildcard expression to match; 3. String: Replacing substring<br />
String.ReplaceIfEquals | String | String having every occurrence of a substring replaced by a string as specified | 1. String: String containing substring to replace; 2. String: Substring to replace; 3. String: Replacing string<br />
String.SubString | String | Substring contained in a string specified by start position and length | 1. String: String containing substring; 2. Number: Position where substring begins; 3. Number: Number of characters in substring. If no number is specified, the substring extends to the end of the original string<br />
String.SubStringBetween | String | Substring of string extending between two other substrings of this string. The search for this substring begins with looking for the first of other substrings. If this string is found, the search is continued with looking for the second substring. If the first substring is not found, the search has no result. If the second substring is not found, the wanted substring extends from the end of the first substring to the end of the main string. | 1. String: String containing substrings; 2. String: Substring ending immediately before the wanted substring; 3. String: Substring beginning immediately after the wanted substring<br />
String.ToCategory | Category | String converted into a category | String: String to convert<br />
String.ToDimension | Dimension | String converted into a dimension | String: String to convert<br />
String.ToHex | Hex | String converted into a hex value | String: String to convert<br />
String.ToIP | IP | String converted into an IP address | String: String to convert<br />
String.ToIPRange | IPRange | String converted into a range of IP addresses | String: String to convert<br />
String.ToMediaType | MediaType | String converted into a media type | String: String to convert<br />
String.ToNumber | Number | String converted into a number | String: String to convert<br />
String.ToStringList | List of String | String converted into a string list. The string list is a list of the elements in the string to convert. For example, the string to convert can be a text and the string list a list of the words in this text. The delimiter is a substring that separates elements in the string to convert. For example, in a normal text, the delimiter is the whitespace. The substring can be a single character, such as the whitespace, or multiple characters. To specify the whitespace, hit the space bar. A trim character is a character that appears at the beginning or end of an element in the string to convert, but not in the string list. A trim character can, for example, be a comma, a period, or an inverted comma (quotation mark). It can also be an “invisible” character, such as a tab stop or a line feed. To specify trim characters, type them in the input field that is provided on the user interface without separating them from each other. Use the following combinations to type invisible characters: \t – tab stop, \r – carriage return, \n – line feed, \b – backspace, \\ – backslash. If you specify a character as a delimiter, it is also deleted from the resulting string list, so you need not specify it as a trim character. Used in rule: Set User-Defined.listOfWords | 1. String: String to convert; 2. String: Delimiter; 3. String: Trim character or characters<br />
String.ToWildcard | Wildcard Expression | String converted into a wildcard expression | String: String to convert<br />
String.URLDecode | String | Standard format of a URL that was specified in encoded format | String: URL in encoded format<br />
String.URLEncode | String | Encoded format of a URL | String: URL to encode<br />
System.HostName | String | Host name of an appliance |<br />
System.UUID | String | UUID of an appliance |<br />
Timer.FirstReceivedFirstSentClient | Number | Processing time consumed between receiving the first byte from a client on the appliance and sending the first byte to this client within a transaction. Note: Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections. |<br />
Timer.FirstSentFirstReceivedServer | Number | Processing time consumed between sending the first byte from the appliance to a web server and receiving the first byte from this server within a transaction. Note: Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections. |<br />
Timer.HandleConnectToServer | Number | Processing time consumed for connecting to a web server within a transaction |<br />
Timer.LastReceivedLastSentClient | Number | Processing time consumed between receiving the last byte from a client on the appliance and sending the last byte to this client within a transaction. Note: Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections. |<br />
Timer.LastSentLastReceivedFromServer | Number | Processing time consumed between sending the last byte from the appliance to a web server and receiving the last byte from this server within a transaction. Note: Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections. |<br />
Timer.ResolveHostNameViaDNS | Number | Processing time consumed for looking up a host name on a DNS server within a transaction. Note: Only lookups on external servers are considered. Cache lookups are disregarded. |<br />
Timer.TimeConsumedByRuleEngine | Number | Time consumed by the rule engine to process a request throughout all relevant processing cycles. Note: Processing a request through all relevant processing cycles is considered to be one transaction. |<br />
Timer.TimeForTransaction | Number | Time consumed by the rule engine to process a request that has been received on the appliance through all relevant processing cycles. Note: Using this property is only supported when HTTP and HTTPS connections are involved, but not for FTP connections. |<br />
URL | String | URL of a web object. Used in rules: Allow URLs that match in URL WhiteList; Block URLs with bad reputation |<br />
URL.Categories | List of Category | List of URL categories that a URL belongs to. Used in rules: Block URLs whose category is in URL Category BlockList; Allow uncategorized URLs |<br />
URL.CategoriesForURL | List of Category | List of URL categories that a specified URL belongs to | String: URL in string format<br />
URL.DestinationIP | IP | IP address for a URL as found in a DNS lookup. Used in rule: Use internal proxy for internal host |<br />
URL.FileName | String | Name of a file that can be accessed through a URL |<br />
URL.Geolocation | String | ISO 3166 code for the country where the host that a URL belongs to is located. If a value is to be assigned to this property, the following option of the settings for the URL Filter module must be enabled: Only use online GTI web reputation and categorization services. |<br />
URL.GetParameter | String | Parameter of a URL in string format | String: Parameter name<br />
URL.HasParameter | Boolean | If true, a specified parameter belongs to the parameters of a URL | String: Parameter name<br />
URL.Host | String | Host that a URL belongs to. Used in rules: Allow URL hosts that match in list Antimalware URL Whitelist; Tunneled hosts |<br />
URL.HostIsIP | Boolean | If true, the URL that is submitted for access to a host is an IP address |<br />
URL.IsHighRisk | Boolean | If true, the reputation score of a URL falls in the high risk range. Used in rule: Block URLs with bad reputation |<br />
URL.IsMediumRisk | Boolean | If true, the reputation score of a URL falls in the medium risk range |<br />
URL.IsMinimalRisk | Boolean | If true, the reputation score of a URL falls in the minimal risk range |<br />
URL.IsUnverifiedRisk | Boolean | If true, the reputation score of a URL falls in the unverified risk range |<br />
URL.Parameters | List of String | List of URL parameters |<br />
URL.ParametersString | String | String containing the parameters of a URL. Note: If the URL has parameters, the string begins with the ? character. |<br />
URL.Path | String | Path name for a URL |<br />
URL.Port | Number | Number of a port for a URL. Used in rule: Restrict destination ports to Allowed CONNECT Ports |<br />
URL.Protocol | String | Protocol for a URL |<br />
URL.Raw | String | URL in the format originally received on the appliance from a client or other instances of the network. Using this property for rule configuration will speed up processing because it saves the time used for converting URL code to a human readable format, as it is done for the simple URL property. |<br />
URL.Reputation | Number | Reputation score for a URL |<br />
URL.ReputationForURL | Number | Reputation score for a specified URL | String: URL in string format<br />
URL.ReputationString | String | String representing reputation score for a URL |<br />
User-Defined.cacheMessage | String | Message text providing information on web cache usage. Used in event of rule: Create notification message (on web cache usage) |<br />
User-Defined.eventMessage | String | Message text providing information on an event |<br />
User-Defined.loadMessage | String | Message text providing information on CPU overload. Used in event of rule: Create notification message (on CPU overload) |<br />
User-Defined.logLine | String | Entry written into a log file |<br />
User-Defined.monitorLogMessage | String | Entry written into a log file |<br />
User-Defined.notificationMessage | String | Text of a notification message. Used in event of rule: Create notification message (on Log File Manager incident) |<br />
User-Defined.requestLoadMessage | String | Message text providing information on request overload. Used in event of rule: Create notification message (on request overload) |<br />
User-Defined.requestsPerSecond | Number | Number of requests processed on the appliance per second. Used in event of rule: Create notification message (on request overload) |<br />
Wildcard.ToString | String | Wildcard expression converted into a string | Wildcard Expression: Wildcard expression to convert<br />
Wildcard expressions<br />
When completing configuration jobs on the appliance, you can use wildcard expressions for several<br />
purposes, for example, to match URLs on blocking lists and whitelists.<br />
There are two types of wildcard expressions you can use:<br />
• Glob expressions — Using these is the default.<br />
For information on some of the special characters used to create glob expressions, see List of<br />
important special glob characters.<br />
More information on this type of expression is available, for example, on the following Linux<br />
man page:<br />
glob(7)<br />
• Regular expressions (Regex) — If you want to use these, you need to type the term regex first<br />
and then include the regular expression in round brackets, for example:<br />
regex(a*b)<br />
For information on some of the special characters used to create regular expressions, see List of<br />
important special regex characters.<br />
The regular expressions used on the appliance follow the Perl Regular Expression syntax.<br />
Information on this syntax is available, for example, on the following Linux man page:<br />
perlre(1)<br />
Test a wildcard expression<br />
When you add a wildcard expression to a list, you can test it before actually adding it. The Add Wildcard<br />
Expression window provides a Test button for this purpose.<br />
To test a wildcard expression:<br />
1 Go to Policy | Lists.<br />
Note: You can also go to Policy | Rule Sets and access a list of the Wildcard Expression type by clicking its<br />
name in a rule name or in rule criteria. Then proceed as described in steps 3 and 4.<br />
2 On the lists tree, go to Wildcard Expressions and select a list.<br />
3 Click Add on the settings pane. The Add Wildcard Expression window opens.<br />
4 Type a wildcard expression in the input field and click Test. The Wildcard Expression Test window<br />
opens and provides information on the expression.<br />
List of important special glob characters<br />
The following table provides a list of important special characters for creating glob type wildcard<br />
expressions.<br />
Table A-6 List of important special glob characters<br />
Character Description<br />
? (If not between square brackets:) Matches any single character<br />
For example, ?est matches:<br />
best<br />
rest<br />
test<br />
and others<br />
* (If not between square brackets:) Matches any string, including the empty string<br />
For example, b* matches:<br />
b<br />
best<br />
binary3<br />
and others<br />
[...] Matches any of the single characters included in the square brackets<br />
? and * are normal characters between square brackets.<br />
For example, [a5?] matches:<br />
a<br />
5<br />
?<br />
Note: The first character must not be an ! (exclamation mark).<br />
! Matches any single character except those following the exclamation mark<br />
For example, [!ab] matches:<br />
c<br />
S<br />
%<br />
and others, but not:<br />
a<br />
b<br />
- Is used to denote a range of characters<br />
For example, [a-f A-F 0-5] matches:<br />
d<br />
F<br />
3<br />
and others<br />
/ Is not matched by ? or * and cannot be included in [...] or be part of a range<br />
This means, for example, that http://linux.die.net/* does not match the following<br />
pathname:<br />
http://linux.die.net/man/7/glob<br />
The pathname is, however, matched by:<br />
http://linux.die.net/*/*/*<br />
\ If preceding ?, *, or [, these are normal characters<br />
For example, [mn\*\[] matches:<br />
m<br />
n<br />
*<br />
[<br />
. A file name beginning with a . (dot) must be matched explicitly.<br />
For example, the command:<br />
rm *<br />
will not remove the file .profile.<br />
However, the following command will:<br />
rm .*<br />
List of important special regex characters<br />
The following table provides a list of important special characters for creating regex type wildcard<br />
expressions.<br />
Note: The examples given here include the term regex and round brackets, as you need to use them when<br />
working with these expressions on the appliance.<br />
Table A-7 List of important special regex characters<br />
Character Description<br />
. Matches any single character<br />
For example, regex(.est) matches:<br />
best<br />
rest<br />
test<br />
and others<br />
* Matches the preceding character zero or more times<br />
For example, regex(a*b) matches:<br />
b<br />
ab<br />
aaaaaab<br />
and others<br />
+ Matches the preceding character one or more times<br />
For example, regex(c+d) matches:<br />
cd<br />
cccccd<br />
and others<br />
? Matches the preceding character zero or one times<br />
For example, regex(m?n) matches:<br />
n<br />
mn<br />
^ Matches the beginning of a line<br />
$ Matches the end of a line<br />
{...} Are used to match a character as many times as specified<br />
Options:<br />
– a{n}<br />
Matches a character n times<br />
For example, regex(a{3}) matches:<br />
aaa<br />
– a{n,}<br />
Matches a character n and more times<br />
For example, regex(p{4,}) matches:<br />
pppp<br />
pppppp<br />
and others<br />
– a{n,m} Matches a character between n and m times, including the limiting values<br />
For example, regex(q{1,3}) matches:<br />
q<br />
qq<br />
qqq<br />
| Matches alternative expressions<br />
For example, regex(abc|jkl) matches:<br />
abc<br />
jkl<br />
(...) Are used to group characters in an alternative expression<br />
For example, regex(de(r|st)) matches:<br />
der<br />
dest<br />
[...] Matches any of the single characters included in the square brackets<br />
For example, regex([bc3]) matches:<br />
b<br />
c<br />
3<br />
- Is used to denote a range of characters in a bracket expression<br />
For example, regex([c-f C-F 3-5]) matches:<br />
d<br />
F<br />
4<br />
and others<br />
^ Matches any single character in a bracket expression except those following the circumflex<br />
For example, regex([^a-d]) matches:<br />
e<br />
7<br />
&<br />
and others, but not:<br />
a<br />
b<br />
c<br />
d<br />
\ (If preceding a special character:) Turns it into a normal character<br />
For example, regex(mn\+) matches:<br />
mn+<br />
(If preceding some normal characters:) Matches a particular class of characters<br />
For information on these classes, refer to the perlre man page or other documentation. The<br />
following are examples of frequently used character classes.<br />
For example, regex(\d) matches all digits, such as:<br />
3<br />
4<br />
7<br />
and others<br />
regex(\w) matches all alphabetical characters, such as:<br />
a<br />
F<br />
s<br />
and others<br />
regex(\D) matches all characters that are not digits, such as:<br />
c<br />
T<br />
&<br />
and others<br />
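The glob and regex(...) rules from Tables A-6 and A-7, written out as an added Python sketch (not McAfee code) so that list entries can be checked against sample URLs before they go onto a whitelist or blocking list. Assumptions: an expression must match the whole string, Python's re module stands in for the Perl syntax, and all function names and the sample list are constructed here.

```python
import re

REGEX_PREFIX = "regex("   # Regex expressions are typed as regex(...); glob is the default.


def _bracket_to_regex(glob, start):
    """Translate the bracket expression opening at glob[start] == '['.

    Returns (regex_fragment, index_after_closing_bracket), or None when the
    bracket is empty or never closed, so that '[' is taken literally.
    """
    j = start + 1
    negate = j < len(glob) and glob[j] == "!"      # [!ab]: anything except a or b
    if negate:
        j += 1
    body = []
    while j < len(glob) and glob[j] != "]":
        ch = glob[j]
        if ch == "\\" and j + 1 < len(glob):
            j += 1
            body.append(re.escape(glob[j]))        # \* and \[ are normal characters
        elif ch == "-":
            body.append("-")                       # range operator, as in a-f
        elif ch in "\\^[":
            body.append("\\" + ch)
        else:
            body.append(ch)                        # ? and * are literal in brackets
        j += 1
    if j >= len(glob) or not body:
        return None
    # (?!/) enforces "/ cannot be included in [...] or be part of a range".
    return "(?!/)[" + ("^" if negate else "") + "".join(body) + "]", j + 1


def glob_to_regex(glob):
    """Convert a glob expression to an equivalent Python regular expression.

    The leading-dot rule of Table A-6 concerns shell file names and is not modelled.
    """
    out, i = [], 0
    while i < len(glob):
        ch = glob[i]
        if ch == "\\" and i + 1 < len(glob):
            out.append(re.escape(glob[i + 1]))
            i += 2
            continue
        if ch == "[":
            translated = _bracket_to_regex(glob, i)
            if translated:
                fragment, i = translated
                out.append(fragment)
                continue
        if ch == "?":
            out.append("[^/]")                     # any single character except /
        elif ch == "*":
            out.append("[^/]*")                    # any string, possibly empty, without /
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def compile_wildcard(expression):
    """Compile a list entry given in either glob or regex(...) form."""
    if expression.startswith(REGEX_PREFIX) and expression.endswith(")"):
        return re.compile(expression[len(REGEX_PREFIX):-1])
    return re.compile(glob_to_regex(expression))


def matches(expression, text):
    """True if the expression matches the whole text (assumed anchoring)."""
    return compile_wildcard(expression).fullmatch(text) is not None


def matching_entries(entries, url):
    """Return every list entry that matches url; an empty list means no match."""
    return [entry for entry in entries if matches(entry, url)]


# Constructed whitelist: one glob entry, one regex with unescaped dots, one with
# the dots escaped. linux.die.net is the host used in Table A-6.
WHITELIST = [
    "http://linux.die.net/*",
    "regex(http://linux.die.net/.*)",
    r"regex(http://linux\.die\.net/.*)",
]

if __name__ == "__main__":
    for url in ("http://linux.die.net/man",
                "http://linux.die.net/man/7/glob",
                "http://linuxXdie.net/man"):       # constructed look-alike host
        print(url, "->", matching_entries(WHITELIST, url))
```

The last sample URL is matched only by the regex entry with unescaped dots, because . matches any single character; the glob entry stops at the first / and so covers one path level only.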
Index<br />
A<br />
access restrictions 117<br />
action<br />
list of actions 319<br />
rule element 86<br />
samples 89<br />
settings 115<br />
Settings tab 115<br />
administrator<br />
accounts 165<br />
activities 14<br />
external accounts 167<br />
roles 166<br />
test account 166<br />
alerts 270<br />
anti-malware, see virus and malware filtering<br />
anti-virus, see virus and malware filtering<br />
appliance<br />
administration 14<br />
alerts 270<br />
authentication 119<br />
central management 260<br />
configurator 16<br />
coordinator 16<br />
core 16<br />
dashboard 270<br />
error handling 305<br />
filtering 81<br />
gateway 13<br />
help 30, 31<br />
license 29, 251<br />
logging 277<br />
logoff, see logout<br />
logon 27<br />
logout 30, 31<br />
main components 16<br />
main functions 14<br />
monitoring 269<br />
network 38<br />
operating system 17<br />
physical 21<br />
proxies 37<br />
setup 15, 21<br />
subsystems 16<br />
system architecture 16<br />
troubleshooting 315<br />
virtual 24<br />
web cache 75<br />
web filtering 169<br />
web security 13<br />
authentication<br />
advanced parameters 129<br />
Authenticate and Authorize rule set 124<br />
Authenticate with User Database rule set 125<br />
Authentication Server method 136, 137<br />
Authorize rule set 126<br />
common parameters 128<br />
cookies 143<br />
implement different method 126<br />
instant messaging 140<br />
join appliance to Windows domain 138<br />
Kerberos method 135<br />
LDAP method 131<br />
main rule set 124<br />
methods 124<br />
module 127<br />
module settings 142<br />
nested rule sets 124<br />
Novell eDirectory method 133<br />
NTLM method 129<br />
NTLM-Agent method 130<br />
process 119<br />
RADIUS method 134<br />
retrieve user information 122<br />
rules 124<br />
sample rule 121<br />
select method 128<br />
settings 127<br />
SSL client certificate 136<br />
test 128<br />
User Database method 128<br />
Windows domain 138<br />
Windows domain settings 139<br />
x.509 authentication 136<br />
Authentication Server, see authentication<br />
AV, see anti-virus<br />
Avira, see virus and malware filtering<br />
B<br />
bandwidth throttling 231<br />
C<br />
cache, see web cache<br />
central management<br />
add appliance 261<br />
advanced settings 262<br />
configure settings 261<br />
include node 263<br />
nodes 260<br />
scheduled jobs 264<br />
settings 262<br />
cluster, see central management<br />
configurator subsystem 16<br />
cookie authentication<br />
Authenticate Clients With Server rule set 144<br />
Authentication Server Request rule set 145<br />
configure module 146<br />
Cookie Authentication at Proxy rule set 144<br />
Cookie Authentication at Server rule set 145<br />
Cookie Authentication rule set 143<br />
main rule set 143<br />
module 146<br />
module settings 146<br />
nested rule sets 143<br />
rules 143<br />
Set Cookie for Authenticates Clients rule set 144<br />
coordinator subsystem 16<br />
core subsystem 16<br />
criteria<br />
complex 88<br />
operand 86<br />
operator 86<br />
parameter 86<br />
property 86<br />
rule element 86<br />
D<br />
dashboard<br />
access 270<br />
alerts 270<br />
charts and tables 273<br />
evolving data 273<br />
top scores 273<br />
data leakage prevention<br />
data flow 73<br />
Data Leakage Prevention rule set 73<br />
data trickling 228<br />
database updates 257<br />
date and time 249, 253<br />
DNS, see domain name server<br />
domain name server<br />
proxies 57<br />
system settings 250<br />
E<br />
engines, see modules<br />
ePolicy Orchestrator 301<br />
error handling<br />
list of error IDs 320<br />
rule sets 307<br />
use of error IDs in rules 305<br />
event<br />
list of events 322<br />
rule element 86<br />
types 90<br />
explicit proxy mode 39<br />
F<br />
File Editor 256<br />
file server 250<br />
filtering<br />
authentication 119<br />
concept 81<br />
cycles 82<br />
global whitelisting 214<br />
HTML filtering 207<br />
media type filtering 200<br />
modules 85<br />
process flow 83<br />
properties 81<br />
rules 81<br />
URL filtering 187<br />
user filtering 119<br />
virus and malware filtering 171<br />
web filtering 169<br />
FTP, see proxies<br />
G<br />
gateway, see appliance<br />
glob expressions, see wildcard expressions<br />
Global Threat Intelligence, see URL filtering<br />
global whitelisting<br />
add wildcard expression to whitelist 215<br />
Global Whitelist rule set 214<br />
lists 215<br />
rules 214<br />
wildcard expressions 215<br />
H<br />
Helix proxy 72<br />
help<br />
button 30<br />
content 31<br />
high availability 44<br />
HTML filtering<br />
ActiveX controls 208<br />
advertising filter 208<br />
configure opener module 213<br />
embedded objects 208<br />
embedded scripts 208<br />
Enable HTML Filtering rule set 208<br />
HTML Filtering nested rule set 208<br />
HTML Filtering rule set 207<br />
lists 212<br />
main rule set 207<br />
module settings 213<br />
nested rule sets 207<br />
opener module 213<br />
rules 207<br />
HTTP, see proxies
I<br />
ICAP server, see proxies<br />
ICQ, see instant messaging<br />
IM, see instant messaging<br />
incidents<br />
list of incident IDs 327<br />
logging rule set 306<br />
parameters 306<br />
properties 306<br />
use in rules 305<br />
inline lists 114<br />
instant messaging<br />
authentication 140<br />
authentication module 142<br />
configure modules 142<br />
engines, see modules<br />
ICQ settings 58<br />
IM Authentication rule set 140<br />
IM Authentication Server rule set 140<br />
IM Proxy rule set 141<br />
logging module 142<br />
main authentication rule set 140<br />
nested rule sets 140<br />
Windows Live Messenger settings 58<br />
Yahoo settings 57<br />
K<br />
Kerberos, see authentication<br />
L<br />
LDAP, see authentication<br />
library 91, 94<br />
licensing<br />
initial setup 29<br />
system settings 251<br />
lists<br />
access restrictions 117<br />
add entries 113<br />
add list 113<br />
inline lists 114<br />
Lists tab 111<br />
maintain 111<br />
logging<br />
log blocking key words 283<br />
log file settings 291<br />
log file types 277<br />
log handler 282<br />
rule sample 279<br />
rules 278<br />
self-configured log files 282<br />
view log files 278<br />
logoff, see logout<br />
logon 27<br />
logout 30, 31<br />
M<br />
malware, see virus and malware filtering<br />
McAfee Web Gateway, see appliance<br />
media type filtering<br />
add media type to filter list 206<br />
change property in rule 204<br />
create filter list 203<br />
Download Media Types rule set 203<br />
lists 205<br />
main rule set 202<br />
Media Type Filtering rule set 202<br />
MIME data 201<br />
modify rule 203<br />
nested rule sets 202<br />
properties 201<br />
rules 200<br />
sample rule 200<br />
Upload Media Type rule set 202<br />
modules<br />
filtering 85<br />
settings 115<br />
Settings tab 115<br />
system architecture 16<br />
monitoring<br />
dashboard 270<br />
ePO server 301<br />
logging 277<br />
performance measurement 297<br />
SNMP 303<br />
N<br />
navigation pane 30, 31<br />
network interfaces 251<br />
network protection 253<br />
next-hop proxies 233<br />
Novell eDirectory, see authentication<br />
NTLM, see authentication<br />
NTLM-Agent, see authentication<br />
O<br />
online help, see help<br />
operating system 17<br />
P<br />
performance measurement 297<br />
physical appliance 21<br />
policy creation 28<br />
port forwarding 253<br />
proactive scanning, see virus and malware filtering<br />
progress indication<br />
data trickling 228<br />
progress page 228<br />
progress page 228<br />
property<br />
concept 81<br />
list of properties 330<br />
rule element 85, 86<br />
samples 88<br />
types 88
values 88<br />
proxies<br />
advanced settings 59<br />
auto-configuration files 70<br />
common settings 53<br />
configure nodes in transparent bridge mode 47<br />
configure nodes in transparent router mode 51<br />
configure proxy on clients 44<br />
domain name server settings 57<br />
explicit proxy 39<br />
FTP proxy settings 55<br />
Helix proxy 72<br />
high availability 44<br />
HTTP proxy settings 54<br />
ICAP server settings 56<br />
ICQ settings 58<br />
initial settings 37<br />
instant messaging 53<br />
network modes 38<br />
reverse HTTPS proxy 60<br />
settings 37<br />
transparent bridge 45<br />
transparent proxy 40<br />
transparent router 49<br />
WCCP settings 40<br />
Windows Live Messenger settings 58<br />
Yahoo settings 57<br />
Q<br />
quota management<br />
authorized override 149<br />
Authorized Override rule set 155<br />
blocking sessions 149<br />
Blocking Sessions rule set 157<br />
coaching 148<br />
Coaching rule set 153<br />
combined functions 149<br />
configure time quotas 158<br />
configure volume quotas 159<br />
module settings 160<br />
rules 149<br />
session time 148<br />
system settings 164<br />
time quota 147<br />
Time Quota rule set 149<br />
volume quota 147<br />
Volume Quota rule set 151<br />
R<br />
RADIUS, see authentication<br />
regex, see regular expressions<br />
regular expressions, see wildcard expressions<br />
roles 166<br />
rule<br />
access restrictions 117<br />
action 86<br />
add rule 98<br />
complex criteria 88<br />
configure 96<br />
create sample rule 104<br />
criteria 86<br />
cycle 82<br />
edit rule 98<br />
elements 85<br />
event 86<br />
format on user interface 87<br />
module 85<br />
operand 86<br />
operator 86<br />
parameter 86<br />
process flow 83<br />
property 81, 86<br />
rule set 91<br />
Rule Sets tab 96<br />
samples 105<br />
structure 85<br />
rule set<br />
access restrictions 117<br />
add new rule set 109<br />
criteria 91<br />
cycles 91<br />
default system 92, 93<br />
error handling 92<br />
implement 92<br />
import 108<br />
library 91, 94<br />
logging 92<br />
nested 92<br />
own 92<br />
Rule Sets tab 96<br />
rules 91<br />
system 92<br />
wizard-created 92, 93<br />
S<br />
Save Changes<br />
button 30<br />
functions 32<br />
options 31<br />
scheduled jobs<br />
add job 264<br />
settings 264<br />
search<br />
button 30<br />
functions 31<br />
settings pane 30, 31<br />
setup<br />
import license 29<br />
logon 27<br />
physical appliance 21<br />
policy creation 28<br />
virtual appliance 24
SNMP monitoring 303<br />
SSL scanning<br />
Certificate Chain module 223, 227<br />
Certificate Verification rule set 218<br />
CERTVERIFY call 220<br />
client certificate authentication 136<br />
common name (proxy setup) 219<br />
common name (transparent setup) 221<br />
configure module 223<br />
CONNECT call 217<br />
Content Inspection rule set 220<br />
engines, see modules<br />
Handle CONNECT call rule set 217<br />
lists 221<br />
main rule set 216<br />
modules 223<br />
nested rule sets 216<br />
rule sets 218<br />
rules 216<br />
SSL Client Context module 223, 225<br />
SSL Scanner module 223<br />
SSL Scanner rule set 216<br />
Verify Common Name (proxy setup) rule set 219<br />
Verify Common Name (transparent setup) rule set 221<br />
static routes 254<br />
sysconf daemon 17<br />
system architecture<br />
authentication module 16<br />
configurator 16<br />
coordinator 16<br />
core 16<br />
engines, see modules<br />
filter modules 16<br />
flow manager 16<br />
opener modules 16<br />
operating system 17<br />
proxy module 16<br />
rule processing module 16<br />
sysconf daemon 17<br />
system files 256<br />
system information line 30, 31<br />
system management tools 33<br />
system settings<br />
configure settings 248<br />
date and time 249, 253<br />
file server 250<br />
license 251<br />
list of settings 248<br />
network interfaces 251<br />
network protection 253<br />
port forwarding 253<br />
static routes 254<br />
types 246<br />
T<br />
tabs<br />
Administrator Accounts 165<br />
Alerts 270<br />
Appliances 247<br />
Charts and Tables 273<br />
File Editor 256<br />
Lists 111<br />
Rule Sets 96<br />
Settings 115<br />
Template Editor 238<br />
top-level menus<br />
Accounts 31<br />
Configuration 31<br />
Dashboard 31<br />
Policy 31<br />
positions 30<br />
Troubleshooting 31<br />
transparent modes<br />
bridge 45<br />
router 49<br />
troubleshooting<br />
back up and restore 318<br />
connection tracing 317<br />
core file 316<br />
feedback file 316<br />
files 315<br />
methods 315<br />
network tools 318<br />
packet tracing 317<br />
TCP dump 317<br />
tools 315<br />
U<br />
URL filtering<br />
add URL category to blocking list 193<br />
configure module 195<br />
extended lists 193<br />
filtering process 187<br />
Global Threat Intelligence system 195<br />
lists 191<br />
modify rule to block uncategorized URLs 191<br />
module 195<br />
module settings 195<br />
proxy settings 197<br />
rules 188<br />
uncategorized URLs 190<br />
URL Filtering rule set 189<br />
User Database, see authentication<br />
user interface<br />
configuration support 32<br />
Help 30, 31<br />
logon 27<br />
Logout 30, 31<br />
main elements 30, 31<br />
navigation pane 30, 31<br />
Save Changes 30, 31, 32<br />
Search 30, 31
settings pane 30, 31<br />
system information line 30, 31<br />
system settings 254<br />
tabs 30, 31<br />
top-level menus 30, 31<br />
user messages<br />
adapt 238<br />
settings 242<br />
Template Editor 238<br />
templates 237<br />
user-defined properties<br />
location on Rule Sets tab 96<br />
use in rule events 308, 309, 310, 311, 312<br />
V<br />
virtual appliance 24<br />
virus and malware filtering<br />
add media type to whitelist 179<br />
add wildcard expression to URL whitelist 178<br />
add wildcard expression to user agent whitelist 179<br />
Anti-Malware module 181<br />
Avira 181<br />
change whitelist used by rule 180<br />
configure module 181<br />
engine, see Anti-Malware module<br />
filtering process 171, 173<br />
<strong>Gateway</strong> Antimalware rule set 175<br />
lists 177<br />
<strong>McAfee</strong> Anti-Malware module 181<br />
<strong>McAfee</strong> <strong>Gateway</strong> Anti-Malware module 181<br />
media types 179<br />
mobile code 183<br />
module 181<br />
module settings 183<br />
proactive scanning 181<br />
rules 172<br />
sample rules 174<br />
scanning mode 181<br />
scanning module 181<br />
select different scanning mode 182<br />
submodules 181<br />
URLs 178<br />
user agents 179<br />
view implemented rules 172<br />
virus signatures 181<br />
wildcard expressions 178, 179<br />
virus, see virus and malware filtering<br />
W<br />
WCCP, see proxies<br />
web cache<br />
add media type to filter list 78<br />
add wildcard expression for URLs to filter list 78<br />
enabling 78<br />
lists 77<br />
media types 78<br />
nested rule sets 75<br />
Read from Cache rule set 75<br />
rules 75<br />
URLs 78<br />
wildcard expressions 78<br />
Write to Cache rule set 76<br />
<strong>Web</strong> <strong>Gateway</strong>, see appliance<br />
web security<br />
filtering 81<br />
policy 28<br />
rules 81<br />
wildcard expressions<br />
glob expressions 367<br />
list of special glob characters 368<br />
list of special Regex characters 369<br />
regular expressions 367<br />
test 367<br />
Windows domain 138<br />
Windows Live Messenger, see instant messaging<br />
wizards<br />
initial configuration 25, 26<br />
policy creation 28<br />
Y<br />
Yahoo, see instant messaging
700-3299A00