version 7.0
COPYRIGHT
Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents

Preface
    About this guide
    Audience
    Conventions
    Find additional information
    Acronyms

About filtering
    Modules for delivering filtering information
About rule elements
    Main elements of a rule
    Rules on the user interface
    Complex criteria
    Properties
    Actions
    Events
About rule sets
    Rules in rule sets
    Rule set cycles
    Rule set criteria
    Nested rule sets
    Implementing a rule set system
    Sample wizard rule set system
    Default rule set system
    Library rule sets
Rule configuration
    Rule Sets tab
    Adding a rule
    Create a sample rule
    Sample rules
Rule set configuration
    Import a rule set
    Add a new rule set
List maintenance
    Lists tab
    List types
    Add a list
    Add list entries
    Inline lists
Action and engine settings
    Settings tab
    Types of settings
    Add settings
Access restrictions

Administrator accounts
    Internal management of administrator accounts
    Administrator roles
    Configure external account management

Web Filtering
    Filtering web objects
        Administering the filtering process
        Functions for filtering web objects
    Virus and malware filtering
        Whitelists for virus and malware filtering
        Scanning module for virus and malware filtering
        Rules and rule sets for virus and malware filtering
    URL filtering
        Lists for URL filtering
        Extended Lists for blocking URLs per category
        Module for retrieving URL category information
        Rules and rule set for URL filtering
    Media type filtering
        Lists for media type filtering
        Rules for media type filtering
    HTML filtering
        Rule set for HTML filtering
        Module for opening embedded objects
        Sample lists for HTML filtering
    Global whitelisting
        Global whitelists
        Rule set for global whitelisting
    SSL scanning
        Settings for the SSL scanning modules
        SSL scanning lists
        Rule set for SSL scanning
    Supporting functions
        Billing
        Progress Indication
        Next-hop proxies
    User messages
        Message templates
        Adapt a user message template
        Template Editor
        Settings for message templates

System Configuration
    Configuring the appliance system
        Initial setup system settings
        System configuration after the initial setup
    System settings
        Appliances tab
        Configure the system settings
        Date and Time system settings
        DNS system settings
        License system settings
        Network system settings
        Port Forwarding system settings
        Static Routes system settings
        User Interface system settings
    System files
        File Editor tab
    Database updates
        Update database information manually
        Schedule automatic engine updates
        Automatic Engine Updates system settings
    Central Management
        Configure Central Management settings
        Add an appliance to the appliance configuration
        Central Management system settings

Monitoring
    Monitoring the appliance
        Monitoring functions
        Troubleshooting functions
    Dashboard
        Access the dashboard
        Dashboard display options
        Overview of the dashboard information
    Logging
        Log file types
        Sample logging rule
        Viewing log files
        Create a sample logging rule
        Create a log handler
        Use self-configured log files
        Configuring log file settings
        Log file settings
        Log handler rule sets
    Forwarding data to an ePO server
        Configure data forwarding
        ePolicy Orchestrator system settings
        Bypass ePO requests library rule set
    Event monitoring with SNMP
        Configure SNMP monitoring
        SNMP system settings
    Error handling
        Create an error handler
        Error handler rule sets

Troubleshooting
    Troubleshooting appliance problems
        Files for recording appliance behavior
        Network tools
        Backup and restore files
    Create a feedback file
    Enable the creation of core files
    Enable the creation of connection tracing files
    Generate a TCPdump
    Use network tools
    Back up and restore the appliance configuration

Index
Preface
Audience
This guide is intended for network and security administrators. It assumes familiarity with system administration, operating systems, networks, the Internet, and related terminology.
Conventions
When this guide mentions the appliance, this refers to the McAfee Web Gateway appliance. Other conventions used in the text are as follows:
Table 1 Conventions

Convention            Description
Courier plain         Identifies commands and key words you type at a system prompt
                      Indicates a placeholder for text you type
                      Used to show text that appears on a computer screen
Plain text italics    Identifies the names of files and directories
                      Also used for emphasis (for example, when introducing a new term)
Plain text bold       Identifies buttons, field names, and tabs that require user interaction
[ ]                   Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration)
Note:                 Used for a helpful suggestion or a reference to material not covered elsewhere in the guide
Note: The screen captures and graphics used in this guide are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features may be enabled in screen captures to make them clear, however, not all features are appropriate or desirable for your setup.
Acronyms

Acronyms used in this guide:

Table 3 Acronyms

Acronym    Description
AIM        AOL Instant Messenger
CIDR       Classless Inter-Domain Routing
CLI        Command Line Interface
DHCP       Dynamic Host Configuration Protocol
DNS        Domain Name System
EDH        Ephemeral Diffie-Hellman
ePO        ePolicy Orchestrator
FTP        File Transfer Protocol
HA         High Availability
HTML       Hypertext Markup Language
HTTP       Hypertext Transfer Protocol
HTTPS      Hypertext Transfer Protocol Secure
ICAP       Internet Content Adaptation Protocol
ICQ        I seek you
ID         Identity, Identification, Identifier
IM         Instant Messaging/Messenger
IP         Internet Protocol
LAN        Local Area Network
LDAP       Lightweight Directory Access Protocol
LRU        Least Recently Used
MIB        Management Information Base
MLOS       McAfee Linux Operating System
MTU        Maximum Transmission Unit
NTLM       New Technology LAN Manager
NTP        Network Time Protocol
Regex      Regular Expression
RTSP       Real-Time Streaming Protocol
SNMP       Simple Network Management Protocol
SSH        Secure Shell
SSL        Secure Sockets Layer
URL        Uniform Resource Locator
VRRP       Virtual Router Redundancy Protocol
WCCP       Web Cache Communication Protocol
About the McAfee Web Gateway Appliance

Contents
    Comprehensive web security for your network
    Deployment of the McAfee Web Gateway appliance
    Main components of the McAfee Web Gateway appliance
    Filtering rules on the McAfee Web Gateway appliance
    Chapters of this guide
The appliance is installed as a gateway that connects your network to the web. Following the implemented web security rules, it filters the requests that users send to the web from within your network. Responses sent back from the web and embedded objects sent with requests or responses are also filtered. Malicious and inappropriate content is blocked, while useful matter is allowed to pass through.
Deployment of the McAfee Web Gateway appliance
Platform

You can run the appliance on different platforms.
    Hardware-based appliance    On a physical hardware platform.
    Virtual appliance           On a virtual machine.

Network integration

In your network, the appliance can intercept, filter, and transmit web traffic in different modes.
    Explicit proxy mode    The clients that the appliance communicates with are aware of it. You must configure them explicitly to direct their traffic to the appliance.
    Transparent modes      The clients are not aware of the appliance.
        Transparent bridge    The appliance acts as an invisible bridge between its clients and the web. You need not configure the clients for this.
        Transparent router    The appliance routes traffic according to a routing table, which you need to fill out.
Main components of the McAfee Web Gateway appliance
Appliance subsystems

The subsystems of the appliance and their modules do the following:
    Core subsystem           Provides a proxy module for intercepting web traffic and a rule module for processing the filtering rules that make up your web security policy. It also provides the modules (also known as engines) that do special jobs for the filtering rules and can be configured by you, for example, the Antimalware engine, the TrustedSource engine, or the authentication engine. A flow manager module ensures efficient cooperation between the modules.
    Coordinator subsystem    Stores all configuration data processed on the appliance. Provides update and Central Management functions.
    Configurator subsystem   Provides the user interface (the internal subsystem name is Konfigurator).
Operating system
The subsystems of the appliance rely on the functions of its operating system, which is MLOS (McAfee Linux Operating System) version 1.0. The operating system provides functions for executing the actions that the filtering rules trigger, file and network reading and writing, and access control.
    Monitoring         Explains how to monitor web usage, filtering activities, and key system parameters, using the dashboard and several log files, as well as external systems, such as the ePolicy Orchestrator.
    Troubleshooting    Explains the functions the appliance provides for troubleshooting, such as the use of core files or TCP dumps. The chapter also explains how you create a backup of the appliance configuration.
Contents
    Setting up the McAfee Web Gateway appliance
    Performing the initial configuration
    Logging on to the user interface
    Working with the user interface
    VMware ESX
    VMware ESXi
    VMware Workstation version 5.5 or later

Virtual machine host system with the following requirements:
    CPU: 64-bit capable
    Virtualization extension: VT-x/AMD-V

Virtual machine with the following requirements:
    Memory: 2 GB
    Hard-disk space: 200 GB
    CPU cores: 2 (minimum)
The procedures for setting up a virtual machine differ for each VMware type. When setting up McAfee Web Gateway as a virtual appliance, make sure you configure the settings in the table below.
Note: For parameters that are not listed, use the default values given in the procedures. Parameter names can also differ in each procedure.
Table 2-1 Virtual machine settings

Parameter                               Value
Configuration type                      Typical | Advanced (recommended for virtual appliance setup)
Installation mode                       Install from disk | ISO image (required for virtual appliance setup) | Install later
Operating system                        Linux (64 bit) version 2.6
Memory                                  2 GB (recommended)
Hard-disk space                         200 GB (recommended)
Number of processors                    1 | 2 (required)
Network connection mode                 Bridged (recommended) | NAT | ...
CD/DVD drive with assigned ISO image    <drive name>/<name of the ISO image>

3 Turn on the virtual machine.
4 When prompted, select CD/DVD as the boot device. Installation of the appliance system begins.
When the installation has ended, continue with Performing the initial configuration.
1 [Physical appliance] Turn on the appliance. The appliance system starts and several messages are displayed.
  [Virtual appliance] When an installation complete message appears at the end of the installation, press <RETURN>. The appliance system restarts and several messages are displayed.
2 When the following message appears, make the appropriate selection:
    If you want to use the wizard, enter y. Continue with steps 3 and 4.
    If you want to use the default settings, let the timeout elapse or press ESC. The initial configuration is completed and the dynamically configured IP address is displayed. Continue with Logging on to the user interface.
3 Use the wizard windows to configure the following:
    Primary network interface
    IP address, entered manually or configured dynamically by DHCP
    Host name
    DNS server
4 Review the summary that is displayed after configuring the host name.
    If you approve of the summary, confirm and configure the remaining settings:
        Root password
        Remote logon with SSH
    The initial configuration is completed with your settings and the IP address is displayed. Continue with Logging on to the user interface.
    If you need to make changes, click Cancel and return to step 3.
http://<IP address>:4711 or https://<IP address>:4712, using the address configured during the initial configuration.
Note: Under HTTPS, accept the self-signed certificate that appears. Because the certificate is self-signed, the browser cannot verify it for you; compare its fingerprint with the certificate on the appliance before accepting it, so that you do not accept a certificate presented by another host on the path.
Importing a license

The first time you log on to the user interface after the initial configuration of the appliance, you also need to import a license. This is done after implementing a web security policy. Complete the following procedure to import a license:

1 On the user interface, go to Configuration | Appliances and select License. Settings for importing
  the checkbox in the same line. The License File input field and the Browse button become available.
3 Click Browse and browse to the location where your license file is stored. Select the file and click Activate. The license is imported and license information appears below the input field.

An automatic update of virus signatures and other important information for the appliance modules is started after the initial configuration. It can take several minutes.
Note: During the update, attempts to access the web from the user interface lead to an error message stating that a module, for example, the Antimalware engine, cannot be loaded (because updated information is needed for this).
After the update has been completed, the user interface is available for administering the appliance. For more information, see Working with the user interface.
Configuration For configuring the system settings of the appliance For more information, see System Configuration.
Accounts For managing administrator accounts. For more information, see Administrator accounts.
Troubleshooting For solving problems on the appliance. For more information, see Troubleshooting.
Tab bar             Provides the tabs of the currently selected top-level menu.
Toolbar (on tab)    Provides varying tools (depending on the selected tab).
Navigation pane     Provides tree structures of configuration items, such as rules, lists, and settings.
Settings pane       Provides the settings of the item currently selected on the navigation pane for editing.
Logout              Lets you log out of the user interface.
                    Opens the online help. The chapters and sections of this Product Guide are provided there. You can browse through its pages or navigate on a tree structure and perform a full text search or search for index terms.
Search
Opens the Search window with the following options: Search for objects Lets you search for rule sets, rules, lists, and settings. Typing a search term in the input field displays all objects with names matching the search term. Search for objects referring to Lets you select a list, property, or settings and displays all rules that use the selected item.
Save Changes
Lets you save your changes. For more information, see Configuration support functions.
27
Appears if you attempt to log out without having saved your changes. You have two options then: Yes Log out without saving No Acknowledge and save
28
Contents
Intercepting web traffic
Network modes
Common proxy settings
Helix proxy configuration
Web cache
Proxy settings
You can review and modify the settings for the proxy functions on the Appliances tab of the Configuration top-level menu under Proxies (HTTP(S), FTP, ICAP, and IM). After the initial setup, these settings have preconfigured values. The most important of them are:
Network mode: Explicit proxy
Network protocol: HTTP
If you keep the explicit proxy mode, you need to configure the clients of the appliance so that they direct their requests for web access to it. This also applies to a proxy-chain configuration in which the appliance is not immediately connected to a client. If you modify the preconfigured settings, you might not need to configure clients in this way, but other network components that are then involved. For more information, see Network modes and Common proxy settings.
Network modes
The appliance can operate in different network modes to intercept and filter web traffic. This section explains these modes and tells you how to configure them.
Explicit proxy mode: In this mode, the clients of the appliance are generally aware of its existence. You can use one of the following options to implement this mode:
Proxy: This is the explicit proxy mode proper. It is preconfigured on the appliance.
Proxy with WCCP: Clients can be directed to the appliance immediately and are then aware of its existence. However, they can also be directed to the appliance by WCCP services without being aware of it.
Proxy HA: The appliance operates as an explicit proxy that is configured as part of a high-availability configuration.
Transparent bridge mode: Clients are unaware of the appliance, which serves as an (invisible) bridge between a firewall and the rest of your network.
Transparent router mode: Clients are unaware of the appliance, which serves as a router in your network, directing web traffic according to a routing table.
Proxy and WCCP: For an explicit proxy mode with client requests being directed to the appliance immediately or by WCCP services
Note: After selecting this option, specific WCCP settings appear below the Network Setup settings.
For more information, see WCCP system settings, Proxy HA system settings, and Common proxy settings.
WCCP services: List of services redirecting web traffic to the appliance under the WCCP protocol. For the redirection to work, the IP addresses of the clients whose requests are redirected must be visible on the appliance; they must not be converted by NAT (Network Address Translation). Entries in the services list are described in the table below. For general information on maintaining a list of this type, see Inline lists.
Table 3-1 WCCP Services List
Service ID: ID of a service that redirects web traffic to the appliance under the WCCP protocol
WCCP router definition: Multicast IP address and DNS name of the router (or switch with routing functions) that redirects web traffic to the appliance using the WCCP service
Note: You can configure multiple routers here, separating entries by commas.
Ports to be redirected: Ports on web servers that data packets must have in their destination addresses to be redirected
(Load distribution method): Main item that does not appear in the list, but is visible in the Add and Edit windows. The two elements below are related to it, specifying the method used for load distribution.
Assignment by mask: When selected, masking of the parameter specified above is used for load distribution.
Assignment by hash: When selected, a hash algorithm is used for load distribution.
Assignment weight: Value determining how much load is assigned to a proxy. This way you can assign more load to a proxy on an appliance that has more CPU capacity than others. 0 means that no load is distributed to a proxy.
(Redirection by encapsulation): When selected, data packets are encapsulated by the router before being redirected.
(Redirection on layer 2): When selected, data packets are redirected to the appliance by replacing the MAC address of the next device (on the route to the web server) with that of the appliance. This is done on layer two (L2) of the standard communication model.
(Network interface): Network interface on an appliance that data packets are redirected to
Comment: Plain-text comment on the WCCP service
Table 3-2 Virtual IP List
Virtual IP address: Virtual IP address
Network interface: Network interface on the appliance that data packets with the virtual IP address are routed through
Comment: Plain-text comment on the virtual IP address
Virtual router IP: IP address of the virtual router
VRRP interface: Network interface on the appliance for sending and receiving heartbeat messages
configured during the initial setup of the appliance. If you use the Microsoft Internet Explorer on your clients and a Windows Active Directory to administer them, you can configure the appliance as a proxy on all your clients in a single procedure.
Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings.
4 Configure specific and common settings for this mode as needed. 5 Click Save Changes.
For more information, see Transparent Bridge system settings and Common proxy settings. For a sample configuration, see Sample configuration Director and scanning nodes in transparent bridge mode.
Director priority: Priority (ranging from 0 to 99) an appliance takes in directing data packets. The highest value prevails. 0 means an appliance never directs data packets, but only filters them. The value for this priority is set on a slider scale.
Management IP: Source IP address of the appliance that directs data packets when sending heartbeat messages to other appliances
IP spoofing: When selected, the appliance keeps the destination IP address contained in a client request and uses it in communication with the requested web server. The appliance does not verify this address.
11 On the Advanced tab, select Bridge enabled.
12 In the Name field, type ibr0 as the name of the interface.
13 On the IPv4 tab, under IP Settings, select Disable IPv4.
14 Enable the network interface you assigned to ibr0 in step 3.
15 Select Central Management.
16 In the Central Management Settings section, add the IP address you configured for ibr0 to the
Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings.
19 Set Director priority to a value > 0.
20 Configure proxy ports and port redirects for HTTP and FTP as needed.
21 Configure also IP spoofing as needed.
22 In the Management IP field, type the IP address you configured for ibr0.
23 Click Save Changes.
If you are going to configure another appliance as a director node, be sure to configure the same proxy ports and port redirects as for the initial director node and to add the port redirects in the same order as for that node.
Set up a scanning node
To configure an appliance as a scanning node in transparent bridge mode, you need to enable this mode and configure an IP address that allows the node to access the network interface of the director node. The scanning role is configured by giving the node 0 as its priority value. Complete the following procedure to set up a scanning node:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to set up as a scanning node and select Proxies
Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings.
4 Set Director priority to 0.
5 Configure the same HTTP and FTP proxy ports and port redirects as for the director node.
6 Configure also IP spoofing in the same way as for the director node.
7 Click Save Changes.
Note: After selecting this option, specific Transparent Router settings appear below the Network Setup settings.
4 Configure specific and common settings for this mode as needed. 5 Click Save Changes.
For more information, see Transparent Router system settings and Common proxy settings. For a sample configuration, see Sample configuration Director and scanning nodes in transparent router mode.
Director priority: Priority (ranging from 0 to 99) an appliance takes in directing data packets. The highest value prevails. 0 means an appliance never directs data packets, but only filters them. The value is set on a slider scale.
Management IP: Source IP address of the appliance that directs data packets in a given high-availability configuration when sending heartbeat messages to other appliances
Virtual IPs: List of virtual IP addresses. The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.
Table 3-5 Virtual IP list
Virtual IP address: Virtual IP address
Network interface: Network interface on the appliance used for heartbeats under VRRP (Virtual Router Redundancy Protocol)
Comment: Plain-text comment on the virtual IP address
Virtual router IP: IP address of the virtual router
VRRP interface: Network interface on the appliance for sending and receiving heartbeat messages
IP spoofing: When selected, the appliance keeps the destination IP address contained in a client request and uses it in communication with the requested web server. The appliance does not verify whether this address matches the host name of the request. When not selected, the host name is looked up using the module that retrieves URL information and then verified by querying a domain name server.
Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup settings.
8 Set Director priority to a value > 0.
9 Configure proxy ports and port redirects for HTTP and FTP as needed.
10 Configure virtual IP addresses for the inbound and outbound network interfaces, using free IP
you configured for the inbound network interfaces.
If you are going to configure another appliance as a director node, be sure to configure the same virtual IP addresses as for the initial director node. The proxy ports and port redirects and the order of the port redirects must also be the same as for that node.
Set up a scanning node
To configure an appliance as a scanning node in transparent router mode, you need to enable this mode and configure at least one network interface for outbound web traffic. The scanning role is configured by giving the node 0 as its priority value. Complete the following procedure to set up a scanning node:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to set up as a scanning node and select Network.
3 Configure network interfaces as is suitable for your network. You need at least one interface for
Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup settings.
8 Set Director priority to 0.
9 Configure the same HTTP and FTP proxy ports and port redirects as for the director node.
10 Configure also IP spoofing in the same way as for the director node.
11 Click Save Changes.
Network Setup: Settings for selecting a network mode
HTTP Proxy, FTP Proxy (and other settings): Settings for the network protocols
Web Cache: Setting for enabling or disabling the cache
Timeouts for HTTP(S), FTP, ICAP: Settings for timeouts applying to some protocols
Advanced Settings: Settings for advanced proxy functions
4 Click Save Changes.
For more information on these settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system settings.
Network Setup
Settings for selecting a network mode
Proxy: When selected, the explicit proxy mode proper is used.
Proxy and WCCP: When selected, the explicit proxy mode is used and WCCP services can redirect web traffic to the appliance.
Proxy HA: When selected, the explicit proxy mode with high-availability features is used.
Transparent router: When selected, the transparent router mode is used.
Transparent bridge: When selected, the transparent bridge mode is used.
In addition to the common proxy settings, specific settings exist for all these modes, except for the explicit proxy mode proper. For more information, see WCCP system settings, Proxy HA system settings, Transparent Bridge system settings and Transparent Router system settings.
HTTP Proxy
Settings for the appliance when running as a proxy under HTTP. This protocol is used for transferring web pages and other data. HTTP itself provides no encryption; HTTPS, which tunnels HTTP over an SSL-encrypted connection, is handled by the same proxy (see the Ports treated as SSL option below).
Enable HTTP proxy: When selected, the appliance runs as a proxy under the HTTP protocol.
HTTP port definition list: List of ports on the appliance that listen to client requests. The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.
Table 3-6 HTTP Port Definition List
Listener address: Local IP address of the appliance running as an HTTP proxy and port for listening to client requests
Serve transparent requests: When selected, the HTTP proxy also processes client requests sent in transparent mode.
Ports treated as SSL: Ports on destination servers that indicate to the HTTP proxy that requests to these ports are SSL-secured
Note: It can be necessary to specify these ports when the appliance processes requests in transparent mode, because there is then no CONNECT request to indicate that a request is SSL-secured.
Transparent common name handling for proxy requests: When selected, the HTTP proxy does not use the destination IP address of a request to create a common name for the certificate it issues. Instead, it copies the common name of the certificate that the destination server delivered. This might cause a problem if there is a common name mismatch in this certificate.
McAfee Web Gateway uses passive FTP over HTTP connections: When selected, the HTTP proxy uses connections in passive mode for transmitting requests to an FTP server.
Note: The passive mode might be required for the data connection (used under FTP in addition to the control connection). In some cases, an FTP server is not allowed to use the data connection in active mode, for example, when a firewall rule enforces this in a company network.
Comment: Plain-text comment on the HTTP proxy port
FTP Proxy
Settings for the appliance as a proxy under FTP. This protocol is used for transferring files, using separate connections for control functions and data transfer.
Enable FTP proxy: When selected, the appliance runs as a proxy under the FTP protocol.
FTP port definition list: List of ports on the appliance that listen to client requests. The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.
Table 3-7 FTP Port Definition List
Listener address: Local IP address of the appliance running as an FTP proxy and port for listening to client requests
Data port: Port number sent with the source IP address of the FTP proxy when it opens a data connection to a client
Port range for client listener: Range of numbers for the ports on the FTP proxy that listen to client requests
Port range for server listener: Range of numbers for the ports on the FTP proxy that listen to responses from web servers
Allow clients to use passive FTP connections: When selected, clients can send requests to the FTP proxy in passive mode, which is an option of the FTP protocol.
Note: The passive mode can be required for the data connection (used under FTP in addition to the control connection). In some cases, FTP clients are not allowed to use the data connection in active mode, for example, when a firewall rule has been implemented in a company network to enforce this.
(Passive connections to FTP servers): When selected, the FTP proxy uses connections in passive mode for transmitting requests to an FTP server.
Note: The passive mode can be required for the data connection (used under FTP in addition to the control connection). In some cases, the FTP server is not allowed to use the data connection in active mode, for example, when a firewall rule has been implemented in a company network to enforce this.
Comment: Plain-text comment on the FTP proxy port
ICAP Server
Settings for the appliance when running as an ICAP server, modifying requests and responses in communication with ICAP clients.
Enable ICAP server: When selected, the appliance takes the role of an ICAP server.
ICAP port definition list: List of ports on the appliance that listen to requests from ICAP clients. The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.
Table 3-8 ICAP Port Definition List
Listener address: Local IP address of the appliance running as an ICAP server and port for requests from ICAP clients
Send early 204 responses: When selected, the appliance sends 204 responses to clients early, before a request is fully transferred.
Note: Some clients do not support early 204 responses.
Wait for complete ICAP request: Main item that does not appear in the table, but is visible in the Add and Edit windows. The next four elements are related to it, specifying when the ICAP server waits until a request is complete. Waiting for the complete request can be necessary when clients cannot receive parts of the filtered data in a response while other parts of the request are still being sent to the server. The normal behavior of the ICAP server is to filter and send back data chunk by chunk to reduce latency.
Never: When selected, the ICAP server never waits.
Only for REQMOD requests: When selected, the ICAP server waits if the mode for modifying requests is used.
Only for FTP requests: When selected, the ICAP server waits if a request was sent under FTP.
Always: When selected, the ICAP server always waits.
Maximal concurrent REQMOD connections: Maximum number of connections the ICAP server can use simultaneously when modifying requests
Maximal concurrent RESPMOD connections: Maximum number of connections the ICAP server can use simultaneously when modifying responses
Preview size: Size (in bytes) of the portion of a request that a client sends to the ICAP server at the beginning of the communication. Based on it, the server either asks for more data or lets the rest of the data pass through unmodified.
Comment: Plain-text comment on the ICAP server port
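The preview and 204 mechanics behind the Send early 204 responses and Preview size options are easier to see on the wire. The following is an added example (not McAfee code): a minimal RESPMOD exchange per RFC 3507 with both the client side (encapsulating an HTTP response and sending only the preview) and the server side (answering 204 No Content, 100 Continue, or a 200 carrying a replacement response). The host name, HTTP messages and the MARKER string are constructed for the demo, and demo_scan() stands in for the appliance's rule set; the client always sends Allow: 204, which is what makes 204 replies permissible at all.

```python
"""Minimal ICAP RESPMOD exchange with Preview (RFC 3507), client and server side.

Added example, not McAfee code. Host name, HTTP messages and MARKER are
constructed; demo_scan() stands in for the appliance's rule set.
"""
from typing import Callable, Dict, Optional, Tuple

MARKER = b"X-CONSTRUCTED-MALWARE-MARKER"  # constructed stand-in for a detection
Scan = Callable[[bytes, bytes, bool], str]  # (res_hdr, body, complete) -> verdict
NO_CONTENT = b"ICAP/1.0 204 No Content\r\n\r\n"
CONTINUE = b"ICAP/1.0 100 Continue\r\n\r\n"


def chunk(data: bytes) -> bytes:
    """One HTTP chunk: hex size line, data, CRLF."""
    return f"{len(data):x}\r\n".encode() + data + b"\r\n"


def build_respmod(host: str, req_hdr: bytes, res_hdr: bytes, body: bytes,
                  preview: int) -> Tuple[bytes, bytes]:
    """Client: encapsulate an HTTP response, sending only the first `preview`
    body bytes. Returns (wire bytes, body still owed after a 100 Continue)."""
    first, rest = body[:preview], body[preview:]
    head = (f"RESPMOD icap://{host}/respmod ICAP/1.0\r\nHost: {host}\r\n"
            f"Allow: 204\r\nPreview: {preview}\r\n"
            f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
            f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    # "0; ieof" tells the server that the preview already held the whole body.
    terminator = b"0; ieof\r\n\r\n" if not rest else b"0\r\n\r\n"
    return head + req_hdr + res_hdr + chunk(first) + terminator, rest


def build_continuation(rest: bytes) -> bytes:
    """Client: the remaining body, sent after the server's 100 Continue."""
    return chunk(rest) + b"0\r\n\r\n"


def read_chunks(data: bytes) -> Tuple[bytes, bool]:
    """Decode a chunked body; also report whether it ended with the ieof extension."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size_field = data[pos:eol]
        size = int(size_field.split(b";")[0], 16)
        if size == 0:
            return out, b"ieof" in size_field
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2


def parse_icap(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes, bytes]:
    """Server: split an ICAP request into headers, encapsulated HTTP response
    header and the chunked encapsulated body, using the Encapsulated offsets."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    offsets = dict(kv.strip().split(b"=") for kv in headers[b"encapsulated"].split(b","))
    res_hdr_at, body_at = int(offsets[b"res-hdr"]), int(offsets[b"res-body"])
    return headers, payload[res_hdr_at:body_at], payload[body_at:]


def block_page(reason: str) -> bytes:
    """Server: ICAP 200 carrying a replacement HTTP response (the modified response)."""
    body = f"Blocked by web gateway: {reason}\n".encode()
    res_hdr = (f"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    icap = f"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n"
    return icap.encode() + res_hdr + chunk(body) + b"0\r\n\r\n"


def handle_preview(raw: bytes, scan: Scan, early_204: bool = True
                   ) -> Tuple[bytes, Optional[Tuple[bytes, bytes]]]:
    """Server, first round trip. Returns (ICAP reply, state kept for the rest
    of the body, or None when the exchange is finished)."""
    _headers, res_hdr, chunked = parse_icap(raw)
    preview, complete = read_chunks(chunked)
    verdict = scan(res_hdr, preview, complete)
    if verdict == "block":
        return block_page("marker found in preview"), None
    if complete or (verdict == "clean" and early_204):
        return NO_CONTENT, None  # pass the original through unmodified
    # The scanner needs the whole object, or this client cannot take an early
    # 204: ask for the rest and decide in handle_rest().
    return CONTINUE, (res_hdr, preview)


def handle_rest(state: Tuple[bytes, bytes], raw_rest: bytes, scan: Scan) -> bytes:
    """Server, second round trip, after the client sent the remaining body."""
    res_hdr, preview = state
    rest, _ = read_chunks(raw_rest)
    verdict = scan(res_hdr, preview + rest, True)
    return block_page("marker found in body") if verdict == "block" else NO_CONTENT


def demo_scan(res_hdr: bytes, body: bytes, complete: bool) -> str:
    """Constructed policy: block on MARKER; images need no body scan (an early
    decision); anything else is judged only once the whole object is there."""
    if MARKER in body:
        return "block"
    if complete or b"Content-Type: image/" in res_hdr:
        return "clean"
    return "more"


def exchange(res_hdr: bytes, body: bytes, preview: int, early_204: bool = True) -> Tuple[int, int]:
    """Drive both sides; returns (final ICAP status code, number of round trips)."""
    req_hdr = b"GET http://www.example.test/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    wire, rest = build_respmod("mwg.example.test", req_hdr, res_hdr, body, preview)
    reply, state = handle_preview(wire, demo_scan, early_204)
    if state is None:
        return int(reply.split()[1]), 1
    reply = handle_rest(state, build_continuation(rest), demo_scan)
    return int(reply.split()[1]), 2
```

With early_204 off, a clean image still costs a second round trip (100 Continue, then 204 after the full body), which is the price of supporting a client that cannot handle a 204 before it has finished sending. An object that fits entirely into the preview arrives with the "0; ieof" terminator and is decided in one round trip either way.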
Web Cache
Setting for enabling the appliance web cache
Enable cache: When selected, the web cache is enabled. You can then have it controlled by an appropriate rule set.
Yahoo
Settings for instant messaging under the Yahoo! protocol
Enable Yahoo proxy: When selected, the appliance runs as a proxy for instant messaging under the Yahoo protocol.
Listener address: IP address of the proxy and number of the port for listening to client requests
Support file transfer over 0.0.0.0:80: When selected, requests for file transfers can use this IP address and port.
Login server: Host name and port number of the server that users log on to before sending requests
Relay server: Host name and port number of the server used as a relay station when transferring files
Yahoo client connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a client
Yahoo server connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a server
ICQ/AIM
Settings for instant messaging under the OSCAR protocol provided by AIM
Enable ICQ/AIM proxy: When selected, the appliance runs as a proxy for instant messaging under OSCAR.
Login and file transfer proxy port: IP address of the proxy and number of the port for handling logon and file transfer
BOS listener port: IP address of the proxy and number of the port for listening to Basic OSCAR Service (BOS) requests, which include chat messages (as opposed to, for example, file transfers)
ICQ/AIM login server: Host name and port number of the server that users log on to before sending requests
ICQ/AIM client connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a client
ICQ/AIM server connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a server that was the destination of a client request
Advanced Settings
Settings for advanced proxy functions
Number of working threads: Number of threads used by the proxies on an appliance for transmitting and filtering web traffic
Use TCP no delay: When selected, delays on the proxy connection are avoided by not using the Nagle algorithm to assemble data packets. This algorithm holds back small packets until a certain amount of data has been gathered or the previously sent data has been acknowledged.
Maximal TTL for DNS cache in seconds: Maximum time (in seconds) for storing host name information in the DNS cache
Timeout for errors for long running connections in minutes: Time to elapse (in minutes) before a long running connection that is inactive due to an error is closed
Check interval for long running connections in minutes: Time to elapse (in minutes) between check messages sent on long running connections
Internal path ID: ID of the path the appliance uses to forward internal requests (not requests received from clients), for example, requests for style sheets to display error messages
Bypass RESPmod for responses that must not contain a body: When selected, responses sent in ICAP communication are not modified using the RESPmod mode if they do not include a body.
service helix-proxy activate
You are asked to enter a user name and password for the initial administrator account.
2 Enter both. The Helix proxy is started.
Note: After the start, you can find configuration files for the proxy in the /opt/helix-proxy folder on the appliance and modify them manually as needed.
3 Connect to the user interface of the proxy:
http://<IP address of the proxy>:21774/admin/index.html
The user interface appears and displays a logon window. This logon is sent over plain HTTP, so reach port 21774 only from a trusted management network.
4 Enter the user name and password from step 2.
After a successful logon, the user interface of the proxy is available for administering it.
5 Configure your RealPlayer application to use the appliance as a proxy, for example, as follows:
a Start RealPlayer.
b On its user interface, go to the proxy settings.
c In the appropriate input field, for example, the RTSP (Real-Time Streaming Protocol) field, enter the IP address of the appliance with 554 as the port number.
For more information, refer to the user documentation of the Helix proxy.
Web cache
A web cache is provided on the appliance for storing web objects to speed up responses to client requests. This section explains the handling of this cache. Use of the web cache is controlled by rules for reading objects from it or writing them to it. This means a rule set must be implemented that contains such rules. Optionally, bypass lists can contain web objects that should not be cached. In addition to this, the web cache must be enabled as an option of the common proxy settings. Administering the use of the web cache therefore includes the following activities:
Reviewing and modifying the web cache rules: You can review the implemented rule set system to see whether it includes a web cache rule set. If it does not, you can import a rule set from the library or create a rule set with web cache rules of your own.
Maintaining the bypass lists: You can maintain these lists if you want particular objects not to be read from the cache or written to it.
Verifying that the web cache is enabled: You can do this by reviewing the web cache section of the common proxy settings.
For more information, see Rules for the web cache, Bypass lists for the web cache, and Verify enabling of the web cache.
Two rule sets are nested in this rule set: Read from Cache and Write to Cache.
Read from Cache library rule set
The Read from Cache rule set enables the reading of web objects from the cache and forbids it for URLs on a bypass list. It is processed in request cycles when users request access to web objects. There are no particular criteria for this rule set; when the process flow reaches it, it is always processed.
Nested library rule set: Read from Cache
Criteria: Always
Cycles: Requests (and IM)
The rule set contains the following rules:
Do not cache URLs in Web Cache URL Bypass List
URL matches in list Web Cache URL Bypass List > Stop Rule Set
The rule uses the URL property to check whether a requested URL is on the specified bypass list. If it is, processing of the rule set stops, so the rule that enables reading from the cache is not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.
Enable Web Cache
Always > Continue, event: Enable Web Cache
The rule is always processed unless it is skipped because the bypassing rule placed before it in the rule set applies. It enables the web cache, so objects stored in it can be read. Processing continues with the next rule set.
Write to Cache library rule set
The Write to Cache rule set enables the writing of web objects to the cache and forbids it for URLs and media types on particular bypass lists. It is processed in response cycles when objects are sent from the web in response to user requests. There are no particular criteria for this rule set; when the process flow reaches it, it is always processed.
Nested library rule set: Write to Cache
Criteria: Always
Cycles: Responses
The rule set contains the following rules:
Do not cache URLs in Web Cache URL Bypass List
URL matches in list Web Cache URL Bypass List > Stop Rule Set
The rule uses the URL property to check whether the URL of an object sent from the web is on the specified bypass list. If it is, processing of the rule set stops, so the rule that enables writing to the cache is not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.
Do not cache objects larger than X bytes
String.ToNumber (Response.Headers.GetHeader (Content-Length)) greater than 8388608 > Stop Rule Set
The rule uses the String.ToNumber property to convert the Content-Length header string sent with an object into a numerical value and checks whether this value is greater than the number specified here (8388608 bytes, that is, 8 MB). If it is, processing of the rule set stops and the writing rule of the rule set is not processed. Processing continues with the next rule set. Note that the rule only sees objects that carry a Content-Length header: a response without one, for example one sent with chunked transfer encoding, yields no number to compare and is therefore not stopped by this rule, however large it turns out to be.
Note: This rule is not enabled initially.
Do not cache media types in Web Cache Media Type Blacklist
Media.TypeEnsured at least one in list Web Cache Media Type Blacklist > Stop Rule Set
The rule uses the Media.TypeEnsured property, which holds the media type detected with a probability of more than 50%, to check whether the type of an object is on the specified blacklist. If it is, processing of the rule set stops and the writing rule of the rule set is not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.
Enable Web Cache
Always > Continue, event: Enable Web Cache
The rule is always processed unless it is skipped because one of the rules preceding it in the rule set applies. It enables the web cache, so objects can be written to it. Processing continues with the next rule set.
When you import the Web Cache rule set from the library, bypass lists are also implemented. You can edit these lists and also create lists of your own. The procedures used to maintain bypass lists differ according to the list type. For example, you add URLs to a bypass list for URLs by typing them into the list. When adding media types, however, you select them from folders with media type groups. For more information, see Add a URL to a web cache bypass list, Add a media type to a web cache bypass list, and Sample web cache lists.
example, Web Cache URL Bypass List. The list entries appear on the settings pane.
3 Click Add. The Add Wildcard Expression window opens.
4 In the Wildcard expression field, type a URL.
Note: To add multiple URLs at once, click Add multiple and type every URL in a new line.
5 [Optional] In the Comment field, type a comment on the URL.
6 Click OK. The window closes and the URL appears on the bypass list.
7 Click Save Changes.
list for media types, for example, Web Cache Media Type Blacklist. The list entries appear on the settings pane.
3 Click Edit. An Edit window opens. It displays a list of group folders with media types.
4 Expand the group folder with the media type you want to add, for example, Document, and select
Web Cache Media Type Blacklist
Library list of media types that should not be read from or written to the web cache.
Type: Media type
Initial entries:
application/mpegurl (MP3 Playlist File)
application/x-pn-realaudio (RealMedia streaming file)
video/x-la-asf (Streaming Audio/Video File)
The table below describes the list entries.
Table 3-10 Web Cache Media Type Blacklist
Media type: Media type that is not cached (in Wildcard expression format)
Comment: Plain-text comment on the media type
Contents
Filtering controlled by rules
About rule elements
About rule sets
Rule configuration
Rule set configuration
List maintenance
Action and engine settings
Access restrictions
About filtering
This section explains some basic concepts of the filtering process that goes on when the implemented rules are processed on the appliance. In this process, the appliance filters web traffic. It blocks some objects and lets others pass through, like a tea sieve or strainer that catches the tea leaves and allows the liquid to flow through its perforations. So how does the appliance tell the tea leaves from the liquid? The tea strainer obviously uses dimension as a key concept. If something is too big, it cannot pass through. Similarly, the appliance uses all kinds of properties that web objects can have or that are related in some way to web objects to make its filtering decisions.
Giving an answer to the second question leads to a rule: If the value of property p is x, action y is required. A property is a key element in every rule on the appliance. Understanding the property is essential to understanding the rule. When you are creating a rule, begin by thinking about the property you want to use. Taking the property of an existing rule as an example, you might reason like this: I want to filter viruses and other malware. I use the property being virus-infected and build a rule around it. I let this rule require a blocking action if a given object has this property. The rule then reads: If being virus-infected has the value true (for a given object), block this object. The object could, for example, be a file that a web server has sent because a user of your network requested it, and that is intercepted and filtered on the appliance. Properties can relate to web objects, but also to the users who request them. For example, a rule could use the property user groups that user is member of to block requests from users who are not in an allowed group: If user groups that user is member of (for a given user) are not on the list of allowed groups, block requests sent by this user. Properties and rules are explained in this section in plain language; the format they have on the user interface of the appliance does not differ much from it.
Filtering cycles
The filtering process on the appliance has three cycles: the request cycle, the response cycle, and the embedded objects cycle. Only one of these can go on at a given moment. The response cycle is used for filtering requests that users of your network send to the web (1), the response cycle is for the responses received upon these requests from the web (2).
When embedded objects are sent with requests or responses (3), the embedded objects cycle is used as an additional cycle of processing.
An embedded object could, for example, be a file sent with a request to upload a file and embedded in this file. The filtering process begins with the request cycle, filtering the request and checking the file that is requested for uploading. Then the embedded objects cycle is started for the embedded file. Similarly, the response cycle and the embedded objects cycle are started one after another for a file that is sent in response from a web server and has another file embedded in it. For every rule on the appliance, it is specified in which cycle it is processed. However, the cycle is not specified individually for a rule, but for the rule set that contains it. A rule set can be processed in just one cycle or in a combination of cycles.
Process flow
In the filtering process, the implemented rules are processed one after another. The order of the rules is determined by the positions they take in their rule sets. The rule sets themselves are processed in the order of the rule set system, which is shown on the Rule Sets tab of the user interface. In each of the three cycles, the implemented rule sets are looked up one after another to see which must be processed in this cycle.
When a rule is processed and found to apply, it triggers an action. The action executes a filtering measure, such as blocking a request or removing a requested object. In addition to this, it has an impact on the filtering process: it can specify that the filtering process must stop completely, or skip some rules and then continue, or simply continue with the next rule. Processing also stops after all implemented rules have been processed. Accordingly, the process flow can be as follows:
All rules have been processed for each of the cycles and no rule has been found to apply.
> Processing stops. In the request cycle, the request is allowed to pass through to the appropriate web server. In the response cycle, the response sent from the web is forwarded to the appropriate user. In the embedded objects cycle, the embedded object is allowed to pass through with the request or response it was sent with. Processing begins again when the next request is received.
A rule applies and specifies that processing must stop completely.
> Processing stops. An example of a rule that stops processing completely is a rule with a blocking action. If, for example, a request is blocked because the requested URL is on a blocking list, it is no use to process anything else. No response is going to be received because the request was blocked and not passed on to the appropriate web server. Filtering an embedded object that might have been sent with the request is also not needed because the request is blocked anyway. A message is sent to the user who is affected by the action, for example, to inform this user that a request was blocked and why. Processing begins again when the next request is received.
A rule applies and specifies that processing must stop for the current rule set.
> Processing stops for this rule set. The rules that follow the stopping rule in the rule set are skipped. An example of a rule that stops the processing of a rule set is a whitelisting rule followed by a blocking rule in the same rule set. When a requested object is found on a whitelist, the request is allowed to pass through without further filtering by this rule set. Therefore the rule set is not processed any further and the rule that would eventually block the object is skipped. Processing continues with the next rule set. The next rule set can contain rules that, for example, block a request, although it was allowed to pass through the preceding rule set.
A rule applies and specifies that processing must stop for the current cycle.
> Processing stops for this cycle. The rules and rule sets that follow the stopping rule in the cycle are skipped. An example of a rule that stops the processing of a cycle is a global whitelisting rule. When a requested object is found on a global whitelist, the request is allowed to pass through to the appropriate web server. To ensure the request is not blocked eventually by any of the following rules and rule sets, the request cycle is not processed any further. Processing continues with the next cycle.
A rule applies and specifies that processing continues with the next rule.
> Processing continues with the next rule. This can be the next rule in the current rule set or the first rule in the next rule set or cycle. An example of a rule that lets the filtering process continue unimpeded is a billing rule. This rule just counts requests by increasing a counter and does otherwise nothing.
If the category of a URL is on a particular list, block the URL. If a user is not a member of an allowed user group, block requests from this user.
(2) Action that is executed if the criteria is matched: ... block the URL.
The third element is optional:
(3) Event (or more than one) that is to happen if the criteria is matched: ... and log this action.
The criteria has again three elements:
(a) Property (of a web object or user): the category of a URL ...
(b) Operator that links the property to an operand: ... is on list ...
(c) Operand specifying, together with the operator, a value for the property: ... x (list name)
Note: The operand is also known as parameter on the appliance.
The rule blocks a URL if its category is on a blocking list, notifies the user who requested the URL of the blocking, and writes a log file entry. The table below provides an overview of the individual rule elements and their meanings.
Table 4-1 Overview of rule elements
Enabled: Allows you to enable or disable the rule.
Name (Block URLs ... CategoryBlackList): Name of the rule. The list name in the name text is the list used by the rule; clicking on the list name opens the list for editing. The list name appears both in the rule name and in the criteria, so that it is available when the criteria is not visible. A yellow triangle next to a list name indicates that the list is initially empty.
Criteria: Criteria of the rule, consisting of the property, the settings of the module that retrieves a value for the property (clicking on the settings name opens the settings for editing), the operator, and the operand (here: a list used by the rule; clicking on the list name opens the list for editing). The criteria is only visible after clicking the toggle button Show Details.
Action (Block <URLBlocked>): Name of the action and settings of the action (here: settings specifying that a block message is sent to the user who is affected by the blocking). The symbol varies with the action. Clicking on the settings name opens the settings for editing.
Events: One (or more) events of the rule, each with the name of the event, the parameter of the event (here: the text of an entry that is written into a log file), and the settings of the module that handles the event. Clicking on the settings name opens the settings for editing.
Comment: Plain-text comment on the rule.
Complex criteria
The criteria of a rule can be made complex by configuring it with two or more parts. Each of the parts then has a property with operator and operand. The parts are linked by AND or OR. The following is an example of complex criteria:
Part 1: Property URL.Categories<Default>, operator at least one in list, operand Drugs
OR
Part 2: Property URL.Categories<Default>, operator at least one in list, operand Games/Gambling
The criteria is matched if a filtered URL belongs to a category that is on any of the two specified category lists (or on both). If you configure criteria with three or more parts and use both AND and OR between them, you also need to put brackets to indicate how the parts are logically connected. For example, a AND (b OR c) differs in meaning from (a AND b) OR c. When you add a third criteria part on the user interface, lowercase letters appear before the parts and an additional field is inserted at the bottom of the configuration window. The field displays your criteria parts in short, for example, a AND b OR c. You can then type brackets into the field as needed.
a: Property URL.Categories<Default>, operator at least one in list, operand Drugs
AND
b: Property URL.Categories<Default>, operator at least one in list, operand Games/Gambling
OR
c: Property Antimalware.Infected<Gateway AntiMalware>, operator equals, operand true
Criteria Combination: (a AND b) OR c
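The bracket rule described above, as an added example in Python that is not part of the original guide and not the appliance's own code: a small evaluator for the Criteria Combination field. It assumes that criteria parts are named by single lowercase letters as on the user interface, and that AND and OR have no implicit precedence, so a combination such as a AND b OR c is rejected rather than guessed at. The truth values in PARTS are constructed and stand for the three-part example in the table above (a and b: category list matches, c: Antimalware.Infected).

```python
"""Evaluator for the Criteria Combination field, e.g. "(a AND b) OR c".
Added example, not McAfee Web Gateway code. Assumes single-letter part names
and refuses AND/OR mixed at one bracket level without brackets."""
import re
from typing import Dict, List, Union

Node = Union[str, tuple]  # a part letter, or (operator, [child nodes])
_TOKEN = re.compile(r"\s*(\(|\)|AND|OR|[a-z])\s*")

def tokenize(text: str) -> List[str]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class CriteriaCombination:
    def __init__(self, text: str):
        self._tokens = tokenize(text)
        self._pos = 0
        self.tree = self._expr()
        if self._pos != len(self._tokens):
            raise ValueError("unbalanced brackets or trailing input")

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of combination")
        self._pos += 1
        return tok

    def _expr(self) -> Node:
        # One bracket level may only join its parts with a single operator kind.
        operands, op = [self._term()], None
        while self._peek() in ("AND", "OR"):
            nxt = self._take()
            if op is not None and nxt != op:
                raise ValueError("AND and OR mixed at the same level; add brackets")
            op = nxt
            operands.append(self._term())
        return operands[0] if op is None else (op, operands)

    def _term(self) -> Node:
        tok = self._take()
        if tok == "(":
            inner = self._expr()
            if self._take() != ")":
                raise ValueError("missing closing bracket")
            return inner
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected {tok}")
        return tok  # a criteria part: a, b, c, ...

    def matches(self, parts: Dict[str, bool]) -> bool:
        return self._eval(self.tree, parts)

    def _eval(self, node: Node, parts: Dict[str, bool]) -> bool:
        if isinstance(node, str):
            return bool(parts[node])  # KeyError if the field names an unknown part
        op, children = node
        results = [self._eval(c, parts) for c in children]
        return all(results) if op == "AND" else any(results)

def evaluate(combination: str, parts: Dict[str, bool]) -> bool:
    """True if the complex criteria is matched for the given part results."""
    return CriteriaCombination(combination).matches(parts)

def is_invalid(combination: str) -> bool:
    """True if the combination would be rejected (ambiguous or malformed)."""
    try:
        CriteriaCombination(combination)
        return False
    except ValueError:
        return True

# Constructed part results for the table's example: the URL is in neither the
# Drugs (a) nor the Games/Gambling (b) list, but the object is infected (c).
PARTS = {"a": False, "b": False, "c": True}
```

With these values, evaluate("(a AND b) OR c", PARTS) is True and the rule would block, while evaluate("a AND (b OR c)", PARTS) is False, which is exactly the difference the text points out; is_invalid("a AND b OR c") is True because the evaluator refuses to pick a precedence for you.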
Properties
A property is a key element in every rule. If it has a particular value, the criteria of the rule is matched and the rule applies, which means that the rule action is triggered. For example, if the property Antimalware.Infected has the value true in the criteria of a particular rule for virus and malware filtering, the rule triggers its blocking action. A property in a rule is a property of a web object or of something that is related to a web object, such as the user who requests it. For example, Antimalware.Infected is the property of a web object that is requested by a user or sent in response by a web server or embedded in another object. A property has a name, a type, and a value. For every property, a particular range of values is possible. A value within this range is found for it during the filtering process by running a special module or by going through a particular list. In the following, some examples of properties are given. Property of a web page or a file
Property: Antimalware.Infected. Type: Boolean. Values: true | false
The meaning of this property can be paraphrased as being infected by a virus or other malware. A rule using this property could apply if its value is true. The Antimalware module scans web objects when the rule is processed to find out what the value of the property is.
Property of a URL
Property: URL.Categories. Type: List of categories. Values: Lists of URL categories
The meaning of this property can be paraphrased as belonging to (one or more) URL categories. A rule using this property could apply if one of these categories is on a blocking list. The TrustedSource module retrieves information on which category or categories a given URL belongs to. Property of a website or page
Property: URL. Type: String. Values: Lists of URLs
The meaning of this property can be paraphrased as having a URL. A rule using this property could apply if a URL is on a blocking list. During the filtering process, it is looked up whether the URL is on the list. No special module is needed for this lookup. For a list of the available properties with explanations, see List of properties in the appendix.
Actions
An action is the element of a rule that is executed if the criteria of the rule is matched. For example, if an object sent by a web server in response to a user request is found to be virus-infected, the criteria of a particular rule for virus and malware filtering is matched, and the rule triggers the Block action. Settings can be configured for some actions to determine the way they are executed. For example, the Block action has settings that specify a corresponding user message. The settings can also specify the blocking reason for logging purposes. Every action has an impact on the filtering process. This process can be stopped by an action, or the remaining rules in a rule set or cycle are skipped when an action has been executed, or the process just continues after an action. In the following, some examples of actions are given.
Action: Block. Settings: Specifying a message template and the blocking reason. Impact: Stops the filtering process.
The blocking effect of this action is achieved by stopping the filtering process. If, for example, a request is blocked, processing stops completely and the request is not passed on to the appropriate web server. The user who sent the request is informed of the blocking. Different settings can be configured for the action, according to whether the blocking reason was a found virus, an inappropriate URL category, and so on.
Action: Stop Rule Set. Settings: None. Impact: Stops processing of the current rule set and lets processing continue with the next rule set.
This action can be used by a whitelisting rule to skip a blocking rule that follows it in the same rule set. Since this action does not affect the user, no settings for a user message are required.
Action: Continue. Settings: None. Impact: Lets processing continue with the next rule after the rule that triggered this action.
This action does not affect a user and accordingly no settings are needed for a user message. For a list of the available actions, see List of actions in the appendix.
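The process flow of the Process flow section and the action impacts described above, modelled as an added example in Python. This is not McAfee Web Gateway code and the appliance does not expose its engine this way; the rule, rule set and property names follow this chapter, while the list contents, the sample web objects, the helper names and the "Skip category check" rule are constructed for the demonstration. It processes the rule sets in system order for one cycle, honours Continue, Block, Stop Rule Set and Stop Cycle, runs the cycles in the order the Filtering cycles section describes, and shows why Global Whitelist belongs first: the same whitelisted URL passes when the rule set is first and is blocked by the category blacklist when it is second.

```python
"""Toy model of the filtering process: rule sets processed in system order per
cycle, each applying rule triggering Continue, Block, Stop Rule Set or Stop Cycle.
Added example, not McAfee Web Gateway code; lists, sample objects and helper
names are constructed, rule and property names follow the chapter."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class Action(Enum):
    CONTINUE = "Continue"            # go on with the next rule
    BLOCK = "Block"                  # stop the whole filtering process
    STOP_RULE_SET = "Stop Rule Set"  # skip the rest of this rule set only
    STOP_CYCLE = "Stop Cycle"        # skip the remaining rule sets of this cycle

@dataclass
class Rule:
    name: str
    criteria: Callable[[Dict], bool]  # receives the web object's properties
    action: Action

@dataclass
class RuleSet:
    name: str
    cycles: frozenset                 # "Applies to": cycles this set is processed in
    rules: List[Rule]

@dataclass
class Trace:
    fired: List[str] = field(default_factory=list)  # "rule set/rule" that applied
    blocked_by: Optional[str] = None

ALL_CYCLES = frozenset({"request", "response", "embedded"})

def run_cycle(cycle: str, policy: List[RuleSet], props: Dict):
    """Process one cycle over the rule set system. Returns (allowed, trace)."""
    trace = Trace()
    for rs in policy:
        if cycle not in rs.cycles:
            continue
        for rule in rs.rules:
            if not rule.criteria(props):
                continue
            trace.fired.append(f"{rs.name}/{rule.name}")
            if rule.action is Action.BLOCK:
                trace.blocked_by = rule.name
                return False, trace
            if rule.action is Action.STOP_RULE_SET:
                break                   # later rules of this set are skipped
            if rule.action is Action.STOP_CYCLE:
                return True, trace      # later rule sets of this cycle are skipped
            # Action.CONTINUE: fall through to the next rule
    return True, trace                  # no rule applied: the object passes

def filter_transaction(policy, request, embedded=None, response=None):
    """Request cycle, then the embedded objects cycle for an object embedded in
    the request, then the response cycle (only if the request was passed on).
    Returns the name of the cycle that blocked, or None."""
    if not run_cycle("request", policy, request)[0]:
        return "request"
    if embedded is not None and not run_cycle("embedded", policy, embedded)[0]:
        return "embedded"
    if response is not None and not run_cycle("response", policy, response)[0]:
        return "response"
    return None

def in_list(prop, lst):                 # operator "is in list"
    return lambda p: p.get(prop) in lst
def at_least_one_in_list(prop, lst):    # operator "at least one in list"
    return lambda p: any(v in lst for v in p.get(prop, []))
def equals(prop, value):                # operator "equals"
    return lambda p: p.get(prop) == value

# Constructed list contents; on the appliance these would be your own entries.
GLOBAL_WHITELIST = {"http://intranet.example/app"}
CONTENT_WHITELIST = {"http://partner.example/download"}
CATEGORY_BLACKLIST = {"Drugs", "Games/Gambling"}

def build_policy(whitelist_first: bool = True) -> List[RuleSet]:
    global_whitelist = RuleSet("Global Whitelist", ALL_CYCLES, [
        Rule("Do not filter URLs in Global Whitelist",
             in_list("URL", GLOBAL_WHITELIST), Action.STOP_CYCLE)])
    content_filter = RuleSet("Content Filter", frozenset({"request"}), [
        Rule("Skip category check for URLs in ContentWhiteList",  # assumed rule
             in_list("URL", CONTENT_WHITELIST), Action.STOP_RULE_SET),
        Rule("Block URLs whose category is in CategoryBlackList",
             at_least_one_in_list("URL.Categories", CATEGORY_BLACKLIST), Action.BLOCK)])
    antimalware = RuleSet("Gateway AntiMalware", ALL_CYCLES, [
        Rule("Block if virus was detected", equals("Antimalware.Infected", True), Action.BLOCK)])
    order = [global_whitelist, content_filter, antimalware]
    return order if whitelist_first else [content_filter, global_whitelist, antimalware]

def web_object(url, category, infected=False):   # constructed sample objects
    return {"URL": url, "URL.Categories": [category], "Antimalware.Infected": infected}

SAMPLES = {
    "whitelisted": web_object("http://intranet.example/app", "Games/Gambling"),
    "whitelisted_infected": web_object("http://intranet.example/app", "Games/Gambling", True),
    "gambling": web_object("http://casino.example/", "Games/Gambling"),
    "partner_infected": web_object("http://partner.example/download", "Drugs", True),
}
```

Calling run_cycle("request", build_policy(), SAMPLES["partner_infected"]) shows Stop Rule Set at work: the Content Filter whitelist rule fires, the category blacklist rule in the same rule set is skipped, and the request is still blocked by Gateway AntiMalware in the next rule set. filter_transaction(build_policy(), SAMPLES["whitelisted"], response=SAMPLES["whitelisted_infected"]) returns None, because Global Whitelist is processed in all three cycles and its Stop Cycle action skips virus and malware filtering for the response as well; that is the reason a global whitelist should only hold URLs you trust.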
Events
If the criteria of a rule matches, an event or several of them can optionally be triggered. For example, if an object is found to be virus-infected and blocked, an event can be triggered that writes the blocking action into a log file. The way an event is executed can be configured through parameters and settings. For example, the text of a log file entry can be specified as an event parameter and rotation of the log files as part of the event settings. Other activities executed by events are, for example: setting a value, adding a request header, or incrementing a counter. For a list of the available events, see List of events in the appendix.
The table below shows the rule sets belonging to this system (nested rule sets are not shown).
Table 4-2 Wizard rule set system (commercial Europe limited)
Global Whitelist: Lets whitelisted IP addresses, URLs, and responses with empty bodies skip all further filtering.
Global Block: Blocks IP addresses, authenticated users, and URLs entered in blocking lists.
Media Type Filtering: Controls media type filtering with nested rule sets for uploading and downloading media types.
Content Filter: Exempts users if entered in a whitelist. Blocks users if entered in a blocking list. Blocks URLs belonging to various categories.
Gateway AntiMalware: Controls virus and malware filtering.
SSL Scanner: Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling.
If this system were implemented on your appliance and you wanted to modify it, you could, for example, add a rule set for authentication. You could import it from the library or create one yourself. You might also move the SSL Scanner rule set to a position near the beginning of the rule set system, for example, following Global Whitelist. If an SSL-secured request is blocked because the certificate submitted with it has expired or for another reason, it is not necessary to apply virus and malware filtering and other filtering functions to it. The rule sets that provide these functions are not processed if processing has already been stopped by a rule of the SSL Scanner rule set.
This rule set system has a rule set for authentication. The SSL Scanner rule set is placed before the filtering functions for URLs, media types, viruses and other malware. They are not applied if a rule of the SSL Scanner rule set blocks a request.
Detailed descriptions of the library rule sets are given in the chapters that deal with individual filtering functions. For example, the Gateway AntiMalware library rule set is described in detail in the section on Virus and malware filtering.
Rule configuration
Rules and rules sets are implemented on the appliance to ensure web security. This section explains how you can work with them to make them even more suitable for your network. It explains some sample rules and provides detailed information on how to modify and create rules and rule sets.
The main elements of the tab are:
Rule Sets toolbar: Items for working with the rule sets on the Rule Sets tree.
Rule Sets tree: Tree structure displaying the rule sets of the appliance configuration.
Rule Sets menu: Buttons for displaying tree structures of (general) rule sets, Log Handler rule sets, Error Handler rule sets, and user-defined properties (for use in rule and rule set criteria).
Rules toolbar: Items for working with the rules of the currently selected rule set.
Rules: Rules of the currently selected rule set.
(Log Handler is selected) Lets you select Log Handler from a menu as the only accessible item to open the Add New Log Handler window for adding a new Log Handler rule set. (Error Handler is selected) Lets you select Error Handler from a menu as the only accessible item to open the Add New Error Handler window for adding a new Error Handler rule set. (User-Defined Property is selected) Lets you select User-Defined Property to open the Add New User-Defined Property window for adding a property.
Export: Opens the Export Rule Set window for exporting a rule set to the library or into a file.
Edit: Opens the Edit Rule Set window for editing a selected rule set.
Delete: Deletes a selected rule set. A window opens to let you confirm the deletion.
Move up: Moves a rule set up among other rule sets on the same level.
Move down: Moves a rule set down among other rule sets on the same level.
Move out of: Moves a rule set out of its nesting rule set and onto the same level as the nesting rule set.
Move into: Moves a rule set into the rule set that follows it, so that it is nested there.
Expand all: Expands all collapsed items on the Rule Sets tree.
Collapse all: Lets all expanded items on the Rule Sets tree collapse.
Edit: Opens the Edit Rule Set window for editing a selected rule set (same function as the corresponding item above the Rule Sets tree).
Enabled: Allows you to enable or disable a selected rule set.
Criteria: Displays the criteria of a selected rule set.
The following three items above the Rules toolbar are also for handling rule sets.
Adding a rule
This section describes the Add Rule window and explains in detail the steps you can complete using the window to add a new rule to a rule set. Use the Add Rule window to add new rules to rule sets. It opens after clicking Add Rule on the Rules toolbar of the Rule Sets tab.
Note: There is also an Edit Rule window where the same options can be used for editing a rule.
Note: You can select a step by clicking it or use Next and Back to navigate. Provides different items for completing each step. Assists you in completing the steps with messages and symbols. Takes you back to the previous step. Takes you to the next step. Finishes the procedure. Leaves the procedure without adding a rule.
To add a rule, complete the steps in the window. For more information, see: Add name, comment, and enabling Add the criteria Add an action Add an event
Note: You can at any time select the Summary step to review your settings.
Name: Name of the rule.
Enable rule: When selected, the rule is enabled.
[Optional] Comment: Plain-text comment on the rule.
Continue with another step, preferably with Add the criteria, or click Finish and then Save Changes.
Figure 4-6 Add Rule Criteria
2 In the Apply this rule section, configure when the rule is applied:
Always: The rule is always applied.
If the following criteria is matched: The rule is applied if the criteria configured below is matched.
3 In the Criteria section, click Add. The Add Criteria window opens.
Figure 4-7 Add Criteria window (with property selected)
4 In the Property area, use the following items to configure a property:
Property: List for selecting a property (property types shown in brackets).
Search: Opens the Property Search window to let you search for a property.
Parameter: Opens the Property Parameters window for adding up to three parameters, see Step 5.
Note: The icon is grayed out if the property has no parameters.
Settings List for selecting the settings of the module that delivers a value for the property (module name shown in brackets).
Note: The icon is grayed out if no settings are required for the property and (not needed) is added.
Add: Opens the Add Settings window for adding new settings to the list.
Edit: Opens the Edit Settings window for editing the selected settings.
If no parameters need to be configured for the property, click OK and continue with Step 6.
5 [Conditional] To add property parameters: a Click Parameter. The Property Parameters window opens.
Figure 4-8 Property Parameters window
b Add as many parameters as needed. A parameter can be a:
Value (String, Boolean, or numerical): Configure it in the Value area. Then click OK.
Property: Follow the instructions for configuring properties, beginning again with Step 4.
6 From the Operator list, select an operator.
7 In the Parameter area, add a parameter (also known as operand). This can be a:
Value (String, Boolean, or numerical): Configure it in the Value area.
Property: Follow the instructions for configuring properties, beginning again with Step 4.
8 Click OK to close the Add Criteria window.
Note: Repeat steps 3 to 8 to add more criteria parts for complex criteria. Connect them by AND or OR (these options are then provided) and, for three or more criteria parts, type brackets to indicate how they are logically connected in the Criteria Combination field (appears then).
9 Continue with another adding procedure, preferably with Add an action, or click Finish and then Save Changes.
Add an action
Complete the following procedure to add an action to a rule:
1 In the Add Rule window, select Action.
Figure 4-9 Add Rule Action
2 Use the following items to configure an action:
Action: List for selecting an action:
Continue: Continue with processing the next rule.
Block: Block access to an object and stop processing rules.
Redirect: Redirect the client that requested access to an object to another object.
Authenticate: Stop processing the current cycle and send an authentication request.
Stop Rule Set: Stop processing the current rule set and continue with the next rule set.
Stop Cycle: Stop processing the current cycle, but do not block access to the requested object.
Remove: Remove the requested object and stop processing the current cycle.
Settings List for selecting settings for the Block, Redirect, and Authenticate actions.
Note: The list is grayed out if no settings are required for an action and (not needed) is added.
Add: Opens the Add Settings window for adding new settings to the list.
Edit: Opens the Edit Settings window for editing the selected settings.
Continue with another adding procedure, preferably with Add an event, or click Finish and then Save Changes.
Add an event
Complete the following procedure to add an event (or more than one) to a rule:
1 In the Add Rule window, select Events.
Figure 4-10 Add Rule Events
2 In the Events section, click Add. A drop-down menu opens.
Figure 4-11 Add Event window
4 Use the following items to configure an event:
Note: Repeat this part of the procedure to add more than one event.
Event: List for selecting an event (event types shown in brackets).
Parameters: Opens the Property Parameters window for adding up to three parameters, see Step 5.
Note: The icon is grayed out if the event has no parameters.
Add: Opens the Add Settings window for adding new settings to the list.
Edit: Opens the Edit Settings window for editing the selected settings.
If no parameters need to be configured for the event, click OK and continue with Step 6.
5 [Conditional] To add parameters to an event: a Click Parameters. The Property Parameters window opens. b Add parameters as needed. A parameter can be a:
Value (String, Boolean, or numerical): Configure it in the Value area. Then click OK.
Property: Configure it in the Property area. Then click OK.
6 [Conditional] If this is the last of the adding procedures: a [Optional] In the Add Rule window, select Summary to review what you have configured. b Click Finish and then Save Changes.
Rule Name Block if virus was detected Criteria Antimalware.Infected<Gateway AntiMalware> equals true Procedure Complete the following procedure to create this rule:
Note: Comments in italics explain what you are doing through the step or steps that follow.
1 Go to Policy | Rule Sets.
its current rules appear on the settings pane. Opening the Add Rule window
3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. In
the main window area, items appear for adding a name and other general settings. Adding general settings
4 Add the following general settings: a Name: Type Block if virus was detected. b Enable rule: Deselect this checkbox, so that the sample rule is not enabled. c
The Antivirus engine runs with these settings when it scans web objects, using virus signatures and proactive methods.
c
d In the Parameter area, select true from the Value list as operand (parameter) for the criteria.
8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area.
10 Add an action with special settings (Block<VirusFound>): a From the Action list, select Block. b From the Settings list, select VirusFound.
Under these settings, a block message is sent to the user who requested an object when the object is blocked. Reviewing the rule
11 Skip the Events step and select Summary to review what you have configured.
set.
Note: The rule is grayed out because it is not enabled.
13 Click Save Changes.
For more information, see About rule elements, Adding a rule, and Block if virus was found (Sample rule).
Sample rules
This section explains in detail three sample rules from the library rule sets of the appliance: Do not filter URLs in Global Whitelist Block URLs whose category is in CategoryBlackList Block if virus was found The Block if virus was found rule is also used in another section as an example for explaining step by step how a rule is created. For more information, see Create a sample rule.
In plain text, the rule could be rendered as follows: If a URL is on a particular global whitelist, stop the current processing cycle.
Purpose of the rule
The rule is implemented to provide you with a means of ensuring that particular URLs can be accessed by the users of your network and are not blocked by any other rules. To achieve this, URLs are entered on a whitelist. If a whitelisted URL is requested, the rule stops processing the request cycle. This means all following rules of this cycle, including those that might eventually block the URL, are not processed. When this rule and its rule set are implemented in a rule set system, the rule set should obviously be placed at the beginning of the system to ensure there are no rule sets before it that block URLs. In this case, the whitelisting rule is truly global: it overrules all other measures that the implemented rule set system might take for URLs.
Property and criteria
The property used in the criteria of the rule is URL. Its meaning can be paraphrased as being a URL. If a requested web object is a URL, the rule is processed to see whether it is on a particular whitelist. The whitelist is specified in the rule criteria as Global Whitelist. For looking up whether a given URL is on it, no special module is needed. Therefore the criteria includes no settings for a module.
Action
If the criteria of the rule matches, the rule applies and the Stop Cycle action is executed, with the impact that is the purpose of the rule: all measures that might prevent users from accessing the URL are avoided. The Stop Cycle action stops the request cycle when a request for access to the URL has been received. Since the rule set of the rule is processed in all three cycles of the filtering process, the Stop Cycle action can also stop the response or the embedded objects cycle if a whitelisted URL is involved in these. This means that responses from whitelisted URLs also skip the filtering functions that follow, such as virus and malware filtering, so only URLs you trust should be entered on this list. The Stop Cycle action does not affect a user in the way that a blocking action would do.
If the action and its rule work as intended, the user is allowed to access the requested URL. No message to the user is therefore needed, so the action of this rule has no settings to specify such a message.
Process flow
If processing the rule leads to the result that a URL is on the specified whitelist, the current cycle of the filtering process stops, according to what the rule says. Other cycles of the process can go on. For example, if an embedded object was sent with the request, the embedded objects cycle could be started to filter this object. If the request cycle is stopped after the whitelisted URL has been sent, the request is passed on to the appropriate web server. The appliance then waits for a response from this server, and if this is received, the response cycle of the filtering process is started to process this response.
If conflicts arise when importing this rule set, they are displayed in the window.
Note: Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist in an appliance configuration.
5 Use one of the following methods to solve conflicts:
Click Auto-Solve Conflicts and choose one of the following strategies for all conflicts:
Solve by referring to the existing objects: If rules of the imported rule set refer to objects existing in the appliance configuration under the same names, the references are made to apply to these existing objects. Note that the imported rules then work with the contents of your existing lists and settings, not with those shipped with the library rule set.
Solve by copying and renaming to suggested: If rules of the imported rule set refer to objects existing in the appliance configuration under the same names, the imported objects are used as well, but are copied and renamed as suggested, so as to avoid conflicts.
Alternatively, click the listed conflicts one after another and solve them individually by choosing either of the two above strategies each time.
6 Click OK. The rule set is inserted in the rule sets tree. It is enabled by default.
Note: Together with the rule set, lists and settings can be implemented in your configuration. The rules of the rule set need these items to make decisions on blocking and other actions.
7 If necessary, use the blue arrows above the Rule Sets tree to move the rule set to where you want it to be.
8 Click Save Changes.
Name: Name of the rule set.
Enable: When selected, the rule set is enabled.
[Optional] Comment: Plain-text comment on the rule set.
6 In the Applies to section, configure the processing cycles. You can select only one cycle, or any combination of these three:
Requests: The rule set is processed when requests from the users of your network are received on the appliance.
Responses: The rule set is processed when responses from web servers are received.
Embedded objects: The rule set is processed for embedded objects sent with requests and responses.
7 In the Apply this rule set section, configure when the rule set is applied:
Always: The rule set is always applied.
If the following criteria is matched: The rule set is applied if the criteria configured below is matched.
8 In the Criteria section, click Add. The Add Criteria window opens.
Figure 4-13 Add Criteria window (with property selected)
9 In the Property area, use the following items to configure a property:
Property: List for selecting a property (property types shown in brackets).
Search: Opens the Property Search window to let you search for a property.
Parameter: Opens the Property Parameters window for adding up to three parameters, see Step 10.
Note: The icon is grayed out if the property has no parameters.
Settings List for selecting the settings of the module that delivers a value for the property (module names shown in brackets).
Note: The icon is grayed out if no settings are required for the property and (not needed) is added.
Add: Opens the Add Settings window for adding new settings to the list.
Edit: Opens the Edit Settings window for editing the selected settings.
If no parameters need to be configured for the property, click OK and continue with Step 11.
10 [Conditional] To add property parameters: a Click Parameter. The Property Parameters window opens. b Add as many parameters as needed. A parameter can be a:
Value (String, Boolean, or numerical): Configure it in the Value area. Then click OK.
Property: Follow the instructions for configuring properties, beginning again with Step 9.
11 From the Operator list, select an operator.
12 In the Parameter area, add a parameter (also known as operand). This can be a:
Value (String, Boolean, or numerical): Configure it in the Value area.
Property: Follow the instructions for configuring properties, beginning again with Step 9.
13 Click OK to close the Add Criteria window. 14 (Optional] Select the Permissions tab and configure who is allowed to access the new rule set. 15 Click OK to close the Add New Rule Set window. The rule set is inserted in your rule set system. 16 Click Save Changes.
List maintenance
Web security rules use lists, such as whitelists and blocking lists, for retrieving information on web objects and users. This section tells you how to maintain these lists. There are several ways to access a list:
Lists tab          Select the Lists tab and navigate to a list.
Rule Sets tab      Select the Rule Sets tab and click a list name in a rule name or rule criteria.
Search function    Click the Search button and use the Search objects function for lists.
Lists tab
Use the Lists tab to maintain lists on the appliance. It is selected from the Policy top-level menu.
Figure: Lists tab, showing the Lists toolbar and the Lists tree
The main elements of the tab are:
Lists toolbar           Items for working with the lists on the Lists tree
Lists tree              Tree structure displaying the lists of the appliance configuration
List entries toolbar    Items for working with list entries
List entries            Entries of the currently selected list
List types
The following types of lists exist on the appliance:
Custom lists    These lists can be modified by you. They are displayed on the upper branch of the Lists tree on the Lists tab. Custom lists include string, number, category, and other types of lists. Different list types can require different methods of maintaining them.
System lists    These lists cannot be modified. They are displayed on the lower branch of the Lists tree on the Lists tab. System lists include category and media type lists.
Inline lists    These lists can also be modified, but they do not appear on the Lists tab. They appear inline as part of the settings of a configuration item, for example, as part of the settings of a network protocol.
Add a list
Complete the following procedure to add a list to the appliance configuration:
1 Go to Policy | Lists.
2 On the Lists tree, go to the position where you want to add the list.
3 Click Add on the toolbar. The Add List window opens, with the Add List tab selected.
4 Use the following items to configure general settings for the list:
Name        Name of the list
Comment     [Optional] Plain-text comments on the list
Type        List for selecting a list type
5 [Optional] Select the Permissions tab and configure who is allowed to view the list and edit it.
6 Click OK. The Add List window closes and the new list appears on the Lists tree.
7 Click Save Changes.
You can now fill the list with entries. For more information, see Access restrictions and Add list entries.
String window.
Note: How an entry is added to a list depends on the list type. For example, if the type is String, you can add entries by typing strings in the String field of the Add String window. If the type is MediaType, you need to select an entry from a media type folder, which is part of a system of folders. For the String and Wildcard Expression types, there is the option to add multiple entries in one go by clicking Add multiple and typing the text for each entry on a new line. For wildcard expressions, there is also an option to test an expression by using the Test button in the corresponding window.
4 Add an entry in the way it is done for a particular type.
5 [Optional] In the Comment field, type a plain-text comment on the list entry.
6 Click OK. The Add <List type> window closes and the entry is added to the list.
7 For more entries, repeat steps 3 to 6 as often as needed.
8 Click Save Changes.
Inline lists
Inline lists do not appear on the Lists tab; they appear inline as part of the settings for a configuration item on the settings pane. Their handling does not differ much from that of normal custom lists. This section gives an example of an inline list and shows you how to work with it.
Forwarding. The list of port forwarding rules appears on the settings pane.
3 Use the items on the toolbar to configure port forwarding rules as needed.
Table 5 Port Forwarding Rules list
Option       Definition
Add          Opens the AddAppliancePortForwarding window for adding a list entry.
Edit         Opens the EditAppliancePortForwarding window for editing a selected list entry.
Delete       Deletes a selected list entry. A window opens to let you confirm the deletion.
Move up      Moves an entry up the list.
Move down    Moves an entry down the list.
Filter       Input field for typing a filtering term to display only matching list entries.
             Note: The filtering function works as soon as you type a character in the field.
When adding or editing rules in the port forwarding inline list, you need to know the meanings of the elements that a rule can have. They are described in the table below, which you also find in the section on port forwarding in the System Configuration chapter of this guide. Corresponding tables are provided in sections on other functions when their configuration involves the use of an inline list.
Table 6 Port Forwarding Rules list
Option              Definition
Source Host         IP address of the host that is the source of web traffic in a port forwarding rule.
Source Port         Port used on this host for outgoing web traffic.
Destination Host    IP address of the host that web traffic from the source host should be directed to.
Destination Port    Port used on this host for web traffic coming in from the source host and port.
Comment             Plain-text comment on the port forwarding rule
Settings tab
Use the Settings tab to configure actions and engines on the appliance. It is selected from the Policy top-level menu.
Figure: Settings tab, showing the Settings toolbar, the Settings tree, and the Settings pane
The main elements of the tab are:
Settings toolbar    Items for working with the actions and engines on the Settings tree
Settings tree       Tree structure displaying actions and engines of the appliance configuration
Settings            Settings of the currently selected item on the Settings tree
The Settings toolbar provides the following options:
Table 4-1 Settings toolbar
Option          Definition
Add             Opens the Add Settings window for adding a setting.
Edit            Opens the Edit Settings window for editing a selected setting.
Delete          Deletes a selected setting. A window opens to let you confirm the deletion.
Expand all      Expands all collapsed items on the Settings tree.
Collapse all    Lets all expanded items on the Settings tree collapse.
Types of settings
Two types of settings can be configured on the Settings tab of the user interface:
Action settings    Settings for the actions that rules execute, for example, Block or Authenticate. These settings are mainly configured for specifying the user messages that are sent when actions affect users. Actions that do not affect users have no settings, for example, Continue or Stop Rule Set. You can access these settings on the upper branch of the Settings tree on the tab.
Note: When settings of this type are described in this guide, the section title always contains the words action settings, for example, Authenticate action settings.
Engine settings    Settings for the modules (or engines) that retrieve information for rules. For example, the TrustedSource engine retrieves information to deliver values for the URL.Categories property in URL filtering rules. You can access these settings on the lower branch of the Settings tree on the tab.
Note: When settings of this type are described in this guide, the section title always contains the words engine settings, for example, Antimalware engine settings.
A third type of settings is not configured on the Settings tab:
System settings    Settings of the appliance system, for example, network interface settings or domain name server settings. You can access these settings on the Appliances tab of the Configuration top-level menu.
Note: When settings of this type are described in this guide, the section title always contains the words system settings, for example, DNS system settings.
For more information on action and system settings, see User messages and System Configuration. For more information on engine settings, see the sections on functions with rules using these engines, for example, Virus and malware filtering.
Add settings
When adding settings to the appliance configuration, you do not create them from scratch; instead, you take existing settings, give them a new name, and modify them as needed. Complete the following procedure to add settings:
1 Go to Policy | Settings.
2 From the Actions or Engines branch of the Settings tree, select the settings you want to use as the
them.
8 Click OK and then Save Changes.
Access restrictions
When you add or edit a list, settings, or a rule set in your configuration, you can restrict access to them for users and roles. Complete the following procedure to restrict access for a newly added item:
1 Go to Policy | Lists (or Rule Sets).
2 On the tree structure, go to the position where you want to add the new item.
3 Click Add above the tree structure. The adding window opens.
4 Complete the steps for adding a new item. Then select the Permissions tab.
Three modes of access can be configured: Read and Write, Read, and No Access.
5 Click Add under the Read and Write pane. The Add Role or User window opens.
6 Select a role or a user (or more than one of each type at once) from the list in the corresponding pane. Or type a wildcard expression as the name of a role or user in the Wildcard field.
7 Add as many entries to the Read and Write list as needed. Use the Delete button under the pane to delete entries.
8 Fill the Read and No Access panes in the same way.
9 Use the radio buttons under All others have to configure access for all roles and users that are not
Contents
Filtering users
Database authentication
Cookie authentication
Quotas and coaching
Administrator accounts
Filtering users
Users can be filtered on the appliance, which means you can allow web access only for those who are able to authenticate. Administrators need to have accounts with roles and privileges. This gives you control over who is active in your network. The sections of this chapter explain how to configure the authentication process, for example, by joining the appliance to a Windows domain to retrieve user information, or by using an LDAP or a RADIUS server, or a database on another server. They also explain how to guide users by configuring quotas for their web usage and coaching them. And they tell you how to set up accounts and roles for administrators and grant them privileges.
Configure quotas and coaching
To restrict web usage for the users of your network, you can configure time and volume quotas and coach their web access. Overriding quotas is possible if users authenticate.
Manage administrator accounts
You can set up accounts for administrators in addition to the one that exists after the initial setup. A role concept allows you to create roles and grant different access privileges to each of them. For example, you can let an administrator only view the dashboard or access lists, but not rules, and so on.
For general information on filtering rules and user messages, see Rules and Rule Sets and User messages. For more information on user filtering, see Database authentication, Cookie authentication, Quotas and coaching, and Administrator accounts.
When the user sends an authentication request including credentials, all implemented rules of the request cycle are processed again. When it comes to processing the authentication rules, the credentials are checked to see if they are sufficient to authenticate the user. If this is the case, the process continues as follows: User is authenticated? Yes. Processing continues with the next rules in the request cycle. If the request is not blocked by any of these, it is passed on to the appropriate web server.
The authentication process uses the elements of an authentication rule in different ways. The rule criteria are processed to find out whether a user is already authenticated. The rule action eventually requests the user to authenticate.
The meaning of the Authentication.Authenticate property could be rendered as having been authenticated. The criteria could then be rephrased as follows: Having been authenticated is false (for the user who sent the request).
Property
A property is something related to a web object or a user. In this rule, having been authenticated is a property of the user who sent a request. Property names usually have two or more parts. For the Authentication.Authenticate property, the Authentication part indicates that the property has something to do with authentication in general. The Authenticate part denotes a particular aspect of authentication, like having been authenticated.
Settings
The sample rule also contains two terms in angle brackets: <User Database> and <Default>. Terms in angle brackets are always settings in rules on the appliance. The <User Database> settings appear next to the property Authentication.Authenticate. They are the settings of the module that this property relies on for being assigned a value. The authentication module retrieves information from a database to let the rule know that Authentication.Authenticate (being authenticated) has the value false for a given user. The module settings are <User Database> in this rule, which means the module is to retrieve user information from the local user database. The rule action, which is Authenticate, has <Default> as its settings. Settings of an action are mainly for specifying a particular message that is sent to users who are affected by the action.
Database authentication
Different methods can be configured on the appliance for authenticating users. Each of them retrieves the information needed for this authentication in a different way. This section explains how to configure the following methods:
NTLM                    Uses a database on a Windows domain server.
NTLM-Agent              Uses an external agent on a Windows-based system for applying the NTLM authentication method.
User database           Uses an internal database on the appliance.
LDAP                    Uses a database on an LDAP server.
Novell eDirectory       Uses data from a directory on a server that takes the role of an LDAP server.
RADIUS                  Uses a database on a RADIUS server.
Kerberos                Uses a database on a Kerberos server.
Authentication server   Uses a database on another external server.
An authentication rule in a rule set specifies settings for the authentication module. Accordingly, the module uses one of these methods to retrieve user information. So, to configure an authentication method, do the following:
Make sure an authentication rule set is implemented    An authentication rule set is not implemented on the appliance after the initial setup, but you can import one from the appliance library or create a rule set of your own.
Configure settings for the authentication module       The settings of the authentication module include an option for selecting an authentication method. You can configure additional settings to determine the way the module executes the method.
For more information, see Implementation of an authentication rule set and Configure an authentication method.
Note: Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist in an appliance configuration.
6 Click OK. The rule set appears in the rule sets tree.
7 Disable the nested authorization rule set, which is not needed for implementing authentication:
a Go to Policy | Rule Sets and expand the Authenticate and Authorize rule set.
b Select the nested Authorize rule set and deselect Enable on the settings pane.
8 Click Save Changes.
For more information on the rule set and both its nested rule sets, see Authenticate and Authorize library rule set.
If you want to keep the User Database authentication method, you can still review the other options of the settings and modify them. When you are done, click Save Changes. If you want to use a different method, continue with steps 3 to 5.
3 Under Authentication Method, select a method, for example, NTLM.
4 Configure settings for this method.
5 Click Save Changes.
Note: If you have changed the authentication method, it is recommended that you rename the settings, the authentication rule, and the nested rule set accordingly. For example, rename the settings to NTLM and both the rule and the nested rule set to Authenticate with NTLM.
For more information on the rule set, see Rules and Rule Sets. For the settings, see Configure an authentication method.
For more information, see Authentication engine settings and Join the appliance to a Windows domain.
Authentication Method
Settings for selecting an authentication method. You can select one of the following:
NTLM
NTLM-Agent
User Database
LDAP
Novell eDirectory
RADIUS
Kerberos
Authentication Server
After selecting a method, the settings that are specific to this method appear below the Common Authentication Parameters.
Note: The specific settings are described here after the Common Authentication Parameters, using the above order.
Authentication Test
Settings for testing whether a user with given credentials would be authenticated.
User                 User name that is tested
Password             Tested password
Authenticate User    Executes the test.
Test result          Displays the outcome of the test.
Get global groups    When selected, information on global user groups is searched for on the Windows domain server.
Get local groups     When selected, information on local user groups is searched for on the Windows domain server.
Prefix group name with domain name (domain\group)    When selected, the name of the Windows domain appears before the name of the user group when authentication information on this group is sent from the domain server.
Enable basic authentication    When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.
Enable integrated authentication    When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.
Enable NTLM cache    When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.
NTLM cache TTL       Time (in minutes) that authentication information is stored in this cache
International text support    Set of characters used by default for a request sent from a client, for example, ISO-8859-1
Default NTLM domain, Get global groups, ...    The remaining parameters have the same usage and meanings as for the NTLM authentication method. For more information, see NTLM Specific Parameters.
List of certificate authorities    List of certificate authorities for providing certificates when a Secure LDAP (S-LDAP) connection is used for communication with the LDAP server. The table below describes the list entries. Use the buttons provided here to add and edit entries. For general information on how to maintain lists, see List maintenance.
Table 5-1 Certificate authorities list
Option                         Definition
Certificate                    Name of a certificate
Certificate revocation list    List with information on when the certificate becomes invalid and URI used to access it
Trusted                        Information on whether the certificate is trusted on the appliance
Comment                        Plain-text comment on the certificate
Credentials    User name of the appliance for logging on to the LDAP server
Password       Password for that user name. Clicking Set opens a window for configuring a new password.
International text support    Set of characters used by default for a request sent from a client, for example, ISO-8859-1
Enable LDAP version 3    When selected, version 3 of the LDAP protocol is used.
Allow LDAP library to follow referrals    When selected, the lookup of user information can be redirected from the LDAP server to other servers.
Connection live check    Time (in minutes) to elapse between checks to see whether the connection to the LDAP server is still active
LDAP operation timeout    Time (in seconds) to elapse before the connection to the LDAP server is closed if no communication occurs
Base distinguished name to user objects    Distinguished name (DN) in the directory on the LDAP server where the lookup of user attributes should begin
Map user name to DN    When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server.
Filter expression to locate a user object    Filtering term for restricting the lookup of user attributes. To substitute the user name in the filtering term, u% is used as a variable.
Get user attributes    When selected, user attributes are looked up on the LDAP server to authenticate a user.
User attributes to retrieve    List of user attributes to retrieve from the LDAP server. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.
Table 6 User attributes list
Option     Definition
String     User attribute
Comment    Plain-text comment on the user attribute
Attributes concatenation string    String for separating user attributes found by the lookup, for example, / (slash)
Get groups attributes    When selected, user group attributes are also looked up on the LDAP server to authenticate a user.
Base distinguished name to group objects    Distinguished name (DN) in the directory on the LDAP server where the lookup of group attributes should begin
Filter expression to locate a group object    Filtering term for restricting the lookup of group attributes. To substitute the user name in the filtering term, u% is used as a variable.
Group attributes to retrieve    List of group attributes to retrieve from the LDAP server. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.
Table 7 Group attributes list
Option     Definition
String     Group attribute
Comment    Plain-text comment on the group attribute
Attributes concatenation string    String for separating group attributes found in the lookup, for example, / (slash)
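The user and group filter expressions above both take the user name through the u% variable. The following Python, added here as an illustration and not part of the appliance or this guide, shows that substitution together with the RFC 4515 escaping a value needs before it is placed in a filter, so that a name containing filter metacharacters cannot change the structure of the lookup. The filter templates and user names are constructed samples.

```python
"""Substitute a user name for the u% variable in an LDAP filter expression,
escaping the value per RFC 4515. Added example, not appliance code; the
filter templates below are constructed samples in the style of the
'Filter expression to locate a user object / group object' settings."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed sample templates (hypothetical attribute names).
USER_FILTER = "(&(objectClass=person)(sAMAccountName=u%))"
GROUP_FILTER = "(&(objectClass=group)(memberUid=u%))"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user_name: str) -> str:
    """Replace every u% in the template with the escaped user name."""
    if "u%" not in template:
        raise ValueError("filter template contains no u% variable")
    return template.replace("u%", escape_filter_value(user_name))


def assertion_count(ldap_filter: str) -> int:
    """Number of unescaped '(' in a filter, i.e. how many components it has.
    Used to check that substituting a name never adds components."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(":
            count += 1
        i += 1
    return count


def lookup_filters(user_name: str) -> dict:
    """Filters a lookup in the style described above would send for one user:
    the user object first, then group objects (when group attributes are fetched)."""
    return {
        "user": build_filter(USER_FILTER, user_name),
        "group": build_filter(GROUP_FILTER, user_name),
    }


if __name__ == "__main__":
    for name in ("jdoe", "*)(objectClass=*"):
        f = build_filter(USER_FILTER, name)
        print(f"{name!r:22} -> {f}  components={assertion_count(f)}")
```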
List of certificate authorities, Credentials, ...    Other parameters for the Novell eDirectory authentication method have the same usage and meaning as the parameters used under the same names for the LDAP authentication method. In addition to these, you need to configure the following parameters:
eDirectory network address attribute    Name of the attribute that provides the network addresses used for the eDirectory server.
eDirectory network login time attribute    Name of the attribute that provides the login time used on the eDirectory server.
eDirectory network minimal update interval    Time to elapse (in seconds) before information from the eDirectory server is updated.
For more information, see LDAP Specific Parameters.
Default domain name    Name of the domain that information is retrieved from if no other domain is specified
Shared secret    Password used by the appliance to get access to the RADIUS server
Radius connection timeout in seconds    Time (in seconds) to elapse before the connection to the RADIUS server is closed if no traffic occurs
International text support    Set of characters used by default for a request sent from a client, for example, ISO-8859-1
Value of attribute with code    Code value for the attribute retrieved with the user group information, according to RFC 2865. For example, 25 is the code for the Class attribute.
Vendor specific attribute with vendor ID    Vendor ID for retrieving vendor-related data in the search for user group information. According to RFC 2865, the vendor ID is a part of the Vendor-Specific attribute, followed by a number of subattributes. Its code value is 26.
Vendor subattribute type    Code value for the type of subattributes included in a Vendor-Specific attribute, according to RFC 2865. Since not all vendors adhere to this structure, it is recommended to specify 0 as the value here. This allows the authentication module to retrieve all available vendor information.
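As an added illustration of the three attribute settings above (not appliance code and not from this guide), the following Python extracts group information from the attribute list of a RADIUS packet as RFC 2865 lays it out: a plain attribute selected by code, such as Class (25), or sub-attributes of the Vendor-Specific attribute (26) selected by vendor ID and sub-attribute type, where type 0 takes all vendor data, including a vendor string that does not follow the recommended sub-attribute layout. The packet bytes and vendor IDs are constructed samples.

```python
"""Pull group information out of RADIUS attributes (RFC 2865): Class (code 25)
or Vendor-Specific (code 26) sub-attributes. Added example, not appliance code;
SAMPLE_ATTRS and the vendor IDs 1234/5678 are constructed."""
import struct

CLASS = 25
VENDOR_SPECIFIC = 26


def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs.
    Each attribute is Type(1) Length(1) Value; Length covers all three fields."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value: bytes) -> tuple:
    """Return (vendor_id, [(vendor_type, data), ...]) for a Vendor-Specific value.
    RFC 2865 recommends Vendor-Type(1) Vendor-Length(1) data sub-attributes but
    does not require them; a string that does not parse that way is returned
    whole under the pseudo-type 0 (compare the 'specify 0' advice above)."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    rest = value[4:]
    subs = []
    pos = 0
    while pos < len(rest):
        if pos + 2 > len(rest):
            return vendor_id, [(0, rest)]
        vtype, vlen = rest[pos], rest[pos + 1]
        if vlen < 2 or pos + vlen > len(rest):
            return vendor_id, [(0, rest)]
        subs.append((vtype, rest[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def group_values(data: bytes, attr_code: int = CLASS,
                 vendor_id: int = None, sub_type: int = 0) -> list:
    """Strings usable as group information, selected by attribute code and,
    for code 26, additionally by vendor id and sub-attribute type (0 = all)."""
    values = []
    for atype, val in parse_attributes(data):
        if atype != attr_code:
            continue
        if atype != VENDOR_SPECIFIC:
            values.append(val.decode("utf-8", "replace"))
            continue
        vid, subs = parse_vsa(val)
        if vid != vendor_id:
            continue
        for vtype, sub in subs:
            if sub_type == 0 or vtype == sub_type:
                values.append(sub.decode("utf-8", "replace"))
    return values


# --- constructed sample attribute list ------------------------------------
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    sub = bytes([vtype, len(data) + 2]) + data
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


SAMPLE_ATTRS = (
    _attr(CLASS, b"OU=staff")
    + _attr(CLASS, b"OU=admins")
    + _vsa(1234, 1, b"Domain Users")                                         # well-formed sub-attribute
    + _attr(VENDOR_SPECIFIC, struct.pack("!I", 5678) + b"raw group string")  # no sub-attribute layout
)

if __name__ == "__main__":
    print(group_values(SAMPLE_ATTRS))                            # Class values
    print(group_values(SAMPLE_ATTRS, VENDOR_SPECIFIC, 1234, 1))  # vendor 1234, sub-type 1
    print(group_values(SAMPLE_ATTRS, VENDOR_SPECIFIC, 5678, 0))  # sub-type 0 returns the raw string
```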
For more information, see Kerberos Administration system settings.
Kerberos Administration system settings
Settings for the Kerberos authentication method
Key tab file    Input field for entering the file that contains the key required to access the Kerberos server. You can type a file name or use the Browse button to browse to the file and enter it in the field.
Kerberos realm    Location of the Kerberos server
Maximal time difference between appliance and client    Time (in seconds) to elapse between requests and responses in the communication between both
Note: Configuring Kerberos as the authentication method can lead to problems when particular browsers are used for sending requests:
When Microsoft Internet Explorer is used in a version lower than 7.0, Kerberos authentication might not be possible at all.
When this browser runs on Windows XP, Kerberos authentication might not work as expected.
When Mozilla Firefox is used, Kerberos authentication must be configured in the browser settings to enable this authentication method.
of this domain.
Note: Repeat steps 3 to 5 to add multiple domains.
6 Use the other icons on the toolbar to work with the list:
Modify     Opens a window to let you modify a domain entry.
Leave      Removes a domain from the list and lets the appliance leave this domain.
Filter     Lets you enter a filtering term to display only domains with matching names.
Refresh    Refreshes the list.
For more information, see Join the appliance to a Windows domain and Configure an authentication method.
Password
The following rule sets are nested in this rule set:
Authenticate with User Database
Authorize
Process flow
The rule set contains the following rule:
Authenticate with User Database
Authentication.Authenticate<User Database> equals false > Authenticate<Default>
The rule uses the Authentication.Authenticate property to check whether a user who sends a request is authenticated. Settings that have the internal user database configured as the authentication method are specified with the property. If a user has not been authenticated by information from the internal database, the rule applies. Processing stops and the user is asked to authenticate. Processing continues when the next request is received, which can be an authentication request by the same user.
The rule set contains the following rule:
Only allow users of Allowed User Groups
Authentication.Attributes none in list Allowed User Groups > Block<AuthorizedOnly>
The rule uses the Authentication.Attributes property to allow access only to users who are members of a group on the specified whitelist. If a user is not in one of the groups on the list, the rule applies and stops processing of all rules. The request is not passed on to a web server and is blocked this way. The action settings specify that a notification is sent to the requesting user. Processing continues when the next request is received.
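The following Python is an added toy model, not the appliance's rule engine, of how the two library rules above are processed: a rule reads Property<Settings> operator parameter > Action<Settings>, rules run in order, and an action such as Authenticate or Block stops processing of the request. The user database, the Allowed User Groups list and the user names are constructed samples; the settings for the Authentication.Attributes rule are not shown on this page and are left empty here.

```python
"""Toy model of the Authenticate and Authorize rules (added illustration,
not the appliance's rule engine). USER_DATABASE and LISTS are constructed
stand-ins for the <User Database> settings and the Allowed User Groups list."""
from dataclasses import dataclass
from typing import Optional

USER_DATABASE = {"alice": ["staff"], "bob": ["guests"]}
LISTS = {"Allowed User Groups": ["staff", "admins"]}


@dataclass
class Request:
    user: Optional[str] = None   # user name known from credentials, if any
    authenticated: bool = False  # set once the credentials were verified


def authenticate_property(req: Request, settings: str) -> bool:
    """Authentication.Authenticate: was the user authenticated by the module
    configured in the settings? Only the local user database is modelled."""
    if settings != "User Database":
        raise ValueError(f"unsupported authentication settings {settings!r}")
    return req.authenticated and req.user in USER_DATABASE


def attributes_property(req: Request, settings: str) -> list:
    """Authentication.Attributes: the groups retrieved for the user (settings unused here)."""
    return USER_DATABASE.get(req.user, []) if req.authenticated else []


PROPERTIES = {
    "Authentication.Authenticate": authenticate_property,
    "Authentication.Attributes": attributes_property,
}

OPERATORS = {
    "equals": lambda value, param: value == param,
    "none in list": lambda value, param: not (set(value) & set(LISTS[param])),
}

STOPPING_ACTIONS = {"Authenticate", "Block"}  # an action like Continue would not stop


@dataclass
class Rule:
    name: str
    prop: str
    prop_settings: str
    operator: str
    parameter: object
    action: str
    action_settings: str

    def applies(self, req: Request) -> bool:
        value = PROPERTIES[self.prop](req, self.prop_settings)
        return OPERATORS[self.operator](value, self.parameter)


RULES = [
    Rule("Authenticate with User Database", "Authentication.Authenticate",
         "User Database", "equals", False, "Authenticate", "Default"),
    Rule("Only allow users of Allowed User Groups", "Authentication.Attributes",
         "", "none in list", "Allowed User Groups", "Block", "AuthorizedOnly"),
]


def process_request(req: Request, rules=RULES) -> Optional[tuple]:
    """Run the request cycle: return (rule name, 'Action<Settings>') for the first
    applying rule that stops processing, or None when the request passes on."""
    for rule in rules:
        if rule.applies(req) and rule.action in STOPPING_ACTIONS:
            return rule.name, f"{rule.action}<{rule.action_settings}>"
    return None


if __name__ == "__main__":
    for req in (Request(), Request("bob", True), Request("alice", True)):
        print(req, "->", process_request(req))
```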
Cookie authentication
Users can be authenticated using cookies once they have successfully authenticated on the appliance. This section tells you how to configure cookie authentication and describes a library rule set you can use for this purpose. A rule set with appropriate rules must be implemented on the appliance to enable cookie authentication. The rules of this rule set say that a cookie is stored for a successfully authenticated user and what should be done when this user sends another request. The user then typically does not need to authenticate again. Like other authentication activities, cookie authentication is handled by the authentication module of the appliance.
Note: The size of a cookie grows with the user information it contains. This can cause a problem for the browser you use to log on to the appliance. The Mozilla Firefox browser version 3.5 or higher does not support cookies bigger than 32 KB. So cookie authentication might not work for a user who is a member of many user groups.
To configure cookie authentication, you need to complete the following activities:
Make sure a cookie rule set is implemented    A cookie authentication rule set is not implemented on the appliance after the initial setup, but you can import one from the appliance library or create a rule set of your own.
Configure settings for the authentication module    When the library cookie rule set is imported, settings for this module are also implemented. These include options to enable cookie authentication and for configuring the time that cookies are stored.
For more information, see Import a rule set, Cookie Authentication library rule set, and Configure settings for cookie authentication.
configure. After importing the cookie authentication rule set from the library, the following settings are available:
Local cookie authentication server    Settings for verifying whether a cookie is valid. The library rules specify the Authentication Server method for this. After selecting these settings, the corresponding section of the authentication module appears on the settings pane.
User database at authentication server    Settings for authenticating users who send requests from clients without cookies. According to the library rules, this authentication uses the User Database method. After selecting these settings, the corresponding section of the authentication module appears on the settings pane.
3 Configure these settings as needed.
4 Click Save Changes.
Library rule set    Cookie Authentication
Criteria            Always
Cycle               Requests (and IM)
The following rule sets are nested in this rule set:
Cookie Authentication at HTTP proxy
    Set Cookie Authentication for Authenticated Clients
    Authenticate Clients with Authentication Server
Cookie Authentication at Authentication Server
    Authentication Server Request
The following rule sets are nested in this rule set:
Set Cookie Authentication for Authenticated Clients
Authenticate Clients with Authentication Server
The rule set contains the following rule:
Set cookie and redirect client to the requested URL
Always > Redirect<Redirect back from authentication server>
The rule sets a cookie for a client if the user who sent a request from it has successfully authenticated. It also redirects the client. The action settings specify that a redirect message is sent to the user. Processing continues with the next rule set.
The rule set contains the following rule:
Redirect clients that do not have valid cookie to the authentication server
Authentication.Authenticate<Local cookie authentication server> equals false > Authenticate<Default>
The rule asks users who have no cookies set on their clients to authenticate. Information for this authentication is retrieved from the configured authentication server. The settings for the module that verifies whether a cookie is set are specified with the property. The action settings specify the authentication message that is sent to the user. Processing continues with the next rule set.
The following rule set is nested in this rule set: Authentication Server Request.
The rule set contains the following rules:
Do not authenticate clients that have valid cookies
Auth.Authenticate<Local cookie authentication server> equals true > Redirect<Redirect back from authentication server>
The rule lets authentication be skipped when a user sends a request from a client with a valid cookie. It redirects the client to the requested URL. The settings for the module that verifies the cookies are specified with the property. The action settings specify that a redirect message is sent to the user.
Authenticate against user database
Auth.Authenticate<User database at authentication server> equals false > Authenticate<Default>
The rule asks a user who is not yet authenticated under the configured method to authenticate. The settings for the module that checks whether the user is authenticated are specified with the property. The action settings specify that an authentication message is sent to the user.
Redirect authenticated client to the proxy
Always > Redirect<Redirect back from authentication server>
The rule redirects the client that a user sent a request from. The action settings specify that a redirect message is sent to the user.
An option for using media types is provided when responses are processed and the volume quota is checked. A response is then blocked if:
The configured volume quota is exceeded
AND
The media type sent in response is on a quota list.
Coaching             Length of the coached session time
Time quota           Time length of the quotas
Volume quota         Number of bytes for the quotas
Authorized Override  Time length for sessions that allow users an authorized override
4 Click Save Changes.
For more information on these settings, see Coaching engine settings, Time Quota engine settings, Volume Quota engine settings, and Authorized override engine settings.
Hours and Minutes for Time Quota per Day (Week, Month, or Session Time)
Settings to configure time for the quota according to the selected mode
Hours    Allowed hours per day, week, month, or session
Minutes  Allowed minutes per day, week, month, or session

Hours and Minutes for Volume Quota per Day (Week, Month, or Session Time)
Settings to configure the volume quotas according to the selected mode
Hours    Allowed hours per day, week, month, or session
Minutes  Allowed minutes per day, week, month, or session
User Blocklist for Time Quota
List of user names. When the configured time quota is exceeded, a request is blocked if the user who requests access to an object is on the list.
Type: String
The list is initially empty. The table below describes the list entries.

Table 5-3 User Blocklist for Time Quota
Option   | Definition
String   | User name
Comment  | Plain-text comment on the user
IP Blocklist for Time Quota
List of IP addresses. When the configured time quota is exceeded, a request is blocked if the IP address of the client the request was sent from is on the list.
Type: IP
The list is initially empty. The table below describes the list entries.

Table 5-4 IP Blocklist for Time Quota
Option   | Definition
IP       | IP address
Comment  | Plain-text comment on the IP address
Other lists for quotas and coaching
Other lists are used by the library quota and coaching rules in the same way as the URL Blocklist, the IP Blocklist, and the User Blocklist for Time Quota. When the quota is exceeded, the relevant rule checks whether an object is on a list. If it is, the rule applies, and an action is triggered, for example, a request is blocked. These lists include:
URL Blocklist, IP Blocklist, and User Blocklist for Time Session
URL Blocklist, IP Blocklist, User Blocklist, and Media Type Blocklist for Volume Quota
URL Blocklist, IP Blocklist, User Blocklist, and Media Type Blocklist for Volume Session
URL Blocklist, IP Blocklist, and User Blocklist for Authorized Override
URL Blocklist, IP Blocklist, and User Blocklist for Coaching
The rule set contains the following rules:

Redirecting after authenticating for authorized override
AuthOverride.IsActivationRequest<default> equals true > Redirect<RedirectQuotaBack>
The rule redirects a request and lets a user again access an object after session time has expired and the user has chosen to continue with a new session. The user must authenticate before being again allowed access. The settings of the module that handles the authorized override are specified with the property. The action settings specify that a message about the redirect and the need to authenticate is sent to the user.

Authorized Override for URLs that are in URL Blocklist for Authorized Override
URL.Categories<Default> at least one in list URL Blocklist for Authorized Override AND AuthOverride.SessionExceeded<default> equals true > Block<ActionAuthOverBlocked>
The rule informs the user that session time has expired if the category of the requested URL is on a quota list. It allows the user to authenticate and continue. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify a message to the requesting user.

Other rules
Two more rules in the rule set do the same as the URL-based rule if the client IP address of a request or the user is on a quota list.
Note: These rules are not initially enabled.
The rule set contains the following rules:

Redirecting after starting new time session
TimeQuota.IsActivationRequest equals true > Redirect<RedirectQuotaBack>
The rule redirects a request and lets a user again access an object after session time has expired and the user has chosen to continue with a new session. The action settings specify a message to the requesting user.

Time session counting for URLs that are in URL Blocklist for Time Session
URL.Categories<Default> at least one in list URL Blocklist for Time Session AND TimeQuota.SessionExceeded<default> equals true > Block<ActionTimeSessionBlocked>
The rule informs the user that session time has expired if the category of the requested URL is on a quota list. It provides an option to continue with a new session. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify a message to the requesting user.

Time session counting for URLs that are in URL Blocklist for Time Session
URL.Categories<Default> at least one in list URL Blocklist for Time Session AND TimeQuota.SessionExceeded<default> equals true > Block<ActionTimeQuotaBlocked>
The rule blocks a request if the time quota is exceeded and the category of the requested URL is on a quota list. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify a message to the requesting user.

Other rules
Two more rules of the rule set do the same as the last two (URL-based) rules if the client IP address of a request is on a quota list. One rule provides an option for a new session if quota time is still left, the other blocks if time is completely exhausted. Two more rules do the same if the requesting user is on a quota list.
Note: These rules are not initially enabled.
The rule set contains rules that do the same as the rules of the Time Quota rule set, after checking volume quotas instead of time quotas. It contains two more (not initially enabled) rules for media type handling. These do the same for media types as the corresponding rules for users, IP addresses, and URLs. One of them provides an option for a new session if quota time is still left and the media type sent in response is on a quota list, the other blocks if time is completely exhausted and the media type is on the list.
The rule set contains the following rules:

Redirecting after starting new coaching session
Coaching.IsActivationRequest<default> equals true > Redirect<RedirectQuotaBack>
The rule redirects a client and lets a user again access an object after session time has expired and the user has chosen to continue with a new session. The settings of the module that handles the authorized override are specified with the property. The action settings specify a message to the requesting user.

Coaching for URLs that are in URL Blocklist for Coaching
URL.Categories<Default> at least one in list URL Blocklist for Coaching AND Coaching.SessionExceeded<default> equals true > Block<ActionCoachingBlocked>
The rule displays a coaching page informing the user that session time has expired if the category of the requested URL is on a quota list. It leaves it to the user to continue. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify that a coaching page is sent to the user.

Other rules
Two more rules in the rule set do the same as the URL-based rule if the client IP address of a request or the user is on a quota list.
Note: These rules are not initially enabled.
Administrator accounts
Administrator accounts can be set up and managed on the appliance or on an external server. This section tells you how to do this and how to create administrator roles with different access privileges for administrators.
Note: On the Administrator Accounts tab, an administrator and a role have already been inserted at the initial setup.
2 Under Internal Administrator Accounts, click Add. The Add Administrator window opens.
3 Add a user name, a password, and other settings for the account. Then click OK.
4 Click OK and then Save Changes.
window opens.
Note: You can use the Filter input field to type a filtering term and display only accounts with matching names.
3 Edit the settings of the account as needed.
4 Click OK and then Save Changes.
[Optional] Name Real name of the person that the account is set up for
Administrator roles
You can set up roles and use them to configure administrator accounts.
Note: On the Administrator Accounts tab, an administrator and a role have already been inserted after the initial setup.
2 Under Roles, click Add to add a role. The Add Role window opens.
3 In the Name field, type a role name.
4 Configure access rights for the dashboard, rules, lists, and other items.
5 Use the Edit and Delete icons to edit and delete roles.
Note: The added and modified roles also appear in the list of administrator roles under Internal Administrator Accounts, and the deleted ones disappear from it.
6 Click OK and then Save Changes.
settings appear.
3 Under Authentication Server Details, configure settings for the external server. These settings determine the way the authentication module on the appliance retrieves information from that server.
4 Use the settings under Authentication group = role mapping, to map user groups and individual
Click OK.
Note: You can use the Edit and Delete icons to edit and delete roles.
e Click OK and then Save Changes.
For information on the settings for the authentication server, see Authentication engine settings.
Web Filtering
Contents
Filtering web objects
Virus and malware filtering
URL filtering
Media type filtering
HTML filtering
Global whitelisting
SSL scanning
Supporting functions
User messages
The sections of this chapter explain these activities in detail for individual filtering functions. They assume that you have read the Rule and Rule Sets chapter, which provides general information on handling rules and how they use filter lists and modules. For more information, see these sections, for example, Virus and malware filtering, and also Rules and Rule Sets and User messages.
Whitelists are created at the initial setup of the appliance together with the corresponding rules and rule sets. You can also create lists of your own. The procedures used to maintain whitelists differ according to the list type. For example, you can add URLs to a whitelist for URLs by typing them into the list. When adding media types, however, you select them from folders with media type groups. For more information, see Add a URL to a virus and malware filtering whitelist, Add a media type to a virus and malware filtering whitelist, and Sample whitelists for virus and malware filtering.
URLs, for example, AV URL Whitelist. The list entries appear on the settings pane.
3 Click Add. The Add Wildcard Expression window opens.
4 In the Wildcard expression field, type a URL.
Note: To add multiple URLs at once, click Add multiple and type every URL in a new line.
5 [Optional] In the Comment field, type a comment on the URL.
6 Click OK. The window closes and the URL appears on the whitelist.
7 Click Save Changes.
filtering whitelist for media types, for example, AV Media Type Whitelist. The list entries appear on the settings pane.
3 Click Edit. An Edit window opens. It displays a list of group folders with media types.
4 Expand the group folder with the media type you want to add, for example, Document, and select
AV Media Type Whitelist
Library list of media types that are allowed to skip virus and malware filtering
Type: Wildcard Expression
Initial entries:
application/ogg        Audio/Video files in OGG format
application/vnd.ms-af  Microsoft Multimedia Container
and others
The table below describes the list entries.

Table 6-2 AV Media Type Whitelist
Option      | Definition
Media type  | Media type that is allowed to skip filtering. For example, application/ogg, audio/mp4, video/mpeg.
Comment     | Plain-text comment on the media type
The module has three submodules, which can run in different combinations. Each submodule uses different methods to detect infections in web objects.
McAfee Gateway Anti-Malware  Uses proactive methods. You can configure several advanced settings for this submodule, however not for the other two.
McAfee Anti-Malware  Uses virus signatures. In contrast to the proactive methods, virus signatures can only be applied to detect viruses that are already known.
Avira  Provides the scanning methods of a third-party product.
The submodules and their methods can be combined into scanning modes as follows:
Mode a: proactive + signatures + third-party
Mode b: proactive + signatures
Mode c: signatures only
Other module settings are for the AV PreScan option, which reduces the scanning load, or the Mobile Code Behavior option, which lets you set a level of strictness in classifying code. For more information, see Configure the Antimalware module and Antimalware engine settings.
Gateway AntiMalware.
3 Configure these settings as needed.
Select Scanning Engines  For selecting the scanning mode.
Mobile Code Behavior  For configuring the risk of obtaining false positives and false negatives when classifying mobile code.
Advanced Settings  For all submodules.
Advanced Settings for McAfee Gateway Anti-Malware  For this submodule only.
4 Click Save Changes.
Select Scanning Engines
Settings for selecting a combination of submodules to determine the scanning mode
McAfee Gateway Anti-Malware including McAfee Anti-Malware  When selected, these two submodules and Avira are active. Web objects are then scanned using: proactive methods + virus signatures + third-party module functions
McAfee Gateway Anti-Malware including McAfee Anti-Malware without Avira  When selected, only the first two submodules are active. Web objects are then scanned using: proactive methods + virus signatures
McAfee Anti-Malware only  When selected, only this submodule is active. Web objects are then scanned using: signatures only

Mobile Code Behavior
Settings for configuring a risk level in classifying mobile code
The risk level can take values from 60 to 100. A low value means the risk in proactively scanning the behavior of mobile code and not detecting that it is malware is low because the scanning methods are applied very strictly. Mobile code will then be classified as malware even if only a few criteria of being potentially malicious have been detected. This can lead to classifying mobile code as malware that is actually not malicious (false positives). While more proactive security is achieved with a stricter setting, accuracy in determining which mobile code is really malicious will suffer. Consequently, the appliance might block web objects that you want to get through to your users. A high value means the risk in not detecting malicious mobile code is high (more false negatives), but more accuracy is achieved in classifying mobile code correctly as malicious or not (fewer false positives).
Classification threshold  Slider scale for setting a risk level as described above. Minimum value (maximum proactivity): 60. Maximum value (maximum accuracy): 100.

Advanced Settings
Settings for all submodules.
Enable AV PreScan  When selected, performance of the submodules is improved by reducing the load sent to them for scanning.
Note: This option is by default selected. It is generally recommended not to change this setting.
Advanced Settings for McAfee Gateway Anti-Malware Settings applying only to the McAfee Gateway Anti-Malware submodule.
Note: The following options are by default selected. It is generally recommended not to change these settings. (General Settings)
Settings for some general scanning methods.
Enable Artemis queries  When selected, queries regarding infected objects are also performed on an Artemis database.
Enable heuristic scanning  When selected, heuristic methods are used in scanning web objects.
Enable detection for potentially unwanted programs  When selected, web objects are also scanned for potentially unwanted programs.
Enable mobile code scanning  When selected, mobile code is scanned in general.
Note: Individual settings can be configured under Scan the following mobile code types.

Scan the following mobile code types
Settings for including different types of mobile code in the scanning.
Windows executables  When selected, these are scanned. Once downloaded from the web or received by email, these executables can become a threat when launched because they run with all the privileges of the current user.
JavaScript  When selected, this is scanned. JavaScript code can be embedded virtually anywhere, from web pages and PDF documents to video and HTML files.
Flash ActionScript  When selected, this is scanned. ActionScript code can be embedded in Flash videos and animations and has access to the Flash player and the browser with all their functions.
Java applets  When selected, these are scanned. Java applets can be embedded in web pages. Once activated, they can run at different permission levels, based on a digital certificate and the user's choice.
Java applications  When selected, these are scanned. Java applications run stand-alone with all privileges of the current user.
ActiveX controls  When selected, these are scanned. ActiveX controls can be embedded in web pages and office documents. Once activated, they run with all privileges of the current user.
Windows libraries  When selected, these are scanned. These libraries usually come along with an executable in a setup package or are downloaded from the web by a running executable or by malicious code.
Visual Basic script  When selected, this is scanned. Visual Basic script code can be embedded in web pages or in emails.
Visual Basic for applications  When selected, this is scanned. Visual Basic macros can be embedded in office documents created with Word, Excel, or PowerPoint.
Block the following behavior
Settings for selecting code behavior that leads to blocking.
Data theft: Backdoor  When selected, the following is blocked: Malicious applications that grant an attacker full remote access and control of a victim's system through existing or newly created network channels.
Data theft: Keylogger  When selected, the following is blocked: Malicious applications that hook into the operating system to record and save keyboard strokes. The captured information, such as passwords, is sent back to the attacking party.
Data theft: Password stealer  When selected, the following is blocked: Malicious applications that gather, store, and leak sensitive information, such as the system configuration, confidential data, credentials, and other data for user authentication.
System compromise: Code execution exploit  When selected, the following is blocked: Exploitation of vulnerabilities in any client applications, such as browsers, office programs, or multimedia players, that could allow an attacker to run arbitrary code on the compromised system.
System compromise: Browser exploit  When selected, the following is blocked: Exploits for vulnerabilities in browser applications and plug-ins that could allow the attacker to run arbitrary code, steal sensitive data, or escalate privileges.
System compromise: Trojan  When selected, the following is blocked: Malicious applications that pretend to be harmless or useful, but actually perform malicious activities.
Stealth activity: Rootkit  When selected, the following is blocked: Malicious applications or device drivers that manipulate the operating system and hide the presence of malware on infected systems. After the compromise, files, registry keys, and network connections belonging to the malware processes turn invisible and could be hard to recover.
Viral replication: Network worm  When selected, the following is blocked: Malicious applications or device drivers that self-replicate using email, the internet, peer-to-peer networking, or by copying themselves onto removable media such as USB devices.
Viral replication: File infector virus  When selected, the following is blocked: Self-replicating applications that infect existing files on the hard disk, embedding viral code in order to spread through the newly infected host file.
System compromise: Trojan downloader  When selected, the following is blocked: Malicious applications or script code that download and execute an additional payload from the internet.
System compromise: Trojan dropper  When selected, the following is blocked: Malicious applications that carry a hidden payload and extract and launch it upon execution.
System compromise: Trojan proxy  When selected, the following is blocked: Malicious applications that relay potentially malicious hidden network activity through the compromised system.
Web threats: Infected website  When selected, the following is blocked: Websites that contain injected malicious script code or request additional malicious code as soon as they are opened in a browser. The initial infection might have taken place through an SQL injection attack against the web server.
Stealth activity: Code injection  When selected, the following is blocked: Applications that copy their code into other, often legitimate processes, resulting in a hijacking of the respective privileges and trust. This technique is typically employed by malware that tries to hide its presence on compromised systems and tries to evade detection.
Detection evasion: Obfuscated code  When selected, the following is blocked: Applications that consist of highly scrambled or encrypted code.
Detection evasion: Packed code  When selected, the following is blocked: Applications whose content has been compressed by a run-time packer or protector. Applying a run-time packer to an application changes the way it looks so that it is harder to classify.
Potentially unwanted: Ad-/Spyware  When selected, the following is blocked: Applications that show potentially annoying or unwanted advertisements, but also track and analyze the user's activities and behavior.
Potentially unwanted: Adware  When selected, the following is blocked: Applications that show potentially annoying or unwanted advertisements, but also track and analyze the user's activities and behavior.
Data theft: Spyware  When selected, the following is blocked: Applications that track and analyze the user's activities and behavior, steal sensitive data, and leak this data to the attacker's servers.
Potentially unwanted: Dialer  When selected, the following is blocked: Applications that provide access to content, such as pornography, through a more expensive network connection.
Web threats: Vulnerable ActiveX controls  When selected, the following is blocked: Potentially vulnerable ActiveX controls that are restricted to other, non-browser usage and should not be used on a web page.
Potentially unwanted: Suspicious activity  When selected, the following is blocked: Potentially malicious code that is identified by either non-standard or not fully trusted behavior.
Web threats: Cross-site scripting  When selected, the following is blocked: Malicious scripts that try to exploit access-control vulnerabilities in browsers or web applications to steal user-specific data, such as cookies.
Potentially unwanted: Deceptive behavior  When selected, the following is blocked: Misleading messages, missing code tricks, and fake alerts presented to users. These threats might tell users that their systems are infected with spyware and promote so-called fake AV applications for cleaning.
Potentially unwanted: Redirector  When selected, the following is blocked: Redirecting code that forwards users visiting a website to other, potentially malicious locations. This behavior is often caused by an infection of a previously legitimate website.
Potentially unwanted: Direct kernel communication  When selected, the following is blocked: Applications that directly communicate with the Windows kernel or in kernel mode. These might try to install a rootkit or to destabilize the system.
Potentially unwanted: Privacy violation  When selected, the following is blocked: Potentially malicious code that accesses sensitive or private data. This could result in eavesdropping on your clipboard content or reading registry keys.

Network behavior and DLP
Settings for handling unknown browsers, unwanted programs, and data leakage.
Forbid unknown browsers to download executables  When selected, requests for downloading executables submitted by unknown browsers are blocked.
Block requests sent by PUPs  When selected, requests sent by potentially unwanted programs (PUPs) are blocked.
Treat as request sent by a PUP if probability is at least  Slider scale to set the probability (in percent) for classifying a request as being sent by a potentially unwanted program.
Detect unsolicited POSTs  When selected, unsolicited POST requests, which could enable data leakage, are detected.
> Processing continues with the next rule in the rule set.
Processing of rules stops.
> The object is blocked (and not passed on to the user who requested it). A block message is sent to this user.

If the object were streaming media and on the whitelist, the process flow would be:
Object is URL and on the whitelist? No.
Object is streaming media and on the whitelist? Yes.
> Processing of the rule set stops. This blocking rule is not processed. The object is not scanned for infections.
Object is infected by a virus or other malware?
> (not checked, because processing of the rule set has already stopped)
Blocking rule
The following is an example of a blocking rule for virus and malware filtering.
Name      Block if virus was found
Criteria  Antimalware.Infected<Gateway AntiMalware> equals true
Action    Block<VirusFound>

In plain text, this rule can be rephrased as follows: If an object is infected by a virus or other malware, block access to it.

The key element in the rule criteria is Antimalware.Infected. It is the property that is checked for a given web object. Antimalware.Infected is (equals) true if the object is actually infected by a virus or other malware. The Antimalware module is called to find out whether this is the case. If it is, the criteria is matched and the rule applies. The rule then executes its action, which is the Block action. It blocks access to the object.

The Antimalware.Infected property has the Gateway AntiMalware settings specified for it. This means the module that scans objects for infections runs with these settings. The settings determine, for example, which methods are used for the scanning.

The Block action also has settings specified for it. These settings determine that a message is sent to a user who is affected by the action and what this message looks like. For this virus and malware filtering rule, the VirusFound settings are specified, which means that the message mentions an infection of the requested object as the reason for the blocking. For more information, see Select a different mode for scanning web objects.

Whitelisting rule
The following is an example of a whitelisting rule for virus and malware filtering.
Name      Do not filter specific URLs
Criteria  URL matches in list AV.URL Whitelist
Action    Stop Rule Set

In plain text, this rule can be rephrased as follows: If a URL is on the whitelist for virus and malware filtering, do not process the virus and malware filtering rule set any further.

The property in the rule criteria is URL. When the rule is processed, it is checked for a given URL whether it is on the list (matches in list) specified in the criteria as the AV.URL Whitelist. If it is, the criteria matches and the rule applies. The rule then executes the Stop Rule Set action, which stops processing of the virus and malware filtering rule set and lets all rules of the rule set that follow this whitelisting rule be skipped, including the blocking rule (if placed behind this rule). For more information, see Change the list used by a whitelisting rule.
AntiMalware. The rules of this rule set appear on the settings pane.
3 Make sure Show details (above the list of rules) is enabled and in the criteria of the Block if virus was found rule, select the module settings, for example Gateway AntiMalware. The Edit Settings window opens.
4 Scroll down to the Select scanning engines section and select a combination of submodules that uses a particular scanning mode.
McAfee Gateway Anti-Malware including McAfee Anti-Malware  When selected, these two submodules and Avira are active. > Scanning mode: proactive methods + virus signatures + third-party module functions
McAfee Gateway Anti-Malware including McAfee Anti-Malware without Avira  When selected, only the first two submodules are active. > Scanning mode: proactive methods + virus signatures
McAfee Anti-Malware only  When selected, only this submodule is active. > Scanning mode: signatures only
Note: If you select this mode for the Gateway AntiMalware rule set, you should rename the settings and the rule set, for example, to McAfee AntiMalware settings and rule set respectively, to indicate that a key setting has changed. Alternatively, you can also import the (appropriately named) McAfee AV rule set from the rule set library. This rule set has a blocking rule with module settings that have only the use of the McAfee Anti-Malware module selected. You can then disable or delete the other rule set.
5 Click OK and then Save Changes.
In the Name field, type a name for the new list, for example, My AV URL Whitelist.
d [Optional] In the Comment field, type a plain-text comment on the new list and, on the Permissions tab, configure who is allowed access to it.
e Click OK. The Add List window closes and the new list is inserted on the Lists tree under Wildcard Expression.
2 Go to Policy | Rule Sets.
3 On the Rule Sets tree, select the virus and malware filtering rule set, for example, the Gateway AntiMalware rule set. The rules of this rule set appear on the settings pane.
4 Select the whitelisting rule for URLs, for example, Do not filter specific URLs, and click Edit immediately above the topmost rule. The Edit Rule window opens.
5 Select Rule Criteria and then the rule and click Edit. The Edit Criteria window opens.
6 From the drop-down list under Parameter Value, select the new list.
7 Click OK and Finish to close the open windows. The name of the new list appears in the criteria of
The whitelisting rule for URLs now uses your new list. You can fill this list with URLs to let them skip virus and malware filtering.
The rule set contains the following rules:

Do not filter for viruses if user agent matching a special list
Request.Headers.GetHeader (User-Agent) matches in list UserAgentWhiteList > Stop Rule Set
The rule uses the Request.Headers.GetHeader property to check the User-Agent information that is sent with the header of a request. If the User-Agent in question is on the specified whitelist, processing of the rule set stops, so the blocking rule of the rule set is not processed and cannot block the request. A parameter of the property specifies that it is the User-Agent information that must be checked when the rule is processed.
Note: This rule is not enabled initially.
Do not filter specific URLs URL matches in list AV URL Whitelist > Stop Rule Set The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, processing of the rule set stops and the blocking rule is not processed. Do not filter streaming media URL Categories<Default> contains Streaming Media AND MediaType.Ensured all in list AV Media Type Whitelist > Stop Rule Set The rule uses the URL.Categories property to check whether a given URL belongs to the Streaming Media category. The TrustedSource module, which is called to retrieve category information, runs with the Default settings, as specified with the property. The second part of the criteria uses the MediaType.Ensured property to check if the media type of a web object is found on the specified whitelist. When this property is used, media types are checked that have been ensured to match for their respective objects with a probability of more than 50 %. If the URL belongs to the Streaming Media category and the web object that is located by the URL is of a media type that is on the whitelist, processing of the rule set stops and the blocking rule is not processed.
Block if virus was found
Antimalware.Infected<Gateway AntiMalware> equals true > Block<VirusFound>
Statistics.Counter.Increment (BlockedByAntiMalware,1)<default>
The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware. The Antimalware module, which is called to scan the object, runs with the Gateway AntiMalware settings, as specified with the property. These settings let the module use all three of its submodules and their methods to scan web objects. If the module finds that a web object is infected, processing of all rules stops and the object is not passed on any further. Access to it is blocked this way. In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The VirusFound action settings specify a message that is sent to the requesting user. The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the increment. The event settings specify the settings of the Statistics module, which executes the counting.
The rule set contains the same rules as the Gateway AntiMalware rule set, except for the rule that lets whitelisted streaming media skip the filtering. The process flow in the rule set is also the same. For more information, see Gateway AntiMalware library rule set.
URL filtering
The appliance filters URLs to block inappropriate or malicious content. This section explains the URL filtering process and tells you how to modify it.

URL filtering is controlled by rules. One of these rules says, for example, that access to a URL is blocked if it is on a blocking list. Another rule blocks URLs if they belong to a category that is on a blocking list. This rule calls the TrustedSource module to retrieve category information for URLs from the global TrustedSource intelligence system. A whitelisting rule lets URLs skip URL filtering if they are on the list used by the rule.

Administering the URL filtering process includes the following activities:

Reviewing and modifying the filtering rules
Rules for blocking and whitelisting URLs are contained in a URL filtering rule set. The whitelisting rules are placed and processed before the blocking rules.

Maintaining the filter lists
Each of the filtering rules uses its own list. Since a URL filtering rule set handles only URL filtering, whitelists are needed only for one type of object (URLs), not for several types as in virus and malware filtering.

Maintaining Extended Lists
In addition to the list that is used by the category blocking rule, you can maintain lists on which you enter URLs and assign categories to them yourself. You can then let one of these lists be included in the search when the TrustedSource module retrieves category information on URLs.

Configuring settings for the TrustedSource module
The TrustedSource module retrieves category and other information for URLs from the global TrustedSource intelligence system. Based on this information, the category blocking rule blocks access to URLs or lets them pass through. You can configure settings for this module, for example, to let it include category information retrieved from an Extended List that you provide, or to perform a DNS lookup for URLs and include the corresponding IP address in the search for category information.
For more information, see Rules and rule set for URL filtering, Lists for URL filtering, Extended Lists for blocking URLs per category, and Module for retrieving URL category information.
categories, for example, Category Blacklist. The list entries appear on the settings pane.
3 Click Edit. The Edit window opens. It displays a list of group folders with URL categories.
4 Expand the group folder with the category you want to block, for example, Purchasing, and select the
URL Black List
Library list of individual URLs that are blocked.
Type Wildcard Expression
The list is initially empty. The table below describes the list entries.

Table 6-4 URL Black List
Option               Definition
Wildcard Expression  URL that is blocked (in wildcard expression format)
Comment              Plain-text comment on the URL

URL White List
Library list of individual URLs that are allowed to skip URL filtering.
Type Wildcard Expression
The list is initially empty. The table below describes the list entries.

Table 6-5 URL White List
Option               Definition
Wildcard Expression  URL that is allowed to skip filtering (in wildcard expression format)
Comment              Plain-text comment on the URL
Protocol  Network protocol that must be used if categorization and, where applicable, blocking is to be applied for a URL. For example, if FTP is specified here, categories are not looked up and blocking is never applied when requests for the URL are sent under HTTP or HTTPS.
URL  URL that is categorized.
c Under Categories, click the Edit symbol. An Edit window opens with a list of group folders containing URL categories.
d Expand the folder with the category you want to assign the URL to, for example, Lifestyle, and select the checkbox next to this category, for example, Travel.
Note: Repeat this substep if you want to add more than one category.
e Click OK. The Edit window closes and the category or categories appear on the list in the Add Extended
On the Lists tree under Extended List Element. Under the Extended List options of the Default settings for the TrustedSource engine.
9 Click Save Changes.
The table below describes the list entries.

Table 6-6 Extended List
Option      Definition
Protocol    Network protocol that must be used if categorization and, where applicable, blocking is to be applied for a URL.
URL         URL that is categorized.
Categories  URL categories that the URL is assigned to.
Comment     Plain-text comment on the URL
Extended List  For Extended Lists with URL categorizations of your own.
Rating Settings  For the search mode used when category information is retrieved.
4 Click Save Changes.
Extended List
Settings for Extended Lists.
(Extended Lists list)  List for selecting an Extended List.
Add   Opens the Add List window for adding an Extended List.
Edit  Opens the Edit List (Extended List) window for editing a selected Extended List.
Rating Settings
Settings for the search performed to retrieve information on URLs and their categories.

Search the CGI parameters for rating
When selected, the CGI parameters of a URL are included in the search. CGI parameters in a URL trigger scripts or programs when the URL is accessed. Information on its CGI parameters can affect the categorization of a URL.

Search for and rate embedded URLs
When selected, URLs embedded in a URL are searched for and rated. Information on an embedded URL can affect the categorization of the embedding URL.
Note: Searching for embedded URLs can reduce performance.

Do a forward DNS lookup to rate URLs
When selected, a DNS lookup is performed for a URL that no relevant information has been found for. The IP address that was looked up is used for another search.

Do a backward DNS lookup for unrated IP-based URLs
When selected, a backward (reverse) DNS lookup is performed for a URL that no relevant information has been found for, based on its IP address. The host name that was looked up is used for another search. Without this option, a request that addresses a site by IP address instead of by host name is not matched against information that is stored for the host name.

Only use in-the-cloud rating services
When selected, information is only searched for in the TrustedSource intelligence system, not in the local database of the appliance. The local database contains data retrieved through updates from the TrustedSource system.

Do in-the-cloud rating if local rating yields no results
When selected, information is searched for in the TrustedSource intelligence system if the search in the local database yielded no results.

Use the default TrustedSource server for in-the-cloud rating
When selected, a default server is used to connect to the TrustedSource intelligence system.

IP of the TrustedSource server
IP address of the server used to connect to the TrustedSource intelligence system when the default server is not used.

Port of the TrustedSource server
Port on this server that listens to requests from the appliance.

Force rating attempts to run in synchronous mode
When selected, the search is performed in synchronous mode. This means that if the TrustedSource intelligence system is included, the appliance connects to the TrustedSource server to process a particular request and does not begin processing other requests before the server has responded and processing of the first request has been completed.
Note: Using this option will reduce performance if the TrustedSource server is slow in responding.
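The following Python script is an added example and not code from the appliance or from McAfee: it models the rating cascade that the settings above configure (Extended List, local database, forward and backward DNS lookups, and in-the-cloud rating as the last resort). All data sources are constructed in-memory tables, so it runs offline; the order in which the Extended List and the local database are consulted, the shell-style wildcard matching for Extended List entries, and the table contents are assumptions made for this example. The "Only use in-the-cloud rating services" and synchronous-mode options are not modelled.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed data sources standing in for the real ones (example data only).
# Extended List entries: (protocol, URL pattern without scheme, categories).
EXTENDED_LIST = [("HTTP", "intranet.example.test/*", ["Internal"])]
# Local database: host names and IP addresses with their categories.
LOCAL_DB = {"news.example.test": ["News"], "203.0.113.10": ["Malicious Sites"]}
# In-the-cloud service, only asked when nothing local gave a result.
CLOUD_DB = {"unknown.example.test": ["Gambling"]}
# Stand-ins for the resolver: forward (name -> IP) and backward (IP -> name).
FORWARD_DNS = {"cdn.example.test": "203.0.113.10"}
REVERSE_DNS = {"203.0.113.20": "news.example.test"}


def is_ip(host):
    """True if the URL addresses its site by IP address rather than host name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extended_list_lookup(url):
    """Categories from the administrator's own Extended List, honouring the
    Protocol column: an entry for HTTP does not apply to an FTP request."""
    parts = urlsplit(url)
    target = (parts.netloc + parts.path).lower()
    for protocol, pattern, categories in EXTENDED_LIST:
        if parts.scheme.upper() == protocol and fnmatchcase(target, pattern):
            return categories
    return []


def rate(url, forward_dns=True, backward_dns=True, cloud_if_local_empty=True):
    """Return (categories, source) for url, or ([], None) if it stays unrated.
    The keyword arguments mirror the three Rating Settings options."""
    host = (urlsplit(url).hostname or "").lower()

    categories = extended_list_lookup(url)
    if categories:
        return categories, "extended list"

    categories = LOCAL_DB.get(host, [])
    if categories:
        return categories, "local database"

    # Forward lookup: rate a host name through the IP address it resolves to.
    if forward_dns and not is_ip(host):
        ip = FORWARD_DNS.get(host)
        if ip and ip in LOCAL_DB:
            return LOCAL_DB[ip], "local database via forward DNS"

    # Backward lookup: rate an IP-based URL through the name behind the address.
    if backward_dns and is_ip(host):
        name = REVERSE_DNS.get(host)
        if name and name in LOCAL_DB:
            return LOCAL_DB[name], "local database via backward DNS"

    if cloud_if_local_empty:
        categories = CLOUD_DB.get(host, [])
        if categories:
            return categories, "in-the-cloud rating"

    return [], None


if __name__ == "__main__":
    for u in ("http://intranet.example.test/wiki", "ftp://intranet.example.test/wiki",
              "http://cdn.example.test/x", "http://203.0.113.20/",
              "http://unknown.example.test/"):
        print(u, "->", rate(u), "| no backward DNS:", rate(u, backward_dns=False))
```

The IP-based URL in the sample is the case to watch: with the backward lookup disabled it stays unrated, so a user who types the address instead of the name sidesteps every category that is stored for the host name.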
Name      Block URLs whose category is in URL Category Black List
Criteria  URL.Categories<Default> matches in list CategoryBlackList
Action    Block<URLBlocked>

In plain text, this rule can be rephrased as follows: If a URL belongs to a category that is on a blocking list, block access to it.

The property of the rule criteria is URL.Categories. This property is checked for a given URL, and the TrustedSource module is called to find the categories the URL belongs to. If these are on the specified blocking list, the criteria is matched and the rule applies. The rule then executes its action, which is the Block action. It blocks access to the URL. If a URL belongs to more than one category, it is blocked if any of these categories is on the list.

The URL.Categories property has the Default settings specified for it. This means the module that retrieves the category information runs with these settings. The settings determine, for example, whether a DNS lookup is performed for a URL and category information is also searched for based on the corresponding IP address.

The Block action also has settings. These specify a message that is sent to a user who is affected by the action. For this URL blocking rule, the URLBlocked settings are specified, which means that the message mentions the category that a requested URL belongs to as the reason for the blocking.
The rule set contains the following rules:

Allow URLs in URL White List
URL matches in list URLWhiteList > Stop Rule Set
The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, processing of the rule set stops and the blocking rules that follow the whitelisting rule are not processed.

Block URLs whose category is in URL Category Black List
URL.Categories<Default> at least one in list CategoryBlackList > Block<URLBlocked>
Statistics.Counter.Increment (BlockedByURLFilter,1)<default>
The rule uses the URL.Categories property to check whether one of the categories a given URL belongs to is on the specified blocking list. The TrustedSource module, which is called to retrieve information on these categories, runs with the Default settings, as specified with the property. If one of the URL's categories is on the list, processing of all rules stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way. The URLBlocked action settings specify that the user who requested this access is notified of the blocking. The rule also uses an event to count blocking due to URL filtering. The event parameters specify the counter that is incremented and the increment. The event settings specify the settings of the Statistics module, which executes the counting.

Block URLs matching URL Black List
URL matches in list URLBlackList > Block<URLBlocked>
Statistics.Counter.Increment (BlockedByURLFilter,1)<default>
The rule uses the URL property to check whether a given URL is on the specified blocking list. If it is, processing of all rules stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way. The URLBlocked action settings specify that the user who requested this access is notified of the blocking. The rule also uses an event to count blocking due to URL filtering in the same way as the preceding rule.
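The following Python script is an added example, not code from the appliance or from McAfee. It models the three rules of the URL filtering rule set above in the order they are processed, to show how Stop Rule Set and Block interact: a whitelist match ends the rule set before either blocking rule runs. The category lookup is a constructed table standing in for the TrustedSource module, and wildcard expressions are modelled with shell-style globbing, which is an assumption for this example; the appliance's own wildcard syntax may anchor differently, so check your entries against it.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed stand-in for the categories the TrustedSource module would return.
CATEGORY_DB = {
    "www.example-shop.test": ["Purchasing"],
    "news.example.test": ["News", "Streaming Media"],
    "malware.example.test": ["Malicious Sites"],
}

# Filter lists as an administrator might fill them (example data only).
URL_WHITE_LIST = ["*.example-shop.test/press/*"]
CATEGORY_BLACK_LIST = ["Purchasing", "Malicious Sites"]
URL_BLACK_LIST = ["*.example.test/*.exe"]


def url_matches_list(url, wildcard_list):
    """URL property, 'matches in list': compare host + path with each entry.
    Assumption: entries are written without the scheme, as in the tables above."""
    parts = urlsplit(url)
    target = (parts.netloc + parts.path).lower()
    return any(fnmatchcase(target, pattern) for pattern in wildcard_list)


def url_categories(url):
    """URL.Categories property: categories of the URL's host (constructed data)."""
    return CATEGORY_DB.get((urlsplit(url).hostname or "").lower(), [])


# A rule is (name, criteria, action). "stop_rule_set" ends only this rule set,
# as the whitelisting rule does; "block" ends all processing for the request.
URL_FILTERING_RULE_SET = [
    ("Allow URLs in URL White List",
     lambda url: url_matches_list(url, URL_WHITE_LIST), "stop_rule_set"),
    ("Block URLs whose category is in URL Category Black List",
     lambda url: any(c in CATEGORY_BLACK_LIST for c in url_categories(url)), "block"),
    ("Block URLs matching URL Black List",
     lambda url: url_matches_list(url, URL_BLACK_LIST), "block"),
]


def evaluate_rule_set(rule_set, url):
    """Process the rules top down. Returns (verdict, name of the deciding rule).

    verdict is "block", or "continue" when the request goes on to the next rule
    set, either because no rule matched or because a Stop Rule Set rule matched."""
    for name, criteria, action in rule_set:
        if not criteria(url):
            continue
        if action == "stop_rule_set":
            return "continue", name      # remaining rules of this set are skipped
        if action == "block":
            return "block", name
    return "continue", None


if __name__ == "__main__":
    for u in ("http://www.example-shop.test/press/index.html",   # whitelisted
              "http://www.example-shop.test/cart",               # category block
              "http://dl.example.test/setup.exe",                # URL black list
              "http://news.example.test/today",                  # nothing applies
              "http://evil.test/a.example-shop.test/press/x"):   # wildcard pitfall
        print(u, "->", evaluate_rule_set(URL_FILTERING_RULE_SET, u))
```

The last sample URL is the check worth running against your own whitelist: a leading wildcard that can span the "/" between host and path lets an unrelated host match by putting the whitelisted host name into its path, and because the whitelisting rule comes first, neither blocking rule ever sees that request.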
Upload Media Type Whitelist
Library list of media types that users are allowed to upload to the web.
Type Media Type
The list is initially empty. The table below describes the list entries.

Table 6-8 Upload Media Type Whitelist
Option      Definition
Media type  Media type that is allowed for uploading, for example, application/ogg, audio/mp4, video/mpeg
Comment     Plain-text comment on the media type
Streaming Media
Library system list of streaming media types. It is used by the Block streaming media rule of the Media Type Filtering (download) rule set.
Note: You can only view, not edit this list.
Type Media Type
Initial entries
video/x-la-asf                  Streaming Audio/Video file
application/vnd.tmobile-livetv  Mobile TV data file
video/h261                      H.261 Video Stream
and others
Name      Block types from Media Type Blacklist
Criteria  MediaType.EnsuredTypes at least one in list Media Type Blacklist
Action    Block <MediaType (black list)>

In plain text, this rule can be rephrased as follows: If media belongs to a type that is on a particular blocking list, block access to it.

The rule criteria checks the MediaType.EnsuredTypes property. Media have this property if it can be ensured with a probability of more than 50% that they are of a particular type. This is the case if a signature from an internal list on the appliance is found in the object code of the media. The type is thus derived from the content itself and not taken from the Content-Type header that a server sends with it, which a server could set to any value. For media that have their types ensured in this sense, the rule looks up the specified blocking list to see whether they are on it. If they are, the criteria is matched and the rule applies. If media belong to multiple types, one of them being on the list is sufficient for the criteria to match. The rule then executes the Block action. Processing of all rules stops and the media is not passed on to the user who requested it. This way, access to it is blocked. The settings of the Block action specify a message that is sent to a user who is affected by the action. The message mentions the media type as the blocking reason.
For information on other properties, see the List of properties in the appendix. For a procedure to let a rule use a different property, see Change the property in a media type filtering rule.
window opens.
c In the Name field, type a name for the new list, for example, Not Ensured Media Type Blocking List.
d [Optional] In the Comment field, type a plain-text comment on the new list and on the Permissions tab, configure who is allowed to access it.
e Click OK. The Add List window closes and the new list is inserted on the Lists tree under Media Type.
2 Go to Policy | Rule Sets.
3 On the Rule Sets tree, select the rule set for media type downloads, for example, Media Type Download.
4 Select a blocking rule, for example, Block Types from Media Type Blacklist, and click Edit immediately above the topmost rule. The Edit Rule window opens.
Note: If you want to have two rules, one for blocking ensured and another for blocking not ensured media types, copy the existing blocking rule for ensured media types, insert it into the rule set, and modify the inserted rule.
5 Select Rule Criteria and then the rule and click Edit. The Edit Criteria window opens. 6 From the drop-down list under Property select a new property, for example,
List.
8 Click OK and Finish to close the open windows. The new property and list name appear in the criteria
The rule now blocks not ensured media types from your new list. You need to fill this list with entries, so the rule knows what to block.
Two rule sets are nested in this rule set:
Media Type (upload)
Note: This rule set is not enabled initially.
Media Types (download)

Media Type Filtering (upload) library rule set
This rule set allows the upload of whitelisted media types. It is processed in request cycles when users request to upload media to the web.

Nested library rule set  Media Type Filtering (upload)
Criteria  Always
Cycle  Requests (and IM)

The rule set contains the following rule:

Only allow types from Upload Media Type Whitelist
MediaType.Ensured at least one in list Upload Media Type Whitelist > Stop Rule Set
The rule uses the MediaType.Ensured property to check whether media that have their type ensured with a probability of more than 50% are on the specified whitelist. If they are, processing of the rule set stops. It is continued with the next rule set.
Media Type Filtering (download) library rule set This rule set blocks the download of media types if they are on a blocking list and according to some other criteria. It is processed in response cycles when media are sent from the web for download in response to user requests. It is also processed in embedded object cycles when media are sent embedded in responses.
Nested library rule set Media Type Filtering (download) Criteria Always Cycle Responses and embedded objects
The rule set contains the following rules:

Enable Composite Opener
Always > Continue
Enable Composite Opener
The rule triggers an event that enables the composite opener. This module opens composite web objects, for example, archives, to make media types embedded in them accessible to further filtering. The rule is always applied, which means the opener is always enabled. It is placed before the filtering rules proper. When its event has been executed, processing continues with the next rule in the rule set.

Block types from Media Type Blacklist
MediaType.Ensured at least one in list Media Type Blacklist > Block <MediaType (black list)>
The rule uses the MediaType.Ensured property to check whether a media type that has been ensured for a web object with a probability of more than 50% is on the specified blocking list. If it is, processing of all rules stops and the object is not passed on to the user who requested it. Access to it is blocked this way. The action settings specify that the user is notified of the blocking.

Block not detectable data
List.MediaType.IsEmpty (MediaType.Ensured) equals true > Block <MediaType (not detected)>
The rule uses the List.MediaType.IsEmpty property, with MediaType.Ensured as its parameter, to check whether the list of media types that could be ensured for a web object (with a probability of more than 50%) is empty. The list is empty if no signature from the internal list on the appliance matches the object, so its type could not be detected. In this case the object is blocked. This is the safe default, because content of unknown type cannot be matched against any media type list. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule.
Note: The rule is not enabled initially.
Block not supported archives
MediaType.Ensured at least one in list Archives AND MediaType.IsSupported equals false > Block <MediaType (common)>
The rule uses the MediaType.Ensured and MediaType.IsSupported properties to check whether a web object is an archive of a type on the specified archive list and whether this archive type is supported, that is, can be opened on the appliance. If the type is on the list but not supported, the object is blocked. An archive that cannot be opened cannot have its contents inspected by the other filtering rules, which is why blocking it is the safe choice. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule. The archive list is a system list and cannot be edited.
Note: The rule is not enabled initially.
Block multimedia files
MediaType.Ensured at least one in list Audio OR MediaType.Ensured at least one in list Video > Block <MediaType (common)>
The rule uses the MediaType.Ensured property to block multimedia files that are on one of the two specified blocking lists (or on both). These lists are system lists and cannot be edited. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule.
Note: The rule is not enabled initially.
Block streaming media
MediaType.Ensured at least one in list Streaming Media > Block <MediaType (common)>
The rule uses the MediaType.Ensured property to block streaming media that is on the specified blocking list. This list is a system list and cannot be edited. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule.
Note: The rule is not enabled initially.
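The following Python script is an added example and not appliance code. It shows what "ensured" media types mean in practice (a type is only assigned when a content signature matches, whatever the Content-Type header says) and then applies the decisions of the Media Type Filtering (download) rule set above in rule order: blacklist, not detectable data, unsupported archives, multimedia, streaming media. The signature table, the lists and the sample objects are constructed for this example; the appliance's internal signature list and its probability model are not public, and no probabilities are modelled here.

```python
# Constructed signature table: (magic bytes at offset 0, media type).
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"Rar!\x1a\x07", "application/x-rar-compressed"),
    (b"MZ", "application/x-msdownload"),        # Windows executable
    (b"ID3", "audio/mpeg"),
    (b"\xff\xfb", "audio/mpeg"),
]

# Lists as an administrator might fill them, plus stand-ins for the system lists.
MEDIA_TYPE_BLACKLIST = {"application/x-msdownload"}
ARCHIVES = {"application/zip", "application/x-rar-compressed"}
SUPPORTED_ARCHIVES = {"application/zip"}        # what this example can "open"
AUDIO = {"audio/mpeg"}
VIDEO = {"video/mpeg"}
STREAMING_MEDIA = {"video/x-la-asf", "application/vnd.tmobile-livetv", "video/h261"}


def ensured_types(data):
    """MediaType.Ensured: every type whose signature matches the object's bytes."""
    return [mtype for signature, mtype in SIGNATURES if data.startswith(signature)]


def filter_download(data, declared_type=None):
    """Apply the download rules in order. Returns ("block", reason) or ("allow", types).

    declared_type is the Content-Type header the server sent. It is accepted
    only to make the point explicit: it plays no part in the decision."""
    types = ensured_types(data)

    # Block types from Media Type Blacklist
    if any(t in MEDIA_TYPE_BLACKLIST for t in types):
        return "block", "MediaType (black list)"
    # Block not detectable data: List.MediaType.IsEmpty(MediaType.Ensured)
    if not types:
        return "block", "MediaType (not detected)"
    # Block not supported archives: on the Archives list, but cannot be opened
    if any(t in ARCHIVES and t not in SUPPORTED_ARCHIVES for t in types):
        return "block", "MediaType (common): unsupported archive"
    # Block multimedia files
    if any(t in AUDIO or t in VIDEO for t in types):
        return "block", "MediaType (common): multimedia"
    # Block streaming media
    if any(t in STREAMING_MEDIA for t in types):
        return "block", "MediaType (common): streaming media"
    return "allow", types


if __name__ == "__main__":
    # Constructed sample objects; the header value is deliberately misleading.
    samples = [
        (b"MZ\x90\x00\x03\x00\x00\x00", "text/plain"),      # executable sent as text
        (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3", "application/octet-stream"),
        (b"PK\x03\x04\x14\x00\x00\x00", "application/zip"),
        (b"Rar!\x1a\x07\x00", "application/octet-stream"),
        (b"ID3\x03\x00\x00\x00", "audio/mpeg"),
        (b"\x00\x01\x02garbage", "image/png"),              # no signature matches
    ]
    for data, header in samples:
        print(header.ljust(26), filter_download(data, header))
```

The first sample is the case the "ensured" design exists for: an executable served with a harmless Content-Type is still blocked, because only the bytes decide. The last sample shows the other side of that design: once the Block not detectable data rule is enabled, anything without a recognized signature is blocked too, so expect to tune the rule against legitimate unknown formats.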
HTML filtering
The appliance filters HTML pages and removes embedded objects from them. This section explains the rules used for HTML filtering and the lists and module settings involved in the filtering process.

HTML filtering rules say which embedded objects are removed and which are kept. They evaluate object types and also use filter lists. They call an opener module to make embedded objects accessible for filtering.

Administering HTML filtering includes the following activities:

Importing and modifying filtering rules
You can import an HTML filtering rule set from the library and modify its rules, or create a rule set of your own.

Configuring settings for the HTML opener module
You can configure settings for this module to tell it which object types to open.

Maintaining the filter lists
You can maintain lists of object types for use by the filtering rules.

The filtering rules can remove the following types of objects:

Java applets
Are embedded in HTML pages (unlike stand-alone Java applications) and run, once their certificates are accepted, with all privileges of the current user.

ActiveX controls
Run with all privileges of the user.

Scripts
Include JavaScript, JScript, and Visual Basic Script.

Media types
Include text, audio, image, streaming, and other media types.

For more information, see Rule set for HTML filtering, Module for opening embedded objects, and Sample lists for HTML filtering.

The rule set contains a rule and the following two nested rule sets:
Enable HTML Filtering
HTML Filtering
The following is the rule of the rule set:

Remove Content-Encoding header
Always > Continue
Header.RemoveAll (Accept-Encoding)
The rule uses the Header.RemoveAll event to remove the Accept-Encoding header from a request. The name of the header is specified by the event parameter. Without this header, the web server has no indication that the client accepts compressed content and in practice sends the response unencoded, so the HTML content can be opened and filtered; it is passed on to the user who requested it in this unencoded form. Processing continues with the first rule of the next rule set.

Nested Enable HTML Filtering library rule set
The nested Enable HTML Filtering library rule set prepares HTML filtering by enabling the HTML opener and removing a header element.
Nested library rule set  Enable HTML Filtering
Criteria  Always
Cycles  Requests (and IM) and responses
The rule set contains the following rule:

Enable HTML opener
Always > Continue
Enable HTML Opener<HTML Filtering>
The rule enables the HTML opener. The settings of the module are specified with the event. Processing continues with the next rule.

Nested HTML Filtering library rule set
The nested HTML Filtering library rule set removes different types of embedded objects from HTML pages, using a nested rule set for each of the types.

Nested library rule set  HTML Filtering
Criteria  MediaType.EnsuredTypes contains text/html
Cycles  Embedded objects
The rule set contains the following nested rule sets:
Embedded Objects
Embedded Scripts
ActiveX Controls
Note: This rule set is not enabled initially.
Advertising Filter
Note: This rule set is not enabled initially.
Nested Embedded Objects library rule set The nested Embedded Objects library rule set removes Java applets embedded in HTML pages, as well as other embedded media types if they are on a blocking list. It is processed in the embedded object cycle when these objects are sent with requests or responses.
Nested library rule set  Embedded Objects
Criteria  Always
Cycle  Embedded objects
The rule set contains the following rules:

Java applets
HTMLElement.Name equals APPLET OR (HTMLElement.Name equals OBJECT AND HTMLElement.HasAttribute (codetype) equals true AND HTMLElement.Attribute (codetype) equals application/java) > Remove
The rule uses several HTMLElement properties to remove an element from an HTML page if particular values are found for these properties. An element is removed if its name is APPLET, or if its name is OBJECT and it has a codetype attribute with application/java as its value. Processing of the embedded object cycle stops then, and the HTML page is forwarded without the removed element, to the user who requested it or to the web if a user attempted to upload it.

Stop if element is not interesting
(HTMLElement.Name does not equal OBJECT AND HTMLElement.Name does not equal embed) OR HTMLElement.HasAttribute (type) equals false > Stop Rule Set
The rule uses several HTMLElement properties to check whether an element need not be removed. An element need not be removed if its name is neither OBJECT nor embed, or if it has no type attribute at all. Processing of the rule set stops then, so the rule that removes elements from HTML pages (and follows this rule in the rule set) is not processed. Processing continues with the next rule set.

Default action for unlisted media types
HTMLElement.Attribute (type) is not in list Media Type Whitelist AND HTMLElement.Attribute (type) is not in list Media Type Blocklist > Stop Rule Set
The rule uses the HTMLElement.Attribute property to check whether an element is of a type that is neither on the relevant whitelist nor on the blocking list. In this case, a default action is executed, which for this rule is Stop Rule Set. Processing of the rule set stops then, so the whitelisting and blocking rules for media types that follow in the rule set are not processed. Processing continues with the next rule set. This default keeps unlisted types; if you want unknown types removed instead, change the action of this rule to Remove.

Handle whitelisted media types
HTMLElement.Attribute (type) is in list Mediatype whitelist > Stop Rule Set
The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a media type whitelist. If it is, the rule applies. Processing of the rule set stops then, so the removing rule that follows this rule in the rule set is not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.
Handle blacklisted media types
HTMLElement.Attribute (type) is in list Mediatype blacklist > Remove
The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a media type blacklist. If it is, the rule applies and the element of that media type is removed from the HTML page. Processing of the embedded objects cycle stops then, and the HTML page is forwarded without the removed element, to the user who requested it or to the web if a user attempted to upload it.

Nested Embedded Scripts library rule set
The nested Embedded Scripts library rule set removes script code embedded in HTML pages, providing options for keeping some code types. It is processed in the embedded object cycle when this code is sent with requests or responses.

Nested library rule set  Embedded Scripts
Criteria  HTMLElement.Name equals SCRIPT
Cycle  Embedded objects

The rule set contains the following rules:

Variable resetter
Always > Continue
Set User-Defined.removeOneScript = false
The rule sets the User-Defined.removeOneScript property to false, so the break rules that follow later in the rule set do not apply. Processing continues with the next rule.
Note: This rule is not enabled initially.
JavaScript
HTMLElement.Script.Type (type) equals text/javascript > Stop Rule Set
Set User-Defined.removeOneScript = true
The rule uses the HTMLElement.Script.Type property to check whether an element is of the JavaScript type. If it is, the rule applies. Processing of the rule set stops then, so the rule that removes script code at the end of the rule set is not processed. This way, the embedded script code is kept in the HTML page. Processing continues with the next rule set. If you want to remove JavaScript code, replace Stop Rule Set by the Remove action.

The rule also sets the User-Defined.removeOneScript property to true. This property is evaluated by the break rule that follows this JavaScript rule. When this rule applies with Stop Rule Set or Remove as its action, processing of the rule set is stopped anyway. If you let the rule use an action that does not stop the rule set, you can enable the break rule. It will find that the value of the User-Defined.removeOneScript property is true and stop processing of the rule set accordingly. To reset the value of the User-Defined.removeOneScript property to false, you need to enable the reset rule at the beginning of the rule set. With this value for the property, the break rules of the rule set do not apply.

Break;
User-Defined.removeOneScript equals true > Stop Rule Set
The rule stops processing of the rule set if the User-Defined.removeOneScript property has true as its value. Processing continues with the next rule set.
Note: This rule is not enabled initially.
JScript
HTMLElement.Script.Type equals text/jscript > Stop Rule Set
Set User-Defined.removeOneScript = true
This rule removes or keeps JScript within HTML pages in the same way as the JavaScript rule.

Break;
User-Defined.removeOneScript equals true > Stop Rule Set
This rule works in the same way as the break rule that follows the JavaScript rule.
Note: This rule is not enabled initially.
Visual Basic script
HTMLElement.Script.Type equals text/vbscript > Stop Rule Set
Set User-Defined.removeOneScript = true
This rule removes or keeps Visual Basic script within HTML pages in the same way as the JavaScript rule.

Break;
User-Defined.removeOneScript equals true > Stop Rule Set
This rule works in the same way as the break rule that follows the JavaScript rule.
Note: This rule is not enabled initially.
Other scripts
Always > Remove
The rule removes all embedded script code from HTML pages, unless it is kept from doing so by one of the rules preceding it in the rule set. These can stop the rule set before processing reaches the removing rule. They do so for JavaScript, JScript, and Visual Basic script code if enabled. If you want this to happen for other script code as well, you can add appropriate rules. The break rules of the rule set can also stop it so that the removing rule is not processed. If the removing rule is processed, it stops processing of the embedded objects cycle. Processing then continues with the next cycle.
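The following Python script is an added example, not code from the appliance or from McAfee. It reimplements the decisions of the Embedded Objects rule set (Java applets, the "not interesting" stop, the whitelist, blacklist and default-action rules) and of the Embedded Scripts rule set (keep JavaScript, JScript and Visual Basic script, remove other scripts) as a pass over a page with the standard library's HTML parser, and serializes the page again without the removed elements. The list contents and the sample page are constructed; the treatment of a script element without a type attribute as JavaScript (the HTML default) is an assumption, since the page does not say how HTMLElement.Script.Type behaves in that case.

```python
from html.parser import HTMLParser

# Lists as an administrator might fill them (example data only).
MEDIA_TYPE_WHITELIST = {"image/svg+xml"}
MEDIA_TYPE_BLACKLIST = {"application/x-shockwave-flash"}
KEPT_SCRIPT_TYPES = {"text/javascript", "text/jscript", "text/vbscript"}
VOID_ELEMENTS = {"embed", "param", "img", "br", "input", "meta", "link"}


def removal_reason(tag, attrs):
    """Decide as the Embedded Objects and Embedded Scripts rules would.
    Returns the name of the rule that removes the element, or None to keep it."""
    a = {name: (value or "").lower() for name, value in attrs}
    if tag == "applet":                                   # Java applets
        return "Java applets"
    if tag == "object" and a.get("codetype") == "application/java":
        return "Java applets"
    if tag in ("object", "embed") and "type" in a:        # else: not interesting
        if a["type"] in MEDIA_TYPE_WHITELIST:             # Handle whitelisted media types
            return None
        if a["type"] in MEDIA_TYPE_BLACKLIST:             # Handle blacklisted media types
            return "Handle blacklisted media types"
        return None                                       # Default action: keep unlisted
    if tag == "script":
        # Assumption: a script without a type attribute is JavaScript (HTML default).
        if a.get("type", "text/javascript") in KEPT_SCRIPT_TYPES:
            return None
        return "Other scripts"
    return None


class EmbeddedObjectFilter(HTMLParser):
    """Serialize the page again, leaving out every removed element and its content."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []
        self.skip_tag, self.depth = None, 0     # element currently being dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.depth += 1                 # same element nested inside
            return
        reason = removal_reason(tag, attrs)
        if reason:
            self.removed.append((tag, reason))
            if tag not in VOID_ELEMENTS:        # void elements have no end tag
                self.skip_tag, self.depth = tag, 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):   # <embed ... /> style
        if self.skip_tag:
            return
        reason = removal_reason(tag, attrs)
        if reason:
            self.removed.append((tag, reason))
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.depth -= 1
                if self.depth == 0:
                    self.skip_tag = None
            return
        self.out.append("</%s>" % tag)

    def _keep(self, text):
        if not self.skip_tag:
            self.out.append(text)

    def handle_data(self, data):
        self._keep(data)

    def handle_entityref(self, name):
        self._keep("&%s;" % name)

    def handle_charref(self, name):
        self._keep("&#%s;" % name)

    def handle_comment(self, data):
        self._keep("<!--%s-->" % data)

    def handle_decl(self, decl):
        self._keep("<!%s>" % decl)


def filter_html(page):
    """Return (filtered page, list of (tag, rule) removals)."""
    f = EmbeddedObjectFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.removed


if __name__ == "__main__":
    # Constructed sample page exercising each rule once.
    sample = ('<html><body><applet code="X.class">fallback</applet>'
              '<object codetype="application/java" classid="java:X"><param name="a" value="1"></object>'
              '<object type="application/x-shockwave-flash" data="m.swf"></object>'
              '<embed type="image/svg+xml" src="logo.svg"><object data="doc.pdf"></object>'
              '<script type="text/javascript">var a=1;</script>'
              '<script type="text/x-unknown">weird();</script><p>text &amp; more</p></body></html>')
    page, removed = filter_html(sample)
    print(page)
    print(removed)
```

Two things this makes visible that the rule descriptions alone do not: an OBJECT element with a data attribute but no type attribute passes the "not interesting" stop untouched, so its content is never compared with either list, and the blacklist rule removes the whole element including nested PARAM elements, not just the tag.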
Nested ActiveX Controls library rule set The nested ActiveX Controls library rule set removes ActiveX controls embedded in HTML pages. It is processed in the embedded object cycle when this code is sent with requests or responses.
Note: This rule set is not enabled initially.
Nested library rule set  ActiveX Controls
Criteria  Always
Cycle  Embedded objects

The rule set contains several rules and the nested Filter ActiveX in Scripts rule set.

Nested Advertising Filter library rule set
The nested Advertising Filter library rule set removes advertising elements embedded in HTML pages, such as images, layers, forms, and others. It is processed in the embedded object cycle when this code is sent with requests or responses.
Note: This rule set is not enabled initially.
Nested library rule set  Advertising Filter
Criteria  Always
Cycle  Embedded objects

The rule set contains a rule and the following nested rule sets:
Link Filter
Dimension Filter
Popup Filter
Script Filter
List of objects that the module should open
Setting for opening only objects with external sources
4 Click Save Changes.
For more information on these settings, see Enable HTML Opener engine settings.
HTML Opener Configuration
Settings for the HTML opener.

(HTML opener list)
List of objects embedded in an HTML page that the module should open. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 6-10 HTML Opener list
Option                Definition
Node name             Type of an object that the HTML opener should open.
Only open start tags  When selected, the HTML opener opens only start tags. These contain the attributes that are checked by the rules.
Comment               Plain-text comment on the element

Only open elements that refer to external sources
When selected, the HTML opener opens only elements that refer to external sources, for example, pictures transmitted from an external server. Select this setting if you consider HTML pages stored on the local server trustworthy and they need not have elements removed. Elements without an external reference are then not opened and therefore not filtered, so the setting relies on every page served from that server being trustworthy.
Media Type Blacklist List of media types embedded in HTML pages you want to remove. Type String The list is initially empty. The table below describes the list entries.
Table 6-12 Upload Media Type Whitelist
Media type: Media type that is removed by HTML filtering
Comment: Plain-text comment on the media type
Global whitelisting
URLs and other web objects can be placed on global whitelists to let them skip all further filtering. This section explains global whitelisting and describes the library rule set for this function and the list used by its rule.
A global whitelist is used by a rule in a global whitelisting rule set. The rule stops the filtering process for objects it finds on the list. So administering global whitelisting includes the following activities:
Maintaining the global whitelists
You can add objects to these lists and remove them as needed.
Modifying the global whitelisting rule set
You can have whitelisting rules for different types of objects in this rule set. You can modify a rule, for example, by replacing the list it uses with another list.
For more information, see Global whitelists and Global Whitelist library rule set.
Global whitelists
You can maintain lists for use by the global whitelisting rules. This section tells you how to add an object to such a list and describes a sample list that is used by a library rule.
Note: To add multiple URLs at once, use the Add multiple icon and type every URL in a new line.
5 [Optional] Type a comment on the URL in the Comment field.
6 Click OK. The window closes and the URL appears on the whitelist.
7 Click Save Changes.
For general information on how to maintain lists, see List maintenance.
Global Whitelist
List of URLs that are allowed to skip all further filtering
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.
Table 6-13 Global Whitelist
Wildcard Expression: URL that is allowed to skip all further filtering (in Wildcard Expression format)
Comment: Plain-text comment on the URL
The rule set contains the following rule:
Do not filter URLs in GlobalWhiteList
URL matches in list GlobalWhiteList > Stop Cycle
The rule uses the URL property to check whether a URL is on the specified whitelist. If it is, the rule applies and stops the current processing cycle. In the request cycle, this means that a request to access the URL is forwarded to the appropriate web server. In the response cycle, the URL sent in response from a web server is forwarded to the user who requested it. In the embedded object cycle, the embedded object in question is also forwarded.
SSL scanning
SSL-secured requests can be inspected by an SSL scanning module before other appliance functions filter them. This section explains the SSL scanning process and tells you how you can modify it.
The rules in the rule set for SSL scanning call an SSL scanning module to let it verify the certificates sent with SSL-secured requests. If certificate verification does not lead to blocking a request, the rules call the module to enable content inspection and have the request filtered by the other implemented rule sets. The rules also handle the CONNECT request that SSL-secured communication begins with if it does not use the transparent mode. Whitelists of hosts and certificates can be used to skip certificate verification and content inspection.
Administering the SSL scanning process includes the following activities:
Configuring the module settings
You can configure settings for the SSL scanning module that verifies certificates and enables content inspection, as well as for two other modules that deal with certificates.
Maintaining the SSL scanning lists
You can maintain the whitelists used by the SSL scanning rules to let requests skip certificate verification or content inspection, and also some other lists used in the process.
Modifying the SSL scanning rule set
You can review the rules in this rule set and modify them. The rules of the library SSL Scanner rule set are explained in detail in this section to show how the SSL scanning process works.
For more information, see Settings for the SSL scanning modules, SSL scanning lists, and Rule set for SSL scanning.
For more information, see Import a certificate authority and Enable SSL Scanner engine settings.
select or deselect Trusted, according to the status the new certificate authority should have.
6 Click Import. A window opens to let you access your file system.
7 Browse to the file for the certificate authority you want to import and click Open. The window closes and information on the new certificate authority appears in the Add Certificate Authority window.
8 Click OK. The window closes and the new certificate authority appears on the list in the Edit List
Enable SSL Scanner
Settings for the Enable SSL Scanner module
Server cipher list: String of OpenSSL symbols used for decrypting server data. The module uses different strings to do the default certificate verification and a special kind of verification for certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
SSL session cache TTL: Time (in seconds) for keeping the parameter values of an SSL-secured session in the cache.
Certificate verification: When selected, the module verifies certificates.
Content inspection: When selected, the module enables the inspection of SSL-secured content.
Define SSL Client
Settings for the Enable SSL Client Context module
Current root CA: Parameters and values of the root CA that is currently in use on the appliance. It is recommended that you generate your own root CA. Use the Generate New button and the other buttons provided here to do this.
Send certificate chain: When selected, the appliance sends a certificate chain (rather than a single certificate) to its clients.
Certificate chain: Input field for entering the certificate chain
Server cipher list: String of OpenSSL symbols used for decrypting server data. The module uses different strings to do the default certificate verification and a special kind of verification for certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
SSL session cache TTL: Time (in seconds) for keeping the parameter values of an SSL-secured session in the cache.
Certificate Verification
Settings for the Certificate Chain module
List of certificate authorities: List of the certificate authorities that can be used to configure a certificate chain. The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 6-14 Certificate Authorities list
Certificate: Name of a certificate
Certificate revocation list: List with information on when the certificate becomes invalid, and the URI used to access it
Trusted: Information on whether the certificate is trusted on the appliance
Comment: Plain-text comment on the certificate
For general information on how to maintain lists, see List maintenance.
Allowed CONNECT Ports
List of ports that are allowed CONNECT ports on destination servers
Type: Number
Initial entry: 443 (default HTTPS port)
The table below describes the list entries.
Table 6-15 Allowed CONNECT Ports list
Number: Number of a port that is an allowed CONNECT port on a destination server.
Comment: Plain-text comment on the port.
Certificate White List
List of certificates that are not verified by the SSL scanning module
Type: Host and Certificate
The list is initially empty. The table below describes the list entries.
Table 6-16 Certificate White List
Certificate: Name of a whitelisted certificate
Host: Host that the certificate proves to be trustworthy (in regular expression format).
Comment: Plain-text comment on the certificate
No-EDH Server
List of hosts that are non-EDH servers. When requests are sent from these hosts, the SSL scanning module verifies the certificate with special settings.
Type: String
The list is initially empty. The table below describes the list entries.
Table 6-17 No-EDH Server list
String: Host name of a non-EDH server
Comment: Plain-text comment on the server
SSL Inspection White List
List of hosts. For requests sent to these hosts, the SSL scanning module does not enable content inspection.
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.
Table 6-18 SSL Inspection White List
Wildcard expression: Name of a whitelisted host (in regular expression format, including also wildcards)
Comment: Plain-text comment on the host
The following rule sets are nested in this rule set:
Handle Connect Call
Certificate Verification
Verify Common Name (proxy setup)
Content Inspection
Verify Common Name (transparent setup)
The rule set contains the following rules:
Set client context
Always > Continue
Enable SSL Client Context<Default CA>
The rule enables the use of a server certificate that is sent to a client. The event settings specify the McAfee Web Gateway root certificate authority (CA) as the default issuer of this certificate.
Tunneled hosts
URL.Host is in list SSL Host Tunnel List > Stop Cycle
The rule lets requests for access to hosts with a URL that is on the specified whitelist skip SSL scanning.
Restrict destination ports to allowed CONNECT ports
URL.Port is not in list Allowed Connect Ports > Block<Connect not allowed>
The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports. The action settings specify a message to the requesting user.
Enable certificate verification without EDH for hosts in no-EDH server list
URL.Host is in list No-EDH server > Stop Rule Set
Enable SSL Scanner<Certificate Verification without edh>
The rule enables the certificate verification for requests sent from a host on the no-EDH (Ephemeral Diffie-Hellman) server list. The event settings specify running in verification mode for the SSL scanning module and a special cipher string for data encryption on non-EDH hosts.
Enable certificate verification
Always > Stop Rule Set
Enable SSL Scanner<Default certificate verification>
The rule enables certificate verification. The event settings specify that the SSL scanning module runs in verification mode.
The rule set contains the following rules:
Skip verification for certificates found in Certificate Whitelist
Certificate.SSL.HostAndCertificate is in list Certificate Whitelist > Stop Rule Set
The rule lets whitelisted certificates skip verification.
Block self-signed certificates
Certificate.SSL.SelfSigned equals true > Block <Certificate incident>
The rule blocks requests with self-signed certificates. The action settings specify a message to the requesting user.
Block expired server (7 day tolerance) and expired CA certificates
Certificate.SSL.DaysExpired greater than 7 OR CertificateChain.SSL.ContainsExpiredCA<Default> equals true > Block <Certificate incident>
The rule blocks requests with expired server and CA certificates. The action settings specify a message to the requesting user.
Block too long certificate chains
CertificateChain.SSL.PathLengthExceeded<Default> equals true > Block <Certificate incident>
The rule blocks a certificate chain if it exceeds the path length. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.
Block revoked certificates
CertificateChain.SSL.ContainsRevoked<Default> equals true > Block <Certificate incident>
The rule blocks a certificate chain if one of the included certificates has been revoked. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.
Block unknown certificate authorities
CertificateChain.SSL.FoundKnownCA<Default> equals false > Block <Certificate incident>
The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included certificates is a known CA. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.
Block untrusted certificate authorities
CertificateChain.SSL.FirstKnownCAIsTrusted<Default> equals false > Block <Certificate incident>
The rule blocks a certificate chain if the first known CA that was found is not trusted. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.
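The ordering of the Certificate Verification rules matters: the whitelist rule stops the rule set before any blocking rule runs, and the expiry rule only fires past the 7-day tolerance. The following added Python model (not the appliance's own code) evaluates the seven rules above in order; the property names are kept as field names, and the certificate objects and whitelist are constructed sample input.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed model of the Certificate Verification rule set described above.
# Rules run top to bottom; the first rule whose criteria match decides.
# "Stop Rule Set" accepts the certificate without running the remaining rules,
# "Block" rejects it with the <Certificate incident> message.

EXPIRY_TOLERANCE_DAYS = 7  # from "Block expired server (7 day tolerance)"


@dataclass
class SslCertificate:
    """One server certificate plus the chain properties the rules inspect."""
    host: str
    name: str                                # with host: Certificate.SSL.HostAndCertificate
    self_signed: bool = False                # Certificate.SSL.SelfSigned
    days_expired: int = 0                    # Certificate.SSL.DaysExpired (0 = still valid)
    contains_expired_ca: bool = False        # CertificateChain.SSL.ContainsExpiredCA
    path_length_exceeded: bool = False       # CertificateChain.SSL.PathLengthExceeded
    contains_revoked: bool = False           # CertificateChain.SSL.ContainsRevoked
    found_known_ca: bool = True              # CertificateChain.SSL.FoundKnownCA
    first_known_ca_is_trusted: bool = True   # CertificateChain.SSL.FirstKnownCAIsTrusted


def verify_certificate(cert: SslCertificate,
                       certificate_whitelist: Set[Tuple[str, str]]) -> Tuple[str, Optional[str]]:
    """Return (action, rule name): ('STOP_RULE_SET', ...), ('BLOCK', ...) or ('CONTINUE', None)."""
    rules = [
        ("Skip verification for certificates found in Certificate Whitelist",
         lambda c: (c.host, c.name) in certificate_whitelist, "STOP_RULE_SET"),
        ("Block self-signed certificates",
         lambda c: c.self_signed, "BLOCK"),
        ("Block expired server (7 day tolerance) and expired CA certificates",
         lambda c: c.days_expired > EXPIRY_TOLERANCE_DAYS or c.contains_expired_ca, "BLOCK"),
        ("Block too long certificate chains",
         lambda c: c.path_length_exceeded, "BLOCK"),
        ("Block revoked certificates",
         lambda c: c.contains_revoked, "BLOCK"),
        ("Block unknown certificate authorities",
         lambda c: not c.found_known_ca, "BLOCK"),
        ("Block untrusted certificate authorities",
         lambda c: not c.first_known_ca_is_trusted, "BLOCK"),
    ]
    for name, criteria_match, action in rules:
        if criteria_match(cert):
            return action, name
    # No rule applied: processing continues with the next rule set.
    return "CONTINUE", None


if __name__ == "__main__":
    # Constructed sample certificates (hosts are placeholders).
    whitelist = {("intranet.example.com", "intranet-self-signed")}
    samples = [
        SslCertificate("www.example.com", "www.example.com", days_expired=5),    # inside tolerance
        SslCertificate("www.example.com", "www.example.com", days_expired=8),    # past tolerance
        SslCertificate("intranet.example.com", "intranet-self-signed", self_signed=True),
        SslCertificate("shop.example.com", "shop.example.com", found_known_ca=False),
    ]
    for sample in samples:
        print(sample.host, sample.name, "->", verify_certificate(sample, whitelist))
```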
Nested Verify Common Name (proxy setup) library rule set
This rule set verifies the common name in a certificate. It applies only to requests sent in non-transparent mode.
Nested library rule set: Verify Common Name (proxy setup)
Criteria: Connection.TransparentSSL equals false
Cycle: Requests (and IM)
The rule set contains the following rules:
Allow matching hostname
URL.Host equals Certificate.SSL.CN > Stop Rule Set
The rule allows a request if the URL of the requested host is the same as the common name in the certificate.
Allow wildcard certificates
Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) > Stop Rule Set
The rule allows requests to hosts sending certificates that have wildcards in their common names matching the URLs of the hosts. To verify that a common name containing wildcards matches a host, this name is converted into a regular expression.
Allow alternative common names
URL.Host is in list Certificate.SSL.AlternativeCNs > Stop Rule Set
The rule allows requests to hosts whose certificates contain alternative common names if the host matches at least one of them.
Block incident
Always > Block <Common name mismatch>
If any of the rules for allowing matching common names applies, processing of the rule set stops and this rule is not processed. Otherwise, requests are blocked by this rule due to a common name mismatch. The action settings specify a message to the requesting user.
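The four rules above form an allow-list that ends in an unconditional block. The added Python model below (not the appliance's own code) walks them in order; cn_to_regex is an assumption about what Certificate.SSL.CN.ToRegex produces, namely that each wildcard stands for exactly one DNS label, so *.example.com matches www.example.com but neither example.com nor a.b.example.com.

```python
import re
from typing import Iterable, Tuple

# Constructed model of the Verify Common Name (proxy setup) rule set above.
# Host names and common names used in the demo are placeholders.


def cn_to_regex(cn: str) -> str:
    """Assumed behaviour of Certificate.SSL.CN.ToRegex: one '*' matches one DNS label."""
    # Escape every regex metacharacter (including '.' and '*'), then turn the
    # escaped wildcard back into "one or more characters other than a dot".
    pattern = re.escape(cn.lower()).replace(r"\*", r"[^.]+")
    return rf"^{pattern}$"


def verify_common_name(host: str, cn: str, alternative_cns: Iterable[str]) -> Tuple[str, str]:
    """Return ('STOP_RULE_SET', allowing rule) or ('BLOCK', 'Common name mismatch')."""
    host = host.lower()
    cn = cn.lower()

    # Allow matching hostname: URL.Host equals Certificate.SSL.CN
    if host == cn:
        return "STOP_RULE_SET", "Allow matching hostname"

    # Allow wildcard certificates: CN.HasWildcards AND URL.Host matches CN.ToRegex(CN)
    if "*" in cn and re.match(cn_to_regex(cn), host):
        return "STOP_RULE_SET", "Allow wildcard certificates"

    # Allow alternative common names: URL.Host is in list Certificate.SSL.AlternativeCNs
    if host in {alt.lower() for alt in alternative_cns}:
        return "STOP_RULE_SET", "Allow alternative common names"

    # Block incident: Always > Block <Common name mismatch>
    return "BLOCK", "Common name mismatch"


if __name__ == "__main__":
    # Constructed sample checks: (requested host, certificate CN, alternative CNs)
    checks = [
        ("www.example.com", "www.example.com", []),
        ("www.example.com", "*.example.com", []),
        ("a.b.example.com", "*.example.com", []),
        ("example.com", "*.example.com", []),
        ("mail.example.com", "www.example.com", ["mail.example.com", "smtp.example.com"]),
        ("www.example.org", "*.example.com", []),
    ]
    for host, cn, alts in checks:
        print(f"{host:18} CN={cn:18} -> {verify_common_name(host, cn, alts)}")
```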
The rules of this rule set check the same criteria to verify a common name as those of the Verify Common Name rule set for the non-transparent mode. However, in non-transparent mode the host name to be checked is taken from the CONNECT request, which is not sent in transparent mode. In transparent mode, the host name is taken from the request that is sent. For more information, see Nested Verify Common Name (proxy setup) library rule set.
The rule set contains the following rules:
Skip content inspection for hosts found in SSL Inspection Whitelist
Connection.SSL.Transparent equals false AND URL.Host matches in list SSL Inspection Whitelist > Stop Rule Set
The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in non-transparent mode.
Skip content inspection for CN found in SSL Inspection Whitelist
Connection.SSL.Transparent equals true AND Certificate.SSL.CN matches in list SSL Inspection Whitelist > Stop Rule Set
The rule lets requests with whitelisted common names in their certificates skip content inspection. It applies only in transparent mode.
Note: This rule is not enabled initially.
Do not inspect connections with client certificates
Connection.Client.CertificateIsRequested equals true > Stop Rule Set
The rule lets requests skip inspection if they require the use of client certificates.
Note: This rule is not enabled initially.
Enable content inspection
Always > Continue
Enable SSL Scanner<Enable content inspection>
The rule enables content inspection. The event settings specify that the SSL scanning module runs in inspection mode. If any of the rules for skipping content inspection applies, processing of the rule set stops and this last rule, which enables the inspection, is not processed. Otherwise, content inspection is enabled by this rule.
Supporting functions
Some functions on the appliance do not filter web objects or users, but support the filtering process in various ways. This section explains some of these functions. You can use them to do, for example, the following:
Count user requests
You can count the number of requests for web access sent by individual users of your network.
Show download progress
You can configure methods to show users the progress made in downloading web objects.
Route requests through next-hop proxies
When requests are directed at internal destinations, you can use these proxies to route them.
For more information, see Billing, Progress Indication, and Next-hop proxies.
Billing
User requests for web access can be counted on the appliance in a process known as billing. This section explains how to implement and maintain this process.
When the process is implemented, a rule in a billing rule set calls a module that increments a counter every time a user sends a request for web access to the appliance. Administering this process on the appliance includes the following activities:
Implementing a billing rule set
A rule set with billing rules is not implemented on the appliance after the initial setup. You can import a rule set from the library or create a rule set of your own.
Creating billing rules
The library rule set contains rules that count requests by two dummy users, based on the IP address ranges of the clients that the requests are sent from. You need a separate billing rule for every user whose requests you want to count.
Configuring settings for the billing module
When a counter needs to be incremented, the billing rule calls the Statistics module. The rule specifies settings for the module, which include a list of counters. The rule also specifies the counter on the list that the module must increment. When you import the library rule set, module settings are also imported. You can configure these settings, adding as many counters to the list as you need for counting your user requests.
For more information, see Import a rule set, Billing library rule set, Add a request counter, and Add a billing rule.
The rule set contains the following rules:
Count customer one requests
Client.IP is in range 10.0.0.0 - 10.0.225.255 > Continue
Execute IncrementCounter (customer one request count, 1) <default custom counters>
The rule uses the Execute IncrementCounter event to increment a counter for each request sent from a client with an IP address in the specified range. The event parameters specify the name of the counter and the increment. The event settings specify the list on which the counter can be found. Processing continues with the next rule.
Count customer two requests
Client.IP is in range 10.149.0.0 - 10.149.255.255 > Continue
Execute IncrementCounter (customer two request count, 1) <default custom counters>
The rule lets a counter be incremented in the same way as the first rule, but for a different IP address range.
Then click OK. The window closes and the new counter appears on the list.
5 Click Save Changes.
Statistics
User Defined Counters: Settings for the billing module.
List of user-defined counters: List of counters for counting user requests. The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 6-19 List of user-defined counters
Name: Name of a counter, for example, customer one request count
Comment: Plain-text comment on the counter
set. The rules of this rule set appear on the settings pane.
3 Select an existing rule, for example, Count customer one requests, and click Copy.
4 Click Paste. The rule is inserted below the last rule.
5 Click Edit. The Edit Rule window opens.
6 Modify the copied rule as follows:
a Select the Name step of the window and type, for example, Count customer three requests as
Under Parameter (IP Range), type the IP address range of a client and click OK. The rule then counts user requests sent from this client.
d Select Events, select the event, and click Edit. The Edit Event window opens.
e Click Parameters. The Property Parameters window opens.
f Under Parameter 1, type the name of the counter the billing module should use, for example, customer three requests count. Leave Parameter 2 (the increment) and the settings as they are.
g Click OK twice and then Finish to close the open windows.
7 Click Save Changes.
Progress Indication
The progress made in downloading objects from the web can be shown to users in different ways. This section explains how to configure the methods for showing this progress.
Which method of progress indication is appropriate depends on the user's browser. Accordingly, the rules of a progress indication rule set call different modules that use one or the other method to show download progress. Administering progress indication on the appliance includes the following activities:
Making sure a progress indication rule set is implemented
The rule set that is implemented as part of the default system contains rules calling a module that displays a progress page for Mozilla browsers and another module that uses data trickling for all others. You can also create a rule set of your own and let it contain different rules.
Configuring the settings of the progress indication modules
When the default rule set is implemented, module settings are also available. You can modify the settings of the module that executes data trickling and of the one that uses a progress page.
For more information, see Default Progress Indication rule set and Configure the progress indication modules.
The rule set contains the following rules:
Progress Page
Header.Request.Get (User-Agent) matches *(Mm)ozilla* > Stop Rule Set
Enable Progress Page <Default>
The rule enables a progress page for Mozilla browsers. The event settings specify what the progress page looks like, for example, the language it uses.
Data Trickling
Always > Stop Rule Set
Enable Data Trickling<Default>
The rule enables data trickling for all browsers that are not Mozilla. The event settings specify the chunk and block sizes used for the trickling.
and select the settings you want to configure, for example, Default.
3 Configure these settings as needed.
Data trickling: For all browsers that are not Mozilla. You can configure the size of the first chunk, the block size, and other settings.
Progress page: For Mozilla browsers. You can configure a page for the progress bar, a page for download completion, and other settings.
Templates are used to provide these two pages. You can configure them in the same way as the templates for user messages.
4 Click Save Changes.
For more information, see Enable Data Trickling engine settings, Enable Progress Page engine settings, and User messages.
Data Trickling
Parameters: Settings for chunks and blocks used in data trickling
Size of first chunk (in bytes)
Block size (in bytes)
Trickle bytes per block size (in bytes)
Enable data trickling during scan: When selected, the scanning of an object that is being downloaded can begin while the download is not yet complete and data trickling is still going on.
Progress Page
Parameters: Settings for templates and timeouts
Templates: Settings for progress page templates
Language: Language of a progress page
Template collection: List of template collections for different settings, for example, Default.
Template name for progress bar page: List of templates
Template name for download finished page: List of templates
Timeout: Settings for the availability of objects
Time a file is available before download by user (in minutes)
Time a file is available after successful download by user (in minutes)
Next-hop proxies
The appliance can use next-hop proxies for routing client requests to internal destinations. This section explains how to implement and configure these proxies.
When next-hop proxies are implemented, a rule in a corresponding rule set uses a module to call proxies that are on a list when an internal request is received. Administering next-hop proxies on the appliance includes the following activities:
Implementing a next-hop proxy rule set
A rule set with a rule for using next-hop proxies is not implemented on the appliance after the initial setup. You can import a rule set from the library or create a rule set of your own.
Maintaining a list of next-hop proxy servers
When you import the next-hop proxy rule set, a server list is also imported, which is initially empty and must be filled by you. You can also create more than one list and use them for routing in different situations.
Configuring settings for the next-hop proxy module
Settings for the next-hop proxy module are also imported with the library rule set. You can configure these settings to let the module use a particular next-hop proxy list and to determine the mode of calling the proxies (round-robin or fail-over).
For more information, see Next-hop proxy modes, Import a rule set, Fail-over mode, and c.
When routing a request in fail-over mode, the next-hop proxy module calls the first server on the list. If the server fails to respond, the call is repeated until the configured number of retries is reached. Only then is the next server in the list tried. It is called in the same way as the first, and if it also fails, the server after it is tried. This continues until a server responds or all servers in the list have been found to be unavailable.
The rule set contains the following rule:
Use internal proxy for internal host
URL.Destination.IP is in range 10.0.0.0 - 10.255.255.255 > Continue
Enable Next Hop Proxy<Internal Proxy>
The rule lets internal next-hop proxies route requests when a URL has a destination IP address in the specified range. The event settings specify settings that include the next-hop proxy list and the mode for calling proxies.
For general information on how to maintain lists, see List maintenance.
Internal Proxies list
List of servers that the appliance can use as next-hop proxies
Type: Next Hop Proxy
The list is initially empty. The table below describes the list entries.
Table 6-20 Internal Proxies list
Identifier: Unique name given to a next-hop proxy
Host: Host name or IP address of the next-hop proxy.
Port: Number of the port used by the next-hop proxy for listening to requests sent by the appliance
User: User name submitted on the appliance for logon to the next-hop proxy
Password: Password submitted on the appliance for logon under the above user name
Number of retries: Number of attempts made by the appliance to connect to the next-hop proxy before another server is tried
Wait time after failure: Time (in seconds) the appliance waits after an unsuccessful attempt to connect to the next-hop proxy before it tries again.
Comment: Plain-text comment on the next-hop proxy
For more information on these settings, see Enable SSL Scanner engine settings.
Next-hop proxy server
Settings for using servers as next-hop proxies
List of next-hop proxy servers: List for selecting a next-hop proxy server list. The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 6-21 List of next-hop proxy server lists
Name: Name of the next-hop proxy server list
Comment: Plain-text comment on the next-hop proxy servers list
Round robin: When selected, the next-hop proxy module uses the next-hop proxy following the one in the list that has been used last. When the end of the list has been reached, the first next-hop proxy in the list is again selected.
Fail over: When selected, the next-hop proxy module tries the first next-hop proxy in the list first. If it fails, it is retried until the configured retry maximum has been reached. Then the second next-hop proxy in the list is tried, and so on, until a server responds or all are found to be unavailable.
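The two calling modes, together with the Number of retries and Wait time after failure entries of the Internal Proxies list (Table 6-20), determine how many connection attempts a request can trigger before it fails. The added Python model below (not the appliance's own code) implements both modes over a constructed proxy list; the connect and wait callbacks are injected so the selection logic runs offline, and the assumption that the wait applies between attempts to the same proxy is marked in the code.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of the Round robin and Fail over modes described above.
# Host addresses and identifiers are placeholders.


@dataclass
class NextHopProxy:
    """One entry of the Internal Proxies list (Table 6-20), minus User/Password/Comment."""
    identifier: str
    host: str
    port: int
    number_of_retries: int = 3          # attempts before another server is tried
    wait_time_after_failure: int = 1    # seconds between attempts (assumed: same proxy only)


class NextHopProxyList:
    def __init__(self, proxies: List[NextHopProxy]):
        if not proxies:
            raise ValueError("next-hop proxy list is empty")
        self.proxies = proxies
        self._last_used = -1  # index of the proxy used last (round-robin cursor)

    def round_robin(self) -> NextHopProxy:
        """Return the proxy following the one used last, wrapping to the start of the list."""
        self._last_used = (self._last_used + 1) % len(self.proxies)
        return self.proxies[self._last_used]

    def fail_over(self, connect: Callable[[NextHopProxy], bool],
                  wait: Callable[[int], None] = lambda seconds: None) -> Optional[NextHopProxy]:
        """Try each proxy in list order, up to its retry count, until one responds.

        connect(proxy) returns True when the proxy answered; wait(seconds) is
        called after an unsuccessful attempt before the same proxy is retried.
        Returns None when every server in the list was found unavailable.
        """
        for proxy in self.proxies:
            for attempt in range(proxy.number_of_retries):
                if connect(proxy):
                    return proxy
                if attempt + 1 < proxy.number_of_retries:
                    wait(proxy.wait_time_after_failure)
        return None


if __name__ == "__main__":
    # Constructed sample list: proxy-a is down, proxy-b answers.
    proxies = [
        NextHopProxy("proxy-a", "10.1.1.10", 8080, number_of_retries=2, wait_time_after_failure=5),
        NextHopProxy("proxy-b", "10.1.1.11", 8080, number_of_retries=1),
    ]
    attempts: List[str] = []

    def simulated_connect(proxy: NextHopProxy) -> bool:
        attempts.append(proxy.identifier)
        return proxy.identifier == "proxy-b"

    chosen = NextHopProxyList(proxies).fail_over(simulated_connect, wait=lambda s: print(f"wait {s}s"))
    print("fail-over chose:", chosen.identifier if chosen else None, "after attempts", attempts)

    rr = NextHopProxyList(proxies)
    print("round-robin order:", [rr.round_robin().identifier for _ in range(4)])
```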
User messages
Messages can be sent to users when a filtering rule blocks their requests for web access or affects them in other ways. This section tells you how to work on these messages.
Messages are sent to users based on templates. To modify what messages look like, you adapt these templates. This is done under the settings for the actions that affect users.
Authenticate: Template-based message tells a user that authentication is required to access a URL.
Block: Template-based message tells a user that a request was blocked for various reasons, for example, because a virus was detected in the requested object.
Redirect: Template-based message tells a user that redirecting to another URL is needed for accessing the requested object.
Message templates
Message templates contain standard text with variables. The variables are filled with values as needed in a given situation. For example, a Virus Found message might have the following text and variables:
Standard text: The transferred file contained a virus and was therefore blocked.
Variables as follows:
URL: URL that the user requested to access the file. The variable used to display a URL is $URL$.
Virus name: Name of the found virus that triggered the blocking of the file. The variable used to display a virus name is $StringList.ToString$.
Note: All variables used in message templates are also properties used by rules. For example, URL is a variable in a message text and a property used in the rule that exempts URLs from filtering.
Different versions can exist of a particular template regarding:
File format: .html or .txt.
Language: Templates can exist for multiple languages. An English version is provided by default for all initially existing templates.
You can group templates into collections and have, for example, a default collection and collections for other purposes. You can edit message templates when you edit the settings for particular actions. For more information, see Adapt a user message template.
configure, for example, the Virus Found settings of the Block action.
3 Configure these settings as needed.
On the templates tree, double-click the Virus Found folder. The folder opens and displays templates in the available languages and file formats (.html and .txt).
d Select, for example, en for English and html. The corresponding template appears on the settings pane. Initially, the template text reads as follows: The transferred file contained a virus and was therefore blocked.
e Edit this text as needed.
4 Click Save Changes on the Template Editor.
For more information, see Template Editor and Settings for message templates.
Template Editor
The template editor is a tool on the user interface that allows you to edit existing templates for user messages.
Note: The template editor opens when you click Edit for a selected template or template collection on the Settings tab of the Policy top-level menu (after selecting the settings of the Authenticate, Block, or Redirect action on the Settings tree).
When editing a message template, you can do the following:
Select a language for the message of the template
Edit the text of the message
Replace the variables of the template
Provide a block reason for logging purposes (only for Block action templates)
Provide a URL for redirecting (only for Redirect action templates)
The table below describes the options of the Template Editor in detail.
Table 6-22 Template Editor
Templates: Displays a tree structure (for viewing templates and selecting them for editing) with the following elements:
Template collections: Collections of templates, for example, the Default collection.
Templates: Templates belonging to a collection, for example, Virus Found. For each template, the following is provided under a tree node:
de, en ...: Language versions of the template
html: version in .html format
txt: version in .txt format
When you select a format, the template content appears on the HTML Editor pane.
(Expand All): Expands all collapsed items on the Templates tree.
(Collapse All): Lets all expanded items collapse.
A right-click on a collection, template, language version, or format opens a menu with the following options (the selection of the options varies with the item):
Clone: Opens the Clone <item> window for inserting a copy of an item under a new name into a collection.
Add <item>: Opens the Add <item> window for adding an item of the same type.
Rename: Opens the Rename <item> window for renaming an item.
Change: Opens the Change Language window for changing a language version.
Delete: Deletes an item. A window opens to let you confirm the deletion.
File System: Displays a tree structure (for completing general tasks, such as adding, renaming, and deleting template files) with the following elements:
Template collections: Collections of templates, for example, the Default collection.
Language versions: Templates sorted by language versions (and within a language group first by names and then by formats). For example, the en language group contains:
...
When you select a format, the template content appears on the HTML Editor pane (same function as on the Templates pane).
Images: Image files (with images used in templates) sorted by name
Add: Opens the following menu:
New File: Opens the Filename window for adding a file with a new name.
New Directory: Opens the Rename Directory window for adding a selected folder of the tree structure under a new name.
Existing File or Directory: Opens your file manager for selecting and adding a file or folder.
Edit: Opens the following menu:
Rename: Opens the Rename <item> window for renaming an item.
Delete: Deletes an item. A window opens to let you confirm the deletion.
Cut: Copies and deletes a selected item.
Copy: Copies a selected item.
Paste: Pastes a copied item.
Delete: Deletes a selected item.
(Expand All): Expands all collapsed items on the File System tree.
(Collapse All): Lets all expanded items collapse.
A right-click on an item opens a menu with the above options (options that do not apply for an item are grayed out).
Table 6-22 Template Editor (continued)
Option: Definition

HTML Editor: Displays the content of the template that is currently selected on the Templates or File System pane.
  Add: Opens the following menu:
    Resource Reference: Opens the Insert Resource Path window for entering the path to a resource, such as an image or other graphical element, that appears in a template.
    Property: Opens the Choose Property window for adding a property that appears as a variable in a template, for example, $URL$.
  Edit: Opens the following menu:
    Cut: Copies and deletes a selected portion of template content.
    Copy: Copies a selected portion.
    Paste: Pastes a copied portion.
    Delete: Deletes a selected portion.
    Select All: Selects the complete template content.
    Discard Changes: Undoes your changes of a template.
  Show Source: Toggle button to display the HTML source code of a template
  Languages: Drop-down menu that lets you select the language of the preview.
  Preview: Displays a preview of a template.

Viewer (visible instead of the HTML Editor when an image file is selected on the File System tree):
  Zoom In: Enlarges an image.
  Zoom Out: Reduces the size of an image.
  Fit to Window: Lets an image fill out the Viewer pane.
  Original Size: Displays an image in original size again.

Save Template Changes: Saves your changes to a template.
Cancel: Lets you leave the Template Editor without changes.
System Configuration
Contents
  Configuring the appliance system
  System settings
  System files
  Database updates
  Central Management
System settings
This section tells you where you can configure the settings of the appliance system on the user interface and describes individual system settings.
Appliances tab
Use the Appliances tab to configure the settings of the appliance system. It is selected from the Configuration top-level menu.
[Figure: Appliances tab, showing the Appliances toolbar, the Appliances tree, the Appliance toolbar (appears when an appliance name is selected, for example, mwgappl), and the Appliance settings]

The main elements of the tab are:
  Appliances toolbar: Options for adding and deleting appliances and updating all of them
  Appliances tree: Tree structure displaying different appliances and system settings
  Appliance toolbar: Options for working with a selected appliance (appears when the appliance name is selected, for example, mwgappl)
  Appliance settings: System settings of the selected appliance
Appliances toolbar
The Appliances toolbar provides the following options:
Table 7-2 Appliances toolbar
Option: Definition
Add: Opens the Add Appliance window for adding an appliance.
Delete: Deletes a selected appliance. A window opens to let you confirm the deletion.
Manual engine update: Updates DAT files with virus signatures and other filtering information for all configured appliances.
Appliance toolbar
The Appliance toolbar provides the following options:
Note: This toolbar appears only when an appliance name is selected on the Appliances tree, for example, mwgappl.
Table 7-3 Appliance toolbar
Option: Definition
Reboot: Restarts an appliance.
Flush cache: Flushes the web cache of an appliance.
Update appliance: Implements an updated version of the appliance.
Shutdown: Lets an appliance become inactive.

example, Network.
3 Configure these settings as needed.
4 Click Save Changes.
Select time zone: List for selecting a time zone. Time synchronization performed by the NTP servers or manually set time refer to the time zone that you select here.
License administration
Settings for importing a license and reviewing license information.
Import License: Provides items for importing a license.
  License file: Input field for entering the name of a license file. You can type a file name here or use the Browse button and select an appropriate file.
  Browse: Opens the file manager on your system to let you browse to a license file.
  Activate: Activates the license specified in the input field.
Note: The Activate button is grayed out as long as you have not entered a file name in the input field.
License information Displays information on the license that is currently in use on the appliance. The table below explains this information.
Table 7-6 License information
Option: Definition
Status: Status of a license
Creation: Date when the license was created.
Expiration: Date when the license expires.
License ID: Numerical value that identifies the license.
Customer: Name of the license owner
Seats: Number of workplaces in the owner's company that the license is valid for.
Evaluation: Information on whether the license has been evaluated.
IP address of the network interface (manually configured)
Subnet mask of the network interface (manually configured)
Default route for web traffic using the network interface (manually configured)
Maximum number of bytes in a single transmission unit
List of aliases for the IP address
Add alias: Opens the Input window for adding an alias
Delete: Deletes a selected alias
IPv6 Tab for configuring network interfaces under version 6 of the Internet Protocol. The table below describes this tab.
Table 7-8 IPv6 tab
Option: Definition
IP settings: List for selecting a method of configuring an IP address for a network interface
  Obtain automatically (DHCP): The IP address is automatically obtained using the Dynamic Host Configuration Protocol (DHCP).
  Solicit from router: The IP address is obtained from a router.
  Configure manually: The IP address is configured manually using the input fields below. Note: If this option is not selected, the input fields are grayed out.
  Disable IPv6: Version 6 of the Internet Protocol is not used for this interface.
These items have the same meanings as on the IPv4 tab, see above.
Advanced Tab for configuring additional media and a bridge for a network interface. The table below describes this tab.
Table 7-9 Advanced tab
Option: Definition
Media: List for selecting additional media for use with the network interface.
  Automatically detect: Media for use with the network interface are automatically detected if available in the network environment of the appliance.
  1000BaseT-FD, 1000Base-HD, ...: The selected media item is used with the network interface.
Bridge enabled: When selected, web traffic is routed through the network interface in transparent bridge mode.
Name: Name of the transparent bridge
Port Forwarding
Settings for configuring port forwarding rules.
Port forwarding rules: List of port forwarding rules. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7-10 Elements of an entry in the Port Forwarding Rules list
Option: Definition
Source Host: IP address of the host that is the source of web traffic in a port forwarding rule.
Source Port: Port used on this host for outgoing web traffic.
Destination Host: IP address of the host that web traffic from the source host should be directed to.
Destination Port: Port used on this host for web traffic coming in from the source host and port.
Comment: Plain-text comment on the port forwarding rule
Static routes
Settings for configuring static routes.
Static Routes List: List of static routes used under version 4 of the Internet Protocol. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7-11 Static Routes List
Option: Definition
Destination: IP address and (optionally) netmask of the host that is the destination for a static route.
Gateway: IP address of the gateway for routing web traffic from the appliance to this host.
Device: Interface used on this gateway for the static route.
Description: Plain-text description of the static route
Comment: Plain-text comment on the static route

Static Routes List (IPv6): List of static routes used under version 6 of the Internet Protocol. The elements of the entries in this list have the same meanings as under version 4, see above.
Enable local user interface over HTTPS: When enabled, you can connect to the user interface using the HTTPS protocol.
HTTPS connector: Port for connecting to the user interface under HTTPS.
Note: You can specify multiple ports here, separated by commas.
Session timeout Time (in minutes) to elapse before a session on the user interface is closed if no activities occur.
Note: The range of allowed values is 1 to 9999.
System files
You can edit the system files of the appliance with a file editor. This section tells you how to work with this editor.
[Figure: System files tab, showing the Appliances tree, the toolbar, the System files tree, and the file text]

The main elements of the tab are:
  Appliances: Tree structure of appliances that can be administered from this appliance
  System files: Tree structure of system files for an appliance
  Toolbar: Items for editing a system file
  File text: Text of the currently selected system file
Table 7-12 File Editor toolbar
Option: Definition
Select All: Selects the complete text.
Discard Changes: Discards text changes. A window opens to let you confirm the discarding.
Database updates
Information retrieved from external databases for use in the filtering process needs to be updated on the appliance from time to time. This section tells you how you can schedule automatic updates and also how to update this information manually.

Web objects are filtered on the appliance in a rule-based process. The filtering rules need information on these objects before they can trigger actions, such as blocking access to an object or allowing it. They rely for this information on special modules. For example, a virus and malware filtering rule relies on the Antivirus module (or engine) to find out whether an object is virus-infected, and a URL filtering rule relies on the TrustedSource module for URL category information. The modules retrieve this information, for example, virus signatures stored in DAT files, from external databases. The database updates on the appliance are updates of this information.

You can update database information on the appliance using different methods.
Manual engine update: You can manually update database information for the modules of the appliance you are currently logged on to. If you are running multiple appliances and use Central Management functions to administer them, this manual update also applies to all appliances that you have included as nodes in this Central Management configuration.
Automatic engine update: You can also configure automatic updates at regular intervals for the modules of the appliance you are currently logged on to. These updates can retrieve information:
  From the internet: Information is then downloaded from the relevant external databases.
  Note: Database information is updated in this way immediately after the initial setup of an appliance.
  From other nodes in a Central Management configuration: Information is then downloaded from these nodes. For every node, you can in turn configure whether uploading information from it to other nodes is allowed. You can configure these updates when you set up the Central Management configuration, specifying for each node how it should behave regarding automatic updates.
Enabling of automatic updates: To make sure updates can happen automatically on an appliance at all.
Sources of the updates: These can be external databases on the internet. In a Central Management configuration, these can also be other nodes.
Update intervals: With a special setting for updating certificate revocation lists (CRLs).
Use of update proxies: To enable a fail-over when systems become unavailable.
Advanced update settings: For the upload of updated information from one node to others in a Central Management configuration and other functions.
4 Click Save Changes.
Enable automatic updates: When selected, database information is automatically updated.
Allow to download updates from the internet: When selected, database updates are downloaded from the internet.
Allow to download updates from other nodes: When selected, database updates are downloaded from other nodes in a Central Management configuration.
Update interval: Time (in minutes) to elapse before database information is again updated. The time is set on a slider scale.
Note: The range of allowed values is 15 to 360.
CRL update interval: Time (in hours) to elapse before certificate revocation lists used in filtering SSL-secured web traffic are updated. This update uses a method that differs from those of other updates and must therefore be configured separately. The time is set on a slider scale.
Note: The range of allowed values is 3 to 168.
Enable update proxies: When selected, proxy servers are used for routing updated database information.
Update proxies (fail over): List of proxy servers used for routing updated database information. The proxy servers are used in fail-over mode. The first server on the list is tried first, and only if the configured timeout has elapsed is the next server tried. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7-13 Update Proxies list
Option: Definition
Host: Host name or IP address of the server that is used as proxy for routing updates.
Port: Port on the proxy that listens for update requests.
User: User name of the user who is authorized to request updates that use the proxy.
Password: Password of this user
Comment: Plain-text comment on the proxy
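The fail-over behaviour of the Update proxies list, as an added Python example (this is not McAfee Web Gateway code): proxies are tried strictly in list order, and the next entry is consulted only after a connection attempt has run into the configured timeout. The UpdateProxy fields mirror Table 7-13; the connector interface, the ProxyTimeout exception, the simulated connector and the sample proxy list are assumptions constructed for the example.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class UpdateProxy:
    """One entry of the Update Proxies list (fields as in Table 7-13)."""
    host: str
    port: int
    user: str = ""
    password: str = ""
    comment: str = ""


class ProxyTimeout(Exception):
    """Raised by a connector when the configured timeout elapses (assumed interface)."""


def tcp_connector(proxy: UpdateProxy, timeout_s: float) -> None:
    """Connector that opens a TCP connection to the proxy with the given timeout.
    A refused or unreachable host is treated like a timeout here (assumption; the
    guide only describes the timeout case)."""
    try:
        with socket.create_connection((proxy.host, proxy.port), timeout=timeout_s):
            return
    except OSError as exc:  # socket.timeout is a subclass of OSError
        raise ProxyTimeout(f"{proxy.host}:{proxy.port}: {exc}") from exc


def select_update_proxy(
    proxies: List[UpdateProxy],
    connect: Callable[[UpdateProxy, float], None],
    timeout_s: float,
) -> Tuple[Optional[UpdateProxy], List[str]]:
    """Walk the list in order; move to the next proxy only after a timeout.

    Returns the first proxy that answered (None if all timed out) together with
    the host:port of every proxy that was tried, in order, for the audit trail.
    """
    tried: List[str] = []
    for proxy in proxies:
        tried.append(f"{proxy.host}:{proxy.port}")
        try:
            connect(proxy, timeout_s)
        except ProxyTimeout:
            continue  # fail over to the next entry
        return proxy, tried
    return None, tried


def simulated_connector(reachable_hosts: set) -> Callable[[UpdateProxy, float], None]:
    """Constructed stand-in for tcp_connector: hosts not in the set 'time out'."""
    def connect(proxy: UpdateProxy, timeout_s: float) -> None:
        if proxy.host not in reachable_hosts:
            raise ProxyTimeout(f"{proxy.host}:{proxy.port} timed out after {timeout_s}s")
    return connect


# Constructed sample list: the primary proxy is down, the second one answers.
SAMPLE_PROXIES = [
    UpdateProxy("proxy1.example.test", 8080, comment="primary"),
    UpdateProxy("proxy2.example.test", 8080, comment="secondary"),
    UpdateProxy("proxy3.example.test", 3128, comment="tertiary"),
]


def demo() -> Tuple[Optional[UpdateProxy], List[str]]:
    reachable = {"proxy2.example.test", "proxy3.example.test"}
    return select_update_proxy(SAMPLE_PROXIES, simulated_connector(reachable), 5.0)


if __name__ == "__main__":
    chosen, tried = demo()
    print("tried:", tried)
    print("using:", chosen.host if chosen else "none (all proxies timed out)")
```

The list of tried proxies is returned on purpose: an update that silently succeeds through the third proxy every day means the primary has been down for that long, which is worth surfacing in monitoring rather than hiding behind the fail-over.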
Advanced Settings
Settings for advanced update functions
Allow to upload updates to other nodes: When selected, updated database information can be uploaded from the appliance (as a node in a Central Management configuration) to other nodes.
The first time an update starts, it should wait an appropriate time before starting: Time (in seconds) to elapse before an update is started.
Note: The range of allowed values is 5 to 1200.
The first time an automatic update starts, it uses the startup interval to update: Time (in seconds) to elapse between attempts to start an automatic update for the first time. During an update, the coordinator subsystem, which stores updated information on the appliance, tries to connect to the appliance core, where the modules reside that use this information. A low value for this interval can therefore speed up updates because it reduces the time the coordinator might have to wait until the core is ready to receive data.
Note: The range of allowed values is 5 to 600.
Try to update with start interval: Maximum number of attempts (1 to 9) the appliance makes when trying to start an update.
Use alternative URL: URL of an update server that is used instead of the default server.
Verify SSL tunnel: When selected, an option to tunnel SSL-secured web traffic is used for updates.
Central Management
This section explains how to configure a Central Management configuration.

You can run multiple appliances within your network and use Central Management functions to administer them. The appliances then have the following connections:
  Each of the appliances has clients that direct their web traffic to it.
  The appliances are joined in an appliance group that allows, for example, updates from one appliance to others. An appliance can be a member of different groups at the same time.

After setting up an appliance, you can configure Central Management settings for it. You can then add other appliances that you want to be in the same group to the configuration. After adding an appliance, you can view and configure its system settings on the user interface of the appliance that the other appliance was added to.

The diagram below shows a group of appliances in a Central Management configuration.
Communication parameters: The IP address used for communication with other nodes, a timeout, and the maximum number of retries
Group membership: The group or groups that an appliance belongs to
Update schedules: Methods and intervals for database updates
Advanced settings: For storing configuration data and other functions
4 Click Save Changes.
Host name or IP: Of the added appliance
Network group: Group that the appliance belongs to (selected from a list)
4 Click OK. The new appliance appears on the Appliances tree.
5 Click Save Changes.
Timeout of distribute messages to other nodes: Time (10 to 600 seconds) to elapse before the node makes the next attempt to send a message to another node that has not yet responded. The value is set on a slider scale.
Attempts to distribute messages per address: Maximum number of attempts (1 to 5) the node makes when trying to reach another node under a particular IP address that has not yet responded. The number is set on a slider scale.
The value for this priority is set on a slider scale.
Allow a GUI server to attach to this node: When selected, a server providing an additional user interface for the appliance is allowed to connect to the node.
Allow to attach a GUI server from non-local host: When selected, a server with an additional user interface that is not running within your network is allowed to connect to the node.
GUI control address: IP address and port number of the server that provides an additional user interface
GUI request address: IP address and port number of this server used when sending requests to it
Contact other nodes unencrypted: When selected, messages sent from this node to other nodes in the configuration are not encrypted.
Monitoring
Contents
  Monitoring the appliance
  Dashboard
  Logging
  Forwarding data to an ePO server
  Event monitoring with SNMP
  Error handling
Monitoring functions
This section gives an overview of the monitoring functions that are available on the appliance.
Dashboard: The user interface provides a dashboard, where you can view information on web usage, filtering activities, and system behavior.
Logging: The appliance provides two default logs for storing log files. Entries in these files are written by rules in corresponding rule sets. You can configure the handling of these log files, such as rotation, deletion, and pushing. Other log files are not maintained by rules. The default rule-based logs are:
  Access log: Records requests for access to the web received on the appliance.
  Viruses Found log: Records viruses and other malware that infected requested objects.
Monitoring with external devices: You can forward information on the appliance status to an ePolicy Orchestrator (ePO) server and monitor events on the appliance with an agent application under the SNMP protocol.
Troubleshooting functions
When problems arise in working with the appliance, you might want to take troubleshooting measures. Monitoring what has happened in a problem situation can be one of the means for troubleshooting. The user interface provides a Troubleshooting top-level menu, which also includes some monitoring functions. For more information, see Troubleshooting.
Monitoring Dashboard
Dashboard
The dashboard on the user interface of the appliance allows you to monitor web usage, filtering activities, and system behavior. This section tells you how to access the dashboard and gives an overview of the information it provides.
Table 8-1 Options for displaying dashboard information
Option: Definition
Show last: Drop-down list for selecting a time interval: 1 hour | 3 hours | ... | 1 year
Resolution: Displays the time unit used for the diagram that shows the development of a parameter over the selected interval. Resolution varies with the interval. For example, when 1 hour is selected, the diagram uses 1 minute as the time unit; when 1 year is selected, the diagram uses 1 day.
View: Drop-down menu for selecting:
  Display mode: Line | Stacked
  Average values
Refreshes the view.
For displaying static information
Top: Drop-down list for selecting how many of the items with the highest scores are shown: 10 | 25 | ... | 1000. For example, the 25 URL categories that were most often requested can be shown.
Refreshes the view.
Table 8-2 Overview of dashboard information
Information: Description

Categories by Hits
Malwares by Hits
System Summary
Network Utilization
System Utilization
Update Status
Last Update
Open Ports
WCCP Services
Active Proxy Connections
Web Traffic Summary
Traffic per Protocol
Requests per Protocol
ICAP Traffic Summary
ICAP Traffic
ICAP Requests
Traffic Volume
Top-Level Domains by Bytes Transferred
Top-Level Domains by Number of Requests
Destinations by Bytes Transferred
Destinations by Number of Requests
Source IPs by Bytes Transferred
Source IPs by Number of Requests
Web Cache Statistics
  Web Cache Efficiency: Shows how numbers of caching requests developed during the selected interval and sorts them into hits and misses.
  Web Cache Object Count: Shows how numbers of objects in the cache developed during the selected interval.
  Web Cache Usage: Shows how usage of the cache developed during the selected interval.
Malware Statistics
  Malware URLs by Hits: Lists the URLs infected by viruses and other malware that were most requested.
  Malware by Hits: Lists the malware types that most requests were made for.
URL Filter Statistics
  Category: Shows how numbers of requested URL categories developed during the selected interval.
  Reputation: Shows how numbers of requests developed during the selected interval and sorts them according to the reputation of the requested URLs.
  Categories by Hits: Lists the URL categories that were most requested.
  Sites Not Categorized by Hits: Lists among the sites that are not categorized those that were most requested.
  Malicious Sites by Hits: Lists among the sites that were found to be infected those that were most requested.
Media Type Statistics
  Media Type Groups by Hits: Shows how numbers of requested media type groups developed during the selected interval and sorts the different types into audio files, images, and others.
  Media Types by Bytes: Lists the media types that were most requested according to the number of bytes transferred.
  Media Types by Hits: Lists the media types that were most requested according to the numbers of successful requests for them.
Certificate Statistics
  Certificate Incidents: Shows how numbers of incidents developed during the selected interval and sorts them according to the events that caused the incident, for example, expired certificates or common name mismatches.
System Details
  Network Utilization: Shows how numbers of requests sent and received developed during the selected interval.
  CPU Utilization: Shows how CPU usage developed during the selected interval.
  Memory Usage: Shows how the usage of memory developed during the selected interval.
  Swap Space (Virtual Memory) Usage: Shows how usage of virtual memory developed during the selected interval.
  File System Utilization: Shows how usage of the file system developed during the selected interval.
  File System Utilization: Shows usage of the file system per partition.
  Open TCP Ports: Shows how the number of open TCP ports developed during the selected interval.
Monitoring Logging
Logging
Appliance behavior can be recorded in log files. This section describes the available log file types, explains their handling, and gives an example of configuring a log file to record found viruses.
Name: Write Found Viruses Log
Criteria: Antimalware.Infected equals true
Action: Continue
Events:
  Set User-Defined.LogLine = [ + DateTime.ToString ( ) + ] + Authentication.Username + + String.IP.ToString (Client.IP) + + String.List.String.ToString (Antimalware.VirusNames) + + URL
  Execute FileSystemLogging.WriteLogEntry (User-Defined.LogLine) <FoundVirusesLog>
The rule applies when a requested object has been found to be infected. Then it triggers two events, one to set parameter values, including the names of the found viruses and malware items and related information, and another to write an entry with these values into a log file.

The elements of this rule have the following meanings:
Criteria: Antimalware.Infected equals true
  The criteria of the rule uses the Antimalware.Infected property. It is matched when it has the value true. This means that the rule applies when a filtered object is infected.
Action: Continue
  When it applies, the rule triggers the Continue action. This action lets processing continue with the next rule after the events of the current rule have been executed.
Events: When it applies, the rule also triggers two events:
  Set User-Defined.LogLine = ...
    Sets the parameter values that are logged, including:
    DateTime.ToString ( ): Date and time of the request for the object that was found to be infected. The value is converted into a string before being logged.
    Authentication.Username: Name of the authenticated user who requested the object.
    String.IP.ToString (Client.IP): IP address of the client the request was sent from. The address is converted into a string.
    String.List.String.ToString (Antimalware.VirusNames): List with the names of the found viruses and other malware items. The list is converted into a string.
    URL: URL that was requested.
  Execute FileSystemLogging.WriteLogEntry ...
    Executes the write event. The entry that is to be written and the log file it is written into are specified with the event:
    (User-Defined.LogLine): Event parameter specifying the entry. This is a log file line with the parameter values that have been set by the other event of the rule.
    <Found Viruses Log>: Event settings specifying the log file.
Note: Clicking the settings name on the user interface opens the settings for editing.
You can modify this logging rule or create similar rules of your own. For more information, see Create a sample logging rule.
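A builder and a parser for log lines in the shape the Write Found Viruses Log rule produces, as an added Python example (this is not McAfee Web Gateway code, and the lines are not real appliance output). It assumes that the values typed between the properties are single spaces, that the timestamp stands in square brackets, and that the virus-name list is rendered as a comma-separated string; the timestamp format, the user names, addresses and URLs in the sample log are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed separator typed as the Value between the properties of the rule.
SEP = " "


@dataclass
class FoundVirusEntry:
    timestamp: str
    username: str
    client_ip: str
    virus_names: List[str]
    url: str


def build_log_line(timestamp: str, username: str, client_ip: str,
                   virus_names: List[str], url: str) -> str:
    """Mirrors the Set User-Defined.LogLine event: '[' + DateTime.ToString() + ']'
    + Authentication.Username + String.IP.ToString(Client.IP)
    + String.List.String.ToString(Antimalware.VirusNames) + URL, with SEP between
    the parts. The list is assumed to render as a comma-separated string."""
    names = ", ".join(virus_names)
    return SEP.join([f"[{timestamp}]", username, client_ip, names, url])


_HEAD = re.compile(r"^\[(?P<ts>[^\]]+)\]" + re.escape(SEP) + r"(?P<rest>.+)$")


def parse_log_line(line: str) -> Optional[FoundVirusEntry]:
    """Parses one entry; returns None for a line that is not in the expected shape.

    The URL is taken as the last field and everything between the client IP and
    the URL is the virus-name list, so names that contain spaces are preserved.
    """
    match = _HEAD.match(line.rstrip("\r\n"))
    if not match:
        return None
    parts = match.group("rest").split(SEP)
    if len(parts) < 4:  # user, ip, at least one name, url
        return None
    username, ip_text, url = parts[0], parts[1], parts[-1]
    try:
        ipaddress.ip_address(ip_text)  # reject lines whose IP field is not an address
    except ValueError:
        return None
    names_text = SEP.join(parts[2:-1])
    names = [n.strip() for n in names_text.split(",") if n.strip()]
    return FoundVirusEntry(match.group("ts"), username, ip_text, names, url)


def parse_log(text: str) -> List[FoundVirusEntry]:
    """Parses a whole log file, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def hits_by_virus(entries: List[FoundVirusEntry]) -> Dict[str, int]:
    """Counts how often each malware name was logged (the same view as the
    dashboard's Malware by Hits information, computed from the log)."""
    counts: Dict[str, int] = {}
    for entry in entries:
        for name in entry.virus_names:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample log (timestamp format and all values are made up for the example).
SAMPLE_LOG = "\n".join([
    build_log_line("2010-06-14 10:23:45", "jdoe", "10.0.0.12",
                   ["EICAR-Test-File"], "http://example.test/eicar.com"),
    build_log_line("2010-06-14 10:24:02", "asmith", "10.0.0.20",
                   ["Generic Malware.a", "Trojan.b"], "http://example.test/dl/setup.exe"),
    "this line is not in the expected shape",
])


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(entry)
    print(hits_by_virus(parse_log(SAMPLE_LOG)))
```

Parsing from both ends (timestamp from the bracketed head, URL from the tail) is deliberate: a space-separated format with a free-text list in the middle cannot be split on spaces alone, and a parser that assumed one token per field would silently mis-assign the URL of every entry with a multi-word malware name.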
rule-based log files that are provided by default appear:
  access.log
  foundViruses.log
4 Double-click a folder to view a list of log files with names, sizes, and dates.
Using the items on the toolbar, you can: View file content
Note: You can also double-click a log file to view its content.
files for McAfee Web Gateway. Using your file manager, navigate to the location where these program files are stored and go to: /opt/mwg/log/user-defined-logs/<log file name>/<log file name>
A list of log file folders appears on the settings pane with folders for system-maintained and rule-based log files.
3 Double-click a folder, for example, audit, to view a list of system-maintained log files with names, sizes, and dates. Using the items on the toolbar, you can:
  View file content
Note: You can also double-click a log file to view its content.
the main window area, items appear for adding a name and other general settings.
4 Add the following general settings:
  a Name: Type Write Found Malware Log.
  Note: The name of the already existing logging rule is Write Found Viruses Log.
  b Enable rule: Deselect this checkbox, so the sample rule is not enabled.
5 Select Rule Criteria. Items for adding the criteria appear.
6 Click Add. The Add Criteria window opens.
7 Add the criteria of the rule (Antimalware.Infected equals true):
  a From the Property list, select Antimalware.Infected.
  b In the Operator list, leave equals.
  c
8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area. It lets the rule write a log file entry if an object is actually found to be infected.
9 Select Action and from the Action list, select Continue. This action lets the filtering process continue
click OK.
b Click Add again, select Property, and from the properties list, select DateTime.ToString (String).
c Click Parameters and in the Property Parameters window (where Value is selected), click OK. Then click OK again to close the preceding window.
d Click Add, select Value and enter a closing square bracket. Then click OK.
  This adds the date and time part included in square brackets and with an output field for the date and time value.
e Click Add, select Property, and from the properties list select Authentication.UserName. Then click OK.
f Click Add and in the Value field, type . Then click OK. This adds the user name part with an output field for the value.
g Use the appropriate items to add properties and output fields for the client IP address and the
log file.
18 Click OK on both open windows to close them.
19 Select Summary to review what you have configured.
20 Click Finish. The sample logging rule is inserted in the Found Viruses Log rule set. Click Delete to remove it again.
21 Click Save Changes.
click Add.
4 From the drop-down menu that appears, select Log Handler. The Add New Log Handler window
  Name: Name of the log handler
  Enable: When selected, the log handler is enabled.
  [Optional] Comment: Plain-text comment on the log handler.
6 [Optional] Select the Permissions tab and configure who is allowed to access the new log handler.
7 Click OK to close the Add New Log Handler window. The log handler is inserted into the tree structure.
8 Click Save Changes.
You can now insert one or more nested rule sets into the log handler and fill these with rules. For more information, see Add a new rule set, Create a sample logging rule, and Access restrictions.
Configuration. These will serve as the starting point for creating new settings, including settings for a new log.
c Click Add above the Settings tree. The Add Settings window opens.
d In the Name field, enter a name for the new settings.
e [Optional] Type a comment on the new settings and use the Permission tab to configure who is
Under Name of the log, type the name of the new log.
g Configure other items of the new settings as needed.
h Click OK. The Add Settings window closes and the new settings appear under File System
4 Go to Policy | Rule Sets and insert a logging rule that triggers events when its criteria is matched into the rule set you created in step 2. The logging rule should trigger the following events if its criteria is matched:
  A set event that sets parameter values for a log file entry.
  A write event that writes the entry into a log file of the log you created.
Note: The criteria of the logging rule relates to what you want to log, for example, Antimalware.Infected equals true as the criteria if you want to log requests for infected objects. Then the set and write events are triggered if an object is found to be infected.
5 Click Save Changes.
The new log and the log files are stored in a folder of the program files for McAfee Web Gateway. To view them, navigate with your file manager to the location where these program files are stored and go to:
/opt/mwg/log/user-defined-logs/<log file name>/<log file name>
For more information, see Create a log handler, Add a new rule set, Create a sample logging rule, Configuring log file settings, and Access restrictions.

Log settings: For log name, log file header, and other parameters.
Log file settings: For rotation, deletion, and pushing of log files.
4 Click Save Changes.
File Manager.
3 Configure these system settings as needed. They include settings for rotation, deletion, and pushing of log files.
4 Click Save Changes.
File System Logging Settings
Settings for a log that stores log files
Name of the log: Log name
Enable log buffering: When selected, the log is buffered. The buffer interval is 30 seconds.
Enable header writing: When selected, the header below is added to all log files.
Log header: Input field for typing a header for all log files
Encrypt the log file: When selected, log files are stored encrypted.
First password, Repeat password: Input fields for creating a password for access to encrypted log files
[Optional] Second password, Repeat password: Input fields for creating a second password for access to encrypted log files
Settings for Rotation, Deletion, and Pushing
Settings for handling log files
Enable specific settings for User-Defined Log: When selected, the settings configured in the following apply to the user-defined logs, which store the log files that are rule-based. Otherwise the system settings configured for the Log File Manager function also apply to this log.
Auto Rotation
Settings for rotating log files automatically according to size and time of day
Enable auto rotation: When selected, log files are rotated according to the following settings.
Note: You can configure just one of the two settings or both.
Enable log file rotation if log file size exceeds: When selected, log files are rotated according to the size (in MiB) specified in the input field provided here.
Enable scheduling of log file rotation: When selected, log files are rotated according to the time of day (in hours and minutes) specified in the input field provided here.
Note: The 24-hours format is used here, for example, 1:30 p. m. is 13:30.
Auto Deletion
Settings for deleting log files automatically according to size and last time of modification
Enable auto deletion: When selected, log files are deleted according to the following settings.
Note: You can configure just one of the two settings or both.
Enable log file deletion if log file size exceeds: When selected, log files are deleted according to the size (in MiB) specified in the input field provided here.
Enable autodeletion of unchanged files: When selected, log files are deleted after the time (in days) specified in the input field provided here.
Auto Pushing
Settings for pushing rotated log files to another server
Enable auto pushing: When selected, rotated log files are pushed from the local database to the server specified by the following settings.
Destination: Network protocol, host name, and path of the server
User name: Name of the user who is authorized to push log files to the server
Enable pushing log files directly after rotation: When selected, pushing follows rotation immediately.
Push interval: Time (in hours) to elapse before the next log files are pushed (if not pushed immediately after rotation)
Global Log File Settings
Settings for all log files that no specific settings have been configured for
Auto Rotation, Auto Deletion, Auto Pushing: Meanings and usage of these settings are the same as for the corresponding settings of the File System Logging module.
Settings for the Update Log
Enable specific settings for Update Log: When selected, the settings configured in the following apply to the Update Log. Otherwise the global log file settings apply.
Auto Rotation, Auto Deletion, Auto Pushing: Meanings and usage of these settings are the same as for the corresponding settings of the File System Logging module.
Settings for the Audit Log
Enable specific settings for Audit Log: When selected, the settings configured in the following apply to the Audit Log. Otherwise the global log file settings apply.
Auto Rotation, Auto Deletion, Auto Pushing: Meanings and usage of these settings are the same as for the corresponding settings of the File System Logging module.
For more information, see File System Logging engine settings.
The rule set contains the following rule:
Write access.log
Always > Continue
Set User-Defined.LogLine = [ + DateTime.ToString() + ] ...
Execute FileSystemLogging.WriteLogEntry (User-Defined.LogLine) <Access Log Configuration>
The rule uses an event to fill a log file entry with parameter values relating to requests sent by users, such as user names or request headers. It uses another event to write this entry to a log file. The log file entry is specified as a parameter in both events. The log that stores the log file is specified by the settings of the write event.
The logging rule applies whenever a request for access to the web is received. The two rule events for filling and writing a log entry are then executed, and the filtering process continues with the next rule or rule set.
Values for the following parameters are set and logged by the events of the rule (properties used by the set event in italics):
Date and time: DateTime.ToString
User name: Authentication.UserName
Client IP: String.IP.ToString(Client.IP)
Response status: String.Number.ToString(Response.StatusCode)
Request header: RequestHeader.FirstLine
URL category: List.Category.ToString(URL.Categories<Default>)
URL reputation: String.Number.ToString(URL.Reputation<Default>)
Media type: String.MediaType.ToString(MediaType.Header)
Body size: String.Number.ToVolumeString(Body.Size)
User agent: Header.Get(User-Agent)
Virus and malware names: String.List.String.ToString(Antimalware.VirusNames<Gateway Antimalware>)
Block action ID: String.Number.ToString(Block.ID)
The ePolicy Orchestrator is a monitoring tool for web security products, which can also include the McAfee Web Gateway appliance. If you configure the orchestrator and the appliance accordingly, you can log on to the appliance from the ePO user interface and have monitoring data forwarded from the appliance to the ePO server. When forwarding data to the ePO server is configured, this server sends SSL-secured requests for collecting data to the appliance at regular intervals. You then need to allow the CONNECT request that the SSL-secured communication begins with to bypass the normal processing of web security rules, so that it does not get blocked on the appliance. For example, if you have authentication rules implemented, this would lead to blocking because the ePO server does not support authentication. You can import an appropriate rule set from the library to enable the bypassing or create a rule set of your own. For more information, see Configure data forwarding, Import a rule set, and Bypass ePO requests library rule set.
appliance that is needed to forward the data and settings for the data collection process.
4 Click Save Changes.
The rule set is processed when the SSL-secured communication between the ePO server and the appliance begins with a request from the server to connect to the appliance. It contains the following rule:
Skip subsequent rules for ePO requests
URL.Host equals 127.0.0.1 OR URL.Host equals [::1] > Stop Cycle
Enable SSL Client Context <Default CA>
Enable SSL Scanner <Certificate verification without edh>
The rule uses the URL.Host property to identify the host of a requested URL, using the IP address of the host. If this address is 127.0.0.1, the host of the requested URL is the appliance. When the ePO server sends a request to connect to the appliance, it uses this address. So if 127.0.0.1 is the requested address, the rule applies and stops all further processing in the request cycle. The CONNECT request is allowed to pass through and the process of collecting appliance data for the ePO server can go ahead. The next step in this process is sending and verifying certificates. The rule includes an event to enable the sending of a client certificate that is issued by the default certificate authority. You can modify the event settings to have the certificate issued by another authority. The rule also includes an event to enable verification of the certificate sent by the ePO server without using the EDH (Ephemeral Diffie-Hellman) method, which is the appropriate procedure for this server.
SNMP port settings: For the ports that listen to requests from the SNMP agent.
SNMP system information: For the system that serves as a management station for the agent.
SNMP protocol options: For the communication between the appliance and the agent.
SNMP trap sinks: For the systems that are to receive messages on monitored events from the agent.
4 Click Save Changes.
SNMP v3: When selected, access is granted to users under this version of the protocol.
SNMP v3 Users: List of users with allowed access. The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 8-4 SNMP v3 Users list
User name: Name of a user who is allowed access
Allowed root OID: ID of the object that is the root of an allowed user
Authentication: Information on whether the user must authenticate to gain access
Encryption: Information on whether the monitoring data is provided for the user in encrypted format
Read-only access: Information on whether a user is only allowed to read monitoring information
Comment: Plain-text comment on the user
Error handling
Errors of the appliance system can be handled by rules. This main section describes how you can create a top-level error rule set (also known as error handler) for nesting rule sets with error rules. It also describes the rule sets that are provided by default for error handling on the appliance.
click Add.
4 From the drop-down menu that appears, select Error Handler. The Add New Error Handler window
Name: Name of the error handler
Enable: When selected, the error handler is enabled.
[Optional] Comment: Plain-text comment on the error handler.
6 [Optional] Select the Permissions tab and configure who is allowed to access the new error handler.
7 Click OK to close the Add New Error Handler window. The error handler is inserted into the tree structure.
8 Click Save Changes.
You can now insert one or more nested rule sets into the error handler and fill these with rules. For more information, see Add a new rule set, Access restrictions, and Error handler rule sets.
The rule set contains the following rule:
Always block
Always > Block<Internal Error>
The rule blocks access to all objects when an internal error occurs. The action settings specify that a user who is affected by the blocking is notified.
The rule in this rule set is for handling internal errors on the appliance. It is executed at the time when an internal error occurs, which can, of course, not be predicted and can happen at any time during the filtering process or not at all. In this sense, processing the rule is not part of the normal process flow. After executing the blocking, the rule stops all further processing of rules for the requests, responses, or embedded objects that were being filtered when the internal error occurred. This ensures that no malicious or inappropriate web objects enter your network or leave it while the appliance is not fully available. The process flow continues when the next request is received if the internal error did not lead to an interruption of the appliance functions.
Troubleshooting
Contents
Troubleshooting appliance problems
Create a feedback file
Enable the creation of core files
Enable the creation of connection tracing files
Generate a TCPdump
Use network tools
Back up and restore the appliance configuration
Network tools
You might need to test whether connections to other network components still work. The appliance provides several tools, including ping, nslookup, and traceroute, for doing this.
Note: It is recommended that you use this option to stop the appliance before creating the feedback file.
3 Click Create Feedback File. The file is created and appears with its name, size, and date in the list under Feedback file. Using the items on the toolbar, you can:
View file content
Download files
Copy link: copy links to files
They can be viewed on a list after selecting the Troubleshooting top-level menu, navigating to an appliance, and selecting Core Files. Using the items on the toolbar, you can:
View file content
Download files
Copy link: copy links to files
Note: To trace only activities on a connection to a network component with a particular IP address, select Restrict tracing to only one IP and type the address in the IP field.
Connection tracing files can be viewed on a list after selecting the Troubleshooting top-level menu, navigating to an appliance, and selecting Connection Tracing. Using the items on the toolbar, you can:
View file content
Download files
Copy link: copy links to files
Generate a TCPdump
TCPdumps can be used on the appliance to review network activities of the appliance and detect reasons for errors and failures. Complete the following procedure to generate a TCPdump:
1 Go to Troubleshooting | TCPdump.
2 Under Command line parameters, type parameters for the TCPdump as needed.
3 Click tcpdump start. The dump is generated and appears with its name, size, and date in the dump list under Results (dump). Using the items on the toolbar, you can:
View dump content
Download dumps
Copy link: copy links to dumps
Ping
Ping6
nslookup
traceroute
traceroute6
The corresponding command is executed and the output displayed in the Results field, for example:
Ping: unknown host testhost
To back up the configuration, click Backup to file. A window opens to let you select a file for storing the configuration. To restore the configuration, click Restore from file. A message informs you that you will be logged out after restoring and asks whether you really want to do it. If you confirm, a window opens to let you select a file for restoring the configuration.
Note: If you only want to restore the rules, lists, and settings that were configured on the tabs of the Policy top-level menu, make sure the Only restore policy checkbox is selected before clicking the button.
List of actions
The table below provides a list of the actions that can be configured in web security rules. The actions are listed in alphabetical order.
Table -1 List of actions
Authenticate: Stops processing the rules in the current cycle. Sends an authentication request to the client of the user who requested access to an object.
Block: Blocks access to the requested object. Stops processing rules.
Continue: Continues processing with the next rule.
Redirect: Redirects the client that requested access to an object to another object.
Remove: Removes the requested object. Stops processing the rules in the current cycle.
Stop Cycle: Stops processing the rules in the current cycle. Does not block access to the requested object.
Stop Rule Set: Stops processing the rules of the current rule set. Continues processing with the next rule set.
List of events
The table below provides a list of the events that can be configured in web security rules. The events are listed in alphabetical order.
Table -2 List of events
Body.Insert: Inserts a string into the body of a message. Parameters: 1. Number: Byte position where the insertion begins; 2. String: Pattern, either a. a string embedded in double quotes ("...", can also contain hex values preceded by \) or b. a sequence of hex values
Body.Remove: Removes a number of bytes from a body. Parameters: 1. Number: Byte position where the removal begins; 2. Number: Number of bytes to remove
Body.Replace: Replaces a portion of a body with a string. Parameters: 1. Number: Byte position where the replacement begins; 2. String: Pattern, either a. a string embedded in double quotes ("...", can also contain hex values preceded by \) or b. a sequence of hex values
Email.Send: Sends an email. Parameters: 1. String: Recipient; 2. String: Subject; 3. String: Body
Enable Cache: Enables the web cache.
Enable Composite Opener: Enables the composite opener.
Enable Data Trickling: Enables data trickling.
Enable HTML Opener: Enables the HTML opener.
Enable Next Hop Proxy: Enables the use of next-hop proxies.
Enable RuleEngine Tracing: Enables tracing of the rule processing module.
Enable SSL Client Context: Enables the sending of client certificates.
Enable SSL Scanner: Enables the SSL scanning module.
Enable SafeSearchEnforcer: Enables the SafeSearchEnforcer.
Enable Workaround: Enables a workaround.
FileSystemLogging.WriteDebugEntry: Writes a debugging entry. Parameters: 1. String: Debugging entry; 2. Boolean: If true, the entry is written to stdout.
FileSystemLogging.WriteLogEntry: Writes an entry into a log. Parameter: String: Log entry
HTMLElement.InsertAttribute: Inserts an attribute into an HTML element. Parameters: 1. String: Attribute name; 2. String: Attribute value
HTMLElement.RemoveAttribute: Removes an attribute from an HTML element. Parameter: String: Attribute name
Table -2 List of events (continued)
HTMLElement.SetAttributeValue: Sets an attribute to a value. Parameters: 1. String: Attribute name; 2. String: Value to set the attribute to
Header.Add: Adds a header to a request or response. Parameters: 1. String: Header name; 2. String: Header value
Header.AddMultiple: Adds a header with a list of values to a request or response. Parameters: 1. String: Header name; 2. List of String: List of header values
Header.Block.Add: Adds a block header to a request or response. Parameters: 1. String: Header name; 2. String: Header value
Header.Block.AddMultiple: Adds a block header with a list of values to a request or response. Parameters: 1. String: Header name; 2. List of String: List of header values
Header.Block.RemoveAll: Removes all block headers with a given name from a request or response. Parameter: String: Header name
Header.RemoveAll: Removes all headers with a given name from a request or response. Parameter: String: Header name
ICAP.AddRequestInformation: Adds information to an ICAP request. Parameters: 1. String: Name of the request; 2. String: Added information
MediaType.Header.FixContentType: Replaces a media type header with an appropriate header when it is found after inspection of the media body that the original header does not match the body.
Notice: Writes an entry with notice level into syslog. Parameter: String: Log entry
PDStorage.AddGlobalData.Bool: Adds a global variable of type Bool. Parameters: 1. String: Variable key; 2. Boolean: Variable value
PDStorage.AddGlobalData.Category: Adds a global variable of type Category. Parameters: 1. String: Variable key; 2. Category: Variable value
PDStorage.AddGlobalData.Dimension: Adds a global variable of type Dimension. Parameters: 1. String: Variable key; 2. Dimension: Variable value
PDStorage.AddGlobalData.Hex: Adds a global variable of type Hex. Parameters: 1. String: Variable key; 2. Hex: Variable value
PDStorage.AddGlobalData.IP: Adds a global variable of type IP. Parameters: 1. String: Variable key; 2. IP: Variable value
PDStorage.AddGlobalData.IPRange: Adds a global variable of type IPRange. Parameters: 1. String: Variable key; 2. IPRange: Variable value
PDStorage.AddGlobalData.List.Category: Adds a global variable of type Category List. Parameters: 1. String: Variable key; 2. Category List: Variable value
PDStorage.AddGlobalData.List.Dimension: Adds a global variable of type Dimension List. Parameters: 1. String: Variable key; 2. Dimension List: Variable value
PDStorage.AddGlobalData.List.Hex: Adds a global variable of type Hex List. Parameters: 1. String: Variable key; 2. Hex List: Variable value
PDStorage.AddGlobalData.List.IP: Adds a global variable of type IP List. Parameters: 1. String: Variable key; 2. IP List: Variable value
PDStorage.AddGlobalData.List.IPRange: Adds a global variable of type IPRange List. Parameters: 1. String: Variable key; 2. IPRange List: Variable value
Table -2 List of events (continued)
PDStorage.AddGlobalData.List.MediaType: Adds a global variable of type MediaType List. Parameters: 1. String: Variable key; 2. MediaType List: Variable value
PDStorage.AddGlobalData.List.Number: Adds a global variable of type Number List. Parameters: 1. String: Variable key; 2. Number List: Variable value
PDStorage.AddGlobalData.List.Regex: Adds a global variable of type Regex List. Parameters: 1. String: Variable key; 2. Regex List: Variable value
PDStorage.AddGlobalData.List.String: Adds a global variable of type String List. Parameters: 1. String: Variable key; 2. String List: Variable value
PDStorage.AddGlobalData.MediaType: Adds a global variable of type MediaType. Parameters: 1. String: Variable key; 2. MediaType: Variable value
PDStorage.AddGlobalData.Number: Adds a global variable of type Number. Parameters: 1. String: Variable key; 2. Number: Variable value
PDStorage.AddGlobalData.Regex: Adds a global variable of type Regex. Parameters: 1. String: Variable key; 2. Regex: Variable value
PDStorage.AddGlobalData.String: Adds a global variable of type String. Parameters: 1. String: Variable key; 2. String: Variable value
PDStorage.AddUserData.Bool: Adds a user variable of type Bool. Parameters: 1. String: Variable key; 2. Boolean: Variable value
PDStorage.AddUserData.Category: Adds a user variable of type Category. Parameters: 1. String: Variable key; 2. Category: Variable value
PDStorage.AddUserData.Dimension: Adds a user variable of type Dimension. Parameters: 1. String: Variable key; 2. Dimension: Variable value
PDStorage.AddUserData.Hex: Adds a user variable of type Hex. Parameters: 1. String: Variable key; 2. Hex: Variable value
PDStorage.AddUserData.IP: Adds a user variable of type IP. Parameters: 1. String: Variable key; 2. IP: Variable value
PDStorage.AddUserData.IPRange: Adds a user variable of type IPRange. Parameters: 1. String: Variable key; 2. IPRange: Variable value
PDStorage.AddUserData.List.Category: Adds a user variable of type Category List. Parameters: 1. String: Variable key; 2. Category List: Variable value
PDStorage.AddUserData.List.Dimension: Adds a user variable of type Dimension List. Parameters: 1. String: Variable key; 2. Dimension List: Variable value
PDStorage.AddUserData.List.Hex: Adds a user variable of type Hex List. Parameters: 1. String: Variable key; 2. Hex List: Variable value
PDStorage.AddUserData.List.IP: Adds a user variable of type IP List. Parameters: 1. String: Variable key; 2. IP List: Variable value
PDStorage.AddUserData.List.IPRange: Adds a user variable of type IPRange List. Parameters: 1. String: Variable key; 2. IPRange List: Variable value
PDStorage.AddUserData.List.MediaType: Adds a user variable of type MediaType List. Parameters: 1. String: Variable key; 2. MediaType List: Variable value
PDStorage.AddUserData.List.Number: Adds a user variable of type Number List. Parameters: 1. String: Variable key; 2. Number List: Variable value
Table -2 List of events (continued)
PDStorage.AddUserData.List.Regex: Adds a user variable of type Regex List. Parameters: 1. String: Variable key; 2. Regex List: Variable value
PDStorage.AddUserData.List.String: Adds a user variable of type String List. Parameters: 1. String: Variable key; 2. String List: Variable value
PDStorage.AddUserData.MediaType: Adds a user variable of type MediaType. Parameters: 1. String: Variable key; 2. MediaType: Variable value
PDStorage.AddUserData.Number: Adds a user variable of type Number. Parameters: 1. String: Variable key; 2. Number: Variable value
PDStorage.AddUserData.Regex: Adds a user variable of type Regex. Parameters: 1. String: Variable key; 2. Regex: Variable value
PDStorage.AddUserData.String: Adds a user variable of type String. Parameters: 1. String: Variable key; 2. String: Variable value
PDStorage.Cleanup: Cleans up persistently stored data.
PDStorage.DeleteAllUserData: Deletes all permanently stored user data.
PDStorage.DeleteGlobalData: Deletes all permanently stored global variables of a given type. Parameter: String: Variable key
PDStorage.DeleteUserData: Deletes all permanently stored user variables of a given type. Parameter: String: Variable key
SNMP.Send.Trap.Application: Sends an SNMP trap message with application information.
SNMP.Send.Trap.System: Sends an SNMP trap message with system information.
SNMP.Send.Trap.User: Sends an SNMP trap message with user information. Parameters: 1. Number: User ID; 2. String: Message body
SNMP.Send.Trap.UserHost: Sends an SNMP trap message with information on the host of the user. Parameters: 1. Number: User ID; 2. String: Message body; 3. IP: IP address of the host
Statistics.Counter.Increment: Increments a counter. Parameters: 1. String: Counter name; 2. Number: Increment value
Statistics.Counter.Reset: Resets a counter. Parameter: String: Counter name
Syslog: Writes an entry into syslog. Parameters: 1. Number: Log level (0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 info, 7 debugging); 2. String: Log entry
List of properties
The table below provides a list of the properties that can be configured in web security rules. The properties are listed in alphabetical order.
Table -3 List of properties
Antimalware.Infected (Boolean): If true, an object has been found to be infected.
Antimalware.Proactive.Probability (Number): Probability that an object is malware. Range: 1 to 100.
Antimalware.VirusNames (String List): List with names of viruses that an object has been found to be infected with
Authentication.Attributes (String List): List of user attributes
Authentication.Authenticate (Boolean): If true, the authentication process has been applied to a user. The process sets values for the Authentication.IsAuthenticated, Authentication.UserName, and Authentication.Attributes properties.
Authentication.ClientID (Integer): ID of the client that a user (who the authentication is applied to) sent a request from
Authentication.GetAttributes (Boolean): If true, user attributes were retrieved, resulting in values for the Authentication.Attributes property.
Authentication.IsAuthenticated (Boolean): If true, a user has been successfully authenticated.
Authentication.IsLandingOnServer (Boolean): If true, cookie authentication has been applied for a user.
Authentication.IsServerRequest (Boolean): If true, authentication has been requested under the Authentication Server method.
Authentication.Method (String): Method used for authenticating a user, for example, LDAP
Auth.RawCredentials (String): Credentials retrieved if Authentication.GetAttributes is true
Auth.RawUserName (String): User name retrieved if Authentication.GetAttributes is true
Authentication.Realm (String): Authentication realm, for example, a Windows domain
Authentication.UserName (String): Name of a user that the authentication process has been applied to
Billing.Counter.Get (Number): Total value of a counter. Parameter: String: Name of the counter
Billing.Counter.GetCurrent (Number): Value of a counter achieved during the last (fully completed) minute. Parameter: String: Name of the counter
Block.ID (Number): ID of an action that blocked a request
Block.Reason (String): Name of an action that blocked a request
Body.ChangeHeaderMime (Boolean): If true, the header of a request or response sent for an object has been changed.
Body.ClassID (String): ID of an object class
Table -3 List of properties (continued)
Body.Equals (Boolean): If true, the body of an object matches the pattern specified by the property parameters. Parameters: 1. Integer: Position of the byte where the pattern begins; 2. String: Pattern, either a. a string embedded in double quotes ("...", can also contain hex values preceded by \) or b. a sequence of hex values
Body.FileName (String): Name of a file that is embedded in the body of an object, for example, an archived file
(name not shown): If true, the body of an object is above a given size limit.
(name not shown): If true, the body of an object is composite, consisting of multiple parts, for example, embedded in an archive.
(name not shown): If true, an archive contained in the body of an object is corrupt.
(name not shown): If true, an archive contained in the body of an object is encrypted.
(name not shown): If true, an archive contained in the body of an object is complex, consisting of multiple parts.
(name not shown): If true, an appliance module has modified the body of an object.
(name not shown): Current level of an archive part in an archive that has archive parts nested in it
(name not shown): If false, the body of an object matches the pattern specified by the property parameters. Parameters: 1. Integer: Position of the byte where the pattern begins; 2. String: Pattern, either a. a string embedded in double quotes ("...", can also contain hex values preceded by \) or b. a sequence of hex values
Body.NumberOfChildren (Integer): Number of objects embedded in the body of an object
Table -3 List of properties (continued)
Body.PositionOfPattern (Long (int64_t)): Position of the byte where a searched-for pattern in the body of an object begins. Returns -1 if the pattern is not found. Parameters: 1. String: Pattern that is searched for, either a. a string embedded in double quotes ("...", can also contain hex values preceded by \) or b. a sequence of hex values; 2. Integer: Position of the byte where the search for the pattern begins; 3. Integer: Search length (in bytes, 0 means search from offset to end of object)
Body.Size (Integer): Size of the body of an object (in bytes)
Body.Text (String): Text in the body of an object
Body.ToString (String): Part of the body of an object (as specified by the property parameters) converted into a string. Parameters: 1. Integer: Position of the byte where the converted part begins; 2. Integer: Length of the converted part (in bytes). 0 for the first parameter and the value of the Body.Size property for the second mean the whole body is converted.
Body.UncompressedSize (Integer): Size of the body of an archived object (in bytes) after having been extracted from the archive
(name not shown): If true, the cache is enabled.
(name not shown): If true, a client has requested a reload of the cache.
(name not shown): If true, an object sent in response from a web server can be stored in the cache.
(name not shown): If true, an object stored in the cache has either been downloaded from the web or has been verified.
Cache.Status (String): Cache status for an object. Values: TCP_HIT (Cache hit), TCP_MISS (Cache miss), TCP_MISS_RELOAD (Client does not allow use of cache), TCP_MISS_VERIFY (Verification failed)
CallErrorHandler (String): ID of an error handler rule set that is processed
Category.ToString (String): Name of a URL category converted into a string. Parameter: Category: Category that is converted
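As an added example (not code from this guide or from McAfee Web Gateway), the pattern syntax and search semantics shared by the Body.Equals and Body.PositionOfPattern properties and the Body.Insert/Body.Remove/Body.Replace events, re-implemented in Python over a constructed body; the treatment of a malformed escape inside a quoted pattern, the Latin-1 mapping of characters, and the length of the portion Body.Replace overwrites are assumptions.

```python
"""Pattern syntax shared by the Body.* properties and events described above.

Added example, not McAfee Web Gateway code. Two pattern forms are accepted:
  a. a string in double quotes, where \\XX inside it is a hex byte value
  b. a bare sequence of hex values, with or without spaces
What happens on a malformed escape (\\ not followed by two hex digits) is not
specified in the guide; raising ValueError is an assumption made here.
"""
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_HEX_RUN = re.compile(r"[0-9A-Fa-f]+")


def parse_pattern(pattern: str) -> bytes:
    """Convert a rule pattern (form a or form b) into the bytes it denotes."""
    text = pattern.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        inner = text[1:-1]
        out = bytearray()
        i = 0
        while i < len(inner):
            if inner[i] == "\\":
                digits = inner[i + 1:i + 3]
                if not _HEX_PAIR.fullmatch(digits):
                    raise ValueError(f"bad hex escape at offset {i}: {inner[i:i + 3]!r}")
                out.append(int(digits, 16))
                i += 3
            else:
                # Assumption: characters map to single bytes (Latin-1).
                out += inner[i].encode("latin-1")
                i += 1
        return bytes(out)
    digits = re.sub(r"\s+", "", text)
    if not digits or len(digits) % 2 or not _HEX_RUN.fullmatch(digits):
        raise ValueError(f"neither a quoted string nor a hex sequence: {pattern!r}")
    return bytes.fromhex(digits)


def is_valid_pattern(pattern: str) -> bool:
    """True when parse_pattern accepts the pattern."""
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def position_of_pattern(body: bytes, pattern: str, offset: int = 0, length: int = 0) -> int:
    """Body.PositionOfPattern: byte index of the first match, or -1 if not found.

    offset is where the search starts; length limits the search window in bytes,
    and 0 means "from offset to the end of the object".
    """
    needle = parse_pattern(pattern)
    if offset < 0 or offset > len(body):
        return -1
    end = len(body) if length == 0 else min(len(body), offset + length)
    return body.find(needle, offset, end)


def body_equals(body: bytes, offset: int, pattern: str) -> bool:
    """Body.Equals: true when the pattern occurs exactly at byte position offset."""
    needle = parse_pattern(pattern)
    return offset >= 0 and body[offset:offset + len(needle)] == needle


def body_insert(body: bytes, offset: int, pattern: str) -> bytes:
    """Body.Insert: insert the pattern bytes at the given byte position."""
    return body[:offset] + parse_pattern(pattern) + body[offset:]


def body_remove(body: bytes, offset: int, count: int) -> bytes:
    """Body.Remove: drop count bytes starting at offset."""
    return body[:offset] + body[offset + count:]


def body_replace(body: bytes, offset: int, pattern: str) -> bytes:
    """Body.Replace: overwrite bytes at offset with the pattern bytes.

    Assumption: the replaced portion is as long as the pattern.
    """
    new = parse_pattern(pattern)
    return body[:offset] + new + body[offset + len(new):]


def looks_like_windows_executable(body: bytes) -> bool:
    """A defender-side check in the style of a rule criterion: an MZ stub at
    offset 0 and a PE signature somewhere after it, whatever the declared
    media type header says."""
    return body_equals(body, 0, "4D 5A") and position_of_pattern(body, '"PE\\00\\00"', 2) != -1


# Constructed sample: a minimal MZ header, 12 bytes of filler, then the PE signature at offset 16.
SAMPLE_BODY = b"MZ\x90\x00" + b"-" * 12 + b"PE\x00\x00"
```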
Table -3 List of properties (continued)
Category.ToShortString (String): Name of a URL category converted into a string that is the category abbreviation. Parameter: Category: Category that is converted
Client.IMLogin (String): Login ID of a client communicating with the appliance under an instant messaging protocol
Client.IMScreenName (String): Screen name of a client communicating with the appliance under an instant messaging protocol
Client.IP: IP address of a client
Command.Categories: Categories a command belongs to, for example, an FTP command
Command.Name: Name of a command
Command.Parameter: Parameter of a command
Connection.Aborted: If true, a read or send call has finally failed on a connection.
Connection.ClientCertificateIsRequested: If true, a web server requests a client to submit a certificate.
Connection.Protocol: Protocol of a connection, for example, HTTP
Connection.Protocol.IsIM: If true, communication on a connection uses an instant messaging protocol.
Connection.SSL.Transparent: If true, communication on a connection is SSL-secured and uses a transparent mode.
(name not shown): ID of a processing cycle
(name not shown): If true, processing of data is complete for a cycle.
(name not shown): Name of a processing cycle
(name not shown): ID of the cycle (Requests or Responses) that is processed before an object is processed in the Embedded Objects cycle
Cycle.TopName (String): Name of the cycle (Requests or Responses) that is processed before an object is processed in the Embedded Objects cycle
DataTrickling.BlockSize (Long): Size of blocks (in bytes) used for data trickling
DataTrickling.BytesPerReceivedBlock (Long): Number of bytes sent for each data block that is received
DataTrickling.Enabled (Boolean): If true, data trickling is used for downloading objects.
DataTrickling.FirstChunkSize (Long): Size of the first chunk (in bytes) used for data trickling
DataTrickling.TrickleDuringScan (Boolean): If true, data trickling goes on while an object is scanned.
DateTime.Date.MonthNumber (Number): Number of the month
DateTime.Date.MonthDayNumber (Number): Number of the day in the month
DateTime.Date.WeekDayNumber (Number): Number of the day in the week (1 is Sunday)
DateTime.Date.Year (Number): Current year (four digits)
DateTime.Date.YearTwoDigits (Number): Current year (last two digits)
DateTime.Time.Hour (Number): Hour (in 24-hour format, for example, 1 p.m. is 13)
241
Table -3 List of properties (continued) Name DateTime.Time.Minute DateTime.Time.Second DateTime.Time.ToString Type Number Number String Description Minute in hour Second in minute String representation of current time (in the format specified by the property parameters) String: 1. %h (for the hour) or: %hh (with 0 inserted before a one-digit hour) 2. %m (for the minute) or: %mm 3. %s (for the second) or: %ss If no para meters are specified, the format is: %hh:%mm:%ss DateTime.Date.ToString String String representation of current date (in the format specified by the property parameters) String: 1. %YYYY (for the year) or: %YY (last two digits) or: %Y (last two digits, but only one digit if the last two digits begin with 0, for example, 9 for 2009) 2. %MM (for the month number with 0 inserted before one-digit numbers) or: %M (0 is not inserted, for example, 3 for March and 12 for December) 3. %DD (for the day) or: %D If no para meters are specified, the format is: %YYYY/%MM /%DD Parameters
242
Table -3 List of properties (continued) Name DateTime.ToString Type String Description String representation of current date and time (in the format specified by the property parameters) Parameters as for the DateTime.Time.ToStr ing and DateTime.Date. ToString pro- perties If no para meters are specified, the format is: %YYYY/%MM /%DD %hh:%mm:%ss DateTime.ToGMTString String String representation of current date and time in Greenwich Mean Time format, for example, Mon, 22 March 2010 11:45:36 GMT String representation of current date and time in ISO format, for example, 2010-03-22 11:45:36 Number of seconds since beginning of 1/1/1970 (UNIX epoch time) List of IP addresses found in a DNS lookup for the specified host name List of host names found in a reverse DNS lookup for the specified IP address Name of an error group, identifying the appliance module that caused the error, for example, the rule processing module or the TrustedSource engine ID of an error Message text describing an error Unique name of an error If true, an error has occurred on the appliance. If true, an error has occurred on the appliance. String made anonymous by appropriate encryption If true, the block header with the specified name exists. First value for the specified block header List of values for the specified block header If true, the header with the specified name exists. First value for the specified header (according to the current processing cycle: request or response header) List of values for the specified header (according to the cycle) If true, the request header with the specified name exists. First value for the specified request header List of values for the specified request header If true, the response header with the specified name exists. String: String that is encrypted String: Header name String: Header name String: Header name String: Header name String: Header name String: Host name IP: IP address of the host name
DateTime.ToISOString
String
Error.ID Error.Message Error.Name Error.Occurred Error.Occurred FileSystemLogging.Make Anonymous Header.Block.Exists Header.Block.Get Header.Block.GetMultiple Header.Exists Header.Get
Number String String Boolean Boolean String Boolean String String List Boolean String
String: Header name String: Header name String: Header name String: Header name String: Header name
243
Table -3 List of properties (continued) Name Header.Response.Get Header.Response.GetMultiple Header.Response.GetMultiple HTML.Element.Attribute Type String String List String List String Description First value for the specified response header List of values for the specified response header List of values for the specified response header String representing the numerical value of an attribute belonging to an HTML element If true, an HTML element has the specified attribute String representing the numerical values of the width and height of an HTML element Returns -1, -1 if the HTML element does not have these dimensions. HTML.Element.Name ICAP.Policy ICAP.Reqmod.Header.Exists String String Boolean Name of an HTML element Name of a policy included in an ICAP request for a URL If true, a response sent from an ICAP server in REQMOD mode contains the specified header. First value for the specified header contained in the REQMOD response List of values for the specified header contained in the REQMOD response If true, a response sent from an ICAP server in RESPMOD mode contains the specified header. First value for the specified header contained in the RESPMOD response List of values for the specified header contained in the RESPMOD response If true, the ICAP server has changed the HTTP state for the response sent in RESPMOD mode. 
Direction of a message sent (from a client or server to the appliance) under an instant messaging protocol Name of a file transferred under an instant messaging protocol Size of a file transferred under an instant messaging protocol Name of the template used for sending a message to a user communicating with the appliance under an instant messaging protocol Name of a client that a file is transferred to under an instant messaging protocol Name of a sender that sends a file to a client under an instant messaging protocol List of URL categories (specified by its ID) List of URL categories (specified by its name) String: List ID String: List name String: Header name String: Attribute name Parameters String: Header name String: Header name String: Header name
HTML.Element.HasAttribute HTML.Element.Dimension
Boolean String
String
IM.Recipient IM.Sender
String String
List.Category.ByID List.Category.ByName
244
Table -3 List of properties (continued) Name List.Category.Erase Type Category List Description List of URL categories with specified category erased Parameters 1. Category List: List with category to erase 2. Integer: Position of category to erase List.Category.EraseElems Category List List of URL categories with specified categories erased 1. Category List: List with catego- ries to erase 2. Integer: Position of first category to erase 3. Integer: Position of last category to erase List.Category.EraseList Category List List of URL categories with categories that are also on another list erased 1. Category List: List to erase categories from 2. Category List: List with catego- ries to erase from first list List.Category.Find Integer Position of a URL category on a list 1. Category List: List with category to find position for 2. Category: Category to find position for List.Category.Get Category URL category (specified by its position on a list) 1. Category List: List containing the category 2. Integer: Position of the category on the list List.Category.GetElems Category List List of URL categories (extracted from another list) 1. Category List: List with catego- ries to extract 2. Integer: Position of first category to ex tract 3. Integer: Position of last category to ex tract List.Category.Insert Category List List of URL categories with specified category inserted 1. Category List: List to insert the category in 2. Category: Category to insert List.Category.IsEmpty Boolean If true, the specified list is empty. Category List: List to check for being empty 1. Category List: First list to join 2. Category List: Second list to join List.Category.Reverse List.Category.Size Category List Integer List of URL categories that has its original order reverted Number of URL categories on a specified list Category List: List in original order Category List: List to provide number of categories for
List.Category.Join
Category List
245
Table -3 List of properties (continued) Name List.Category.Sort List.Category.ToString List.Category.ToShortString List.Dimension.ByID List.Dimension.ByName List.Dimension.Erase Type Category List String String Dimension List Dimension List Dimension List Description List of URL categories sorted in alphabetical order List of URL categories converted into a string List of URL categories converted into a list of their abbreviated name forms List of dimensions (specified by its ID) List of dimensions (specified by its name) List of dimensions with specified dimension erased Parameters Category List: List to sort Category List: List to convert Category List: List to convert String: List ID String: List name 1. Dimension List: List with dimension to erase 2. Integer: Position of dimension to erase List.Dimension.EraseElems Dimension List List of dimensions with specified dimensions erased 1. Dimension List: List with dimensions to erase 2. Integer: Position of first dimension to erase 3. Integer: Position of last dimension to erase List.Dimension.EraseList Dimension List List of dimensions with dimensions that are also on another list erased 1. Dimension List: List to erase dimensions from 2. Dimension List: List with dimensions to erase from first list List.Dimension.Find Integer Position of a dimension on a list 1. Dimension List: List with dimension to find position for 2.Dimension: Dimension to find position for List.Dimension.Get Dimension Dimension (specified by its position on a list) 1. Dimension List: List containing the dimension 2. Integer: Position of the dimension on the list List.Dimension.GetElems Dimension List List of dimensions (extracted from another list) 1. Dimension List: List with dimensions to extract 2. Integer: Position of first dimension to extract 3. Integer: Position of last dimension to extract List.Dimension.Insert Dimension List List of dimensions with specified dimension inserted 1. Dimension List: List to insert the dimension in 2. 
Dimension: Dimension to insert List.Dimension.IsEmpty Boolean If true, the specified list is empty. Dimension List: List to check for being empty
246
Table -3 List of properties (continued) Name List.Dimension.Join Type Dimension List Description List of dimensions created by joining two lists Parameters 1. Dimension List: First list to join 2. Dimension List: Second list to join List.Dimension.Reverse List.Dimension.Size Dimension List Integer List of dimensions that has its original order reverted Number of dimensions on a specified list Dimension List: List in original order Dimension List: List to provide number of dimensions for Dimension List: List to sort Dimension List: List to convert String: List ID String: List name 1. Hex List: List with hex value to erase 2. Integer: Position of hex value to erase List.Hex.EraseElems Hex List List of hex values with specified values erased 1. Hex List: List with hex values to erase 2. Integer: Position of first hex value to erase 3. Integer: Position of last hex value to erase List.Hex.EraseList Hex List List of hex values with values that are also on another list erased 1. Hex List: List to erase hex values from 2. Hex List: List with hex values to erase from first list List.Hex.Find Integer Position of a hex value on a list 1. Hex List: List with hex value to find position for 2. Hex: Hex value to find position for List.Hex.Get Hex Hex value (specified by its position on a list) 1. Hex List: List containing the hex value 2. Integer: Position of the hex value on the list List.Hex.GetElems Hex List List of hex values (extracted from another list) 1. Hex List: List with hex values to extract 2. Integer: Position of first hex value to extract 3. Integer: Position of last hex value to extract List.Hex.Insert Hex List List of hex values with specified value inserted 1. Hex List: List to insert the hex value in 2. Hex: Hex value to insert
List of dimensions sorted in alphabetical order List of dimensions converted into a string List of hex values (specified by its ID) List of hex values (specified by its name) List of hex values with specified value erased
247
Table -3 List of properties (continued) Name List.Hex.IsEmpty Type Boolean Description If true, the specified list is empty. Parameters Hex List: List to check for being empty 1. Hex List: First list to join 2. Hex List: Second list to join List.Hex.Reverse List.Hex.Size Hex List Integer List of hex values that has its original order reverted Number of hex values on a specified list Hex List: List in original order Hex List: List to provide number of hex values for Hex List: List to sort Hex List: List to convert String: List ID String: List name 1. IP List: List with IP address to erase 2. Integer: Position of IP address to erase List.IP.EraseElems IP List List of IP addresses with specified addresses erased 1. IP List: List with IP addresses to erase 2. Integer: Position of first IP address to erase 3. Integer: Position of last IP address to erase List.IP.EraseList IP List List of IP addresses with addresses that are also on another list erased 1. IP List: List to erase IP addresses from 2. IP List: List with IP addresses to erase from first list List.IP.Find Integer Position of an IP address on a list 1. IP List: List with IP address to find position for 2.IP: IP address to find position for List.IP.Get IP IP address (specified by its position on a list) 1. IP List: List containing the IP address 2. Integer: Position of the IP address on the list List.IP.GetElems IP List List of IP addresses (extracted from another list) 1. IP List: List with IP addresses to extract 2. Integer: Position of first IP address to extract 3. Integer: Position of last IP address to extract
List.Hex.Join
Hex List
List of sorted hex values List of hex values converted into a string List of IP addresses (specified by its ID) List of IP addresses (specified by its name) List of IP addresses with specified address erased
248
Table -3 List of properties (continued) Name List.IP.Insert Type IP List Description List of IP addresses with specified address inserted Parameters 1. IP List: List to insert the IP address in 2. IP: IP address to insert List.IP.IsEmpty List.IP.Join Boolean IP List If true, the specified list is empty. List of IP addresses created by joining two lists IP List: List to check for being empty 1. IP List: First list to join 2. IP List: Second list to join List.IP.Reverse List.IP.Size IP List Integer List of IP addresses that has its original order reverted Number of IP addresses on a specified list IP List: List in original order IP List: List to provide number of IP addresses for IP List: List to sort IP List: List to convert String: List ID String: List name 1. IP Range List: List with IP address range to erase 2. Integer: Position of IP address range to erase List.IPRange.EraseElems IP Range List List of IP address ranges with specified ranges erased 1. IP Range List: List with IP address ranges to erase 2. Integer: Position of first IP address range to erase 3. Integer: Position of last IP address range to erase List.IPRange.EraseList IP Range List List of IP address ranges with ranges that are also on another list erased 1. IP Range List: List to erase IP address ranges from 2. IP Range List: List with IP address ranges to erase from first list List.IPRange.Find Integer Position of an IP address range on a list 1. IP Range List: List with IP address range to find posi- tion for 2.IP Range: IP address range to find position for List.IPRange.Get IP Range IP address range (specified by its position on a list) 1. IP Range List: List containing the IP address range 2. Integer: Position of the IP address range on the list
List of sorted IP addresses List of IP addresses converted into a string List of IP address ranges (specified by its ID) List of IP address ranges (specified by its name) List of IP address ranges with specified range erased
249
Table -3 List of properties (continued) Name List.IPRange.GetElems Type IP Range List Description List of IP address ranges (extracted from another list) Parameters 1. IP Range List: List with IP address ranges to extract 2. Integer: Position of first IP address range to extract 3. Integer: Position of last IP address range to extract List.IPRange.Insert IP Range List List of IP address ranges with specified range inserted 1. IP Range List: List to insert the IP address range in 2. IP: IP address range to insert List.IPRange.IsEmpty Boolean If true, the specified list is empty. IP Range List: List to check for being empty 1. IP Range List: First list to join 2. IP Range List: Second list to join List.IPRange.Reverse List.IPRange.Size IP Range List Integer List of IP address rangess that has its original order reverted Number of IP address ranges on a specified list List of sorted IP address ranges List of IP address ranges converted into a string List of media types (specified by its ID) List of media types (specified by its name) List of media types with specified type erased IP RangeList: List in original order IP Range List: List to provide number of IP address ranges for IP Range List: List to sort IP Range List: List to convert String: List ID String: List name 1. Media Type List: List with media type to erase 2. Integer: Position of media type to erase List.MediaType.EraseElems Media Type List List of media types with specified types erased 1. Media Type List: List with media type to erase 2. Integer: Position of first media type to erase 3. Integer: Position of last media type to erase List.MediaType.EraseList Media Type List List of media types with types that are also on another list erased 1. Media Type List: List to erase media types from 2. Media Type List: List with media types to erase from first list
List.IPRangeP.Join
IP Range List
IP Range List String Media Type List Media Type List Media Type List
250
Table -3 List of properties (continued) Name List.MediaType.Find Type Integer Description Position of a media type on a list Parameters 1. Media Type List: List with media type to find position for 2.IP: Media type to find position for List.MediaType.Get Media Type Media type (specified by its position on a list) 1. Media Type List: List containing the media type 2. Integer: Position of the media type on the list List.MediaType.GetElems Media Type List List of media types (extracted from another list) 1. Media Type List: List with media types to extract 2. Integer: Position of first media type to extract 3. Integer: Position of last media type to extract List.MediaType.Insert Media Type List List of media types with specified type inserted 1. Media Type List: List to insert the media type in 2. Media Type: Media type to insert List.MediaType.IsEmpty Boolean If true, the specified list is empty. Media Type List: List to check for being empty 1. Media Type List: First list to join 2. Media Type List: Second list to join List.MediaType.Reverse List.MediaType.Size Media Type List Integer List of media types that has its original order reverted Number of media types on a specified list Media Type List: List in original order Media Type List: List to provide number of media types for Media Type List: List to sort Media Type List: List to convert String: List ID String: List name 1. Number List: List with number to erase 2. Integer: Position of number to erase List.Number.EraseElems Number List List of numbers with specified numbers erased 1. Number List: List with number to erase 2. Integer: Position of first number to erase 3. Integer: Position of last number to erase
List.MediaType.Join
Media Type List String Number List Number List Number List
List of media types sorted in alphabetical order List of media types converted into a string List of numbers (specified by its ID) List of numbers (specified by its name) List of numbers with specified number erased
251
Table -3 List of properties (continued) Name List.Number.EraseList Type Number List Description List of numbers with numbers that are also on another list erased Parameters 1. Number List: List to erase numbers from 2. Number List: List with numbers to erase from first list List.Number.Find Integer Position of a number on a list 1. Number List: List with number to find position for 2. Number: Number to find position for List.Number.Get Number Number (specified by its position on a list) 1. Number List: List containing the number 2. Integer: Position of the number on the list List.Number.GetElems Number List List of numbers (extracted from another list) 1. Number List: List with numbers to extract 2. Integer: Position of first number to extract 3. Integer: Position of last number to extract List.Number.Insert Number List List of numbers with specified number inserted 1. Number List: List to insert the number in 2. Number: Number to insert List.Number.IsEmpty Boolean If true, the specified list is empty. Number List: List to check for being empty 1. Number List: First list to join 2. Number List: Second list to join List.Number.Reverse List.Number.Size Number List Integer List of numbers that has its original order reverted Number of numbers on a specified list Number List: List in original order Number List: List to provide number of numbers for Number List: List to sort Number List: List to convert String: List ID String: List name 1. Regex List: List with regular expression to erase 2. Integer: Position of regular expression to erase
List.Number.Join
Number List
List of sorted numbers List of numbers converted into a string List of regular expressions (specified by its ID) List of regular expressions (specified by its name) List of regular expressions with specified expression erased
252
Table -3 List of properties (continued) Name List.Regex.EraseElems Type Regex List Description List of regular expressions with specified expressions erased Parameters 1. Regex List: List with regular expression to erase 2. Integer: Position of first regular expression to erase 3. Integer: Position of last regular expression to erase List.Regex.EraseList Regex List List of regular expressions with expressions that are also on another list erased 1. Regex List: List to erase regular expressions from 2. Regex List: List with regular expressions to erase from first list List.Regex.Find Integer Position of a regular expression on a list 1. Regex List: List with regular expression to find position for 2. Regex: Regular expression to find position for List.Regex.Get Regex Regular expression (specified by its position on a list) 1. Regex List: List containing the regular expression 2. Integer: Position of the regular expression on the list List.Regex.GetElems Regex List List of regular expressions (extracted from another list) 1. Regex List: List with regular expressions to extract 2. Integer: Position of first regular expression to extract 3. Integer: Position of last regular expression to extract List.Regex.Insert Regex List List of regular expressions with specified regular expression inserted 1. Regex List: List to insert the regular expression in 2. Regex: Regular expression to insert List.Regex.IsEmpty Boolean If true, the specified list is empty. Regex List: List to check for being empty 1. Regex List: First list to join 2. Regex List: Second list to join List.Regex.Reverse List.Regex.Size Regex List Integer List of regular expressions that has its original order reverted Number of regular expressions on a specified list Regex List: List in original order Regex List: List to provide number of regular expressions for Regex List: List to sort Regex List: List to convert
List.Regex.Join
Regex List
List.Regex.Sort List.Regex.ToString
List of sorted regular expressions List of regular expressions converted into a string
253
Table -3 List of properties (continued) Name List.String.ByID List.String.ByName List.String.Erase Type String List String List String List Description List of strings (specified by its ID) List of strings (specified by its name) List of strings with specified string erased Parameters String: List ID String: List name 1. String List: List with string to erase 2. Integer: Position of string to erase List.String.EraseElems String List List of strings with specified strings erased 1. String List: List with strings to erase 2. Integer: Position of first string to erase 3. Integer: Position of last string to erase List.String.EraseList String List List of strings with strings that are also on another list erased 1. String List: List to erase strings from 2. String List: List with strings to erase from first list List.String.Find Integer Position of a string on a list 1. String List: List with string to find position for 2. String: String to find position for List.String.Get String String (specified by its position on a list) 1. String List: List containing the string 2. Integer: Position of the string on the list List.String.GetElems String List List of regular expressions (extracted from another list) 1. String List: List with regular expressions to extract 2. Integer: Position of first regular expression to extract 3. Integer: Position of last regular expression to extract List.String.Insert String List List of regular expressions with specified regular expression inserted 1. String List: List to insert the regular expression in 2. String: String to insert List.String.IsEmpty Boolean If true, the specified list is empty. String List: List to check for being empty 1. String List: First list to join 2. 
String List: Second list to join List.String.Reverse List.String.Size String List Integer List of strings that has its original order reverted Number of strings on a specified list String List: List in original order String List: List to provide number of strings for String List: List to sort String List: List to convert
List.String.Join
String List
List.String.Sort List.String.ToString
List of strings sorted in alphabetical order List of strings converted into a string
254
Table -3 List of properties (continued) Name Math.Abs Type Number Description Absolute value of the specified number Parameters Number: Number that the absolute value is provided for
MediaType.EnsuredTypes
Media Type List Media Type List Media Type List Boolean
List of media types that are ensured for the media in question with a probability of more than 50% List of media types that are found using the file extension of the media in question List of media types that are found using the content-type header sent with the media in question If true, an object that is media of the type in question is composite, for example, is an archive. If true, an opener module exists on the appliance for the media type in question. If true, the media type specified in the header sent with media does not match the type that was found on the appliance by examining the magic bytes actually contained in it. List of media types that are ensured for the media in question with a probability of less than 50% Name of a directory containing template files for messages sent to users Short form of a language for messages sent to users, for example, en, de, ja Identical name part for different formats of template files for messages sent to users Name of a template file for messages sent to users ID for a list of next-hop proxies If true, the servers on a next-hop proxy list are called in round-robin mode. If false, they are called in failover mode. User variable of type Bool User variable of type Category User variable of type Hex User variable of type IP User variable of type IP Range User variable of type MediaType User variable of type Number User variable of type Regex User variable of type String User variable of type Category List User variable of type Hex List User variable of type IP List Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String
MediaType.FromFileExtension MediaType.FromHeader
MediaType.IsCompositeObject
Boolean Boolean
MediaType.NotEnsured
PDStorage.GetUserData.Bool PDStorage.GetUserData. Category PDStorage.GetUserData.Hex PDStorage.GetUserData.IP PDStorage.GetUserData. IPRange PDStorage.GetUserData. MediaType PDStorage.GetUserData. Number PDStorage.GetUserData.Regex PDStorage.GetUserData.String PDStorage.GetUserData.List. Category PDStorage.GetUserData.List. Hex PDStorage.GetUserData.List.IP
Bool Category Hex IP IP Range MediaType Number Regex String Category List Hex List IP List
255
Table -3 List of properties (continued) Name PDStorage.GetUserData.List. IPRange PDStorage.GetUserData.List. MediaType PDStorage.GetUserData.List. Number PDStorage.GetUserData.List. Regex PDStorage.GetUserData.List. String PDStorage.GetGlobalData.Bool PDStorage.GetGlobalData. Category PDStorage.GetGlobalrData.Hex PDStorage.GetGlobalData.IP PDStorage.GetGlobalData. IPRange PDStorage.GetGlobalData. MediaType PDStorage.GetGlobalData. Number PDStorage.GetGlobalData. Regex PDStorage.GetGlobalData. String PDStorage.GetGlobalData.List. Category PDStorage.GetGlobalData.List. Hex PDStorage.GetGlobalData.List. IP PDStorage.GetGlobalData.List. IPRange PDStorage.GetGlobalData.List. MediaType PDStorage.GetGlobalData.List. Number PDStorage.GetGlobalData.List. Regex PDStorage.GetGlobalData.List. String ProgressPage. Directory ProgressPage.Done.Template ProgressPage.Enabled ProgressPage.Hold AfterDownload ProgressPage.Hold BeforeDownload ProgressPage. Language Type IP Range List Media Type List Number List Regex List String List Bool Bool Hex IP IP Range MediaType Number Regex String Category List Hex List IP List IP Range List MediaType List Number List Regex List String List String String Boolean Number Number Description User variable of type IP Range List User variable of type MediaType List User variable of type Number List User variable of type Regex List User variable of type String List Global variable of type Bool Global variable of type Category Global variable of type Hex Global variable of type IP Global variable of type IP Range Global variable of type MediaType Global variable of type Number Global variable of type Regex Global variable of type String Global variable of type Category List Global variable of type Hex List Global variable of type IP List Global variable of type IP Range List Global variable of type MediaType List Global variable of type Number List Global variable of type Regex List Global variable of type String List Name of a directory containing 
progress page files Name of a template file for indicating that a download is complete If true, a progress page is used for indicating download progress. Time a file is kept after being downloaded Time a file is kept before being allowed for download after it has been scanned completely Name of the language used on a progress page Parameters Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String Variable Key: String
String
256
Table -3 List of properties (continued)
Name | Type | Description
ProgressPage.Template | String | Name of the template file for a progress page
Proxy.IP | IP | IP address used on a connection
Proxy.Port | Integer | Port used for a connection
Proxy.IP | IP | IP address of connection
Proxy.Port | Integer | Port of connection
Quota.AuthorizedOverride.Exceeded | Boolean | If true, the time for an authorized override session has been exceeded.
Quota.AuthorizedOverride.IsActivationRequest | Boolean | If true, an authorized override session is in activation state.
Quota.AuthorizedOverride.RemainingSession | Long (int64_t) | Remaining time for an authorized override session
Quota.AuthorizedOverride.SessionIsActivated | Boolean | If true, an authorized override session has been activated.
Quota.AuthorizedOverride.SessionIsStarted | Boolean | If true, an authorized override session has been started.
Quota.AuthorizedOverride.SessionLength | Long (int64_t) | Time allowed for an authorized override session
Quota.Coaching.Exceeded | Boolean | If true, the time for a coaching session has been exceeded.
Quota.Coaching.IsActivationRequest | Boolean | If true, a coaching session is in activation state.
Quota.Coaching.RemainingSession | Long (int64_t) | Remaining time for a coaching session
Quota.Coaching.SessionIsActivated | Boolean | If true, a coaching session has been activated.
Quota.Coaching.SessionIsStarted | Boolean | If true, a coaching session has been started.
Quota.Coaching.SessionLength | Long (int64_t) | Time allowed for a coaching session
Quota.Time.Exceeded | Boolean | If true, the time quota has been exceeded.
Quota.Time.IsActivationRequest | Boolean | If true, a time quota session is in activation state.
Quota.Time.RemainingDay | Long (int64_t) | Remaining time per day under the configured quota
Quota.Time.RemainingMonth | Long (int64_t) | Remaining time per month under the configured quota
Quota.Time.RemainingSession | Long (int64_t) | Remaining time for a time quota session
Quota.Time.RemainingWeek | Long (int64_t) | Remaining time per week under the configured quota
Quota.Time.SessionIsActivated | Boolean | If true, a time quota session has been activated.
Quota.Time.SessionIsStarted | Boolean | If true, a time quota session has been started.
Quota.Time.SessionLength | Long (int64_t) | Time allowed for a time quota session
Quota.Time.SizePerDay | Long (int64_t) | Time allowed per day under the configured quota
Quota.Time.SizePerMonth | Long (int64_t) | Time allowed per month under the configured quota
Quota.Time.SizePerWeek | Long (int64_t) | Time allowed per week under the configured quota
Table -3 List of properties (continued)
Name | Type | Description
Quota.Volume.Exceeded | Boolean | If true, the volume quota has been exceeded.
Quota.Volume.IsActivationRequest | Boolean | If true, a volume quota session is in activation state.
Quota.Volume.RemainingDay | Long (int64_t) | Remaining volume per day under the configured quota
Quota.Volume.RemainingMonth | Long (int64_t) | Remaining volume per month under the configured quota
Quota.Volume.RemainingSession | Long (int64_t) | Remaining time for a volume quota session
Quota.Volume.RemainingWeek | Long (int64_t) | Remaining volume per week under the configured quota
Quota.Volume.SessionIsActivated | Boolean | If true, a volume quota session has been activated.
Quota.Volume.SessionIsStarted | Boolean | If true, a volume quota session has been started.
Quota.Volume.SessionLength | Long (int64_t) | Time allowed for a volume quota session
Quota.Volume.SizePerDay | Long (int64_t) | Volume allowed per day under the configured quota
Quota.Volume.SizePerMonth | Long (int64_t) | Volume allowed per month under the configured quota
Quota.Volume.SizePerWeek | Long (int64_t) | Volume allowed per week under the configured quota
Redirect URL | String | URL that a user is redirected to by an authentication or quota rule
Reporting.URL.Categories | Category List | List of all URL categories used on the appliance
Reporting.URL.Reputation | Number List | List of all reputation values used on the appliance
Request.Header.FirstLine | String | First line of a header sent with a request under the HTTP protocol
Request.ProtocolandVersion | String | Protocol and protocol version used when sending a request
Response.ProtocolandVersion | String | Protocol and protocol version used when sending a response
Response.Redirect.URL | String | URL that a user is redirected to when a response has been sent
Response.StatusCode | String | Status code of a response that has been received
Rules.CurrentRuleID | String | ID of the rule that is currently processed
Rules.CurrentRuleName | String | Name of the rule that is currently processed
Rules.EvaluatedRules | String List | List of all rules that have been processed
Rules.EvaluatedRules.Names | String List | List with names of all rules that have been processed
Rules.FiredRules | String List | List of all rules that have applied
Rules.FiredRules.Names | String List | List with names of all rules that have applied
SNMP.Trap.Additional | String | Message sent to a trap under the SNMP protocol
SNMP.Incident.ID | String | ID of an incident that is logged under the SNMP protocol
Table -3 List of properties (continued)
Name | Type | Description | Parameters
SNMP.Incident.IDName | String | Text describing the incident
SNMP.Incident.Origin | Number | Number indicating the system that triggered the incident
SNMP.Incident.OriginName | String | Text describing the system
SNMP.Incident.Severity | Number | Severity level of an incident
SNMP.Incident.AffectedHost | IP | IP address of the system that triggered an incident
SSL.HandshakeErrorMessage | String | Text of an error message sent when an SSL handshake has failed
String.BackwardFind | Integer | Position where a substring begins that is found in a specified string by a backward search. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the backward search for the substring starts
String.Base64Decode | String | Decoded format of a string specified in base-64 encoded format | String: String in encoded format
String.Base64Encode | String | Base-64 encoded format of a specified string | String: String to encode
String.BooleanToString | String | Boolean value converted into a string | Boolean: Value to convert
String.Concat | String | Concatenation of two specified strings | 1. String: First string to concatenate 2. String: Second string to concatenate
String.Dimension.ToString | String | Dimension converted into a string | Dimension: Value to convert
String.Find | Integer | Position where a substring begins that is found in a specified string by a forward search. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the forward search for the substring starts
String.FindFirstOf | Integer | Position of the first character of a substring found in a specified string. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the search for the substring starts
String.FindLastOf | Integer | Position of the last character of a substring found in a specified string. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the search for the substring starts
String.Hex.ToString | String | Hex value converted into a string | Hex: Value to convert
String.IP.ToString | String | IP address converted into a string | IP: Value to convert
Table -3 List of properties (continued)
Name | Type | Description | Parameters
String.IPRange.ToString | String | IP address range converted into a string | IP Range: Value to convert
String.Length | Number | Number of characters of a string | String: String to count characters for
String.List.Dimension.ToString | String | List of dimensions converted into a string | Dimension List: List to convert
String.List.Hex.ToString | String | List of hex values converted into a string | Hex List: List to convert
String.List.IP.ToString | String | List of IP addresses converted into a string | IP List: List to convert
String.List.IPRange.ToString | String | List of IP address ranges converted into a string | IP Range List: List to convert
String.List.MediaType.ToString | String | List of media types converted into a string | Media Type List: List to convert
String.List.Number.ToString | String | List of numbers converted into a string | Number List: List to convert
String.List.Regex.ToString | String | List of regular expressions converted into a string | Regex List: List to convert
String.Match.Regex | String List | List with terms in a string matching terms in a regular expression | 1. String: String to match 2. Regex: Regular expression to match
String.MediaType.ToString | String | Media type converted into a string | Media Type: Value to convert
String.Number.ToString | String | Number converted into a string | Number: Value to convert
String.NumberVolume.ToString | String | Volume converted into a string and rounded to the appropriate unit, for example, to 1 GB or 3 MB | Number: Volume to convert
String.Regex.ToString | String | Regular expression converted into a string | Regex: Value to convert
String.Replace | String | String having a substring replaced by another substring | 1. String: String containing the substring 2. Integer: Position where the replacement starts 3. Integer: Number of characters to replace 4. String: Replacing substring
String.ReplaceAll | String | String having all occurrences of a substring replaced by another substring | 1. String: String containing the substring 2. String: Replacing substring 3. String: Substring to replace
String.ReplaceFirst | String | String having the first occurrence of a substring replaced by another substring | 1. String: String containing the substring 2. String: Replacing substring 3. String: Substring to replace
Table -3 List of properties (continued)
Name | Type | Description | Parameters
String.SubString | String | Substring contained in a specified string | 1. String: String containing the substring 2. Integer: Position where the substring begins 3. Integer: Number of characters in the substring. If no number is specified, the substring extends to the end of the original string.
String.ToNumber | Number | String converted into a number | String: String to convert
String.CRLF | String | Carriage return line-feed
String.LF | String | Line-feed
System.HostName | String | Host name of an appliance
System.URLDecode | String | Standard format of URL for an appliance that was specified in encoded format | String: URL in encoded format
System.URLEncode | String | Encoded format of a specified URL for an appliance | String: URL to encode
System.UUID | String | UUID of an appliance
URL | String | URL of an object
URL.Categories | Category List | List of URL categories that a URL belongs to
URL.CategoriesForURL | Category List | List of URL categories that a particular URL belongs to
URL.DestinationIP | IP | IP address for a requested URL as found in a DNS lookup
URL.Geolocation | String | ISO 3166 code for the country where the host that a URL belongs to is located
URL.GetParameter | String | Specified parameter of a URL in string format | String: Parameter name
URL.HasParameter | Boolean | If true, the specified parameter exists in a URL | String: Parameter name
URL.Host | String | Host that a URL belongs to
URL.IsHighRisk | Boolean | If true, the reputation value of a URL falls in the high risk range of values.
URL.IsMediumRisk | Boolean | If true, the reputation value of a URL falls in the medium risk range of values.
URL.IsMinimalRisk | Boolean | If true, the reputation value of a URL falls in the minimal risk range of values.
URL.IsUnverifiedRisk | Boolean | If true, the reputation value of a URL falls in the unverified risk range of values.
URL.Path | String | Path of a URL
URL.Port | | Port of a URL
URL.Protocol | String | Protocol for a URL
URL.Reputation | Reputation | Reputation score for a URL
URL.ReputationForURL | Reputation | Reputation score for a URL as input parameter.
Table -3 List of properties (continued)
Name | Type | Description
Workaround.IgnoreConflictingContextLength | Boolean | If true, a conflicting context length sent in a header is ignored.
Workaround.KeepLeadingSlash | Boolean | If true, the leading slash in URLs sent under the FTP protocol is kept.
Workaround.NoChunkEncodingToClient | Boolean | If true, no chunk encoding is used in a response sent from the appliance to a client.
Workaround.NoPersistentClientConnection | Boolean | If true, the connection to a client is closed after processing the request sent by the client.
Wildcard expressions
When completing configuration jobs on the appliance, you can use wildcard expressions for several purposes, for example, to enter URLs onto blocking lists or whitelists. There are two types of wildcard expressions you can use:

Glob expressions
Using these is the default. For information on some of the special characters used to create Glob expressions, see List of important special Glob characters. Detailed information on using this type of expression is provided, for example, on the following Linux man page: glob(7)

Regular expressions (Regex)
If you want to use these, you need to type the term regex first and then include the regular expression in round brackets, for example: regex(a*b)
For information on some of the special characters used to create regular expressions, see List of important special Regex characters. The Regex expressions used on the appliance follow the Perl Regular Expression syntax. Information on this is provided, for example, on the following Linux man page: perlre(1)
or criteria).
2 On the Lists tree, go to Wildcard Expressions, select a list, and click Add on the settings pane.
b best binary3
and others
[...] Matches any of the single characters included in the square brackets. ? and * are normal characters between square brackets. For example, [a5?] matches:
a 5
?
c S %
and others, but not:
a b
- Is used to denote a range of characters. For example, [a-f A-F 0-5] matches:
d F 3
and others
/ Is not matched by ? or *. Cannot be included in [...] or be part of a range. This means, for example, that http://linux.die.net/* does not match the following pathname:
http://linux.die.net/man/7/glob
However, this pathname is matched by:
http://linux.die.net/*/*/*
Table -4 List of important special Glob characters (continued)
Character Description
\ If preceding ?, *, or [, these are normal characters. For example, [mn\*\[] matches:
m n * [
. A file name beginning with a . (dot) must be matched explicitly. For example, the command:
rm *
will not remove the file .profile. However, the following command will:
rm .*
b ab aaaaaab
and others
+ Matches the preceding character one or more times. For example, regex(c+d) matches:
cd cccccd
and others
? Matches the preceding character zero or one times. For example, regex(m?n) matches:
n mn
^ Matches the beginning of a line.
$ Matches the end of a line.
{...} Are used to match a character as many times as specified. Options:
a{n} Matches a character n times. For example, regex(a{3}) matches:
aaa
a{n,} Matches a character n or more times. For example, regex(p{4,}) matches:
pppp pppppp
and others a{n,m} Matches a character between n and m times, including the limiting values. For example, regex(q{1,3}) matches:
q qq qqq
Table -5 List of important special Regex characters (continued)
Character Description
| Matches alternative expressions. For example, regex(abc|jkl) matches:
abc jkl
(...) Are used to group characters in an alternative expression. For example, regex(de(r|st)) matches:
der dest
[...] Matches any of the single characters included in the square brackets. For example, regex([bc3]) matches:
b c
3
- Is used to denote a range of characters in a bracket expression. For example, regex([c-f C-F 3-5]) matches:
d F 4
and others
Table -5 List of important special Regex characters (continued)
Character Description
^ Matches any single character in a bracket expression except those following the circumflex. For example, regex([^a-d]) matches:
e 7 &
and others, but not:
a b c d
\ (If preceding a special character:) Turns it into a normal character. For example, regex(mn\+) matches:
mn+
(If preceding some normal characters:) Matches a particular class of characters. For information on these classes, refer to the perlre man page or other documentation. The following are examples of frequently used character classes: regex(\d) matches all digits, such as:
3 4 7
and others
regex(\D) matches all characters that are not digits, such as:
c T &
and others
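As an added example, not code from the McAfee guide: the Python below applies the Glob rules listed in the table above (? and * never match a /, ? and * are ordinary characters inside [...], \ escapes the next character, a leading dot must be matched explicitly) together with the regex(...) convention from the Wildcard expressions introduction, so that list entries can be checked offline before they go onto a blocking list or whitelist. The names glob_to_regex, glob_match and entry_matches are this example's own; Python's re stands in for Perl regex syntax, and full-string matching for regex(...) entries is an assumption.

```python
import re

NODOT = r'(?!\.)'  # a dot that starts a path segment must be matched explicitly

def _bracket_class(body):
    """Inside [...]: \\ escapes the next character, - keeps its range meaning, ? and * are literal, / is forbidden."""
    parts, k = [], 0
    while k < len(body):
        ch = body[k]
        if ch == '\\' and k + 1 < len(body):
            parts.append(re.escape(body[k + 1]))
            k += 2
            continue
        if ch == '/':
            raise ValueError("'/' cannot be included in [...] or be part of a range")
        parts.append('-' if ch == '-' else re.escape(ch))
        k += 1
    return '[' + ''.join(parts) + ']'

def glob_to_regex(pattern):
    """Translate an appliance-style Glob expression into a Python regex (* and ? never match /)."""
    out, i, n = [], 0, len(pattern)
    segment_start = True  # at the start of the string or right after a /
    while i < n:
        c = pattern[i]
        prefix = NODOT if segment_start else ''  # wildcards never match a leading dot
        if c == '*':
            while i + 1 < n and pattern[i + 1] == '*':  # fold runs of *
                i += 1
            out.append(prefix + r'[^/]*')
        elif c == '?':
            out.append(prefix + r'[^/]')
        elif c == '[':
            j = i + 1
            while j < n and pattern[j] != ']':
                j += 2 if pattern[j] == '\\' else 1
            if j >= n:  # no closing ]: treat [ as an ordinary character
                out.append(re.escape(c))
            else:
                out.append(prefix + _bracket_class(pattern[i + 1:j]))
                i = j
        elif c == '\\' and i + 1 < n:  # \ turns the next character into a normal one
            out.append(re.escape(pattern[i + 1]))
            i += 1
        else:
            out.append(re.escape(c))
        segment_start = (c == '/')
        i += 1
    return ''.join(out)

def glob_match(pattern, text):
    """True when the whole text matches the Glob expression."""
    return re.fullmatch(glob_to_regex(pattern), text) is not None

def entry_matches(entry, text):
    """regex(...) entries are regular expressions; anything else is a Glob expression (the default).
    Full-string matching for regex entries is an assumption of this example."""
    if entry.startswith('regex(') and entry.endswith(')'):
        return re.fullmatch(entry[len('regex('):-1], text) is not None
    return glob_match(entry, text)

if __name__ == '__main__':
    # pathname examples from the Glob table: * does not cross a /
    print(glob_match('http://linux.die.net/*', 'http://linux.die.net/man/7/glob'))      # False
    print(glob_match('http://linux.die.net/*/*/*', 'http://linux.die.net/man/7/glob'))  # True
```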
Index

A
access restrictions 90
administrator accounts 120
  external accounts 122
  roles 121
  test account 121
anti-malware see virus and malware filtering
anti-virus see virus and malware filtering
appliance
  authentication 91
  Central Management 204
  dashboard 210
  filtering functions 124
  license 25
  logon 23
  logout 27
  monitoring 209
  physical 19
  proxies 29
  setup 19
  troubleshooting 229
  virtual 20
  web security 11
authentication 95
  administration 91
  authorized override 112
  coaching 112
  common parameters 98
  cookies 108
  Kerberos 95
  LDAP 95
  methods 95
  NTLM-Agent 95
  process 92
  quotas 112
  RADIUS 95
  settings 97
  test 98
  time quotas 112
  user database 95
  volume quotas 112
  Windows domain 105
AV see anti-virus

B
Billing 175

C
cache see web cache
Central Management 204
coaching 112
cookie authentication 108

D
dashboard
  access 210
  display options 210
  overview 211
data trickling 178
database updates 201

E
ePolicy Orchestrator 223
error handling 227
explicit proxy mode 31

F
file editor 200
filtering
  concepts 53
  cycles 54
  process flow 55
  rules 53
filtering functions
  global whitelisting 163
  HTML filtering 155
  media type filtering 148
  overview 124
  SSL scanning 165
  URL filtering 139
  virus and malware filtering
FTP proxy 43

G
global whitelisting
  administration 163
  Global Whitelist library rule set 164
  library rule set 164
  lists 163
  rule set 164

H
Helix proxy 46
high availability 30
HTML filtering
  administration 155
  HTML filtering library rule set 155
  library rule set 155
  lists 162
  opener module 161
  rule set 155
HTTP proxy 42

I
ICAP server 44
IM see instant messaging
initial configuration 22
instant messaging
  AIM 45
  ICQ 45
  Windows Live Messenger 45
  Yahoo 45

L
library 66
licensing 25
logging functions 213
logon 23
logout 27

M
malware see virus and malware filtering
McAfee Web Gateway see appliance
media type filtering
  administration 148
  library rule set 152
  lists 148
  Media Type Filtering library rule set 152
  rule set 150
monitoring
  dashboard 210
  ePO server 223
  logging 213
  SNMP 225

N
next-hop proxies 180
NTLM 95

P
physical appliance 19
policy creation 24
process flow 55
progress indication
  data trickling 178
  progress page 178
progress page 178
proxies
  advanced settings 46
  AIM 45
  common settings 41
  explicit proxy 31
  FTP 43
  Helix 46
  high availability 30
  HTTP 42
  ICAP server 44
  ICQ 45
  instant messaging 41
  network modes 30
  preconfigured settings 29
  settings 29
  transparent bridge 34
  transparent router 37
  WCCP 30
  Windows Live Messenger 45
  Yahoo 45

Q
quotas 112

R
roles 121
rule sets
  default system 65
  implementing methods 64
  library 66
  wizard-created 65
rules
  actions 61
  complex criteria 60
  criteria 58
  cycles 54
  elements 57
  events 62
  process flow 55
  properties 53
  property types 60
  rule sets 63
  user interface format 59

S
search function 27
setup
  initial configuration 22
  license 25
  logon 23
  physical appliance 19
  policy creation 24
  virtual appliance 20
SNMP monitoring 225
SSL scanning
  administration 165
  library rule set 170
  lists 169
  modules 165
  rule set 170
  SSL Scanner library rule set 170
system files 200
system settings
  Central Management 204
  configuration 194
  overview 192

T
tabs
  administrator accounts 120
  appliances 193
  file editor 200
  lists 84
  overview 27
  rule sets 67
  settings 88
  template Editor 185
time quotas, volume quotas 112
transparent modes
  bridge 34
  router 37
troubleshooting 229
TrustedSource see URL filtering

U
URL filtering
  administration 139
  extended lists 142
  library rule set 147
  lists 140
  module 144
  rule set 146
  TrustedSource module 144
  URL Filtering library rule set 147
user interface
  logon 23
  logout 27
  main elements 26
  search function 27
  settings 199
user messages
  adapt 185
  settings 188
  template Editor 185
  templates 184

V
virtual appliance 20
virus see virus and malware filtering
virus and malware filtering
  administration 125
  Antimalware module 128
  Gateway AntiMalware library rule set 137
  library rule sets 137, 138
  lists 125
  McAfee AV library rule set 138
  rule sets 133
  scanning module 128

W
WCCP 30
web cache 47
Web Gateway see appliance
web security
  filtering 11
  policy 24
  rules 53
wildcard expressions 263
Windows domain 105
Windows Live Messenger 45
wizards
  initial configuration 22
  policy creation 24
700-2514A00