
Product Guide

McAfee Web Gateway

version 7.0

COPYRIGHT
Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee Web Gateway 7.0 Product Guide

Contents

Preface
  About this guide
  Audience
  Conventions
  Find additional information
  Acronyms

About the McAfee Web Gateway Appliance
  Comprehensive web security for your network
  Main functions of the McAfee Web Gateway appliance
  Main administrator activities
  Deployment of the McAfee Web Gateway appliance
  Platform
  Network integration
  Administration and updates
  Main components of the McAfee Web Gateway appliance
  Appliance subsystems
  Operating system
  Filtering rules on the McAfee Web Gateway appliance
  Rule sets for filtering
  Lists and modules for filtering
  Modifying the filtering process
  Chapters of this guide

Setup and Logon
  Setting up the McAfee Web Gateway appliance
  Setting up a physical appliance
  Setting up a virtual appliance
  Performing the initial configuration
  Logging on to the user interface
  Implementing a web security policy
  Importing a license
  Working with the user interface
  Main elements of the user interface
  Configuration support functions

Proxies and Caching
  Intercepting web traffic
  Proxy settings
  Web cache settings
  Network modes
  Explicit proxy mode
  Transparent bridge mode
  Transparent router mode
  Common proxy settings
  Configure common proxy settings
  Proxies (HTTP(S), FTP, ICAP, and IM) system settings
  Helix proxy configuration
  Web cache
  Rules for the web cache
  Bypass lists for the web cache
  Verify enabling of the web cache

Rules and Rule Sets
  Filtering controlled by rules
  About filtering
  Modules for delivering filtering information
  About rule elements
  Main elements of a rule
  Rules on the user interface
  Complex criteria
  Properties
  Actions
  Events
  About rule sets
  Rules in rule sets
  Rule set cycles
  Rule set criteria
  Nested rule sets
  Implementing a rule set system
  Sample wizard rule set system
  Default rule set system
  Library rule sets
  Rule configuration
  Rule Sets tab
  Adding a rule
  Create a sample rule
  Sample rules
  Rule set configuration
  Import a rule set
  Add a new rule set
  List maintenance
  Lists tab
  List types
  Add a list
  Add list entries
  Inline lists
  Action and engine settings
  Settings tab
  Types of settings
  Add settings
  Access restrictions

Authentication and Account Management
  Filtering users
  Administering authentication and accounts
  Authentication process on the appliance
  Database authentication
  Implementation of an authentication rule set
  Configure an authentication method
  Authentication engine settings
  Join the appliance to a Windows domain
  Windows Domain Membership system settings
  Authenticate and Authorize library rule set
  Cookie authentication
  Configure settings for cookie authentication
  Cookie Authentication library rule set
  Quotas and coaching
  Quota and coaching modes
  Configure quotas and coaching
  Coaching engine settings
  Time Quota engine settings
  Volume Quota engine settings
  Authorized override engine settings
  Quota and coaching lists
  Rule sets for quotas and coaching
  Administrator accounts
  Internal management of administrator accounts
  Administrator roles
  Configure external account management

Web Filtering
  Filtering web objects
  Administering the filtering process
  Functions for filtering web objects
  Virus and malware filtering
  Whitelists for virus and malware filtering
  Scanning module for virus and malware filtering
  Rules and rule sets for virus and malware filtering
  URL filtering
  Lists for URL filtering
  Extended Lists for blocking URLs per category
  Module for retrieving URL category information
  Rules and rule set for URL filtering
  Media type filtering
  Lists for media type filtering
  Rules for media type filtering
  HTML filtering
  Rule set for HTML filtering
  Module for opening embedded objects
  Sample lists for HTML filtering
  Global whitelisting
  Global whitelists
  Rule set for global whitelisting
  SSL scanning
  Settings for the SSL scanning modules
  SSL scanning lists
  Rule set for SSL scanning
  Supporting functions
  Billing
  Progress Indication
  Next-hop proxies
  User messages
  Message templates
  Adapt a user message template
  Template Editor
  Settings for message templates

System Configuration
  Configuring the appliance system
  Initial setup system settings
  System configuration after the initial setup
  System settings
  Appliances tab
  Configure the system settings
  Date and Time system settings
  DNS system settings
  License system settings
  Network system settings
  Port Forwarding system settings
  Static Routes system settings
  User Interface system settings
  System files
  File Editor tab
  Database updates
  Update database information manually
  Schedule automatic engine updates
  Automatic Engine Updates system settings
  Central Management
  Configure Central Management settings
  Add an appliance to the appliance configuration
  Central Management system settings

Monitoring
  Monitoring the appliance
  Monitoring functions
  Troubleshooting functions
  Dashboard
  Access the dashboard
  Dashboard display options
  Overview of the dashboard information
  Logging
  Log file types
  Sample logging rule
  Viewing log files
  Create a sample logging rule
  Create a log handler
  Use self-configured log files
  Configuring log file settings
  Log file settings
  Log handler rule sets
  Forwarding data to an ePO server
  Configure data forwarding
  ePolicy Orchestrator system settings
  Bypass ePO requests library rule set
  Event monitoring with SNMP
  Configure SNMP monitoring
  SNMP system settings
  Error handling
  Create an error handler
  Error handler rule sets

Troubleshooting
  Troubleshooting appliance problems
  Files for recording appliance behavior
  Network tools
  Backup and restore files
  Create a feedback file
  Enable the creation of core files
  Enable the creation of connection tracing files
  Generate a TCPdump
  Use network tools
  Back up and restore the appliance configuration

Appendix: Configuration Lists
  List of actions
  List of events
  List of properties
  Wildcard expressions
  Test a wildcard expression
  List of important special Glob characters
  List of important special Regex characters

Index


Preface

About this guide


This Product Guide describes the features and capabilities of McAfee Web Gateway version 7.0, providing an overview of the product as well as detailed instructions on how to set up, configure, and maintain it.

Audience
This guide is intended for network and security administrators. It assumes familiarity with system administration, operating systems, networks, the Internet, and related terminology.

Conventions
When this guide mentions the appliance, this refers to the McAfee Web Gateway appliance. Other conventions used in the text are as follows:
Table 1 Conventions

Convention           Description
Courier bold         Identifies commands and key words you type at a system prompt
Courier italic       Indicates a placeholder for text you type
Courier plain        Used to show text that appears on a computer screen
Plain text italics   Identifies the names of files and directories. Also used for emphasis (for example, when introducing a new term)
Plain text bold      Identifies buttons, field names, and tabs that require user interaction
[ ]                  Signals conditional or optional text and instructions (for example, instructions that pertain only to a specific configuration)
Note:                Used for a helpful suggestion or a reference to material not covered elsewhere in the guide

Note: The screen captures and graphics used in this guide are for illustration purposes only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features may be enabled in screen captures to make them clear; however, not all features are appropriate or desirable for your setup.


Find additional information


You can find additional product information at the following locations:
Table 2 Additional product information
Information: Location

Product Documentation (ServicePortal):
1 Go to the McAfee Technical Support ServicePortal at: http://mysupport.mcafee.com
2 Under Self Service, click Product Documentation.
3 Select a Product, then a Version.
4 Select a document.

Product Documentation (Extranet):
1 Go to the Extranet for McAfee Web Gateway at: https://extranet.webwasher.com/documentation_mwg7
2 Enter your user name and password.
3 Select a document.

KnowledgeBase Answers and Articles:
1 Go to the McAfee Technical Support ServicePortal at: http://mysupport.mcafee.com
2 Click one of the following:
- Search the KnowledgeBase for answers to your product questions.
- Browse the KnowledgeBase for articles listed by product and version.

Acronyms
Acronyms used in this guide:
Table 3 Acronyms
Acronym: Description
AIM: AOL Instant Messenger
CIDR: Classless Inter-Domain Routing
CLI: Command Line Interface
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name Server
EDH: Ephemeral Diffie-Hellman
ePO: ePolicy Orchestrator
FTP: File Transfer Protocol
HA: High Availability
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
ICAP: Internet Content Adaption Protocol
ICQ: I seek you
ID: Identity, Identification, Identifier
IM: Instant Messaging/Messenger
IP: Internet Protocol
LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
LRU: Least Recently Used
MIB: Management Information Base
MLOS: McAfee Linux Operating System
MTU: Maximum Transmission Unit
NTLM: New Technology LAN Manager
NTP: Network Time Protocol
Regex: Regular Expression
RTSP: Real-Time Streaming Protocol
SNMP: Small Network Management Protocol
SSH: Secure Socket Shell
SSL: Secure Socket Layer
URL: Uniform Resource Locator
VRRP: Virtual Router Redundancy Protocol
WCCP: Web Cache Communication Protocol


About the McAfee Web Gateway Appliance

Contents
- Comprehensive web security for your network
- Deployment of the McAfee Web Gateway appliance
- Main components of the McAfee Web Gateway appliance
- Filtering rules on the McAfee Web Gateway appliance
- Chapters of this guide

Comprehensive web security for your network


The McAfee Web Gateway appliance ensures comprehensive web security for your network. It protects your network against threats arising from the web, such as viruses and other malware, inappropriate content, data leaks, and related issues. It also ensures regulatory compliance and a productive work environment.

The appliance is installed as a gateway that connects your network to the web. Following the implemented web security rules, it filters the requests that users send to the web from within your network. Responses sent back from the web and embedded objects sent with requests or responses are also filtered. Malicious and inappropriate content is blocked, while useful matter is allowed to pass through.

Figure 1-1 Filtering web traffic


Main functions of the McAfee Web Gateway appliance


Filtering web traffic is a complex process. The main functions of the appliance contribute to it in different ways:
- Filtering web objects: Special anti-virus and anti-malware functions on the appliance scan and filter web traffic and block objects when they are infected. Other functions filter requested URLs, using information from the global TrustedSource intelligence system, or do media type and HTML filtering. They are supported by functions that do not filter themselves, but do such jobs as counting user requests or indicating the progress made in downloading web objects.
- Filtering users: This is done by the authentication functions of the appliance, using information from internal and external databases and methods such as NTLM, LDAP, RADIUS, Kerberos, and others. In addition to filtering normal users, the appliance also gives you control over administrator rights and responsibilities.
- Intercepting web traffic: This is a prerequisite for any filtering of web objects or users. It is achieved by the gateway functions of the appliance, using different network protocols, such as HTTP, HTTPS, FTP, Yahoo, ICQ, Windows Live Messenger, and others. As a gateway, the appliance can run in explicit proxy mode or in transparent bridge or router mode.
- Monitoring the filtering process: The monitoring functions of the appliance allow you a continuous overview of the filtering process. They include a dashboard, providing information on web usage, filtering activities, and system behavior, as well as logging and tracing functions and options to forward data to an ePolicy Orchestrator or do event monitoring with an SNMP agent.

Main administrator activities


The following are the main activities needed to administer the appliance:
- Perform the initial setup: You can set up the appliance on a physical hardware platform or on a virtual machine. The setup procedure includes the initial configuration of system parameters, such as host name and IP address, implementing an initial system of filtering rules, and licensing. Two wizards are available in this phase, one for the initial configuration, another for the filtering rules.
- Configure the gateway functions: After the initial setup, explicit proxy mode and the HTTP protocol are preconfigured on the appliance. You can modify this and also configure other network components that the appliance communicates with.
- Modify filtering rules: The filtering rules are the building blocks of your web security policy. You can review the system of filtering rules that has been implemented during the initial setup and modify it. Authentication is not implemented initially. Working on the filtering rules also includes maintaining the lists that these rules use and configuring the settings for rule actions and for the modules involved in the filtering process.
- Monitor the appliance: When you have configured the appliance according to your requirements, you can monitor it to see how it performs the filtering process. You can also monitor system functions, such as CPU and memory usage.


Deployment of the McAfee Web Gateway appliance


Before you set up the McAfee Web Gateway appliance, consider how you want to use it. There are different options regarding the platform on which you can run it and its integration into your network. You can also set up multiple appliances and administer them as nodes in a complex configuration.

Platform
You can run the appliance on different platforms.
- Hardware-based appliance: On a physical hardware platform.
- Virtual appliance: On a virtual machine.

Network integration
In your network, the appliance can intercept, filter, and transmit web traffic in different modes.
- Explicit proxy mode: The clients that the appliance communicates with are aware of it. You must configure them explicitly to direct their traffic to the appliance.
- Transparent modes: The clients are not aware of the appliance.
  - Transparent bridge: The appliance acts as an invisible bridge between its clients and the web. You need not configure the clients for this.
  - Transparent router: The appliance routes traffic according to a routing table, which you need to fill out.

Administration and updates


You can administer the appliance and have updates distributed in different ways.
- Standalone: Administer the appliance separately, without letting it receive updates from other appliances.
- Central Management: Set up the appliance as a node in a complex configuration and administer other nodes on its user interface, including the distribution of updates. You can then also administer the appliance on other nodes and let it receive updates from them.


Main components of the McAfee Web Gateway appliance


The McAfee Web Gateway appliance uses several subsystems to provide filtering and other functions, based on its operating system.

Appliance subsystems
The subsystems of the appliance and their modules do the following:
- Core subsystem: Provides a proxy module for intercepting web traffic and a rule module for processing the filtering rules that make up your web security policy. It also provides the modules (also known as engines) that do special jobs for the filtering rules and can be configured by you, for example, the Antimalware engine, the TrustedSource engine, or the authentication engine. A flow manager module ensures efficient cooperation between the modules.
- Coordinator subsystem: Stores all configuration data processed on the appliance. Provides update and Central Management functions.
- Configurator subsystem: Provides the user interface (internal subsystem name is Konfigurator).

Figure 1-2 Appliance subsystems and modules


Operating system
The subsystems of the appliance rely on the functions of its operating system, which is MLOS (McAfee Linux Operating System) version 1.0. The operating system provides functions for executing the actions that the filtering rules trigger, file and network reading and writing, and access control.

Filtering rules on the McAfee Web Gateway appliance


Rules control the filtering process on the appliance. Reviewing these rules lets you understand what the appliance does to ensure web security. You need not set up these rules yourself: either a wizard does this for you, following your instructions, or a default system of rules is implemented. You can, however, modify every detail of the implemented system.

It is the job of the filtering rules to look at web objects before users of your network are allowed to access them, and also at these users. The rules check the properties of objects and users. If, for example, an object is virus-infected or a user is not in an allowed user group, they block access to this object or prevent the user from completing further activities.

Rule sets for filtering


A rule usually works with other rules to do its job. For example, a blocking rule might work with a few whitelisting rules to do URL filtering. The whitelisting rules say which URLs are allowed and the blocking rule says which are not or simply blocks the rest. Together, these rules are in a URL filtering rule set.

The implemented system of rule sets is displayed on the Rule Sets tab of the user interface. When you review it, you will see rule sets there for URL filtering, virus and malware filtering, media type filtering, and other purposes. When you open a rule set, you can see the individual rules that are contained in it. Even a rule that works on its own, as a global whitelisting rule might, is embedded in a corresponding rule set.

Some rule sets have other rule sets nested in them. This way, for example, media type filtering might be split up between a nested rule set that filters media type uploads and another nested rule set that filters the downloads.

Lists and modules for filtering


Rules are interested in the properties of web objects and users. A blocking rule for URLs needs to know, for example, which categories URLs belong to, so it can block a URL that is in the online-shopping category and prevent the users of your network from accessing it. To get at the information they need, rules rely on:
- Filter lists: A list might contain URLs of web sites for online shopping. When a user requests access to a particular URL, a blocking rule goes through the list to see if that URL is on it.
- Special modules: Information on URL categories can also be retrieved from a global intelligence system (TrustedSource). A module on the appliance communicates with this system and tells the blocking rule about its findings. Other modules scan web objects for infections, inspect certificates, or check user credentials for authentication.
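
The interplay described in the two sections above (whitelisting rules placed ahead of a blocking rule, with lookups against filter lists and a category module) can be modelled in a few lines. This is an added example, not the appliance's rule engine or rule syntax: first-match evaluation, the rule names, the list contents, the hosts, and the category table are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed filter lists (assumed names and contents, not shipped lists).
GLOBAL_WHITELIST = {"intranet.example.com"}
ALLOWED_SHOPPING = {"procurement.example.net"}
BLOCKED_CATEGORIES = {"online-shopping"}

# Constructed stand-in for the answers a category module would return.
CATEGORY_TABLE = {
    "shop.example.org": "online-shopping",
    "procurement.example.net": "online-shopping",
    "news.example.org": "news",
}


def host_of(url: str) -> str:
    """Return the host a rule should test, taken from a real URL parser.

    urlsplit() lower-cases the host; the trailing dot of a fully qualified
    name is stripped so that list lookups see one canonical spelling.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def category_of(host: str) -> Optional[str]:
    """Look up the category; None means the host is uncategorized."""
    return CATEGORY_TABLE.get(host)


@dataclass(frozen=True)
class Rule:
    name: str
    criteria: Callable[[str], bool]  # receives the normalized host
    action: str                      # "ALLOW" or "BLOCK"


# Assumed model: rules are tried top to bottom and the first match decides.
URL_FILTERING: List[Rule] = [
    Rule("Global whitelist", lambda h: h in GLOBAL_WHITELIST, "ALLOW"),
    Rule("Allowed shopping sites", lambda h: h in ALLOWED_SHOPPING, "ALLOW"),
    Rule("Block shopping category",
         lambda h: category_of(h) in BLOCKED_CATEGORIES, "BLOCK"),
]


def evaluate(rules: List[Rule], url: str,
             default: str = "ALLOW") -> Tuple[str, str]:
    """Return (verdict, name of the deciding rule) so decisions are auditable."""
    host = host_of(url)
    for rule in rules:
        if rule.criteria(host):
            return rule.action, rule.name
    # default="BLOCK" models a blocking rule that "simply blocks the rest".
    return default, "(no rule matched)"


if __name__ == "__main__":
    for url in ("http://shop.example.org/cart",
                "http://procurement.example.net/orders",
                "http://SHOP.example.org./cart",
                "http://news.example.org/"):
        print(url, "->", evaluate(URL_FILTERING, url))
    # Same rules in the wrong order: the category block shadows the whitelist.
    print(evaluate(list(reversed(URL_FILTERING)),
                   "http://procurement.example.net/orders"))
```

Returning the name of the deciding rule alongside the verdict makes it easy to see which rule a whitelist entry has to precede when a rule set is reordered.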


Modifying the filtering process


You can modify the filtering process by working on the rules and rule sets that control it, as well as on the filter lists and the settings of the modules involved in this process. This includes:
- Maintaining filter lists: You can add new items to blocking lists and whitelists, as they emerge, and remove others that do not need special attention anymore.
- Configuring module settings: You can use these settings to determine the way the modules do their jobs, for example, use particular methods for detecting malware.
- Modifying filtering rules and rule sets: You can modify blocking, whitelisting, and other rules and group them in rule sets as is appropriate for your network.

The chapters of this guide provide information on all these activities. They explain general concepts, give step-by-step descriptions of key procedures, and inform you about the details of individual rules, lists, and module settings.

Chapters of this guide


The chapters of this guide deal with the main functions of the appliance and related subject matter in the following ways:
- About the McAfee Web Gateway appliance: Introduces the appliance and provides overviews of its main functions, administrator activities, deployment options, and system architecture.
- Setup and Logon: Explains how you set up the appliance and complete first steps up to the point where you configure proxy, authentication, and filtering functions. This includes information on the installation and the initial configuration of system parameters. The chapter also explains how you log on to the appliance and implement an initial system of filtering rules. An overview of the user interface is provided, as well as of options for integrating the appliance into your network.
- Proxies and Caching: Explains how you configure the gateway functions of the appliance to let it run in explicit proxy or transparent mode, using different network protocols. This enables the appliance to intercept web traffic and apply authentication and other filtering functions to it. The chapter also explains the use of the web cache.
- Rules and Rule Sets: The authentication and filtering functions that give you control over who accesses the web from within your network and what web objects can be accessed all do what they are told by the implemented web security rules. This chapter explains in general how these rules work and provides information on the rule sets that contain them and the filtering process they contribute to. It tells you how to modify and create rules and rule sets and how to maintain and configure the lists and modules that the rules rely on.
- Authentication and Account Management: Explains how you configure rules, lists, and modules for the authentication functions of the appliance. Also explains the options for setting up accounts and privileges for administrators.
- Web Filtering: Explains how you configure rules, lists, and modules for filtering web objects on the appliance. The filtering process uses main functions, such as virus and malware or URL filtering, and supporting functions like billing or progress indication for downloads. Messages to users that inform them about filtering activities of the appliance are also explained.
- System Configuration: Explains how you configure functions of the appliance system, such as domain name services, port forwarding, or static routes. Some of these are already configured at the initial setup. Functions for running appliance systems as nodes in a Central Management configuration are also explained.
- Monitoring: Explains how to monitor web usage, filtering activities, and key system parameters, using the dashboard and several log files, as well as external systems, such as the ePolicy Orchestrator.
- Troubleshooting: Explains the functions the appliance provides for troubleshooting, such as the use of core files or TCP dumps. The chapter also explains how you create a backup of the appliance configuration.


Setup and Logon

Contents
- Setting up the McAfee Web Gateway appliance
- Performing the initial configuration
- Logging on to the user interface
- Working with the user interface

Setting up the McAfee Web Gateway appliance


You can set up McAfee Web Gateway as a physical or virtual appliance.

Before setting up the appliance, make sure you read the release notes for version 7.0, which provide information on known issues. The release notes are available on the McAfee ServicePortal at http://mysupport.mcafee.com. On this portal, proceed as follows:
1 In the Self Service area, click Product Documentation.
2 Select Web Gateway and version 7.0.
3 From the document list that appears, select Release Notes.

Setting up a physical appliance


When using McAfee Web Gateway as a physical appliance, the appliance system is preinstalled and delivered to you on a hardware platform.

Check your shipment


Make sure you received the items needed for the setup:
- McAfee Web Gateway appliance (models vary)
- Power cord
- Network cables
- USB-PS/2 adapter cable (if you use a PS/2 keyboard for the initial configuration)


Gather necessary materials


You must provide the following:
- Standard VGA monitor and PS/2 keyboard or Serial console
- Administration system with:
  - Windows or Linux operating system
  - Java Runtime Environment (JRE) version 1.6 or later
  - Microsoft Internet Explorer version 6.0 or later or Mozilla Firefox version 2.0 or later
- Network cables

Connect the appliance


Proceed as follows:
1 Connect the appliance to power and the network.
2 Connect a monitor and keyboard or a serial console to the appliance.

Continue with Performing the initial configuration.

Setting up a virtual appliance


When using McAfee Web Gateway as a virtual appliance, you need to obtain an ISO image of the appliance system and install it on a virtual machine.

Requirements for setting up a virtual appliance


To set up McAfee Web Gateway as a virtual appliance, you need the following:
- One of the following VMware types:
  - VMware ESX
  - VMware ESXi
  - VMware workstation version 5.5 or later
- Virtual machine host system with the following requirements:
  - CPU: 64-bit capable
  - Virtualization extension: VT-x/AMD-V
- Virtual machine with the following requirements:
  - Memory: 2 GB
  - Hard-disk space: 200 GB
  - CPU cores: 2 (minimum)


Install the appliance system on a virtual machine


When you have obtained the ISO image of the appliance system, you can install it on a virtual machine.
1 Start VMware.
2 Set up a new virtual machine.

The procedures for setting up a virtual machine differ for each VMware type. When setting up McAfee Web Gateway as a virtual appliance, make sure you configure the settings in the table below.
Note: For parameters that are not listed, use the default values given in the procedures. Parameter names can also differ in each procedure.

Table 2-1: Virtual machine settings
Parameter: Value
Configuration type: Typical | Advanced (recommended for virtual appliance setup)
Installation mode: Install from disk | ISO image (required for virtual appliance setup) | Install later
Operating system: Linux (64 bit) version 2.6
Memory: 2 GB (recommended)
Hard-disk space: 200 GB (recommended)
Number of processors: 1 | 2 (required)
Network connection mode: Bridged (recommended) | NAT | ...
CD/DVD drive with assigned ISO image: <drive name>/<name of the ISO image>

3 Turn on the virtual machine.
4 When prompted, select CD/DVD as the boot device. Installation of the appliance system begins.

When the installation has ended, continue with Performing the initial configuration.


Performing the initial configuration


After installing the physical or virtual appliance, you need to perform the initial configuration. The settings in the table below are implemented by default. If you want to implement your own settings, use the wizard that appears during the initial configuration.
Table 2-2: Default settings of the initial configuration
Parameter: Value
Primary network interface: eth0
Autoconfiguration with DHCP: yes
Host name: mwgappl
Root password: <last eight digits of appliance's MAC address>
Remote root logon with SSH: off
Default gateway: <configured by DHCP>
DNS server: <configured by DHCP>

1 Start the initial configuration:
- [Physical appliance] Turn on the appliance. The appliance system starts and several messages are displayed.
- [Virtual appliance] When an installation complete message appears at the end of the installation, press <RETURN>. The appliance system restarts and several messages are displayed.
2 When the following message appears, make the appropriate selection:

Do you want to start the configuration wizard? (y/[n]):

Note: The timeout for responding is 30 seconds.

- If you want to use the wizard, enter y. Continue with steps 3 and 4.
- If you want to use the default settings, let the timeout elapse or press ESC. The initial configuration is completed and the dynamically configured IP address is displayed. Continue with Logging on to the user interface.
3 Use the wizard windows to configure the following:
- Primary network interface
- IP address, entered manually or configured dynamically by DHCP.
- Host name
- DNS server
4 Review the summary that is displayed after configuring the host name.
- If you approve of the summary, confirm and configure the remaining settings:
  - Root password
  - Remote logon with SSH
  The initial configuration is completed with your settings and the IP address is displayed. Continue with Logging on to the user interface.
- If you need to make changes, click Cancel and return to step 3.


Logging on to the user interface


You log on to the user interface and administer the appliance through an administration system. The first time you log on, you also need to implement a web security policy and import a license.

To log on to the user interface:
1 Open the browser of your administration system and go to http://<IP address>:4711 or https://<IP address>:4712, using the IP address configured during the initial configuration.
Note: Under HTTPS, accept the self-signed certificate that appears.

A logon window opens.

2 Enter admin as the user name and webgateway as the password.

After a successful logon, proceed as follows:


Note: While you are logged on, you should not use your browser to log on to the same appliance again.

Continue with Implementing a web security policy.
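
Step 1 of the logon procedure has you accept the self-signed certificate that the user interface presents on port 4712; one way to make that acceptance checkable is to compare the presented certificate with a SHA-256 fingerprint recorded over a trusted path. This is an added example, not part of the product or its documentation: the function names and the practice of recording the fingerprint out of band (for instance during first setup on an isolated network) are assumptions, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl
import sys

ADMIN_HTTPS_PORT = 4712  # HTTPS port of the user interface, from step 1

# Constructed stand-in for DER certificate bytes, used only offline.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(recorded_fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex for the recorded value."""
    return recorded_fp.replace(":", "").replace(" ", "").strip().lower()


def pin_matches(der_cert: bytes, recorded_fp: str) -> bool:
    """True only if the certificate hashes to the recorded fingerprint."""
    recorded = normalize(recorded_fp)
    if len(recorded) != 64:  # truncated or mistyped pins never match
        return False
    return hmac.compare_digest(fingerprint(der_cert).encode(), recorded.encode())


def fetch_presented_cert(host: str, port: int = ADMIN_HTTPS_PORT,
                         timeout: float = 5.0) -> bytes:
    """Fetch the certificate exactly as presented, without trusting it yet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # trust decision is made by the pin check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def ui_certificate_ok(host: str, recorded_fp: str,
                      fetch=fetch_presented_cert) -> bool:
    """Compare the certificate presented by `host` with the recorded pin."""
    return pin_matches(fetch(host), recorded_fp)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok = ui_certificate_ok(sys.argv[1], sys.argv[2])
        print("fingerprint matches" if ok
              else "MISMATCH: do not enter credentials")
        sys.exit(0 if ok else 1)
    print("usage: pin_check.py <appliance IP> <recorded SHA-256 fingerprint>")
    print("offline demo:", pin_matches(SAMPLE_DER, fingerprint(SAMPLE_DER)))
```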


Implementing a web security policy


The first time you log on to the user interface after the initial configuration of the appliance, a policy creation wizard appears. You can use this wizard to create a web security policy for your network, implementing rules and filter lists according to your selections. You can also choose not to make any selections and have a default web security policy implemented.

In the wizard window, do one of the following to implement a web security policy:
- Select values for organization, location, and a level of permission or restriction. Then click OK. A web security policy is implemented accordingly.
  Note: Your location and organization selections are used to implement standard whitelists and recommended blocking lists. Your selection regarding permission or restriction is used to implement filtering rules.
- Click Default. A default web security policy is implemented.

Figure 2-3 Policy Creation Wizard

Continue with Importing a license.


Importing a license
The first time you log on to the user interface after the initial configuration of the appliance, you also need to import a license. This is done after implementing a web security policy. Complete the following procedure to implement a license:
1 On the user interface, go to Configuration | Appliances and select License. Settings for importing a license appear on the settings pane.
2 Under Import License, click end user license agreement and review the agreement. Then select the checkbox in the same line. The License File input field and the Browse button become available.
3 Click Browse and browse to the location where your license file is stored. Select the file and click Activate. The license is imported and license information appears below the input field.

An automatic update of virus signatures and other important information for the appliance modules is started after the initial configuration. It can take several minutes.
Note: During the update, attempts to access the web from the user interface lead to an error message stating that a module, for example, the Antimalware engine, cannot be loaded (because updated information is needed for this).

After the update has been completed, the user interface is available for administering the appliance. For more information, see Working with the user interface.


Working with the user interface


The main elements of the user interface are the system information line, several bars and buttons, the navigation pane, and the settings pane.
Figure 2-4 Main elements of the user interface (labeled elements: System information line, Top-level menu bar, Tab bar, Toolbar (on tab), Logout and Help buttons, Search and Save Changes buttons, Navigation pane, Settings pane)


Main elements of the user interface


The table below describes the main elements of the user interface.
Table 2-3 Main elements of the user interface
Option: Definition
System information line: Displays system and user information.
Top-level menu bar: Lets you select one of the following menus:
- Dashboard: Provides an overview of web usage, filtering activities, and system behavior. For more information, see Dashboard.
- Policy: For configuring your web security policy. For more information, see Rule Sets tab, Lists tab, and Settings tab.
- Configuration: For configuring the system settings of the appliance. For more information, see System Configuration.
- Accounts: For managing administrator accounts. For more information, see Administrator accounts.
- Troubleshooting: For solving problems on the appliance. For more information, see Troubleshooting.
Tab bar: Provides the tabs of the currently selected top-level menu.
Toolbar (on tab): Provides varying tools (depending on the selected tab).
Navigation pane: Provides tree structures of configuration items, such as rules, lists, and settings.
Settings pane: Provides the settings of the item currently selected on the navigation pane for editing.
Logout: Lets you log out of the user interface.
Help: Opens the online help. The chapters and sections of this Product Guide are provided there. You can browse through its pages or navigate on a tree structure and perform a full text search or search for index terms.
Search: Opens the Search window with the following options:
- Search for objects: Lets you search for rule sets, rules, lists, and settings. Typing a search term in the input field displays all objects with names matching the search term.
- Search for objects referring to: Lets you select a list, property, or settings and displays all rules that use the selected item.
Save Changes: Lets you save your changes. For more information, see Configuration support functions.


Configuration support functions


The user interface provides several functions to support your configuration activities.
Table 2-4 Configuration support functions
Option: Definition
Input reminder: Appears attached to the name of a list that is still empty and needs to be filled by you. Some filter lists are created, but not filled by the wizard because they are too sensitive.
Input information:
- Yellow text insert: Appears when you move your mouse pointer over an item on the user interface. Provides information on meaning and usage of the item.
Input responses:
- Appears in a window when the input you entered is valid.
- Appears in a window when the input you entered is invalid.
- Message text: Appears with the red symbol. Provides information on your invalid input.
- Light red color of input field: An input field is filled out in light red if you enter invalid input.
Change reminders:
- Save Changes: The button turns red when you change an item. It turns gray again when you have saved your changes.
- Small red triangle: Appears attached to tabs, icons, and list entries when you have changed an item and not yet saved. For example, when you have changed a rule, the small red triangle appears:
  - In the row of the rule entry
  - On the symbol of the rule set
  - On the projection of the rule sets tab
  - On the Policy icon of the top-level menu bar
Unsaved Changes message: Appears if you attempt to log out without having saved your changes. You have two options then:
- Yes: Log out without saving
- No: Acknowledge and save


Proxies and Caching

Contents
- Intercepting web traffic
- Network modes
- Common proxy settings
- Helix proxy configuration
- Web cache

Intercepting web traffic


The McAfee Web Gateway appliance is installed as a gateway that intercepts web traffic to filter it and ensure web security for your network. It does this in explicit proxy mode or in transparent mode, using particular network protocols. The sections of this chapter tell you how to configure the use of network modes and protocols. They also tell you how to configure the web cache, which stores frequently requested objects locally to speed up browsing.

Proxy settings
You can review and modify the settings for the proxy functions on the Appliances tab of the Configuration top-level menu under Proxies (HTTP(S), FTP, ICAP, and IM). After the initial setup, these settings have preconfigured values. The most important of them are:
- Network mode: Explicit proxy
- Network protocol: HTTP

If you keep the explicit proxy mode, you need to configure the clients of the appliance, so that they direct their requests for web access to it. This also applies to a proxy-chain configuration when the appliance is not immediately connected to a client. If you modify the preconfigured settings, you might not need to configure clients in this way, but you might need to configure other network components that are then involved. For more information, see Network modes and Common proxy settings.


Web cache settings


The web cache settings are part of the proxy settings. You can review and modify both on the same tab of the user interface. The web cache is by default enabled after the initial setup, but its use is controlled by web security rules. A web cache rule set must be implemented with rules for writing to the cache and reading from it. You can review the implemented rule sets on the Rule Sets tab of the Policy top-level menu. If no web cache rule set is implemented, you can import one from the rule set library or create a web cache rule set with rules of your own. For more information, see Web cache and Rules and Rule Sets.

Network modes
The appliance can operate in different network modes to intercept and filter web traffic. This section explains these modes and tells you how to configure them.
Explicit proxy mode: In this mode, the clients of the appliance are generally aware of its existence. You can use one of the following options to implement this mode:
  Proxy: This is the explicit proxy mode proper. It is preconfigured on the appliance.
  Proxy with WCCP: Clients can immediately be directed to the appliance and are then aware of its existence. However, they can also be directed to the appliance by WCCP services without being aware of it.
  Proxy HA: The appliance operates as an explicit proxy that is configured as a part of a high-availability configuration.
Transparent bridge mode: Clients are unaware of the appliance, which serves as an (invisible) bridge between a firewall and the rest of your network.
Transparent router mode: Clients are unaware of the appliance, which serves as a router in your network, directing web traffic according to a routing table.


Explicit proxy mode


This section explains the explicit proxy mode and how you configure it on the appliance and its clients. In this mode, the clients that have their web traffic filtered by the appliance know they are connected to it. They must explicitly be configured to direct their web traffic to the appliance. If this is ensured, it is less important where the appliance is deployed within your network. Typically, it is placed behind a firewall and connected to its clients and the firewall by a router. The diagram below shows a configuration in explicit proxy mode:

Figure 3-1 Explicit proxy mode

Configure the explicit proxy mode


This section tells you how to configure the explicit proxy mode for the appliance.
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure settings for and select Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select one of the options for the explicit proxy mode:
  Proxy: For the explicit proxy mode proper
  Note: This mode is preconfigured after the initial setup.
  Proxy and WCCP: For an explicit proxy mode with client requests being directed immediately to the appliance or by WCCP services
  Note: After selecting this option, specific WCCP settings appear below the Network Setup settings.
  Proxy HA: For an explicit proxy mode with high-availability functions
  Note: After selecting this option, specific Proxy HA settings appear below the Network Setup settings.
4 Configure specific and common settings for the selected mode as needed.
5 Click Save Changes.

For more information, see WCCP system settings, Proxy HA system settings, and Common proxy settings.


WCCP system settings


Settings for the WCCP services.
Note: Version 2 of the WCCP services must be used on the appliance.

WCCP services: List of services redirecting web traffic to the appliance under the WCCP protocol
For the redirecting to work, the IP addresses of the clients that have their requests redirected must be visible on the appliance. They must not be converted using the NAT (Network Address Translation) method. Entries in the services lists are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-1 WCCP Services List
Option: Definition
Service ID: ID of a service that redirects web traffic to the appliance under the WCCP protocol
WCCP router definition: Multicast IP address and DNS name of the router (or switch with routing functions) that redirects web traffic to the appliance using the WCCP service
  Note: You can configure multiple routers here, separating entries by commas.
Ports to be redirected: Ports on web servers that data packets must have in their destination addresses to be redirected
  Note: You can specify up to 8 port numbers here, separated by commas.
MD5 authentication key: Password used under the MD5 algorithm for signing and verifying control data packets
  Note: The password can have up to eight characters.
Input for load distribution: (The main item does not appear in the list, but is visible in the Add and Edit windows. The four elements shown below are related to it, specifying what is used in a data packet as the criteria for load distribution.) When running multiple appliances, load distribution can be configured for the proxies on them. Data packets can be distributed to these proxies based on the masking of source or destination IP addresses and port numbers or on a hash algorithm.
  Source IP: When selected, load distribution relies on the masking of source IP addresses.
  Destination IP: When selected, load distribution relies on the masking of destination IP addresses.
  Source port: When selected, load distribution relies on the masking of source port numbers.
  Destination port: When selected, load distribution relies on the masking of the destination port numbers.
Assignment method: (The main item does not appear in the list, but is visible in the Add and Edit windows. The two elements shown below are related to it, specifying the method used for load distribution.)
  Assignment by mask: When selected, masking of the parameter specified above is used for load distribution.
  Assignment by hash: When selected, a hash algorithm is used for load distribution.
Assignment weight: Value determining how much load is assigned to a proxy. This way you can assign more load to a proxy on an appliance that has more CPU capacity than others. 0 means that no load is distributed to a proxy.
GRE-encapsulated: When selected, data packets are encapsulated by the router before being redirected.
L2-rewrite to local NIC: When selected, data packets are redirected to the appliance by replacing the MAC address of the next device (on the route to the web server) with that of the appliance. This is done on layer two (L2) of the standard communication model.
L2-redirect target: Network interface on an appliance that data packets are redirected to
Comment: Plain-text comment on the WCCP service


Proxy HA system settings


Settings for the appliance as a proxy in a high-availability configuration
Destination HTTP proxy port: Port on the appliance for data packets coming in under HTTP or HTTPS
Original destination ports: List of ports that data packets were originally sent to
Director priority: Priority (ranging from 0 to 99) an appliance takes in directing data packets. The highest value prevails. 0 means the appliance never directs data packets, but only filters them. In a high-availability configuration, two appliances are typically configured as director nodes with a priority higher than zero to direct data packets, providing fail-over functions for each other. The remaining nodes are configured with zero priority (also known as scanning nodes). The priority value is set on a slider scale.
Management IP: Source IP address of the appliance that directs data packets when sending heartbeat messages to other appliances
Virtual IPs: List of virtual IP addresses
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-2 Virtual IP List
Option: Definition
Virtual IP address: Virtual IP address
Network interface: Network interface on the appliance that data packets with the virtual IP address are routed through
Comment: Plain-text comment on the virtual IP address

Virtual router IP: IP address of the virtual router
VRRP interface: Network interface on the appliance for sending and receiving heartbeat messages

Configure the appliance as a proxy on a client


This section tells you how to configure the appliance as a proxy on each of its clients, so that they direct their web traffic to it. You need to do this when running the appliance in explicit proxy mode.
1 From the menu system of the client browser, select the Network/Connection tab.
2 On this tab, add an HTTP, HTTPS, or FTP proxy, according to the protocol you want to use for communication between the client and the appliance.
3 Configure an IP address and port number for connecting to the appliance. Use the values configured during the initial setup of the appliance.

If you use the Microsoft Internet Explorer on your clients and a Windows Active Directory to administer them, you can configure the appliance as a proxy on all your clients in a single procedure.


Transparent bridge mode


This section explains the transparent bridge mode and tells you how to configure it on the appliance. In this mode, the clients of the appliance are unaware that they are connected to it. They need not be configured to direct their web traffic to the appliance. The appliance is placed between a firewall and a router, where it serves as an (invisible) bridge. The diagram below shows a configuration in transparent bridge mode:

Figure 3-2 Transparent bridge mode

Configure the transparent bridge mode


This section tells you how to configure the transparent bridge mode for the appliance.
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure settings for and select Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Bridge.
  Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings.
4 Configure specific and common settings for this mode as needed.
5 Click Save Changes.

For more information, see Transparent Bridge system settings and Common proxy settings. For a sample configuration, see Sample configuration Director and scanning nodes in transparent router mode.


Transparent Bridge system settings


Settings for the appliance when running in transparent bridge mode
Port redirects: List of ports that requests sent by users are redirected to
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-3 Port Redirects list
Option: Definition
Protocol name: Name of the protocol used for data packets coming in when a user sends a request
Original destination ports: Ports that data packets that are to be redirected were originally directed to
Destination proxy port: Port that data packets directed to the above ports are redirected to
Comment: Plain-text comment on the port

Director priority: Priority (ranging from 0 to 99) an appliance takes in directing data packets. The highest value prevails. 0 means an appliance never directs data packets, but only filters them. The value for this priority is set on a slider scale.
Management IP: Source IP address of the appliance that directs data packets when sending heartbeat messages to other appliances
IP spoofing: When selected, the appliance keeps the destination IP address contained in a client request and uses it in communication with the requested web server. The appliance does not verify this address.

Sample configuration Director and scanning nodes in transparent bridge mode


This section describes a procedure for setting up two appliances in transparent bridge mode. One of them is configured as a director node that directs data packets, the other as a scanning node that only filters data packets, but does not direct them.

Set up a director node
To configure an appliance as a director node in transparent bridge mode, you need to enable this mode and configure at least one network interface for the transparent bridge functions. The director role is configured by giving the node an appropriate priority value. Complete the following procedure to set up a director node:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to set up as a director node and select Network.
3 Select a still unused network interface of the appliance to use it as an interface of the transparent bridge. However, do not enable it yet.
4 On the Advanced tab, select Bridge enabled for this interface.
5 In the Name field, type ibr0 as the name of the interface.
6 On the IPv4 tab, under IP Settings, select Disable IPv4.
7 Click Save Changes. You are logged out and logged on to the appliance again.
8 Go to Configuration | Appliances and select Network again. An additional network interface named ibr0 is now available. Select this interface.
9 On the IPv4 tab, configure an IP address, a subnet mask, and a default route for ibr0. Then select the checkbox next to ibr0 to enable this interface.
10 Select the interface that is currently used to access the appliance to assign it to ibr0.


11 On the Advanced tab, select Bridge enabled.
12 In the Name field, type ibr0 as the name of the interface.
13 On the IPv4 tab, under IP Settings, select Disable IPv4.
14 Enable the network interface you assigned to ibr0 in step 3.
15 Select Central Management.
16 In the Central Management Settings section, add the IP address you configured for ibr0 to the list provided under IP address for Central Management communication.
17 Select Proxies (HTTP(S), FTP, ICAP, and IM).
18 Under Network Setup, select Transparent Bridge.
  Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings.
19 Set Director priority to a value > 0.
20 Configure proxy ports and port redirects for HTTP and FTP as needed.
21 Configure also IP spoofing as needed.
22 In the Management IP field, type the IP address you configured for ibr0.
23 Click Save Changes.

If you are going to configure another appliance as a director node, be sure to configure the same proxy ports and port redirects as for the initial director node and to add the port redirects in the same order as for that node.

Set up a scanning node
To configure an appliance as a scanning node in transparent bridge mode, you need to enable this mode and configure an IP address that allows the node to access the network interface of the director node. The scanning role is configured by giving the node 0 as a priority value. Complete the following procedure to set up a scanning node:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to set up as a scanning node and select Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Bridge.
  Note: After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings.
4 Set Director priority to 0.
5 Configure the same HTTP and FTP proxy ports and port redirects as for the director node.
6 Configure also IP spoofing in the same way as for the director node.
7 Click Save Changes.


Transparent router mode


This section explains the transparent router mode and tells you how to configure it on the appliance. This is also a transparent mode, so the clients are unaware of the appliance and need not be configured to direct their web traffic to it. The appliance is placed as a router immediately behind a firewall. It can use a switch for connecting to its clients. A routing table is used to direct the traffic. The following diagram shows a configuration in transparent router mode:

Figure 3-3 Transparent router mode

Configure the transparent router mode


This section tells you how to configure the transparent router mode for the appliance.
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure settings for and select Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Router.
  Note: After selecting this option, specific Transparent Router settings appear below the Network Setup settings.
4 Configure specific and common settings for this mode as needed.
5 Click Save Changes.

For more information, see Transparent Router system settings and Common proxy settings. For a sample configuration, see Sample configuration Director and scanning nodes in transparent router mode.


Transparent Router system settings


Settings for the appliance when running in transparent router mode
Port redirects: List of ports that requests sent by users are redirected to
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-4 Port Redirects list
Option: Definition
Protocol name: Name of the protocol used for data packets coming in when a user sends a request
Original destination ports: Ports that data packets that are to be redirected were originally directed to
Destination proxy port: Port that data packets directed to the above ports are redirected to
Comment: Plain-text comment on the port

Director priority: Priority (ranging from 0 to 99) an appliance takes in directing data packets. The highest value prevails. 0 means an appliance never directs data packets, but only filters them. The value is set on a slider scale.
Management IP: Source IP address of the appliance that directs data packets in a given high-availability configuration when sending heartbeat messages to other appliances
Virtual IPs: List of virtual IP addresses
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-5 Virtual IP list
Option: Definition
Virtual IP address: Virtual IP address
Network interface: Network interface on the appliance used for heartbeats under VRRP (Virtual Router Redundancy Protocol)
Comment: Plain-text comment on the virtual IP address

Virtual router IP: IP address of the virtual router
VRRP interface: Network interface on the appliance for sending and receiving heartbeat messages
IP spoofing: When selected, the appliance keeps the destination IP address contained in a client request and uses it in communication with the requested web server. The appliance does not verify whether this address matches the host name of the request. Otherwise, a domain name server is called to verify the host name after looking it up using the module that retrieves URL information.


Sample configuration Director and scanning nodes in transparent router mode


This section describes a procedure for setting up two appliances in transparent router mode. One of them is configured as a director node that directs data packets, the other as a scanning node that only filters data packets, but does not direct them.

Set up a director node
To configure an appliance as a director node in transparent router mode, you need to enable this mode and configure network interfaces for inbound and outbound web traffic. The director role is configured by giving the node an appropriate priority value. Complete the following procedure to set up a director node:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to set up as a director node and select Network.
3 Configure network interfaces as is suitable for your network. You need at least one interface for inbound and one for outbound web traffic.
4 Click Save Changes. You are logged out and logged on to the appliance again.
5 Go to Configuration | Appliances.
6 On the Appliances tree, go to the appliance you are setting up as a director node and select Proxies (HTTP(S), FTP, ICAP, and IM).
7 Under Network Setup, select Transparent Router.
  Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup settings.
8 Set Director priority to a value > 0.
9 Configure proxy ports and port redirects for HTTP and FTP as needed.
10 Configure virtual IP addresses for the inbound and outbound network interfaces, using free IP addresses for this purpose.
11 In the Management IP field, type an IP address for reaching the scanning node.
12 Leave the number under Virtual router ID as it is.
13 From the VRRP interface list, select the interfaces for heartbeats under this protocol.
14 Configure IP spoofing as needed.
15 Click Save Changes.
16 Configure the clients of your network to let them direct their web traffic to the virtual IP addresses you configured for the inbound network interfaces.

If you are going to configure another appliance as a director node, be sure to configure the same virtual IP addresses as for the initial director node. The proxy ports and port redirects and the order of the port redirects must also be the same as for that node.


Set up a scanning node
To configure an appliance as a scanning node in transparent router mode, you need to enable this mode and configure at least one network interface for outbound web traffic. The scanning role is configured by giving the node 0 as its priority value. Complete the following procedure to set up a scanning node:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to set up as a scanning node and select Network.
3 Configure network interfaces as is suitable for your network. You need at least one interface for outbound web traffic.
4 Click Save Changes. You are logged out and logged on to the appliance again.
5 Go to Configuration | Appliances.
6 On the Appliances tree, go to the appliance you want to set up as a scanning node and select Proxies (HTTP(S), FTP, ICAP, and IM).
7 Under Network Setup, select Transparent Router.
  Note: After selecting this mode, specific Transparent Router settings appear below the Network Setup settings.
8 Set Director priority to 0.
9 Configure the same HTTP and FTP proxy ports and port redirects as for the director node.
10 Configure also IP spoofing in the same way as for the director node.
11 Click Save Changes.
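
The consistency rules stated in the two sample configurations (transparent bridge and transparent router mode) can be checked mechanically before a node goes into service. The following is an added example, not part of the product guide or the appliance software: the Node and PortRedirect records, their field names, and the sample addresses and ports are assumptions made up for illustration, since the guide does not describe an export format for these settings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRedirect:
    protocol: str             # "Protocol name" column of the Port Redirects list
    original_ports: tuple     # "Original destination ports" column
    proxy_port: int           # "Destination proxy port" column


@dataclass
class Node:                   # hypothetical record of one appliance's settings
    name: str
    mode: str                 # "bridge" or "router"
    director_priority: int    # 0 = scanning node, above 0 = director node
    proxy_ports: tuple        # HTTP and FTP proxy ports
    port_redirects: list      # PortRedirect entries in their configured order
    ip_spoofing: bool
    management_ip: str = ""
    virtual_ips: tuple = ()   # transparent router mode only


def check_cluster(nodes):
    """Return a list of findings; an empty list means the nodes are consistent."""
    findings = []
    for n in nodes:
        if not 0 <= n.director_priority <= 99:
            findings.append(
                f"{n.name}: director priority {n.director_priority} is outside 0-99")
    if len({n.mode for n in nodes}) > 1:
        findings.append("nodes use different network modes")

    directors = [n for n in nodes if n.director_priority > 0]
    if not directors:
        findings.append("no director node: every node has priority 0")
        return findings

    ref = directors[0]        # the initial director node is the reference
    for n in nodes:
        if n is ref:
            continue
        if n.proxy_ports != ref.proxy_ports:
            findings.append(f"{n.name}: proxy ports differ from {ref.name}")
        if n.port_redirects != ref.port_redirects:
            # Same entries in another order is a distinct, easy-to-miss mistake.
            same_set = (sorted(n.port_redirects, key=repr)
                        == sorted(ref.port_redirects, key=repr))
            reason = "are in a different order than on" if same_set else "differ from"
            findings.append(f"{n.name}: port redirects {reason} {ref.name}")
        if n.ip_spoofing != ref.ip_spoofing:
            findings.append(f"{n.name}: IP spoofing setting differs from {ref.name}")

    for d in directors:
        if not d.management_ip:
            findings.append(f"{d.name}: director node has no management IP")
        if d.mode == "router" and d.virtual_ips != ref.virtual_ips:
            findings.append(f"{d.name}: virtual IPs differ from {ref.name}")
    return findings


# Constructed sample: two director nodes and one scanning node in router mode.
HTTP = PortRedirect("http", (80,), 9090)
FTP = PortRedirect("ftp", (21,), 2121)
VIPS = ("192.0.2.100", "198.51.100.100")
SAMPLE_NODES = [
    Node("director-1", "router", 99, (9090, 2121), [HTTP, FTP], False,
         "192.0.2.10", VIPS),
    Node("director-2", "router", 50, (9090, 2121), [FTP, HTTP], False,
         "192.0.2.11", VIPS),
    Node("scanner-1", "router", 0, (9090, 2121), [HTTP, FTP], True),
]

if __name__ == "__main__":
    for finding in check_cluster(SAMPLE_NODES):
        print(finding)
```

On the constructed sample, the check reports the reordered port redirects on the second director node and the diverging IP spoofing setting on the scanning node.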


Common proxy settings


You can configure settings for the proxy functions of the appliance and use them in all network modes. This section tells you how to configure these settings and gives detailed descriptions of them.

Configure common proxy settings


This section tells you how to configure the proxy settings of the appliance that are common to all network modes.
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure settings for and select Proxies (HTTP(S), FTP, ICAP, and IM).
3 Configure these settings as needed.
  Network Setup: Settings for selecting a network mode
  HTTP Proxy, FTP Proxy (and other settings): Settings for the network protocols
  Web Cache: Setting for enabling or disabling the cache
  Timeouts for HTTP(S), FTP, ICAP: Settings for timeouts applying to some protocols
  Advanced Settings: Settings for advanced proxy functions
4 Click Save Changes.

For more information on these settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system settings.

Proxies (HTTP(S), FTP, ICAP, and IM) system settings


This section describes the Proxies (HTTP(S), FTP, ICAP, and IM) system settings. You can configure these settings to modify the proxy functions of the appliance.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Network Setup
Settings for selecting a network mode
Proxy: When selected, the explicit proxy mode proper is used.
Proxy and WCCP: When selected, the explicit proxy mode is used and WCCP services can redirect web traffic to the appliance.
Proxy HA: When selected, the explicit proxy mode with high-availability features is used.
Transparent router: When selected, the transparent router mode is used.
Transparent bridge: When selected, the transparent bridge mode is used.
In addition to the common proxy settings, specific settings exist for all these modes, except for the explicit proxy mode proper. For more information, see WCCP system settings, Proxy HA system settings, Transparent Bridge system settings and Transparent Router system settings.


HTTP Proxy
Settings for the appliance when running as a proxy under HTTP. This protocol is used for transferring web pages and other data (providing SSL-encryption for enhanced security).
Enable HTTP proxy: When selected, the appliance runs as a proxy under the HTTP protocol.
HTTP port definition list: List of ports on the appliance that listen to client requests.
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-6 HTTP Port Definition List
Option: Definition
Listener address: Local IP address of the appliance running as an HTTP proxy and port for listening to client requests
Serve transparent requests: When selected, the HTTP proxy processes also client requests sent in transparent mode.
Ports treated as SSL: Ports on destination servers indicating to the HTTP proxy that requests with these numbers are SSL-secured
  Note: It can be necessary to specify these numbers when the appliance processes requests in transparent mode since there is then no CONNECT header to indicate a request is SSL-secured.
Transparent common name handling for proxy requests: When selected, the HTTP proxy does not use the destination IP address of a request to create a common name for the certificate it issues. Instead, it copies the common name of the certificate that the destination server delivered. This might cause a problem if there is a common name mismatch in this certificate.
McAfee Web Gateway uses passive FTP over HTTP connections: When selected, the HTTP proxy uses connections in passive mode for transmitting requests to an FTP server.
  Note: The passive mode might be required for the data connection (used under FTP in addition to the control connection). In some cases, an FTP server is not allowed to use the data connection in active mode, for example, when a firewall rule enforces this in a company network.
Comment: Plain-text comment on the HTTP proxy port


FTP Proxy
Settings for the appliance as a proxy under FTP. This protocol is used for transferring files, using separate connections for control functions and data transfer.
Enable FTP proxy: When selected, the appliance runs as a proxy under the FTP protocol.
FTP port definition list: List of ports on the appliance that listen to client requests
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-7 FTP Port Definition List
Option: Definition
Listener address: Local IP address of the appliance running as an FTP proxy and port for listening to client requests
Data port: Port number sent with the source IP address of the FTP proxy when it opens a data connection to a client
Port range for client listener: Range of numbers for the ports on the FTP proxy that listen to client requests
Port range for server listener: Range of numbers for the ports on the FTP proxy that listen to responses from web servers
Allow clients to use passive FTP connections: When selected, clients can send requests to the FTP proxy in passive mode, which is an option of the FTP protocol.
  Note: The passive mode can be required for the data connection (used under FTP in addition to the control connection). In some cases, FTP clients are not allowed to use the data connection in active mode, for example, when a firewall rule has been implemented in a company network to enforce this.
McAfee Web Gateway uses passive FTP connections: When selected, the FTP proxy uses connections in passive mode for transmitting requests to an FTP server.
  Note: The passive mode can be required for the data connection (used under FTP in addition to the control connection). In some cases, the FTP server is not allowed to use the data connection in active mode, for example, when a firewall rule has been implemented in a company network to enforce this.
Comment: Plain-text comment on the FTP proxy port


ICAP Server
Settings for the appliance when running as an ICAP server, modifying requests and responses in communication with ICAP clients.
Enable ICAP server: When selected, the appliance takes the role of an ICAP server.
ICAP port definition list: List of ports on the appliance that listen to requests from ICAP clients
The list entries are described in the table below. For general information on maintaining a list of this type, see Inline lists.

Table 3-8 ICAP Port Definition List
Option: Definition
Listener address: Local IP address of the appliance running as an ICAP server and port for requests from ICAP clients
Send early 204 responses: When selected, the appliance sends 204 responses early to clients before a request is fully transferred.
  Note: Some clients do not support early 204 responses.
Wait for complete ICAP request: (The main item does not appear in the table, but is visible in the Add and Edit windows. The next four elements in the table are related to it, specifying when the ICAP server should wait until a request is complete.) Waiting for the complete request can be necessary when clients are not capable of receiving parts of the filtered data in response while other parts of the request are still being sent to the server. The normal behavior for the ICAP server is to try to filter and send back data chunk by chunk to reduce latency time.
  Never: When selected, the ICAP server never waits.
  Only for REQMOD requests: When selected, the ICAP server waits if the mode for modifying requests is used.
  Only for FTP requests: When selected, the ICAP server waits if a request was sent under FTP.
  Always: When selected, the ICAP server always waits.
Maximal concurrent REQMOD connections: Maximum number of connections the ICAP server can use simultaneously when modifying requests
Maximal concurrent RESPMOD connections: Maximum number of connections the ICAP server can use simultaneously when modifying responses
Preview size: Size (in bytes) of the portion of a request sent by a client to the ICAP server at the beginning of the communication. The server asks for more data or lets the rest of the data pass through unmodified.
Comment: Plain-text comment on the ICAP server port

Web Cache
Setting for enabling the appliance web cache
Enable cache: When selected, the web cache is enabled. You can then have it controlled by an appropriate rule set.

Timeouts for HTTP(S), FTP, ICAP


Settings for timeouts on connections under the HTTP(S), FTP, and ICAP protocols
Initial connection timeout: Timeout (in seconds) for closing a newly opened connection if no request is received
Connection server timeout: Timeout (in seconds) for closing a connection from the proxy to a server between one request and the next
Connection client timeout: Timeout (in seconds) for closing a connection from the proxy to a client between one request and the next
Connection timeout: Timeout (in seconds) for closing a connection if a client or server remains inactive during an uncompleted request communication


Yahoo
Settings for instant messaging under the Yahoo! protocol

Enable Yahoo proxy: When selected, the appliance runs as a proxy for instant messaging under the Yahoo protocol.
Listener address: IP address of the proxy and number of the port for listening to client requests
Support file transfer over 0.0.0.0:80: When selected, requests for file transfers can use this IP address and port
Login server: Host name and port number of the server that users log on to before sending requests
Relay server: Host name and port number of the server used as a relay station when transferring files
Yahoo client connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a client
Yahoo server connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a server

ICQ/AIM
Settings for instant messaging under the OSCAR protocol provided by AIM

Enable ICQ/AIM proxy: When selected, the appliance runs as a proxy for instant messaging under OSCAR.
Login and file transfer proxy port: IP address of the proxy and number of the port for handling logon and file transfer
BOS listener port: IP address of the proxy and number of the port for listening to Basis Oscar Service (BOS) requests, which include chat messages (as opposed to, for example, file transfers)
ICQ/AIM login server: Host name and port number of the server that users log on to before sending requests
ICQ/AIM client connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a client
ICQ/AIM server connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a server that was the destination of a client request

Windows Live Messenger


Settings for instant messaging under the Windows Live Messenger protocol
Enable Windows Live Messenger proxy: When selected, the appliance runs as a proxy for instant messaging under Windows Live Messenger.
Windows Live Messenger NS proxy listener 1: IP address of the first proxy and number of the port for listening to client requests
Windows Live Messenger NS proxy listener 2: IP address of the second proxy and number of the port for listening to client requests
Windows Live Messenger SB proxy port: IP address of the proxy and number of the port for listening to client requests sent in Switchboard (SB) mode
Windows Live Messenger client connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a client
Windows Live Messenger server connection timeout: Timeout (in seconds) for closing an inactive connection from the proxy to a server that was the destination of a client request


Advanced Settings
Settings for advanced proxy functions
Number of working threads: Number of threads used by the proxies on an appliance for transmitting and filtering web traffic
Use TCP no delay: When selected, delays on the proxy connection are avoided by not using the Nagle algorithm to assemble data packets. This algorithm enforces that packets are not sent before a certain amount of data has been gathered.
Maximal TTL for DNS cache in seconds: Maximum time (in seconds) for storing host name information in the DNS cache
Timeout for errors for long running connections in minutes: Time to elapse (in minutes) before a long running connection that is inactive due to an error is closed
Check interval for long running connections in minutes: Time to elapse (in minutes) between check messages sent on long running connections
Internal path ID: ID of the path the appliance uses to forward internal requests (not requests received from clients), for example, requests for style sheets to display error messages
Bypass RESPmod for responses that must not contain a body: When selected, responses sent in ICAP communication are not modified using the RESPmod mode if they do not include a body.

Helix proxy configuration


The Helix proxy is a third-party proxy for handling real-time streaming data. It is pre-installed on the McAfee Web Gateway appliance. This section tells you how to use this proxy on the appliance.

The Helix proxy is initially not accessed from the user interface of the appliance, but using a command line interface, which is, for example, provided by your administration system. Later on, you can administer the proxy on its own user interface.

Complete the following procedure to set up the Helix proxy for use on the appliance:
1 On the command line interface, enter the activation command, for example, as follows:
service helix-proxy activate
You are asked to enter a user name and password for the initial administrator account.
2 Enter both. The Helix proxy is started.
Note: After the start, you can find configuration files for the proxy in the /opt/helix-proxy folder on the appliance and modify them manually as needed.
3 Connect to the user interface of the proxy:
http://<IP address of the proxy>:21774/admin/index.html
The user interface appears and displays a logon window.
4 Enter the user name and password from step 2.
After a successful logon, the user interface of the proxy is available for administering it.
5 Configure your real-player application to use the appliance as a proxy, for example, as follows:
a Start the real player.
b On its user interface, go to the proxy settings.
c In the appropriate input field, for example, the RTSP (Real-Time Streaming Protocol) field, enter the IP address of the appliance with 554 as the port number.

For more information, refer to the user documentation of the Helix proxy.


Web cache
A web cache is provided on the appliance for storing web objects to speed up responses to client requests. This section explains the handling of this cache.

Use of the web cache is controlled by rules for reading objects from it or writing them to it. This means a rule set must be implemented that contains such rules. Optionally, bypass lists can contain web objects that should not be cached. In addition to this, the web cache must be enabled as an option of the common proxy settings.

So administering the use of the web cache includes the following activities:
Reviewing and modifying the web cache rules: You can review the implemented rule set system to see whether it includes a web cache rule set. If it does not, you can import a rule set from the library or create a rule set with web cache rules of your own.
Maintaining the bypass lists: You can maintain these lists if you want particular objects not to be read from the cache or written to it.
Verifying that the web cache is enabled: You can do this by reviewing the web cache section of the common proxy settings.

For more information, see Rules for the web cache, Bypass lists for the web cache, and Verify enabling of the web cache.

Rules for the web cache


Use of the appliance web cache is controlled by rules in a rule set. This section briefly explains the handling of a web cache rule set and describes a sample rule set from the library.

To find out whether a web cache rule set is implemented, review the system of rule sets on the Rule Sets tab of the Policy top-level menu. If none is implemented, you can import the library Web Cache rule set. After importing this rule set, you can review and modify it on the Rule Sets tab to make it suit your network. Alternatively, you can create a rule set with rules of your own.

A web cache rule set typically contains rules for reading objects from the cache and writing them to it. Additionally, there can be bypass rules that exclude objects from being read or written.

For more information, see Import a rule set, Rules and Rule Sets, and Web Cache library rule set.


Web Cache library rule set


This section explains the rules and process flow of the Web Cache library rule set. This is a rule set with nested rule sets and rules for reading objects from the appliance web cache and for writing them there. For general information on understanding and handling rules and rule sets, see Rules and Rule Sets.
Library rule set: Web Cache
Criteria: Always
Cycle: Requests (and IM) and responses

Two rule sets are nested in this rule set:
Read from Cache
Write to Cache

Read from Cache library rule set
The Read from Cache rule set enables the reading of web objects from the cache and forbids it for URLs on a bypassing list. It is processed in request cycles when users request access to web objects. There is no particular criteria for this rule set. When the process flow reaches it, it is always processed.
Nested library rule set: Read from Cache
Criteria: Always
Cycles: Requests (and IM)

The rule set contains the following rules:

Do not cache URLs in Web Cache URL Bypass List
URL matches in list Web Cache URL Bypass List > Stop Rule Set
The rule uses the URL property to check for requested URLs whether they are on the specified whitelist. If they are, processing of the rule set stops. The rule that enables writing to the cache is then not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.

Enable Web Cache
Always > Continue Enable Web Cache
The rule is always processed unless it is skipped because the bypassing rule placed before it in the rule set applies. It enables the web cache, so objects stored in it can be read. Processing continues with the next rule in the next rule set.


Write to Cache library rule set
The Write to Cache rule set enables the writing of web objects to the cache and forbids it for URLs and media types on particular bypassing lists. It is processed in response cycles when objects are sent from the web in response to user requests. There is no particular criteria for this rule set. When the process flow reaches it, it is always processed.
Nested library rule set: Write to Cache
Criteria: Always
Cycles: Responses

The rule set contains the following rules:

Do not cache URLs in Web Cache URL Bypass List
URL matches in list Web Cache URL Bypass List > Stop Rule Set
The rule uses the URL property to check for a URL sent from the web whether it is on the specified bypass list. If it is, processing of the rule set stops. The rule that enables writing to the cache is then not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.

Do not cache objects larger than X bytes
String.ToNumber (Response.Headers.GetHeader (Content-Length)) greater than 8388608 > Stop Rule Set
The rule uses the String.ToNumber property to convert a string in a response header that is sent with an object to indicate its content length into a numerical value. Then it checks whether this value is greater than the number specified here. If it is, processing of the rule set stops and the writing rule of the rule set is not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.

Do not cache media types in Web Cache Media Type Black List
MediaTypeEnsured at least one in list Web Cache Media Type Blacklist > Stop Rule Set
The rule uses the Media.TypeEnsured property to check for media that have their type ensured with a probability of more than 50% if they are on the specified bypass list. If the type of the media is on the list, processing of the rule set stops. The writing rule of the rule set is then not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.

Enable Web Cache
Always > Continue Enable Web Cache
The rule is always processed unless it is skipped because the rules preceding it in the rule set apply. It enables the web cache, so objects can be written to it. Processing continues with the next rule in the next rule set.


Bypass lists for the web cache


You can enter web objects, such as URLs, media types, and others, onto bypass lists to exclude them from caching. The web cache rule set must then contain rules that use these lists and prevent the rules that would eventually read or write the objects from being processed.
Note: This means that when you edit a bypass list on the user interface, you also modify the rule that uses it. You should therefore make sure you know which rule uses a list that you edit. You can do this, for example, by reviewing the rules of the web cache rule set to see which list names appear in rule names and criteria.

When you import the Web Cache rule set from the library, bypass lists are also implemented. You can edit these lists and also create lists of your own. The procedures used to maintain bypass lists differ according to the list type. For example, you can add URLs to a bypass list for URLs by typing them into the list. When adding media types, however, you select them from folders with media type groups. For more information, see Add a URL to a web cache bypass list, Add a media type to a web cache bypass list, and Sample web cache lists.

Add a URL to a web cache bypass list


This section tells you how to add a URL to a bypass list to exclude it from caching.
1 Go to Policy | Lists.
2 On the Lists tree, go to Wildcard Expression and select the web cache bypass list for URLs, for example, Web Cache URL Bypass List. The list entries appear on the settings pane.
3 Click Add. The Add Wildcard Expression window opens.
4 In the Wildcard expression field, type a URL.
Note: To add multiple URLs at once, click Add multiple and type every URL in a new line.
5 [Optional] In the Comment field, type a comment on the URL.
6 Click OK. The window closes and the URL appears on the whitelist.
7 Click Save Changes.

For more information on how to maintain lists, see List maintenance.

Add a media type to a web cache bypass list


This section tells you how to add a media type to a bypass list to exclude it from caching.
1 Go to Policy | Lists.
2 On the Custom Lists branch of the Lists tree, go to Media Type and select the web cache bypass list for media types, for example, Web Cache Media Type Blacklist. The list entries appear on the settings pane.
3 Click Edit. An Edit window opens. It displays a list of group folders with media types.
4 Expand the group folder with the media type you want to add, for example, Document, and select the media type, for example, application/vnd/ms-excel.
Note: To add multiple media types at once, select multiple media types or one or multiple group folders.
5 Click OK. The window closes and the media type appears on the bypass list.
6 Click Save Changes.

For more information on how to maintain lists, see List maintenance.


Sample web cache lists


This section describes sample bypass lists for use with the web cache rules. When you import the rule set, these lists are also imported. You can find them on the Lists tab of the Policy top-level menu, sorted by their types and names. For general information on how to maintain lists, see List maintenance.

Web Cache URL Bypass List
Library list of URLs that should not be read from or written to the web cache.
Type: Wildcard Expression
The list is initially empty.
The table below describes the list entries.
Table 3-9 Web Cache URL Bypass List
Option | Definition
Wildcard Expression | URL that is not cached (in Wildcard Expression format)
Comment | Plain-text comment on the URL

Web Cache Media Type Blacklist
Library list of media types that should not be read from or written to the web cache.
Type: Media type
Initial entries:
application/mpegurl: MP3 Playlist File
application/x-pn-realaudio: RealMedia streaming file
video/x-la-asf: Streaming Audio/Video File
The table below describes the list entries.
Table 3-10 Web Cache Media Type Blacklist
Option | Definition
Media type | Media type that is not cached (in Wildcard expression format).
Comment | Plain-text comment on the media type

Verify enabling of the web cache


This section tells you how to verify whether the web cache is enabled. The relevant setting is a part of the common proxy settings.
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to verify the enabling for and select Proxies (HTTP(S), FTP, ICAP, and IM).
3 Scroll down to the Web Cache section and see whether Enable Cache is selected. If necessary, select this option.
4 If necessary, click Save Changes.
5 For more information on proxy settings, see Proxies (HTTP(S), FTP, ICAP, and IM) system settings.


Rules and Rule Sets

Contents
Filtering controlled by rules
About rule elements
About rule sets
Rule configuration
Rule set configuration
List maintenance
Action and engine settings
Access restrictions

Filtering controlled by rules


Whenever the appliance takes a filtering action to ensure web security for your network, it is executed according to a rule. The sections of this chapter explain how you can work with these rules. They describe the filtering process they are used in, their elements, and the rule sets that contain them. They also explain how to work with the lists and modules that rules rely on for retrieving filtering information.

About filtering
This section explains some basic concepts of the filtering process that goes on when the implemented rules are processed on the appliance. In this process, the appliance filters web traffic. It blocks some objects and lets others pass through, like a tea sieve or strainer that catches the tea leaves and allows the liquid to flow through its perforations. So how does the appliance tell the tea leaves from the liquid? The tea strainer obviously uses dimension as a key concept. If something is too big, it cannot pass through. Similarly, the appliance uses all kinds of properties that web objects can have or that are related in some way to web objects to make its filtering decisions.

Properties of filtered objects


Properties of web objects checked in the filtering process are, for example, being virus-infected or belonging to a URL category or having a particular IP address. The following can then be asked about these properties: For a given web object, what value does property p have? And: If this value is x, what action is required?


Giving an answer to the second question leads to a rule: If the value of property p is x, action y is required.

A property is a key element in every rule on the appliance. Understanding the property is essential to understanding the rule. When you are creating a rule, begin by thinking about the property you want to use. Using a property of an already existing rule as an example, you might consider something like the following: I want to filter viruses and other malware. I use the property being virus-infected and build a rule around it. I let this rule require a blocking action to be taken if a given object has this property.

This rule could look as follows: If being virus-infected has the value true (for a given object), block this object. The object could, for example, be a file that a web server has sent because a user of your network requested it and that is intercepted and filtered on the appliance.

Properties can be related to web objects, but also to the users that request them. For example, a rule could use the property user groups that user is member of to block requests sent by users who are not in an allowed group: If user groups that user is member of (for a given user) are not on the list of allowed groups, block requests sent by this user.

Properties and rules are explained in this section using normal language. However, the format they have on the user interface of the appliance does not differ from this very much.

Filtering cycles
The filtering process on the appliance has three cycles: the request cycle, the response cycle, and the embedded objects cycle. Only one of these can go on at a given moment. The request cycle is used for filtering requests that users of your network send to the web (1); the response cycle is for the responses received upon these requests from the web (2).

Figure 4-1 Filtering requests and responses


When embedded objects are sent with requests or responses (3), the embedded objects cycle is used as an additional cycle of processing.

Figure 4-2 Filtering embedded objects

An embedded object could, for example, be a file sent with a request to upload a file and embedded in this file. The filtering process begins with the request cycle, filtering the request and checking the file that is requested for uploading. Then the embedded objects cycle is started for the embedded file. Similarly, the response cycle and the embedded objects cycle are started one after another for a file that is sent in response from a web server and has another file embedded in it. For every rule on the appliance, it is specified in which cycle it is processed. However, the cycle is not specified individually for a rule, but for the rule set that contains it. A rule set can be processed in just one cycle or in a combination of cycles.

Process flow
In the filtering process, the implemented rules are processed one after another. The order of the rules is determined by the positions they take in their rule sets. The rule sets themselves are processed in the order of the rule set system, which is shown on the Rule Sets tab of the user interface. In each of the three cycles, the implemented rule sets are looked up one after another to see which must be processed in this cycle.

When a rule is processed and found to apply, it triggers an action. The action executes a filtering measure, such as blocking a request or removing a requested object. In addition to this, it has an impact on the filtering process. It can specify that the filtering process must stop completely, or skip some rules and then continue, or simply continue with the next rule. Processing also stops after all implemented rules have been processed.

Accordingly, the process flow can be as follows:

All rules have been processed for each of the cycles and no rule has been found to apply. > Processing stops.
In the request cycle, the request is allowed to pass through to the appropriate web server. In the response cycle, the response sent from the web is forwarded to the appropriate user. In the embedded objects cycle, the embedded object is allowed to pass through with the request or response it was sent with. Processing begins again when the next request is received.


A rule applies and specifies that processing must stop completely. > Processing stops.
An example of a rule that stops processing completely is a rule with a blocking action. If, for example, a request is blocked because the requested URL is on a blocking list, it is no use to process anything else. No response is going to be received because the request was blocked and not passed on to the appropriate web server. Filtering an embedded object that might have been sent with the request is also not needed because the request is blocked anyway. A message is sent to the user who is affected by the action, for example, to inform this user that a request was blocked and why. Processing begins again when the next request is received.

A rule applies and specifies that processing must stop for the current rule set. > Processing stops for this rule set. The rules that follow the stopping rule in the rule set are skipped.
An example of a rule that stops the processing of a rule set is a whitelisting rule followed by a blocking rule in the same rule set. When a requested object is found on a whitelist, the request is allowed to pass through without further filtering. Therefore the rule set is not processed any further and the rule that eventually blocks the object is skipped. Processing continues with the next rule set. The next rule set can contain rules that, for example, block a request, although it was allowed to pass through the preceding rule set.

A rule applies and specifies that processing must stop for the current cycle. > Processing stops for this cycle. The rules and rule sets that follow the stopping rule in the cycle are skipped.
An example of a rule that stops the processing of a cycle is a global whitelisting rule. When a requested object is found on a global whitelist, the request is allowed to pass through to the appropriate web server. To ensure the request is not blocked eventually by any of the following rules and rule sets, the request cycle is not processed any further. Processing continues with the next cycle.

A rule applies and specifies that processing continues with the next rule. > Processing continues with the next rule. This can be the next rule in the current rule set or the first rule in the next rule set or cycle.
An example of a rule that lets the filtering process continue unimpeded is a billing rule. This rule just counts requests by increasing a counter and does otherwise nothing.
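The following Python model is an added example, not appliance code or McAfee's implementation. It plays the process flow described above through the Write to Cache library rule set from the Proxies and Caching chapter, showing how Stop Rule Set skips the Enable Web Cache rule while the next rule set is still processed. Glob-style wildcard matching, the handling of a missing Content-Length header, the sample URLs, and the trailing counting rule set are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional

# Process-flow outcomes a rule action can have, as named in the guide.
CONTINUE, STOP_RULE_SET, STOP_CYCLE, BLOCK = "Continue", "Stop Rule Set", "Stop Cycle", "Block"

@dataclass
class Rule:
    name: str
    criteria: Callable[[dict], bool]      # property + operator + operand as one predicate
    action: str
    event: Optional[Callable[[dict], None]] = None
    enabled: bool = True

@dataclass
class RuleSet:
    name: str
    cycles: frozenset                     # cycles in which the rule set is processed
    rules: list

def process_cycle(rule_sets, cycle, tx):
    """Process all rule sets for one cycle. Returns (outcome, trace of applied rules)."""
    trace = []
    for rule_set in rule_sets:
        if cycle not in rule_set.cycles:
            continue
        for rule in rule_set.rules:
            if not (rule.enabled and rule.criteria(tx)):
                continue                  # rule does not apply: go on to the next rule
            trace.append((rule_set.name, rule.name, rule.action))
            if rule.event:
                rule.event(tx)
            if rule.action in (BLOCK, STOP_CYCLE):
                return rule.action, trace  # nothing else in this cycle is processed
            if rule.action == STOP_RULE_SET:
                break                     # skip the rest of this rule set only
    return CONTINUE, trace

# Lists used by the rules. The URL entry is constructed (the library list is initially
# empty); the media types are the initial entries listed in the guide.
URL_BYPASS_LIST = ["*://intranet.example/*"]
MEDIA_TYPE_BLACKLIST = {"application/mpegurl", "application/x-pn-realaudio", "video/x-la-asf"}
MAX_OBJECT_BYTES = 8388608

def content_length(tx):
    # Stand-in for String.ToNumber(Response.Headers.GetHeader(Content-Length)).
    # Assumption: a missing or non-numeric header yields 0, so the size rule does not apply.
    value = tx["headers"].get("Content-Length", "")
    return int(value) if value.isascii() and value.isdigit() else 0

def enable_web_cache(tx):
    tx["cache_write"] = True

def count_response(tx):
    tx["counted"] = tx.get("counted", 0) + 1

def build_rule_sets(bypass_rules_enabled):
    """Write to Cache as described in the guide, followed by a constructed counting rule set."""
    write_to_cache = RuleSet("Write to Cache", frozenset({"Responses"}), [
        Rule("Do not cache URLs in Web Cache URL Bypass List",
             lambda tx: any(fnmatchcase(tx["url"], p) for p in URL_BYPASS_LIST),
             STOP_RULE_SET, enabled=bypass_rules_enabled),
        Rule("Do not cache objects larger than X bytes",
             lambda tx: content_length(tx) > MAX_OBJECT_BYTES,
             STOP_RULE_SET, enabled=bypass_rules_enabled),
        Rule("Do not cache media types in Web Cache Media Type Black List",
             lambda tx: any(m in MEDIA_TYPE_BLACKLIST for m in tx["media_types"]),
             STOP_RULE_SET, enabled=bypass_rules_enabled),
        Rule("Enable Web Cache", lambda tx: True, CONTINUE, event=enable_web_cache),
    ])
    counting = RuleSet("Count Responses (constructed)", frozenset({"Responses"}), [
        Rule("Count response", lambda tx: True, CONTINUE, event=count_response),
    ])
    return [write_to_cache, counting]

def run_response(url, media_types, headers, bypass_rules_enabled):
    """Run the response cycle for one constructed transaction."""
    tx = {"url": url, "media_types": media_types, "headers": headers, "cache_write": False}
    outcome, trace = process_cycle(build_rule_sets(bypass_rules_enabled), "Responses", tx)
    return tx, outcome, trace

if __name__ == "__main__":
    big = ("http://downloads.example/image.iso", ["application/octet-stream"],
           {"Content-Length": "9000000"})
    for enabled in (False, True):
        tx, outcome, trace = run_response(*big, bypass_rules_enabled=enabled)
        print(f"bypass rules enabled={enabled}: cache_write={tx['cache_write']}")
        for rule_set, rule, action in trace:
            print(f"  {rule_set} / {rule} > {action}")
```

With the three bypass rules in their initial disabled state, the model writes the 9,000,000-byte object to the cache; the size, URL, and media type exclusions only take effect once those rules are enabled.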


Modules for delivering filtering information


This section explains what special modules do for rules in the filtering process.

Before a rule can trigger a particular action, it needs to know what the value of a particular property is. Consider, for example, a rule that blocks virus-infected objects: If being virus-infected has the value true (for a given object), block this object. The rule needs to know what the value for being virus-infected is for a given object. Only then can it block access to the object.

How does the rule get this information? It gets the information by calling a special module. This module scans the object and tells the rule what value the property has for the object, for example, if being virus-infected is true for it or not.

For a virus and malware filtering rule, the special module is the Antimalware module (also known as Antimalware engine). It can run with different settings and accordingly use different methods for completing its scanning job. For example, it can evaluate only virus signatures or also use proactive methods that are suitable for detecting viruses and other malware for which no signatures are known yet.

Although the scanning module is used in the filtering process, it is not a filtering module in a strict sense. The filtering is not done by the module, but by the corresponding rule, based on the delivered information.

About rule elements


This section explains the elements of a web security rule.

The general structure of a rule can be rendered very simply as follows:
If a is the case, then do b.

For web security rules on the appliance, this simple structure can be filled with a little more detail:
If property p has the value x, do y.

The property mentioned in the rule is the property of a web object or a user. It is checked, for example, when a user requests access to an object. An example of a rule like this is (in normal language):
If being virus-infected has the value true (for a given object), block this object.
or paraphrased even more simply:
If an object is virus-infected, block it.

Other examples are:
If category that a URL belongs to has the value on list x, block the URL.
If user groups that user is member of has the value not on allowed groups list x, block requests from this user.
paraphrased more simply as:


If the category of a URL is on a particular list, block the URL.
If a user is not a member of an allowed user group, block requests from this user.

Main elements of a rule


A web security rule on the appliance has three main elements:
(1) Criteria: If the category of a URL is on list x, ...
Note: Instead of criteria, the term condition is used in other rule syntaxes.
(2) Action that is executed if the criteria is matched: ... block the URL
The third element is optional:
(3) Event (or more than one) that is to happen if the criteria is matched: ... and log this action.

Rule
Criteria: If the category of a URL is on list x, ...
Action: ... block the URL (and)
(Event): ... log this action.

The criteria has again three elements:
(a) Property (of a web object or user): the category of a URL ...
(b) Operator that links the property to an operand: ... is on list
(c) Operand specifying with the operator a value for the property: ... x (list name)
Note: The operand is also known as parameter on the appliance.

Criteria
Property: the category of a URL ...
Operator: ... is on list
Operand: ... x (list name)


Rules on the user interface


On the user interface, a web security rule appears in the following way:

Figure 4-3 Sample rule on the user interface

The rule blocks a URL if its category is on a blocking list, notifies the user who requested the URL of the blocking, and writes a log file entry. The table below provides an overview of the individual rule elements and their meanings.
Table 4-1 Overview of rule elements
Option | Definition | Comment
Enabled | Allows you to enable or disable the rule |
Name | Name of the rule |
Block URLs ... | Name text |
CategoryBlackList | In name text: List used by the rule | Clicking on the list name opens the list for editing.
Yellow triangle | Next to a list name: Indicates that the list is initially empty |
Criteria | Criteria of the rule | The criteria is only visible after clicking the toggle button Show Details.
URL.Categories | Property |
<Default> | Settings of the module that retrieves a value for the property | Clicking on the settings name opens the settings for editing.
at least one in list | Operator |
CategoryBlackList | Operand (here: a list used by the rule) | Clicking on the list name opens the list for editing. The list name appears both in the rule name and the criteria to let it be available when the criteria is not visible.
Yellow triangle | Next to a list name: Indicates that the list is initially empty |
Action | Action of the rule |
Block | Name of the action | The symbol varies with the action.
<URLBlocked> | Settings of the action (here: settings specifying that a block message is sent to the user who is affected by the blocking) | Clicking on the settings name opens the settings for editing.
Events | One (or more) events of the rule |
Execute WriteLogEntry URLBlocked <URLBlocked> | Name of an event; parameter of the event (here: the text of an entry that is written into a log file); settings of the module that handles the event | Clicking on the settings name opens the settings for editing.

For more information on these elements, see the following sections.


Complex criteria
The criteria of a rule can be made complex by configuring it with two or more parts. Each of the parts then has a property with operator and operand. The parts are linked by AND or OR. The following is an example of complex criteria:
AND/OR | Property | Operator | Operand
 | URL.Categories<Default> | at least one in list | Drugs
OR | URL.Categories<Default> | at least one in list | Games/Gambling

The criteria is matched if a filtered URL belongs to a category that is on any of the two specified category lists (or on both). If you configure criteria with three or more parts and use both AND and OR between them, you also need to put brackets to indicate how the parts are logically connected. For example, a AND (b OR c) differs in meaning from (a AND b) OR c. When you add a third criteria part on the user interface, lowercase letters appear before the parts and an additional field is inserted at the bottom of the configuration window. The field displays your criteria parts in short, for example, a AND b OR c. You can then type brackets into the field as needed.
| ID | AND/OR | Property | Operator | Operand |
|---|---|---|---|---|
| a | | URL.Categories<Default> | at least one in list | Drugs |
| b | AND | URL.Categories<Default> | at least one in list | Games/Gambling |
| c | OR | Antimalware.Infected<Gateway AntiMalware> | equals | true |

Criteria Combination: (a AND b) OR c
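The difference that brackets make in the Criteria Combination field can be checked mechanically. The following Python sketch is an added example, not code from the appliance or from McAfee: it parses a combination string over the parts a, b and c from the table above, evaluates it for a request, and lists the truth assignments on which two bracketings disagree. The list contents, the request fields and the choice to reject unbracketed AND/OR mixes are assumptions made for the illustration.

```python
import itertools
import re

TOKEN = re.compile(r"\s*(\(|\)|AND|OR|[a-z])")


def tokenize(text):
    """Split a combination string into brackets, AND/OR and part IDs."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected input at {pos}: {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def parse(text):
    """Build a tree of ("part", id) leaves and ("AND"|"OR", children) nodes."""
    tokens, pos = tokenize(text), 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("criteria part expected at end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing closing bracket")
            pos += 1
            return node
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"criteria part expected, got {tok!r}")
        return ("part", tok)

    def expr():
        nonlocal pos
        children, op = [term()], None
        while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
            # Assumption: refuse to guess precedence when AND and OR are
            # mixed on one bracket level; the guide asks for brackets here.
            if op is not None and tokens[pos] != op:
                raise ValueError("AND and OR mixed on one level: add brackets")
            op = tokens[pos]
            pos += 1
            children.append(term())
        return children[0] if op is None else (op, children)

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return tree


def evaluate(tree, values):
    """Evaluate a parsed tree against a dict of part ID -> bool."""
    kind, payload = tree
    if kind == "part":
        return values[payload]
    results = (evaluate(child, values) for child in payload)
    return all(results) if kind == "AND" else any(results)


# Constructed list contents; the part definitions follow the table above.
DRUGS = {"Drugs"}
GAMBLING = {"Games/Gambling"}
PARTS = {
    "a": lambda req: bool(req["categories"] & DRUGS),
    "b": lambda req: bool(req["categories"] & GAMBLING),
    "c": lambda req: req["infected"] is True,
}


def matches(combination, request):
    """True if the request matches the criteria under this bracketing."""
    values = {name: test(request) for name, test in PARTS.items()}
    return evaluate(parse(combination), values)


def differing_assignments(left, right, names="abc"):
    """Truth assignments on which two bracketings give different results."""
    left_tree, right_tree = parse(left), parse(right)
    found = []
    for bits in itertools.product([False, True], repeat=len(names)):
        values = dict(zip(names, bits))
        if evaluate(left_tree, values) != evaluate(right_tree, values):
            found.append(values)
    return found


if __name__ == "__main__":
    # Constructed request: an infected object that is in neither category.
    request = {"categories": set(), "infected": True}
    for combination in ("(a AND b) OR c", "a AND (b OR c)"):
        print(combination, "->", matches(combination, request))
    print(differing_assignments("a AND (b OR c)", "(a AND b) OR c"))
```

For the constructed request, (a AND b) OR c matches while a AND (b OR c) does not, so a misplaced bracket would make a blocking rule miss an infected object that belongs to neither category.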

Properties
A property is a key element in every rule. If it has a particular value, the criteria of the rule is matched and the rule applies, which means that the rule action is triggered. For example, if the property Antimalware.Infected has the value true in the criteria of a particular rule for virus and malware filtering, the rule triggers its blocking action.

A property in a rule is a property of a web object or of something that is related to a web object, such as the user who requests it. For example, Antimalware.Infected is the property of a web object that is requested by a user or sent in response by a web server or embedded in another object.

A property has a name, a type, and a value. For every property, a particular range of values is possible. A value within this range is found for it during the filtering process by running a special module or by going through a particular list.

In the following, some examples of properties are given.

Property of a web page or a file

| Property | Type | Values |
|---|---|---|
| Antimalware.Infected | Boolean | true \| false |

The meaning of this property can be paraphrased as being infected by a virus or other malware. A rule using this property could apply if its value is true. The Antimalware module scans web objects when the rule is processed to find out what the value of the property is.


Property of a URL
| Property | Type | Values |
|---|---|---|
| URL.Categories | List of categories | Lists of URL categories |

The meaning of this property can be paraphrased as belonging to (one or more) URL categories. A rule using this property could apply if one of these categories is on a blocking list. The TrustedSource module retrieves information on which category or categories a given URL belongs to.

Property of a website or page

| Property | Type | Values |
|---|---|---|
| URL | String | Lists of URLs |

The meaning of this property can be paraphrased as having a URL. A rule using this property could apply if a URL is on a blocking list. During the filtering process, it is looked up whether the URL is on the list. No special module is needed for this lookup. For a list of the available properties with explanations, see List of properties in the appendix.

Actions
An action is the element of a rule that is executed if the criteria of the rule is matched. For example, if an object sent by a web server in response to a user request is found to be virus-infected, the criteria of a particular rule for virus and malware filtering is matched, and the rule triggers the Block action. Settings can be configured for some actions to determine the way they are executed. For example, the Block action has settings that specify a corresponding user message. The settings can also specify the blocking reason for logging purposes. Every action has an impact on the filtering process. This process can be stopped by an action, or the remaining rules in a rule set or cycle are skipped when an action has been executed, or the process just continues after an action. In the following, some examples of actions are given.
| Action | Settings | Impact |
|---|---|---|
| Block | Specifying a message template and the blocking reason | Stops the filtering process |

The blocking effect of this action is achieved by stopping the filtering process. If, for example, a request is blocked, processing stops completely and the request is not passed on to the appropriate web server. The user who sent the request is informed of the blocking. Different settings can be configured for the action, according to whether the blocking reason was a found virus or an inappropriate URL category, and so on.

| Action | Settings | Impact |
|---|---|---|
| Stop Rule Set | None | Stops processing of the current rule set and lets processing continue with the next rule set. |

This action can be used by a whitelisting rule to skip a blocking rule that follows it in the same rule set. Since this action does not affect the user, no settings for a user message are required.


| Action | Settings | Impact |
|---|---|---|
| Continue | None | Lets processing continue with the next rule after the rule that triggered this action. |

This action does not affect a user and accordingly no settings are needed for a user message. For a list of the available actions, see List of actions in the appendix.

Events
If the criteria of a rule matches, an event or several of them can optionally be triggered. For example, if an object is found to be virus-infected and blocked, an event can be triggered that writes the blocking action into a log file.

The way an event is executed can be configured through parameters and settings. For example, the text of a log file entry can be specified as an event parameter and rotation of the log files as part of the event settings.

Other activities executed by events are, for example:
- Setting a value
- Adding a request header
- Incrementing a counter

For a list of the available events, see List of events in the appendix.


About rule sets


Web security rules are grouped and contained in rule sets on the appliance. This section provides some general information about these rule sets and the rule set systems they are included in.

After the initial setup, a system of rule sets is implemented on the appliance. If you use the policy creation wizard, the system will match your selections. Rules, rule sets and filter lists are then implemented according to the type of your organization, your region, and the strictness you want to impose on the users of your network. If you choose not to make such selections, the default rule set system is implemented.

In both cases, you can review and modify what has been implemented. You can modify rule sets and individual rules, including the filter lists, the settings of the modules used in the filtering process, and the settings of the actions that are triggered when rules apply. You can edit or delete all these items, move rules and rule sets to different positions, copy rules to insert them into other rule sets, and create new items of all types. You can also import rule sets from the internal library, move them to other positions, and modify them.

Rules in rule sets


A rule cannot stand on its own; it must be included in a rule set. A rule set can include just a single rule or several of them or one or more nested rule sets. If it includes nested rule sets, it can, but need not, include individual rules on the same level as the nested rule sets.

Rule sets usually include rules that work together to provide a particular function for ensuring web security. For example, a virus and malware filtering rule set might include a rule that blocks infected objects and one or several others that whitelist objects to let them skip the blocking rule and ensure users can access them. Another rule set might filter URLs and include rules for blocking individual URLs and URL categories, as well as whitelisting rules.

You can modify the implemented system and group rules in rule sets to build functional units in whatever way is suitable for your network.

Rule set cycles


Rule sets are processed, with their rules, in the three cycles of the filtering process. A rule set can be processed in any combination of these cycles, for example, only in the request cycle, in the response and embedded objects cycles, or in all three cycles. The cycles of a rule set are at the same time those of the individual rules contained in it. A rule cannot differ with regard to cycles from its rule set.

Rule set criteria


Like rules, rule sets have criteria and are applied if these match. A rule set has criteria in addition to the criteria of its individual rules and usually these criteria differ from each other. For a rule to apply, both its own criteria and the criteria of its rule set must match.


Nested rule sets


Rule sets can have other rule sets nested within them. A nested rule set has its own criteria. Regarding cycles, it can only be processed in the cycles of the nesting rule set, but need not be processed in all of them. This way, a nested rule set can be configured to deal especially with a particular cycle, while another nested rule set deals with another.

For example, a media type filtering rule set could apply to all cycles, but have nested rule sets that are not processed in all of them:
- Media Type Filtering rule set (for requests, responses, and embedded objects)
  - nested rule set Media Type Upload (only for requests)
  - nested rule set Media Type Download (only for responses and embedded objects)

Implementing a rule set system


A system of rule sets can be implemented in the following ways:
- Use of the policy creation wizard: When using this wizard, you can select values for the type of your organization, your region, and a level of strictness. A system of rule sets is implemented accordingly.
- Default configuration: If you make no selections, the default system of rule sets is implemented.
- Own configuration: You can create rule sets of your own, fill them with rules of your own and add them to a system that was created using the wizard or to the default system. If you find that a completely individual solution is best suited for your network, you can also use only rules and rule sets of your own to filter web traffic.

Logging and error handling rule sets

The appliance provides default rule sets for logging and error handling. These are part of every initial configuration, regardless of whether you use the wizard or implement the default system. They can be reviewed and modified like all other rule sets.


Sample wizard rule set system


When a rule set system is implemented using the policy creation wizard, it might, for example, be based on the following selections:
- Type of organization: commercial
- Location: Europe
- Level of strictness: limited (medium)

The table below shows the rule sets belonging to this system (nested rule sets are not shown).

Table 4-2 Wizard rule set system (commercial Europe limited)

| Rule set | Description |
|---|---|
| Global Whitelist | Lets whitelisted IP addresses, URLs, and responses with empty bodies skip all further filtering. |
| Global Block | Blocks IP addresses, authenticated users, and URLs entered in blocking lists. |
| Media Type Filtering | Controls media type filtering with nested rule sets for uploading and downloading media types. |
| Content Filter | Exempts users if entered in a whitelist. Blocks users if entered in a blocking list. Blocks URLs belonging to various categories. |
| Gateway AntiMalware | Controls virus and malware filtering. |
| SSL Scanner | Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling. |

If this system were implemented on your appliance and you wanted to modify it, you could, for example, add a rule set for authentication. You could import it from the library or create one yourself.

You might also move the SSL Scanner rule set to a position at the beginning of the rule set system, for example, following Global Whitelist. If an SSL-secured request is blocked because the certificate submitted with it has expired or for another reason, it is not necessary to apply virus and malware filtering and other filtering functions to it. The rule sets that provide these functions are not processed if processing has already been stopped by a rule of the SSL Scanner rule set.

Default rule set system


The default rule set system is implemented if you do not use the wizard. The table below shows the rule sets of this system (nested rule sets are not shown).
Table 4-3 Default rule set system

| Rule set | Description |
|---|---|
| SSL Scanner | Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling. |
| Global Whitelist | Lets requests that are sent from clients with whitelisted IP address or are directed to websites with whitelisted URLs skip all further filtering. |
| Common rules | Provides functions that support the filtering process, such as web caching, progress indication, and opening of archives. |
| Authenticate and Authorize | Asks unauthenticated users to authenticate and blocks users who are not in an allowed user group with nested rule sets for both functions. |
| Content Filter | Controls filtering of individual URLs and URL categories, media types and HTML pages. |
| Gateway AntiMalware | Controls virus and malware filtering using virus signatures and proactive methods. |

This rule set system has a rule set for authentication. The SSL Scanner rule set is placed before the filtering functions for URLs, media types, viruses and other malware. They are not applied if a rule of the SSL Scanner rule set blocks a request.


Library rule sets


The rule set library provides rule sets for you to import into your implemented rule set system. You could do this to add a function that is missing in your system or when the implemented rule sets do not suit your network in all respects. The table below shows the rule sets in the library (nested rule sets are not shown).
Table 4-4 Library rule sets

| Rule set | Description |
|---|---|
| AuthOverride | Allows users continued access to web pages when the configured quota is exceeded. |
| Billing | Counts requests for access to the web submitted by users of your network. |
| Bypass ePO Requests | Lets connection requests received from an ePO server skip filtering. |
| Coaching | Asks users to confirm usage of web pages before they are allowed to continue. |
| Cookie Authentication | Controls authentication using cookies and retrieving information from an authentication server. |
| Gateway AntiMalware | Controls virus and malware filtering using virus signatures and proactive methods. |
| Global Whitelist | Lets whitelisted URLs skip all further filtering. |
| HTML Filtering | Filters HTML pages and uses its nested rule sets to remove embedded objects, such as Java scripts and others, from these pages. |
| IM Authentication | Controls authentication for users who communicate with the appliance using an instant messaging protocol. |
| IM Logging | Records requests received on the appliance under an instant messaging protocol. |
| McAfee AV | Controls virus and malware filtering using virus signatures. |
| Media Type Filtering | Controls media type filtering with nested rule sets for uploading and downloading media types. |
| Next Hop Proxy | Ensures that internal hosts are used as next-hop proxy servers for internal requests. |
| SSL Scanner | Prepares SSL-secured web traffic for processing by other filtering functions with nested rule sets for certificate verification and inspection enabling. |
| Script Filter | Filters web pages for embedded script code and removes it. |
| Time Quota | Allows users web usage only for a configured period of time per day, week, or other time units. |
| Try-Auth | Asks unauthenticated users to authenticate and blocks users who are not in an allowed user group with nested rule sets for both functions. |
| URL Filtering | Controls filtering of individual URLs and URL categories. |
| Volume Quota | Allows users web usage only as long as a configured amount of bytes per day, week, or other time units is not exceeded. |
| Web Cache | Controls caching of web objects with nested rule sets for reading from and writing to the cache. |

Detailed descriptions of the library rule sets are given in the chapters that deal with individual filtering functions. For example, the Gateway AntiMalware library rule set is described in detail in the section on Virus and malware filtering.


Rule configuration
Rules and rule sets are implemented on the appliance to ensure web security. This section explains how you can work with them to make them even more suitable for your network. It explains some sample rules and provides detailed information on how to modify and create rules and rule sets.

Rule Sets tab


Use the Rule Sets tab to work with rules and rule sets on the appliance. It is selected from the Policy top-level menu.

Figure 4-4 Rule Sets tab (labeled elements: Rule Sets toolbar, Rules toolbar, Rule Sets tree, Rules, Rule Sets menu)

The main elements of the tab are:
- Rule Sets toolbar: Items for working with the rule sets on the Rule Sets tree
- Rule Sets tree: Tree structure displaying the rule sets of the appliance configuration
- Rule Sets menu: Buttons for displaying tree structures of:
  - (General) rule sets
  - Log Handler rule sets
  - Error Handler rule sets
  - User defined properties (for use in rule and rule set criteria)
- Rules toolbar: Items for working with list entries
- Rules: Rules of the currently selected rule set


The Rule Sets toolbar provides the following options:


Table 4-5 Rule Sets toolbar

| Option | Definition |
|---|---|
| Add | Opens a menu or a window for adding an item, depending on what is currently selected from the Rule Sets menu. (Rule Sets is selected) Opens a menu, from which you can select: Rule Set from Library (opens the Add from Rule Set Library window for importing a rule set from the rule set library), Rule Set (opens the Add New Rule Set window to let you add a rule set to the appliance configuration), or Top-Level Rule Set (opens the Add New Top-Level Rule Set window for adding a rule set at the top of the Rule Sets tree). (Log Handler is selected) Lets you select Log Handler from a menu as the only accessible item to open the Add New Log Handler window for adding a new Log Handler rule set. (Error Handler is selected) Lets you select Error Handler from a menu as the only accessible item to open the Add New Error Handler window for adding a new Error Handler rule set. (User-Defined Property is selected) Lets you select User-Defined Property to open the Add New User-Defined Property window for adding a property. |
| Export | Opens the Export Rule Set window for exporting a rule set to the library or into a file. |
| Edit | Opens the Edit Rule Set window for editing a selected rule set. |
| Delete | Deletes a selected rule set. A window opens to let you confirm the deletion. |
| Move up | Moves a rule set up among other rule sets on the same level. |
| Move down | Moves a rule set down among other rule sets on the same level. |
| Move out of | Moves a rule out of its nesting rule set and onto the same level as the nesting rule set. |
| Move into | Moves a rule set out of its nesting rule set and into the rule set following this rule set. |
| Expand all | Expands all collapsed items on the Rule Sets tree. |
| Collapse all | Lets all expanded items on the Rule Sets tree collapse. |
| | The following three items above the Rules toolbar are also for handling rule sets. |
| Edit | Opens the Edit Rule Set window for editing a selected rule set (same function as the corresponding item above the Rule Sets tree). |
| Enabled | Allows you to enable or disable a selected rule set. |
| Criteria | Displays the criteria of a selected rule set. |

The Rules toolbar provides these options:


Table 4-6 Rules toolbar

| Option | Definition |
|---|---|
| Add Rule | Opens the Add Rule window for adding a rule. |
| Edit | Opens the Edit Rule window for editing a selected rule. |
| Delete | Deletes a selected rule. A window opens to let you confirm the deletion. |
| Move up | Moves a rule up within its rule set. |
| Move down | Moves a rule down within its rule set. |
| Copy | Copies a selected rule. |
| Paste | Pastes a copied rule. |
| Show Details | Shows or hides details of a rule entry including the criteria. |


Adding a rule
This section describes the Add Rule window and explains in detail the steps you can complete using the window to add a new rule to a rule set. Use the Add Rule window to add new rules to rule sets. It opens after clicking Add Rule on the Rules toolbar of the Rule Sets tab.
Note: There is also an Edit Rule window where the same options can be used for editing a rule.

Figure 4-5 Add Rule window

The table below describes the window.


Table 4-7 Add Rule window

| Option | Definition |
|---|---|
| Steps | For adding: Name, Comment, and Enabling; Criteria; Action; Events; Summary (for reviewing your settings). Note: You can select a step by clicking it or use Next and Back to navigate. |
| Main window area | Provides different items for completing each step. |
| Message field | Assists you in completing the steps with messages and symbols. |
| Back | Takes you back to the previous step. |
| Next | Takes you to the next step. |
| Finish | Finishes the procedure. |
| Cancel | Leaves the procedure without adding a rule. |

To add a rule, complete the steps in the window. For more information, see:
- Add name, comment, and enabling
- Add the criteria
- Add an action
- Add an event
Note: You can at any time select the Summary step to review your settings.


Add name, comment, and enabling


Complete the following procedure to add general settings to a rule:
1 Go to Policy | Rule Sets.
2 On the Rule Sets tree, select a rule set for the new rule.
3 Click Add Rule. The Add Rule window opens with the first step selected.
4 Add the following:
- Name: Name of the rule
- Enable rule: When selected, the rule is enabled
- [Optional] Comment: Plain-text comment on the rule

Continue with another step, preferably with Add the criteria, or click Finish and then Save Changes.


Add the criteria


Complete the following procedure to add the criteria to a rule:
1 In the Add Rule window, select Rule Criteria.

Figure 4-6 Add Rule Criteria

2 In the Apply this rule section, configure when the rule is applied:
- Always: The rule is always applied.
- If the following criteria is matched: The rule is applied if the criteria configured below is matched.


3 In the Criteria section, click Add. The Add Criteria window opens.

Figure 4-7 Add Criteria window (with property selected)

4 In the Property area, use the following items to configure a property:
- Property: List for selecting a property (property types shown in brackets)
- Search: Opens the Property Search window to let you search for a property.
- Parameter: Opens the Property Parameters window for adding up to three parameters, see Step 5.
  Note: The icon is grayed out if the property has no parameters.
- Settings: List for selecting the settings of the module that delivers a value for the property (module name shown in brackets).
  Note: The icon is grayed out if no settings are required for the property and (not needed) is added.
- Add: Opens the Add Settings window for adding new settings to the list.
- Edit: Opens the Edit Settings window for editing the selected settings.

If no parameters need to be configured for the property, click OK and continue with Step 6.

5 [Conditional] To add property parameters:
a Click Parameter. The Property Parameters window opens.

Figure 4-8 Property Parameters window

b Add as many parameters as needed. A parameter can be a:
- Value (String, Boolean, or numerical): Configure it in the Value area. Then click OK.
- Property: Follow the instructions for configuring properties, beginning again with Step 4.

6 From the Operator list, select an operator.


7 In the Parameter area, add a parameter (also known as operand). This can be a:
- Value (String, Boolean, or numerical): Configure it in the Value area.
- Property: Follow the instructions for editing properties, beginning again with Step 4.

8 Click OK to close the Add Criteria window.

Note: Repeat steps 3 to 8 to add more criteria parts for complex criteria. Connect them by AND or OR (these options are then provided) and, for three or more criteria parts, type brackets in the Criteria Combination field (which then appears) to indicate how they are logically connected.

9 Continue with another adding procedure, preferably with Add an action, or click Finish and then Save Changes.

Add an action
Complete the following procedure to add an action to a rule:
1 In the Add Rule window, select Action.

Figure 4-9 Add Rule Action

2 Use the following items to configure an action:
- Action: List for selecting an action:
  - Continue: Continue with processing the next rule
  - Block: Block access to an object and stop processing rules
  - Redirect: Redirect the client that requested access to an object to another object
  - Authenticate: Stop processing the current cycle and send an authentication request
  - Stop Rule Set: Stop processing the current rule set and continue with the next rule set
  - Stop Cycle: Stop processing the current cycle, but do not block access to the requested object
  - Remove: Remove the requested object and stop processing the current cycle.


- Settings: List for selecting settings for the Block, Redirect, and Authenticate actions.
  Note: The list is grayed out if no settings are required for an action and (not needed) is added.
- Add: Opens the Add Settings window for adding new settings to the list.
- Edit: Opens the Edit Settings window for editing the selected settings.

Continue with another adding procedure, preferably with Add an event, or click Finish and then Save Changes.

Add an event
Complete the following procedure to add an event (or more than one) to a rule:
1 In the Add Rule window, select Events.

Figure 4-10 Add Rule Events

2 In the Events section, click Add. A drop-down menu opens.


3 Select Event. The Add Event window opens.

Figure 4-11 Add Event window

4 Use the following items to configure an event:
Note: Repeat this part of the procedure to add more than one event.
- Event: List for selecting an event (event types shown in brackets).
- Parameters: Opens the Property Parameters window for adding up to three parameters, see Step 5.
  Note: The icon is grayed out if the event has no parameters.
- Settings: List for selecting settings for an event.
  Note: The icon is grayed out if no settings are required for an event.
- Add: Opens the Add Settings window for adding new settings to the list.
- Edit: Opens the Edit Settings window for editing the selected settings.

If no parameters need to be configured for the event, click OK and continue with Step 6.

5 [Conditional] To add parameters to an event:
a Click Parameters. The Property Parameters window opens.
b Add parameters as needed. A parameter can be a:
- Value (String, Boolean, or numerical): Configure it in the Value area. Then click OK.
- Property: Configure it in the Property area. Then click OK.

6 [Conditional] If this is the last of the adding procedures:
a [Optional] In the Add Rule window, select Summary to review what you have configured.
b Click Finish and then Save Changes.

Otherwise continue with another adding procedure.


Create a sample rule


This section explains in detail how to create a sample rule. Creating new rules is one of the activities you can complete to modify the implemented rule set system.
Note: The rule already exists in one of the library rule sets, but under a slightly different name (Block if virus was found).

Rule
Name: Block if virus was detected
Criteria: Antimalware.Infected<Gateway AntiMalware> equals true
Action: Block<VirusFound>

Procedure
Complete the following procedure to create this rule:
Note: Comments in italics explain what you are doing through the step or steps that follow.

1 Go to Policy | Rule Sets.

Choosing a rule set for the rule
2 From the Rule Sets tree, select Gateway AntiMalware as the rule set for the rule. The rule set and its current rules appear on the settings pane.

Opening the Add Rule window
3 On the settings pane, click Add Rule. The Add Rule window opens with the Name step selected. In the main window area, items appear for adding a name and other general settings.

Adding general settings
4 Add the following general settings:
a Name: Type Block if virus was detected.
b Enable rule: Deselect this checkbox, so the sample rule is not enabled.
c Comment: Skip this optional substep.

Adding the criteria


5 Select Rule Criteria. Items for adding the criteria appear.
6 Click Add. The Add Criteria window opens.
7 Add the criteria of the rule (Antimalware.Infected ... equals true):
a From the Property list, select Antimalware.Infected.
b In the Settings list, leave the default, which is Gateway AntiMalware. The Antivirus engine runs with these settings when it scans web objects, using virus signatures and proactive methods.
c In the Operator list, leave equals, the default value.
Note: (Boolean) is displayed in brackets next to Parameter. Antimalware.Infected is a property of the Boolean type. When it is selected, its parameter must have the same type.
d In the Parameter area, select true from the Value list as operand (parameter) for the criteria.
8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area.

Adding the action


9 Select Action. Items for adding an action appear in the main window area.


10 Add an action with special settings (Block<VirusFound>):
a From the Action list, select Block.
b From the Settings list, select VirusFound. Under these settings, a block message is sent to the user who requested an object when the object is blocked.

Reviewing the rule
11 Skip the Events step and select Summary to review what you have configured.

Completing the sample configuration
12 Click Finish. The Add Rule window closes and the new rule appears in the Gateway AntiMalware rule set.
Note: The rule is grayed out because it is not enabled.
13 Click Save Changes.

For more information, see About rule elements, Adding a rule, and Block if virus was found (Sample rule).


Sample rules
This section explains in detail three sample rules from the library rule sets of the appliance:
- Do not filter URLs in Global Whitelist
- Block URLs whose category is in CategoryBlackList
- Block if virus was found

The Block if virus was found rule is also used in another section as an example for explaining step by step how a rule is created. For more information, see Create a sample rule.

Do not filter URLs in Global Whitelist (Sample rule)


This rule is included in the Global Whitelist library rule set. The rule set is processed by default in all three cycles of the filtering process. There is no particular criteria for processing it, it is Always processed.

Rule
Name: Do not filter URLs in GlobalWhitelist
Criteria: URL matches in list GlobalWhitelist
Action: Stop Cycle

In plain text, the rule could be rendered as follows: If a URL is on a particular global whitelist, stop the current processing cycle.

Purpose of the rule

The rule is implemented to provide you with a means of ensuring that particular URLs can be accessed by the users of your network and are not blocked by any other rules. To achieve this, URLs are entered on a whitelist. If a whitelist URL is requested, the rule stops processing the request cycle. This means all following rules of this cycle, including those that might eventually block the URL, are not processed.

When this rule and its rule set are implemented in a rule set system, it should obviously be placed at the beginning of the system to ensure there are no rule sets before it that block URLs. In this case, the whitelisting rule is truly global. It overrules all other measures that might be taken for URLs by the implemented rule set system.

Property and Criteria

The property used in the criteria of the rule is URL. Its meaning can be paraphrased as being a URL. If a requested web object is a URL, then the rule is processed to see if it is on a particular whitelist. The whitelist is specified in the rule criteria as Global Whitelist. For looking up whether a given URL is on it, no special module is needed. Therefore the criteria includes no settings for a module.

Action

If the criteria of the rule matches, the rule applies and the Stop Cycle action is executed, with the impact that is the purpose of the rule. All measures that might prevent users from accessing the URL are avoided. The Stop Cycle action stops the request cycle when a request for access to the URL has been received. Since the rule set of the rule is processed in all three cycles of the filtering process, the Stop Cycle action can also stop the response or the embedded object cycle if a whitelisted URL is involved in these.

The Stop Cycle action does not affect a user in the way that a blocking action would do. If the action and its rule work as intended, the user is allowed to access the requested URL. No message to the user is therefore needed, so the action of this rule has no settings to specify such a message.


Process flow
If processing the rule leads to the result that a URL is on the specified whitelist, the current cycle of the filtering process stops, according to what the rule says. Other cycles of the process can go on. For example, if an embedded object was sent with the request, the embedded object cycle could be started to filter this object. If the request cycle is stopped after the whitelisted URL has been sent, the request is passed on to the appropriate web server. The appliance then waits for a response from this server, and if this is received, the response cycle of the filtering process is started to process this response.

Block URLs whose category is in Category Blacklist (Sample rule)


This rule is included in the URL Filtering library rule set. The rule set is processed by default in the request cycle of the filtering process. There is no particular criteria for processing it; it is Always processed.

Rule Name: Block URLs whose category is in Category Blacklist
Criteria: URL.Categories at least one in list Category Blacklist
Action: Block<URLBlocked>

In plain text, the rule could be rendered as follows: If the category of a URL is on a particular blocking list, block access to this URL.

Purpose of the rule
This rule is for blocking URLs not individually, but per category. All URLs that are related to, for example, drugs or online shopping are blocked. To achieve this, URL categories are entered on a blocking list. If a requested URL falls under a category that is on the list, the rule stops processing completely. The request is not passed on to the appropriate web server and the user who requested the URL cannot access it. In this sense, the URL is blocked.

Property and criteria
The property used in this rule is URL.Categories. Its meaning could be paraphrased as belonging to a URL category. If a requested web object is a URL, it is checked whether its categories are on the specified blocking list. If the URL belongs to more than one category, only one of them on the list is sufficient to trigger the blocking, as the rule says: at least one in list. Information about URL categories is retrieved by a special module from a TrustedSource server. The settings of this module are therefore specified in the criteria of the rule. You can configure these settings to modify the way the module retrieves the information, for example, by using TrustedSource information retrieved earlier on and stored in a local database of the appliance. This can reduce latency.

Action
If the URL belongs to a category on the blocking list, the blocking action is executed. The settings of the action specify that a block message is sent to the user who requested the URL and is affected by the blocking action.

Process flow
The blocking action also stops the filtering process completely. When the request for the URL is received on the appliance, it is processed in the request cycle. Since the request is not forwarded to a web server, no response needs to be processed and looking for embedded objects that might have been sent with a request is also not needed because the request is blocked anyway. Processing can therefore be stopped completely. It continues when the next request is received on the appliance.


Block if virus was found (Sample rule)


This rule is included in the Gateway AntiMalware library rule set. The rule set is processed by default in all three cycles of the filtering process. There is no particular criteria for processing it; it is Always processed.

Rule Name: Block if virus was found
Criteria: Antimalware.Infected<Gateway AntiMalware> equals true
Action: Block<VirusFound>

In plain text, the rule could be rendered as follows: If a web object is infected, block it.

Purpose of the rule
This is a key rule of the filtering process on the appliance. It blocks access to web objects that are infected by viruses or other malware. It blocks this access in all cycles of the process. Whether an infected object is sent by a web server in response to a user request, or a user requests to upload an infected object from your network to the web, or an infected object is sent embedded with a request or response, all these attempts are blocked by the rule.

Property and criteria
The property used in the rule is Antimalware.Infected, which means infected by a virus or other malware. To detect an infection in a web object, a special module is needed, the Antivirus module (or engine). Settings for the modules are specified with the property.

Action
The blocking action that is executed if an infected object is detected affects the user who sent a request for access to the object. The action settings therefore specify that a message is sent to inform the user, in the same way as it is done when a request is blocked by a URL filtering rule.

Process flow
Like in URL filtering, the blocking action of the virus and malware filtering rule stops the filtering process completely. When the next request is received on the appliance, the process continues.
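The three sample rules above can be modelled as a small rule engine to show how Stop Cycle and Block differ, and why the position and the cycles of a whitelist rule set decide whether whitelisted traffic still reaches the malware rule. This is an added example, not McAfee code: the class names, host names and category lookups are constructed, and the model assumes the first matching rule in a cycle decides the outcome.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for list contents and module lookups.
GLOBAL_WHITELIST = {"partner.example"}
CATEGORY_BLACKLIST = {"Drugs", "Online Shopping"}
URL_CATEGORIES = {                       # what a category lookup would deliver
    "shop.example": {"Online Shopping"},
    "partner.example": {"Online Shopping", "Business"},
    "news.example": {"News"},
}
ALL_CYCLES = ("request", "response", "embedded")


@dataclass
class Transaction:
    host: str
    infected_cycles: set = field(default_factory=set)  # cycles carrying an infected object
    has_embedded_object: bool = False


@dataclass
class Rule:
    name: str
    criteria: object   # callable(tx, cycle) -> bool
    action: str        # "Stop Cycle" or "Block"


@dataclass
class RuleSet:
    name: str
    cycles: tuple      # the "Applies to" cycles of the rule set
    rules: list


def whitelist_rule_set(cycles=ALL_CYCLES):
    """Global Whitelist rule set; by default it applies to all three cycles."""
    return RuleSet("Global Whitelist", cycles, [
        Rule("Do not filter URLs in GlobalWhitelist",
             lambda tx, cycle: tx.host in GLOBAL_WHITELIST, "Stop Cycle")])


URL_FILTERING = RuleSet("URL Filtering", ("request",), [
    Rule("Block URLs whose category is in Category Blacklist",
         lambda tx, cycle: bool(URL_CATEGORIES.get(tx.host, set()) & CATEGORY_BLACKLIST),
         "Block")])

ANTIMALWARE = RuleSet("Gateway AntiMalware", ALL_CYCLES, [
    Rule("Block if virus was found",
         lambda tx, cycle: cycle in tx.infected_cycles, "Block")])


def process_cycle(rule_sets, cycle, tx):
    """Return (outcome, rule name) for one cycle."""
    for rule_set in rule_sets:
        if cycle not in rule_set.cycles:
            continue                      # rule set does not apply to this cycle
        for rule in rule_set.rules:
            if rule.criteria(tx, cycle):
                return rule.action, rule.name
    return "Allowed", None


def filter_transaction(rule_sets, tx):
    """Run the cycles in order and return the trace [(cycle, outcome, rule), ...]."""
    cycles = ["request"]
    if tx.has_embedded_object:
        cycles.append("embedded")
    cycles.append("response")
    trace = []
    for cycle in cycles:
        outcome, rule = process_cycle(rule_sets, cycle, tx)
        trace.append((cycle, outcome, rule))
        if outcome == "Block":            # Block stops the filtering process completely
            break
        # Stop Cycle ends only the current cycle; the next cycle still starts
    return trace


def delivered(trace):
    """True if no cycle blocked the transaction."""
    return all(outcome != "Block" for _, outcome, _ in trace)


if __name__ == "__main__":
    infected = Transaction("partner.example", infected_cycles={"response"})
    layouts = {
        "whitelist first, all cycles": [whitelist_rule_set(), URL_FILTERING, ANTIMALWARE],
        "whitelist first, requests only": [whitelist_rule_set(("request",)),
                                           URL_FILTERING, ANTIMALWARE],
        "whitelist last": [URL_FILTERING, ANTIMALWARE, whitelist_rule_set()],
    }
    for label, rule_sets in layouts.items():
        print(label, "->", filter_transaction(rule_sets, infected))
```

In this model a whitelist rule set that applies to all three cycles lets an infected response from a whitelisted host through, while the same rule set limited to requests leaves the response cycle to the malware rule.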


Rule set configuration


Rule sets are the building blocks of your web security policy. This section tells you how to add rule sets to your configuration by importing them from the rule set library. It also explains step by step how you create a rule set on your own.

Import a rule set


The rule set library provides complete rule sets, which you can import if a particular function is missing in your implemented rule set system or the implemented rule sets do not suit your requirements. Complete the following procedure to import a rule set from the library:
1 Go to Policy | Rule Sets.
2 On the rule set tree, navigate to the position where you want to insert the new rule set.
3 From the Add drop-down menu, select Rule Set from Library. A window with a list of the library rule sets opens.
4 Select the rule set you want to import, for example, the Gateway Anti Malware rule set. If conflicts arise when importing this rule set, they are displayed in the window.
Note: Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist in an appliance configuration.
5 Use one of the following methods to solve conflicts:
- Click Auto-Solve Conflicts and choose one of the following strategies for all conflicts:
  - Solve by referring to the existing objects: If rules of the imported rule set refer to objects existing in the appliance configuration under the same names, references are made to apply to these existing objects.
  - Solve by copying and renaming to suggested: If rules of the imported rule set refer to objects existing in the appliance configuration under the same names, these objects are also used, but are renamed, so as to avoid conflicts.
- Click the listed conflicts one after another and solve them individually by choosing either of the two above strategies each time.
6 Click OK. The rule set is inserted in the rule sets tree. It is enabled by default.
Note: Together with the rule set, lists and settings can be implemented in your configuration. The rules of the rule set need these items to make decisions on blocking and other actions.
7 If necessary, use the blue arrows above the Rule Sets tree to move the rule set to where you want it to be.
8 Click Save Changes.


Add a new rule set


You can also create rule sets of your own to add them to the appliance configuration. Complete this procedure to add a new rule set:
1 Go to Policy | Rule Sets.
2 On the rule set tree, navigate to the position where you want to insert the new rule set.
3 Click Add above the rule set tree. A drop-down menu opens.
4 Select Rule Set. The Add New Rule Set window opens.

Figure 4-12 Add New Rule Set window

5 Configure the following general settings for the rule set:
- Name: Name of the rule
- Enable: When selected, the rule set is enabled
- [Optional] Comment: Plain-text comment on the rule set
6 In the Applies to section, configure the processing cycles. You can select only one cycle, or any combination of these three:
- Requests: The rule set is processed when requests from the users of your network are received on the appliance.
- Responses: The rule set is processed when responses from web servers are received.
- Embedded objects: The rule set is processed for embedded objects sent with requests and responses.
7 In the Apply this rule set section, configure when the rule set is applied:
- Always: The rule set is always applied.
- If the following criteria is matched: The rule set is applied if the criteria configured below is matched.


8 In the Criteria section, click Add. The Add Criteria window opens.

Figure 4-13 Add Criteria window (with property selected)

9 In the Property area, use the following items to configure a property:
- Property: List for selecting a property (property types shown in brackets)
- Search: Opens the Property Search window to let you search for a property.
- Parameter: Opens the Property Parameters window for adding up to three parameters, see Step 10.
  Note: The icon is grayed out if the property has no parameters.
- Settings: List for selecting the settings of the module that delivers a value for the property (module names shown in brackets).
  Note: The icon is grayed out if no settings are required for the property and (not needed) is added.
- Add: Opens the Add Settings window for adding new settings to the list.
- Edit: Opens the Edit Settings window for editing the selected settings.
If no parameters need to be configured for the property, click OK and continue with Step 11.
10 [Conditional] To add property parameters:
a Click Parameter. The Property Parameters window opens.
b Add as many parameters as needed. A parameter can be a:
- Value (String, Boolean, or numerical): Configure it in the Value area. Then click OK.
- Property: Follow the instructions for configuring properties, beginning with Step 4.
11 From the Operator list, select an operator.
12 In the Parameter area, add a parameter (also known as operand). This can be a:
- Value (String, Boolean, or numerical): Configure it in the Value area.
- Property: Follow the instructions for editing properties, beginning with Step 4.
13 Click OK to close the Add Criteria window.
14 [Optional] Select the Permissions tab and configure who is allowed to access the new rule set.
15 Click OK to close the Add New Rule Set window. The rule set is inserted in your rule set system.
16 Click Save Changes.

For more information, see Access restrictions.


List maintenance
Web security rules use lists, such as whitelists and blocking lists, for retrieving information on web objects and users. This section tells you how to maintain these lists. There are several ways to access a list:
- Lists tab: Select the Lists tab and navigate to a list.
- Rule Sets tab: Select the Rule Sets tab and click a list name in a rule name or rule criteria.
- Search function: Click the Search button and use the Search objects function for lists.

Lists tab
Use the Lists tab to maintain lists on the appliance. It is selected from the Policy top-level menu.

Figure 4-14 Lists tab

The main elements of the tab are:
- Lists toolbar: Items for working with the lists on the Lists tree
- Lists tree: Tree structure displaying the lists of the appliance configuration
- List entries toolbar: Items for working with list entries
- List entries: Entries of the currently selected list


The Lists toolbar provides the following options:


Table 4-8 Lists toolbar
Option        Definition
Add           Opens the Add List window for adding a list.
Edit          Opens the Edit List window for editing a selected list.
Delete        Deletes a selected list. A window opens to let you confirm the deletion.
View          Opens a menu to let you display the lists in different ways (A-Z, Z-A, by list type, with or without list types for which currently no lists exist)
Expand all    Expands all collapsed items on the Lists tree.
Collapse all  Lets all expanded items on the Lists tree collapse.

The List entries toolbar provides these options:


Table 4-9 List entries toolbar
Option        Definition
Add           Opens the Add <List type> window for adding a list entry, for example, the Add Regex window.
Add multiple  Opens the Add <List type> window for adding multiple list entries when this is possible for a list type.
Edit          Opens the Edit <List type> window for editing a selected list entry, for example, the Edit String window.
Delete        Deletes a selected list entry. A window opens to let you confirm the deletion.
Move up       Moves an entry up the list.
Move down     Moves an entry down the list.
Filter        Input field for typing a filtering term to display only matching list entries. Note: The filtering function works as soon as you type a character in the field.

List types
The following types of lists exist on the appliance:
- Custom lists: These lists can be modified by you. They are displayed on the upper branch of the Lists tree on the Lists tab. Custom lists include string, number, category, and other types of lists. Different list types can require different methods of maintaining them.
- System lists: These lists cannot be modified. They are displayed on the lower branch of the Lists tree on the Lists tab. System lists include category and media type lists.
- Inline lists: These lists can also be modified, but they do not appear on the Lists tab. They appear inline as part of the settings of a configuration item, for example, as part of the settings of a network protocol.


Add a list
Complete the following procedure to add a list to the appliance configuration:
1 Go to Policy | Lists.
2 On the Lists tree, go to the position where you want to add the list.
3 Click Add on the toolbar. The Add List window opens, with the Add List tab selected.
4 Use the following items to configure general settings for the list:
- Name: Name of the list
- Comment: [Optional] Plain-text comments on the list
- Type: List for selecting a list type
5 [Optional] Select the Permissions tab and configure who is allowed to view the list and edit it.
6 Click OK. The Add List window closes and the new list appears on the Lists tree.
7 Click Save Changes.

You can now fill the list with entries. For more information, see Access restrictions and Add list entries.

Add list entries


Complete the following procedure to add entries to a list:
1 Go to Policy | Lists.
2 From the Lists tree, select the list you want to add entries to.
3 Click Add on the settings pane. The Add <List type> window opens, for example, the Add String window.
Note: How an entry can be added to a list depends on the list type. For example, if the type is String, you can add entries by typing strings in the String field of the Add String window. If the type is MediaType, you need to select an entry from a media type folder, which is part of a system of folders. For the String and Wildcard Expression types, there is the option to add multiple entries in one go by clicking Add multiple and typing text for each entry in a new line. For wildcard expressions, there is also an option to test an expression by using the Test button in the corresponding window.
4 Add an entry in the way it is done for a particular type.
5 [Optional] In the Comment field, type a plain-text comment on the list entry.
6 Click OK. The Add <List type> window closes and the entry is added to the list.
7 For more entries, repeat steps 3 to 6 as often as needed.
8 Click Save Changes.

For more information on handling wildcard expressions, see Wildcard expressions.


Inline lists
Inline lists do not appear on the Lists tab; they appear inline as a part of the settings for a configuration item on the settings pane. Their handling does not differ much from that of normal custom lists. This section gives an example of an inline list and shows you how to work with it.

Sample inline list


The list of port forwarding rules contains rules for directing web traffic from one host to another. It appears after clicking Port Forwarding on the Appliances tab of the Configuration top-level menu. On a toolbar, items are provided for working with the list. Other inline lists provide the same items (some do not provide all of them). The subject matter involved when working with these items varies, but the way of handling them is the same for all inline lists.

Work with a sample inline list


Complete the following procedure to work with the Port Forwarding Rules list:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure settings for and select Port Forwarding. The list of port forwarding rules appears on the settings pane.
3 Use the items on the toolbar to configure port forwarding rules as needed.

Table 5 Port Forwarding Rules list
Option     Definition
Add        Opens the AddAppliancePortForwarding window for adding a list entry.
Edit       Opens the EditAppliancePortForwarding window for editing a selected list entry.
Delete     Deletes a selected list entry. A window opens to let you confirm the deletion.
Move up    Moves an entry up the list.
Move down  Moves an entry down the list.
Filter     Input field for typing a filtering term to display only matching list entries. Note: The filtering function works as soon as you type a character in the field.

When adding or editing the rules in the port forwarding inline list, you need to know the meanings of the elements that a rule can have. They are described in the table below, which you also find in the section on port forwarding in the System Configuration chapter of this guide. Corresponding tables are provided in sections on other functions when their configuration involves the use of an inline list.

Table 6 Port Forwarding Rules list
Option            Definition
Source Host       IP address of the host that is the source of web traffic in a port forwarding rule.
Source Port       Port used on this host for outgoing web traffic.
Destination Host  IP address of the host that web traffic from the source host should be directed to.
Destination Port  Port used on this host for web traffic coming in from the source host and port.
Comment           Plain-text comment on the port forwarding rule

4 Click Save Changes.


Action and engine settings


Web security rules rely on special modules (also known as engines) to deliver information they need to know before triggering actions. Settings determine the way these modules retrieve the information and the actions are executed. This section tells you how to configure these settings.

Settings tab
Use the Settings tab to configure actions and engines on the appliance. It is selected from the Policy top-level menu.

Figure 4-15 Settings tab

The main elements of the tab are:
- Settings toolbar: Items for working with the actions and engines on the Settings tree
- Settings tree: Tree structure displaying actions and engines of the appliance configuration
- Settings: Settings of the currently selected item on the Settings tree

The Settings toolbar provides the following options:

Table 4-1 Settings toolbar
Option        Definition
Add           Opens the Add Settings window for adding a setting.
Edit          Opens the Edit Settings window for editing a selected setting.
Delete        Deletes a selected setting. A window opens to let you confirm the deletion.
Expand all    Expands all collapsed items on the Settings tree.
Collapse all  Lets all expanded items on the Settings tree collapse.


Types of settings
Two types of settings can be configured on the Settings tab of the user interface:

- Action settings: Settings for the actions that rules execute, for example, Block or Authenticate. These settings are mainly configured for specifying the user messages that are sent when actions affect users. Actions that do not affect users have no settings, for example, Continue or Stop Rule Set. You can access these settings on the upper branch of the Settings tree on the tab.
  Note: When settings of this type are described in this guide, the section title always contains the words action settings, for example, Authenticate action settings.

- Engine settings: Settings for the modules (or: engines) that retrieve information for rules. For example, the TrustedSource engine retrieves information to deliver values for the URL.Categories property in URL filtering rules. You can access these settings on the lower branch of the Settings tree on the tab.
  Note: When settings of this type are described in this guide, the section title always contains the words engine settings, for example, Antimalware engine settings.

A third type of settings is not configured on the Settings tab:

- System settings: Settings of the appliance system, for example, network interface settings or domain name server settings. You can access these settings on the Appliances tab of the Configuration top-level menu.
  Note: When settings of this type are described in this guide, the section title always contains the words system settings, for example, DNS system settings.

For more information on action and system settings, see User messages and System Configuration. For more information on engine settings, see the sections on functions with rules using these engines, for example, Virus and malware filtering.

Add settings
When adding settings to the appliance configuration, you do not create them completely new, but use existing settings that you give a new name and modify as needed. Complete the following procedure to add settings:
1 Go to Policy | Settings.
2 From the Actions or Engines branch of the Settings tree, select the settings you want to use as the starting point for creating new settings.
3 Click Add above the Settings tree. The Add Settings window opens with an empty name field and the values of the selected settings in the other fields.
Note: If you want to select not these, but other settings, you can also do this in the window. The Settings for pane provides a list of settings to choose from.
4 In the Name field, type a name for the new settings.
5 [Optional] In the Comment field, type a plain-text comment on the settings.
6 Modify the existing values of the settings as needed.
7 [Optional] Select the Permissions tab and configure who is allowed to view the settings and edit them.
8 Click OK and then Save Changes.


Access restrictions
When you add or edit a new list, new settings, or a new rule set to your configuration, you can restrict access to them for users and roles. Complete the following procedure to restrict access for a newly added item:
1 Go to Policy | Lists (or Rule Sets).
2 On the tree structure, go to the position where you want to add the new item.
3 Click Add above the tree structure. The adding window opens.
4 Complete the steps for adding a new item. Then select the Permissions tab. Three modes of access can be configured: Read and Write, Read, and No Access.
5 Click Add under the Read and Write pane. The Add Role or User window opens.
6 Select a role or a user (or more than one of each type at once) from the list in the corresponding pane. Or type a wildcard expression as name of a role or user in the Wildcard field.
7 Add as many entries to the Read and Write list as needed. Use the Delete button under the pane to delete entries.
8 Fill the Read and No Access panes in the same way.
9 Use the radio buttons under All others have to configure access for all roles and users that are not included in one of the lists on the tab.
10 Click OK and then Save Changes.


Authentication and Account Management

Contents
- Filtering users
- Database authentication
- Cookie authentication
- Quotas and coaching
- Administrator accounts

Filtering users
Users can be filtered on the appliance, which means you can allow web access only for those who are able to authenticate. Administrators need to have accounts with roles and privileges. This gives you control over who is active in your network. The sections of this chapter explain how to configure the authentication process, for example, by joining the appliance to a Windows domain to retrieve user information, or by using an LDAP or a RADIUS server, or a database on another server. They also explain how to guide users by configuring quotas for their web usage and coaching them. And they tell you how to set up accounts and roles for administrators and grant them privileges.

Administering authentication and accounts


This section provides an overview of activities for administering authentication and administrator accounts. By default, authentication is not implemented on the appliance after the initial setup. If you do not want to implement it, you need not complete any of the activities related to authentication. Similarly, you might be the only administrator of the appliance, and as one administrator account is provided by default after the initial setup, you might not need to set up more. If you have implemented authentication or take over administration of an appliance where it is implemented, begin with the following step:
- Review the implemented authentication rules: Go through the authentication rule sets and look at rules, lists, and settings to see if you want to keep or modify them.
- Configure an authentication method: You can configure a method, such as NTLM or LDAP, to retrieve information for authenticating users. Another option is to set cookies for authenticated users, who then need not authenticate again at the following requests.
- Adapt authentication messages sent to users: When an authentication rule triggers an action, a message is sent to inform the user about what the appliance did or expects the user to do, for example, submit credentials for authentication. Templates are available for these messages, which you can adapt by editing their text or in other ways.


- Configure quotas and coaching: To restrict web usage for the users of your network, you can configure time and volume quotas and coach their web access. Overriding quotas is possible if users authenticate.
- Manage administrator accounts: You can set up accounts for administrators in addition to the one that exists after the initial setup. A role concept allows you to create roles and grant different access privileges to each of them. For example, you can let an administrator only view the dashboard or access lists, but not rules, and so on.

For general information on filtering rules and user messages, see Rules and Rule Sets and User messages. For more information on user filtering, see Database authentication, Cookie authentication, Quotas and coaching, and Administrator accounts.

Authentication process on the appliance


This section explains what happens on the appliance during the authentication process. Understanding this process should help you when you begin to configure authentication according to your own requirements.

Authentication usually takes place in the request cycle of the filtering process. When users send requests to the web, for example, to view a web page or download a file, the appliance intercepts these requests and considers whether to block or allow them. There can be many reasons for not allowing a request, for example, the URL of a requested website could be on a blocking list.

However, authentication usually does not look at the requested object, it looks at the user. Can information be found in a directory or database to prove that the user can be trusted? If yes, the user is authenticated. This is what the authentication rules of the appliance check.

A special authentication module retrieves user information and passes it on to these rules to let them trigger actions, like asking an unauthenticated user to authenticate or forwarding a request of an authenticated user to further filtering. The methods the authentication module uses to retrieve the user information can be configured under its settings.

Looking at the user need not be the only thing that happens in the authentication process. The rules for this process can also include the checking of web objects. Then authentication can also happen in the response cycle. For example, a rule might specify that when a web object is sent from the web in response to a request, a user must authenticate to be allowed access to the object.


Process flow for authenticating a user


When a user sends a request to the web, the appliance intercepts it and begins processing the implemented rules. If these include authentication rules, the request is also checked by them. To trigger an action, an authentication rule needs to know whether the user who sent the request is authenticated. The authentication module retrieves user information and tells the rule about its findings. If the module has found that the user is not authenticated, the process flow is as follows:

User is authenticated? No.
> The user is informed that authentication is required and asked to provide credentials for authenticating.
> Processing of requests stops. The appliance waits until the next request is sent.

When the user sends an authentication request including credentials, all implemented rules of the request cycle are processed again. When it comes to processing the authentication rules, the credentials are checked to see if they are sufficient to authenticate the user. If this is the case, the process continues as follows:

User is authenticated? Yes.
> Processing continues with the next rules in the request cycle.
> If not blocked by any of these, the request is passed on to the appropriate web server.

The authentication process uses the elements of an authentication rule in different ways. The rule criteria is processed to find out whether a user is already authenticated. The rule action eventually requests the user to authenticate.


Sample authentication rule


In the following, an example of an authentication rule is explained. This rule is included in a rule set of the appliance library. It is shown in a notation that comes close to how the rule appears on the user interface. Name Authenticate with User Database Criteria Authentication.Authenticate<User Database> equals false In plain text, this rule could be rephrased as follows: If the user has not yet been authenticated (through information from the user database), ask this user to submit credentials for authentication. Criteria and action The structure of the rule is the same as for all other rules on the appliance. It has two main elements, the criteria and the action. If the criteria is matched, the action is taken. The user is not authenticated if this is matched, the Authenticate action is taken. The criteria has three elements: Property Authentication.Authenticate<User Database> Operator equals Value of the property false > Action Authenticate<Default>

The meaning of the Authentication.Authenticate property could be rendered as having been authenticated. The criteria could then be rephrased as follows: Having been authenticated is false (for the user who sent the request).

Property
A property is something related to a web object or a user. In this rule, having been authenticated is a property of the user who sent a request. Property names usually have two or more parts. For the Authentication.Authenticate property, the Authentication part indicates that the property has something to do with authentication in general. The Authenticate part denotes a particular aspect of authentication, like having been authenticated.

Settings
The sample rule also contains two terms in angle brackets: <User Database> and <Default>. Terms in angle brackets are always settings in rules on the appliance.

The <User Database> settings appear next to the property Authentication.Authenticate. They are the settings of the module that this property relies on for being assigned a value. The authentication module retrieves information from a database to let the rule know that Authentication.Authenticate (being authenticated) has the value false for a given user. The module settings are <User Database> in this rule, which means the module is to retrieve user information from the local user database.

The rule action, which is Authenticate, has <Default> as its settings. Settings of an action are mainly for specifying a particular message that is sent to users who are affected by the action.


Database authentication
Different methods can be configured on the appliance for authenticating users. Each of them retrieves the information needed for this authentication in a different way. This section explains how to configure the following methods:

NTLM: Uses a database on a Windows domain server.
NTLM-Agent: Uses an external agent on a Windows-based system for applying the NTLM authentication method.
User database: Uses an internal database on the appliance.
LDAP: Uses a database on an LDAP server.
Novell eDirectory: Uses data from a directory on a server that takes the role of an LDAP server.
RADIUS: Uses a database on a RADIUS server.
Kerberos: Uses a database on a Kerberos server.
Authentication server: Uses a database on another external server.

An authentication rule in a rule set specifies settings for the authentication module. Accordingly, the module uses one of these methods to retrieve user information. So, to configure an authentication method, do the following:

Make sure an authentication rule set is implemented: An authentication rule set is not implemented on the appliance after the initial setup, but you can import one from the appliance library or create a rule set of your own.
Configure settings for the authentication module: The settings of the authentication module include an option for selecting an authentication method. You can configure additional settings to determine the way the module executes the method.

For more information, see Implementation of an authentication rule set and Configure an authentication method.


Implementation of an authentication rule set


An authentication rule set contains rules for controlling the authentication process on the appliance. This section tells you how to implement a rule set by importing it from the library and modifying it in an appropriate way.

Import and modify the library rule set


The rule set library provides the Authenticate and Authorize rule set for implementing authentication on the appliance. This rule set contains a nested rule set for authentication and another nested rule set for authorizing users in allowed user groups. Complete the following procedure to import and modify this rule set:
1 Go to Policy | Rule Sets.
2 On the Rule Sets tree, go to the position where you want to insert the new rule set.
3 From the Add drop-down menu, select Rule Set from Library. A window with a list of the library rule sets opens.
4 Select Authenticate and Authorize.
5 If necessary, use the options that are provided for solving import conflicts.
Note: Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist in an appliance configuration.
6 Click OK. The rule set appears in the rule sets tree.
7 Disable the nested authorization rule set, which is not needed for implementing authentication:
a Go to Policy | Rule Sets and expand the Authenticate and Authorize rule set.
b Select the nested Authorize rule set and deselect Enable on the settings pane.
8 Click Save Changes.

For more information on the rule set and both its nested rule sets, see Authenticate and Authorize library rule set.

Modify the module settings


The authentication rule in the library authentication rule set specifies the User Database method as one of the settings for the authentication module. You can modify this setting and select a different authentication method.
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Authentication and select User Database.

If you want to keep the User Database authentication method, you can still review the other options of the settings and modify them. When you are done, click Save Changes. If you want to use a different method, continue with steps 3 to 5.

3 Under Authentication Method, select a method, for example, NTLM.
4 Configure settings for this method.
5 Click Save Changes.

Note: It is recommended that if you have changed the authentication method, you rename the settings, the authentication rule and the nested rule set, accordingly. For example, rename the settings to NTLM and both the rule and the nested rule set to Authenticate with NTLM.

For more information on the rule set, see Rules and Rule Sets. For the settings, see Configure an authentication method.


Configure an authentication method


The authentication module retrieves information for authenticating users on the appliance. It uses the method that is specified as part of its settings and executes it according to other settings. This section tells you how to configure these settings.
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Authentication and select the settings you want to configure, for example, User Database.
3 Under Authentication Method, keep the method or select a new one. The settings that are specific to a method appear below the Common Authentication Parameters section.
4 Under Common Authentication Parameters, configure settings that are common to all authentication methods. This includes configuring the authentication cache.
5 [Conditional] If you have selected NTLM as the authentication method, configure the appliance as a member of one or more Windows domains.
Note: This is configured on the Appliances tab of the Configuration top-level menu.
6 Click Save Changes.

For more information, see Authentication engine settings and Join the appliance to a Windows domain.

Authentication engine settings


You can configure settings for the Authentication engine. This module handles authentication on the appliance. For example, it retrieves user information from internal or external databases.
Note: These settings are configured on the Engines branch of the Settings tab of the Policy top-level menu.

Authentication Method
Settings for selecting an authentication method

You can select one of the following:
NTLM
NTLM-Agent
User Database
LDAP
Novell eDirectory
RADIUS
Kerberos
Authentication Server

After selecting a method, the settings that are specific to this method appear below the Common Authentication Parameters.
Note: The specific settings are described here after the Common Authentication Parameters, using the above order.


Authentication Test
Settings for testing whether a user with given credentials would be authenticated.

User: User name that is tested
Password: Tested password
Authenticate User: Executes the test.
Test result: Displays the outcome of the test.

Common Authentication Parameters


Settings common to all authentication methods

Proxy Realm: Location of the proxy that receives requests from users who are asked to authenticate
Authentication attempt timeout: Time (in seconds) to elapse before the authentication process terminates if not completed successfully
Use authentication cache: When selected, authentication information is stored in a cache. Authentication is then based on this stored information, rather than on information retrieved from an authentication server or the internal user database.
Authentication cache TTL: Time (in minutes) that authentication information is stored in the cache

NTLM Specific Parameters


Settings for the NTLM authentication method

Default NTLM domain: Name of the default Windows domain used for looking up authentication information
Note: This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu.
Get global groups: When selected, information on global user groups is searched for on the Windows domain server.
Get local groups: When selected, information on local user groups is searched for on the Windows domain server.
Prefix group name with domain name (domain\group): When selected, the name of the Windows domain appears before the name of the user group when authentication information on this group is sent from the domain server.
Enable basic authentication: When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.
Enable integrated authentication: When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.
Enable NTLM cache: When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.
NTLM cache TTL: Time (in minutes) that authentication information is stored in this cache
International text support: Set of characters used by default for a request sent from a client, for example, ISO-8859-1


NTLM-Agent Specific Parameters


Settings for the NTLM-Agent authentication method

Use secure Agent: When selected, the connection used for communicating with the NTLM-Agent is SSL-secured.
Authentication connection timeout in seconds: Time (in seconds) to elapse before the connection to the NTLM-Agent is closed if no activities occur on it
Agent definition: List of agents that are available for performing NTLM authentication

The table below describes the list entries. For information on how to maintain lists, see List maintenance.

Table 5-2 NTLM Agent list
Option    Definition
String    Name of an NTLM agent
Comment   Plain-text comment on the NTLM agent

Default NTLM domain, Get global groups, ...: The remaining parameters have the same usage and meanings as for the NTLM authentication method. For more information, see NTLM Specific Parameters.

User Database Specific Parameters


Settings for the User Database authentication method

Enable basic authentication, Enable integrated authentication, ...: The parameters for the User Database authentication method have the same usage and meaning as the parameters used under the same names for the NTLM authentication method. For more information, see NTLM Specific Parameters.


LDAP Specific Parameters


Settings for the LDAP authentication method

LDAP server(s) to connect to: List of LDAP servers to retrieve authentication information from

The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 6 LDAP server list
Option    Definition
String    Name of an LDAP server
Comment   Plain-text comment on the LDAP server

List of certificate authorities: Lists of certificate authorities for providing certificates when a Secure LDAP (S-LDAP) connection is used for communication with the LDAP server.

The table below describes the list entries. Use the buttons provided here to add and edit entries. For general information on how to maintain lists, see List maintenance.

Table 5-1 Certificate authorities list
Option                        Definition
Certificate                   Name of a certificate
Certificate revocation list   List with information on when the certificate becomes invalid and URI used to access it
Trusted                       Information on whether the certificate is trusted on the appliance
Comment                       Plain-text comment on the certificate

Credentials: User name of the appliance for logging on to the LDAP server
Password: Password for that user name. Clicking Set opens a window for configuring a new password.
International text support: Set of characters used by default for a request sent from a client, for example, ISO-8859-1
Enable LDAP version 3: When selected, version 3 of the LDAP protocol is used.
Allow LDAP library to follow referrals: When selected, the lookup of user information can be redirected from the LDAP server to other servers.
Connection live check: Time (in minutes) to elapse between checks to see whether the connection to the LDAP server is still active
LDAP operation timeout: Time (in seconds) to elapse before the connection to the LDAP server is closed if no communication occurs
Base distinguished name to user objects: Distinguished name (DN) in the directory on the LDAP server where the lookup of user attributes should begin
Map user name to DN: When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server.
Filter expression to locate a user object: Filtering term for restricting the lookup of user attributes. To substitute the user name in the filtering term, u% is used as a variable.
Get user attributes: When selected, user attributes are looked up on the LDAP server to authenticate a user.


User attributes to retrieve: List of user attributes to retrieve from the LDAP server

The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 6 User attributes list
Option    Definition
String    User attribute
Comment   Plain-text comment on the user attribute

Attributes concatenation string: String for separating user attributes found by the lookup, for example, / (slash)
Get groups attributes: When selected, user group attributes are also looked up on the LDAP server to authenticate a user.
Base distinguished name to group objects: Distinguished name (DN) in the directory on the LDAP server where the lookup of group attributes should begin
Filter expression to locate a group object: Filtering term for restricting the lookup of group attributes. To substitute the user name in the filtering term, u% is used as a variable.
Group attributes to retrieve: List of group attributes to retrieve from the LDAP server

The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7 Group attributes list
Option    Definition
String    Group attribute
Comment   Plain-text comment on the group attribute

Attributes concatenation string: String for separating group attributes found in the lookup, for example, / (slash)
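
The user and group filter expressions above both take the user name through the u% variable. The following is an added Python example, not appliance code, of how such an expression expands when the user name is escaped as RFC 4515 requires for filter values; the two filter templates, the sample names and all function names are constructed for illustration.

```python
"""Expand an LDAP filter expression that uses the u% user-name variable."""
import re

PLACEHOLDER = "u%"  # written as in the guide text above

# Constructed filter expressions of the kind the two settings hold.
USER_FILTER = "(&(objectClass=person)(uid=u%))"
GROUP_FILTER = "(memberUid=u%)"

# RFC 4515: these characters must be written as backslash + two hex digits
# when they occur inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with every filter metacharacter escaped."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user_name: str,
                  placeholder: str = PLACEHOLDER) -> str:
    """Substitute the escaped user name for the variable in the template."""
    if placeholder not in template:
        raise ValueError("filter expression has no user-name variable")
    if not user_name:
        raise ValueError("empty user name")
    return template.replace(placeholder, escape_filter_value(user_name))


def filter_shape(ldap_filter: str) -> str:
    """Reduce a filter to its unescaped parentheses and wildcards."""
    without_escapes = re.sub(r"\\[0-9a-fA-F]{2}", "", ldap_filter)
    return "".join(ch for ch in without_escapes if ch in "()*")


def preserves_shape(template: str, user_name: str,
                    placeholder: str = PLACEHOLDER) -> bool:
    """True when the expanded filter has the same structure as the template.

    A user name must only ever fill in the value; it must not add or remove
    parentheses or wildcards from the expression the administrator wrote.
    """
    reference = filter_shape(template.replace(placeholder, "x"))
    expanded = expand_filter(template, user_name, placeholder)
    return filter_shape(expanded) == reference


if __name__ == "__main__":
    # Constructed user names, including ones with filter metacharacters.
    for name in ["j.doe", "Müller (ext)", "a*b\\c"]:
        print(expand_filter(USER_FILTER, name),
              preserves_shape(USER_FILTER, name))
    print(expand_filter(GROUP_FILTER, "j.doe"))
```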


Novell eDirectory Specific Parameters


Settings for the Novell eDirectory authentication method

LDAP server(s) to connect to: List of the eDirectory servers that take the role of LDAP servers to provide authentication information

The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 8 LDAP server list
Option    Definition
String    Name of an LDAP server
Comment   Plain-text comment on the LDAP server

List of certificate authorities, Credentials ...: Other parameters for the Novell eDirectory authentication method have the same usage and meaning as the parameters used under the same names for the LDAP authentication method. In addition to these, you need to configure the following parameters:

eDirectory network address attribute: Name of the attribute that provides the network addresses used for the eDirectory server.
eDirectory network login time attribute: Name of the attribute that provides the login time used on the eDirectory server.
eDirectory network minimal update interval: Time to elapse (in seconds) before information from the eDirectory server is updated.

For more information, see LDAP Specific Parameters.


RADIUS Specific Parameters


Settings for the RADIUS authentication method

RADIUS server definition: List of RADIUS servers that authentication information is retrieved from.

The table below describes the list entries. For information on how to maintain lists, see List maintenance.

Table 9 RADIUS server list
Element   Description
String    Name of a RADIUS server
Comment   Plain-text comment on the RADIUS server

Default domain name: Name of the domain that information is retrieved from if no other domain is specified
Shared secret: Password used by the appliance to get access to the RADIUS server
Radius connection timeout in seconds: Time (in seconds) to elapse before the connection to the RADIUS server is closed if no traffic occurs
International text support: Set of characters used by default for a request sent from a client, for example, ISO-8859-1
Value of attribute with code: Code value for the attribute retrieved with the user group information, according to RFC 2865. For example, 25 is the code for the class attribute.
Vendor specific attribute with vendor ID: Vendor ID for retrieving vendor-related data in the search for user group information. According to RFC 2865, the vendor ID is a part of the vendor attribute, followed by a number of subattributes. Its code value is 26.
Vendor subattribute type: Code value for the type of subattributes included in a vendor attribute, according to RFC 2865. Since not all vendors adhere to this structure, it is recommended to specify 0 as the value here. This allows the authentication module to retrieve all available vendor information.
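
The attribute code, vendor ID and subattribute type settings refer to the attribute layout of RFC 2865. The following added Python example, which is not appliance code, parses a constructed Access-Accept packet and selects values the way those three settings describe; treating subattribute type 0 as "return all vendor data" follows the recommendation above, and the function names and sample packet are assumptions made for illustration.

```python
"""Select group information from RADIUS attributes (RFC 2865 layout)."""
import struct

CLASS = 25            # code of the class attribute, as named in the guide
VENDOR_SPECIFIC = 26  # code of the vendor attribute
HEADER_LEN = 20       # code, identifier, length, 16-byte authenticator
EXAMPLE_VENDOR = 32473  # enterprise number reserved for documentation use


def parse_attributes(packet: bytes):
    """Return [(type, value), ...] for every attribute in a RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def split_vendor_attribute(value: bytes):
    """Split a type-26 value into (vendor_id, [(sub_type, data), ...]).

    The list is None when the vendor data does not follow the
    type/length/value subattribute layout that RFC 2865 recommends.
    """
    if len(value) < 4:
        raise ValueError("vendor attribute without a vendor ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    body, subs, pos = value[4:], [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            return vendor_id, None
        s_type, s_len = body[pos], body[pos + 1]
        if s_len < 2 or pos + s_len > len(body):
            return vendor_id, None
        subs.append((s_type, body[pos + 2:pos + s_len]))
        pos += s_len
    return vendor_id, subs


def group_values(packet, attr_code=CLASS, vendor_id=None, sub_type=0):
    """Collect the values selected by the three settings."""
    values = []
    for a_type, value in parse_attributes(packet):
        if a_type != attr_code:
            continue
        if a_type != VENDOR_SPECIFIC:
            values.append(value)
            continue
        found_vendor, subs = split_vendor_attribute(value)
        if vendor_id is not None and found_vendor != vendor_id:
            continue
        if sub_type == 0:
            values.append(value[4:])  # all vendor data, whatever its layout
        elif subs is not None:
            values.extend(data for s_type, data in subs if s_type == sub_type)
    return values


def attr(a_type: int, value: bytes) -> bytes:
    """Encode one attribute or subattribute as type, length, value."""
    return bytes([a_type, len(value) + 2]) + value


def build_sample_packet() -> bytes:
    """Constructed Access-Accept: one class and two vendor attributes."""
    vendor = struct.pack("!I", EXAMPLE_VENDOR)
    body = b"".join([
        attr(CLASS, b"Engineering"),
        attr(VENDOR_SPECIFIC, vendor + attr(1, b"Admins") + attr(2, b"vpn")),
        attr(VENDOR_SPECIFIC, vendor + b"freeform"),  # no subattribute layout
    ])
    header = struct.pack("!BBH", 2, 1, HEADER_LEN + len(body))
    return header + bytes(16) + body


SAMPLE_PACKET = build_sample_packet()

if __name__ == "__main__":
    print(group_values(SAMPLE_PACKET, CLASS))
    print(group_values(SAMPLE_PACKET, VENDOR_SPECIFIC, EXAMPLE_VENDOR, 1))
    print(group_values(SAMPLE_PACKET, VENDOR_SPECIFIC, EXAMPLE_VENDOR, 0))
```

With subattribute type 1 the vendor attribute that does not follow the recommended layout contributes nothing; with type 0 its data is returned unparsed.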


Kerberos Specific Parameters


The settings that are specific to the Kerberos authentication method are not configured under the settings of the authentication module, but as settings of the appliance system. They can be accessed on the Appliances tab of the Configuration top-level menu under Kerberos Administration. After selecting Kerberos in the Authentication Method section of the Authentication engine settings on the Settings tab, you need to go to the Appliances tab and continue configuration there.
Note: You can also first configure the settings on the Appliances tab and then select Kerberos on the Settings tab.

For more information, see Kerberos Administration system settings.

Kerberos Administration system settings
Settings for the Kerberos authentication method

Key tab file: Input field for entering the file that contains the key required to access the Kerberos server. You can type a file name or use the Browse button to browse to the file and enter it in the field.
Kerberos realm: Location of the Kerberos server
Maximal time difference between appliance and client: Time (in seconds) to elapse between requests and responses in the communication between both

Note: Configuring Kerberos as the authentication method can lead to problems when particular browsers are used for sending requests:
When the Microsoft Internet Explorer is used in a version lower than 7.0, Kerberos authentication might not be possible at all.
When this explorer runs on Windows XP, Kerberos authentication might not work as expected.
When Mozilla Firefox is used, Kerberos authentication must be configured in the browser settings to enable this authentication method.

Authentication Server Specific Parameters


Settings for the Authentication Server method

Authentication server URL: URL of the server used under this method to look up authentication information
Require client ID: When selected, the authentication server requires the ID of the client that a user sent a request from.
Store authentication result in a cookie: When selected, the information retrieved from the authentication server is stored in a cookie. If cookie authentication is implemented, the cookie is added to the next request sent by the respective user, so that this user need not authenticate again.
Allow persistent cookie for the server: When selected, a cookie can be used persistently for sending multiple requests to the authentication server.
Cookie TTL for the authentication server in seconds: Time (in seconds) that a cookie sent with a request to the server is stored
Cookie prefix: Prefix provided by the appliance for a cookie, for example, MWG_Auth.


Join the appliance to a Windows domain


When you use the NTLM authentication method, you need to join the appliance to a Windows domain to let the authentication module retrieve user information stored on the domain server. The appliance can be joined to more than one domain. Complete the following procedure to join the appliance to a Windows domain:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to join and select Windows Domain Membership. A list of domains appears on the settings pane. It is initially empty.
3 Click Join to enter a domain into the list. The Join domain window opens.
4 Configure a domain name, a domain controller, and other settings in the window.
5 Click OK. The window closes and the new domain appears in the list. The appliance is now a member of this domain.
Note: Repeat steps 3 to 5 to add multiple domains.
6 Use the other icons on the toolbar to work with the list:
Modify: Opens a window to let you modify a domain entry.
Leave: Removes a domain from the list and lets the appliance leave this domain.
Filter: Lets you enter a filtering term to display only domains with matching names.
Refresh: Refreshes the list.

For more information, see Join the appliance to a Windows domain and Configure an authentication method.


Windows Domain Membership system settings


The Windows Domain Membership system settings must be configured when joining an appliance to a Windows domain or modifying its membership in a domain. They provide a list of the domains that the appliance is a member of.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Join Domain window


The Join Domain window provides options for configuring the Windows domains that the appliance is a member of. The table below describes the window.
Table 5-1 Join Domain window
Option                            Definition
Windows domain name               Name of the domain
McAfee Web Gateway account name   Name of the account for an appliance
Overwrite existing account        When selected.
Use NTLM version 2                When selected.
Administrator name                Is used with a password when the appliance is joined to the domain to create an account for it. The credentials are only used for this purpose and not stored.
Password                          For the above administrator

List of Windows domains


List of all Windows domains the appliance is a member of

The list displays the settings of a domain as configured by you in the Join Domain window. In addition to these settings, the following is shown:
Status: Status of the domain.


Authenticate and Authorize library rule set


The Authenticate and Authorize library rule set handles authentication and allows only whitelisted users access.
Library rule set: Authenticate and Authorize
Criteria: Connection.Protocol equals HTTP OR Connection.Protocol equals HTTPS
Cycle: Requests (and IM)

The following rule sets are nested in this rule set:
Authenticate with User Database
Authorize

Process flow

Authenticate with User Database library rule set


The Authenticate with User Database library rule set asks unauthenticated users to authenticate. Its authentication method is retrieving information from the internal user database.
Nested library rule set: Authenticate with user database
Criteria: Command.Name equals CONNECT
Cycle: Requests (and IM)

The rule set contains the following rule:

Authenticate with User Database
Authentication.Authenticate<User Database> equals false > Authenticate<Default>

The rule uses the Authentication.Authenticate property to check whether a user who sends a request is authenticated. Settings that have the internal user database configured as the authentication method are specified with the property. If a user has not been authenticated by information from the internal database, the rule applies. Processing stops and the user is asked to authenticate. Processing continues when the next request is received, which can be an authentication request by the same user.

Authorize library rule set


The Authorize library rule set allows only requests from whitelisted users.
Nested library rule set: Authorize
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rule:

Only allow users of Allowed User Groups
Authentication.Attributes none in list Allowed User Groups > Block<AuthorizedOnly>

The rule uses the Authentication.Attributes property to allow access only to users who are members of a group on the specified whitelist. If a user is not in one of the groups on the list, the rule applies and stops processing of all rules. The request is not passed on to a web server and is blocked this way. The action settings specify that a notification is sent to the requesting user. Processing continues when the next request is received.
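
The process flow and the two library rules described in this chapter can be modelled as follows. This is an added Python example, not appliance code or the product's implementation; the user records, the entries of Allowed User Groups and all function names are constructed for illustration, and rule-set criteria are left out.

```python
"""Model of the Authenticate and Authorize request-cycle flow."""
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed records standing in for the internal user database.
USER_DATABASE = {
    "alice": {"password": "correct horse", "groups": ["Engineering"]},
    "bob": {"password": "hunter2", "groups": ["Contractors"]},
}
ALLOWED_USER_GROUPS = ["Engineering", "Finance"]  # constructed whitelist


@dataclass
class Request:
    url: str
    credentials: Optional[Tuple[str, str]] = None   # (user name, password)
    attributes: list = field(default_factory=list)  # set on authentication


def authentication_authenticate(request: Request, settings: str) -> bool:
    """Value of the Authentication.Authenticate<settings> property.

    The settings in angle brackets tell the module where to look the user
    up; only the User Database method is modelled here.
    """
    if settings != "User Database" or request.credentials is None:
        return False
    user, password = request.credentials
    record = USER_DATABASE.get(user)
    if record is None:
        return False
    if not hmac.compare_digest(record["password"].encode(), password.encode()):
        return False
    request.attributes = list(record["groups"])  # Authentication.Attributes
    return True


def none_in_list(values, allowed) -> bool:
    """The 'none in list' operator of the Authorize rule."""
    return not any(value in allowed for value in values)


# (rule name, criteria, action) in processing order.
RULES = [
    ("Authenticate with User Database",
     lambda r: authentication_authenticate(r, "User Database") is False,
     "Authenticate<Default>"),
    ("Only allow users of Allowed User Groups",
     lambda r: none_in_list(r.attributes, ALLOWED_USER_GROUPS),
     "Block<AuthorizedOnly>"),
]


def process_request_cycle(request: Request):
    """Return (action, matching rule); the first matching rule stops processing."""
    for name, criteria, action in RULES:
        if criteria(request):
            return action, name
    return "Forward", None  # no rule applied: pass on to the web server


if __name__ == "__main__":
    url = "http://www.example.com/"
    # First request carries no credentials: the user is asked to authenticate.
    print(process_request_cycle(Request(url)))
    # Next request carries credentials: all rules are processed again.
    print(process_request_cycle(Request(url, ("alice", "correct horse"))))
    # Authenticated, but in no allowed group: blocked by the Authorize rule.
    print(process_request_cycle(Request(url, ("bob", "hunter2"))))
```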


Cookie authentication
Users can be authenticated using cookies once they have successfully authenticated on the appliance. This section tells you how to configure cookie authentication and describes a library rule set you can use for this purpose. A rule set with appropriate rules must be implemented on the appliance to enable cookie authentication. The rules of this rule set say that a cookie is stored for a successfully authenticated user and what should be done when this user sends another request. Typically, the user then does not need to authenticate again. Like other authentication activities, cookie authentication is handled by the authentication module of the appliance.
Note: The size of a cookie grows with the user information it contains. This can cause a problem for the browser you use to log on to the appliance. The Mozilla Firefox browser version 3.5 or higher does not support cookies bigger than 32 KB. So cookie authentication might not work for a user who is a member of many user groups.

To configure cookie authentication, you need to complete the following activities:

Make sure a cookie rule set is implemented: A cookie authentication rule set is not implemented on the appliance after the initial setup, but you can import one from the appliance library or create a rule set of your own.
Configure settings for the authentication module: When the library cookie rule set is imported, settings for this module are also implemented. These include options to enable cookie authentication and for configuring the time that cookies are stored.

For more information, see Import a rule set, Cookie Authentication library rule set, and Configure settings for cookie authentication.


Configure settings for cookie authentication


You can configure settings for cookie authentication as part of the settings for the authentication module of the appliance. Complete the following procedure to do this:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Authentication and select the settings you want to configure. After importing the cookie authentication rule set from the library, the following settings are available:
Local cookie authentication server: Settings for verifying whether a cookie is valid. The library rules specify the Authentication Server method for this. After selecting these settings, the corresponding section of the authentication module appears on the settings pane.
User database at authentication server: Settings for authenticating users who send requests from clients without cookies. According to the library rules, this authentication uses the User Database method. After selecting these settings, the corresponding section of the authentication module appears on the settings pane.
3 Configure these settings as needed.
4 Click Save Changes.

For more information, see Authentication engine settings.

Cookie Authentication library rule set


The Cookie Authentication library rule set controls cookie authentication.
Library rule set: Cookie Authentication
Criteria: Always
Cycle: Requests (and IM)

The following rule sets are nested in this rule set:
Cookie Authentication at HTTP proxy
  Set Cookie Authentication for Authenticated Clients
  Authenticate Clients with Authentication Server
Cookie Authentication at Authentication Server
  Authentication Server Request


Cookie Authentication at HTTP Proxy library rule set


The Cookie Authentication at HTTP Proxy library rule set handles authentication for requests received under HTTP that do not require authentication on the configured authentication server.
Nested library rule set: Cookie authentication at HTTP proxy
Criteria: Connection.Protocol equals HTTP AND Auth.IsAuthenticationServerRequest equals false
Cycle: Requests (and IM)

The following rule sets are nested in this rule set:
Set Cookie Authentication for Authenticated Clients
Authenticate Clients with Authentication Server

Set Cookie for Authenticated Clients library rule set


The Set Cookie for Authenticated Clients library rule set handles authentication when a request is received from a user who has successfully authenticated.
Nested library rule set: Set cookie for authenticated clients
Criteria: Auth.IsAuthenticationServerLanding equals true
Cycle: Requests (and IM)

The rule set contains the following rule:

Set cookie and redirect client to the requested URL
Always > Redirect<Redirect back from authentication server>

The rule sets a cookie for a client if the user who sent a request from it has successfully authenticated. It also redirects the client. The action settings specify that a redirect message is sent to the user. Processing continues with the next rule set.

Authenticate Clients with Authentication Server library rule set


The Authenticate Clients with Authentication Server library rule set asks users to authenticate if no valid cookie could be found for them and directs them to the authentication server.
Nested library rule set: Authenticate clients with authentication server
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rule:

Redirect clients that do not have valid cookie to the authentication server
Authentication.Authenticate<Local cookie authentication server> equals false > Authenticate<Default>
The rule asks users who have no cookies set on their clients to authenticate. Information for this authentication is retrieved from the configured authentication server. The settings for the module that verifies whether a cookie is set are specified with the property. The action settings specify the authentication message that is sent to the user. Processing continues with the next rule set.


Cookie Authentication at Authentication Server library rule set


The Cookie Authentication at Authentication Server library rule set handles authentication when users send requests to authenticate on the configured authentication server.
Nested library rule set: Cookie authentication at authentication server
Criteria: Always
Cycle: Requests (and IM)

The following rule set is nested in this rule set: Authentication Server Request.

Authentication Server Request library rule set


The Authentication Server Request library rule set handles authentication when users send requests to authenticate on the configured authentication server.
Nested library rule set: Authentication server request
Criteria: Auth.IsServerRequest equals true
Cycle: Requests (and IM)

The rule set contains the following rules:

Do not authenticate clients that have valid cookies
Auth.Authenticate<Local cookie authentication server> equals true > Redirect<Redirect back from authentication server>
The rule lets authentication be skipped when a user sends a request from a client with a valid cookie. It redirects the client to the requested URL. The settings for the module that verifies the cookies are specified with the property. The action settings specify that a redirect message is sent to the user.

Authenticate against user database
Auth.Authenticate<User database at authentication server> equals false > Authenticate<Default>
The rule asks a user who is not yet authenticated under the configured method to authenticate. The settings for the module that checks whether the user is authenticated are specified with the property. The action settings specify that an authentication message is sent to the user.

Redirect authenticated client to the proxy
Always > Redirect<Redirect back from authentication server>
The rule redirects the client that a user sent a request from. The action settings specify that a redirect message is sent to the user.


Quotas and coaching


Web usage can be restricted on the appliance by configuring time and volume quotas for users. Through an authorized override, users are allowed to continue their sessions when quota limits are reached. User coaching asks users to confirm before they access a web object. This section explains how you can implement and configure these functions.

Quota and coaching measures are taken on the appliance according to rules. By default, no such rules are implemented after the initial setup, but you can import appropriate rule sets from the library.

Module settings and lists for quotas and coaching are imported with these rule sets. The settings include, for example, the time or number of bytes allowed by a quota or the time allowed for a coached session. A quota list is, for example, a list of users who are no longer allowed web usage when the configured time quota has expired.

You can guide the users of your network by quotas and coaching as follows:
- Time and volume quotas: Allow users web usage for a configured amount of time or number of bytes within a given period of time. When the quota limits are reached, user requests are blocked.
- Authorized override: Allows users to override and continue with a new session when the quota is exceeded for a given session, but overall quota time is still left. Users must authenticate before being allowed to override.
- Coaching: Displays a coaching page when a user requests access to a web object. It is then the user's responsibility whether to access the object or not.

For more information, see Quota and coaching modes and Configure quotas and coaching.

Quota and coaching modes


You can configure quotas and coaching for the users of your network based on user names, IP addresses, media types, and URLs.

For example, time quotas based on user names block a request sent by a user if:
- The configured time quota is exceeded AND
- The user name of the requesting user is on a quota list.

Similarly, time quotas based on IP addresses block a request if:
- The configured time quota is exceeded AND
- The IP address of the client that the request was sent from is on a quota list.

Time quotas based on URLs block a request if:
- The configured time quota is exceeded AND
- The requested URL is on a quota list.

The same applies for volume quotas and when users are guided by coaching or are allowed authorized overrides. For example, a user is coached upon sending a request if:
- The user or the IP address of the request or the requested URL is on a coaching list.


An option for using media types is provided when responses are processed and the volume quota is checked. A response is then blocked if:

The configured volume quota is exceeded AND The media type sent in response is on a quota list.

Configure quotas and coaching


You can configure quotas and coaching to guide and restrict the web usage of your users.
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Coaching, Time Quota, Volume Quota, or Authorized Override, according to what you want to configure.
3 Configure the respective settings as needed:
  - Coaching: Length of the coached session time
  - Time quota: Time length of the quotas
  - Volume quota: Number of bytes for the quotas
  - Authorized Override: Time length for sessions that allow users an authorized override
4 Click Save Changes.

For more information on these settings, see Coaching engine settings, Time Quota engine settings, Volume Quota engine settings, and Authorized override engine settings.

Coaching engine settings


You can configure the Coaching engine settings. These are the settings of the module that handles the coaching of users.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Hours and Minutes of Session Time


Settings for the time length of coached sessions
- Days (Hours, Minutes): Of a session

Time Quota engine settings


You can configure the Time Quota engine settings. These are the settings of the module that handles time quotas to limit the web usage of your users.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Time Quota per Day, Week, Month, and Session Time


Settings for selecting the time mode used to configure the quotas. When a time mode is selected, appropriate settings appear in the section below.
- Time quota per day (week, month): When selected, the quota is configured as allowed time per day, week, or month.
- Session time: When selected, the quota is configured as length of a session time.


Hours and Minutes for Time Quota per Day (Week, Month, or Session Time)
Settings to configure time for the quota according to the selected mode
- Hours: Allowed hours per day, week, month, or session
- Minutes: Allowed minutes per day, week, month, or session

Actual Configured Time Quota


Displays what the configured time quota amounts to for all time units. For example, 2 hours and 20 minutes configured as allowed time for a week equals 20 minutes each day.
- Time quota per day (week, month): Allowed time per day, week, or month
- Session time per day: Allowed time for a session per day

Volume Quota engine settings


You can configure the Volume Quota engine settings. These are the settings of the module that handles volume quotas to limit the web usage of your users.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Volume Quota per Day, Week, Month, and Session Time


Settings for selecting the time mode used to configure volume quotas. When a time mode is selected, appropriate settings appear in the section below.
- Volume quota per day (week, month): When selected, the quota is configured as allowed volume per day, week, or month.
- Session time: When selected, the quota is configured as volume allowed per session.

Hours and Minutes for Volume Quota per Day (Week, Month, or Session Time)
Settings to configure the volume quotas according to the selected mode
- Hours: Allowed hours per day, week, month, or session
- Minutes: Allowed minutes per day, week, month, or session

Actual Configured Volume Quota


Displays what the configured volume quota amounts to for all time units. For example, 35 GB configured as allowed volume for a week amounts to 5 GB each day.
- Time quota per day (week, month): Allowed volume per day, week, or month
- Session time per day: Allowed volume for a session per day


Authorized override engine settings


You can configure the Authorized Override engine settings. These are the settings of the module that handles authorized overrides. These allow users to continue their sessions when quota limits are reached.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Hours and Minutes of Session Time


Settings for the time length of sessions that allow users an authorized override
- Days: For a session
- Hours: For a session
- Minutes: For a session

Quota and coaching lists


When guiding users by quotas and coaching, you can maintain lists of users, IP addresses, media types, and URL categories. The quota and coaching rules use these lists, for example, to block a request when the time quota is exceeded and the user still requests a URL of a particular category. For general information on how to maintain lists, see List maintenance.

Library quota and coaching lists


The following lists are used by the Quota Rules library rule set.

URL Blocklist for Time Quota
List of URL categories. When the configured time quota is exceeded, a request is blocked if the requested URL is in a category on the list.
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.

Table 5-2 URL Blocklist for Time Quota
Option              | Definition
Wildcard Expression | URL category (in Wildcard Expression format)
Comment             | Plain-text comment on the URL category

User Blocklist for Time Quota
List of user names. When the configured time quota is exceeded, a request is blocked if the user who requests access to an object is on the list.
Type: String
The list is initially empty. The table below describes the list entries.

Table 5-3 User Blocklist for Time Quota
Option  | Definition
String  | User name
Comment | Plain-text comment on the user


IP Blocklist for Time Quota
List of IP addresses. When the configured time quota is exceeded, a request is blocked if the IP address of the client the request was sent from is on the list.
Type: IP
The list is initially empty. The table below describes the list entries.

Table 5-4 IP Blocklist for Time Quota
Option  | Definition
IP      | IP address
Comment | Plain-text comment on the IP address

Other lists for quotas and coaching
Other lists are used by the library quota and coaching rules in the same way as the URL Blocklist, the IP Blocklist, and the User Blocklist for Time Quota. When the quota is exceeded, the relevant rule checks whether an object is on a list. If it is, the rule applies, and an action is triggered, for example, a request is blocked. These lists include:
- URL Blocklist, IP Blocklist, and User Blocklist for Time Session
- URL Blocklist, IP Blocklist, User Blocklist, and Media Type Blocklist for Volume Quota
- URL Blocklist, IP Blocklist, User Blocklist, and Media Type Blocklist for Volume Session
- URL Blocklist, IP Blocklist, and User Blocklist for Authorized Override
- URL Blocklist, IP Blocklist, and User Blocklist for Coaching


Rule sets for quotas and coaching


This section describes the library rule sets for quotas and coaching:
- Authorized Override
- Time Quota
- Volume Quota
- Coaching

The Authorized Override, Time Quota, and Coaching rule sets are all processed when requests are sent to the appliance. Coaching and overrides both apply to user requests, and whether time quota limits are reached can also be decided upon receiving a request from a user.

The Volume Quota rule set is processed when a response is received from a web server. The volume of the object sent in response, for example, a web page or a file, is then checked to see whether allowing it would let the volume quota be exceeded.

Authorized Override library rule set


The Authorized Override library rule set allows users to override and continue with a new session when the quota is exceeded for a given session, but overall quota time is still left. Users must authenticate before being allowed to override.
Nested library rule set: Authorized Override
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rules:

Redirecting after authenticating for authorized override
AuthOverride.IsActivationRequest<default> equals true > Redirect<RedirectQuotaBack>
The rule redirects a request and lets a user again access an object after session time has expired and the user has chosen to continue with a new session. The user must authenticate before being again allowed access. The settings of the module that handles the authorized override are specified with the property. The action settings specify that a message about the redirect and the need to authenticate is sent to the user.

Authorized Override for URLs that are in URL Blocklist for Authorized Override
URL.categories<Default> at least one in list URL Blocklist for Authorized Override AND AuthOverride.SessionExceeded<default> equals true > Block<ActionAuthOverBlocked>
The rule informs the user that session time has expired if the category of the requested URL is on a quota list. It allows the user to authenticate and continue. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify a message to the requesting user.

Other rules
Two more rules in the rule set do the same as the URL-based rule if the client IP address of a request or the user is on a quota list.
Note: These rules are not initially enabled.


Time Quota library rule set


The Time Quota library rule set blocks requests when time quotas are exceeded.
Nested library rule set: Time Quota
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rules:

Redirecting after starting new time session
TimeQuota.IsActivationRequest equals true > Redirect<RedirectQuotaBack>
The rule redirects a request and lets a user again access an object after session time has expired and the user has chosen to continue with a new session. The action settings specify a message to the requesting user.

Time session counting for URLs that are in URL Blocklist for Time Session
URL.categories<Default> at least one in list URL Blocklist for Time Session AND TimeQuota.SessionExceeded<default> equals true > Block<ActionTimeSessionBlocked>
The rule informs the user that session time has expired if the category of the requested URL is on a quota list. It provides an option to continue with a new session. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify a message to the requesting user.

Time session counting for URLs that are in URL Blocklist for Time Session
URL.categories<Default> at least one in list URL Blocklist for Time Session AND TimeQuota.SessionExceeded<default> equals true > Block<ActionTimeQuotaBlocked>
The rule blocks a request if the time quota is exceeded and the category of the requested URL is on a quota list. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify a message to the requesting user.

Other rules
Two more rules of the rule set do the same as the last two (URL-based) rules if the client IP address of a request is on a quota list. One rule provides an option for a new session if quota time is still left, the other blocks if time is completely exhausted. Two more rules do the same if the requesting user is on a quota list.
Note: These rules are not initially enabled.
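
The rule order above, together with the AND criteria under Quota and coaching modes, can be modelled in a few lines. This Python sketch is an added example, not McAfee code and not part of the guide. It assumes that the note applies to the IP- and user-based rules, and that a new session is offered only while quota time is left; the Request fields, user names, addresses and categories are constructed.

```python
from dataclasses import dataclass

SUBJECTS = ("URL", "IP", "User")   # rule families described in the guide
LIMITS = (("Time Session", "Block<ActionTimeSessionBlocked>"),
          ("Time Quota", "Block<ActionTimeQuotaBlocked>"))


@dataclass
class Request:                      # hypothetical model of one request
    user: str
    client_ip: str
    url_categories: frozenset
    activation: bool = False        # user chose to continue with a new session
    session_exceeded: bool = False  # session time is used up
    quota_exceeded: bool = False    # overall time quota is used up


@dataclass
class Rule:
    subject: str      # "URL", "IP" or "User"
    limit: str        # "Time Session" or "Time Quota"
    action: str
    enabled: bool

    @property
    def list_name(self):
        return f"{self.subject} Blocklist for {self.limit}"


def library_time_quota_rules():
    """URL-based rules first; IP- and user-based rules start disabled (assumption)."""
    return [Rule(s, limit, action, enabled=(s == "URL"))
            for s in SUBJECTS for limit, action in LIMITS]


def empty_lists():
    """Every quota list is initially empty after the import."""
    return {f"{s} Blocklist for {limit}": set()
            for s in SUBJECTS for limit, _ in LIMITS}


def on_list(rule, req, lists):
    entries = lists[rule.list_name]
    if rule.subject == "URL":
        return bool(req.url_categories & entries)   # "at least one in list"
    return (req.client_ip if rule.subject == "IP" else req.user) in entries


def limit_reached(rule, req):
    if rule.limit == "Time Quota":
        return req.quota_exceeded
    # Assumption: the new-session option is only given while quota time is left.
    return req.session_exceeded and not req.quota_exceeded


def evaluate(req, rules, lists):
    """Return the action of the first rule that applies, else 'Allow'."""
    if req.activation:
        return "Redirect<RedirectQuotaBack>"
    for rule in rules:
        if rule.enabled and on_list(rule, req, lists) and limit_reached(rule, req):
            return rule.action
    return "Allow"


def demo():
    rules, lists = library_time_quota_rules(), empty_lists()
    # Constructed request: every limit is used up.
    spent = Request("alice", "10.0.0.7", frozenset({"Streaming Media"}),
                    session_exceeded=True, quota_exceeded=True)
    out = {"fresh import": evaluate(spent, rules, lists)}

    lists["User Blocklist for Time Quota"].add("alice")
    out["user listed, user rules disabled"] = evaluate(spent, rules, lists)

    for rule in rules:
        if rule.subject == "User":
            rule.enabled = True
    out["user listed, user rules enabled"] = evaluate(spent, rules, lists)

    lists["URL Blocklist for Time Session"].add("Streaming Media")
    pause = Request("bob", "10.0.0.8", frozenset({"Streaming Media", "News"}),
                    session_exceeded=True)
    out["session used up, quota time left"] = evaluate(pause, rules, lists)

    resume = Request("bob", "10.0.0.8", frozenset({"Streaming Media"}),
                     activation=True)
    out["user starts a new session"] = evaluate(resume, rules, lists)
    return out


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The first two cases are the ones to check after importing the rule sets: an exceeded quota blocks nothing until the matching list has entries and the rule that reads it is enabled.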


Volume Quota library rule set


The Volume Quota library rule set blocks responses and embedded objects sent with responses when volume quotas are exceeded.
Nested library rule set: Volume Quota
Criteria: Always
Cycle: Responses, embedded objects

The rule set contains rules that do the same as the rules of the Time Quota rule set, after checking volume quotas instead of time quotas. It contains two more (not initially enabled) rules for media type handling. These do the same for media types as the corresponding rules for users, IP addresses, and URLs. One of them provides an option for a new session if quota time is still left and the media type sent in response is on a quota list, the other blocks if time is completely exhausted and the media type is on the list.

Coaching library rule set


The Coaching library rule set displays a coaching page to a user who requests access to an object.
Nested library rule set: Coaching
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rules:

Redirecting after starting new coaching session
Coaching.IsActivationRequest<default> equals true > Redirect<RedirectQuotaBack>
The rule redirects a client and lets a user again access an object after session time has expired and the user has chosen to continue with a new session. The settings of the module that handles the authorized override are specified with the property. The action settings specify a message to the requesting user.

Coaching for URLs that are in URL Blocklist for Coaching
URL.categories<Default> at least one in list URL Blocklist for Coaching AND Coaching.SessionExceeded<default> equals true > Block<ActionCoachingBlocked>
The rule displays a coaching page informing the user that session time has expired if the category of the requested URL is on a quota list. It leaves it to the user to continue. The settings of the module that retrieves information on URL categories are specified with the corresponding property. The action settings specify that a coaching page is sent to the user.

Other rules
Two more rules in the rule set do the same as the URL-based rule if the client IP address of a request or the user is on a quota list.
Note: These rules are not initially enabled.


Administrator accounts
Administrator accounts can be set up and managed on the appliance or on an external server. This section tells you how to do this and how to create administrator roles with different access privileges for administrators.

Internal management of administrator accounts


You can manage accounts internally. These accounts are stored on the appliance, not on an external server. Complete the procedures below to do this.

Add an administrator account


To add an internal administrator account:
1 Go to Accounts | Administrator accounts.
  Note: On the Administrator Accounts tab, an administrator and a role have already been inserted at the initial setup.
2 Under Internal Administrator Accounts, click Add. The Add Administrator window opens.
3 Add a user name, a password, and other settings for the account. Then click OK.
4 Click OK and then Save Changes.

For more information, see Administrator account settings.

Edit an administrator account


To edit an internal administrator account:
1 Go to Accounts | Administrator accounts.
2 Under Internal Administrator Accounts, select an account and click Edit. The Edit Administrator window opens.
  Note: You can use the Filter input field to type a filtering term and display only accounts with matching names.
3 Edit the settings of the account as needed.
4 Click OK and then Save Changes.

For more information, see Administrator account settings.

Delete an administrator account


To delete an administrator account:
1 Go to Accounts | Administrator accounts.
2 Under Internal Administrator Accounts, select an account and click Delete. A window opens to let you confirm the deletion.
  Note: You cannot delete all administrator accounts. At least one must always exist on the appliance.
3 Click Save Changes.


Administrator account settings


You can use the administrator account settings to add or edit an administrator account.
- User name: User name of the administrator
- Password: Administrator password
- Password repeated: Repetition of the password to check and confirm it
  Note: In the Edit Administrator window, you need to select Set a new password before the two password fields become available.
- Role: List for selecting an administrator role
  Note: You can use the Edit and Add icons to edit and add roles. The modified and added roles also appear in the list of administrator roles under Roles.
- [Optional] Name: Real name of the person that the account is set up for

Test with current settings


You can test whether an administrator with given credentials would be admitted on the appliance. The following settings are provided for this purpose on the Administrator Accounts tab of the Accounts top-level menu.
- User: User name that is tested
- Password: Tested password
- Test: Executes the test. The Authentication Test Results window opens to display the outcome of the test.

Administrator roles
You can set up roles and use them to configure administrator accounts.

Manage administrator roles


Complete the following procedure to manage administrator roles:
1 Go to Accounts | Administrator accounts.
  Note: On the Administrator Accounts tab, an administrator and a role have already been inserted after the initial setup.
2 Under Roles, click Add to add a role. The Add Role window opens.
3 In the Name field, type a role name.
4 Configure access rights for the dashboard, rules, lists, and other items.
5 Use the Edit and Delete icons to edit and delete roles.
  Note: Added and modified roles also appear in the list of administrator roles under Internal Administrator Accounts, and deleted roles disappear from it.
6 Click OK and then Save Changes.

For more information, see Administrator role settings.


Administrator role settings


You can use the following settings to add or edit an administrator role. The items of the user interface listed here are accessible for the role according to your selections.
- Name: Name of the role
- Dashboard accessible: When selected
- Policy Rules accessible: When selected
- Policy Lists accessible: When selected
- Policy Settings accessible: When selected
- Configuration accessible: When selected
- Accounts accessible: When selected
- Log files accessible: When selected

For more information, see Manage administrator roles.

Configure external account management


You can have administrator accounts managed on external authentication servers and map externally stored user groups and individual users on to roles on the appliance. Complete the following procedure to configure external account management:
1 Go to Accounts | Administrator accounts.
2 Click Administrator accounts are managed in an external directory server. Additional settings appear.
3 Under Authentication Server Details, configure settings for the external server. These settings determine the way the authentication module on the appliance retrieves information from that server.
4 Use the settings under Authentication group = role mapping to map user groups and individual users stored on the external server to roles on the appliance:
  a Click Add. The Group/User Role Mapping window opens.
  b Select the checkboxes next to the input field for groups and users as needed and type group and user names in these fields.
  c Click OK.
  d Under Role to map to, select a role.
    Note: You can use the Edit and Delete icons to edit and delete roles.
  e Click OK and then Save Changes.

For information on the settings for the authentication server, see Authentication engine settings.


Web Filtering

Contents
- Filtering web objects
- Virus and malware filtering
- URL filtering
- Media type filtering
- HTML filtering
- Global whitelisting
- SSL scanning
- Supporting functions
- User messages

Filtering web objects


The McAfee Web Gateway appliance filters web objects before the users of your network can access them. The sections of this chapter explain the filtering process and tell you how to administer it. The functions for filtering web objects are controlled by rules. These say, for example, when access to an object is blocked or allowed. They go through blocking lists and whitelists and call modules to let them retrieve other relevant filtering information. For example, a rule calls the Antimalware module to find out whether an object is infected, another rule calls the TrustedSource module to retrieve information on URL categories.

Administering the filtering process


Administering the filtering process for web objects includes the following activities:
- Reviewing and modifying the filtering rules: These rules are implemented at the initial setup by the policy creation wizard or as a default system. You can review and modify what is implemented.
- Maintaining the filter lists: These include mainly blocking lists and whitelists for URLs, media types, HTML pages, and other web objects.
- Configuring the module settings: By configuring these settings you determine the way the modules retrieve relevant information for the filtering process. For example, it depends on these settings whether the Antimalware module uses only virus signatures to detect infected web objects or also proactive methods.
- Adapting user messages on filtering actions: A message sent to a user might read as follows: The transferred file contained a virus and was therefore blocked. To adapt these messages, you need to configure the settings of the actions in question.


The sections of this chapter explain these activities in detail for individual filtering functions. They assume that you have read the Rules and Rule Sets chapter, which provides general information on handling rules and how they use filter lists and modules. For more information, see these sections, for example, Virus and malware filtering, and also Rules and Rule Sets and User messages.

Functions for filtering web objects


You can use the following functions to filter web objects on the appliance:
- Virus and malware filtering: You can filter web objects and block them if they are infected by viruses and other malware, using the Antimalware scanning module, which can apply different methods when scanning objects.
- URL filtering: You can filter URLs individually and per category and block inappropriate or malicious content, using filter lists and information that the TrustedSource module retrieves from the global TrustedSource intelligence system.
- Media type filtering: You can filter media types and block text, audio, image, streaming, or other media, using appropriate filter lists for upload and download.
- HTML filtering: You can filter HTML pages and have embedded objects, including Java and Visual Basic scripts, ActiveX controls, and others, removed from them.
- Global whitelisting: You can enter URLs onto a global whitelist to ensure the users of your network can access them.
- SSL scanning: You can have SSL-secured requests inspected to make them available for further filtering and block objects if they are not sufficiently secured by a valid certificate.

You can also use the following functions that do not themselves filter web objects, but support the filtering process:
- Billing: You can count requests for web access sent by users of your network.
- Progress indication: You can show users the progress made in downloading objects.
- Next-hop proxies: You can use next-hop proxies for routing requests to internal destinations.

For more information, see the sections on individual filtering and supporting functions, for example, URL filtering or Billing.


Virus and malware filtering


The appliance filters web objects to block viruses and other malware. This section explains the virus and malware filtering process and how you can modify it.

Virus and malware filtering is controlled by rules. One of them says, for example, that access to a web object is blocked if it is infected by viruses or other malware. This rule calls the Antimalware module to find out whether an object is actually infected. Other rules use whitelists to let virus and malware filtering be skipped for particular objects.

Administering virus and malware filtering includes the following activities:
- Review and modify the filtering rules: These rules work together in a rule set. Whitelisting rules are placed and processed in this rule set before the blocking rule. If any of them applies, the blocking rule is skipped and no virus and malware filtering is done for the whitelisted objects.
- Maintain the whitelists: Whitelists are used by whitelisting rules to see which objects are allowed to skip the blocking rule. There can be different whitelists for URLs, media types, and other types of objects. Blocking lists are typically not used in virus and malware filtering because here the blocking depends not on lists, but on the findings of the Antimalware module.
- Configure settings for the Antimalware module: The Antimalware module scans objects to detect infections by viruses and other malware. Based on the findings of this module, the blocking rule blocks access to web objects or lets them pass through. You can configure settings for this module, for example, to let it scan objects using only virus signatures to detect infections or also proactive methods.

For more information, see Rules and rule sets for virus and malware filtering, Whitelists for virus and malware filtering, and Scanning module for virus and malware filtering.

Whitelists for virus and malware filtering


You can maintain whitelists for web objects to let them skip virus and malware filtering. This section explains how this is done and describes some sample whitelists. You can enter web objects, such as URLs, media types, and others, onto whitelists. The rules of the virus and malware filtering rule set use these lists, and when an object is on a list, the rule that would eventually block it is not processed.
Note: This means that when you edit a whitelist, you also modify the rule that uses it. You should therefore make sure you know which rule uses a list that you edit. You can do this, for example, by reviewing the rules of the virus and malware filtering rule set to see which list names appear in rule names and criteria.

Whitelists are created at the initial setup of the appliance together with the corresponding rules and rule sets. You can also create lists of your own. The procedures used to maintain whitelists differ according to the list type. For example, you can add URLs to a whitelist for URLs by typing them into the list. When adding media types, however, you select them from folders with media type groups. For more information, see Add a URL to a virus and malware filtering whitelist, Add a media type to a virus and malware filtering whitelist, and Sample whitelists for virus and malware filtering.


Add a URL to a virus and malware filtering whitelist


You can add a URL to a whitelist to let it skip virus and malware filtering. Complete the following procedure to do this:
1 Go to Policy | Lists.
2 On the Lists tree, go to Wildcard Expression and select the virus and malware filtering whitelist for URLs, for example, AV URL Whitelist. The list entries appear on the settings pane.
3 Click Add. The Add Wildcard Expression window opens.
4 In the Wildcard expression field, type a URL.
Note: To add multiple URLs at once, click Add multiple and type every URL in a new line.
5 [Optional] In the Comment field, type a comment on the URL.
6 Click OK. The window closes and the URL appears on the whitelist.
7 Click Save Changes.

For more information on how to maintain a list, see List maintenance.

Add a media type to a virus and malware filtering whitelist


You can add a media type to a whitelist to let it skip virus and malware filtering. Complete the following procedure to do this:
1 Go to Policy | Lists.
2 On the Custom Lists branch of the Lists tree, go to Media Type and select the virus and malware filtering whitelist for media types, for example, AV Media Type Whitelist. The list entries appear on the settings pane.
3 Click Edit. An Edit window opens. It displays a list of group folders with media types.
4 Expand the group folder with the media type you want to add, for example, Document, and select the media type, for example, application/vnd.ms-excel.
Note: To add multiple media types at once, select multiple media types or one or multiple group folders.
5 Click OK. The window closes and the media type appears on the whitelist.
6 Click Save Changes.

For more information on how to maintain a list, see List maintenance.


Sample whitelists for virus and malware filtering


This section describes some sample whitelists used by the library Gateway AntiMalware rule set. When you import the rule set, these lists are also imported. You can find them on the Lists tab of the Policy top-level menu, sorted by their types and names. For general information on how to maintain lists, see List maintenance.

AV URL Whitelist
Library list of URLs that are allowed to skip virus and malware filtering
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.

Table 6-1 AV URL Whitelist
Option                 Definition
Wildcard Expression    URL that is allowed to skip filtering (in Wildcard expression format).
Comment                Plain-text comment on the URL

AV Media Type Whitelist
Library list of media types that are allowed to skip virus and malware filtering
Type: Wildcard Expression
Initial entries:
- application/ogg (Audio/Video files in OGG format)
- application/vnd.ms-af (Microsoft Multimedia Container)
- and others
The table below describes the list entries.

Table 6-2 AV Media Type Whitelist
Option        Definition
Media type    Media type that is allowed to skip filtering. For example, application/ogg, audio/mp4, video/mpeg.
Comment       Plain-text comment on the media type


Scanning module for virus and malware filtering


The Antimalware module (also known as Antimalware engine) scans web objects for infections by viruses and other malware. This section tells you how to configure this module and describes the module settings in detail. The blocking rule of the virus and malware filtering process relies on the Antimalware module to find out whether a web object is infected by viruses or other malware. By configuring settings for it, you can let the module do its scanning job in different ways.
Note: This means that when you edit the module settings, you also modify the blocking rule that uses it. You should therefore make sure you know which blocking rule uses the module whose settings you edit. You can do this, for example, by reviewing the rule in the virus and malware filtering rule set to see which settings name appears in the rule criteria.

The module has three submodules, which can run in different combinations. Each submodule uses different methods to detect infections in web objects.
- McAfee Gateway Anti-Malware
  Uses proactive methods. You can configure several advanced settings for this submodule, however not for the other two.
- McAfee Anti-Malware
  Uses virus signatures. In contrast to the proactive methods, virus signatures can only be applied to detect viruses that are already known.
- Avira
  Provides the scanning methods of a third-party product.

The submodules and their methods can be combined into scanning modes as follows:
- Mode a: proactive + signatures + third-party
- Mode b: proactive + signatures
- Mode c: signatures only

Other module settings are for the AV PreScan option, which reduces the scanning load, or the Mobile Code Behavior option, which lets you set a level of strictness in classifying code. For more information, see Configure the Antimalware module and Antimalware engine settings.

Configure the Antimalware module


This section tells you how to configure settings for the Antimalware module. Complete the following procedure to configure these settings:
1 Go to Policy | Settings.
2 On the Settings tree, go to Engines | Antimalware and select a settings name, for example, Gateway AntiMalware.
3 Configure these settings as needed.
  - Select Scanning Engines: For selecting the scanning mode.
  - Mobile Code Behavior: For configuring the risk of obtaining false positives and false negatives when classifying mobile code.
  - Advanced Settings: For all submodules.
  - Advanced Settings for McAfee Gateway Anti-Malware: For this submodule only.
4 Click Save Changes.

For more information on these settings, see Antimalware engine settings.


Antimalware engine settings


This section describes in detail the settings of the Antimalware engine, which is the module used in virus and malware filtering to scan web objects.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Select Scanning Engines
Settings for selecting a combination of submodules to determine the scanning mode.
- McAfee Gateway Anti-Malware including McAfee Anti-Malware
  When selected, these two submodules and Avira are active. Web objects are then scanned using: proactive methods + virus signatures + third-party module functions
- McAfee Gateway Anti-Malware including McAfee Anti-Malware without Avira
  When selected, only the first two submodules are active. Web objects are then scanned using: proactive methods + virus signatures
- McAfee Anti-Malware only
  When selected, only this submodule is active. Web objects are then scanned using: signatures only

Mobile Code Behavior
Settings for configuring a risk level in classifying mobile code.
The risk level can take values from 60 to 100.
A low value means that the risk of proactively scanning the behavior of mobile code and not detecting that it is malware is low, because the scanning methods are applied very strictly. Mobile code will then be classified as malware even if only a few criteria of being potentially malicious have been detected. This can lead to classifying mobile code as malware that is actually not malicious (false positives). While more proactive security is achieved with a stricter setting, accuracy in determining which mobile code is really malicious will suffer. Consequently, the appliance might block web objects that you want to get through to your users.
A high value means that the risk of not detecting malicious mobile code is high (more false negatives), but more accuracy is achieved in classifying mobile code correctly as malicious or not (fewer false positives).
- Classification threshold
  Slider scale for setting a risk level as described above.
  Minimum value (maximum proactivity): 60
  Maximum value (maximum accuracy): 100

Advanced Settings
Settings for all submodules.
- Enable AV PreScan
  When selected, performance of the submodules is improved by reducing the load sent to them for scanning.
Note: This option is by default selected. It is generally recommended not to change this setting.


Advanced Settings for McAfee Gateway Anti-Malware
Settings applying only to the McAfee Gateway Anti-Malware submodule.
Note: The following options are by default selected. It is generally recommended not to change these settings.

(General Settings)
Settings for some general scanning methods.
- Enable Artemis queries
  When selected, queries regarding infected objects are also performed on an Artemis database.
- Enable heuristic scanning
  When selected, heuristic methods are used in scanning web objects.
- Enable detection for potentially unwanted programs
  When selected, web objects are also scanned for potentially unwanted programs.
- Enable mobile code scanning
  When selected, mobile code is scanned in general.
Note: Individual settings can be configured under Scan the following mobile code types.

Scan the following mobile code types
Settings for including different types of mobile code in the scanning.
- Windows executables
  When selected, these are scanned. Once downloaded from the web or received by email, these executables can become a threat when launched because they run with all the privileges of the current user.
- JavaScript
  When selected, this is scanned. JavaScript code can be embedded virtually anywhere, from web pages and PDF documents to video and HTML files.
- Flash ActionScript
  When selected, this is scanned. ActionScript code can be embedded in flash videos and animations and has access to the flash player and the browser with all their functions.
- Java applets
  When selected, these are scanned. Java applets can be embedded in web pages. Once activated, they can run at different permission levels, based on a digital certificate and the user's choice.
- Java applications
  When selected, these are scanned. Java applications run stand-alone with all privileges of the current user.
- ActiveX controls
  When selected, these are scanned. ActiveX controls can be embedded in web pages and office documents. Once activated, they run with all privileges of the current user.
- Windows libraries
  When selected, these are scanned. These libraries usually come along with an executable in a setup package or are downloaded from the web by a running executable or by malicious code.
- Visual Basic script
  When selected, this is scanned. Visual Basic script code can be embedded in web pages or in emails.
- Visual Basic for applications
  When selected, this is scanned. Visual Basic macros can be embedded in office documents created with Word, Excel, or PowerPoint.

Block the following behavior
Settings for selecting code behavior that leads to blocking.
- Data theft: Backdoor
  When selected, the following is blocked: Malicious applications that grant an attacker full remote access and control to a victim's system through existing or newly created network channels.
- Data theft: Keylogger
  When selected, the following is blocked: Malicious applications that hook into the operating system to record and save keyboard strokes. The captured information, such as passwords, is sent back to the attacking party.
- Data theft: Password stealer
  When selected, the following is blocked: Malicious applications that gather, store, and leak sensitive information, such as the system configuration, confidential data, credentials, and other data for user authentication.


- System compromise: Code execution exploit
  When selected, the following is blocked: Exploiting vulnerabilities in any client applications, such as browsers, office programs, or multi-media players, that could allow an attacker to run arbitrary code on the compromised system.
- System compromise: Browser exploit
  When selected, the following is blocked: Exploits for vulnerabilities in browser applications and plug-ins that could allow the attacker to run arbitrary code, steal sensitive data, or escalate privileges.
- System compromise: Trojan
  When selected, the following is blocked: Malicious applications that pretend to be harmless or useful, but actually perform malicious activities.
- Stealth activity: Rootkit
  When selected, the following is blocked: Malicious applications or device drivers that manipulate the operating system and hide the presence of malware on infected systems. After the compromise, files, registry keys, and network connections belonging to the malware processes turn invisible and could be hard to recover.
- Viral Replication: Network worm
  When selected, the following is blocked: Malicious applications or device drivers that self-replicate using email, the internet, peer-to-peer networking, or by copying themselves onto removable media such as USB devices.
- Viral Replication: File infector virus
  When selected, the following is blocked: Self-replicating applications that infect existing files on the hard disk, embedding viral code in order to spread through the newly infected host file.
- System compromise: Trojan downloader
  When selected, the following is blocked: Malicious applications or script code that download and execute additional payload from the internet.
- System compromise: Trojan dropper
  When selected, the following is blocked: Malicious applications that carry hidden payload, and extract and launch it upon execution.
- System compromise: Trojan proxy
  When selected, the following is blocked: Malicious applications that allow potentially malicious hidden network activity to be relayed through the compromised system.
- Web threats: Infected website
  When selected, the following is blocked: Websites that contain injected malicious script code or request additional malicious code as soon as they are opened in a browser. The initial infection might have taken place through an SQL injection attack against the web server.
- Stealth activity: Code injection
  When selected, the following is blocked: Applications that copy their code into other, often legitimate processes, resulting in a hijacking of the respective privileges and trust. This technique is typically employed by malware that tries to hide its presence on compromised systems and tries to evade detection.
- Detection evasion: Obfuscated code
  When selected, the following is blocked: Applications that consist of highly scrambled or encrypted code.
- Detection evasion: Packed code
  When selected, the following is blocked: Applications whose content has been compressed by a run-time packer or protector. Applying a run-time packer to an application changes the way it looks so it is harder to classify.
- Potentially unwanted: Ad-/Spyware
  When selected, the following is blocked: Applications that show potentially annoying or unwanted advertisements, but also track and analyze the user's activities and behavior.
- Potentially unwanted: Adware
  When selected, the following is blocked: Applications that show potentially annoying or unwanted advertisements, but also track and analyze the user's activities and behavior.
- Data theft: Spyware
  When selected, the following is blocked: Applications that track and analyze the user's activities and behavior, steal sensitive data, and leak this data to the attacker's servers.
- Potentially unwanted: Dialer
  When selected, the following is blocked: Applications that provide access to content, such as pornography, through a more expensive network connection.
- Web threats: Vulnerable ActiveX controls
  When selected, the following is blocked: Potentially vulnerable ActiveX controls that are restricted to other, non-browser usage and should not be used on a web page.


- Potentially unwanted: Suspicious activity
  When selected, the following is blocked: Potentially malicious code that is identified by either non-standard or not fully trusted behavior.
- Web threats: Cross-site scripting
  When selected, the following is blocked: Malicious scripts that try to exploit access-control vulnerabilities in browsers or web applications to steal user-specific data, such as cookies.
- Potentially unwanted: Deceptive behavior
  When selected, the following is blocked: Misleading messages, missing code tricks, and fake alerts presented to users. These threats might tell users that their systems are infected with spyware and promote so-called fake AV applications for cleaning.
- Potentially unwanted: Redirector
  When selected, the following is blocked: Redirecting code that forwards users visiting a website to other, potentially malicious locations. This behavior is often caused by an infection of a previously legitimate website.
- Potentially unwanted: Direct kernel communication
  When selected, the following is blocked: Applications that directly communicate with the Windows kernel or in kernel mode. These might try to install a rootkit or to destabilize the system.
- Potentially unwanted: Privacy violation
  When selected, the following is blocked: Potentially malicious code that accesses sensitive or private data. This could result in eavesdropping on your clipboard content or reading registry keys.

Network behavior and DLP
Settings for handling unknown browsers, unwanted programs, and data leakage.
- Forbid unknown browsers to download executables
  When selected, requests for downloading executables submitted by unknown browsers are blocked.
- Block requests sent by PUPs
  When selected, requests sent by potentially unwanted programs (PUPs) are blocked.
- Treat as request sent by a PUP if probability is at least
  Slider scale to set the probability (in percent) for classifying a request as being sent by a potentially unwanted program.
- Detect unsolicited POSTs
  When selected, unsolicited POST requests, which could enable data leakage, are detected.


Rules and rule sets for virus and malware filtering


Rules that filter web objects for infections are contained in a virus and malware filtering rule set. This section explains these rules and describes in detail a library rule set. A virus and malware filtering rule set typically includes a blocking rule that blocks access to infected objects. It can also include rules for whitelisting objects, such as URLs, media types, and others, that should not be filtered to avoid getting blocked eventually. The whitelisting rules are placed before the blocking rule, so they are processed before it. If a requested object is on one of the whitelists, the corresponding rule applies. It stops the processing of the rule set, so the blocking rule is not processed and cannot apply. A rule set like this is included when the wizard creates a system of rule sets. It is also included in the default system. Wizard rule sets differ from each other and from the default rule set mainly with regard to their whitelisting rules, which can cover different types of objects and use different whitelists. They do not differ, however, in their fundamental structure, which combines a blocking rule with one or more whitelisting rules that are processed before it.

Process flow in a virus and malware filtering rule set


This section describes the process flow in a library rule set for virus and malware filtering. The rule set library contains two virus and malware filtering rule sets. One of them is the Gateway AntiMalware rule set. It includes:
- A whitelisting rule for media types
- A whitelisting rule for URLs
- A blocking rule that blocks access to objects if they are infected.

When, for example, an infected, non-whitelisted object is sent in response to a user request from a web server, these rules work together, creating a process flow as follows:
- Object is a URL and on the whitelist? No.
  > Processing continues with the next rule in the rule set.
- Object is streaming media and on the whitelist? No.
  > Processing continues with the next rule in the rule set.
- Object is infected by a virus or other malware? Yes.
  > Processing of rules stops. The object is blocked (and not passed on to the user who requested it). A block message is sent to this user.

If the object were streaming media and on the whitelist, the process flow would be:
- Object is URL and on the whitelist? No.
  > Processing continues with the next rule in the rule set.
- Object is streaming media and on the whitelist? Yes.
  > Processing of the rule set stops.
- Object is infected by a virus or other malware?
  > This blocking rule is not processed. The object is not scanned for infections.


Virus and malware filtering rules


This section explains in detail a blocking rule and a whitelisting rule for virus and malware filtering.
Note: The rules are shown here in a notation that comes close to how they appear on the user interface.

Blocking rule
The following is an example of a blocking rule for virus and malware filtering.

Name      Block if virus was found
Criteria  Antimalware.Infected<Gateway AntiMalware> equals true  >  Action  Block<VirusFound>

In plain text, this rule can be rephrased as follows: If an object is infected by a virus or other malware, block access to it.

The key element in the rule criteria is Antimalware.Infected. It is the property that is checked for a given web object. Antimalware.Infected is (equals) true if the object is actually infected by a virus or other malware. The Antimalware module is called to find out whether this is the case. If it is, the criteria is matched and the rule applies. The rule then executes its action, which is the Block action. It blocks access to the object.

The Antimalware.Infected property has the Gateway AntiMalware settings specified for it. This means the module that scans objects for infections runs with these settings. The settings determine, for example, which methods are used for the scanning.

The Block action also has settings specified for it. These settings determine that a message is sent to a user who is affected by the action and what this message looks like. For this virus and malware filtering rule, the VirusFound settings are specified, which means that the message mentions an infection of the requested object as the reason for the blocking. For more information, see Select a different mode for scanning web objects.

Whitelisting rule
The following is an example of a whitelisting rule for virus and malware filtering.

Name      Do not filter specific URLs
Criteria  URL matches in list AV.URL Whitelist  >  Action  Stop Rule Set

In plain text, this rule can be rephrased as follows: If a URL is on the whitelist for virus and malware filtering, do not process the virus and malware filtering rule set any further.

The property in the rule criteria is URL. When the rule is processed, it is checked for a given URL whether it is on the list (matches in list) specified in the criteria as the AV.URL Whitelist. If it is, the criteria matches and the rule applies. The rule then executes the Stop Rule Set action, which stops processing of the virus and malware filtering rule set and lets all rules of the rule set that follow this whitelisting rule be skipped, including the blocking rule (if placed behind this rule). For more information, see Change the list used by a whitelisting rule.


Select a different mode for scanning web objects


This section explains how you select a different mode for the module that scans web objects for infections. Complete the following procedure to do this:
1 Go to Policy | Rule Sets.
2 On the Rule Sets tree, select the virus and malware filtering rule set, for example, Gateway AntiMalware. The rules of this rule set appear on the settings pane.
3 Make sure Show details (above the list of rules) is enabled and in the criteria of the Block if virus was found rule, select the module settings, for example Gateway AntiMalware. The Edit Settings window opens.
4 Scroll down to the Select scanning engines section and select a combination of submodules that uses a particular scanning mode.
  - McAfee Gateway Anti-Malware including McAfee Anti-Malware
    When selected, these two submodules and Avira are active.
    > Scanning mode: proactive methods + virus signatures + third-party module functions
  - McAfee Gateway Anti-Malware including McAfee Anti-Malware without Avira
    When selected, only the first two submodules are active.
    > Scanning mode: proactive methods + virus signatures
  - McAfee Anti-Malware only
    When selected, only this submodule is active.
    > Scanning mode: signatures only
Note: If you select this mode for the Gateway AntiMalware rule set, you should rename the settings and the rule set, for example, to McAfee AntiMalware settings and rule set respectively, to indicate a key setting has changed. Alternatively, you can also import the (appropriately named) McAfee AV rule set from the rule set library. This rule set has a blocking rule with module settings that have only the use of the McAfee Anti-Malware module selected. You can then disable or delete the other rule set.
5 Click OK and then Save Changes.


Change the list used by a whitelisting rule


This section explains how you let the whitelisting rule for URLs in a virus and malware filtering rule set use a different list. Complete the following procedure to change the whitelist in this rule:
1 Create a new list.
  a Go to Policy | Lists.
  b On the Custom Lists branch of the Lists tree, select Wildcard Expression and click Add. The Add List window opens.
  c In the Name field, type a name for the new list, for example, My AV URL Whitelist.
  d [Optional] In the Comment field, type a plain-text comment on the new list and on the Permissions tab, configure who is allowed access to it.
  e Click OK. The Add List window closes and the new list is inserted on the Lists tree under Wildcard Expression.
2 Go to Policy | Rule Sets.
3 On the Rule Sets tree, select the virus and malware filtering rule set, for example, the Gateway AntiMalware rule set. The rules of this rule set appear on the settings pane.
4 Select the whitelisting rule for URLs, for example, Do not filter specific URLs, and click Edit immediately above the topmost rule. The Edit Rule window opens.
5 Select Rule Criteria and then the rule and click Edit. The Edit Criteria window opens.
6 From the drop-down list under Parameter Value, select the new list.
7 Click OK and Finish to close the open windows. The name of the new list appears in the criteria of the whitelisting rule on the settings pane.
8 Click Save Changes.

The whitelisting rule for URLs now uses your new list. You can fill this list with URLs to let them skip virus and malware filtering.


Gateway AntiMalware library rule set


This section explains in detail the Gateway AntiMalware library rule set. This is a rule set for virus and malware filtering with a blocking rule that uses all three submodules of the Antimalware module and their methods to scan web objects. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set  Gateway AntiMalware
Criteria          Always
Cycles            Requests (and IM), responses, embedded objects

The rule set contains the following rules:

Do not filter for viruses if user agent matching a special list
Request.Headers.GetHeader (User-Agent) matches in list UserAgentWhiteList > Stop Rule Set
The rule uses the Request.Headers.GetHeader property to check the User-Agent information that is sent with the header of a request. If the User-Agent in question is on the specified whitelist, processing of the rule set stops, so the blocking rule of the rule set is not processed and cannot block the request. A parameter of the property specifies that it is the User-Agent information that must be checked when the rule is processed.
Note: This rule is not enabled initially.

Do not filter specific URLs
URL matches in list AV URL Whitelist > Stop Rule Set
The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, processing of the rule set stops and the blocking rule is not processed.

Do not filter streaming media
URL.Categories<Default> contains Streaming Media AND MediaType.Ensured all in list AV Media Type Whitelist > Stop Rule Set
The rule uses the URL.Categories property to check whether a given URL belongs to the Streaming Media category. The TrustedSource module, which is called to retrieve category information, runs with the Default settings, as specified with the property. The second part of the criteria uses the MediaType.Ensured property to check if the media type of a web object is found on the specified whitelist. When this property is used, media types are checked that have been ensured to match for their respective objects with a probability of more than 50 %. If the URL belongs to the Streaming Media category and the web object that is located by the URL is of a media type that is on the whitelist, processing of the rule set stops and the blocking rule is not processed.


Block if virus was found
Antimalware.Infected<Gateway AntiMalware> equals true > Block<VirusFound> Statistics.Counter.Increment (BlockedByAntiMalware,1)<default>
The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware. The Antimalware module, which is called to scan the object, runs with the Gateway AntiMalware settings, as specified with the property. These settings let the module use all its three submodules and their methods to scan web objects. If the module finds that a web object is infected, processing of all rules stops and the object is not passed on any further. Access to it is blocked this way. In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is not passed on to the user who requested it. The VirusFound action settings specify that a message is sent to the requesting user. The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the counter that is incremented and the increment. The event settings specify the settings of the Statistics module, which executes the counting.
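
The process flow of this rule set can be traced with a short Python model when reviewing whitelist changes. This is an added example, not McAfee code: the list entries, the WebObject fields, the treatment of objects without an ensured media type, and glob matching as a stand-in for the Wildcard Expression format are assumptions. It reports which objects are blocked and which skip the scan because a whitelisting rule stopped the rule set first.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable

# Constructed list contents. The list names come from the rule set description;
# the entries, and glob matching as a stand-in for the appliance's Wildcard
# Expression format, are assumptions made for this example.
LISTS = {
    "UserAgentWhiteList": ["ExampleUpdater/*"],
    "AV URL Whitelist": ["http://updates.example.com/*"],
    "AV Media Type Whitelist": ["application/ogg", "audio/mp4", "video/mpeg"],
}


@dataclass
class WebObject:
    url: str
    user_agent: str = "ExampleBrowser/1.0"
    url_categories: tuple = ()
    ensured_media_types: tuple = ()
    infected: bool = False  # what the Antimalware module would report if called


@dataclass
class Rule:
    name: str
    criteria: Callable[[WebObject], bool]
    action: str  # "Stop Rule Set" or "Block<VirusFound>"
    enabled: bool = True
    calls_antimalware: bool = False


def in_list(value: str, list_name: str) -> bool:
    return any(fnmatchcase(value, pattern) for pattern in LISTS[list_name])


def streaming_media(obj: WebObject) -> bool:
    # "all in list": every ensured media type must be whitelisted. An object
    # with no ensured media type is treated as not matching (assumption).
    types = obj.ensured_media_types
    return ("Streaming Media" in obj.url_categories and bool(types)
            and all(in_list(t, "AV Media Type Whitelist") for t in types))


GATEWAY_ANTIMALWARE = [
    Rule("Do not filter for viruses if user agent matching a special list",
         lambda o: in_list(o.user_agent, "UserAgentWhiteList"),
         "Stop Rule Set", enabled=False),  # not enabled initially
    Rule("Do not filter specific URLs",
         lambda o: in_list(o.url, "AV URL Whitelist"), "Stop Rule Set"),
    Rule("Do not filter streaming media", streaming_media, "Stop Rule Set"),
    Rule("Block if virus was found", lambda o: o.infected,
         "Block<VirusFound>", calls_antimalware=True),
]


def process(obj: WebObject, rules=GATEWAY_ANTIMALWARE) -> dict:
    """Evaluate rules top-down; the first enabled rule that matches ends processing."""
    scanned = False
    for rule in rules:
        if not rule.enabled:
            continue
        scanned = scanned or rule.calls_antimalware
        if rule.criteria(obj):
            return {"action": rule.action, "rule": rule.name, "scanned": scanned}
    return {"action": "Pass", "rule": None, "scanned": scanned}


def unscanned_infections(objects, rules=GATEWAY_ANTIMALWARE) -> list:
    """URLs of infected objects that a whitelisting rule let skip the scan."""
    return [o.url for o in objects
            if o.infected and not process(o, rules)["scanned"]]


# Constructed traffic sample.
SAMPLE = [
    WebObject("http://files.example.net/setup.exe", infected=True),
    WebObject("http://media.example.org/clip.ogg", infected=True,
              url_categories=("Streaming Media",),
              ensured_media_types=("application/ogg",)),
    WebObject("http://media.example.org/player.exe", infected=True,
              url_categories=("Streaming Media",),
              ensured_media_types=("application/x-msdownload",)),
    WebObject("http://updates.example.com/pkg.bin", infected=True),
    WebObject("http://files.example.net/tool.exe", infected=True,
              user_agent="ExampleUpdater/2.1"),
]

if __name__ == "__main__":
    for obj in SAMPLE:
        print(obj.url, process(obj))
    print("Skipped the scan while infected:", unscanned_infections(SAMPLE))
```

Running the model against a proposed whitelist entry before saving it shows how much traffic the entry removes from scanning; the last sample object is only blocked because the User-Agent rule is disabled.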

McAfee AV library rule set


The McAfee AV library rule set is a rule set for virus and malware filtering with a blocking rule that uses only the McAfee Anti-Malware module and the virus-signatures method to scan web objects.
Library rule set  McAfee AV
Criteria          Always
Cycles            Requests (and IM), responses, embedded objects

The rule set contains the same rules as the Gateway AntiMalware rule set, except for the rule that lets whitelisted streaming media skip the filtering. The process flow in the rule set is also the same. For more information, see Gateway AntiMalware library rule set.


URL filtering
The appliance filters URLs to block inappropriate or malicious content. This section explains the URL filtering process and tells you how to modify it.

URL filtering is controlled by rules. One of these rules says, for example, that access to a URL is blocked if it is on a blocking list. Another rule blocks URLs if they belong to a category that is on a blocking list. This rule calls the TrustedSource module to retrieve category information for URLs from the global TrustedSource intelligence system. A whitelisting rule lets URLs skip URL filtering if they are on the list used by the rule.

Administering the URL filtering process includes the following activities:

Reviewing and modifying the filtering rules: Rules for blocking and whitelisting URLs are contained in a URL filtering rule set. The whitelisting rules are placed and processed before the blocking rules.

Maintaining the filter lists: Each of the filtering rules uses its own list. Since a URL filtering rule set handles only URL filtering, whitelists are not needed for several types of objects like in virus and malware filtering, but only for one type (URLs).

Maintaining Extended Lists: In addition to the list that is used by the category blocking rule, you can maintain lists on which you enter URLs and assign categories to them yourself. You can then let one of these lists be included in the search when the TrustedSource module retrieves category information on URLs.

Configuring settings for the TrustedSource module: The TrustedSource module retrieves category and other information for URLs from the global TrustedSource intelligence system. Based on this information, the category blocking rule blocks access to URLs or lets them pass through. You can configure settings for this module, for example, to let it include category information retrieved from an Extended List that you provide or to perform a DNS lookup for URLs and include the corresponding IP address in the search for category information.
For more information, see Rules and rule set for URL filtering, Lists for URL filtering, Extended Lists for blocking URLs per category, and Module for retrieving URL category information.


Lists for URL filtering


You can maintain a whitelist and blocking lists for use by the URL filtering rules. This section tells you how to do this and describes some sample lists.

The URL filtering rules use the following types of lists:

URL category blocking lists: Lists of URL categories. Categories are entered on this list to block all individual URLs belonging to them.
URL blocking lists: Lists of individual URLs that are blocked
URL whitelist: List of individual URLs that are allowed to skip URL filtering

The procedures used to maintain URL filter lists differ according to the list type. For example, when adding URL categories, you select them from category folders. Adding individual URLs to a blocking list or to a whitelist is done in the same way as for a virus and malware filtering whitelist. These lists are of the same type, which allows you to enter URLs by typing them into the list.

For more information, see Add a URL category to a blocking list, Add a URL to a virus and malware filtering whitelist, and Sample lists for URL filtering.

Add a URL category to a blocking list


You can add a URL category to a blocking list to block access to all URLs falling in that category. Complete the following procedure to add a category:
1 Go to Policy | Lists.
2 On the Custom Lists branch of the Lists tree, go to Category and select the blocking list for URL categories, for example, Category Blacklist. The list entries appear on the settings pane.
3 Click Edit. The Edit window opens. It displays a list of group folders with URL categories.
4 Expand the group folder with the category you want to block, for example, Purchasing, and select the category, for example, Online Shopping.
Note: To add multiple categories at once, select multiple categories or one or multiple group folders.
5 Click OK. The window closes and the category appears on the blocking list.
6 Click Save Changes.

For more information on how to maintain lists, see List maintenance.


Sample lists for URL filtering


This section describes some sample lists used by the library URL Filtering rule set. When you import the rule set, these lists are also imported. You can find them on the Lists tab of the Policy top-level menu, sorted by their names. For general information on how to maintain lists, see List maintenance.

Category Black List
Library list of URL categories that are blocked
Type: Category
The list is initially empty. The table below describes the list entries.

Table 6-3 Category Black List
Option      Definition
Category    URL category that is blocked.
Comment     Plain-text comment on the category

URL Black List
Library list of individual URLs that are blocked
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.

Table 6-4 URL Black List
Option                 Definition
Wildcard Expression    URL that is blocked (in wildcard expression format)
Comment                Plain-text comment on the URL

URL White List
Library list of individual URLs that are allowed to skip URL filtering.
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.

Table 6-5 URL White List
Option                 Definition
Wildcard Expression    URL that is allowed to skip filtering (in wildcard expression format)
Comment                Plain-text comment on the URL


Extended Lists for blocking URLs per category


You can maintain Extended Lists with URLs that you assign to categories yourself. These lists can be included when the TrustedSource module retrieves category information. This section tells you how to add and edit an Extended List.

Add an Extended List


This section tells you how to add an Extended List of URLs with categorizations of your own. Complete the following procedure to add this list:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to TrustedSource and select the settings you want to configure, for example, Default.
3 Under Extended List, click Add. The Add List window opens.
4 [Optional] In the Comment field, type a plain-text comment on the list and on the Permissions tab, configure who is allowed access to it.
5 Click OK & Edit. The Edit List (Extended List Element) window opens.
6 To add a list entry:
a Click Add. The Add Extended List Element window opens.
b Configure the following:
Protocol: Network protocol that must be used if categorization and, eventually, blocking is to be applied for a URL. For example, if FTP is specified here, categories are not looked up and blocking is never applied when requests are sent under HTTP or HTTPS.
URL: URL that is categorized.
c Under Categories, click the Edit symbol. An Edit window opens with a list of group folders containing URL categories.
d Expand the folder with the category you want to assign the URL to, for example, Lifestyle, and select the checkbox next to this category, for example, Travel.
Note: Repeat this substep if you want to add more than one category.
e Click OK. The Edit window closes and the category or categories appear on the list in the Add Extended List Element window.
7 Click OK. The Add Extended List Element window closes and the new entry appears on the Extended List in the Edit List (Extended List Element) window.
Note: Repeat steps 6 and 7 if you want to add more entries to the Extended List.
8 Click OK. The Edit List (Extended List Element) window closes and the new list appears:
On the Lists tree under Extended List Element.
Under the Extended List options of the Default settings for the TrustedSource engine.
9 Click Save Changes.


Edit an Extended List


This subsection explains how you edit an Extended List to modify your categorizations of URLs. Complete the following procedure to edit this list:
1 Go to Policy | Lists.
2 On the Lists tree, go to Extended List Element and select the Extended List you want to edit. The list entries appear on the settings pane.
3 Edit the list, using the items on the toolbar above the entries. The table below describes the list entries:

Table 6-6 Extended List
Option        Definition
Protocol      Network protocol that must be used if categorization and, eventually, blocking is to be applied for a URL.
URL           URL that is categorized.
Categories    URL categories that the URL is assigned to.
Comment       Plain-text comment on the URL

4 Click Save Changes.

For more information on how to maintain lists, see List maintenance.


Module for retrieving URL category information


You can configure the TrustedSource module to retrieve URL category information in different ways. This section explains how this is done and describes the module settings in detail.

The global TrustedSource intelligence system provides information on categories and reputation scores for URLs, based on the content of the corresponding web pages. Various technologies, such as link crawlers, security forensics, honeypot networks, sophisticated auto-rating tools, and customer logs are used to gather this information. An international, multi-lingual team of McAfee web analysts evaluates the information and enters URLs under particular categories into a database.

The TrustedSource intelligence system also provides reputation scores. To gather information on the reputation of a URL, its behavior on a worldwide real-time basis is analyzed, for example, where a URL shows up in the web, its domain behavior, and other details.

Configure the TrustedSource module


You can configure settings for the TrustedSource module. Complete the following procedure to configure these settings:
1 Go to Policy | Settings.
2 On the Settings tree, go to Engines | TrustedSource and select the settings you want to configure, for example, Default.
3 Configure these settings as needed.
Extended List: For Extended Lists with URL categorizations of your own.
Rating Settings: For the search mode when category information is retrieved.
4 Click Save Changes.

For more information on these settings, see TrustedSource engine settings.

TrustedSource engine settings


This section describes in detail the settings of the TrustedSource engine, which is the module that retrieves information from the TrustedSource intelligence system.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Extended List
Settings for Extended Lists.
(Extended Lists list): List for selecting an Extended List.
Add: Opens the Add List window for adding an Extended List.
Edit: Opens the Edit List (Extended List) window for editing a selected Extended List.


Rating Settings
Settings for the search performed to retrieve information on URLs and their categories.

Search the CGI parameters for rating: When selected, these are searched. CGI parameters in a URL trigger scripts or programs when the URL is accessed. Information on its CGIs can affect the categorization of a URL.

Search for and rate embedded URLs: When selected, these are searched for and rated. Information on an embedded URL can affect the categorization of the embedding URL.
Note: Searching for embedded URLs can reduce performance.

Do a forward DNS lookup to rate URLs: When selected, a DNS lookup is performed for a URL that no relevant information has been found for. The IP address that was looked up is used for another search.

Do a backward DNS lookup for unrated IP-based URLs: When selected, a backward DNS lookup is performed for a URL that no relevant information has been found for, based on its IP address. The host name that was looked up is used for another search.

Only use in-the-cloud rating services: When selected, information is only searched for in the TrustedSource intelligence system, not in the local database of the appliance. The local database contains data retrieved through updates from the TrustedSource system.

Do in-the-cloud rating if local rating yields no results: When selected, information is searched for in the TrustedSource intelligence system if the search in the local database yielded no results.

Use the default TrustedSource server for in-the-cloud rating: When selected, a default server is used to connect to the TrustedSource intelligence system.

IP of the TrustedSource server: IP address of the server used to connect to the TrustedSource intelligence system when the default server is not used.

Port of the TrustedSource server: Port on this server listening to requests from the appliance.

Force rating attempts to run in synchronous mode: When selected, the search is performed in synchronous mode. This means that if the TrustedSource intelligence system is included, the appliance connects to the TrustedSource server for processing a particular request and does not begin with processing other requests before the server has responded and processing of the first request has been completed.
Note: Using this option will reduce performance if the TrustedSource server is slow in responding.


Rules and rule set for URL filtering


Rules that filter URLs are contained on the appliance in a URL filtering rule set. This section explains these rules and the process flow within the rule set.

A rule set for URL filtering typically includes a blocking rule that blocks access to URLs per category and another one that blocks access to individual URLs. It can also include a rule for whitelisting URLs that should not be filtered and possibly blocked.

The whitelisting rule is placed before the blocking rules, so it is processed before them. If a requested URL is on the whitelist, the rule applies. It stops the processing of the rule set, so the blocking rules are not processed and cannot apply.

A rule set like this is included when the wizard creates a system of rule sets. It is also included in the default system. Wizard rule sets differ from each other and from the default rule set in that they use different blocking lists and whitelists. They do not differ, however, in their fundamental structure, which combines whitelisting rules with blocking rules that block URLs individually or per category.

URL filtering rule


This section explains in detail a category blocking rule, which is a key rule type in URL filtering.
Note: The rule is shown here in a notation that comes close to how it appears on the user interface.

Name: Block URLs whose category is in URL Category Black List
Criteria: URL.Categories<Default> matches in list CategoryBlackList
> Action: Block<URLBlocked>

In plain text, this rule can be rephrased as follows: If a URL belongs to a category that is on a blocking list, block access to it.

The property of the rule criteria is URL.Categories. This property is checked for a given URL and the TrustedSource module is called to find the categories the URL belongs to. If these are on the specified blocking list, the criteria is matched and the rule applies. The rule then executes its action, which is the Block action. It blocks access to the URL. If a URL belongs to more than one category, it is blocked if any of these categories is on the list.

The URL.Categories property has the Default settings specified for it. This means the module that retrieves the category information runs with these settings. The settings determine, for example, whether a DNS lookup is performed for a URL and category information also searched for based on the corresponding IP address.

The Block action also has settings. These specify a message that is sent to a user who is affected by the action. For this URL blocking rule, the URLBlocked settings are specified, which means that the message mentions the category that a requested URL belongs to as the reason for the blocking.


URL Filtering library rule set


This section explains in detail the URL Filtering library rule set. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set: URL Filtering
Criteria: Always
Cycles: Requests (and IM)

The rule set contains the following rules:

Allow URLs in URL White List
URL matches in list URLWhiteList > Stop Rule Set
The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, processing of the rule set stops and the blocking rules that follow the whitelisting rule are not processed.

Block URLs whose category is in URL Category Black List
URL.Categories<Default> at least one in list CategoryBlackList > Block<URLBlocked> Statistics.Counter.Increment (BlockedByURLFilter,1)<default>
The rule uses the URL.Categories property to check whether one of the categories a given URL belongs to is on the specified blocking list. The TrustedSource module, which is called to retrieve information on these categories, runs with the Default settings, as specified with the property.
If one of the URL's categories is on the list, processing of all rules stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way. The URLBlocked action settings specify that the user who requested this access is notified of the blocking.
The rule also uses an event to count blocking due to URL filtering. The event parameters specify the counter that is incremented and the increment. The event settings specify the settings of the Statistics module, which executes the counting.

Block URLs matching URL Black List
URL matches in list URLBlackList > Block<URLBlocked> Statistics.Counter.Increment (BlockedByURLFilter,1)<default>
The rule uses the URL property to check whether a given URL is on the specified blocking list. If it is, processing of all rules stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way. The URLBlocked action settings specify that the user who requested this access is notified of the blocking.
The rule also uses an event to count blocking due to URL filtering in the same way as the preceding rule.
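The process flow of these three rules, together with the protocol condition of Extended List entries described under Add an Extended List, can be modelled in a few lines of Python. This is an added example, not appliance or McAfee code. Assumptions: fnmatch stands in for the wildcard expression format, a dictionary stands in for the TrustedSource category database, "Continue" is this sketch's name for the case that no rule applies, audit_whitelist is a hypothetical helper, and all list entries and URLs are constructed. The audit helper lists whitelist entries that let through a URL the blocking rules would otherwise block, which is the effect of the whitelisting rule being processed first.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample lists; the names follow the library rule set.
URL_WHITE_LIST = ["http://intranet.example.com/*"]
URL_BLACK_LIST = ["*://*.badsite.example/*"]
CATEGORY_BLACK_LIST = {"Online Shopping", "Gambling"}

# Extended List entries: (Protocol, URL wildcard, Categories). Constructed.
EXTENDED_LIST = [("ftp", "files.example.net/*", {"Gambling"})]

# Stand-in for the category database queried by the TrustedSource module.
CATEGORY_DB = {
    "shop.example.org": {"Online Shopping", "Travel"},
    "news.example.org": {"General News"},
}

counters = {"BlockedByURLFilter": 0}


def matches_in_list(url, patterns):
    """'URL matches in list': fnmatch stands in for the wildcard format."""
    return any(fnmatchcase(url, pattern) for pattern in patterns)


def url_categories(url):
    """URL.Categories<Default>: database categories plus Extended List ones.

    Assumption: an Extended List entry contributes its categories only when
    the request protocol equals the entry's Protocol field.
    """
    parts = urlsplit(url)
    categories = set(CATEGORY_DB.get(parts.hostname or "", set()))
    for protocol, pattern, assigned in EXTENDED_LIST:
        target = parts.netloc + parts.path
        if parts.scheme == protocol and fnmatchcase(target, pattern):
            categories |= assigned
    return categories


def url_filtering(url, whitelist=URL_WHITE_LIST, count=True):
    """Process the three library rules in order; return (action, rule name)."""
    # Whitelisting rule first: a match stops the rule set before any block.
    if matches_in_list(url, whitelist):
        return ("Stop Rule Set", "Allow URLs in URL White List")
    # 'at least one in list': one blacklisted category is enough.
    if url_categories(url) & CATEGORY_BLACK_LIST:
        rule = "Block URLs whose category is in URL Category Black List"
    elif matches_in_list(url, URL_BLACK_LIST):
        rule = "Block URLs matching URL Black List"
    else:
        return ("Continue", None)
    if count:
        # Event: Statistics.Counter.Increment (BlockedByURLFilter,1)
        counters["BlockedByURLFilter"] += 1
    return ("Block", rule)


def audit_whitelist(whitelist, sample_urls):
    """Return (pattern, url) pairs where a whitelist entry overrides a block."""
    findings = []
    for url in sample_urls:
        action, _ = url_filtering(url, whitelist=[], count=False)
        if action != "Block":
            continue
        findings.extend(
            (pattern, url) for pattern in whitelist if fnmatchcase(url, pattern)
        )
    return findings


if __name__ == "__main__":
    for sample in (
        "http://intranet.example.com/wiki",
        "http://shop.example.org/cart",
        "ftp://files.example.net/pub/a.zip",
        "http://files.example.net/pub/a.zip",
    ):
        print(sample, url_filtering(sample))
    print(audit_whitelist(["*.example.org/*"], ["http://shop.example.org/cart"]))
```

Running the audit against a sample of URLs taken from access logs before saving a new whitelist entry shows which blocking decisions the entry would switch off.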


Web Filtering Media type filtering

Media type filtering


The appliance filters media according to their types, using appropriate filter lists, so particular text, audio, image, streaming, and other media can be blocked. This section explains media type filtering and how to administer it.

When administering media type filtering, you deal mainly with the filtering rules and the lists they use.

Maintaining the filter lists: You can maintain lists of media types you want to block or whitelist and also have different lists for filtering uploads and downloads or special kinds of media types.

Modifying the filtering rules: You can review the rules for media type filtering and modify them as needed for your network. Typically, you have a rule set for media types that users of your network upload to the web and one for those that they download. These can be nested in a common media type filtering rule set. A special rule is used to call an opener module for media types.

For more information, see Lists for media type filtering and Rules for media type filtering.

Lists for media type filtering


You can maintain lists for media type filtering. This section explains different types of these lists and how you add a media type to a list. It also describes some sample lists that are used by the library rules.

Media type lists contain different kinds of media, such as text, audio, image, streaming, and others. When editing these lists, you do not type names of media types, but select them from folders. Some lists are provided by the system and cannot be edited at all. You can use them only as they are.

Apart from being system or user-maintained lists, lists used in media type filtering are the same with regard to editing. However, you can use them for different purposes and this way have blocking lists, whitelists, upload lists, download lists, or even upload blocking lists, upload whitelists, and so on.

The following are the kinds of media type filtering lists that are used by the library rules. However, you can create and use lists and list types other than these.

Upload whitelists: Lists of media types that users are allowed to upload to the web
Download blocking lists: Lists of media types that are blocked when users attempt to download them from the web

With regard to editing, media type filtering lists can be:

Custom lists: Can be reviewed and edited like all other custom lists.
System lists: Are provided by the appliance system and cannot be edited. There are system lists for text, audio, image, streaming, and other media types. You can view these lists under System Lists | Media Types on the Lists tab of the Policy top-level menu.

If you see, for example, that a media type is on a system list used by a blocking rule, but do not want this media type to be blocked, you cannot remove it from the list. However, you can modify the rule so that it uses not the system list, but a custom list without the media type in question.

For more information, see Add a media type to a media type filter list, and Sample lists for media type filtering.


Add a media type to a media type filter list


This section tells you how to add an entry to a list for media type filtering.
1 Go to Policy | Lists.
2 On the Lists tree, go to Media Type and select a list.
3 Click Edit. The Edit window opens and displays a list of group folders with media types.
4 Expand the group folder with the media type you want to add, for example, Audio, and select the media type, for example, audio/mp4.
Note: To add multiple media types at once, select multiple media types (or one or multiple group folders).
5 Click OK. The window closes and the media type appears on the list.
6 Click Save Changes.

Sample lists for media type filtering


This section describes some sample lists used by the Media Type Filtering rule set from the library. When you import the rule set, these lists are also imported. You can find them on the Lists tab of the Policy top-level menu, sorted by their names. For general information on how to maintain lists, see List maintenance.

Media Type Blacklist
Library list of media types that are blocked when users attempt to download them from the web.
Type: Media Type
The list is initially empty. The table below describes the list entries.

Table 6-7 Media Type Blacklist
Option        Definition
Media type    Media type that is blocked, for example, application/ogg, audio/mp4, video/mpeg
Comment       Plain-text comment on the media type

Upload Media Type Whitelist
Library list of media types that users are allowed to upload to the web.
Type: Media Type
The list is initially empty. The table below describes the list entries.

Table 6-8 Upload Media Type Whitelist
Option        Definition
Media type    Media type that is allowed for uploading, for example, application/ogg, audio/mp4, video/mpeg
Comment       Plain-text comment on the media type


Streaming Media
Library system list of streaming media types that users are allowed to upload to the web.
Note: You can only view, not edit this list.
Type: Media Type
Initial entries:
video/x-la-asf                    Streaming Audio/Video file
application/vnd.tmobile-livetv    Mobile TV data file
video/h261                        H.261 Video Stream
and others

Rules for media type filtering


Rules for media type filtering block and whitelist media types. This section explains how these rules work and how you can modify them. It also describes a media type filtering rule set from the library.

Media type filtering rule sets


A media type filtering rule set typically includes nested rule sets for controlling media upload and download. In each rule set, there is at least one rule that blocks media if their types are on a blocking list. There can be whitelisting rules that let media skip the blocking rule. There can also be several blocking rules to handle different media types or media types in different contexts, for example, media types embedded in archives. A special rule calls an opener module to open media.
Note: Media type filtering rules can also be included in rule sets that are not media type filtering rule sets in the first place, for example, in virus and malware filtering rule sets.

Media type filtering rule


The following is an example of a rule for blocking media types.
Note: The rule is shown here in a notation similar to the one used on the user interface.

Name: Block types from Media Type Blacklist
Criteria: MediaType.EnsuredTypes at least one in list Media Type Blacklist
> Action: Block <MediaType (black list)>

In plain text, this rule can be rephrased as follows: If media belongs to a type that is on a particular blocking list, block access to it.

The rule criteria checks the MediaType.EnsuredTypes property. Media have this property if it can be ensured with a probability of more than 50% that they are of a particular type. This is the case if a signature from an internal list on the appliance can be found in the object code of the media.

For media that have their types ensured in this sense, the rule looks up the specified blocking list to see whether they are on it. If they are, the criteria is matched and the rule applies. If media belong to multiple types, it is sufficient for one of them to be on the list to let the criteria match.

The rule then executes the Block action. Processing of all rules stops and the media is not passed on to the user who requested it. This way, access to it is blocked. The settings of the Block action specify a message that is sent to a user who is affected by the action. The message mentions media type as the blocking reason.


Media type filtering properties


Most of the media type filtering rules in the library rule set use the MediaType.EnsuredTypes property. There are several other properties, however, which let rules behave differently when included in their criteria.

There is, for example, the MediaType.NotEnsuredTypes property. If you use this property in the criteria of a blocking rule, the rule blocks media whose types are on a blocking list even if the probability that they actually are of this type is less than 50%. You could do this if you wanted to make sure a media type gets blocked under all circumstances.

The table below lists the properties of the rules in the library rule set for media type filtering.

Table 6-9 Media type filtering properties
Property                       Description
MediaType.EnsuredTypes         Property of media that have their types ensured with a probability of more than 50%. This level of probability is assumed if a media type signature from an internal list on the appliance can be found in the object code of the media.
MediaType.NotEnsuredTypes      Property of media for which the probability that they actually are of their respective types is less than 50%
MediaType.FromFileExtension    Property of media for which types are assumed based on the extensions of the media type file names. Extensions and the media types associated with them are looked up in an internal catalog on the appliance. There are, however, extensions that are used by more than one media type.
MediaType.FromHeader           Property of media for which types are assumed according to the content type field of the headers sent with the media. Headers are read and evaluated in a standardized format. To filter headers in their original formats, you can use the Header.Get property.
MediaType.IsSupported          Property of embedded or archived media that can be extracted by the opener module of the appliance.
List.MediaType.IsEmpty         Property of media with types that are not on an internal list

For information on other properties, see the List of properties in the appendix. For a procedure to let a rule use a different property, see Change the property in a media type filtering rule.

Change the property in a media type filtering rule


You can modify a media type filtering rule by changing the property in its criteria. This section tells you how to do this for a blocking rule that uses the MediaType.EnsuredTypes property. This property is replaced by MediaType.NotEnsuredTypes. A modification like this might also require that the rule uses a different filter list. The procedure also includes steps for this.

Complete the following procedure to change the property in a media type filtering rule:
1 Create a new blocking list for media types that are not ensured:
a Go to Policy | Lists.
b On the Custom Lists branch of the Lists tree, select Media Type and click Add. The Add List window opens.
c In the Name field, type a name for the new list, for example, Not Ensured Media Type Blocking List.
d [Optional] In the Comment field, type a plain-text comment on the new list and on the Permissions tab, configure who is allowed to access it.
e Click OK. The Add List window closes and the new list is inserted on the Lists tree under Media Type.


2 Go to Policy | Rule Sets.
3 On the Rule Sets tree, select the rule set for media type downloads, for example, Media Type Download.
4 Select a blocking rule, for example, Block Types from Media Type Blacklist, and click Edit immediately above the topmost rule. The Edit Rule window opens.
Note: If you want to have two rules, one for blocking ensured and another for blocking not ensured media types, copy the existing blocking rule for ensured media types, insert it into the rule set, and modify the inserted rule.
5 Select Rule Criteria and then the rule and click Edit. The Edit Criteria window opens.
6 From the drop-down list under Property select a new property, for example, MediaType.NotEnsuredTypes (instead of MediaType.EnsuredTypes).
7 From the drop-down list under Parameter Value, select Not Ensured Media Type Blocking List.
8 Click OK and Finish to close the open windows. The new property and list name appear in the criteria of the media type filtering rule on the settings pane.
9 Click Save Changes.

The rule now blocks not ensured media types from your new list. You need to fill this list with entries, so the rule knows what to block.

Media Type Filtering library rule set


This section describes in detail the Media Type Filtering library rule set. This is a rule set for filtering the upload and download of the media types. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set: Media Type Filtering
Criteria: Always
Cycles: Requests (and IM), responses, embedded objects

Two rule sets are nested in this rule set:
Media Type (upload)
Note: This rule set is not enabled initially.
Media Types (download)

Media Type Filtering (upload) library rule set

This rule set allows the upload of whitelisted media types. It is processed in request cycles when users request to upload media to the web.
Nested library rule set: Media Type Filtering (upload)
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rule:

Only allow types from Upload Media Type Whitelist
Media.TypeEnsured at least one in list Upload Media Type Whitelist > Stop Rule Set
The rule uses the Media.TypeEnsured property to check whether media that have their type ensured with a probability of more than 50% are on the specified whitelist. If they are, processing of the rule set stops. It is continued with the next rule set.


Media Type Filtering (download) library rule set

This rule set blocks the download of media types if they are on a blocking list and according to some other criteria. It is processed in response cycles when media are sent from the web for download in response to user requests. It is also processed in embedded object cycles when media are sent embedded in responses.
Nested library rule set | Criteria | Cycle
Media Type Filtering (download) | Always | Responses and embedded objects

The rule set contains the following rules:

Enable Composite Opener
Always > Continue Enable Composite Opener
The rule triggers an event that enables the composite opener. This module opens composite web objects, for example, archives, to make media types embedded in them accessible to further filtering. The rule is always applied, which means the opener is always enabled. The rule is placed before the actual filtering rules. When its event has been executed, processing continues with the next rule in the rule set.

Block types from Media Type Blacklist
MediaTypeEnsured at least one in list Media Type Blacklist > Block <MediaType (black list)>
The rule uses the Media.TypeEnsured property to check whether media that have their type ensured with a probability of more than 50% are on the specified blocking list. If they are, processing of all rules stops and the media is not passed on to the user who requested it. Access to it is blocked this way. The action settings specify that the user is notified of the blocking.

Block not detectable data
List.MediaType.IsEmpty (MediaType.Ensured) equals true > Block <MediaType (not detected)>
The rule uses the List.MediaType.IsEmpty property to check whether the type of the media can be found on a list of media types. For the media types on this list, it can be ensured with a probability of more than 50% that filtered media actually have these types. If the media type cannot be found on the list, the media is blocked. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule.
Note: The rule is not enabled initially.

Block not supported archives
MediaType.Ensured at least one in list Archives AND MediaType.IsSupported equals false > Block <MediaType (common)>
The rule uses the Media.TypeEnsured and the MediaType.IsSupported properties to check for media embedded in archives whether the media type is on the specified archive list and whether this type of archive is supported (can be opened on the appliance). If the media is on the list, but not supported, it is blocked. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule. The archive list is a system list and cannot be edited.
Note: The rule is not enabled initially.


Block multimedia files
MediaType.Ensured at least one in list Audio OR MediaType.Ensured at least one in list Video > Block <MediaType (common)>
The rule uses the Media.TypeEnsured property to block multimedia files that are on one of the two specified blocking lists (or on both). These lists are system lists and cannot be edited. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule.
Note: The rule is not enabled initially.

Block streaming media
MediaType.Ensured at least one in list Streaming Media > Block <MediaType (common)>
The rule uses the Media.TypeEnsured property to block streaming media that is on the specified blocking list. This list is a system list and cannot be edited. The process flow for the blocking is the same as with the Block types from Media Type Blacklist rule.
Note: The rule is not enabled initially.


HTML filtering
The appliance filters HTML pages and removes embedded objects from them. This section explains the rules used for HTML filtering and the lists and module settings involved in the filtering process.

HTML filtering rules say which embedded objects are removed and which are kept. They evaluate object types and also use filter lists. They call an opener module to make embedded objects accessible for filtering.

Administering HTML filtering includes the following activities:
Importing and modifying filtering rules: You can import an HTML filtering rule set from the library and modify its rules or create a rule set of your own.
Configuring settings for the HTML opener module: You can configure settings for this module to tell it which object types to open.
Maintaining the filter lists: You can maintain lists of object types for use by the filtering rules.

The filtering rules can remove the following types of objects:
Java applets: Embedded in HTML pages (unlike the stand-alone Java applications); they run, once their certificates are accepted, with all privileges of the current user.
ActiveX controls: Run with all privileges of the user.
Scripts: Include JavaScript, JScript, and Visual Basic Script.
Media types: Include text, audio, image, streaming, and other media types.

For more information, see Rule set for HTML filtering, Module for opening embedded objects, and Sample lists for HTML filtering.

Rule set for HTML filtering


To enable HTML filtering on the appliance, an appropriate rule set must be implemented. This section describes a sample rule set from the library. A rule set for HTML filtering typically contains rules that remove embedded objects, as well as rules that whitelist particular types. An opener rule that calls a module to make embedded objects accessible for filtering and rules that modify requests for objects also belong to such a rule set. After the initial setup, no HTML filtering rule set is implemented on the appliance. You can import the HTML Filtering rule set from the library and modify it according to your requirements or create a rule set of your own. For more information, see Import a rule set and HTML Filtering library rule set.

HTML Filtering library rule set


This section describes in detail the HTML Filtering library rule set. It contains rules for filtering HTML pages and removing embedded objects from them. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set | Criteria | Cycles
HTML Filtering | Always | Requests (and IM), responses, embedded objects

The rule set contains a rule and the following two nested rule sets:
Enable HTML Filtering
HTML Filtering


The following is the rule of the rule set:

Remove Content-Encoding header
Always > Continue Header.RemoveAll (Accept-Encoding)
The rule uses the Header.RemoveAll event to remove the content encoding header from a request. This header is not needed because filtering is only applied to the content, which is eventually sent in unencoded format to the user who requested it. The name of the header is specified by the event parameter. Processing continues with the first rule of the next rule set.

Nested Enable HTML Filtering library rule set

The nested Enable HTML Filtering library rule set prepares HTML filtering by enabling the HTML opener and removing a header element.
Nested library rule set | Criteria | Cycles
Enable HTML Filtering | Always | Requests (and IM) and responses

The rule set contains the following rule:

Enable HTML opener
Always > Continue Enable HTML Opener<HTML Filtering>
The rule enables the HTML opener. The settings of the module are specified with the event. Processing continues with the next rule.

Nested HTML Filtering library rule set

The nested Enable HTML Filtering library rule set removes different types of embedded objects from HTML pages, using a nested rule set for each of the types.
Nested library rule set | Criteria | Cycles
Enable HTML Filtering | MediaType.EnsuredTypes contains text/html | Embedded objects

The rule set contains the following nested rule sets:
Embedded Objects
Embedded Scripts
ActiveX Controls
Note: This rule set is not enabled initially.
Advertising Filter
Note: This rule set is not enabled initially.


Nested Embedded Objects library rule set

The nested Embedded Objects library rule set removes Java applets embedded in HTML pages, as well as other embedded media types if they are on a blocking list. It is processed in the embedded object cycle when these objects are sent with requests or responses.
Nested library rule set | Criteria | Cycle
Embedded Objects | Always | Embedded objects

The rule set contains the following rules:

Java applets
HTMLElement.Name equals APPLET OR (HTMLElement.Name equals OBJECT AND HTMLElement.HasAttribute (codetype) equals true AND HTMLElement.Attribute (codetype) equals application/java) > Remove
The rule uses several HTMLElement ... properties to remove an element from an HTML page if particular values are found to be true for these properties. An element is removed if its name is APPLET or if its name is OBJECT and it has a code type attribute with application/java as its value. Processing of the embedded object cycle then stops and the HTML page is forwarded without the removed element to the user who requested it or to the web if a user attempted to upload it.

Stop if element is not interesting
(HTMLElement.Name does not equal OBJECT AND HTMLElement.Name does not equal embed) OR HTMLElement.HasAttribute (type) equals false > Stop Rule Set
The rule uses several HTMLElement ... properties to check whether an element need not be removed. An element need not be removed if its name is neither OBJECT nor embed or if it has no type attribute at all. Processing of the rule set then stops, so the rule that removes elements from HTML pages (and follows this rule in the rule set) is not processed. Processing continues with the next rule set.

Default action for unlisted media types
HTMLElement.Attribute (type) is not in list Media Type Whitelist
HTMLElement.Attribute (type) is not in list Media Type Blocklist > Stop Rule Set
The rule uses the HTMLElement.Attribute property to check whether an element is of a type that is neither on the relevant whitelist nor the blocking list. In this case, a default action is executed, which for this rule is Stop Rule Set. Processing of the rule set then stops, so the whitelisting and blocking rules for media types that follow in the rule set are not processed. Processing continues with the next rule set.

Handle whitelisted media types
HTMLElement.Attribute (type) is in list Mediatype whitelist
The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a media type whitelist. If it is, the rule applies. Processing of the rule set then stops, so the removing rule that follows this rule in the rule set is not processed. Processing continues with the next rule set.
Note: This rule is not enabled initially.


Handle blacklisted media types
HTMLElement.Attribute (type) is in list Mediatype blacklist > Remove
The rule uses the HTMLElement.Attribute property to check whether the type of an element is on a media type blacklist. If it is, the rule applies and the media type in question is removed from the HTML page. Processing of the embedded objects cycle then stops and the HTML page is forwarded without the removed element to the user who requested it or to the web if a user attempted to upload it.

Nested Embedded Scripts library rule set

The nested Embedded Scripts library rule set removes script code embedded in HTML pages, providing options for keeping some code types. It is processed in the embedded object cycle when this code is sent with requests or responses.
Nested library rule set | Criteria | Cycle
Embedded Scripts | HTMLElement.Name equals SCRIPT | Embedded objects

The rule set contains the following rules:

Variable resetter
Always > Continue Set User-Defined.removeOneScript = false
The rule sets the User-Defined.removeOneScript property to false, so the break rules that follow this rule later in the rule set do not apply. Processing continues with the next rule.
Note: This rule is not enabled initially.

JavaScript
HTMLElement.Script.Type (type) equals text/javascript > Stop Rule Set Set User-Defined.removeOneScript = true
The rule uses the HTMLElement.Script.Type property to check whether an element is of the JavaScript type. If it is, the rule applies. Processing of the rule set then stops, so the rule that removes script code at the end of the rule set is not processed. This way, the embedded script code is kept in the HTML page. Processing continues with the next rule set.
If you want to remove JavaScript code, replace the Stop Rule Set action with the Remove action.
The rule also sets the User-Defined.removeOneScript property to true. This property is evaluated by the break rule that follows this JavaScript rule. When this rule applies with Stop Rule Set or Remove as its action, processing of the rule set is stopped. If you let the rule use an action that does not stop the rule set, you can enable the break rule. It will find that the value for the User-Defined.removeOneScript property is true and stop processing of the rule set accordingly.
To reset the value of the User-Defined.removeOneScript property to false, you need to enable the reset rule at the beginning of the rule set. With this value for the property, the break rules of the rule set will not apply.

Break;
User-Defined.removeOneScript equals true > Stop Rule Set
The rule stops processing of the rule set if the User-Defined.removeOneScript property has true as its value. Processing continues with the next rule set.
Note: This rule is not enabled initially.


JScript
HTMLElement.Script.Type equals text/jscript > Stop Rule Set Set User-Defined.removeOneScript = true
This rule removes or keeps JScript within HTML pages in the same way as the JavaScript rule.

Break;
User-Defined.removeOneScript equals true > Stop Rule Set
This rule works in the same way as the break rule that follows the JavaScript rule.
Note: This rule is not enabled initially.

Visual Basic script
HTMLElement.Script.Type text/vbscript equals vbscript > Stop Rule Set Set User-Defined.removeOneScript = true
This rule removes or keeps JScript within HTML pages in the same way as the JavaScript rule.

Break;
User-Defined.removeOneScript equals true > Stop Rule Set
This rule works in the same way as the break rule that follows the JavaScript rule.
Note: This rule is not enabled initially.

Other scripts
Always > Remove
The rule removes all embedded script code from HTML pages, unless it is kept from doing so by one of the rules preceding it in the rule set. These can stop the rule set before the process reaches the removing rule. They can do so for JavaScript, JScript, and Visual Basic script code if enabled. If you want this to happen for other script code as well, you can add appropriate rules. The break rules of the rule set can also stop it, so that the removing rule is not processed. If the removing rule is processed, it stops processing of the embedded objects cycle. Processing then continues with the next cycle.
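The following Python model is an added example, not McAfee code or appliance configuration: it replays the first-match processing of the Embedded Objects and Embedded Scripts rule sets described above over a constructed HTML page and reports which elements would be removed. All function and variable names are hypothetical; it assumes that element names compare case-insensitively, that the script type is read from the type attribute, that the "not enabled initially" notes refer to the reset and break rules, and that User-Defined.removeOneScript is reset for each element as the reset rule would do when enabled.

```python
from html.parser import HTMLParser

REMOVE, STOP, CONTINUE = "Remove", "Stop Rule Set", "Continue"

def embedded_objects(name, attrs, whitelist=(), blocklist=(),
                     whitelist_rule_enabled=False):
    """Return (rule, action) of the first Embedded Objects rule that applies."""
    name = name.upper()  # assumption: element names compare case-insensitively
    if name == "APPLET" or (name == "OBJECT"
                            and attrs.get("codetype") == "application/java"):
        return "Java applets", REMOVE
    if name not in ("OBJECT", "EMBED") or "type" not in attrs:
        return "Stop if element is not interesting", STOP
    media_type = attrs["type"]
    if media_type not in whitelist and media_type not in blocklist:
        return "Default action for unlisted media types", STOP
    if whitelist_rule_enabled and media_type in whitelist:
        return "Handle whitelisted media types", STOP
    if media_type in blocklist:
        return "Handle blacklisted media types", REMOVE
    # Whitelisted type while the whitelist rule is disabled: no rule applies.
    return "(no rule applied)", CONTINUE

# (rule name, script type) in the order the rules appear in the rule set
SCRIPT_RULES = (("JavaScript", "text/javascript"),
                ("JScript", "text/jscript"),
                ("Visual Basic script", "text/vbscript"))

def embedded_scripts(script_type, actions=None, break_rules_enabled=False):
    """Return (rule, action) for one SCRIPT element."""
    # Library default: each language rule uses Stop Rule Set (script is kept).
    effective = {t: STOP for _, t in SCRIPT_RULES}
    effective.update(actions or {})
    remove_one_script = False  # value the "Variable resetter" rule sets
    for rule, rule_type in SCRIPT_RULES:
        if script_type == rule_type:
            remove_one_script = True  # event attached to the language rule
            if effective[rule_type] in (STOP, REMOVE):
                return rule, effective[rule_type]
        if break_rules_enabled and remove_one_script:
            return "Break", STOP
    return "Other scripts", REMOVE

class _StartTags(HTMLParser):
    """Collect (tag, attributes) for every start tag, in document order."""
    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, {k: (v or "") for k, v in attrs}))

def removed_elements(html, whitelist=(), blocklist=(),
                     whitelist_rule_enabled=False,
                     script_actions=None, break_rules_enabled=False):
    """List the elements of `html` that the two rule sets would remove."""
    parser = _StartTags()
    parser.feed(html)
    removed = []
    for tag, attrs in parser.elements:
        if tag == "script":
            # assumption: HTMLElement.Script.Type mirrors the type attribute
            _, action = embedded_scripts(attrs.get("type", "").lower(),
                                         script_actions, break_rules_enabled)
        else:
            _, action = embedded_objects(tag, attrs, whitelist, blocklist,
                                         whitelist_rule_enabled)
        if action == REMOVE:
            label = attrs.get("type") or attrs.get("codetype") or ""
            removed.append(f"{tag}:{label}")
    return removed

# Constructed sample page (not taken from the product guide).
SAMPLE_PAGE = """
<html><body>
<applet code="Clock.class"></applet>
<object codetype="application/java" classid="java:Clock.class"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<embed type="application/x-shockwave-flash" src="banner.swf">
<embed type="audio/mpeg" src="jingle.mp3">
<script type="text/javascript">var a = 1;</script>
<script type="text/vbscript">x = 1</script>
<script type="text/tcl">set x 1</script>
</body></html>
"""

if __name__ == "__main__":
    # Both media type lists are empty after import, so only applets and
    # unlisted script types are removed.
    print("library defaults:", removed_elements(SAMPLE_PAGE))
    print("with blocklist:  ", removed_elements(
        SAMPLE_PAGE, blocklist={"application/x-shockwave-flash"}))
    print("JavaScript rule set to Remove:", removed_elements(
        SAMPLE_PAGE, script_actions={"text/javascript": REMOVE}))
```

With the imported lists still empty, typed OBJECT and embed elements all fall under the default rule and are kept, and an OBJECT element without a type attribute never reaches the list rules; it is left to the ActiveX Controls rule set, which is not enabled initially.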


Nested ActiveX Controls library rule set

The nested ActiveX Controls library rule set removes ActiveX controls embedded in HTML pages. It is processed in the embedded object cycle when this code is sent with requests or responses.
Note: This rule set is not enabled initially.
Nested library rule set | Criteria | Cycle
ActiveX Controls | Always | Embedded objects

The rule set contains several rules and the nested Filter ActiveX in Scripts rule set.

Nested Advertising Filter library rule set

The nested Advertising Filter library rule set removes advertising elements embedded in HTML pages, such as images, layers, forms, and others. It is processed in the embedded object cycle when this code is sent with requests or responses.
Note: This rule set is not enabled initially.
Nested library rule set | Criteria | Cycle
Advertising Filter | Always | Embedded objects

The rule set contains a rule and the following nested rule sets:
Link Filter
Dimension Filter
Popup Filter
Script Filter


Module for opening embedded objects


A filtering rule in the HTML filtering rule set calls an opener module that opens objects embedded in HTML pages to make them accessible for filtering. This section explains how to configure settings for this module.

Configuring the HTML opener


You can configure settings for the module that opens embedded objects in HTML pages. Complete the following procedure to configure the module:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Enable.HTMLOpener and select the settings you want to configure, for example, HTML Filtering.
3 Configure these settings as needed:
List of objects that the module should open
Setting for opening only objects with external sources
4 Click Save Changes.

For more information on these settings, see Enable HTML Opener engine settings.

Enable HTML Opener engine settings


You can configure the Enable HTML Opener engine settings. These are settings for the module that opens embedded objects in HTML pages to make them accessible for filtering.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

HTML Opener Configuration
Settings for the HTML opener.

(HTML opener list): List of objects embedded in an HTML page that the module should open. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.
Table 6-10 HTML Opener list
Option | Definition
Node name | Type of an object that the HTML opener should open.
Only open start tags | When selected, the HTML opener opens only start tags. These contain the attributes that are checked by the rules.
Comment | Plain-text comment on the element

Only open elements that refer to external sources: When selected, the HTML opener opens only these elements, for example, when pictures are transmitted from an external server. You can select this setting if you think that HTML pages stored on the local server are trustworthy and need not have elements removed.


Sample lists for HTML filtering


You can maintain lists for use by the HTML filtering rules. This section describes some sample lists that are used by the library rules. When you import the HTML Filtering library rule set, these lists are also imported. You can find them on the Lists tab of the Policy top-level menu, sorted by their types and names. For general information on how to maintain lists, see List maintenance.

Media Type Whitelist
List of media types embedded in HTML pages you want to keep.
Type: String
The list is initially empty. The table below describes the list entries.
Table 6-11 Media Type Blacklist
Option | Definition
Media type | Media type that is kept during HTML filtering
Comment | Plain-text comment on the media type

Media Type Blacklist
List of media types embedded in HTML pages you want to remove.
Type: String
The list is initially empty. The table below describes the list entries.
Table 6-12 Upload Media Type Whitelist
Option | Definition
Media type | Media type that is removed by HTML filtering
Comment | Plain-text comment on the media type


Global whitelisting
URLs and other web objects can be placed on global whitelists to let them skip all further filtering. This section explains global whitelisting and describes the library rule set for this function and the list used by its rule.

A global whitelist is used by a rule in a global whitelisting rule set. The rule stops the filtering process for objects it finds on the list. So administering global whitelisting includes the following activities:
Maintaining the global whitelists: You can add objects to these lists and remove them as needed.
Modify the global whitelisting rule set: You can have whitelisting rules for different types of objects in this rule set. You can modify a rule, for example, by replacing the list it uses with another list.

For more information, see Global whitelists and Global Whitelist library rule set.

Global whitelists
You can maintain lists for use by the global whitelisting rules. This section tells you how to add an object to such a list and describes a sample list that is used by a library rule.

Add a URL to a global whitelist


Complete the following procedure to add a URL to a global whitelist:
1 Go to Policy | Lists.
2 On the Lists tree, go to Wildcard Expression and select a global whitelist for URLs, for example, Global White List.
3 Click Add. The Add Wildcard Expression window opens.
4 Type a URL in the Wildcard Expression field.
Note: To add multiple URLs at once, use the Add multiple icon and type every URL in a new line.
5 [Optional] Type a comment on the URL in the Comment field.
6 Click OK. The window closes and the URL appears on the whitelist.
7 Click Save Changes.


Library global whitelist


This section describes a library global whitelist for URLs. When you import the Global Whitelist rule set from the library, this list is also imported. Its name is Global Whitelist.
Note: You can find the list on the Lists tab of the Policy top-level menu, which displays lists sorted by their types and names.

For general information on how to maintain lists, see List maintenance.

Global Whitelist
List of URLs that are allowed to skip all further filtering
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.
Table 6-13 Global Whitelist
Option | Definition
Wildcard Expression | URL that is allowed to skip all further filtering (in Wildcard Expression format)
Comment | Plain-text comment on the URL

Rule set for global whitelisting


This section explains what a global whitelisting rule set does and describes a sample rule set from the library.

A rule set for global whitelisting contains at least one whitelisting rule for a particular object type, for example, for URLs. This rule uses a list to stop the current filtering cycle for objects that are on it.

The rule set is typically placed at the beginning of a rule set system and before the rule sets that do virus and malware filtering, URL filtering, and other filtering jobs. This way, none of these rule sets is processed in the current cycle when the whitelisting rule or rules of the global whitelisting rule set apply. The impact of the rule set is then truly global because it does not disable only a particular kind of filtering, but all filtering that would have been executed after it in the process.

Global Whitelist library rule set


This section describes in detail the Global Whitelist library rule set. The rule in this rule set lets URLs skip all further filtering. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set | Criteria | Cycle
Global Whitelist | Always | Requests (and IM), responses, embedded objects

The rule set contains the following rule:

Do not filter URLs in GlobalWhiteList
URL matches in list GlobalWhiteList > Stop Cycle
The rule uses the URL property to check whether a URL is on the specified whitelist. If it is, the rule applies and stops the current processing cycle. In the request cycle, this means that a request to access the URL is forwarded to the appropriate web server. In the response cycle, the URL sent in response from a web server is forwarded to the user who requested it. In the embedded object cycle, the embedded object in question is also forwarded.


SSL scanning
SSL-secured requests can be inspected by an SSL scanning module before other appliance functions filter them. This section explains the SSL scanning process and tells you how you can modify it.

The rules in the rule set for SSL scanning call an SSL scanning module to let it verify the certificates sent with SSL-secured requests. If certificate verification does not lead to blocking a request, the rules call the module to enable content inspection and have the request filtered by the other implemented rule sets. The rules also handle the CONNECT request that SSL-secured communication begins with if it does not use the transparent mode. Whitelists of hosts and certificates can be used to skip certificate verification and content inspection.

Administering the SSL scanning process includes the following activities:
Configuring the module settings: You can configure settings for the SSL scanning module that verifies certificates and enables content inspection, as well as for two other modules that deal with certificates.
Maintaining the SSL scanning lists: You can maintain the whitelists used by the SSL scanning rules to let requests skip certificate verification or content inspection and also some other lists used in the process.
Modifying the SSL scanning rule set: You can review the rules in this rule set and modify them. The rules of the library SSL Scanner rule set are explained in detail in this section to show how the SSL scanning process works.

For more information, see Settings for the SSL scanning modules, SSL scanning lists, and Rule set for SSL scanning.

Settings for the SSL scanning modules


The SSL scanning rules call several modules to execute jobs that are related to SSL scanning. This section tells you how to configure these modules. You can configure the following modules:
Enable SSL Scanner: This module enables certificate verification and content inspection, which are the key jobs in SSL scanning on the appliance. Typically, there are separate settings for the module when it is called to do certificate verification and when it is called to enable content inspection.
Enable SSL Client Context: This module handles the sending of a certificate from the appliance to a client and other parameters. After the initial setup, the module uses a certificate issued by a default root certificate authority (CA) that is implemented on the appliance. It is recommended that you generate your own root CA, using the options provided for this with the module settings.
Certificate Chain: This module handles the addition of certificate authorities to form a chain, using a list to add certificates from. You can add certificate authorities to this list and edit them.


Configure the SSL scanning module


This section tells you how to configure the module that does the main jobs in SSL scanning. Complete the following procedure to configure the module:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Enable SSL Scanner and select the settings you want to configure, for example, Default Certificate Verification.
3 Configure settings for encrypting traffic and the SSL session cache.
4 Click Save Changes.

For more information, see Enable SSL Scanner engine settings.

Configure the client certificate module


This section tells you how to configure the module that deals with the certificates the appliance sends its clients in SSL-secured communication. Complete the following procedure to configure the module:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Enable SSL Client Context and select the settings you want to configure, for example, Default CA.
3 Configure settings for certificate authorities, encryption and the session cache.
4 Click Save Changes.

For more information, see Enable SSL Scanner engine settings.

Configure the certificate chain module


This section tells you how to configure the module that deals with the certificates that can be added to form a certificate chain. Complete the following procedure to configure the module:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Certificate Chain and select the settings you want to configure, for example, Default.
3 Configure settings for the certificate authorities that are on the list for setting up a certificate chain.
4 Click Save Changes.

For more information, see Import a certificate authority and Enable SSL Scanner engine settings.


Import a certificate authority


This section tells you how to import a certificate authority (CA) and add it to a list of known certificate authorities. Complete the following procedure to import and add a certificate authority:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Certificate Chain and select the settings you want to configure, for example, Default.
3 Select a list of certificate authorities and click Edit. The Edit List (Certificate Authority) window opens.
4 Click Add. The Add Certificate Authority window opens.
5 [Optional] Type the name of a certificate revocation list (CRL) in the input field provided here and select or deselect Trusted, according to the status the new certificate authority should have.
6 Click Import. A window opens to let you access your file system.
7 Browse to the file for the certificate authority you want to import and click Open. The window closes and information on the new certificate authority appears in the Add Certificate Authority window.
8 Click OK. The window closes and the new certificate authority appears on the list in the Edit List (Certificate Authority) window.
9 Click OK. The Edit List (Certificate Authority) window closes.
10 Click Save Changes.

Enable SSL Scanner engine settings


You can configure the Enable SSL Scanner engine settings. These are the settings for the module that the SSL scanning rules call to verify certificates and enable content inspection in SSL-secured communication.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Enable SSL Scanner
Settings for the Enable SSL Scanner module

Server cipher list: String of Open SSL symbols used for decrypting server data. The module uses different strings to do the default certificate verification and a special kind of verification for certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
SSL session cache TTL: Time (in seconds) for keeping the parameter values of an SSL-secured session in the cache.
Certificate verification: When selected, the module verifies certificates.
Content inspection: When selected, the module enables the inspection of SSL-secured content.


Enable SSL Client Context engine settings


You can configure the Enable SSL Client Context engine settings. These are the settings for the module that deals with the certificates the appliance sends to its clients.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Define SSL Client Enable SSL Scanner
Settings for the Enable SSL Client Context module

Current root CA: Parameters and values of the root CA that is currently in use on the appliance. It is recommended that you generate your own root CA. Use the Generate New button and the other buttons provided here to do this.
Send certificate chain: When selected, the appliance sends a certificate chain (rather than a single certificate) to its clients.
Certificate chain: Input field for entering the certificate chain
Server cipher list: String of Open SSL symbols used for decrypting server data. The module uses different strings to do the default certificate verification and a special kind of verification for certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
SSL session cache TTL: Time (in seconds) for keeping the parameter values of an SSL-secured session in the cache.

Certificate Chain engine settings


You can configure the Enable SSL Client Context engine settings. These are the settings for the module that deals with the certificates the appliance sends to its clients.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Certificate Verification
Settings for the Certificate Chain module
List of certificate authorities: List of the certificate authorities that can be used to configure a certificate chain.
The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 6-14 Certificate Authorities list
Option: Definition
Certificate: Name of a certificate
Certificate revocation list: List with information on when the certificate becomes invalid and URI used to access it
Trusted: Information on whether the certificate is trusted on the appliance
Comment: Plain-text comment on the certificate


SSL scanning lists


This section describes some sample SSL scanning lists. The lists are used by the rules of the library SSL Scanner rule set. When you import this rule set, the lists are also imported.
Note: You can find them on the Lists tab of the Policy top-level menu, which displays lists sorted by their types and names.

For general information on how to maintain lists, see List maintenance.

Allowed CONNECT Ports
List of ports that are allowed CONNECT ports on destination servers
Type: Number
Initial entry: 443 (Default HTTPS port)
The table below describes the list entries.
Table 6-15 Allowed CONNECT Ports list
Option: Definition
Number: Number of a port that is an allowed CONNECT port on a destination server.
Comment: Plain-text comment on the port.

Certificate White List
List of certificates that are not verified by the SSL scanning module
Type: Host and Certificate
The list is initially empty. The table below describes the list entries.
Table 6-16 Certificate White List
Option: Definition
Certificate: Name of a whitelisted certificate
Host: Host that the certificate proves to be trustworthy (in regular expression format).
Comment: Plain-text comment on the certificate

No-EDH Server
List of hosts that are non-EDH servers. When requests are sent from these hosts, the SSL scanning module verifies the certificate with special settings.
Type: String
The list is initially empty. The table below describes the list entries.
Table 6-17 No-EDH Server list
Option: Definition
String: Host name of a non-EDH server
Comment: Plain-text comment on the server


SSL Inspection White List
List of hosts. For requests sent to these hosts, the SSL scanning module does not enable content inspection.
Type: Wildcard Expression
The list is initially empty. The table below describes the list entries.
Table 6-18 SSL Inspection White List
Option: Definition
Wildcard expression: Name of a whitelisted host (in regular expression format including also wildcards)
Comment: Plain-text comment on the host

Rule set for SSL scanning


To use SSL scanning on the appliance, an appropriate rule set must be implemented. This section describes a sample rule set from the library. A rule set for SSL scanning contains rules for handling the different types of requests that a client sends to the appliance in SSL-secured communication and for enabling certificate verification and content inspection. Other rules whitelist requests if, for example, the host or the certificate that a request is related to is on a whitelist.

SSL Scanner library rule set


This section describes in detail the SSL scanner library rule set. It contains rules for filtering HTML pages and removing embedded objects from them. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set: SSL Scanner
Criteria: Always
Cycle: Requests (and IM)

The following rule sets are nested in this rule set:
Handle Connect Call
Certificate Verification
Verify Common Name (proxy setup)
Content Inspection
Verify Common Name (transparent setup)


Nested Handle Connect Call library rule set


This rule set handles the CONNECT call in SSL-secured communication and enables certificate verification.
Nested library rule set: Handle Connect Call
Criteria: Command.Name equals CONNECT
Cycle: Requests (and IM)

The rule set contains the following rules:

Set client context
Always > Continue Enable SSL Client Context<Default CA>
The rule enables the use of a server certificate that is sent to a client. The event settings specify the McAfee Web Gateway root certificate authority (CA) as the default issuer of this certificate.

Tunneled hosts
URL.Host is in list SSL Host Tunnel List > Stop Cycle
The rule lets requests for access to hosts with a URL that is on the specified whitelist skip SSL scanning.

Restrict destination ports to allowed CONNECT ports
URL.Port is not in list Allowed Connect Ports > Block<Connect not allowed>
The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports. The action settings specify a message to the requesting user.

Enable certificate verification without EDH for hosts in no-EDH server list
URL.Host is in list No-EDH server > Stop Rule Set Enable SSL Scanner<Certificate Verification without edh>
The rule enables the certificate verification for requests sent from a host on the no-EDH (Ephemeral Diffie-Hellman) server list. The event settings specify running in verification mode for the SSL scanning module and a special cipher string for data encryption on non-EDH hosts.

Enable certificate verification
Always > Stop Rule Set Enable SSL Scanner<Default certificate verification>
The rule enables certificate verification. The event settings specify that the SSL scanning module runs in verification mode.


Nested Certificate Verification library rule set


This rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted certificates skip verification and blocks others according to particular criteria.
Nested library rule set: Certificate Verification
Criteria: Command.Name equals CERTVERIFY
Cycle: Requests (and IM)

The rule set contains the following rules:

Skip verification for certificates found in Certificate Whitelist
Certificate.SSL.HostAndCertificate is in list Certificate Whitelist > Stop Rule Set
The rule lets whitelisted certificates skip verification.

Block self-signed certificates
Certificate.SSL.SelfSigned equals true > Block <Certificate incident>
The rule blocks requests with self-signed certificates. The action settings specify a message to the requesting user.

Block expired server (7 day tolerance) and expired CA certificates
Certificate.SSL.DaysExpired greater than 7 OR CertificateChain.SSL.ContainsExpiredCA<Default> equals true > Block <Certificate incident>
The rule blocks requests with expired server and CA certificates. The action settings specify a message to the requesting user.

Block too long certificate chains
CertificateChain.SSL.PathLengthExceeded<Default> equals true > Block <Certificate incident>
The rule blocks a certificate chain if it exceeds the path length. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.

Block revoked certificates
CertificateChain.SSL.ContainsRevoked<Default> equals true > Block <Certificate incident>
The rule blocks a certificate chain if one of the included certificates has been revoked. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.

Block unknown certificate authorities
CertificateChain.SSL.FoundKnownCA<Default> equals false > Block <Certificate incident>
The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included certificates is a known CA. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.

Block untrusted certificate authorities
CertificateChain.SSL.FirstKnownCAIsTrusted<Default> equals false > Block <Certificate incident>
The rule blocks a certificate chain if the first known CA that was found is not trusted. The settings in the property specify a list for the module that checks the certificate authorities. The action settings specify a message to the requesting user.
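The following Python sketch is an added example, not code from the product or from this guide. It models the order in which the Certificate Verification rules above are evaluated, so you can see which rule decides for a given chain. The way the properties are derived from the chain, the list shapes, the path length limit and all sample data are assumptions made for the example.

```python
import re
from datetime import date

# Constructed appliance-side data; the shapes are assumptions modelled on
# Table 6-14 (CA name -> trusted flag) and Table 6-16 (host regex, certificate).
KNOWN_CAS = {"Example Root CA": True, "Legacy Root CA": False}
CERTIFICATE_WHITELIST = [(r"intranet\.example\.com", "intranet-selfsigned")]
MAX_PATH_LENGTH = 4  # assumed limit; the guide does not give a value


def chain_properties(chain, today):
    """Derive the rule properties from a chain ordered leaf first (assumed logic)."""
    leaf = chain[0]
    # Walk the issuers upwards from the leaf and keep those on the CA list.
    known = [c["issuer"] for c in chain if c["issuer"] in KNOWN_CAS]
    return {
        "SelfSigned": leaf["subject"] == leaf["issuer"],
        "DaysExpired": max((today - leaf["not_after"]).days, 0),
        "ContainsExpiredCA": any(c["not_after"] < today for c in chain[1:]),
        "PathLengthExceeded": len(chain) > MAX_PATH_LENGTH,
        "ContainsRevoked": any(c["revoked"] for c in chain),
        "FoundKnownCA": bool(known),
        "FirstKnownCAIsTrusted": bool(known) and KNOWN_CAS[known[0]],
    }


def certificate_verification(host, chain, today):
    """Apply the rules in the order of the rule set; the first hit decides."""
    leaf = chain[0]
    # Whitelisted certificates leave the rule set before any check runs.
    for host_regex, certificate in CERTIFICATE_WHITELIST:
        if certificate == leaf["subject"] and re.fullmatch(host_regex, host):
            return "stop rule set: whitelisted certificate"
    p = chain_properties(chain, today)
    rules = [
        ("self-signed certificate", p["SelfSigned"]),
        ("expired server or CA certificate",
         p["DaysExpired"] > 7 or p["ContainsExpiredCA"]),
        ("certificate chain too long", p["PathLengthExceeded"]),
        ("revoked certificate", p["ContainsRevoked"]),
        ("unknown certificate authority", not p["FoundKnownCA"]),
        ("untrusted certificate authority", not p["FirstKnownCAIsTrusted"]),
    ]
    for reason, applies in rules:
        if applies:
            return "block: " + reason
    return "continue: no rule applied"


def cert(subject, issuer, not_after, revoked=False):
    return {"subject": subject, "issuer": issuer,
            "not_after": not_after, "revoked": revoked}


TODAY = date(2010, 6, 15)  # constructed evaluation date
ISSUING = cert("Example Issuing CA", "Example Root CA", date(2015, 1, 1))
SELF_SIGNED = [cert("intranet-selfsigned", "intranet-selfsigned", date(2012, 1, 1))]


def run_samples():
    """Evaluate constructed chains and return the deciding rule for each."""
    def server(not_after, issuer="Example Issuing CA", revoked=False):
        return cert("www.example.com", issuer, not_after, revoked)
    check = certificate_verification
    later = date(2011, 1, 1)
    return {
        "valid": check("www.example.com", [server(later), ISSUING], TODAY),
        "expired 5 days": check("www.example.com", [server(date(2010, 6, 10)), ISSUING], TODAY),
        "expired 8 days": check("www.example.com", [server(date(2010, 6, 7)), ISSUING], TODAY),
        "self-signed, whitelisted host": check("intranet.example.com", SELF_SIGNED, TODAY),
        "self-signed, other host": check("files.example.com", SELF_SIGNED, TODAY),
        "untrusted CA": check("www.example.com", [server(later, "Legacy Root CA")], TODAY),
        "unknown CA": check("www.example.com", [server(later, "Unlisted CA")], TODAY),
        "revoked, unknown CA": check("www.example.com", [server(later, "Unlisted CA", True)], TODAY),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} {verdict}")
```

Two results are worth checking against your own policy: a server certificate that expired five days ago still passes because of the 7-day tolerance, and a whitelisted certificate skips every later check, including the revocation check.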


Nested Verify Common Name (proxy setup) library rule set

This rule set verifies the common name in a certificate. It applies only to requests sent in non-transparent mode.
Nested library rule set: Verify Common Name (proxy setup)
Criteria: Connection.TransparentSSL equals false
Cycle: Requests (and IM)

The rule set contains the following rules:

Allow matching hostname
URL.Host equals Certificate.SSL.CN > Stop Rule Set
The rule allows a request if the URL of the requested host is the same as the common name in the certificate.

Allow wildcard certificates
Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) > Stop Rule Set
The rule allows requests to hosts sending certificates that have wildcards in their common names matching the URLs of the hosts. To verify that a common name containing wildcards matches a host, this name is converted into a regular expression.

Allow alternative common names
URL.Host is in list Certificate.SSL.AlternativeCNs > Stop Rule Set
The rule allows requests to hosts whose certificates contain alternative common names if the host matches at least one of them.

Block incident
Always > Block <Common name mismatch>
If any of the rules for allowing matching common names applies, processing of the rule set stops and this rule is not processed. Otherwise, requests are blocked by this rule due to a common name mismatch. The action settings specify a message to the requesting user.

Nested Verify Common Name (transparent setup) library rule set


This rule set verifies the common name in a certificate. It applies only to requests sent in transparent mode.
Nested library rule set: Verify Common Name (transparent setup)
Criteria: Connection.TransparentSSL equals true AND Command.Name does not equal CONNECT AND Command.Name does not equal CERTVERIFY
Cycle: Requests (and IM)

The rules of the rule set check the same criteria to verify a common name as those of the Verify Common Name rule set for the non-transparent mode. However, in the non-transparent mode the host name to be checked is taken from the CONNECT request, which is not sent under the transparent mode. In transparent mode, the host name is just taken from the request that is sent. For more information, see Nested Verify Common Name (proxy setup) library rule set.
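The following Python sketch is an added example, not the product's implementation. It evaluates the four Verify Common Name rules in their documented order and shows why the conversion of a wildcard common name into a regular expression has to escape dots and match the whole host name. How the appliance's ToRegex property converts a name is not described in this guide, so the strict conversion below is an assumption, and the host names are constructed.

```python
import re


def cn_to_regex(cn):
    """Turn a common name with wildcards into a regex for a whole host name.

    Assumption (not documented in the guide): '*' covers one DNS label or
    part of one and never crosses a dot; all other characters match literally.
    """
    literal_parts = [re.escape(part) for part in cn.lower().split("*")]
    return re.compile(r"[^.]+".join(literal_parts))


def naive_cn_match(cn, host):
    """Weak conversion shown for comparison only: '*' becomes '.*', dots stay
    unescaped and the match is not anchored at the end of the host name."""
    return re.match(cn.lower().replace("*", ".*"), host.lower()) is not None


def verify_common_name(host, cn, alternative_cns=()):
    """Evaluate the four rules in order; the first rule that applies decides."""
    host = host.lower().rstrip(".")
    # Allow matching hostname: URL.Host equals Certificate.SSL.CN
    if host == cn.lower():
        return "stop rule set: matching hostname"
    # Allow wildcard certificates: CN has wildcards AND host matches its regex
    if "*" in cn and cn_to_regex(cn).fullmatch(host):
        return "stop rule set: wildcard certificate"
    # Allow alternative common names: plain list membership, as in the rule
    if host in [name.lower() for name in alternative_cns]:
        return "stop rule set: alternative common name"
    # Block incident: reached only when no allow rule applied
    return "block: common name mismatch"


# Constructed sample requests: (host, common name, alternative common names)
SAMPLES = [
    ("www.example.com", "www.example.com", []),
    ("mail.example.com", "*.example.com", []),
    ("a.b.example.com", "*.example.com", []),
    ("example.com", "*.example.com", []),
    ("www.example.com.other.invalid", "*.example.com", []),
    ("api.example.net", "www.example.com", ["api.example.net"]),
]


def run_samples():
    return [verify_common_name(host, cn, alts) for host, cn, alts in SAMPLES]


if __name__ == "__main__":
    for (host, cn, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{host:32} CN={cn:18} {verdict}")
    # The weak conversion accepts a host that merely starts with the pattern.
    print(naive_cn_match("*.example.com", "www.example.com.other.invalid"))
```

With the strict conversion the host www.example.com.other.invalid is blocked, while the weak conversion accepts it; this is the case to test when you review how a wildcard rule behaves.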


Nested Content Inspection library rule set


This rule set completes the handling of a CERTVERIFY call. It lets some requests skip content inspection according to particular criteria and enables inspection for all others.
Nested library rule set: Content Inspection
Criteria: Command.Name equals CERTVERIFY
Cycle: Requests (and IM)

The rule set contains the following rules:

Skip content inspection for hosts found in SSL Inspection Whitelist
Connection.SSL.Transparent equals false AND URL.Host matches in list SSL Inspection Whitelist > Stop Rule Set
The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in non-transparent mode.

Skip content inspection for CN found in SSL Inspection Whitelist
Connection.SSL.Transparent equals true AND Certificate.SSL.CN matches in list SSL Inspection Whitelist > Stop Rule Set
The rule lets requests with whitelisted common names in their certificates skip content inspection. It applies only in transparent mode.
Note: This rule is not enabled initially.

Do not inspect connections with client certificates
Connection.Client.CertificateIsRequested equals true > Stop Rule Set
The rule lets requests skip inspection if they require the use of client certificates.
Note: This rule is not enabled initially.

Enable content inspection
Always > Continue Enable SSL Scanner<Enable content inspection>
The rule enables content inspection. The event settings specify that the SSL scanning module runs in inspection mode. If any of the rules for skipping content inspection applies, processing of the rule set stops and this last rule, which enables the inspection, is not processed. Otherwise, content inspection is enabled by this rule.


Supporting functions
Some functions on the appliance do not filter web objects or users, but support the filtering process in various ways. This section explains some of these functions. You can use them to do, for example, the following:
Count user requests: You can count the number of requests for web access sent by individual users of your network.
Show download progress: You can configure methods to show users the progress made in downloading web objects.
Route requests through next-hop proxies: When requests are directed at internal destinations, you can use these proxies to route them.
For more information, see Billing, Progress Indication, and Next-hop proxies.

Billing
User requests for web access can be counted on the appliance in a process known as billing. This section explains how to implement and maintain this process.
When the process is implemented, a rule in a billing rule set calls a module that increments a counter every time a user sends a request for web access to the appliance. Administering this process on the appliance includes the following activities:
Implementing a billing rule set: A rule set with billing rules is not implemented on the appliance after the initial setup. You can import a rule set from the library or create a rule set of your own.
Creating billing rules: The library rule set contains rules that count requests by two dummy users, based on the IP address ranges of the clients that the requests are sent from. You need a separate billing rule for every user whose requests you want to count.
Configuring settings for the billing module: When a counter needs to be incremented, the billing rule calls the Statistics module. The rule specifies settings for the module, which include a list of counters. The rule also specifies the counter on the list that the module must increment. When you import the library rule set, module settings are also imported. You can configure these settings, adding as many counters to the list as you need for counting your user requests.
For more information, see Import a rule set, Billing library rule set, Add a request counter, and Add a billing rule.


Billing library rule set


This section describes in detail the Billing library rule set. It contains rules that count how many requests for web access the users of your network send to the appliance. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set: Billing
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rules:

Count customer one requests
Client.IP is in range 10.0.0.0 - 10.0.225.255 > Continue Execute IncrementCounter (customer one request count, 1) <default custom counters>
The rule uses the Execute IncrementCounter event to increment a counter for each request sent from a client with an IP address in the specified range. The event parameters specify the name of the counter and the increment. The event settings specify the list on which the counter can be found. Processing continues with the next rule.

Count customer two requests
Client.IP is in range 10.149.0.0 - 10.149.255.255 > Continue Execute IncrementCounter (customer two request count, 1) <default custom counters>
The rule lets a counter be incremented in the same way as the first rule, but for a different IP address range.

Add a request counter


When you create a billing rule, you need to let it use its own request counter. This section tells you how to add one to the list of counters. Complete the following procedure to add a request counter:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Statistics and select the settings you want to add a counter to, for example, the default custom counters settings.
3 Above the list of user defined counters, click Add. The Add Counter Definition window opens.
4 In the Name field, type a name for the new counter, for example, customer three requests count. Then click OK. The window closes and the new counter appears on the list.
5 Click Save Changes.

For more information, see Statistics engine settings.


Statistics engine settings


You can configure the Statistics engine settings. These are settings of the module that increments counters for user requests.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Statistics User Defined Counters
Settings for the billing module.
List of user-defined counters: List of counters for counting user requests
The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 6-19 List of user-defined counters
Option: Definition
Name: Name of a counter, for example, customer one request count
Comment: Plain-text comment on the counter

Add a billing rule


In the billing rule set, you need a separate rule for every user whose requests for web access you want to count, and you need a counter for every user. You can configure counters under the settings for the billing module. Complete the following procedure to add counters:
1 Go to Policy | Rule Sets.
2 On the Rule Sets tree, select the implemented billing rule set, for example, the Billing library rule set. The rules of this rule set appear on the settings pane.
3 Select an existing rule, for example, Count customer one requests, and click Copy.
4 Click Paste. The rule is inserted below the last rule.
5 Click Edit. The Edit Rule window opens.
6 Modify the copied rule as follows:
a Select the Name step of the window and type, for example, Count customer three requests as the new rule name.
b Select Rule Criteria, select the criteria, and click Edit. The Edit Criteria window opens.
c Under Parameter (IP Range), type the IP address range of a client and click OK. The rule then counts user requests sent from this client.
d Select Events, select the event, and click Edit. The Edit Event window opens.
e Click Parameters. The Property Parameters window opens.
f Under Parameter 1, type the name of the counter the billing module should use, for example, customer three requests count. Leave Parameter 2 (the increment) and the settings as they are.
g Click OK twice and then Finish to close the open windows.
7 Click Save Changes.


Progress Indication
The progress made in downloading objects from the web can be shown to users in different ways. This section explains how to configure the methods for showing this progress.
It depends on the user's browser which method of progress indication is appropriate. Accordingly, the rules of a progress indication rule set call different modules that use one or the other method to show download progress. Administering progress indication on the appliance includes the following activities:
Make sure a progress indication rule set is implemented: The rule set that is implemented as part of the default system contains rules calling a module that displays a progress page for Mozilla browsers and another module that uses data trickling for all others. You can also create a rule set of your own and let it contain different rules.
Configuring the settings of the progress indication modules: When the default rule set is implemented, module settings are also available. You can modify the settings of the module that executes data trickling and of the one that uses a progress page.
For more information, see Default Progress Indication rule set and Configure the progress indication modules.

Default Progress Indication rule set


This section describes in detail the default Progress Indication rule set. It contains rules that enable a progress page or data trickling to show download progress to users. For general information on understanding and handling rules, see Rules and Rule Sets.
Default rule set: Progress Indication
Criteria: MediaType.FromHeader does not equal text/htm
Cycle: Responses

The rule set contains the following rules:

Progress Page
Header.Request.Get (User-Agent) matches *(Mm)ozilla* > Stop Rule Set Enable Progress Page <Default>
The rule enables a progress page for Mozilla browsers. The event settings specify what the progress page looks like, for example, the language it uses.

Data Trickling
Always > Stop Rule Set Enable Data Trickling<Default>
The rule enables data trickling for all browsers that are not Mozilla. The event settings specify the chunk and block sizes used for the trickling.


Configure the progress indication modules


When the default rule set for progress indication is implemented, settings for two modules that use different methods of progress indication are also implemented. Complete the following procedure to configure these settings:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Enable.DataTrickling or Enable.Progress Page and select the settings you want to configure, for example, Default.
3 Configure these settings as needed.
Data trickling: For all browsers that are not Mozilla. You can configure the size of the first chunk, the block size, and other settings.
Progress page: For Mozilla browsers. You can configure a page for the progress bar, a page for download completion, and other settings. Templates are used to provide these two pages. You can configure them in the same way as the templates for user messages.
4 Click Save Changes.

For more information, see Enable Data Trickling engine settings, Enable Progress Page engine settings, and User messages.

Enable Data Trickling engine settings


You can configure the Enable Data Trickling engine settings. These are the settings of the module that uses the data trickling method for progress indication.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Data Trickling Parameters
Settings for chunks and blocks used in data trickling
Size of first chunk (in bytes)
Block size (in bytes)
Trickle bytes per block size (in bytes)
Enable data trickling during scan: When selected, the scanning of an object that is being downloaded can begin while the download is not yet complete and data trickling is still going on.

Enable Progress Page engine settings


You can configure the Progress Page engine settings. These are the settings of the module that uses the progress page method for progress indication.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Progress Page Parameters
Settings for templates and timeouts
Templates: Settings for progress page templates
Language: Language of a progress page
Template collection: List of template collections for different settings, for example, Default.
Template name for progress bar page: List of templates
Template name for download finished page: List of templates
Timeout: Settings for the availability of objects
Time a file is available before download by user (in minutes)
Time a file is available after successful download by user (in minutes)


Next-hop proxies
The appliance can use next-hop proxies for routing client requests to internal destinations. This section explains how to implement and configure these proxies.
When next-hop proxies are implemented, a rule in a corresponding rule set uses a module to call proxies that are on a list when an internal request is received. Administering next-hop proxies on the appliance includes the following activities:
Implementing a next-hop proxy rule set: A rule set with a rule for using next-hop proxies is not implemented on the appliance after the initial setup. You can import a rule set from the library or create a rule set of your own.
Maintaining a list of next-hop proxy servers: When you import the next-hop proxy rule set, a server list is also imported, which is initially empty and must be filled by you. You can also create more than one list and use them for routing in different situations.
Configuring settings for the next-hop proxy module: Settings for the next-hop proxy module are also imported with the library rule set. You can configure these settings to let the module use a particular next-hop proxy list and to determine the mode of calling the proxies (round-robin or fail-over).
For more information, see Next-hop proxy modes, Import a rule set, Fail-over mode, and c.

Next-hop proxy modes


When multiple servers are available as next-hop proxies for routing requests, the next-hop proxy module can use two modes to call them: round-robin and fail-over.
When routing a request in round-robin mode, the next-hop proxy module calls the server that follows the one called last time on the list. The next request is handled in the same way, so all servers on the list are eventually used as next-hop proxies.

Figure 6-1 Round-robin mode


When routing a request in fail-over mode, the next-hop proxy module calls the first server on the list. If the server fails to respond, the call is repeated until the configured number of retries is reached. Only then is the next server in the list tried. It is called in the same way as the first, and eventually the next server in the list is tried. This is continued until a server responds or all servers in the list were found to be unavailable.

Figure 6-2 Fail-over mode
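The following Python sketch is an added example, not code from the product. It simulates the two calling modes described above, using the Number of retries and Wait time after failure fields of a next-hop proxy list entry. The proxy names and values are constructed, the connection attempt is a stand-in function, and the choice not to wait before switching to the next server is an assumption.

```python
import time

# Constructed list entries with the fields that matter for routing.
PROXIES = [
    {"identifier": "proxy-a", "retries": 3, "wait": 5},
    {"identifier": "proxy-b", "retries": 2, "wait": 5},
    {"identifier": "proxy-c", "retries": 2, "wait": 5},
]


class RoundRobin:
    """Each request goes to the entry after the one used last time."""

    def __init__(self, proxies):
        self.proxies = proxies
        self.last = -1  # nothing used yet, so the first request gets entry 0

    def next_proxy(self):
        # Wrap around to the first entry when the end of the list is reached.
        self.last = (self.last + 1) % len(self.proxies)
        return self.proxies[self.last]["identifier"]


def round_robin_sequence(requests):
    """Identifiers chosen for a number of consecutive requests."""
    selector = RoundRobin(PROXIES)
    return [selector.next_proxy() for _ in range(requests)]


def fail_over(proxies, connect, sleep=time.sleep):
    """Try the list from the top; move on only when an entry's attempts are used up.

    connect(proxy) -> bool stands in for the real connection attempt.
    Returns (identifier or None, attempt log, seconds spent waiting).
    """
    log, waited = [], 0
    for proxy in proxies:
        for attempt in range(1, proxy["retries"] + 1):
            responded = connect(proxy)
            log.append((proxy["identifier"], attempt, responded))
            if responded:
                return proxy["identifier"], log, waited
            if attempt < proxy["retries"]:  # assumed: no wait before switching
                sleep(proxy["wait"])
                waited += proxy["wait"]
    return None, log, waited


def simulate(down):
    """Run fail-over with a constructed set of unavailable proxies, without sleeping."""
    return fail_over(PROXIES, lambda p: p["identifier"] not in down,
                     sleep=lambda seconds: None)


if __name__ == "__main__":
    print(round_robin_sequence(5))
    for down in (set(), {"proxy-a"}, {"proxy-a", "proxy-b", "proxy-c"}):
        chosen, log, waited = simulate(down)
        print(f"down={sorted(down)} chosen={chosen} attempts={len(log)} waited={waited}s")
```

The waited value shows how much delay a request accumulates in fail-over mode before a working server is found, which is the figure to weigh when you set the number of retries and the wait time.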

Next Hop Proxy library rule set


This section describes in detail the Next Hop Proxy library rule set. It contains a rule for routing internal requests through internal next-hop proxies. For general information on understanding and handling rules, see Rules and Rule Sets.
Rule set: Next Hop Proxy
Criteria: Always
Cycle: Requests (and IM)

The rule set contains the following rule:

Use internal proxy for internal host
URL.Destination.IP is in range 10.0.0.0 - 10.255.255.255 > Continue Enable Next Hop Proxy<Internal Proxy>
The rule lets internal next-hop proxies route requests when a URL has a destination IP address in the specified range. The event settings specify settings that include the next-hop proxy list and the mode for calling proxies.


Library next-hop proxy list


This section describes a library next-hop proxy list. When you import the Next Hop Proxy rule set from the library, this list is also imported. Its name is Internal Proxies.
Note: You can find the list on the Lists tab of the Policy top-level menu, which displays lists sorted by their types and names.

For general information on how to maintain lists, see List maintenance.

Internal Proxies list
List of servers that the appliance can use as next-hop proxies
Type: Next Hop Proxy
The list is initially empty. The table below describes the list entries.
Table 6-20 Internal Proxies list
Option: Definition
Identifier: Unique name given to a next-hop proxy
Host: Host name or IP address of the next-hop proxy.
Port: Number of the port used by the next-hop proxy for listening to requests sent by the appliance
User: User name submitted on the appliance for logon to the next-hop proxy
Password: Password submitted on the appliance for logon under the above user name
Number of retries: Number of attempts made by the appliance to connect to the next-hop proxy before another server is tried
Wait time after failure: Time (in seconds) the appliance waits after an unsuccessful attempt to connect to the next-hop proxy before it tries again.
Comment: Plain-text comment on the next-hop proxy

Configure next-hop proxy settings


You can configure the settings of the module that calls next-hop proxies. Complete the following procedure to configure these settings:
1 Go to Policy | Settings.
2 On the Engines branch of the Settings tree, go to Enable Next Hop Proxy and select the settings you want to configure, for example, the Internal Proxies settings.
3 Configure a list to call the next-hop proxies from and the calling mode (round robin or fail over).
4 Click Save Changes.

For more information on these settings, see Enable SSL Scanner engine settings.


Next Hop Proxy engine settings


You can configure the Next Hop Proxy engine settings. These are the settings of the module that calls next-hop proxies to route internal requests.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Next-hop proxy server
Settings for using servers as next-hop proxies
List of next-hop proxy servers: List for selecting a next-hop proxy server list
The table below describes the list entries. For information on how to maintain lists, see List maintenance.
Table 6-21 List of next-hop proxy server lists
Option: Definition
Name: Name of the next-hop proxy server list
Comment: Plain-text comment on the next-hop proxy servers list

Round robin: When selected, the next-hop proxy module uses the next-hop proxy following the one in the list that has been used last. When the end of the list has been reached, the first next-hop proxy in the list is again selected.
Fail over: When selected, the next-hop proxy module tries the first next-hop proxy in the list first. If it fails, it is retried until the configured retry maximum has been reached. Then the second next-hop proxy in the list is tried, and so on, until a server responds or all are found to be unavailable.


User messages
Messages can be sent to users when a filtering rule blocks their requests for web access or affects them in other ways. This section tells you how to work on these messages.
Messages are sent to users based on templates. To modify what messages look like, you adapt these templates. This is done under the settings for the actions that affect users.
Authenticate: Template-based message tells a user that authentication is required to access a URL.
Block: Template-based message tells a user that a request was blocked for various reasons, for example, because a virus was detected in the requested object.
Redirect: Template-based message tells a user that redirecting to another URL is needed for accessing the requested object.

Message templates
Message templates contain standard text with variables. The variables are filled with values as needed in a given situation. For example, a Virus Found message might have the following text and variables:
Standard text: The transferred file contained a virus and was therefore blocked.
Variables as follows:
URL: URL that the user requested to access the file. The variable used to display a URL is $URL$.
Virus name: Name of the found virus that triggered the blocking of the file. The variable used to display a virus name is $StringList.ToString$.
Note: All variables used in message templates are also properties used by rules. For example, URL is a variable in a message text and a property used in the rule that exempts URLs from filtering.

Different versions can exist of a particular template regarding:
File format: .html or .txt.
Language: Templates can exist for multiple languages. An English version is provided by default for all initially existing templates.
You can group templates into collections and have, for example, a default collection and collections for other purposes.
You can edit message templates when you edit the settings for particular actions. For more information, see Adapt a user message template.
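How a template version is chosen and its variables are filled, as an added Python sketch that is not the appliance's own code. The function names, the VIRUS_FOUND sample data and the fallback to the English version are assumptions. Because $URL$ carries a value supplied by the requesting client, the sketch HTML-escapes values for the .html format; this guide does not state how the product itself treats such values.

```python
import html
import re

# $Name$ or $Dotted.Name$, for example $URL$ or $StringList.ToString$.
PLACEHOLDER = re.compile(r"\$([A-Za-z][A-Za-z0-9_.]*)\$")

# Constructed stand-in for one template with its language and format versions.
VIRUS_FOUND = {
    ("en", "html"): (
        "<p>The transferred file contained a virus and was therefore blocked.</p>\n"
        "<p>URL: $URL$</p>\n"
        "<p>Virus name: $StringList.ToString$</p>"
    ),
    ("en", "txt"): (
        "The transferred file contained a virus and was therefore blocked.\n"
        "URL: $URL$\n"
        "Virus name: $StringList.ToString$"
    ),
    ("de", "txt"): (
        "Die Datei enthielt einen Virus und wurde blockiert.\n"
        "URL: $URL$\n"
        "Virusname: $StringList.ToString$"
    ),
}


def select_version(versions, language, file_format):
    """Pick the version for language and format, else the English one (assumed fallback)."""
    for key in ((language, file_format), ("en", file_format)):
        if key in versions:
            return versions[key]
    raise KeyError("no %s template for %r or 'en'" % (file_format, language))


def render_template(text, properties, file_format):
    """Fill $Property$ variables.

    Returns (rendered text, sorted names of variables that had no value).
    Values are HTML-escaped for the html format and inserted as-is for txt.
    Unknown variables are left in place so that a typo in a template is visible.
    """
    if file_format not in ("html", "txt"):
        raise ValueError("file_format must be 'html' or 'txt'")
    missing = set()

    def substitute(match):
        name = match.group(1)
        if name not in properties:
            missing.add(name)
            return match.group(0)
        value = str(properties[name])
        if file_format == "html":
            return html.escape(value, quote=True)
        return value

    return PLACEHOLDER.sub(substitute, text), sorted(missing)


if __name__ == "__main__":
    # Constructed property values; the URL deliberately contains markup.
    properties = {
        "URL": "http://example.test/get?file=<b>a</b>&x=1",
        "StringList.ToString": "EICAR test file",
    }
    for language, file_format in (("en", "html"), ("de", "txt"), ("de", "html")):
        text = select_version(VIRUS_FOUND, language, file_format)
        rendered, missing = render_template(text, properties, file_format)
        print("---", language, file_format, "missing:", missing)
        print(rendered)
```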


Adapt a user message template


You can adapt the templates of messages sent to users when they are affected by an action of a filtering rule. Complete the following procedure to adapt a template:
1 Go to Policy | Settings.
2 On the Actions branch of the Settings tree, go to an action and select the settings you want to configure, for example, the Virus Found settings of the Block action.
3 Configure these settings as needed.
  For example, to edit the text of a message:
  a From the list under Template Name, select a template, for example, Virus Found.
  b Click Edit. The Template Editor opens.
  c On the templates tree, double-click the Virus Found folder. The folder opens and displays templates in the available languages and file formats (.html and .txt).
  d Select, for example, en for English and html. The corresponding template appears on the settings pane. Initially, the template text reads as follows: The transferred file contained a virus and was therefore blocked.
  e Edit this text as needed.
4 Click Save Changes on the Template Editor.

For more information, see Template Editor and Settings for message templates.

Template Editor
The template editor is a device on the user interface that allows you to edit existing templates for user messages.
Note: The template editor opens when you click Edit for a selected template or template collection on the Settings tab of the Policy top-level menu (after selecting the settings of the Authenticate, Block, or Redirect action on the Settings tree).

When editing a message template, you can do the following:
Select a language for the message of the template
Edit the text of the message
Replace the variables of the template
Provide a block reason for logging purposes (only for Block action templates)
Provide a URL for redirecting (only for Redirect action templates)


The table below describes the options of the Template Editor in detail.
Table 6-22 Template Editor
Option | Definition
Templates | Displays a tree structure (for viewing templates and selecting them for editing) with the following elements:
  Template collections: Collections of templates, for example, the Default collection.
  Templates: Templates belonging to a collection, for example, Virus Found. For each template, the following is provided under a tree node:
    de, en ...: Language versions of the template
    html: version in .html format
    txt: version in .txt format
    When you select a format, the template content appears on the HTML Editor pane.
  (Expand All): Expands all collapsed items on the Templates tree.
  (Collapse All): Lets all expanded items collapse.
  A right-click on a collection, template, language version, or format opens a menu with the following options (the selection of the options varies with the item):
    Clone: Opens the Clone <item> window for inserting a copy of an item under a new name into a collection.
    Add <item>: Opens the Add <item> window for adding an item of the same type.
    Rename: Opens the Rename <item> window for renaming an item.
    Change: Opens the Change Language window for changing a language version.
    Delete: Deletes an item. A window opens to let you confirm the deletion.
File System | Displays a tree structure (for completing general tasks, such as adding, renaming, and deleting template files) with the following elements:
  Template collections: Collections of templates, for example, the Default collection.
  Language versions: Templates sorted by language versions (and within a language group first by names and then by formats). For example, the en language group contains:
    authenticationrequired.html
    authenticationrequired.txt
    AuthorizedOnly.html
    AuthorizedOnly.txt
    ...
    When you select a format, the template content appears on the HTML Editor pane (same function as on the Templates pane).
  Images: Image files (with images used in templates) sorted by name
  Add: Opens the following menu:
    New File: Opens the Filename window for adding a file with a new name.
    New Directory: Opens the Rename Directory window for adding a selected folder of the tree structure under a new name.
    Existing File or Directory: Opens your file manager for selecting and adding a file or folder.
  Edit: Opens the following menu:
    Rename: Opens the Rename <item> window for renaming an item.
    Delete: Deletes an item. A window opens to let you confirm the deletion.
    Cut: Copies and deletes a selected item.
    Copy: Copies a selected item.
    Paste: Pastes a copied item.
    Delete: Deletes a selected item.
  (Expand All): Expands all collapsed items on the File System tree.
  (Collapse All): Lets all expanded items collapse.
  A right-click on an item opens a menu with the above options (options that do not apply for an item are grayed out).
HTML Editor | Displays the content of the template that is currently selected on the Templates or File System pane.
  Add: Opens the following menu:
    Resource Reference: Opens the Insert Resource Path window for entering the path to a resource, such as an image or other graphical element, that appears in a template.
    Property: Opens the Choose Property window for adding a property that appears as a variable in a template, for example, $URL$.
  Edit: Opens the following menu:
    Cut: Copies and deletes a selected portion of template content.
    Copy: Copies a selected portion.
    Paste: Pastes a copied portion.
    Delete: Deletes a selected portion.
    Select All: Selects the complete template content.
    Discard Changes: Undoes your changes of a template.
  Show Source: Toggle button to display the HTML source code of a template
  Languages drop-down menu: Lets you select the language of the preview.
  Preview: Displays a preview of a template.
Viewer (visible instead of the HTML Editor when an image file is selected on the File System tree) | Displays the image contained in a currently selected image file.
  Zoom In: Enlarges an image.
  Zoom Out: Reduces the size of an image.
  Fit to Window: Lets an image fill out the Viewer pane.
  Original Size: Displays an image in original size again.
Save Template Changes | Saves your changes to a template.
Cancel | Lets you leave the Template Editor without changes.


Settings for message templates


You can configure settings for the Authenticate, Block, and Redirect actions, including the settings of the templates for messages to affected users. This section describes these settings.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

Block action settings


The settings for the Block action allow you to configure user messages and a block reason for logging purposes. A typical text of a user message sent with this action is: The file was blocked, because the detected media type is not allowed.
Language and Template Settings
Settings for the Block action
Language: Settings for selecting the language of a user message
  Auto (Browser): When selected, the message is in the language of the browser that the blocked request was sent from.
  Force to: When selected, the message is in the language chosen from the list that is provided here.
  Value of Message.Language property: When selected, the message is in the language that is the value of the Message.Language property. This property can be used for creating a rule.
Template collection: List for selecting a template collection
  Add: Opens the Add Template Collection window for adding a template collection.
  Edit: Opens the Template Editor for editing a template collection.
Template name: List for selecting a template
  Add: Opens the Add Template window for adding a template.
  Edit: Opens the Template Editor for editing a template.
Secure Web Reporter block reason ID: Numerical value for a block reason
Block reason: Block reason in plain text

Authenticate action settings


The settings for the Authenticate action allow you to configure user messages informing users that they need to authenticate in a given situation. A typical text of a user message sent with this action is: You must be authenticated to access this URL. The file was blocked, because the detected media type is not allowed.
Failed Login Message Template
Settings for the Authenticate action
These settings are the same as for the Block action (except for the block reason) and are configured in the same way. For more information, see Block action settings.


Redirect action settings


The settings for the Redirect action allow you to configure user messages and the redirect URL. A typical text of a user message sent with this action is: The object has moved to another place, please enable redirects in your browser.
Redirect Settings
Settings for the Redirect action
Most of these settings are the same as for the Block action and are configured in the same way. The following settings apply only to the Redirect action:
Redirect.URL: When selected, the URL used for redirecting is the value given to the Redirect.URL property. This property can be part of a corresponding rule.
User-defined URL: When selected, the redirecting URL must be specified by you.
Redirect URL: Input field for this redirecting URL.
For more information, see Block action settings.


System Configuration

Contents
Configuring the appliance system
System settings
System files
Database updates
Central Management

Configuring the appliance system


The McAfee Web Gateway appliance is a system providing functions for authenticating users and filtering web objects. You can configure settings for these functions and also for the system itself, including settings for network interfaces, Central Management, the user interface, and other items. You can configure system settings on the user interface or a command line interface (CLI). The sections of this chapter explain these settings.

Initial setup system settings


Some system settings are configured during the initial setup. You can later modify these settings, as well as configure other system settings. The table below shows the initial settings and their default values:
Table 7-1 Initial setup system settings
Parameter | Default value
Primary network interface | eth0
Autoconfiguration with DHCP | yes
Host name | mwgappl
Root password | <last eight digits of appliance MAC address>
Remote root logon with SSH | off
Default gateway | <configured by DHCP>
DNS server | <configured by DHCP>

For more information, see System settings.


System configuration after the initial setup


System settings that can be configured after the initial setup include the following:
Network system settings: Settings for integrating the appliance system into your network
  You can modify the initial settings for the primary network interface of the appliance and the domain name server. You can also modify the default proxy mode of the appliance and configure settings for port forwarding and static routes.
Central Management system settings: Settings for running multiple instances of the appliance
  You can run the appliance as a standalone system or integrate multiple instances of the appliance in a system that you administer using Central Management methods.
Authentication system settings: Settings for authenticating users
  In addition to configuring authentication rules, you can configure some authentication methods also through system settings. This includes joining the appliance to Windows domains and using a Kerberos server for authenticating users.
System settings for logging and troubleshooting: Settings for logging system functions and solving problems
  You can configure the log file manager, forward data to an ePO server, and monitor events using an SNMP agent. You can also generate core files and enable connection tracing.
System settings for other functions: Settings for licensing, date and time, and the user interface
  The license system settings are used immediately after the initial setup to import a license for an appliance. Settings for date and time and the user interface can be modified later as needed.


System settings
This section tells you where you can configure the settings of the appliance system on the user interface and describes individual system settings.

Appliances tab
Use the Appliances tab to configure the settings of the appliance system. It is selected from the Configuration top-level menu.

Figure 7-1 Appliances tab (callouts: Appliances toolbar (on tab); Appliance toolbar, which appears when an appliance name is selected, for example, mwgappl; Appliances tree; Appliance settings)

The main elements of the tab are:
Appliances toolbar: Options for adding and deleting appliances and updating all of them
Appliances tree: Tree structure displaying different appliances and system settings
Appliance toolbar: Options for working with a selected appliance (appears when the appliance name is selected, for example, mwgappl)
Appliance settings: System settings of the selected appliance

Appliances toolbar
The Appliances toolbar provides the following options:
Table 7-2 Appliances toolbar
Option | Definition
Add | Opens the Add Appliance window for adding an appliance.
Delete | Deletes a selected appliance. A window opens to let you confirm the deletion.
Manual engine update | Updates DAT files with virus signatures and other filtering information for all configured appliances.


Appliance toolbar
The Appliance toolbar provides the following options:
Note: This toolbar appears only when an appliance name is selected on the Appliances tree, for example, mwgappl.
Table 7-3 Appliance toolbar
Option | Definition
Reboot | Restarts an appliance.
Flush cache | Flushes the web cache of an appliance.
Update appliance | Implements an updated version of the appliance.
Shutdown | Lets an appliance become inactive.

Configure the system settings


The system settings of an appliance include settings for network interfaces, Central Management, and other functions. This section tells you how to access these settings and where they are described within this guide.
Note: When you administer multiple appliances using Central Management, you can also configure their system settings from the one you are logged on to.

Complete the following procedure to configure the system settings of an appliance:


1 Go to Configuration | Appliances.
2 On the Appliances tree, go to an appliance and select the system settings you want to configure, for example, Network.
3 Configure these settings as needed.
4 Click Save Changes.

For information on individual system settings, see the table below.


Note: Some of the system settings are described in this guide together with other functions that they are related to. For example, the Kerberos Administration system settings are described in the chapter on authentication.
Table 7-4 Sections on system settings
Individual system settings are described under ...
Central Management system settings
Date and Time system settings
DNS system settings
ePolicy Orchestrator system settings
Kerberos Administration system settings
License system settings
Log File Manager system settings
Network system settings
Port Forwarding system settings
Proxies (HTTP(S), FTP, ICAP, and IM) system settings
SNMP system settings
Static Routes system settings
Troubleshooting system settings: Information on these is provided under Enable the creation of core files and Enable the creation of connection tracing files.
User Interface system settings
Windows Domain Membership system settings


Date and Time system settings


The Date and Time system settings include settings for the time servers that synchronize date and time on the appliance, as well as for the time zone.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Date and Time


Settings for date and time on the appliance system
Enable time synchronization with NTP servers: When selected, the appliance uses time servers under the NTP (Network Time Protocol) for time synchronization. The system time of the appliance is then synchronized with the time on the NTP servers. This will fail, however, if the delta between both times is too big. It is therefore recommended that you restart the appliance after configuring time synchronization with NTP servers. When the appliance restarts, it sets system time to the time on the NTP servers.
NTP Server List: List of servers used for time synchronization under the NTP protocol. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.
Table 7-5 NTP Server List
Option | Definition
String | Name of an NTP server
Comment | Plain-text comment on the NTP server

Select time zone: List for selecting a time zone. Time synchronization performed by the NTP servers or manually set time refer to the time zone that you select here.

Set System Time Manually


Settings for configuring time and date on the appliance system manually.
Current date and time: Elements for setting date and time on the appliance system.
  (Date field): For entering a date by typing it in the field or using a calendar.
  (Calendar icon): Opens a calendar for selecting a date. After selecting a date on the calendar and clicking OK, the date appears in the date field.
  (Time field): For typing a time.
  Set now: Sets the date and time you have entered into the corresponding fields.

DNS system settings


The DNS system settings are settings for the domain name servers. The appliance uses these to retrieve the IP addresses that match the host names submitted in user requests.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Domain Name Service Settings


Settings for the IP addresses of different domain name servers
Primary Domain Name Server: IP address of the first server
Secondary Domain Name Server: IP address of the second server
Tertiary Domain Name Server: IP address of the third server


License system settings


The License system settings are used to import a license for the appliance. Information on the license is also displayed with these settings.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

License administration
Settings for importing a license and reviewing license information.
Import License: Provides items for importing a license.
  License file: Input field for entering the name of a license file. You can type a file name here or use the Browse button and select an appropriate file.
  Browse: Opens the file manager on your system to let you browse to a license file.
  Activate: Activates the license specified in the input field.
Note: The Activate button is grayed out as long as you have not entered a file name in the input field.

License information: Displays information on the license that is currently in use on the appliance. The table below explains this information.
Table 7-6 License information
Option | Definition
Status | Status of a license
Creation | Date when the license was created.
Expiration | Date when the license expires.
License ID | Numerical value that identifies the license.
Customer | Name of the license owner
Seats | Number of workplaces in the owner's company that the license is valid for.
Evaluation | Information whether the license has been evaluated.


Network system settings


The Network system settings are used for configuring the network interfaces of the appliance.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Network Interface Settings


Settings for configuring network interfaces.
Host name: Name of the appliance
Enable these network interfaces: List of network interfaces that can be enabled or disabled.
IPv4: Tab for configuring network interfaces under version 4 of the Internet Protocol. The table below describes this tab.
Table 7-7 IPv4 tab
Option | Definition
IP settings | List for selecting a method of configuring an IP address for a network interface.
  Obtain automatically (DHCP): The IP address is automatically obtained, using the Dynamic Host Configuration Protocol (DHCP).
  Configure manually: The IP address is configured manually, using the input fields below. Note: If this option is not selected, the input fields are grayed out.
  Disable IPv4: Version 4 of the Internet Protocol is not used for this interface.
IP address | IP address of the network interface (manually configured)
Subnet mask | Subnet mask of the network interface (manually configured)
Default route | Default route for web traffic using the network interface (manually configured).
MTU | Maximum number of bytes in a single transmission unit
IP aliases | List of aliases for the IP address
  Add alias: Opens the Input window for adding an alias
  Delete: Deletes a selected alias

IPv6: Tab for configuring network interfaces under version 6 of the Internet Protocol. The table below describes this tab.
Table 7-8 IPv6 tab
Option | Definition
IP settings | List for selecting a method of configuring an IP address for a network interface
  Obtain automatically (DHCP): The IP address is automatically obtained, using the Dynamic Host Configuration Protocol (DHCP).
  Solicit from router: The IP address is obtained by a router.
  Configure manually: The IP address is configured manually using the input fields below. Note: If this option is not selected, the input fields are grayed out.
  Disable IPv6: Version 6 of the Internet Protocol is not used for this interface.
IP address, subnet mask, and so on | These items have the same meanings as on the IPv4 tab, see above.


Advanced: Tab for configuring additional media and a bridge for a network interface. The table below describes this tab.
Table 7-9 Advanced tab
Options | Definition
Media | List for selecting additional media for use with the network interface.
  Automatically detect: Media for use with the network interface are automatically detected if available in the network environment of the appliance.
  1000BaseT-FD, 1000Base-HD, ...: The selected media item is used with the network interface.
Bridge enabled | When selected, web traffic is routed through the network interface in transparent bridge mode.
Name | Name of the transparent bridge

Port Forwarding system settings


The Port Forwarding system settings are used for configuring rules to let the appliance direct web traffic sent from a particular port on a particular host to another host and port.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Port Forwarding
Settings for configuring port forwarding rules.
Port forwarding rules: List of port forwarding rules. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.
Table 7-10 Elements of an entry in the Port Forwarding Rules list
Option | Definition
Source Host | IP address of the host that is the source of web traffic in a port forwarding rule.
Source Port | Port used on this host for outgoing web traffic.
Destination Host | IP address of the host that web traffic from the source host should be directed to.
Destination Port | Port used on this host for web traffic coming in from the source host and port.
Comment | Plain-text comment on the port forwarding rule


Static Routes system settings


The Static Routes system settings are for configuring routes that always use the same gateway and interface on this gateway when web traffic is routed from the appliance to a particular host.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Static routes
Settings for configuring static routes.
Static Routes List: List of static routes used under version 4 of the Internet Protocol. The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.
Table 7-11 Static Routes List
Option | Definition
Destination | IP address and (optionally) netmask of the host that is the destination for a static route.
Gateway | IP address of the gateway for routing web traffic from the appliance to this host.
Device | Interface used on this gateway for the static route.
Description | Plain-text description of the static route
Comment | Plain-text comment on the static route

Static Routes List (IPv6): List of static routes used under version 6 of the Internet Protocol. The elements of the entries in this list have the same meanings as under version 4, see above.

User Interface system settings


The User Interface system settings are used for configuring the ports of the local user interface on the appliance and a session timeout.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

HTTP Connector Port


Settings for configuring the user interface on the appliance.
Enable local user interface over HTTP: When enabled, you can connect to the user interface using the HTTP protocol.
HTTP connector: Port for connecting to the user interface under HTTP.
Note: You can specify multiple ports here, separated by commas.

Enable local user interface over HTTPS: When enabled, you can connect to the user interface using the HTTPS protocol.
HTTPS connector: Port for connecting to the user interface under HTTPS.
Note: You can specify multiple ports here, separated by commas.

Session timeout: Time (in minutes) to elapse before a session on the user interface is closed if no activities occur.
Note: The range of allowed values is 1 to 9999.


System files
You can edit the system files of the appliance with a file editor. This section tells you how to work with this editor.

File Editor tab


Use the File Editor tab to edit system files on the appliance. It is selected from the Configuration top-level menu.

Figure 7-2 File Editor tab (callouts: Appliances; Toolbar; System files; File text)

The main elements of the tab are:
Appliances: Tree structure of appliances that can be administered from this appliance
System files: Tree structure of system files for an appliance
Toolbar: Items for editing a system file
File text: Text of the currently selected system file

File Editor toolbar


The table below describes the options of the File Editor toolbar:
Table 7-12 File Editor toolbar
Option | Definition
Edit | Opens a menu with editing options.
Cut | Cuts out selected text.
Copy | Copies selected text.
Paste | Pastes copied or cut out text.
Delete | Deletes selected text.
Select All | Selects the complete text.
Discard Changes | Discards text changes. A window opens to let you confirm the discarding.

Database updates
Information retrieved from external databases for use in the filtering process needs to be updated on the appliance from time to time. This section tells you how you can schedule automatic updates and also how to update this information manually.
Web objects are filtered on the appliance in a rule-based process. The filtering rules need information on these objects before they can trigger actions, such as blocking access to an object or allowing it. They rely for this information on special modules. For example, a virus and malware filtering rule relies on the Antivirus module (or engine) to find out whether an object is virus-infected, or a URL filtering rule relies on the TrustedSource module for URL category information.
The modules retrieve this information, for example, virus signatures stored in DAT files, from external databases. The database updates on the appliance are updates of this information.
You can update database information on the appliance using different methods.
Manual engine update: You can manually update database information for the modules of the appliance you are currently logged on to. If you are running multiple appliances and use Central Management functions to administer them, this manual update applies also to all appliances that you have included as nodes in this Central Management configuration.
Automatic engine update: You can also configure automatic updates in regular intervals for the modules of the appliance you are currently logged on to. These updates can retrieve information:
  From the internet: Information is then downloaded from the relevant external databases.
  Note: Database information is updated in this way immediately after the initial setup of an appliance.
  From other nodes in a Central Management configuration: Information is then downloaded from these nodes. For every node, you can in turn configure whether uploading information from it to other nodes is allowed.
  You can configure these updates when you set up the Central Management configuration, specifying for each node how it should behave regarding automatic updates.


Update database information manually


This section tells you how to update database information manually. The update applies to the modules of the appliance you are logged on to and to those of other appliances if you have included them in a Central Management configuration. Complete the following procedure to update database information manually:
1 Go to Configuration | Appliances.
2 On the Appliances toolbar, click Manual Engine Update. The update is performed.

Schedule automatic engine updates


This section tells you how to schedule automatic updates of database information for the modules of the appliance. If you want to run multiple appliances in a Central Management configuration, you can schedule these updates when you set up the configuration. Complete the following procedure to schedule automatic engine updates:
1 Go to Configuration | Appliances.
2 On the Appliances tree, navigate to the appliance you want to schedule automatic updates for and select Central Management Configuration.
3 Scroll down to Automatic Engine Updates and configure update settings as needed.
  Enabling of automatic updates: To make sure updates can happen automatically on an appliance at all.
  Sources of the updates: These can be external databases on the internet. In a Central Management configuration, these can also be other nodes.
  Update intervals: With a special setting for updating certificate revocation lists (CRLs).
  Use of update proxies: To enable a fail-over when systems become unavailable.
  Advanced update settings: For the upload of updated information from one node to others in a Central Management configuration and other functions.
4 Click Save Changes.

Automatic Engine Updates system settings


The Automatic Engine Updates settings are for scheduling automatic updates of database information for modules used in the filtering process.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Enable automatic updates: When selected, database information is automatically updated.
Allow to download updates from the internet: When selected, database updates are downloaded from the internet.
Allow to download updates from other nodes: When selected, database updates are downloaded from other nodes in a Central Management configuration.
Update interval: Time (in minutes) to elapse before database information is again updated. The time is set on a slider scale.
Note: The range of allowed values is 15 to 360.


CRL update interval: Time (in hours) to elapse before certificate revocation lists used in filtering SSL-secured web traffic are updated. This update uses a method that differs from those of other updates and must therefore be configured separately. The time is set on a slider scale.
Note: The range of allowed values is 3 to 168.

Enable update proxies: When selected, proxy servers are used for routing updated database information.
Update proxies (fail over): List of proxy servers used for routing updated database information. The proxy servers are used in fail-over mode. The first server on the list is tried first and only if the configured timeout has elapsed is the next server tried.
The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7-13 Update Proxies list
Option    Definition
Host      Host name or IP address of the server that is used as proxy for routing updates
Port      Port on the proxy that listens for update requests
User      User name of the user who is authorized to request updates that use the proxy
Password  Password of this user
Comment   Plain-text comment on the proxy

Advanced Settings
Settings for advanced update functions
Allow to upload updates to other nodes: When selected, updated database information can be uploaded from the appliance (as a node in a Central Management configuration) to other nodes.
The first time an update starts, it should wait an appropriate time before starting: Time (in seconds) to elapse before an update is started.
Note: The range of allowed values is 5 to 1200.

The first time an automatic update starts, it uses the startup interval to update: Time (in seconds) to elapse between attempts to start an automatic update for the first time. During an update, the coordinator subsystem, which stores updated information on the appliance, tries to connect to the appliance core, where the modules reside that use this information. A low value for this interval can therefore speed up updates because it reduces the time the coordinator might have to wait until the core is ready to receive data.
Note: The range of allowed values is 5 to 600.

Try to update with start interval: Maximum number of attempts (1 to 9) the appliance makes when trying to start an update.
Use alternative URL: URL of an update server that is used instead of the default server.
Verify SSL tunnel: When selected, an option to tunnel SSL-secured web traffic is used for updates.


Central Management
This section explains how to configure a Central Management configuration. You can run multiple appliances within your network and use Central Management functions to administer them. The appliances then have the following connections:
  Each of the appliances has clients that direct their web traffic to it.
  The appliances are joined in an appliance group that allows, for example, updates from one appliance to others. An appliance can be a member of different groups at the same time.
After setting up an appliance, you can configure Central Management settings for it. You can then add other appliances that you want to be in the same group to the configuration. After adding an appliance, you can view and configure its system settings on the user interface of the appliance that the other appliance was added to.
The diagram below shows a group of appliances in a Central Management configuration.

Figure 7-3 Central Management configuration


Configure Central Management settings


Multiple appliances can be run in a Central Management configuration. This section tells you how you can configure the settings for this configuration on an appliance.
Complete the following procedure to configure Central Management settings:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure Central Management settings for and select Central Management Configuration.
3 Configure these settings as needed. They include:
  Communication parameters: The IP address used for communication with other nodes, a timeout, and the maximum number of retries
  Group membership: The group or groups that an appliance belongs to
  Update schedules: Methods and intervals for database updates
  Advanced settings: For storing configuration data and other functions
4 Click Save Changes.

For more information, see Central Management system settings.

Add an appliance to the appliance configuration


You can add one or more other appliances to a configuration as members of the same group. Complete the following procedure to do this:
1 Go to Configuration | Appliances.
2 On the Appliances toolbar, click Add. The Add Appliance window opens.
3 Configure settings for the appliance:
  Host name or IP: Of the added appliance
  Network group: Group that the appliance belongs to (selected from a list)
4 Click OK. The new appliance appears on the Appliances tree.
5 Click Save Changes.


Central Management system settings


The Central Management system settings are used for configuring an appliance as a node in a Central Management configuration.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Central Management Settings


Settings for a node in a Central Management configuration
IP addresses for Central Management communication: List of IP addresses of the node
The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7-14 IP address list
Option    Definition
String    String for an IP address of the appliance when it is a node in a Central Management configuration
Comment   Plain-text comment on the IP address

Timeout of distribute messages to other nodes: Time (10 to 600 seconds) to elapse before the node makes the next attempt to send a message to another node that has not yet responded. The value for this priority is set on a slider scale.
Attempts to distribute messages per address: Maximum number of attempts (1 to 5) the node makes when trying to reach another node under a particular IP address that has not yet responded. The number is set on a slider scale.

Advanced Management Settings


Settings for advanced Central Management functions
Node priority: Priority (ranging from 1 to 100) that the node takes within the configuration. The highest priority is 1. When you add a node to a group of nodes in a Central Management configuration, the nodes that have a lower priority (a higher value) and are allowed to receive configuration settings from other nodes receive new settings from this node.
Note: If this is not your intention, you should make sure the nodes that you add have the same priority as the already existing nodes. In this case, the most recent configuration settings are distributed, either from the newly added node to the existing nodes or from the node with the most recent settings in the group to the new node.

The value for this priority is set on a slider scale.
Allow a GUI server to attach to this node: When selected, a server providing an additional user interface for the appliance is allowed to connect to the node.
Allow to attach a GUI server from non-local host: When selected, a server with an additional user interface that is not running within your network is allowed to connect to the node.
GUI control address: IP address and port number of the server that provides an additional user interface
GUI request address: IP address and port number of this server used when sending requests to it
Contact other nodes unencrypted: When selected, messages sent from this node to other nodes in the configuration are not encrypted.


This Node is a Member of the Following Groups


Settings for including a node in a group of nodes
Group runtime: Group of the node, in which runtime data can be shared with all nodes of the group, for example, the amount of quota time or volume
Group update: Group of the node, in which updates can be shared with all nodes of the group
Group network: Group of the node, in which it can immediately connect to all other nodes of the group. A node can be a member of more than one network group. In this case, the nodes of one group that a node is a member of can connect through this node to nodes of another group that this node is also a member of. All groups that a node is a member of are listed here.
The table below describes the list entries. For information on how to maintain a list of this type, see Inline lists.

Table 7-15 Group Network list
Option    Definition
String    String for the name of a group of nodes
Comment   Plain-text comment on the group
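The node priority rule and the network group rule described above decide which nodes have their settings replaced when a node is added, and which nodes can reach each other through a node that belongs to several groups. The following Python model is an added example, not part of the product or of this guide; it covers only the behavior stated in this section, and the Node fields, function names, and sample nodes are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Node:
    name: str
    priority: int              # "Node priority": 1 is the highest, 100 the lowest
    config_saved: datetime     # time of the node's most recent settings (assumed field)
    accepts_settings: bool     # allowed to receive settings from other nodes
    network_groups: frozenset  # entries of the node's "Group network" list


def overwritten_by(new, group_nodes):
    """Names of existing group nodes whose settings the added node would replace."""
    if not 1 <= new.priority <= 100:
        raise ValueError("node priority ranges from 1 to 100")
    newest = max((n.config_saved for n in group_nodes), default=datetime.min)
    replaced = []
    for node in group_nodes:
        if not node.accepts_settings:
            continue
        if new.priority < node.priority:
            # Lower value means higher priority: the added node's settings win.
            replaced.append(node.name)
        elif new.priority == node.priority and new.config_saved > newest:
            # Equal priority: the most recent settings are distributed.
            replaced.append(node.name)
    return sorted(replaced)


def reachable_from(start, nodes):
    """Map every node reachable from `start` to the chain of nodes leading to it.

    A chain of two names is a direct connection (shared network group); a longer
    chain passes through nodes that are members of more than one network group.
    """
    index = {n.name: n for n in nodes}
    members = {}
    for n in nodes:
        for group in n.network_groups:
            members.setdefault(group, []).append(n.name)
    chains = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for group in sorted(index[current].network_groups):
            for peer in members[group]:
                if peer not in chains:
                    chains[peer] = chains[current] + [peer]
                    queue.append(peer)
    del chains[start]
    return chains


def bridging_nodes(nodes):
    """Nodes that join two or more network groups and so relay between them."""
    return sorted(n.name for n in nodes if len(n.network_groups) > 1)


# Constructed sample configuration (names, dates and groups are made up).
GW_A = Node("gw-a", 50, datetime(2010, 3, 1), True, frozenset({"hq"}))
GW_B = Node("gw-b", 50, datetime(2010, 3, 5), True, frozenset({"hq", "branch"}))
GW_C = Node("gw-c", 50, datetime(2010, 2, 1), False, frozenset({"branch"}))
GW_D = Node("gw-d", 80, datetime(2010, 3, 2), True, frozenset({"lab"}))
EXISTING = [GW_A, GW_B, GW_C, GW_D]

# Three ways of adding the same appliance, which carries old or fresh settings.
NEW_TOP = Node("gw-new", 1, datetime(2010, 1, 1), True, frozenset({"branch"}))
NEW_EQUAL_OLD = Node("gw-new", 50, datetime(2010, 1, 1), True, frozenset({"branch"}))
NEW_EQUAL_FRESH = Node("gw-new", 50, datetime(2010, 4, 1), True, frozenset({"branch"}))

if __name__ == "__main__":
    group = [GW_A, GW_B, GW_C]
    for candidate in (NEW_TOP, NEW_EQUAL_OLD, NEW_EQUAL_FRESH):
        print(candidate.priority, candidate.config_saved.date(),
              "replaces settings on:", overwritten_by(candidate, group))
    print("bridging nodes:", bridging_nodes(EXISTING))
    print("reachable from gw-a:", reachable_from("gw-a", EXISTING))
```

In the sample, an appliance added with priority 1 replaces the settings on gw-a and gw-b even though its own settings are the oldest, while the same appliance added with priority 50 changes nothing in that group.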

Automatic Engine Updates


Settings for automatically updating database information for special appliance modules. For more information, see Automatic Engine Updates system settings.

Handle Stored Configuration Files (Advanced Settings)


Settings for storing configuration file folders on disk
Keep saved configuration folders for a minimal time: Time (1 to 365 days) that configuration file folders are at least stored on disk
Keep minimal number of configuration folders: Number of configuration file folders (1 to 100) that are at least stored on disk at any time
Keep minimal number of packed folders: Number of packed configuration file folders (1 to 100) that are at least stored on disk at any time
Note: Configuration folders are packed when the minimal time configured for storing them on disk has elapsed and the minimal number of folders stored on disk at any time would be exceeded if they were stored unpacked any longer.


Monitoring

Contents
  Monitoring the appliance
  Dashboard
  Logging
  Forwarding data to an ePO server
  Event monitoring with SNMP
  Error handling

Monitoring the appliance


You can monitor how the McAfee Web Gateway appliance executes the filtering functions that ensure web security for your network. The sections in this chapter provide an overview of appliance monitoring, telling you how to access the dashboard and how to use logging and other functions for monitoring purposes.

Monitoring functions
This section gives an overview of the monitoring functions that are available on the appliance.
Dashboard: The user interface provides a dashboard, where you can view information on web usage, filtering activities, and system behavior.
Logging: The appliance provides two default logs for storing log files. Entries in these files are written by rules in corresponding rule sets. You can configure the handling of these log files, such as rotation, deletion, and pushing. Other log files are not maintained by rules. The default rule-based logs are:
  Access log: Records requests for access to the web received on the appliance.
  Viruses Found log: Records viruses and other malware that infected requested objects.
Monitoring with external devices: You can forward information on the appliance status to an ePolicy Orchestrator (ePO) server and monitor events on the appliance with an agent application under the SNMP protocol.

Troubleshooting functions
When problems arise in working with the appliance, you might want to take troubleshooting measures. Monitoring what has happened in a problem situation can be one of the means for troubleshooting. The user interface provides a Troubleshooting top-level menu, which also includes some monitoring functions. For more information, see Troubleshooting.


Dashboard
The dashboard on the user interface of the appliance allows you to monitor web usage, filtering activities, and system behavior. This section tells you how to access the dashboard and gives an overview of the information it provides.

Access the dashboard


To access the dashboard:
1 Select the Dashboard top-level menu.
2 From the Appliance drop-down list, select the appliance you want to view dashboard information for.
3 [Optional] Click Update to ensure you see the latest information.
4 From the list on the navigation pane, select the dashboard charts you want to view.

Dashboard display options


For viewing dashboard information, you have several display options, depending on the type of information that is displayed. There are two main types of dashboard information:
Dynamic information: Shows how particular parameters developed over a selected time interval. For example, you can view a dashboard chart showing how the number of blocked or allowed URL requests developed over a selected time interval.
Static information: Shows numbers of particular events or bytes transferred at particular events up to the moment when you view them. What you see then is these numbers, but not how they developed over time. For example, you can view a dashboard chart showing the URL categories that have been most often requested so far.
The table below explains the options for displaying both information types.

Table 8-1 Options for displaying dashboard information
Option      Definition
For displaying dynamic information
Show last   Drop-down list for selecting a time interval: 1 hour | 3 hours | ... | 1 year
Resolution  Displays the time unit used for the diagram that shows the development of a parameter over the selected interval. Resolution varies with the interval. For example, when 1 hour is selected, the diagram uses 1 minute as the time unit, when 1 year is selected, the diagram uses 1 day.
View        Drop-down menu for selecting: Display mode: Line | Stacked; Average values
(icon)      Refreshes the view.
For displaying static information
Top         Drop-down list for selecting how many of the items with the highest scores are shown: 10 | 25 | ... | 1000. For example, the 25 URL categories that were most often requested can be shown.
(icon)      Refreshes the view.


Overview of the dashboard information


The dashboard displays statistical data on web usage, filtering activities, and system behavior. The table below provides an overview of this information.
Table 8-2 Overview of dashboard information
Information                                 Description
Executive Summary
  URL Executive Summary                     Shows how numbers of requests developed during the selected interval and sorts them into allowed (good) requests and requests blocked by filtering rules for viruses and other malware, URLs, and media types.
  Categories by Hits                        Shows the URL categories that were requested most often within the interval selected for the summary.
  Malwares by Hits                          Shows the virus and malware types that were requested most often within the interval selected for the summary.
System Summary
  Network Utilization                       Shows how numbers of requests sent and received developed during the selected interval.
  System Utilization                        Shows how usage of hard disk, CPU, memory, and the memory of the module used in virus and malware filtering developed during the selected interval.
  Update Status                             Shows the versions of several modules and filter information files that are implemented on the appliances, for example, of the Gateway AntiMalware engine or of the anti-malware signature files.
  Last Update                               Shows when several modules of the appliance were last updated, for example, the TrustedSource module.
  Open Ports                                Lists the ports on the appliance that are currently listening to requests.
  WCCP Services                             Shows status of WCCP services used to redirect traffic to the appliance.
  Active Proxy Connections                  Shows how numbers of connections developed during the selected interval.
Web Traffic Summary
  Traffic per Protocol                      Shows how volumes of web traffic under the HTTP, HTTPS, and FTP protocols developed during the selected interval.
  Requests per Protocol                     Shows how numbers of requests under the HTTP, HTTPS, and FTP protocols developed during the selected interval.
ICAP Traffic Summary
  ICAP Traffic                              Shows how volumes of ICAP requests in REQMOD and RESPMOD modes developed during the selected interval.
  ICAP Requests                             Shows how numbers of ICAP requests in REQMOD and RESPMOD modes developed during the selected interval.
Traffic Volume
  Top-Level Domains by Bytes Transferred    Lists the domains that were requested most according to the amount of bytes transferred from them.
  Top-Level Domains by Number of Requests   Lists the domains that were requested most according to the number of requests for them.
  Destinations by Bytes Transferred         Lists the destinations that were requested most according to the number of bytes transferred from them.
  Destinations by Number of Requests        Lists the domains that were requested most according to the number of requests for them.
  Source IPs by Bytes Transferred           Lists the source IPs that most volume was transferred to.
  Source IPs by Number of Requests          Lists the source IPs that most requests were made from.
Web Cache Statistics
  Web Cache Efficiency                      Shows how numbers of caching requests developed during the selected interval and sorts them into hits and misses.
  Web Cache Object Count                    Shows how numbers of objects in the cache developed during the selected interval.
  Web Cache Usage                           Shows how usage of the cache developed during the selected interval.
Malware Statistics
  Malware URLs by Hits                      Lists the URLs infected by viruses and other malware that were most requested.
  Malware by Hits                           Lists the malware types that most requests were made for.
URL Filter Statistics
  Category                                  Shows how numbers of requested URL categories developed during the selected interval.
  Reputation                                Shows how numbers of requests developed during the selected interval and sorts them according to the reputation of the requested URLs.
  Categories by Hits                        Lists the URL categories that were most requested.
  Sites Not Categorized by Hits             Lists among the sites that are not categorized those that were most requested.
  Malicious Sites by hits                   Lists among the sites that were found to be infected those that were most requested.
Media Type Statistics
  Media Type Groups by Hits                 Shows how numbers of requested media type groups developed during the selected interval and sorts the different types into audio files, images, and others.
  Media Types by Bytes                      Lists the media types that were most requested according to the number of bytes transferred.
  Media Types by Hits                       Lists the media types that were most requested according to the numbers of successful requests for them.
Certificate Statistics
  Certificate Incidents                     Shows how numbers of incidents developed during the selected interval and sorts them according to the events that caused the incident, for example, expired certificates or common name mismatches.
System Details
  Network Utilization                       Shows how numbers of requests sent and received developed during the selected interval.
  CPU Utilization                           Shows how CPU usage developed during the selected interval.
  Memory Usage                              Shows how the usage of memory developed during the selected interval.
  Swap Space (Virtual Memory) Usage         Shows how usage of virtual memory developed during the selected interval.
  File System Utilization                   Shows how usage of the file system developed during the selected interval.
  File System Utilization                   Shows usage of the file system per partition.
  Open TCP Ports                            Shows how number of open TCP ports developed during the selected interval.


Logging
Appliance behavior can be recorded in log files. This section describes the available log file types, explains their handling, and gives an example of configuring a log file to record found viruses.

Log file types


You can use several types of log files on the appliance. They differ in the type of data they record and in the way they do the logging. This section describes these log file types and explains their differences.

Log files using rules


Log files can use rules for having entries written to them. These are then written by events that are triggered when particular rules apply. For example, a rule triggers an event when an object that a user requested is infected by a virus. The triggered event writes an entry with information on the user, the infected object, date and time of the request, and so on, to the log file.
Log files that store the same kind of data are stored in a folder, which is called a log. The following rule-based logs are provided by default:
  Access log: Stores log files that record requests and related information, including date and time, user name, requested object, infection of an object, blocking of an object.
  Found viruses log: Stores log files that record the names of viruses and other malware that were found to infect requested objects. Records also date and time, user name, IP address of the client a request was sent from, requested URL.

Log files maintained by the appliance system


Log files can be maintained by the appliance system. In this case, log entries are written by functions of this system, not by rule events. For example, the system records changes to the appliance configuration that you implement in the Audit Log.
Log files that store the same kind of data are stored in a folder, which is called a log. The following system-based logs are provided by default:
  Audit log: Stores log files that record changes to the appliance configuration.
  Update log: Stores log files that record updates of modules and files on the appliance.
  Errors logs: Stores log files that record errors occurring in appliance components. There are separate errors logs for the core and coordinator subsystems, the anti-malware module, the user interface, and the system configuration daemon.

Log file handling using rules


When log files use rules, they have their entries written by events of those rules. If a logging rule applies, one event sets the parameter values that are recorded, another writes these values into a log file. The log for this file is specified by the settings of the write event. These settings include also options for configuring log file rotation, deletion, and pushing. So, when handling log files that use rules, you need to take care of the following:
  Logging rules: Include criteria and events that write log file entries when the criteria are matched.
  Logging rule sets: Contain the logging rules. They are nested on the appliance in top-level rule sets known as log handlers. A Default log handler is provided after the initial setup.
  Logging event settings: Are configured to specify the log for the log files and measures, such as rotation, deletion, and pushing. The log and the measures are handled by a particular module (or engine) on the appliance. By default, this is the File System Logging engine.
If you want to use log files of your own, you need to configure all these items in an appropriate way. For more information, see Use self-configured log files.


Log file handling for system-maintained files


When log files are maintained by the system, system functions write their entries. You can configure system settings to enable rotation, deletion, and pushing for these log files. A component of the appliance system, the Log File Manager, executes these activities.

Sample logging rule


This section explains a sample logging rule. The rule is taken from the Found Viruses Log rule set, which is provided on the appliance by default.
Note: The rule is shown in a notation that comes close to the one used on the user interface.

Name: Write Found Viruses Log
Criteria: Antimalware.Infected equals true
Action: Continue
Events:
  Set User-Defined.LogLine = [ + DateTime.ToString ( ) + ] + Authentication.Username + + String.IP.ToString (Client.IP) + + String.List.String.ToString (Antimalware.VirusNames) + + URL +
  Execute FileSystemLogging.WriteLogEntry (User-Defined.LogLine)<FoundVirusesLog>

The rule applies when a requested object has been found to be infected. Then it triggers two events, one to set parameter values, including the names of the found viruses and malware items and related information, and another to write an entry with these values into a log file.
The elements of this rule have the following meanings:
Criteria Antimalware.Infected equals true
  The criteria of the rule uses the Antimalware.Infected property. It is matched when it has the value true. This means that the rule applies when a filtered object is infected.
Action Continue
  When it applies, the rule triggers the Continue action. This action lets processing continue with the next rule after the events of the current rule have been executed.
Events
  When it applies, the rule also triggers two events:
  Set User-Defined.LogLine = ...
    Sets the parameter values that are logged, including:
    DateTime.ToString ( ): Date and time of the request for the object that was found to be infected. The value is converted into a string before being logged.
    Authentication.Username: Name of the authenticated user who requested the object.
    String.IP.ToString (Client.IP): IP address of the client the request was sent from. The address is converted into a string.
    String.List.String.ToString (Antimalware.VirusNames): List with the names of the found viruses and other malware items. The list is converted into a string.
    URL: URL that was requested.


  Execute FileSystemLogging.WriteLogEntry ...
    Executes the write event. The entry that is to be written and the log file it is written into are specified with the event:
    (User-Defined.LogLine): Event parameter specifying the entry. This is a log file line with the parameter values that have been set by the other event of the rule.
    <Found Viruses Log>: Event settings specifying the log file.
Note: Clicking the settings name on the user interface opens the settings for editing.

You can modify this logging rule or create similar rules of your own. For more information, see Create a sample logging rule.

Viewing log files


Most of the log files can be viewed on the user interface. For some rule-based log files, you need to open a folder of the program files for McAfee Web Gateway to view them. This section tells you what to do to view each type of log file.

View rule-based log files


Complete the following procedure to view this type of log file:
1 Select the Troubleshooting top-level menu.
2 On the appliances tree, navigate to the appliance you want to view log files for and select Log Files.
3 In the list of log file folders on the settings pane, double-click user-defined logs. Folders with the rule-based log files that are provided by default appear:
  access.log
  foundViruses.log
4 Double-click a folder to view a list of log files with names, sizes, and dates. Using the items on the toolbar, you can:
  View file content
  Note: You can also double-click a log file to view its content.
  Download files
  Copy link: Copy links to files
5 If you have created rule-based log files of your own, you can view them in a folder of the program files for McAfee Web Gateway. Using your file manager, navigate to the location where these program files are stored and go to:
  /opt/mwg/log/user-defined-logs/<log file name>/<log file name>


View system-maintained log files


Complete the following procedure to view this type of log file:
1 Select the Troubleshooting top-level menu.
2 On the appliances tree, navigate to the appliance you want to view log files for and select Log Files. A list of log file folders appears on the settings pane with folders for system-maintained and rule-based log files.
3 Double-click a folder, for example, audit, to view a list of system-maintained log files with names, sizes, and dates. Using the items on the toolbar, you can:
  View file content
  Note: You can also double-click a log file to view its content.
  Download files
  Copy link: Copy links to files

Create a sample logging rule


This section describes steps for creating a sample logging rule. The rule is taken from the Found Virus Log Rule Set, which is provided on the appliance by default.
Note: The rule name is slightly modified to avoid a conflict with the existing rule.

Complete the following procedure to create this rule:


1 Go to Policy | Rule Sets.
2 From the Rule Sets menu, select Log Handler and then the Found Viruses Log rule set.
3 On the settings pane, click Add Rule. The Add Rule Window opens with the Name step selected. In the main window area, items appear for adding a name and other general settings.
4 Add the following general settings:
  a Name: Type Write Found Malware Log.
    Note: The name of the already existing logging rule is Write Found Viruses Log.
  b Enable rule: Deselect this checkbox, so the sample rule is not enabled.
5 Select Rule Criteria. Items for adding the criteria appear.
6 Click Add. The Add Criteria window opens.
7 Add the criteria of the rule (Antimalware.Infected equals true):
  a From the Property list, select Antimalware.Infected.
  b In the Operator list, leave equals.
  c In the Parameter area, select true from the Value list.
8 Click OK. The Add Criteria window closes and the added criteria appears in the main window area. It lets the rule write a log file entry if an object is actually found to be infected.
9 Select Action and from the Action list, select Continue. This action lets the filtering process continue after the log file entry has been written.
10 Select Events.
11 Click Add and from the drop-down menu that appears select Set Property Value. The Add Set Property window opens.
12 From the list under Set this property (string), select User-Defined.LogLine.


13 Configure the following for the log file line:
  [ + DateTime.ToString( ) + ] + Authentication.UserName + + String.IP.ToString (Client.IP) + + String.List.String.ToString (Antimalware.VirusNames) + + URL +
  To do this:
  a Click Add and in the window that opens select Value and enter an opening square bracket. Then click OK.
  b Click Add again, select Property, and from the properties list, select DateTime.ToString (String).
  c Click Parameters and in the Property Parameters window (where Value is selected), click OK. Then click OK again to close the preceding window.
  d Click Add, select Value and enter a closing square bracket. Then click OK. This adds the date and time part included in square brackets and with an output field for the date and time value.
  e Click Add, select Property, and from the properties list select Authentication.UserName. Then click OK.
  f Click Add and in the Value field, type . Then click OK. This adds the user name part with an output field for the value.
  g Use the appropriate items to add properties and output fields for the client IP address and the remaining parameters as shown at the beginning of step 13.
  h Click OK to close the Add Set Property window.
14 To add the write event, click Add and select Event. The Add Event window opens.
15 From the properties list, select FileSystemLogging.WriteFileEntry.
16 Click Parameters. The Property Parameters window opens.
17 From the properties list, select User-Defined.LogLine. This adds the entry that is written into the log file.
18 Click OK on both open windows to close them.
19 Select Summary to review what you have configured.
20 Click Finish. The sample logging rule is inserted in the Found Viruses Log rule set. Click Delete to remove it again.
21 Click Save Changes.


Create a log handler


When you create new logging rules, you can insert them into existing logging rule sets or create new rule sets for them. These rule sets must themselves be nested in top-level rule sets known as log handlers. This section tells you how to create a log handler.
Note: You can also use the Default log handler for inserting new logging rule sets.

Complete the following procedure to do this:

1 Go to Policy | Rule Sets.
2 From the Rule Sets menu, select Log Handler.
3 On the Log Handler tree, navigate to the position where you want to insert the new log handler. Then click Add.
4 From the drop-down menu that appears, select Log Handler. The Add New Log Handler window opens with the Rule Sets tab selected.
5 Configure the following general settings:
   Name: Name of the log handler
   Enable: When selected, the log handler is enabled.
   [Optional] Comment: Plain-text comment on the log handler.
6 [Optional] Select the Permissions tab and configure who is allowed to access the new log handler.
7 Click OK to close the Add New Log Handler window. The log handler is inserted into the tree structure.
8 Click Save Changes.

You can now insert one or more nested rule sets into the log handler and fill these with rules. For more information, see Add a new rule set, Create a sample logging rule, and Access restrictions.

Use self-configured log files


You can use log files of your own to monitor appliance behavior and have entries written into them by rules. This section explains how this is done. Complete the following procedure to enable the use of your own log files:
1 Go to Policy | Rule Sets.
2 Use the items on this tab to create a log handler and a nested rule set within this log handler.
3 Create a log for storing log files:
   a Go to Policy | Settings.
   b Go to File System Logging and select one of the existing settings, for example, Access Log Configuration. These will serve as the starting point for creating new settings, including settings for a new log.
   c Click Add above the Settings tree. The Add Settings window opens.
   d In the Name field, enter a name for the new settings.
   e [Optional] Type a comment on the new settings and use the Permission tab to configure who is allowed access to the new settings.
   f Under Name of the log, type the name of the new log.
   g Configure other items of the new settings as needed.
   h Click OK. The Add Settings window closes and the new settings appear under File System Logging on the Settings tree.


4 Go to Policy | Rule Sets and insert a logging rule that triggers events when its criteria is matched into the rule set you created in step 2. The logging rule should trigger the following events if its criteria is matched:
   A set event that sets parameter values for a log file entry.
   A write event that writes the entry into a log file of the log you created.
Note: The criteria of the logging rule relates to what you want to log, for example, Antimalware.Infected equals true as the criteria if you want to log requests for infected objects. Then the set and write events are triggered if an object is found to be infected.
5 Click Save Changes.

The new log and the log files are stored in a folder of the program files for McAfee Web Gateway. To view them, navigate with your file manager to the location where these program files are stored and go to:

/opt/mwg/log/user-defined-logs/<log file name>/<log file name>

For more information, see Create a log handler, Add a new rule set, Create a sample logging rule, Configuring log file settings, and Access restrictions.

Configuring log file settings


By configuring log file settings, you can determine how log files are rotated, deleted, and pushed. For rule-based log files, these settings also specify the log that is used to store the log files. This section tells you how these settings are configured for the different types of log files.

Configure settings for rule-based log files


Complete the following procedure to configure this type of log files:
1 Go to Policy | Settings.
2 On the Settings tree, go to File System Logging and select the settings you want to configure, for example, Access Log Configuration.
3 Configure these settings as needed:
   Log settings: For log name, log file header, and other parameters.
   Log file settings: For rotation, deletion, and pushing of log files.
4 Click Save Changes.

For more information, see File System Logging engine settings.

Configure settings for system-maintained log files


Complete the following procedure to configure this type of log files:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to configure system settings for and select Log File Manager.
3 Configure these system settings as needed. They include settings for rotation, deletion, and pushing of log files.
4 Click Save Changes.

For more information, see Log File Manager system settings.


Log file settings


You can configure log file settings to determine the handling of log files on the appliance, for example, how they are rotated and deleted. This section describes these settings for different types of log files.

File System Logging engine settings


The File System Logging engine settings are settings for the module that handles rule-based log files on the appliance.
Note: These settings are configured on the Settings tab of the Policy top-level menu.

File System Logging Settings
Settings for a log that stores log files
   Name of the log: Log name
   Enable log buffering: When selected, the log is buffered. The buffer interval is 30 seconds.
   Enable header writing: When selected, the header below is added to all log files.
   Log header: Input field for typing a header for all log files
   Encrypt the log file: When selected, log files are stored encrypted.
   First password, Repeat password: Input field for creating a password for access to encrypted log files
   [Optional] Second password, Repeat password: Input field for creating a second password for access to encrypted log files

Settings for Rotation, Deletion, and Pushing
Settings for handling log files
   Enable specific settings for User-Defined Log: When selected, the settings configured in the following apply to the user-defined logs, which store the log files that are rule-based. Otherwise the system settings configured for the Log File Manager function apply also to this log.

Auto Rotation
Settings for rotating log files automatically according to size and time of day
   Enable auto rotation: When selected, log files are rotated according to the following settings.
   Note: You can configure just one of the two settings or both.
   Enable log file rotation if log file size exceeds: When selected, log files are rotated according to the size (in MiB) specified in the input field provided here.
   Enable scheduling of log file rotation: When selected, log files are rotated according to the time of day (in hours and minutes) specified in the input field provided here.
   Note: The 24-hour format is used here, for example, 1:30 p.m. is 13:30.

Auto Deletion
Settings for deleting log files automatically according to size and last time of modification
   Enable auto rotation: When selected, log files are deleted according to the following settings.
   Note: You can configure just one of the two settings or both.
   Enable log file deletion if log file size exceeds: When selected, log files are rotated according to the size (in MiB) specified in the input field provided here.
   Enable autodeletion of unchanged files: When selected, log files are deleted after the time (in days) specified in the input field provided here.


Auto Pushing
Settings for pushing rotated log files to another server
   Enable auto pushing: When selected, rotated log files are pushed from the local database to the server specified by the following settings.
   Destination: Network protocol, host name, and path of the server
   User name: Name of the user who is authorized to push log files to the server
   Enable pushing log files directly after rotation: When selected, pushing follows rotation immediately.
   Push interval: Time (in hours) to elapse before the next log files are pushed (if not pushed immediately after rotation)

Log File Manager system settings


The Log File Manager system settings are settings for the function that handles system-maintained log files.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

Global Log File Settings
Settings for all log files that no specific settings have been configured for
   Auto Rotation, Auto Deletion, Auto Pushing: Meanings and usage of these settings are the same as of the corresponding settings for the File System Logging module.

Settings for the Update Log
   Enable specific settings for Update Log: When selected, the settings configured in the following apply to the Update Log. Otherwise the global log file settings apply.
   Auto Rotation, Auto Deletion, Auto Pushing: Meanings and usage of these settings are the same as of the corresponding settings for the File System Logging module.

Settings for the Audit Log
   Enable specific settings for Audit Log: When selected, the settings configured in the following apply to the Audit Log. Otherwise the global log file settings apply.
   Auto Rotation, Auto Deletion, Auto Pushing: Meanings and usage of these settings are the same as of the corresponding settings for the File System Logging module.

For more information, see File System Logging engine settings.


Log handler rule sets


Log handler rule sets are top-level rule sets with nested rule sets that include logging rules. This section describes the nested logging rule sets that are provided by default on the appliance.

Nested Access Log logging rule set


The nested Access Log logging rule set records requests for access to the web sent from users of your network.
Nested logging rule set: Access Log
Criteria: Always

The rule set contains the following rule:

Write access.log
Always > Continue
Set User-Defined.LogLine = [ + DateTime.ToString() + ] ...
Execute FileSystemLogging.WriteLogEntry (User-Defined.LogLine) <Access Log Configuration>

The rule uses an event to fill a log file entry with parameter values relating to requests sent by users, such as user names or request headers. It uses another event to write this entry to a log file. The log file entry is specified as a parameter in both events. The log that stores the log file is specified by the settings of the write event.

The logging rule applies whenever a request for access to the web is received. The two rule events for filling and writing a log entry are then executed and the filtering process is continued with the next rule or rule set.

Values for the following parameters are set and logged by the events of the rule (each followed by the property used by the set event):
   Date and time: DateTime.ToString
   User name: Authentication.UserName
   Client IP: String.IP.ToString (Client.IP)
   Response status: String.Number.ToString (Response.StatusCode)
   Request header: RequestHeader.FirstLine
   URL category: List.Category.ToString (URL.Categories<Default>)
   URL reputation: String.Number.ToString (URL.Reputation<Default>)
   Media type: String.MediaType.ToString (MediaType.Header)
   Body size: String.Number.ToVolumeString (Body.Size)
   User agent: Header.Get(User-Agent)
   Virus and malware names: String.List.String.ToString (Antimalware.VirusNames<Gateway Antimalware>)
   Block action ID: String.Number.ToString (Block.ID)


Nested Found Viruses Log logging rule set


The Found Viruses logging rule set records names of viruses and other malware found in requested web objects.
Nested logging rule set: Found Viruses Log
Criteria: Always

Nested Handle Events logging rule set


The Handle Events logging rule set sends messages under the SNMP protocol when particular events have occurred.
Nested logging rule set: Found Viruses
Criteria: Incident.ID does not equal 0

Forwarding data to an ePO server


The McAfee Web Gateway appliance can be monitored on the McAfee ePolicy Orchestrator (ePO). This section tells you how to configure the appliance to forward monitoring data to an ePO server.

The ePolicy Orchestrator is a monitoring tool for web security products, which can also include the McAfee Web Gateway appliance. If you configure the orchestrator and the appliance accordingly, you can log on to the appliance from the ePO user interface and have monitoring data forwarded from the appliance to the ePO server.

When forwarding data to the ePO server is configured, this server sends SSL-secured requests for collecting data to the appliance at regular intervals. You then need to allow the CONNECT request that the SSL-secured communication begins with to bypass the normal processing of web security rules, so it does not get blocked on the appliance. For example, if you have authentication rules implemented, this would lead to blocking because the ePO server does not support authentication.

You can import an appropriate rule set from the library to enable the bypassing or create a rule set of your own. For more information, see Configure data forwarding, Import a rule set, and Bypass ePO requests library rule set.

Configure data forwarding


Complete the following procedure to configure data forwarding to an ePO server on the appliance:
1 Go to Configuration | Appliances.
2 On the Appliances tree, go to the appliance you want to forward data from and select ePO Orchestrator.
3 Configure the ePolicy Orchestrator settings as needed. These include settings for an account on the appliance that is needed to forward the data and settings for the data collection process.
4 Click Save Changes.

For more information, see ePolicy Orchestrator system settings.


ePolicy Orchestrator system settings


The ePolicy Orchestrator system settings can be configured to allow the appliance to forward ePO data.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

ePolicy Orchestrator Settings


Settings for forwarding ePO data
   ePO user account: User name of the user who is authorized to retrieve ePO data on the appliance
   Password, Repeat password: For the above account
   Enable data collection for ePO: When selected, data for the ePO server is collected on the appliance.
   Data collection interval in minutes: Time (in minutes) to elapse before ePO data is again collected. The interval is set on a slider scale. It can range from 10 minutes to 6 hours.

Bypass ePO requests library rule set


This section describes in detail the Bypass ePO requests library rule set. This rule lets requests from an ePO server to connect to the appliance bypass the filtering process. For general information on understanding and handling rules, see Rules and Rule Sets.
Library rule set: Bypass ePO requests
Criteria: Command.Name equals CONNECT
Cycles: Requests (and IM)

The rule set is processed when the SSL-secured communication between the ePO server and the appliance begins with a request from the server to connect to the appliance. It contains the following rule:

Skip subsequent rules for ePO requests
URL.Host equals 127.0.0.1 OR URL.Host equals [::1] > Stop Cycle
Enable SSL Client Context <Default CA>
Enable SSL Scanner <Certificate verification without edh>

The rule uses the URL.Host property to identify the host of a requested URL, using the IP address of the host. If this address is 127.0.0.1, the host of the requested URL is the appliance. When the ePO server sends a request to connect to the appliance, it uses this address. So if 127.0.0.1 is the requested address, the rule applies and stops all further processing in the request cycle. The CONNECT request is allowed to pass through and the process of collecting appliance data for the ePO server can go ahead.

The next step in this process is sending and verifying certificates. The rule includes an event to enable the sending of a client certificate that is issued by the default certificate authority. You can modify the event settings to have the certificate issued by another authority. The rule also includes an event to enable verification of the certificate sent by the ePO server without using the EDH (Ephemeral Diffie-Hellman) method, which is the appropriate procedure for this server.


Event monitoring with SNMP


Events on the McAfee Web Gateway appliance can be monitored using an agent application under the SNMP protocol. This section tells you what you need to configure on the appliance to use this monitoring option.

Configure SNMP monitoring


Complete the following procedure to configure SNMP monitoring:
1 Go to Configuration | Appliances.
2 On the Appliances tree, navigate to the appliance you want to monitor events on and select SNMP.
3 Configure the SNMP settings as needed.
   SNMP port settings: For the ports that listen to requests from the SNMP agent.
   SNMP system information: For the system that serves as a management station for the agent.
   SNMP protocol options: For the communication between the appliance and the agent.
   SNMP trap sinks: For the systems that are to receive messages on monitored events from the agent.
4 Click Save Changes.

For more information, see SNMP system settings.

SNMP system settings


The SNMP system settings can be configured to allow the forwarding of ePO data.
Note: These settings are configured on the Appliances tab of the Configuration top-level menu.

SNMP Port Settings


Settings for the port listening to requests from an SNMP agent.
   Enable UDP: When selected, communication with the agent follows the UDP protocol.
   UDP port: Port listening to requests under that protocol.
   Enable TCP: When selected, communication with the agent follows the UDP protocol.
   TCP port: Port listening to requests under that protocol.

SNMP System Information


Settings for the system serving as management station for the SNMP agent.
   Description: System name
   Object ID: ID the system has in the Management Information Base (MIB) used under the SNMP protocol.
   Contact person: Real name of the person administering the SNMP functions of the system
   Physical location: Of the system


SNMP Protocol Options


Settings for the communities and users that have access to monitoring information under different versions of the SNMP protocol.
   SNMP v1: When selected, communities have access under this version of the protocol.
   SNMP v2c: When selected, communities have access under this version of the protocol.
   Communities for SNMPv1 and SNMPv2c access: List of communities with allowed access. The table below describes the list entries. For information on how to maintain lists, see List maintenance.

Table 8-3 SNMP communities list
Option: Definition
   Community string: String representing the name of a community
   Allowed root OID: ID of the object that is the root of an allowed community
   Allowed from: Host name or IP address of the host that a community is allowed access from
   Read-only access: Information on whether a community is only allowed to read monitoring information
   Comment: Plain-text comment on the community

   SNMP v3: When selected, access is granted to users under this version of the protocol.
   SNMP v3 Users: List of users with allowed access. The table below describes the list entries. For information on how to maintain lists, see List maintenance.

Table 8-4 SNMP v3 Users list
Option: Definition
   User name: Name of a user who is allowed access
   Allowed root OID: ID of the object that is the root of an allowed user
   Authentication: Information on whether the user must authenticate to gain access
   Encryption: Information on whether the monitoring data is provided for the user in encrypted format
   Read-only access: Information on whether a user is only allowed to read monitoring information
   Comment: Plain-text comment on the user

SNMP Trap Sinks


Settings for the hosts that receive trap messages on monitored events from the SNMP agent
   Trap Sinks: List of hosts that receive messages (also known as trap sinks). The table below describes the list entries. For information on how to maintain lists, see List maintenance.

Table 8-5 Trap Sinks list
Option: Definition
   Host name or IP address: Host name or IP address of a host that receives messages
   Port: Port on that host for receiving the messages
   Community string: String representing the name of a community that is allowed to read the messages
   Send SNMP v2c traps: Information on whether the messages are sent under this version of the protocol
   Comment: Plain-text comment on the community
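
A review of the SNMP options described in Tables 8-3 to 8-5, as an added example that is not part of the product guide: it flags community, user, and trap sink entries that grant broader access than monitoring needs. The dictionary keys and sample values are constructed for illustration and only mirror the table options; they are not an export format of the appliance.

```python
"""Audit SNMP settings transcribed from the appliance UI (added example).

The dictionary layout is hypothetical: its keys mirror the options in
Tables 8-3, 8-4 and 8-5. It is not an export format of the product.
"""
import ipaddress

# Community strings used as defaults by many SNMP agents and tools.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def is_unrestricted(allowed_from):
    """True if 'Allowed from' is empty or a /0 network (any host)."""
    value = (allowed_from or "").strip()
    if not value:
        return True
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # not an IP address or network: treated as one host name


def audit_snmp(settings):
    """Return (severity, message) findings for one appliance's settings."""
    findings = []
    enabled = [v for v in ("v1", "v2c") if settings.get("snmp_" + v)]
    if enabled:
        # SNMP v1 and v2c carry the community string unencrypted.
        findings.append(("medium", "SNMP %s enabled: community strings are "
                         "sent unencrypted" % "/".join(enabled)))
        for i, entry in enumerate(settings.get("communities", []), 1):
            where = "community #%d" % i  # refer by position, not by secret
            name = entry.get("community_string", "").lower()
            if name in WELL_KNOWN_COMMUNITIES:
                findings.append(("high", where + ": well-known community string"))
            if not entry.get("read_only"):
                findings.append(("high", where + ": not limited to read-only access"))
            if is_unrestricted(entry.get("allowed_from")):
                findings.append(("medium", where + ": 'Allowed from' not limited to a host"))
    if settings.get("snmp_v3"):
        for user in settings.get("v3_users", []):
            where = "v3 user %r" % user.get("user_name")
            if not user.get("authentication"):
                findings.append(("high", where + ": no authentication required"))
            elif not user.get("encryption"):
                findings.append(("medium", where + ": monitoring data not encrypted"))
            if not user.get("read_only"):
                findings.append(("medium", where + ": not limited to read-only access"))
    for i, sink in enumerate(settings.get("trap_sinks", []), 1):
        if sink.get("community_string", "").lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("low", "trap sink #%d: well-known community string" % i))
    return findings


# Constructed sample, not taken from a real appliance.
SAMPLE_SETTINGS = {
    "snmp_v1": False,
    "snmp_v2c": True,
    "communities": [
        {"community_string": "public", "allowed_root_oid": ".1",
         "allowed_from": "", "read_only": True},
        {"community_string": "mwg-mon-7f3a", "allowed_root_oid": ".1.3.6.1.4.1",
         "allowed_from": "192.0.2.10", "read_only": False},
    ],
    "snmp_v3": True,
    "v3_users": [
        {"user_name": "nms-reader", "authentication": True,
         "encryption": True, "read_only": True},
        {"user_name": "legacy", "authentication": True,
         "encryption": False, "read_only": True},
    ],
    "trap_sinks": [
        {"host": "192.0.2.10", "port": 162,
         "community_string": "public", "send_v2c_traps": True},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_SETTINGS):
        print("%-6s %s" % (severity, message))
```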


Error handling
Errors of the appliance system can be handled by rules. This main section describes how you can create a top-level error rule set (also known as error handler) for nesting rule sets with error rules. It also describes the rule sets that are provided by default for error handling on the appliance.

Create an error handler


When you create new error rules, you can insert them into existing error rule sets or create new rule sets for them. These rule sets must themselves be nested in top-level rule sets known as error handlers. This section tells you how to create an error handler.
Note: You can also use the Default error handler for inserting new error rule sets.

Complete the following procedure to do this:

1 Go to Policy | Rule Sets.
2 From the Rule Sets menu, select Error Handler.
3 On the Error Handler tree, go to the position where you want to insert the new error handler. Then click Add.
4 From the drop-down menu that appears, select Error Handler. The Add New Error Handler window opens with the Rule Sets tab selected.
5 Configure the following general settings:
   Name: Name of the error handler
   Enable: When selected, the error handler is enabled.
   [Optional] Comment: Plain-text comment on the log handler.
6 [Optional] Select the Permissions tab and configure who is allowed to access the new log handler.
7 Click OK to close the Add New Error Handler window. The error handler is inserted into the tree structure.
8 Click Save Changes.

You can now insert one or more nested rule sets into the error handler and fill these with rules. For more information, see Add a new rule set, Access restrictions, and Error handler rule sets.


Error handler rule sets


Error handler rule sets are top-level rule sets with nested rule sets that include error rules. This section describes the nested error rule sets that are provided by default on the appliance.

Nested Long Running Connections error rule set


The nested Long Running Connections error rule set keeps connections alive when a system error occurs.
Nested error rule set: Long Running Connections
Criteria: Error ID equal 20000

Nested Block on AV Engine Errors error rule set


The nested Block on AV Engine Errors error rule set blocks access to all objects when the Antimalware engine cannot be loaded or is overloaded.
Nested error rule set: Block on AV Engine Errors
Criteria: Always

Nested Block on All Errors error rule set


The nested Block on All Errors error rule set blocks access to all objects that are being filtered when an internal error occurs on the appliance.
Nested error rule set: Block on all errors
Criteria: Always

The rule set contains the following rule:

Always block
Always > Block<Internal Error>

The rule blocks access to all objects when an internal error occurs. The action settings specify that a user who is affected by the blocking is notified.

The rule in this rule set is for handling internal errors on the appliance. It is executed at the time when an internal error occurs, which can, of course, not be predicted and can happen at any time during the filtering process or not at all. In this sense, processing the rule is not part of the normal process flow.

After executing the blocking, the rule stops all further processing of rules for the requests, responses, or embedded objects that were being filtered when the internal error occurred. This ensures that no malicious or inappropriate web objects enter your network or leave it while the appliance is not fully available. The process flow continues when the next request is received if the internal error did not lead to an interruption of the appliance functions.


Troubleshooting

Contents
   Troubleshooting appliance problems
   Create a feedback file
   Enable the creation of core files
   Enable the creation of connection tracing files
   Generate a TCPdump
   Use network tools
   Back up and restore the appliance configuration

Troubleshooting appliance problems


The sections of this chapter explain how to use troubleshooting tools and methods if problems arise when working with the appliance.

Files for recording appliance behavior


You can record appliance behavior and evaluate the data recorded in the corresponding files. Several types of files can be created for this purpose:
   Log files: For logging different events and functions, such as access to the appliance or updates of files and modules
   Core files: For recording memory content after a crash has occurred
   Rule tracing files: For recording the processing of rules
   Connection tracing files: For recording activities on the connections from the appliance to other network components
   Feedback files: For backtracing functions after the failure of a particular function
   TCPdump files: For recording network activities of the appliance

Network tools
You might need to test whether connections to other network components still work. The appliance provides several tools, including ping, nslookup, and traceroute, for doing this.


Backup and restore files


When other troubleshooting methods do not work, it can be necessary to remove a faulty configuration and replace it with a backup. Having a backup available might also help in other situations, for example, when you want to discard changes applied to an existing configuration. The appliance provides functions for creating backups and using them to restore configurations.

Create a feedback file


Feedback files can be used on the appliance to trace back functions when the process on the appliance is halted due to the failure of particular functions. Complete the following procedure to create a feedback file:
1 Go to Troubleshooting | Feedback.
2 Select or deselect Pause running McAfee Web Gateway ... as needed.
Note: It is recommended that you use this option to stop the appliance before creating the feedback file.
3 Click Create Feedback File. The file is created and appears with its name, size, and date in the list under Feedback file.

Using the items on the toolbar, you can:
   View file content
   Download files
   Copy link (copy links to files)

Enable the creation of core files


Core files can be created on the appliance to record memory content after system crashes. Complete the following procedure to enable the creation of core files:
1 Go to Configuration | Troubleshooting.
2 Make sure Enable core file creation is selected. Core files are then created after crashes.

They can be viewed on a list after selecting the Troubleshooting top-level menu, navigating to an appliance, and selecting Core Files. Using the items on the toolbar, you can:
   View file content
   Download files
   Copy link (copy links to files)


Enable the creation of connection tracing files


Trace files can be created on the appliance to record activities on connections from the appliance to other network components. Complete the following procedure to enable the creation of connection tracing files:
1 Go to Configuration | Troubleshooting.
2 Make sure Enable connection tracing is selected. Connection tracing files are then created.
Note: To trace only activities on a connection to a network component with a particular IP address, select Restrict tracing to only one IP and type the address in the IP field.

Connection tracing files can be viewed on a list after selecting the Troubleshooting top-level menu, navigating to an appliance, and selecting Connection Tracing. Using the items on the toolbar, you can:
   View file content
   Download files
   Copy link (copy links to files)

Generate a TCPdump
TCPdumps can be used on the appliance to review network activities of the appliance and detect reasons for errors and failures. Complete the following procedure to generate a TCPdump:
1 Go to Troubleshooting | TCPdump.
2 Under Command line parameters, type parameters for the TCPdump as needed.
3 Click tcpdump start. The dump is generated and appears with its name, size, and date in the dump list under Results (dump).

Using the items on the toolbar, you can:
   View dump content
   Download dumps
   Copy link (copy links to dumps)


Use network tools


Several network tools are provided for troubleshooting on the appliance. Complete the following procedure to use a network tool:
1 Go to Troubleshooting | Network Tools.
2 Under Command line parameters, type parameters as needed for use with each command. For example, type the name of a host you want to ping.
3 Click the button for the network tool you want to use:
   Ping
   Ping6
   nslookup
   traceroute
   traceroute6

The corresponding command is executed and the output displayed in the Results field, for example:
Ping: unknown host testhost

Back up and restore the appliance configuration


The appliance configuration, including rules, lists, settings, and administrator accounts, can be stored in a backup file and also restored from there. Complete the following procedure to back up or restore the appliance configuration:
1 Go to Troubleshooting | Backup/Restore.
2 Under Backup Policy, Configuration, and Accounts, proceed as follows:
   To back up the configuration, click Backup to file. A window opens to let you select a file for storing the configuration.
   To restore the configuration, click Restore from file. A message informs you that you will be logged out after restoring and asks whether you really want to do it. If you confirm, a window opens to let you select a file for restoring the configuration.
Note: If you only want to restore the rules, lists, and settings that were configured on the tabs of the Policy top-level menu, make sure the Only restore policy checkbox is selected before clicking the button.


Appendix: Configuration Lists

Contents
   List of actions
   List of events
   List of properties
   Wildcard expressions

List of actions
The table below provides a list of the actions that can be configured in web security rules. The actions are listed in alphabetical order.
Table -1 List of actions

| Name | Description |
| --- | --- |
| Authenticate | Stops processing the rules in the current cycle. Sends an authentication request to the client of the user who requested access to an object. |
| Block | Blocks access to the requested object. Stops processing rules. |
| Continue | Continues processing with the next rule. |
| Redirect | Redirects the client that requested access to an object to another object. |
| Remove | Removes the requested object. Stops processing the rules in the current cycle. |
| Stop Cycle | Stops processing the rules in the current cycle. Does not block access to the requested object. |
| Stop Rule Set | Stops processing the rules of the current rule set. Continues processing with the next rule set. |


List of events
The table below provides a list of the events that can be configured in web security rules. The events are listed in alphabetical order.
Table -2 List of events

| Name | Description | Parameters |
| --- | --- | --- |
| Body.Insert | Inserts a string into the body of a message. | 1. Number: Byte position where the insertion begins; 2. String: Pattern, either (a) a string embedded in double quotes ("...", can also contain hex values preceded by \) or (b) a sequence of hex values |
| Body.Remove | Removes a number of bytes from a body. | 1. Number: Byte position where the removal begins; 2. Number: Number of bytes to remove |
| Body.Replace | Replaces a portion of a body with a string. | 1. Number: Byte position where the replacement begins; 2. String: Pattern, either (a) a string embedded in double quotes ("...", can also contain hex values preceded by \) or (b) a sequence of hex values |
| Email.Send | Sends an email. | 1. String: Recipient; 2. String: Subject; 3. String: Body |
| Enable Cache | Enables the web cache. | |
| Enable Composite Opener | Enables the composite opener. | |
| Enable Data Trickling | Enables data trickling. | |
| Enable HTML Opener | Enables the HTML opener. | |
| Enable Next Hop Proxy | Enables the use of next-hop proxies. | |
| Enable RuleEngine Tracing | Enables tracing of the rule processing module. | |
| Enable SSL Client Context | Enables the sending of client certificates. | |
| Enable SSL Scanner | Enables the SSL scanning module. | |
| Enable SafeSearchEnforcer | Enables the SafeSearchEnforcer. | |
| Enable Workaround | Enables a workaround. | |
| FileSystemLogging.WriteDebugEntry | Writes a debugging entry. | 1. String: Debugging entry; 2. Boolean: If true, the entry is written to stdout. |
| FileSystemLogging.WriteLogEntry | Writes an entry into a log. | String: Log entry |
| HTMLElement.InsertAttribute | Inserts an attribute into an HTML element. | 1. String: Attribute name; 2. String: Attribute value |
| HTMLElement.RemoveAttribute | Removes an attribute from an HTML element. | String: Attribute name |


Table -2 List of events (continued)

| Name | Description | Parameters |
| --- | --- | --- |
| HTMLElement.SetAttributeValue | Sets an attribute to a value. | 1. String: Attribute name; 2. String: Value to set the attribute to |
| Header.Add | Adds a header to a request or response. | 1. String: Header name; 2. String: Header value |
| Header.AddMultiple | Adds a header with a list of values to a request or response. | 1. String: Header name; 2. List of String: List of header values |
| Header.Block.Add | Adds a block header to a request or response. | 1. String: Header name; 2. String: Header value |
| Header.Block.AddMultiple | Adds a block header with a list of values to a request or response. | 1. String: Header name; 2. List of String: List of header values |
| Header.Block.RemoveAll | Removes all block headers with a given name from a request or response. | String: Header name |
| Header.RemoveAll | Removes all headers with a given name from a request or response. | String: Header name |
| ICAP.AddRequestInformation | Adds information to an ICAP request. | 1. String: Name of the request; 2. String: Added information |
| MediaType.Header.FixContentType | Replaces a media type header with an appropriate header when it is found after inspection of the media body that the original header does not match the body. | |
| Notice | Writes an entry with notice level into syslog. | String: Log entry |
| PDStorage.AddGlobalData.Bool | Adds global variable of type Bool. | 1. String: Variable key; 2. Boolean: Variable value |
| PDStorage.AddGlobalData.Category | Adds global variable of type Category. | 1. String: Variable key; 2. Category: Variable value |
| PDStorage.AddGlobalData.Dimension | Adds global variable of type Dimension. | 1. String: Variable key; 2. Dimension: Variable value |
| PDStorage.AddGlobalData.Hex | Adds global variable of type Hex. | 1. String: Variable key; 2. Hex: Variable value |
| PDStorage.AddGlobalData.IP | Adds global variable of type IP. | 1. String: Variable key; 2. IP: Variable value |
| PDStorage.AddGlobalData.IPRange | Adds global variable of type IPRange. | 1. String: Variable key; 2. IPRange: Variable value |
| PDStorage.AddGlobalData.List.Category | Adds global variable of type Category List. | 1. String: Variable key; 2. Category List: Variable value |
| PDStorage.AddGlobalData.List.Dimension | Adds global variable of type Dimension List. | 1. String: Variable key; 2. Dimension List: Variable value |
| PDStorage.AddGlobalData.List.Hex | Adds global variable of type Hex List. | 1. String: Variable key; 2. Hex List: Variable value |
| PDStorage.AddGlobalData.List.IP | Adds global variable of type IP List. | 1. String: Variable key; 2. IP List: Variable value |
| PDStorage.AddGlobalData.List.IPRange | Adds global variable of type IPRange List. | 1. String: Variable key; 2. IPRange List: Variable value |


Table -2 List of events (continued)

| Name | Description | Parameters |
| --- | --- | --- |
| PDStorage.AddGlobalData.List.MediaType | Adds global variable of type MediaType List. | 1. String: Variable key; 2. MediaType List: Variable value |
| PDStorage.AddGlobalData.List.Number | Adds global variable of type Number List. | 1. String: Variable key; 2. Number List: Variable value |
| PDStorage.AddGlobalData.List.Regex | Adds global variable of type Regex List. | 1. String: Variable key; 2. Regex List: Variable value |
| PDStorage.AddGlobalData.List.String | Adds global variable of type String List. | 1. String: Variable key; 2. String List: Variable value |
| PDStorage.AddGlobalData.MediaType | Adds global variable of type MediaType. | 1. String: Variable key; 2. MediaType: Variable value |
| PDStorage.AddGlobalData.Number | Adds global variable of type Number. | 1. String: Variable key; 2. Number: Variable value |
| PDStorage.AddGlobalData.Regex | Adds global variable of type Regex. | 1. String: Variable key; 2. Regex: Variable value |
| PDStorage.AddGlobalData.String | Adds global variable of type String. | 1. String: Variable key; 2. String: Variable value |
| PDStorage.AddUserData.Bool | Adds user variable of type Bool. | 1. String: Variable key; 2. Boolean: Variable value |
| PDStorage.AddUserData.Category | Adds user variable of type Category. | 1. String: Variable key; 2. Category: Variable value |
| PDStorage.AddUserData.Dimension | Adds user variable of type Dimension. | 1. String: Variable key; 2. Dimension: Variable value |
| PDStorage.AddUserData.Hex | Adds user variable of type Hex. | 1. String: Variable key; 2. Hex: Variable value |
| PDStorage.AddUserData.IP | Adds user variable of type IP. | 1. String: Variable key; 2. IP: Variable value |
| PDStorage.AddUserData.IPRange | Adds user variable of type IPRange. | 1. String: Variable key; 2. IPRange: Variable value |
| PDStorage.AddUserData.List.Category | Adds user variable of type Category List. | 1. String: Variable key; 2. Category List: Variable value |
| PDStorage.AddUserData.List.Dimension | Adds user variable of type Dimension List. | 1. String: Variable key; 2. Dimension List: Variable value |
| PDStorage.AddUserData.List.Hex | Adds user variable of type Hex List. | 1. String: Variable key; 2. Hex List: Variable value |
| PDStorage.AddUserData.List.IP | Adds user variable of type IP List. | 1. String: Variable key; 2. IP List: Variable value |
| PDStorage.AddUserData.List.IPRange | Adds user variable of type IPRange List. | 1. String: Variable key; 2. IPRange List: Variable value |
| PDStorage.AddUserData.List.MediaType | Adds user variable of type MediaType List. | 1. String: Variable key; 2. MediaType List: Variable value |
| PDStorage.AddUserData.List.Number | Adds user variable of type Number List. | 1. String: Variable key; 2. Number List: Variable value |


Table -2 List of events (continued)

| Name | Description | Parameters |
| --- | --- | --- |
| PDStorage.AddUserData.List.Regex | Adds user variable of type Regex List. | 1. String: Variable key; 2. Regex List: Variable value |
| PDStorage.AddUserData.List.String | Adds user variable of type String List. | 1. String: Variable key; 2. String List: Variable value |
| PDStorage.AddUserData.MediaType | Adds user variable of type MediaType. | 1. String: Variable key; 2. MediaType: Variable value |
| PDStorage.AddUserData.Number | Adds user variable of type Number. | 1. String: Variable key; 2. Number: Variable value |
| PDStorage.AddUserData.Regex | Adds user variable of type Regex. | 1. String: Variable key; 2. Regex: Variable value |
| PDStorage.AddUserData.String | Adds user variable of type String. | 1. String: Variable key; 2. String: Variable value |
| PDStorage.Cleanup | Cleans up persistently stored data. | |
| PDStorage.DeleteAllUserData | Deletes all permanently stored user data. | |
| PDStorage.DeleteGlobalData | Deletes all permanently stored global variables of a given type. | String: Variable key |
| PDStorage.DeleteUserData | Deletes all permanently stored user variables of a given type. | String: Variable key |
| SNMP.Send.Trap.Application | Sends an SNMP trap message with application information. | |
| SNMP.Send.Trap.System | Sends an SNMP trap message with system information. | |
| SNMP.Send.Trap.User | Sends an SNMP trap message with user information. | 1. Number: User ID; 2. String: Message body |
| SNMP.Send.Trap.UserHost | Sends an SNMP trap message with information on the host of the user. | 1. Number: User ID; 2. String: Message body; 3. IP: IP address of the host |
| Statistics.Counter.Increment | Increments a counter. | 1. String: Counter name; 2. Number: Increment value |
| Statistics.Counter.Reset | Resets a counter. | String: Counter name |
| Syslog | Writes an entry into syslog. | 1. Number: Log level (0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 info, 7 debugging); 2. String: Log entry |


List of properties
The table below provides a list of the properties that can be configured in web security rules. The properties are listed in alphabetical order.
Table -3 List of properties

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| Antimalware.Infected | Boolean | If true, an object has been found to be infected. | |
| Antimalware.Proactive.Probability | Number | Probability that an object is malware. Range: 1 to 100. | |
| Antimalware.VirusNames | String List | List with names of viruses that an object has been found to be infected with | |
| Authentication.Attributes | String List | List of user attributes | |
| Authentication.Authenticate | Boolean | If true, the authentication process has been applied to a user. The process sets values for the Authentication.IsAuthenticated, Authentication.UserName, and Authentication.Attributes properties. | |
| Authentication.ClientID | Integer | ID of the client that a user (who the authentication is applied to) sent a request from | |
| Authentication.GetAttributes | Boolean | If true, user attributes were retrieved, resulting in values for the Authentication.Attributes property. | |
| Authentication.IsAuthenticated | Boolean | If true, a user has been successfully authenticated. | |
| Authentication.IsLandingOnServer | Boolean | If true, cookie authentication has been applied for a user. | |
| Authentication.IsServerRequest | Boolean | If true, authentication has been requested under the Authentication Server method. | |
| Authentication.Method | String | Method used for authenticating a user, for example, LDAP | |
| Auth.RawCredentials | String | Credentials retrieved if Authentication.GetAttributes is true | |
| Auth.RawUserName | String | User name retrieved if Authentication.GetAttributes is true | |
| Authentication.Realm | String | Authentication realm, for example, a Windows domain | |
| Authentication.UserName | String | Name of a user that the authentication process has been applied to | |
| Billing.Counter.Get | Number | Total value of a counter | String: Name of the counter |
| Billing.Counter.GetCurrent | Number | Value of a counter achieved during the last (fully completed) minute | String: Name of the counter |
| Block.ID | Number | ID of an action that blocked a request | |
| Block.Reason | String | Name of an action that blocked a request | |
| Body.ChangeHeaderMime | Boolean | If true, the header of a request or response sent for an object has been changed. | |
| Body.ClassID | String | ID of an object class | |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| Body.Equals | Boolean | If true, the body of an object matches the pattern specified by the property parameters. | 1. Integer: Position of the byte where the pattern begins; 2. String: Pattern, either (a) a string embedded in double quotes ("...", can also contain hex values preceded by \) or (b) a sequence of hex values |
| Body.FileName | String | Name of a file that is embedded in the body of an object, for example, an archived file | |
| Body.IsAboveSizeLimit | Boolean | If true, the body of an object is above a given size limit. | |
| Body.IsCompositeObject | Boolean | If true, the body of an object is composite, consisting of multiple parts, for example, embedded in an archive | |
| Body.IsCorruptedObject | Boolean | If true, an archive contained in the body of an object is corrupt. | |
| Body.IsEncryptedObject | Boolean | If true, an archive contained in the body of an object is encrypted. | |
| Body.IsMultiPartObject | Boolean | If true, an archive contained in the body of an object is complex, consisting of multiple parts. | |
| Body.Modified | Boolean | If true, an appliance module has modified the body of an object. | |
| Body.NestedArchiveLevel | Integer | Current level of an archive part in an archive that has archive parts nested in it | |
| Body.NotEquals | Boolean | If false, the body of an object matches the pattern specified by the property parameters. | 1. Integer: Position of the byte where the pattern begins; 2. String: Pattern, either (a) a string embedded in double quotes ("...", can also contain hex values preceded by \) or (b) a sequence of hex values |
| Body.NumberOfChildren | Integer | Number of objects embedded in the body of an object | |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| Body.PositionOfPattern | Long (int64_t) | Position of the byte where a searched-for pattern in the body of an object begins. Returns -1 if the pattern is not found. | 1. String: Pattern that is searched for, either (a) a string embedded in double quotes ("...", can also contain hex values preceded by \) or (b) a sequence of hex values; 2. Integer: Position of the byte where the search for the pattern begins; 3. Integer: Search length (in bytes, 0 means search from offset to end of object) |
| Body.Size | Integer | Size of the body of an object (in bytes) | |
| Body.Text | String | Text in the body of an object | |
| Body.ToString | String | Part of the body of an object (as specified by the property parameters) converted into a string | 1. Integer: Position of the byte where converted part begins; 2. Integer: Length of the converted part (in bytes). 0 for the first parameter and the value of the Body.Size property for the second mean the whole body is converted. |
| Body.UncompressedSize | Integer | Size of the body of an archived object (in bytes) after having been extracted from the archive | |
| Cache.Enabled | Boolean | If true, the cache is enabled. | |
| Cache.ForcedReload | Boolean | If true, a client has requested a reload of the cache. | |
| Cache.IsCacheable | Boolean | If true, an object sent in response from a web server can be stored in the cache. | |
| Cache.IsFresh | Boolean | If true, an object stored in the cache has either been downloaded from the web or has been verified. | |
| Cache.Status | String | Cache status for an object. Values: TCP_HIT (Cache hit), TCP_MISS (Cache miss), TCP_MISS_RELOAD (Client does not allow use of cache), TCP_MISS_VERIFY (Verification failed) | |
| CallErrorHandler | String | ID of an error handler rule set that is processed | |
| Category.ToString | String | Name of a URL category converted into a string | Category: Category that is converted |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| Category.ToShortString | String | Name of a URL category converted into a string that is the category abbreviation | Category: Category that is converted |
| Client.IMLogin | String | Login ID of a client communicating with the appliance under an instant messaging protocol | |
| Client.IMScreenName | String | Screen name of a client communicating with the appliance under an instant messaging protocol | |
| Client.IP | IP | IP address of a client | |
| Command.Categories | String List | Categories a command belongs to, for example, an FTP command | |
| Command.Name | String | Name of a command | |
| Command.Parameter | String | Parameter of a command | |
| Connection.Aborted | Boolean | If true, a read or send call has finally failed on a connection. | |
| Connection.ClientCertificateIsRequested | Boolean | If true, a web server requests a client to submit a certificate. | |
| Connection.Protocol | String | Protocol of a connection, for example, HTTP | |
| Connection.Protocol.IsIM | Boolean | If true, communication on a connection uses an instant messaging protocol. | |
| Connection.SSL.Transparent | Boolean | If true, communication on a connection is SSL-secured and uses a transparent mode. | |
| Cycle.ID | Integer | ID of a processing cycle | |
| Cycle.LastCall | Boolean | If true, processing of data is complete for a cycle. | |
| Cycle.Name | String | Name of a processing cycle | |
| Cycle.TopID | Integer | ID of the cycle (Requests or Responses) that is processed before an object is processed in the Embedded Objects cycle. | |
| Cycle.TopName | String | Name of the cycle (Requests or Responses) that is processed before an object is processed in the Embedded Objects cycle. | |
| DataTrickling.BlockSize | Long | Size of blocks (in bytes) used for data trickling | |
| DataTrickling.BytesPerReceivedBlock | Long | Number of bytes sent for each data block that is received | |
| DataTrickling.Enabled | Boolean | If true, data trickling is used for downloading objects. | |
| DataTrickling.FirstChunkSize | Long | Size of first chunk (in bytes) used for data trickling | |
| DataTrickling.TrickleDuringScan | Boolean | If true, data trickling goes on while an object is scanned. | |
| DateTime.Date.MonthNumber | Number | Number of month | |
| DateTime.Date.MonthDayNumber | Number | Number of day in month | |
| DateTime.Date.WeekDayNumber | Number | Number of day in week (1 is Sunday) | |
| DateTime.Date.Year | Number | Current year (four digits) | |
| DateTime.Date.YearTwoDigits | Number | Current year (last two digits) | |
| DateTime.Time.Hour | Number | Hour (in 24-hours format, for example, 1 p.m. is 13) | |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| DateTime.Time.Minute | Number | Minute in hour | |
| DateTime.Time.Second | Number | Second in minute | |
| DateTime.Time.ToString | String | String representation of current time (in the format specified by the property parameters) | String: 1. %h (for the hour) or %hh (with 0 inserted before a one-digit hour); 2. %m (for the minute) or %mm; 3. %s (for the second) or %ss. If no parameters are specified, the format is: %hh:%mm:%ss |
| DateTime.Date.ToString | String | String representation of current date (in the format specified by the property parameters) | String: 1. %YYYY (for the year) or %YY (last two digits) or %Y (last two digits, but only one digit if the last two digits begin with 0, for example, 9 for 2009); 2. %MM (for the month number with 0 inserted before one-digit numbers) or %M (0 is not inserted, for example, 3 for March and 12 for December); 3. %DD (for the day) or %D. If no parameters are specified, the format is: %YYYY/%MM/%DD |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| DateTime.ToString | String | String representation of current date and time (in the format specified by the property parameters) | As for the DateTime.Time.ToString and DateTime.Date.ToString properties. If no parameters are specified, the format is: %YYYY/%MM/%DD %hh:%mm:%ss |
| DateTime.ToGMTString | String | String representation of current date and time in Greenwich Mean Time format, for example, Mon, 22 March 2010 11:45:36 GMT | |
| DateTime.ToISOString | String | String representation of current date and time in ISO format, for example, 2010-03-22 11:45:36 | |
| DateTime.ToNumber | Number | Number of seconds since beginning of 1/1/1970 (UNIX epoch time) | |
| DNS.Lookup | IP List | List of IP addresses found in a DNS lookup for the specified host name | String: Host name |
| DNS.Lookup.Reverse | String List | List of host names found in a reverse DNS lookup for the specified IP address | IP: IP address of the host name |
| Error.Group | String | Name of an error group, identifying the appliance module that caused the error, for example, the rule processing module or the TrustedSource engine | |
| Error.ID | Number | ID of an error | |
| Error.Message | String | Message text describing an error | |
| Error.Name | String | Unique name of an error | |
| Error.Occurred | Boolean | If true, an error has occurred on the appliance. | |
| FileSystemLogging.MakeAnonymous | String | String made anonymous by appropriate encryption | String: String that is encrypted |
| Header.Block.Exists | Boolean | If true, the block header with the specified name exists. | String: Header name |
| Header.Block.Get | String | First value for the specified block header | String: Header name |
| Header.Block.GetMultiple | String List | List of values for the specified block header | String: Header name |
| Header.Exists | Boolean | If true, the header with the specified name exists. | String: Header name |
| Header.Get | String | First value for the specified header (according to the current processing cycle: request or response header) | String: Header name |
| Header.GetMultiple | String List | List of values for the specified header (according to the cycle) | String: Header name |
| Header.Request.Exists | Boolean | If true, the request header with the specified name exists. | String: Header name |
| Header.Request.Get | String | First value for the specified request header | String: Header name |
| Header.Request.GetMultiple | String List | List of values for the specified request header | String: Header name |
| Header.Response.Exists | Boolean | If true, the response header with the specified name exists. | String: Header name |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| Header.Response.Get | String | First value for the specified response header | String: Header name |
| Header.Response.GetMultiple | String List | List of values for the specified response header | String: Header name |
| HTML.Element.Attribute | String | String representing the numerical value of an attribute belonging to an HTML element | |
| HTML.Element.HasAttribute | Boolean | If true, an HTML element has the specified attribute | String: Attribute name |
| HTML.Element.Dimension | String | String representing the numerical values of the width and height of an HTML element. Returns -1, -1 if the HTML element does not have these dimensions. | |
| HTML.Element.Name | String | Name of an HTML element | |
| ICAP.Policy | String | Name of a policy included in an ICAP request for a URL | |
| ICAP.Reqmod.Header.Exists | Boolean | If true, a response sent from an ICAP server in REQMOD mode contains the specified header. | String: Header name |
| ICAP.Reqmod.Header.Get | String | First value for the specified header contained in the REQMOD response | String: Header name |
| ICAP.Reqmod.Header.GetMultiple | String List | List of values for the specified header contained in the REQMOD response | String: Header name |
| ICAP.Respmod.Header.Exists | Boolean | If true, a response sent from an ICAP server in RESPMOD mode contains the specified header. | String: Header name |
| ICAP.Respmod.Header.Get | String | First value for the specified header contained in the RESPMOD response | String: Header name |
| ICAP.Respmod.Header.GetMultiple | String List | List of values for the specified header contained in the RESPMOD response | String: Header name |
| ICAP.Respmod.EncapsulatedHTTPChanged | Boolean | If true, the ICAP server has changed the HTTP state for the response sent in RESPMOD mode. | |
| IM.Direction | String | Direction of a message sent (from a client or server to the appliance) under an instant messaging protocol | |
| IM.FileName | String | Name of a file transferred under an instant messaging protocol | |
| IM.FileSize | String | Size of a file transferred under an instant messaging protocol | |
| IM.Notification | String | Name of the template used for sending a message to a user communicating with the appliance under an instant messaging protocol | |
| IM.Recipient | String | Name of a client that a file is transferred to under an instant messaging protocol | |
| IM.Sender | String | Name of a sender that sends a file to a client under an instant messaging protocol | |
| List.Category.ByID | Category List | List of URL categories (specified by its ID) | String: List ID |
| List.Category.ByName | Category List | List of URL categories (specified by its name) | String: List name |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| List.Category.Erase | Category List | List of URL categories with specified category erased | 1. Category List: List with category to erase; 2. Integer: Position of category to erase |
| List.Category.EraseElems | Category List | List of URL categories with specified categories erased | 1. Category List: List with categories to erase; 2. Integer: Position of first category to erase; 3. Integer: Position of last category to erase |
| List.Category.EraseList | Category List | List of URL categories with categories that are also on another list erased | 1. Category List: List to erase categories from; 2. Category List: List with categories to erase from first list |
| List.Category.Find | Integer | Position of a URL category on a list | 1. Category List: List with category to find position for; 2. Category: Category to find position for |
| List.Category.Get | Category | URL category (specified by its position on a list) | 1. Category List: List containing the category; 2. Integer: Position of the category on the list |
| List.Category.GetElems | Category List | List of URL categories (extracted from another list) | 1. Category List: List with categories to extract; 2. Integer: Position of first category to extract; 3. Integer: Position of last category to extract |
| List.Category.Insert | Category List | List of URL categories with specified category inserted | 1. Category List: List to insert the category in; 2. Category: Category to insert |
| List.Category.IsEmpty | Boolean | If true, the specified list is empty. | Category List: List to check for being empty |
| List.Category.Join | Category List | List of URL categories created by joining two lists | 1. Category List: First list to join; 2. Category List: Second list to join |
| List.Category.Reverse | Category List | List of URL categories that has its original order reversed | Category List: List in original order |
| List.Category.Size | Integer | Number of URL categories on a specified list | Category List: List to provide number of categories for |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| List.Category.Sort | Category List | List of URL categories sorted in alphabetical order | Category List: List to sort |
| List.Category.ToString | String | List of URL categories converted into a string | Category List: List to convert |
| List.Category.ToShortString | String | List of URL categories converted into a list of their abbreviated name forms | Category List: List to convert |
| List.Dimension.ByID | Dimension List | List of dimensions (specified by its ID) | String: List ID |
| List.Dimension.ByName | Dimension List | List of dimensions (specified by its name) | String: List name |
| List.Dimension.Erase | Dimension List | List of dimensions with specified dimension erased | 1. Dimension List: List with dimension to erase; 2. Integer: Position of dimension to erase |
| List.Dimension.EraseElems | Dimension List | List of dimensions with specified dimensions erased | 1. Dimension List: List with dimensions to erase; 2. Integer: Position of first dimension to erase; 3. Integer: Position of last dimension to erase |
| List.Dimension.EraseList | Dimension List | List of dimensions with dimensions that are also on another list erased | 1. Dimension List: List to erase dimensions from; 2. Dimension List: List with dimensions to erase from first list |
| List.Dimension.Find | Integer | Position of a dimension on a list | 1. Dimension List: List with dimension to find position for; 2. Dimension: Dimension to find position for |
| List.Dimension.Get | Dimension | Dimension (specified by its position on a list) | 1. Dimension List: List containing the dimension; 2. Integer: Position of the dimension on the list |
| List.Dimension.GetElems | Dimension List | List of dimensions (extracted from another list) | 1. Dimension List: List with dimensions to extract; 2. Integer: Position of first dimension to extract; 3. Integer: Position of last dimension to extract |
| List.Dimension.Insert | Dimension List | List of dimensions with specified dimension inserted | 1. Dimension List: List to insert the dimension in; 2. Dimension: Dimension to insert |
| List.Dimension.IsEmpty | Boolean | If true, the specified list is empty. | Dimension List: List to check for being empty |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
| --- | --- | --- | --- |
| List.Dimension.Join | Dimension List | List of dimensions created by joining two lists | 1. Dimension List: First list to join; 2. Dimension List: Second list to join |
| List.Dimension.Reverse | Dimension List | List of dimensions that has its original order reversed | Dimension List: List in original order |
| List.Dimension.Size | Integer | Number of dimensions on a specified list | Dimension List: List to provide number of dimensions for |
| List.Dimension.Sort | Dimension List | List of dimensions sorted in alphabetical order | Dimension List: List to sort |
| List.Dimension.ToString | String | List of dimensions converted into a string | Dimension List: List to convert |
| List.Hex.ByID | Hex List | List of hex values (specified by its ID) | String: List ID |
| List.Hex.ByName | Hex List | List of hex values (specified by its name) | String: List name |
| List.Hex.Erase | Hex List | List of hex values with specified value erased | 1. Hex List: List with hex value to erase; 2. Integer: Position of hex value to erase |
| List.Hex.EraseElems | Hex List | List of hex values with specified values erased | 1. Hex List: List with hex values to erase; 2. Integer: Position of first hex value to erase; 3. Integer: Position of last hex value to erase |
| List.Hex.EraseList | Hex List | List of hex values with values that are also on another list erased | 1. Hex List: List to erase hex values from; 2. Hex List: List with hex values to erase from first list |
| List.Hex.Find | Integer | Position of a hex value on a list | 1. Hex List: List with hex value to find position for; 2. Hex: Hex value to find position for |
| List.Hex.Get | Hex | Hex value (specified by its position on a list) | 1. Hex List: List containing the hex value; 2. Integer: Position of the hex value on the list |
| List.Hex.GetElems | Hex List | List of hex values (extracted from another list) | 1. Hex List: List with hex values to extract; 2. Integer: Position of first hex value to extract; 3. Integer: Position of last hex value to extract |
| List.Hex.Insert | Hex List | List of hex values with specified value inserted | 1. Hex List: List to insert the hex value in; 2. Hex: Hex value to insert |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.Hex.IsEmpty | Boolean | If true, the specified list is empty. | Hex List: List to check for being empty |
| List.Hex.Join | Hex List | List of hex values created by joining two lists | 1. Hex List: First list to join 2. Hex List: Second list to join |
| List.Hex.Reverse | Hex List | List of hex values that has its original order reverted | Hex List: List in original order |
| List.Hex.Size | Integer | Number of hex values on a specified list | Hex List: List to provide number of hex values for |
| List.Hex.Sort | Hex List | List of sorted hex values | Hex List: List to sort |
| List.Hex.ToString | String | List of hex values converted into a string | Hex List: List to convert |
| List.IP.ByID | IP List | List of IP addresses (specified by its ID) | String: List ID |
| List.IP.ByName | IP List | List of IP addresses (specified by its name) | String: List name |
| List.IP.Erase | IP List | List of IP addresses with specified address erased | 1. IP List: List with IP address to erase 2. Integer: Position of IP address to erase |
| List.IP.EraseElems | IP List | List of IP addresses with specified addresses erased | 1. IP List: List with IP addresses to erase 2. Integer: Position of first IP address to erase 3. Integer: Position of last IP address to erase |
| List.IP.EraseList | IP List | List of IP addresses with addresses that are also on another list erased | 1. IP List: List to erase IP addresses from 2. IP List: List with IP addresses to erase from first list |
| List.IP.Find | Integer | Position of an IP address on a list | 1. IP List: List with IP address to find position for 2. IP: IP address to find position for |
| List.IP.Get | IP | IP address (specified by its position on a list) | 1. IP List: List containing the IP address 2. Integer: Position of the IP address on the list |
| List.IP.GetElems | IP List | List of IP addresses (extracted from another list) | 1. IP List: List with IP addresses to extract 2. Integer: Position of first IP address to extract 3. Integer: Position of last IP address to extract |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.IP.Insert | IP List | List of IP addresses with specified address inserted | 1. IP List: List to insert the IP address in 2. IP: IP address to insert |
| List.IP.IsEmpty | Boolean | If true, the specified list is empty. | IP List: List to check for being empty |
| List.IP.Join | IP List | List of IP addresses created by joining two lists | 1. IP List: First list to join 2. IP List: Second list to join |
| List.IP.Reverse | IP List | List of IP addresses that has its original order reverted | IP List: List in original order |
| List.IP.Size | Integer | Number of IP addresses on a specified list | IP List: List to provide number of IP addresses for |
| List.IP.Sort | IP List | List of sorted IP addresses | IP List: List to sort |
| List.IP.ToString | String | List of IP addresses converted into a string | IP List: List to convert |
| List.IPRange.ByID | IP Range List | List of IP address ranges (specified by its ID) | String: List ID |
| List.IPRange.ByName | IP Range List | List of IP address ranges (specified by its name) | String: List name |
| List.IPRange.Erase | IP Range List | List of IP address ranges with specified range erased | 1. IP Range List: List with IP address range to erase 2. Integer: Position of IP address range to erase |
| List.IPRange.EraseElems | IP Range List | List of IP address ranges with specified ranges erased | 1. IP Range List: List with IP address ranges to erase 2. Integer: Position of first IP address range to erase 3. Integer: Position of last IP address range to erase |
| List.IPRange.EraseList | IP Range List | List of IP address ranges with ranges that are also on another list erased | 1. IP Range List: List to erase IP address ranges from 2. IP Range List: List with IP address ranges to erase from first list |
| List.IPRange.Find | Integer | Position of an IP address range on a list | 1. IP Range List: List with IP address range to find position for 2. IP Range: IP address range to find position for |
| List.IPRange.Get | IP Range | IP address range (specified by its position on a list) | 1. IP Range List: List containing the IP address range 2. Integer: Position of the IP address range on the list |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.IPRange.GetElems | IP Range List | List of IP address ranges (extracted from another list) | 1. IP Range List: List with IP address ranges to extract 2. Integer: Position of first IP address range to extract 3. Integer: Position of last IP address range to extract |
| List.IPRange.Insert | IP Range List | List of IP address ranges with specified range inserted | 1. IP Range List: List to insert the IP address range in 2. IP: IP address range to insert |
| List.IPRange.IsEmpty | Boolean | If true, the specified list is empty. | IP Range List: List to check for being empty |
| List.IPRange.Join | IP Range List | List of IP address ranges created by joining two lists | 1. IP Range List: First list to join 2. IP Range List: Second list to join |
| List.IPRange.Reverse | IP Range List | List of IP address ranges that has its original order reverted | IP Range List: List in original order |
| List.IPRange.Size | Integer | Number of IP address ranges on a specified list | IP Range List: List to provide number of IP address ranges for |
| List.IPRange.Sort | IP Range List | List of sorted IP address ranges | IP Range List: List to sort |
| List.IPRange.ToString | String | List of IP address ranges converted into a string | IP Range List: List to convert |
| List.MediaType.ByID | Media Type List | List of media types (specified by its ID) | String: List ID |
| List.MediaType.ByName | Media Type List | List of media types (specified by its name) | String: List name |
| List.MediaType.Erase | Media Type List | List of media types with specified type erased | 1. Media Type List: List with media type to erase 2. Integer: Position of media type to erase |
| List.MediaType.EraseElems | Media Type List | List of media types with specified types erased | 1. Media Type List: List with media type to erase 2. Integer: Position of first media type to erase 3. Integer: Position of last media type to erase |
| List.MediaType.EraseList | Media Type List | List of media types with types that are also on another list erased | 1. Media Type List: List to erase media types from 2. Media Type List: List with media types to erase from first list |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.MediaType.Find | Integer | Position of a media type on a list | 1. Media Type List: List with media type to find position for 2. IP: Media type to find position for |
| List.MediaType.Get | Media Type | Media type (specified by its position on a list) | 1. Media Type List: List containing the media type 2. Integer: Position of the media type on the list |
| List.MediaType.GetElems | Media Type List | List of media types (extracted from another list) | 1. Media Type List: List with media types to extract 2. Integer: Position of first media type to extract 3. Integer: Position of last media type to extract |
| List.MediaType.Insert | Media Type List | List of media types with specified type inserted | 1. Media Type List: List to insert the media type in 2. Media Type: Media type to insert |
| List.MediaType.IsEmpty | Boolean | If true, the specified list is empty. | Media Type List: List to check for being empty |
| List.MediaType.Join | Media Type List | List of media types created by joining two lists | 1. Media Type List: First list to join 2. Media Type List: Second list to join |
| List.MediaType.Reverse | Media Type List | List of media types that has its original order reverted | Media Type List: List in original order |
| List.MediaType.Size | Integer | Number of media types on a specified list | Media Type List: List to provide number of media types for |
| List.MediaType.Sort | Media Type List | List of media types sorted in alphabetical order | Media Type List: List to sort |
| List.MediaType.ToString | String | List of media types converted into a string | Media Type List: List to convert |
| List.Number.ByID | Number List | List of numbers (specified by its ID) | String: List ID |
| List.Number.ByName | Number List | List of numbers (specified by its name) | String: List name |
| List.Number.Erase | Number List | List of numbers with specified number erased | 1. Number List: List with number to erase 2. Integer: Position of number to erase |
| List.Number.EraseElems | Number List | List of numbers with specified numbers erased | 1. Number List: List with number to erase 2. Integer: Position of first number to erase 3. Integer: Position of last number to erase |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.Number.EraseList | Number List | List of numbers with numbers that are also on another list erased | 1. Number List: List to erase numbers from 2. Number List: List with numbers to erase from first list |
| List.Number.Find | Integer | Position of a number on a list | 1. Number List: List with number to find position for 2. Number: Number to find position for |
| List.Number.Get | Number | Number (specified by its position on a list) | 1. Number List: List containing the number 2. Integer: Position of the number on the list |
| List.Number.GetElems | Number List | List of numbers (extracted from another list) | 1. Number List: List with numbers to extract 2. Integer: Position of first number to extract 3. Integer: Position of last number to extract |
| List.Number.Insert | Number List | List of numbers with specified number inserted | 1. Number List: List to insert the number in 2. Number: Number to insert |
| List.Number.IsEmpty | Boolean | If true, the specified list is empty. | Number List: List to check for being empty |
| List.Number.Join | Number List | List of numbers created by joining two lists | 1. Number List: First list to join 2. Number List: Second list to join |
| List.Number.Reverse | Number List | List of numbers that has its original order reverted | Number List: List in original order |
| List.Number.Size | Integer | Number of numbers on a specified list | Number List: List to provide number of numbers for |
| List.Number.Sort | Number List | List of sorted numbers | Number List: List to sort |
| List.Number.ToString | String | List of numbers converted into a string | Number List: List to convert |
| List.Regex.ByID | Regex List | List of regular expressions (specified by its ID) | String: List ID |
| List.Regex.ByName | Regex List | List of regular expressions (specified by its name) | String: List name |
| List.Regex.Erase | Regex List | List of regular expressions with specified expression erased | 1. Regex List: List with regular expression to erase 2. Integer: Position of regular expression to erase |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.Regex.EraseElems | Regex List | List of regular expressions with specified expressions erased | 1. Regex List: List with regular expression to erase 2. Integer: Position of first regular expression to erase 3. Integer: Position of last regular expression to erase |
| List.Regex.EraseList | Regex List | List of regular expressions with expressions that are also on another list erased | 1. Regex List: List to erase regular expressions from 2. Regex List: List with regular expressions to erase from first list |
| List.Regex.Find | Integer | Position of a regular expression on a list | 1. Regex List: List with regular expression to find position for 2. Regex: Regular expression to find position for |
| List.Regex.Get | Regex | Regular expression (specified by its position on a list) | 1. Regex List: List containing the regular expression 2. Integer: Position of the regular expression on the list |
| List.Regex.GetElems | Regex List | List of regular expressions (extracted from another list) | 1. Regex List: List with regular expressions to extract 2. Integer: Position of first regular expression to extract 3. Integer: Position of last regular expression to extract |
| List.Regex.Insert | Regex List | List of regular expressions with specified regular expression inserted | 1. Regex List: List to insert the regular expression in 2. Regex: Regular expression to insert |
| List.Regex.IsEmpty | Boolean | If true, the specified list is empty. | Regex List: List to check for being empty |
| List.Regex.Join | Regex List | List of regular expressions created by joining two lists | 1. Regex List: First list to join 2. Regex List: Second list to join |
| List.Regex.Reverse | Regex List | List of regular expressions that has its original order reverted | Regex List: List in original order |
| List.Regex.Size | Integer | Number of regular expressions on a specified list | Regex List: List to provide number of regular expressions for |
| List.Regex.Sort | Regex List | List of sorted regular expressions | Regex List: List to sort |
| List.Regex.ToString | String | List of regular expressions converted into a string | Regex List: List to convert |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| List.String.ByID | String List | List of strings (specified by its ID) | String: List ID |
| List.String.ByName | String List | List of strings (specified by its name) | String: List name |
| List.String.Erase | String List | List of strings with specified string erased | 1. String List: List with string to erase 2. Integer: Position of string to erase |
| List.String.EraseElems | String List | List of strings with specified strings erased | 1. String List: List with strings to erase 2. Integer: Position of first string to erase 3. Integer: Position of last string to erase |
| List.String.EraseList | String List | List of strings with strings that are also on another list erased | 1. String List: List to erase strings from 2. String List: List with strings to erase from first list |
| List.String.Find | Integer | Position of a string on a list | 1. String List: List with string to find position for 2. String: String to find position for |
| List.String.Get | String | String (specified by its position on a list) | 1. String List: List containing the string 2. Integer: Position of the string on the list |
| List.String.GetElems | String List | List of regular expressions (extracted from another list) | 1. String List: List with regular expressions to extract 2. Integer: Position of first regular expression to extract 3. Integer: Position of last regular expression to extract |
| List.String.Insert | String List | List of regular expressions with specified regular expression inserted | 1. String List: List to insert the regular expression in 2. String: String to insert |
| List.String.IsEmpty | Boolean | If true, the specified list is empty. | String List: List to check for being empty |
| List.String.Join | String List | List of strings created by joining two lists | 1. String List: First list to join 2. String List: Second list to join |
| List.String.Reverse | String List | List of strings that has its original order reverted | String List: List in original order |
| List.String.Size | Integer | Number of strings on a specified list | String List: List to provide number of strings for |
| List.String.Sort | String List | List of strings sorted in alphabetical order | String List: List to sort |
| List.String.ToString | String | List of strings converted into a string | String List: List to convert |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| Math.Abs | Number | Absolute value of the specified number | Number: Number that the absolute value is provided for |
| MediaType.EnsuredTypes | Media Type List | List of media types that are ensured for the media in question with a probability of more than 50% | |
| MediaType.FromFileExtension | Media Type List | List of media types that are found using the file extension of the media in question | |
| MediaType.FromHeader | Media Type List | List of media types that are found using the content-type header sent with the media in question | |
| MediaType.IsCompositeObject | Boolean | If true, an object that is media of the type in question is composite, for example, is an archive. | |
| MediaType.IsSupported | Boolean | If true, an opener module exists on the appliance for the media type in question. | |
| MediaType.MagicBytesMismatch | Boolean | If true, the media type specified in the header sent with media does not match the type that was found on the appliance by examining the magic bytes actually contained in it. | |
| MediaType.NotEnsured | Media Type List | List of media types that are ensured for the media in question with a probability of less than 50% | |
| Message.Directory | String | Name of a directory containing template files for messages sent to users | |
| Message.Language | String | Short form of a language for messages sent to users, for example, en, de, ja | |
| Message.Main.Template | String | Identical name part for different formats of template files for messages sent to users | |
| Message.TemplateName | String | Name of a template file for messages sent to users | |
| NextHopProxy.List | String | ID for a list of next-hop proxies | |
| NextHopProxy.RoundRobin | Boolean | If true, the servers on a next-hop proxy list are called in round-robin mode. If false, they are called in failover mode. | |
| PDStorage.GetUserData.Bool | Bool | User variable of type Bool | Variable Key: String |
| PDStorage.GetUserData.Category | Category | User variable of type Category | Variable Key: String |
| PDStorage.GetUserData.Hex | Hex | User variable of type Hex | Variable Key: String |
| PDStorage.GetUserData.IP | IP | User variable of type IP | Variable Key: String |
| PDStorage.GetUserData.IPRange | IP Range | User variable of type IP Range | Variable Key: String |
| PDStorage.GetUserData.MediaType | MediaType | User variable of type MediaType | Variable Key: String |
| PDStorage.GetUserData.Number | Number | User variable of type Number | Variable Key: String |
| PDStorage.GetUserData.Regex | Regex | User variable of type Regex | Variable Key: String |
| PDStorage.GetUserData.String | String | User variable of type String | Variable Key: String |
| PDStorage.GetUserData.List.Category | Category List | User variable of type Category List | Variable Key: String |
| PDStorage.GetUserData.List.Hex | Hex List | User variable of type Hex List | Variable Key: String |
| PDStorage.GetUserData.List.IP | IP List | User variable of type IP List | Variable Key: String |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| PDStorage.GetUserData.List.IPRange | IP Range List | User variable of type IP Range List | Variable Key: String |
| PDStorage.GetUserData.List.MediaType | Media Type List | User variable of type MediaType List | Variable Key: String |
| PDStorage.GetUserData.List.Number | Number List | User variable of type Number List | Variable Key: String |
| PDStorage.GetUserData.List.Regex | Regex List | User variable of type Regex List | Variable Key: String |
| PDStorage.GetUserData.List.String | String List | User variable of type String List | Variable Key: String |
| PDStorage.GetGlobalData.Bool | Bool | Global variable of type Bool | Variable Key: String |
| PDStorage.GetGlobalData.Category | Bool | Global variable of type Category | Variable Key: String |
| PDStorage.GetGlobalData.Hex | Hex | Global variable of type Hex | Variable Key: String |
| PDStorage.GetGlobalData.IP | IP | Global variable of type IP | Variable Key: String |
| PDStorage.GetGlobalData.IPRange | IP Range | Global variable of type IP Range | Variable Key: String |
| PDStorage.GetGlobalData.MediaType | MediaType | Global variable of type MediaType | Variable Key: String |
| PDStorage.GetGlobalData.Number | Number | Global variable of type Number | Variable Key: String |
| PDStorage.GetGlobalData.Regex | Regex | Global variable of type Regex | Variable Key: String |
| PDStorage.GetGlobalData.String | String | Global variable of type String | Variable Key: String |
| PDStorage.GetGlobalData.List.Category | Category List | Global variable of type Category List | Variable Key: String |
| PDStorage.GetGlobalData.List.Hex | Hex List | Global variable of type Hex List | Variable Key: String |
| PDStorage.GetGlobalData.List.IP | IP List | Global variable of type IP List | Variable Key: String |
| PDStorage.GetGlobalData.List.IPRange | IP Range List | Global variable of type IP Range List | Variable Key: String |
| PDStorage.GetGlobalData.List.MediaType | MediaType List | Global variable of type MediaType List | Variable Key: String |
| PDStorage.GetGlobalData.List.Number | Number List | Global variable of type Number List | Variable Key: String |
| PDStorage.GetGlobalData.List.Regex | Regex List | Global variable of type Regex List | Variable Key: String |
| PDStorage.GetGlobalData.List.String | String List | Global variable of type String List | Variable Key: String |
| ProgressPage.Directory | String | Name of a directory containing progress page files | |
| ProgressPage.Done.Template | String | Name of a template file for indicating that a download is complete | |
| ProgressPage.Enabled | Boolean | If true, a progress page is used for indicating download progress. | |
| ProgressPage.HoldAfterDownload | Number | Time a file is kept after being downloaded | |
| ProgressPage.HoldBeforeDownload | Number | Time a file is kept before being allowed for download after it has been scanned completely | |
| ProgressPage.Language | String | Name of the language used on a progress page | |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| ProgressPage.Template | String | Name of the template file for a progress page | |
| Proxy.IP | IP | IP address used on a connection | |
| Proxy.Port | Integer | Port used for a connection | |
| Proxy.IP | IP | IP address of connection | |
| Proxy.Port | Integer | Port of connection | |
| Quota.AuthorizedOverride.Exceeded | Boolean | If true, the time for an authorized override session has been exceeded. | |
| Quota.AuthorizedOverride.IsActivationRequest | Boolean | If true, an authorized override session is in activation state. | |
| Quota.AuthorizedOverride.RemainingSession | Long (int64_t) | Remaining time for an authorized override session | |
| Quota.AuthorizedOverride.SessionIsActivated | Boolean | If true, an authorized override session has been activated. | |
| Quota.AuthorizedOverride.SessionIsStarted | Boolean | If true, an authorized override session has been started. | |
| Quota.AuthorizedOverride.SessionLength | Long (int64_t) | Time allowed for an authorized override session | |
| Quota.Coaching.Exceeded | Boolean | If true, the time for a coaching session has been exceeded. | |
| Quota.Coaching.IsActivationRequest | Boolean | If true, a coaching session is in activation state. | |
| Quota.Coaching.RemainingSession | Long (int64_t) | Remaining time for a coaching session | |
| Quota.Coaching.SessionIsActivated | Boolean | If true, a coaching session has been activated. | |
| Quota.Coaching.SessionIsStarted | Boolean | If true, a coaching session has been started. | |
| Quota.Coaching.SessionLength | Long (int64_t) | Time allowed for a coaching session | |
| Quota.Time.Exceeded | Boolean | If true, the time quota has been exceeded. | |
| Quota.Time.IsActivationRequest | Boolean | If true, a time quota session is in activation state. | |
| Quota.Time.RemainingDay | Long (int64_t) | Remaining time per day under the configured quota | |
| Quota.Time.RemainingMonth | Long (int64_t) | Remaining time per month under the configured quota | |
| Quota.Time.RemainingSession | Long (int64_t) | Remaining time for a time quota session | |
| Quota.Time.RemainingWeek | Long (int64_t) | Remaining time per week under the configured quota | |
| Quota.Time.SessionIsActivated | Boolean | If true, a time quota session has been activated. | |
| Quota.Time.SessionIsStarted | Boolean | If true, a time quota session has been started. | |
| Quota.Time.SessionLength | Long (int64_t) | Time allowed for a time quota session | |
| Quota.Time.SizePerDay | Long (int64_t) | Time allowed per day under the configured quota | |
| Quota.Time.SizePerMonth | Long (int64_t) | Time allowed per month under the configured quota | |
| Quota.Time.SizePerWeek | Long (int64_t) | Time allowed per week under the configured quota | |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| Quota.Volume.Exceeded | Boolean | If true, the volume quota has been exceeded. | |
| Quota.Volume.IsActivationRequest | Boolean | If true, a volume quota session is in activation state. | |
| Quota.Volume.RemainingDay | Long (int64_t) | Remaining volume per day under the configured quota | |
| Quota.Volume.RemainingMonth | Long (int64_t) | Remaining volume per month under the configured quota | |
| Quota.Volume.RemainingSession | Long (int64_t) | Remaining time for a volume quota session | |
| Quota.Volume.RemainingWeek | Long (int64_t) | Remaining volume per week under the configured quota | |
| Quota.Volume.SessionIsActivated | Boolean | If true, a volume quota session has been activated. | |
| Quota.Volume.SessionIsStarted | Boolean | If true, a volume quota session has been started. | |
| Quota.Volume.SessionLength | Long (int64_t) | Time allowed for a volume quota session | |
| Quota.Volume.SizePerDay | Long (int64_t) | Volume allowed per day under the configured quota | |
| Quota.Volume.SizePerMonth | Long (int64_t) | Volume allowed per month under the configured quota | |
| Quota.Volume.SizePerWeek | Long (int64_t) | Volume allowed per week under the configured quota | |
| Redirect URL | String | URL that a user is redirected to by an authentication or quota rule | |
| Reporting.URL.Categories | Category List | List of all URL categories used on the appliance | |
| Reporting.URL.Reputation | Number List | List of all reputation values used on the appliance | |
| Request.Header.FirstLine | String | First line of a header sent with a request under the HTTP protocol | |
| Request.ProtocolandVersion | String | Protocol and protocol version used when sending a request | |
| Response.ProtocolandVersion | String | Protocol and protocol version used when sending a response | |
| Response.Redirect.URL | String | URL that a user is redirected to when a response has been sent | |
| Response.StatusCode | String | Status code of a response that has been received | |
| Rules.CurrentRuleID | String | ID of the rule that is currently processed | |
| Rules.CurrentRuleName | String | Name of the rule that is currently processed | |
| Rules.EvaluatedRules | String List | List of all rules that have been processed | |
| Rules.EvaluatedRules.Names | String List | List with names of all rules that have been processed | |
| Rules.FiredRules | String List | List of all rules that have applied | |
| Rules.FiredRules.Names | String List | List with names of all rules that have applied | |
| SNMP.Trap.Additional | String | Message sent to a trap under the SNMP protocol | |
| SNMP.Incident.ID | String | ID of an incident that is logged under the SNMP protocol | |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| SNMP.Incident.IDName | String | Text describing the incident | |
| SNMP.Incident.Origin | Number | Number indicating the system that triggered the incident | |
| SNMP.Incident.OriginName | String | Text describing the system | |
| SNMP.Incident.Severity | Number | Severity level of an incident | |
| SNMP.Incident.AffectedHost | IP | IP address of the system that triggered an incident | |
| SSL.HandshakeErrorMessage | String | Text of an error message sent when an SSL handshake has failed | |
| String.BackwardFind | Integer | Position where a substring begins that is found in a specified string by a backward search. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the backward search for the substring starts |
| String.Base64Decode | String | Decoded format of a string specified in base-64 encoded format | String: String in encoded format |
| String.Base64Encode | String | Base-64 encoded format of a specified string | String: String to encode |
| String.BooleanToString | String | Boolean value converted into a string | Boolean: Value to convert |
| String.Concat | String | Concatenation of two specified strings | 1. String: First string to concatenate 2. String: Second string to concatenate |
| String.Dimension.ToString | String | Dimension converted into a string | Dimension: Value to convert |
| String.Find | Integer | Position where a substring begins that is found in a specified string by a forward search. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the forward search for the substring starts |
| String.FindFirstOf | Integer | Position of the first character of a substring found in a specified string. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the search for the substring starts |
| String.FindLastOf | Integer | Position of the last character of a substring found in a specified string. Returns -1 if the substring is not found. | 1. String: String that contains the substring 2. String: Substring 3. Integer: Position where the search for the substring starts |
| String.Hex.ToString | String | Hex value converted into a string | Hex: Value to convert |
| String.IP.ToString | String | IP address converted into a string | IP: Value to convert |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| String.IPRange.ToString | String | IP address range converted into a string | IP Range: Value to convert |
| String.Length | Number | Number of characters of a string | String: String to count characters for |
| String.List.Dimension.ToString | String | List of dimensions converted into a string | Dimension List: List to convert |
| String.List.Hex.ToString | String | List of hex values converted into a string | Hex List: List to convert |
| String.List.IP.ToString | String | List of IP addresses converted into a string | IP List: List to convert |
| String.List.IPRange.ToString | String | List of IP address ranges converted into a string | IP Range List: List to convert |
| String.List.MediaType.ToString | String | List of media types converted into a string | Media Type List: List to convert |
| String.List.Number.ToString | String | List of numbers converted into a string | Number List: List to convert |
| String.List.Regex.ToString | String | List of regular expressions converted into a string | Regex List: List to convert |
| String.Match.Regex | String List | List with terms in a string matching terms in a regular expression | 1. String: String to match 2. Regex: Regular expression to match |
| String.MediaType.ToString | String | Media type converted into a string | Media Type: Value to convert |
| String.Number.ToString | String | Number converted into a string | Number: Value to convert |
| String.NumberVolume.ToString | String | Volume converted into a string and rounded to the appropriate unit, for example, to 1 GB or 3 MB | Number: Volume to convert |
| String.Regex.ToString | String | Regular expression converted into a string | Regex: Value to convert |
| String.Replace | String | String having a substring replaced by another substring | 1. String: String containing the substring 2. Integer: Position where the replacement starts 3. Integer: Number of characters to replace 4. String: Replacing substring |
| String.ReplaceAll | String | String having all occurrences of a substring replaced by another substring | 1. String: String containing the substring 2. String: Replacing substring 3. String: Substring to replace |
| String.ReplaceFirst | String | String having the first occurrence of a substring replaced by another substring | 1. String: String containing the substring 2. String: Replacing substring 3. String: Substring to replace |


Table -3 List of properties (continued)

| Name | Type | Description | Parameters |
|---|---|---|---|
| String.SubString | String | Substring contained in a specified string | 1. String: String containing the substring 2. Integer: Position where the substring begins 3. Integer: Number of characters in the substring. If no number is specified, the substring extends to the end of the original string |
| String.ToNumber | Number | String converted into a number | String: String to convert |
| String.CRLF | String | Carriage return line-feed | |
| String.LF | String | Line-feed | |
| System.HostName | String | Host name of an appliance | |
| System.URLDecode | String | Standard format of URL for an appliance that was specified in encoded format | String: URL in encoded format |
| System.URLEncode | String | Encoded format of a specified URL for an appliance | String: URL to encode |
| System.UUID | String | UUID of an appliance | |
| URL | String | URL of an object | |
| URL.Categories | Category List | List of URL categories that a URL belongs to | |
| URL.CategoriesForURL | Category List | List of URL categories that a particular URL belongs to | |
| URL.DestinationIP | IP | IP address for a requested URL as found in a DNS lookup | |
| URL.Geolocation | String | ISO 3166 code for the country where the host that a URL belongs to is located | |
| URL.GetParameter | String | Specified parameter of a URL in string format | String: Parameter name |
| URL.HasParameter | Boolean | If true, the specified parameter exists in a URL | String: Parameter name |
| URL.Host | String | Host that a URL belongs to | |
| URL.Host | String | Host that a URL belongs to | |
| URL.IsHighRisk | Boolean | If true, the reputation value of a URL falls in the high risk range of values. | |
| URL.IsMediumRisk | Boolean | If true, the reputation value of a URL falls in the medium risk range of values. | |
| URL.IsMinimalRisk | Boolean | If true, the reputation value of a URL falls in the minimal risk range of values. | |
| URL.IsUnverifiedRisk | Boolean | If true, the reputation value of a URL falls in the unverified risk range of values. | |
| URL.Path | String | Path of a URL | |
| URL.Port | | Port of a URL | |
| URL.Protocol | String | Protocol for a URL | |
| URL.Reputation | Reputation | Reputation score for a URL | |
| URL.ReputationForURL | Reputation | Reputation score for a URL as input parameter. | |

McAfee Web Gateway 7.0 Product Guide

261

Appendix: Configuration Lists List of properties

Table -3 List of properties (continued) Name Workaround.IgnoreConflicting ContextLength Workaround.KeepLeadingSlash Workaround.NoPersistentClient Connection Workaround.NoChunkEncoding ToClient Workaround.NoPersistentClient Connection Type Boolean Boolean Boolean Description If true, a conflicting context length sent in a header is ignored. If true, the leading slash in URLs sent under the FTP protocol is kept. If true, no chunk encoding is used in a response sent from the appliance to a client. If true, no chunk encoding is used in a response sent from the appliance to a client. If true, the connection to a client is closed after processing the request sent by the client. Parameters

Boolean

Boolean


Wildcard expressions
When completing configuration jobs on the appliance, you can use wildcard expressions for several purposes, for example, to enter URLs onto blocking lists or whitelists. There are two types of wildcard expressions you can use:

Glob expressions
Using these is the default. For information on some of the special characters used to create Glob expressions, see List of important special Glob characters. Detailed information on using this type of expression is provided, for example, on the following Linux man page: glob(7)

Regular expressions (Regex)
If you want to use these, you need to type the term regex first and then include the regular expression in round brackets, for example: regex(a*b)
For information on some of the special characters used to create regular expressions, see List of important special Regex characters. The Regex expressions used on the appliance follow the Perl Regular Expression syntax. Information on this is provided, for example, on the following Linux man page: perlre(1)

Test a wildcard expression


When you add a wildcard expression to a list, you can test it before actually adding it. The Add Wildcard Expression window provides a Test button for this purpose. Proceed as follows:
1 Go to Policy | Lists (or go to Policy | Rule Sets and access a list by clicking its name in a rule name or criteria).
2 On the Lists tree, go to Wildcard Expressions, select a list, and click Add on the settings pane. The Add Wildcard Expression window opens.
3 Type a wildcard expression in the input field and click Test. The Wildcard Expression Test window opens, providing information on whether the expression matches.


List of important special Glob characters


The table below provides a list of important special characters for creating Glob type wildcard expressions.

Table -4 List of important special Glob characters

Character: ?
Description: (If not between square brackets:) Matches any single character. For example, ?est matches:
best rest test
and others

Character: *
Description: (If not between square brackets:) Matches any string, including the empty string. For example, b* matches:
b best binary3
and others

Character: [...]
Description: Matches any of the single characters included in the square brackets. ? and * are normal characters between square brackets. For example, [a5?] matches:
a 5 ?
Note: The first character must not be an ! (exclamation mark).

Character: !
Description: Matches any single character except those following the exclamation mark. For example, [!ab] matches:
c S %
and others, but not:
a b

Character: -
Description: Is used to denote a range of characters. For example, [a-f A-F 0-5] matches:
d F 3
and others

Character: /
Description: Is not matched by ? or *. Cannot be included in [...] or be part of a range. This means, for example, that http://linux.die.net/* does not match the following pathname:
http://linux.die.net/man/7/glob
However, this pathname is matched by:
http://linux.die.net/*/*/*

Character: \
Description: If preceding ?, *, or [, these are normal characters. For example, [mn\*\[] matches:
m n * [

Character: .
Description: A file name beginning with a . (dot) must be matched explicitly. For example, the command:
rm *
will not remove the file .profile. However, the following command will:
rm .*


List of important special Regex characters


The table below provides a list of important special characters for creating Regex type wildcard expressions.
Note: The examples given here include the term regex and round brackets, as you need to use them when working with these expressions on the appliance.

Table -5 List of important special Regex characters

Character: .
Description: Matches any single character. For example, regex(.est) matches:
best rest test
and others

Character: *
Description: Matches the preceding character zero or more times. For example, regex(a*b) matches:
b ab aaaaaab
and others

Character: +
Description: Matches the preceding character one or more times. For example, regex(c+d) matches:
cd cccccd
and others

Character: ?
Description: Matches the preceding character zero or one times. For example, regex(m?n) matches:
n mn

Character: ^
Description: Matches the beginning of a line.

Character: $
Description: Matches the end of a line.

Character: {...}
Description: Are used to match a character as many times as specified. Options:
a{n} Matches a character n times. For example, regex(a{3}) matches:
aaa
a{n,} Matches a character n and more times. For example, regex(p{4,}) matches:
pppp pppppp
and others
a{n,m} Matches a character between n and m times, including the limiting values. For example, regex(q{1,3}) matches:
q qq qqq

Character: |
Description: Matches alternative expressions. For example, regex(abc|jkl) matches:
abc jkl

Character: (...)
Description: Are used to group characters in an alternative expression. For example, regex(de(r|st)) matches:
der dest

Character: [...]
Description: Matches any of the single characters included in the square brackets. For example, regex([bc3]) matches:
b c 3

Character: -
Description: Is used to denote a range of characters in a bracket expression. For example, regex([c-f C-F 3-5]) matches:
d F 4
and others

Character: ^
Description: Matches any single character in a bracket expression except those following the circumflex accent. For example, regex([^a-d]) matches:
e 7 &
and others, but not:
a b c d

Character: \
Description: (If preceding a special character:) Turns it into a normal character. For example, regex(mn\+) matches:
mn+
(If preceding some normal characters:) Matches a particular class of characters. For information on these classes, refer to the perlre man page or other documentation. The following are examples of frequently used character classes.
regex(\d) matches all digits, such as:
3 4 7
and others
regex(\w) matches all alphabetical characters, such as:
a F s
and others
regex(\D) matches all characters that are not digits, such as:
c T &
and others
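The following Python sketch is an added example, not part of the product guide or the appliance's own code. It applies the rules from the Glob and Regex tables above to sample URLs, so you can see which URLs a blocking list or whitelist entry would cover before you add it. Assumptions: Python's re module stands in for Perl syntax, a regex(...) entry is searched unanchored, the leading-dot rule for file names is not modeled, and the function names and sample URLs are constructed.

```python
import re

def glob_to_regex(glob):
    """Translate a Glob expression into a regex, following the Glob table's rules."""
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        if c == "\\" and i + 1 < n:          # \ makes the next character a normal one
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif c in "?*":                       # ? and * never match /
            out.append("[^/]" if c == "?" else "[^/]*")
            i += 1
        elif c == "[":
            negate = glob[i + 1:i + 2] == "!" # [!...] excludes the listed characters
            j = i + (2 if negate else 1)
            body = []
            while j < n and glob[j] != "]":
                if glob[j] == "\\" and j + 1 < n:
                    j += 1                    # escaped character inside the brackets
                    body.append(re.escape(glob[j]))
                else:                         # a bare - keeps its meaning as a range
                    body.append("-" if glob[j] == "-" else re.escape(glob[j]))
                j += 1
            if j == n or not body:
                raise ValueError("malformed [...] in Glob expression: " + glob)
            out.append("[" + ("^/" if negate else "") + "".join(body) + "]")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def wildcard_matches(expr, candidate):
    """Mimic the Test button: regex(...) is a regular expression, anything else a Glob."""
    if expr.startswith("regex(") and expr.endswith(")"):
        return re.search(expr[6:-1], candidate) is not None  # assumption: unanchored
    return re.fullmatch(glob_to_regex(expr), candidate) is not None

SAMPLE_URLS = [                               # constructed test inputs
    "http://linux.die.net/man",
    "http://linux.die.net/man/7/glob",
    "http://intranet.example.com/",
    "http://intranetXexample.com/",
]

def review(entries, urls=SAMPLE_URLS):
    """Map each list entry to the sample URLs it would match."""
    return {e: [u for u in urls if wildcard_matches(e, u)] for e in entries}
```

Because . matches any single character, the entry regex(^http://intranet.example.com/$) also covers http://intranetXexample.com/. Writing the dots as \. limits the entry to the intended host.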


700-2514A00
