Mcafee Mvision Unified Cloud Edge Getting Started 11-2-2021
Discovering shadow IT
• On-demand scans
• Connected applications
• Cloud registry
Browser isolation
• Enable browser isolation when access to a website is considered a risk
• Enable browser isolation for any website as you consider it appropriate
Technical Content
• Supported Environments for McAfee Mobile Cloud Security (KB91790)
• Configuring global routing manager country and region prefixes (KB87631)
• Cloud Security: McAfee blogs and podcasts
• What is cloud security?
• What is a CASB?
• What is SASE?
• How to secure your data everywhere? It's easy with Unified Cloud Edge
• Think beyond the edge: Why SASE is incomplete without Endpoint DLP
• What is Browser Isolation?
• Remote Browser Isolation data sheet
Task
1. In the welcome email, click Activate.
2. In the dialog box, specify a new password, then click Set Password.
3. Provide the email that you used when signing up, optionally select a language, then click Next.
4. Provide the password that you specified, then click Sign In.
5. Read the McAfee Cloud Services Agreement, select that you understand and agree, then click Agree.
Results
You are logged on to MVISION Cloud, where you can set up access to web setup and web policy by configuring web protection
users and roles.
Task
1. On the MVISION Cloud navigation bar, click the settings icon.
2. From the drop-down list, select Infrastructure → Web Gateway Setup.
3. Click Get Started.
4. In Enter Tenant Authentication Credentials, click Configure.
a. In the New Shared Secret field, enter the new shared secret. The shared secret is the password that secures communication
between Client Proxy and McAfee WGCS.
b. In the Confirm New Shared Secret field, confirm the new shared secret.
c. Click Save.
5. In Define Proxy Server IP Addresses, click Configure.
a. From the Add Proxy drop-down list, enter the host name or IP address of the proxy server and its listening port. Best practice
is to configure two proxy servers, using fully qualified domain names (FQDNs) for the host names and specifying port 8080
for one proxy and port 80 for the other.
b. Click the + icon to configure another proxy server.
c. (Optional) From the Import CSV drop-down list, import the proxy server details from a .csv file.
d. (Optional) From the Export CSV drop-down list, download the configured proxy server list as a .csv file.
e. Click Save.
6. In Determine Proxy Selection Method, click Configure.
◦ First Available — Select this to connect to the first accessible proxy server in the list that you configure. This option is useful
when you prefer a specific server to be used whenever it is reachable.
◦ Automatic Switch Over — Select this to switch automatically to the next available proxy server when the first accessible proxy
server is down. For example, if you have two proxy servers in the list, the first server is down, and the second server is
reachable, Client Proxy selects the second proxy server as the active proxy and redirects endpoint traffic to it. When this
option is selected, Client Proxy also checks periodically whether the first configured proxy server is available again, at the
interval set in the Polling Interval field; when the first configured proxy becomes available, Client Proxy makes it the active
server again and redirects traffic to it. If this option is not selected, Client Proxy does not check for the active server
periodically. This option is available only when you select First Available.
◦ In Polling Interval (10 to 3600 seconds), specify how often Client Proxy checks for the active server in the configured
proxy server list.
◦ Fastest Response Time — Select this to connect to the proxy server that has the fastest response time in the list that you
configure.
◦ Click Save.
7. In Name and Publish Policy, click Configure.
a. Provide a name for the policy.
b. Click Save Policy.
8. Click the yellow badge to publish the saved changes.
9. Click Download to save the Client Proxy policy as an .opg file. Once the Client Proxy software is installed on endpoints, the
clients need this first policy configuration before they can communicate with McAfee WGCS. Rename the .opg file to
MCPPolicy.opg and copy it to this location on the client computers:
◦ Windows-based computers — C:\ProgramData\McAfee\MCP\Policy\Temp
◦ macOS computers — /usr/local/mcafee/mcp/policy
Client Proxy establishes trust with McAfee WGCS and redirects traffic to it using the tenant information and the shared secret, so
treat the shared secret as a credential and distribute it only through the policy file.
Note: Click the yellow badge to publish all your locally saved changes. When you complete the Client Proxy configuration, the
administrators can add proxy servers and customize the Client Proxy policy on the Client Proxy Management UI page.
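The proxy selection methods from step 6 (First Available, Automatic Switch Over with its polling interval, Fastest Response Time), modelled as an added Python example. This is not McAfee code; reachability and latency are injected callables so it runs offline, the proxy host names are hypothetical, and the behaviour when the active proxy fails with switch-over disabled (not spelled out above) is modelled as keeping the active proxy.

```python
"""Client Proxy proxy-selection methods, modelled in Python.

Added example, not McAfee code. Reproduces the three selection methods
described in the Web Gateway Setup steps: First Available, First
Available with Automatic Switch Over (fail over to the next reachable
proxy, poll the first proxy at the configured interval and fail back),
and Fastest Response Time. Host names are hypothetical. Keeping the
active proxy when it fails and switch-over is disabled is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

FIRST_AVAILABLE = "first_available"
FASTEST_RESPONSE = "fastest_response"


@dataclass(frozen=True)
class Proxy:
    host: str   # best practice above: an FQDN
    port: int


@dataclass
class ProxySelector:
    proxies: List[Proxy]                     # in configured order
    method: str = FIRST_AVAILABLE
    auto_switch_over: bool = False           # only valid with FIRST_AVAILABLE
    polling_interval: int = 60               # seconds; the UI allows 10..3600
    is_up: Callable[[Proxy], bool] = field(default=lambda p: True)
    latency: Callable[[Proxy], float] = field(default=lambda p: 0.0)
    active: Optional[Proxy] = None
    last_poll: float = 0.0

    def __post_init__(self) -> None:
        if not self.proxies:
            raise ValueError("configure at least one proxy server")
        if not 10 <= self.polling_interval <= 3600:
            raise ValueError("polling interval must be 10 to 3600 seconds")
        if self.auto_switch_over and self.method != FIRST_AVAILABLE:
            raise ValueError("Automatic Switch Over requires First Available")

    def _first_reachable(self) -> Optional[Proxy]:
        return next((p for p in self.proxies if self.is_up(p)), None)

    def select(self, now: float) -> Optional[Proxy]:
        """Return the proxy to redirect traffic to at time `now` (seconds)."""
        if self.method == FASTEST_RESPONSE:
            reachable = [p for p in self.proxies if self.is_up(p)]
            self.active = min(reachable, key=self.latency) if reachable else None
            return self.active

        if self.active is None:
            # First Available: first reachable server in configured order.
            self.active = self._first_reachable()
            self.last_poll = now
            return self.active

        if not self.auto_switch_over:
            return self.active  # assumption: no periodic re-check, keep active

        if not self.is_up(self.active):
            # Active proxy is down: switch over to the next reachable one.
            self.active = self._first_reachable()
            self.last_poll = now
        elif now - self.last_poll >= self.polling_interval:
            # Poll the first configured proxy; fail back when it is reachable.
            self.last_poll = now
            if self.is_up(self.proxies[0]):
                self.active = self.proxies[0]
        return self.active


if __name__ == "__main__":
    # Constructed scenario: two proxies as recommended above (8080 and 80).
    primary = Proxy("proxy1.example.com", 8080)   # hypothetical host names
    secondary = Proxy("proxy2.example.com", 80)
    status = {primary: True, secondary: True}
    sel = ProxySelector([primary, secondary], auto_switch_over=True,
                        polling_interval=10, is_up=lambda p: status[p])
    print(sel.select(0))      # primary
    status[primary] = False
    print(sel.select(5))      # secondary: switched over
    status[primary] = True
    print(sel.select(10))     # still secondary: only 5 s since the last poll
    print(sel.select(20))     # primary: polled and failed back
```

The polling interval is what bounds how long endpoints keep using the secondary after the primary recovers, so set it with the 10 to 3600 second range in mind rather than leaving the default.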
Web policy
Use MVISION Unified Cloud Edge to protect your organization from security threats that arise when users in your organization
access the web, by enforcing web policy, setting and applying rules to take action when certain conditions for web traffic are met.
The MVISION Unified Cloud Edge platform uses McAfee WGCS to provide control and policy enforcement over web traffic and
shadow cloud services — those not approved for corporate use by IT departments — via forward proxy. Client Proxy is installed
on endpoints. The client software is location-aware, and detects whether users are working inside or outside the network. When
users are outside the network, it directs their traffic to McAfee WGCS for filtering. To manage Client Proxy you can configure the
redirection policy, including bypass lists, in the MVISION Cloud user interface. Policy changes are stored in the Global Policy Store
(GPS) in the cloud. McAfee WGCS reads the GPS when requested by the Client Proxy, which then allows it to permit or block the
request based on the rule set in the policy. When the Client Proxy software redirects HTTP/HTTPS traffic, it adds metadata to the
requests. McAfee WGCS uses the metadata (for example, group membership) when applying web protection policies. When the
Secure Channel option is enabled in Client Proxy, the cloud proxy server certificate is validated against the device certificate
store, establishing a secure connection. Traffic can also be blocked if the validation fails.
MVISION Cloud also uses secure tunnels to secure communication between remote sites, routing traffic through McAfee WGCS,
where it is filtered according to web policy, without first going through the home network. Secure tunnels can be established
using either a dynamic IPsec or GRE protocol. McAfee WGCS uses SAML to authenticate requests received from the remote site
through the secure tunnel.
Traffic from mobile users can be directed through MVISION Unified Cloud Edge using McAfee Mobile Cloud Security. When
McAfee Mobile Cloud Security has been set up on the device, HTTP/HTTPS traffic is redirected to McAfee WGCS for filtering
through a VPN gateway. This is configured through the MVISION Cloud user interface.
1. The web administrator sets up the web components and configures the web policy in the MVISION Cloud UI.
2. The administrator manages Client Proxy policies and selects the active policy. Client Proxy redirects the users' web requests to
McAfee WGCS for filtering according to the location awareness and traffic redirection settings in the active policy.
3. After the administrator sets up the McAfee Mobile Cloud Security solution, software on the mobile devices redirects users'
web requests to McAfee WGCS for filtering.
4. The administrator configures the rules that make up the web policy. McAfee WGCS filters all web requests according to the
configured rules, blocking bad web traffic while allowing good traffic to continue to the internet.
5. The administrator configures an IPsec or GRE tunnel from an office location or remote site to McAfee WGCS. The cloud service
receives web requests through the configured tunnel and filters them according to the web policy.
Access control
The administrator assigns roles to users. The type of role assignment determines the type of access the user has in the assigned
role:
• Read Only — Users have read-only permission.
• Manage — Users have read and write permissions.
• Administrator → Setup & Configuration — Access Web Gateway Setup at Settings → Infrastructure → Web Gateway Setup and complete
the setup tasks.
• Policy Management → Feature Configuration — Access Feature Configuration in the Web Policy UI and configure the features.
• Policy Management → List Catalog — Access the List Catalog in the Web Policy UI and configure the lists.
• Policy Management → Web Policy — Access and configure these areas of the Web Policy UI:
◦ Policy tree — Configure policy rules here.
◦ Block Page Templates — Customize block pages here.
• Policy Management → Web Policy Code — Open the Advanced view of the rules in the Web Policy UI and configure the rules in
code view.
• Usage Analytics Users — Access and configure the web protection dashboard and analytics, as follows:
◦ Dashboards → Web Dashboard
◦ Analytics → Web Traffic
◦ Analytics → Web Malware
Publishing is a web protection function. The publish shield is only visible from the Web Gateway Setup and Web Policy pages in the
MVISION Cloud UI.
Customer ID
Your customer ID:
• Uniquely identifies you in the system.
• Allows Client Proxy, McAfee WGCS, and other web protection components to connect, synchronize, and communicate securely.
1. MVISION Cloud UI — Upload the CA certificate used by the Mobile Device Management (MDM) server software to sign the
device certificates.
2. Administrator interface of your MDM solution — Configure an identity certificate profile for the device and a VPN profile.
Note: You must upload the CA certificate before configuring the MDM solution.
Supported MDM solutions by platform:
• Android — AirWatch, Microsoft Intune, MobileIron
• iOS — AirWatch, Microsoft Intune, MobileIron
McAfee components
• MVISION Cloud — Provides the user interface where administrators configure the mobile cloud security solution.
• VPN Gateway — Separates the mobile cloud security infrastructure from McAfee WGCS and the internet. The VPN Gateway
runs inline with McAfee WGCS.
• McAfee WGCS — Filters HTTP/HTTPS traffic for your organization's mobile devices according to the policy you configure.
Customer-provided components
• MDM solution — The Mobile Device Management server and client software
• Mobile devices — Android or iOS endpoints with MDM client software installed
1. In the UI, the administrator configures the mobile cloud security solution by:
a. Uploading the customer CA certificate, whose private key is used to sign the device certificates
b. Specifying the names of the fields that identify the user name and user group in the device certificates
Note: You must upload the CA certificate before configuring the MDM solution.
2. In the administrator interface of the MDM solution, the administrator:
a. Configures an identity certificate profile for the device.
b. Configures the VPN profile which references the identity certificate profile.
3. When the user logs on to the device and registers it with the MDM server, the software:
a. Signs the identity or device certificate with the CA certificate.
b. Downloads the signed certificate and VPN profile to the device.
4. After the following steps complete, the software on the device starts redirecting HTTP/HTTPS traffic to McAfee WGCS
through the VPN gateway:
a. The device uses the signed certificate to authenticate to the VPN gateway.
b. The VPN gateway creates a secure VPN tunnel with the device.
5. McAfee WGCS filters the HTTP/HTTPS traffic, allowing or blocking web requests according to your policy.
Certificate authorities
McAfee provides these certificate authorities:
• Default certificate authority — We recommend that you download the default CA from the Web Gateway Setup page and deploy
it to the endpoints in your organization. You need this CA to use SAML authentication or see error messages that occur before
you are authenticated.
• Customer certificate authority — When you log on for the first time, McAfee WGCS generates a custom CA for your
organization. You can download and deploy this CA to your endpoints, but for the best protection, we recommend that you
replace the custom CA with your own CA in the UI.
1. HTTPS Connection Options — This rule set allows web requests sent to the configured domains, hosts, WebEx servers, or
Citrix servers to bypass HTTPS scanning and go directly to the internet.
Related features: HTTPS Connection, Certificate Verification Options
SAML authentication:
• Proxy port — Web requests are sent to the dedicated SAML port 8084.
• 1) McAfee WGCS receives a web request on port 8084.
• 2) McAfee WGCS prompts the user for an email address and uses the domain to identify the customer.
Identification by IP range or tunnel source:
• Proxy port — Web requests are sent to HTTP/HTTPS ports 80 and 443.
• 1) McAfee WGCS receives a web request on port 80 or 8080.
• 2) McAfee WGCS identifies the customer based on the configured IP ranges or the IPsec or GRE source.
SAML authentication, continued:
• 5) The identity provider authenticates the user and sends the user name and group information in a SAML response to
McAfee WGCS.
• 6) McAfee WGCS applies the customer's web policy to the user's web request.
Permissions
You need Administrator → Setup & Configuration permissions to access the Web Gateway Setup UI and configure SAML authentication.
Permissions
You need Administrator → Setup & Configuration permissions to access the Web Gateway Setup UI and configure your locations.
Protocol | Network prefix (bits) | CIDR notation (example) | Specified IP address range
Configuration needed
To build an IPsec or GRE tunnel, you must configure:
• IPsec or GRE tunnel mapping in the MVISION Cloud UI
• IPsec or GRE tunnel interfaces on your networking device or in your SD-WAN service
SD-WAN solutions
You can build tunnels from any standard SD-WAN solution to McAfee WGCS. The following SD-WAN solutions have been tested
and validated with McAfee WGCS.
• Cisco
• Citrix
• Fortinet
• Silverpeak
• Versa
• VMware
IKE version 1 or 2
Permissions
You need Administrator → Setup & Configuration permissions to access the Web Gateway Setup UI and configure the privacy settings.
Web Dashboard
Web Dashboard provides a summary of web malware and web traffic activity. By default, it displays data for the last 7 days.
The dashboard gives quick access to the top web requests and trends.
Protect against data loss by applying classifications in data protection policies that trigger actions and generate incidents when
sensitive data is identified.
1. Start by defining and classifying sensitive data that needs to be protected with the Classifications editor.
2. Protect sensitive data by applying CASB or Web Data Protection rules.
3. Review incidents in the Policy Incidents page in MVISION Cloud to see potential policy violations and to fine-tune existing policies.
What a DLP policy can include when it is created using the Policy
Wizard
A Data Loss Prevention (DLP) policy consists of rules for preventing classified data from leaking out, which you can create using
the Policy Wizard with the complexity that is required to ensure your data is secure.
A DLP rule that you create with the Policy Wizard basically includes two parts:
• Condition — Specifies what must be the case for the rule to apply.
This involves the type of classified data that has been detected by the DLP functions of MVISION Unified Cloud Edge, for
example, in a document.
On the user interface, you see the condition displayed, for example, as:
IF Classification is Confidential
Scope restriction
When you are working with the Policy Wizard to create a DLP policy, it applies by default to all traffic originating from cloud user
activities relating to your data. You can restrict this scope according to the following parameters:
• Client IP address
• Connection IP address
• Location
• Service
• Service Group
• User name
• User group
• Web (URL) category
For example, you can set the scope of a policy to let it apply only to traffic originating from cloud activities of users in Santa Clara
and San Jose.
Furthermore, you can let it apply only when these users work with the Dropbox cloud service. And you can let it apply to all of
them except for one individual user whose name is Bob Miller.
On the user interface, you would see this scope displayed as:
IF Location is one of Santa Clara | San Jose AND Service is Dropbox AND User name is not bmiller@mycompany.com
Complex response
You can make the response of a rule in a DLP policy complex by configuring multiple measures for it. The following parameters
are involved here:
• Severity level — Setting it is required in a response.
On the user interface, you see this displayed, for example, as:
THEN Severity is High
• Rule action — Setting at least one is required for a sanctioned policy. More actions can be added.
For a Shadow/Web Policy, a Block action can be set optionally.
On the user interface, you would see, for example, the following displayed when email with classified data is detected and
a response is triggered under a sanctioned policy:
THEN Quarantine AND Send Email Notification to dlpadmin@mycompany.com
Multiple rules
You can make a DLP policy complex by including multiple rules in it.
On the user interface, you see this displayed, for example, as:
Rule Group 1: IF Classification is Top Secret THEN Severity is Critical AND Block
or
Rule Group 2: IF Classification is Confidential THEN Severity is Major AND Block
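The condition, scope restriction, response and multiple rule groups described above, put together in an added Python example. This is not McAfee code and not how the Policy Wizard is implemented; the activity records, user names and locations are constructed for the example and hypothetical.

```python
"""Evaluator for DLP rules of the shape the Policy Wizard builds.

Added example, not McAfee code. Models the parts described above: the
condition (IF Classification is ...), the scope restriction (location,
service, user name, user group), the response (THEN Severity ... AND
actions), and multiple rule groups combined with OR. Activities, users
and locations are constructed and hypothetical.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass
class Activity:
    """One cloud activity as the DLP functions would see it."""
    classification: str
    user: str
    location: str
    service: str
    user_group: str = ""


@dataclass
class Scope:
    """Scope restriction; None means the parameter is unrestricted."""
    location_in: Optional[Set[str]] = None
    service_is: Optional[str] = None
    user_group_in: Optional[Set[str]] = None
    user_not_in: Set[str] = field(default_factory=set)

    def applies(self, a: Activity) -> bool:
        if self.location_in is not None and a.location not in self.location_in:
            return False
        if self.service_is is not None and a.service != self.service_is:
            return False
        if self.user_group_in is not None and a.user_group not in self.user_group_in:
            return False
        return a.user not in self.user_not_in


@dataclass
class RuleGroup:
    name: str
    classification: str          # IF Classification is <value>
    severity: str                # THEN Severity is <value>
    actions: List[str]           # AND Block / Quarantine / Send Email Notification ...
    scope: Scope = field(default_factory=Scope)


@dataclass
class Incident:
    rule: str
    severity: str
    actions: List[str]


def validate(rules: Iterable[RuleGroup], sanctioned: bool) -> None:
    """Severity is always required; a sanctioned policy also needs at least
    one action per rule, while a Shadow/Web policy may omit Block."""
    for r in rules:
        if not r.severity:
            raise ValueError(f"{r.name}: severity is required")
        if sanctioned and not r.actions:
            raise ValueError(f"{r.name}: a sanctioned policy needs an action")


def evaluate(rules: List[RuleGroup], a: Activity) -> Optional[Incident]:
    """Rule groups are OR-ed: the first group whose scope and
    classification both match produces the incident."""
    for r in rules:
        if r.scope.applies(a) and a.classification == r.classification:
            return Incident(r.name, r.severity, list(r.actions))
    return None


# Constructed policy mirroring the examples above (hypothetical names).
SCOPE = Scope(location_in={"Santa Clara", "San Jose"}, service_is="Dropbox",
              user_not_in={"bmiller@mycompany.com"})
POLICY = [
    RuleGroup("Rule Group 1", "Top Secret", "Critical", ["Block"], SCOPE),
    RuleGroup("Rule Group 2", "Confidential", "Major",
              ["Quarantine", "Send Email Notification to dlpadmin@mycompany.com"],
              SCOPE),
]
validate(POLICY, sanctioned=True)

if __name__ == "__main__":
    print(evaluate(POLICY, Activity("Confidential", "asmith@mycompany.com",
                                    "San Jose", "Dropbox")))   # Rule Group 2, Major
    print(evaluate(POLICY, Activity("Confidential", "bmiller@mycompany.com",
                                    "San Jose", "Dropbox")))   # None: excluded user
```

Note that the user-name exclusion is evaluated as part of the scope, so an excluded user produces no incident at all, not a lower-severity one; when you fine-tune a policy from the Policy Incidents page, an exclusion removes visibility as well as enforcement.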
Rules
Rules are grouped in rule sets under the following headings in the Web Policy UI. The headings are branches in the policy tree. The
rule engine processes rule sets, proceeding from the top to the bottom of the policy tree until all rule sets are processed or
processing is stopped by a rule action. For example, when a rule blocks a web request, processing is stopped. The order of the
branches, rule sets, and rules can't be changed.
1 Global Bypass
2 HTTPS Scanning
3 Global Block
4 Common Rules
5 Web Filtering
6 Content Inspection
7 Application Control
8 Media Type
10 Threat Protection
Rule sets are processed in cycles, each cycle corresponding to a web request or a web response. Web requests are sent from the
user to the web, while web responses are sent from the web to the user. A web response is always sent in response to a web
request.
Each rule set applies to web requests or web responses or sometimes, to both requests and responses. The rule engine only
processes the rule sets that apply to the current request or response, skipping any rule sets that do not apply. For example, the
Global Block rule set only applies to web requests. The rule engine processes the Global Block rule set during request cycles, but
skips the rule set during response cycles.
Lists
Many rules use lists that you configure. For example, the Skip Content Decryption for these Categories rule compares the category
of the URL requested by the user to the list of URL categories configured for the rule. If there is a match, the web request is
allowed to skip HTTPS decryption and processing continues with the next rule set. If there is no match, the web request is not
allowed to skip HTTPS decryption.
Rule: Skip Content Decryption for these Categories
• List: URL categories
• Possible results: matches in list; does not match in list
• Matches in list = skip HTTPS decryption
• Does not match in list = continue with HTTPS decryption
You configure the list with the URL categories that you consider safe. Web requests sent to the URL categories in the list do not
require decryption and content inspection.
You can configure the lists with the rule sets, or you can configure them separately in the Policy → Web Policy → List Catalog UI.
You can configure the settings with the rule sets, or you can configure them separately in the Policy → Web Policy → Feature
Configuration UI.
Permissions
With Web Policy permissions, you can manage the web policy, which includes configuring the rules, lists, and features that make it
up. To view and directly edit the policy code underlying the rule sets, you need Web Policy Code permissions. The Code View feature is
intended for advanced users.
• Domains block list — Criterion: the requested domain is in the list configured for this rule.
◦ Matches in list = the traffic is blocked, and rule processing stops.
◦ Does not match in list = rule processing continues with the next rule.
• Domains bypass — Criterion: the requested domain is in the list configured for this rule.
◦ Matches in list = the traffic is allowed, and rule processing stops.
◦ Does not match in list = rule processing continues with the next rule.
• Skip Content Decryption for these Categories — Criterion: the requested URL category is in the list configured for this rule.
◦ Matches in list = rule processing skips the remaining rules in the rule set and continues with the next rule set.
◦ Does not match in list = rule processing continues with the next rule.
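The top-to-bottom walk over the policy tree, the request and response cycles, and the three list-rule outcomes just described (block and stop, bypass and stop, skip the rest of the rule set), modelled in an added Python example. This is not McAfee code; the rule sets, lists and transactions are constructed for the example, and which rule sets apply to which cycle (beyond Global Block being request-only) is an assumption.

```python
"""Model of how the Web Policy rule engine walks the policy tree.

Added example, not McAfee code. Rule sets are processed top to bottom in
request and response cycles; a rule set that does not apply to the
current cycle is skipped; a Domains block list or Domains bypass match
stops processing; a Skip Content Decryption match skips the rest of its
rule set and continues with the next one. Lists and transactions are
constructed; cycle assignments other than Global Block are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

STOP, NEXT_RULE, NEXT_RULE_SET = "stop", "next_rule", "next_rule_set"


@dataclass
class Transaction:
    domain: str
    category: str
    https: bool
    cycle: str = "request"        # "request" or "response"
    decrypt: bool = True          # HTTPS content inspection applies
    body_infected: bool = False   # only meaningful in the response cycle


@dataclass
class Outcome:
    verdict: Optional[str] = None               # "block" or "allow"
    trace: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    matches: Callable[[Transaction], bool]
    action: Callable[[Transaction, Outcome], str]   # returns a flow-control value


@dataclass
class RuleSet:
    name: str
    cycles: Set[str]              # cycles this rule set applies to
    rules: List[Rule]


def block(t: Transaction, o: Outcome) -> str:
    o.verdict = "block"
    return STOP


def bypass(t: Transaction, o: Outcome) -> str:
    o.verdict = "allow"
    return STOP


def skip_decryption(t: Transaction, o: Outcome) -> str:
    t.decrypt = False
    return NEXT_RULE_SET


def run(policy: List[RuleSet], t: Transaction) -> Outcome:
    """Process one cycle (request or response) over the whole policy tree."""
    out = Outcome()
    for rs in policy:
        if t.cycle not in rs.cycles:
            out.trace.append(f"skip {rs.name}")
            continue
        for rule in rs.rules:
            if not rule.matches(t):
                continue
            out.trace.append(f"{rs.name}/{rule.name}")
            flow = rule.action(t, out)
            if flow == STOP:
                return out
            if flow == NEXT_RULE_SET:
                break
    out.verdict = out.verdict or "allow"   # nothing blocked: let it through
    return out


# Constructed lists (hypothetical names). A domain on both lists is allowed,
# because Global Bypass sits above Global Block in the tree.
BYPASS_DOMAINS = {"updates.example.com"}
BLOCK_DOMAINS = {"bad.example.net", "updates.example.com"}
SAFE_CATEGORIES = {"Financial Data", "Health"}

POLICY = [
    RuleSet("Global Bypass", {"request"},
            [Rule("Domains bypass", lambda t: t.domain in BYPASS_DOMAINS, bypass)]),
    RuleSet("HTTPS Scanning", {"request"},
            [Rule("Skip Content Decryption for these Categories",
                  lambda t: t.https and t.category in SAFE_CATEGORIES, skip_decryption)]),
    RuleSet("Global Block", {"request"},
            [Rule("Domains block list", lambda t: t.domain in BLOCK_DOMAINS, block)]),
    # Response-cycle scanning can only see a body that was decrypted.
    RuleSet("Threat Protection", {"response"},
            [Rule("Block If Virus Was Found",
                  lambda t: t.decrypt and t.body_infected, block)]),
]

if __name__ == "__main__":
    print(run(POLICY, Transaction("bad.example.net", "News", https=False)))
    print(run(POLICY, Transaction("bank.example.org", "Financial Data", https=True)))
```

The last rule set makes the caveat visible: a category placed on the skip-decryption list is not only exempt from decryption but also from every response-cycle inspection that needs the body, so keep that list to categories you genuinely consider safe.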
• Certificate Authority — Lists of trusted root CAs. Used by many policy rules and features.
• Host and Certificate — Lists of host name and certificate pairs. Used to allow certificates that are otherwise invalid, for example,
certificates that recently expired.
• IP range — Lists of IPv4 or IPv6 address ranges. Used by many policy rules and features. Specify IP address ranges using:
◦ A starting IP address and ending IP address separated by a hyphen
◦ CIDR notation
• Number — Lists of numbers. Used by many policy rules and features.
• Regular expression — Lists of regular expressions. Used for string matching. Format: Perl regular expression syntax.
• Smart Match — Lists of mixed URLs, host names, IP addresses, and domains. Used by policy rules and features that support
smart match.
• String — Lists of strings. Used by many policy rules and features.
User-defined lists
Initially, user-defined lists are empty. To populate a user-defined list with list items, you can add them individually or import them
from a .csv file. McAfee WGCS validates all list items and flags invalid items with error messages.
McAfee-maintained lists
McAfee maintains lists for you to use in policies and keeps them up-to-date.
• Subscribed lists — These lists are updated dynamically when new information is available.
• System lists — These lists only occasionally need updating.
McAfee-maintained lists are populated with list items and can't be changed or deleted. To identify lists that are maintained by
McAfee, select the name in the List Catalog, then view the URL in the browser address field.
• Names of subscribed lists — Begin with "McAfee_" in the URL.
Example URL string for a subscribed list:
How smart match URLs are formatted and matches are made
• domain — Format: the domain is required if there is no path. Match: URLs that match the domain result in a true value. If the
smart match URL includes a subdomain in addition to a domain, URLs that match must have one of these formats:
◦ subdomain.domain.tld
◦ domain.tld
• path — Format: the path is required if there is no domain. Match: URLs that match the path result in a true value. If the smart
match URL includes a path and subpath, URLs that match must have one of these formats:
◦ /path/subpath
◦ /path
• domain/path — Format: this format is allowed. Match: URLs that match the domain, the path, or both URL components result in
a true value.
http://www.myorg.com:8080/path https://www.myorg.com:8080 no
http://www.myorg.com:8080 yes
http://www.myorg.com yes
www.myorg.com:8080 yes
university.edu yes
/research/alumni yes
/research yes
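The smart match rules above (domain with optional subdomain, path with optional subpath, domain/path true on either component), implemented as an added Python example. This is not McAfee's matcher. Beyond what the table states, it assumes that a domain-only entry also matches subdomains, that a scheme or port given in the entry must agree with the request when the request carries one, and that host comparison is case-insensitive.

```python
"""Smart match list semantics, implemented from the format table above.

Added example, not McAfee code. An entry may carry a domain (with or
without subdomain), a path (with or without subpath), or both.
Assumptions beyond the text: a two-label entry such as myorg.com matches
that domain and any subdomain; an entry's scheme or port must match the
request when the request has one; host matching is case-insensitive.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Parts:
    scheme: str
    host: Optional[str]
    port: Optional[int]
    path: str


def parse(text: str) -> Parts:
    """Split an entry or request URL. Bare host names get a '//' prefix so
    urlsplit does not read 'host:port' as 'scheme:path'."""
    if "://" not in text and not text.startswith("/"):
        text = "//" + text
    u = urlsplit(text)
    return Parts(u.scheme.lower(), u.hostname, u.port, u.path)


def host_matches(entry: str, host: Optional[str]) -> bool:
    if not host:
        return False
    labels = entry.split(".")
    if len(labels) > 2:
        # subdomain.domain.tld in the entry: the request must be exactly that
        # name or the bare domain.tld (the two formats in the table above)
        return host in (entry, ".".join(labels[-2:]))
    # domain.tld in the entry: the domain itself or any subdomain (assumption)
    return host == entry or host.endswith("." + entry)


def path_matches(entry: str, path: str) -> bool:
    if not entry or not path:
        return False
    segs = entry.strip("/").split("/")
    # /path/subpath in the entry matches /path/subpath or /path, nothing deeper
    allowed = {"/" + "/".join(segs[:i]) for i in range(1, len(segs) + 1)}
    return path.rstrip("/") in allowed


def smart_match(entry: str, url: str) -> bool:
    """True if the requested URL matches the smart match entry."""
    e, r = parse(entry), parse(url)
    if e.scheme and e.scheme != r.scheme:
        return False
    if e.port and r.port and e.port != r.port:
        return False
    by_host = bool(e.host) and host_matches(e.host, r.host)
    by_path = bool(e.path) and path_matches(e.path, r.path)
    # domain/path entries are true on either component; single-component
    # entries can only be true on the component they carry
    return by_host or by_path


if __name__ == "__main__":
    for entry, url in [("www.myorg.com", "http://myorg.com/"),
                       ("/research/alumni", "https://any.example/research"),
                       ("http://www.myorg.com:8080/path", "https://www.myorg.com:8080")]:
        print(entry, url, smart_match(entry, url))
```

The path rule is the one worth checking when you populate a bypass list: an entry of /research/alumni lets /research through as well, which is a broader exemption than the entry reads.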
Feature Config UI
When configuring feature settings in the Feature Config UI, you can:
• Create a new configuration — Select a feature, then click New Configuration.
• Clone and edit a configuration — Select a default or user-defined configuration, then select Clone and edit from the Actions
drop-down list. You can edit the configuration after cloning it.
• Delete a configuration — Select a user-defined configuration, then select Delete from the Actions drop-down list.
1. Add the rule set from the rule set group menu in the policy tree or from the list on the Getting Started page.
2. Select and configure the rules.
3. Complete the additional required configuration.
4. Set the rule set status to on.
5. Publish your changes to the cloud for the rules to take effect.
• Activity Control — This rule set gives you fine-grained control over the cloud services in the Service Catalog, allowing you to
select which activities you want blocked instead of blocking entire services. For example, you can select Box from the Service
Catalog, then select download and upload activities for blocking, while allowing edit and post activities. Before you can
configure these rules, you must add cloud services from the Service Catalog.
Prerequisites:
◦ Add a cloud service from the Service Catalog
• Advanced Threat Defense — This rule set sends web objects to Gateway ATD for in-depth static and dynamic analysis according
to the rules that you configure. For example, you can allow some media types to skip ATD processing, while requiring other
media types to be processed by ATD.
Prerequisites:
• Application Blocking — This rule set blocks access to configured groups of cloud services called Service Groups. Before you
can add Service Groups to this rule set, you must create them.
Prerequisites:
• DLP Dictionary — This rule set blocks the transfer of sensitive information outside your organization according to the DLP
dictionary rules that you configure. For this rule set to work for your organization, you must customize the default DLP
Dictionary.
Prerequisites:
◦ Customize the default DLP Dictionary
• DLP ICAP Server — This rule set sends files to DLP ICAP servers according to the rules that you configure. For example, you
can send all files or send only the file types that you specify. For the DLP ICAP server rules to take effect, you must configure
at least one DLP ICAP server.
Prerequisites:
• Next Hop Proxy — This rule set forwards web traffic to proxy servers according to the next hop proxy rules that you configure.
For example, you can forward all traffic or forward only risky traffic. For the next hop proxy rules to take effect, you must
configure at least one proxy server. Adding more than one proxy server enables round robin load balancing.
Prerequisites:
◦ Add a proxy server. Required settings: host name or IP address, port number
• Tenant Restriction — This rule set blocks users from accessing sanctioned cloud services through their personal accounts, while
allowing access to these services through the accounts that you configure. To configure each tenant restriction rule, you need
these application-specific details.
Prerequisites:
◦ Amazon Web Services (AWS) — Allowed AWS Account IDs
• YouTube Control — This rule set filters YouTube traffic according to the rules you configure. For example, you can block traffic
by title or category and allow or block traffic by channel. McAfee WGCS filters traffic by checking the metadata sent with a
video stream over the YouTube API. Before you can configure the YouTube rules, you must provide your YouTube API key.
Prerequisites:
◦ Get a YouTube API key through Google APIs
Coaching rules
Coaching is implemented like blocking through rules. The rules are supported by lists that you fill with entries. You can, for
example, enter the URL categories or domain names of the websites you want to apply coaching to. Or you can enter groups of
services you want to allow coached access to.
Coaching page
When coaching is enabled, for example, for a website, users who attempt to access it will not see a block page, but a coaching
page.
This page informs users that access to the requested website is blocked, but that it can be accessed with a business reason. Users
confirm that they have a business reason by clicking the appropriate button on the page.
1. Anti-Malware module — Using signature-based antivirus technology with URL category and reputation data from McAfee®
Global Threat Intelligence™ (McAfee GTI), the Anti-Malware module filters known threats from web traffic, while allowing
known good traffic to pass. This step of the process detects most web-based threats.
McAfee GTI evaluates website reputation based on past behavior and assigns websites to categories of high, medium, low, or
unverified risk. It collects, analyzes, and distributes data in real time from millions of sensors worldwide.
2. Gateway Anti-Malware engine — The Gateway Anti-Malware engine then inspects the suspicious unknown traffic. Using
emulation technology, it observes dynamic web content and active code in a controlled environment. This step of the process
detects most remaining web-based threats. Known as zero-day malware, these threats are new or changed malware files that
do not have signatures yet.
3. Advanced Threat Defense — McAfee® Advanced Threat Defense uses static analysis of unknown files combined with
dynamic analysis in a sandbox environment and machine learning to increase detection of zero-day malware and
ransomware, detecting nearly all remaining web-based threats.
Note: McAfee WGCS supports integration with Advanced Threat Defense software that you install and run, as long as McAfee
WGCS can connect to your Advanced Threat Defense instance.
User buckets
Seats allotted to users are recorded in three buckets that track seat usage over particular periods of time. Usage during the last
twelve hours is recorded in the first bucket, usage during the twelve hours before that in the second bucket, and usage during the
twelve hours before that in the third bucket.
When a user requests a Full Isolation browser session, former seat usage is checked for this user, beginning with the first bucket.
If a user has been using a seat during the last twelve hours, the check is positive, and further usage is allowed.
Otherwise checking continues with the second and third buckets. A user who was active on a seat during one of the twelve-hour
intervals recorded in these buckets is moved up to the first bucket.
A user who cannot be found in any of the three buckets is entered in the first bucket if the overall seat limit has not been reached
yet. Otherwise, no free seat is available, which means the user's request to start another Full Isolation browser session is
rejected.
VIP users
A user can be awarded VIP user status and entered in a VIP list. VIP users have seats reserved for their requests to apply Full
Isolation to their browser sessions.
Seats cannot be reserved for all VIP users on the list if their number is higher than the total number of available seats or if a user
is added to the VIP list while all available seats are occupied by VIP and other users.
Using a VIP list can impact other users who might not be able to apply Full Isolation to their browser sessions even if free seats
are available, but reserved for VIP users.
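The three-bucket seat accounting and VIP reservation just described, modelled in an added Python example. This is not McAfee code; time is injected so it runs offline, the user names are hypothetical, and because the text does not say how the buckets roll over at the twelve-hour boundary, a fixed twelve-hour window starting at construction time is assumed.

```python
"""Full Isolation seat accounting: three twelve-hour buckets and a VIP list.

Added example, not McAfee code. Bucket 0 holds users active in the last
twelve hours, bucket 1 the twelve hours before that, bucket 2 the twelve
hours before that. A user found in a later bucket moves up to bucket 0;
an unknown user gets a seat only while the limit is not reached; VIP
users have seats held back for them, which can leave a non-VIP without a
seat although seats are free. Fixed twelve-hour windows from the start
time are an assumption; user names are hypothetical.
"""
from typing import Iterable, List, Set

TWELVE_HOURS = 12 * 3600


class SeatTracker:
    def __init__(self, seat_limit: int, vip: Iterable[str] = (), start: float = 0.0):
        self.seat_limit = seat_limit
        self.vip: Set[str] = set(vip)
        self.buckets: List[Set[str]] = [set(), set(), set()]   # 0 = most recent
        self.window_start = start   # start of bucket 0's twelve-hour window

    def _roll(self, now: float) -> None:
        """Shift buckets by the number of whole twelve-hour windows elapsed."""
        shifts = int((now - self.window_start) // TWELVE_HOURS)
        if shifts <= 0:
            return
        new: List[Set[str]] = [set(), set(), set()]
        for i, bucket in enumerate(self.buckets):
            if i + shifts < 3:
                new[i + shifts] = bucket      # anything older falls off the end
        self.buckets = new
        self.window_start += shifts * TWELVE_HOURS

    def seated(self) -> Set[str]:
        return set().union(*self.buckets)

    def request_session(self, user: str, now: float) -> bool:
        """Return True if `user` may start a Full Isolation session at `now`."""
        self._roll(now)
        for i, bucket in enumerate(self.buckets):
            if user in bucket:
                if i:                          # seen in an older bucket: move up
                    bucket.discard(user)
                    self.buckets[0].add(user)
                return True
        occupied = self.seated()
        if user in self.vip:
            granted = len(occupied) < self.seat_limit
        else:
            # hold seats back for VIPs who are not currently seated; if the VIP
            # list is larger than the free seats the reservation cannot be
            # honoured in full (the caveat in the text above)
            reserved = len(self.vip - occupied)
            granted = len(occupied) + reserved < self.seat_limit
        if granted:
            self.buckets[0].add(user)
        return granted


if __name__ == "__main__":
    tracker = SeatTracker(seat_limit=2, vip={"vip1"})
    print(tracker.request_session("alice", 0))              # True
    print(tracker.request_session("bob", 0))                # False: seat held for vip1
    print(tracker.request_session("vip1", 0))               # True
    print(tracker.request_session("alice", 13 * 3600))      # True: moved up from bucket 1
    print(tracker.request_session("bob", 50 * 3600))        # True: buckets have emptied
```

The second call shows the cost of a VIP list at a glance: with two seats and one VIP, only one ordinary user can ever hold a seat, even while the VIP is idle.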
When this piece of code is processed, a file that a user requests access to is blocked if it is found to be infected. Such a statement
is also referred to as an IF-THEN statement or simply as a rule.
The following two code items are mainly involved here:
• Function: MWG.Body.Infected
• Procedure: MWG.Block
Referring to these items, you could also paraphrase the statement as follows:
• If a particular function returns a value (that shows there is a web threat), then a suitable procedure is executed.
Or, more briefly:
IF <Function returns (critical) value> THEN <Execute procedure>
The web policy code for MVISION Unified Cloud Edge includes all kinds of IF-THEN statements or rules that address all kinds of
web threats. Together they make up your web policy.
When a website sends a file in response to a user's request, it is usually sent as the body of the response. This is why the name of
the function in the example includes a Body part. The response body is scanned following a rule of your web policy. If it is found
to be infected, it is not forwarded to the user.
Routines
Code statements or rules that address the same kind of web threat are included, together with other code items, in a routine.
There is a routine with rules for anti-malware filtering, URL filtering, media type filtering, and so on.
Other routines include rules for applying a particular method of protection against web threats. For example, there are routines
for different modes of isolating a user's browser or for coaching a user's access to the web.
The name of a routine appears, together with the term ROUTINE, at the beginning of the code portion that makes up this routine,
for example:
ROUTINE Anti_Malware_Rules
On the normal user interface, the Web Policy pages also offer suitable options for dealing with all kinds of web threats and
unwanted web usage.
Usually each page addresses a particular kind of web threat as well. The code view option on each page allows you to access the
underlying routine.
Pages and routines correspond to each other, for example, as follows:
• Page: Anti-Malware — Routine: Anti_Malware_Rules
• Page: Category, Reputation & Geo — Routine: URL_Filtering_Rules
• Page: Full Isolation — Routine: Full_Isolation
• Variable setting — Variables are set here to particular values for further use in the routine.
Most variables are set in this one place at the beginning of a routine, but a variable can also be set later on. In addition to
variables, other code items, for example, lists and feature settings, can also be set here.
Example:
NUMBER transferSizeLimit = 209715200
• IF-THEN statements — Several statements with an IF-THEN structure, which are also known as rules.
Example:
// Block If Virus Was Found
IF MWG.BodyInfected (gam) THEN { MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware") }
This variable is set in a routine for anti-malware filtering to limit the size of the web objects that are filtered. If a web object
exceeds this limit, it is allowed to skip the filtering to save time and resources.
The variable is used later on in an IF-THEN statement:
// Bypass Based on Size (default 200 MB)
IF skipBigSize AND MWG.CycleName == "Response" AND MWG.BodySize > transferSizeLimit THEN { END }
A comparison between the value of this variable and the size of a web object shows whether the limit is exceeded. The object
size is the return value of the MWG.BodySize function. The result of this comparison is one of three conditions in the IF clause.
If all three are met, a web object is allowed to skip anti-malware filtering. It means that no procedure is executed. So, THEN is
immediately followed by END.
An IF clause can include a function, which can have one or more parameters.
The condition that is specified in an IF clause can be complex and include, for example, more than one function. Functions are
connected by operators such as AND or OR.
• Function — Code item in an IF clause that is run to return a value to find out whether the condition specified by this clause is
met.
Example:
MWG.BodyInfected (gam)
Because a condition is met when the function returns TRUE, the comparison with TRUE is usually left out in the code. So the IF
clause is simply:
IF MWG.BodyInfected (gam)
• Function parameters — Modify the behavior of a function, for example, by specifying the settings of a component that
supports the function
Example:
(gam)
A component that is available on MVISION Unified Cloud Edge for supporting a function is referred to as a feature.
For example, when the MWG.BodyInfected function is run, it is supported by the Anti-Malware feature. This feature has settings that
can involve a particular scanning engine, for example, the Gateway Anti-Malware (GAM) engine, in the filtering process.
The GAM engine scans a file when it is received as the body of a response sent from a website. The result might be that this file
is infected.
Then the Anti-Malware feature provides the MWG.Body.Infected function with this result. The function returns TRUE, so the
condition is met and a block procedure is executed.
The settings for a feature are specified as a function parameter. In the example, the settings name is gam.
• THEN clause — Code item in an IF-THEN statement specifying what is to happen if the condition in the IF clause is met.
Example:
THEN { MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware") }
• Procedure — Code item in a THEN clause that is executed if the condition in the IF clause is met.
A procedure can have one or more parameters.
Example:
MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware")
MWG.BodyInfected(<Setting>)
Returns value of type: Boolean
This function lets a web object, for example, a file, be scanned and returns TRUE if the result of the scanning is that the file is
infected by a virus or other malware. Otherwise it returns FALSE.
The file might have been received, for example, as the body of a response that a website sent to respond to a user's download
request.
The file can be scanned using different methods involving different scanning devices, for example, the Gateway Anti-Malware
(GAM) scanning engine. The setting parameter specifies a setting for the function that determines which method and engine or
engines are involved in the scanning.
The setting for involving the GAM scanning engine is the MWG.AntimalwareSetting:
MWG.BodyInfected(MWG.AntimalwareSetting)
This setting name can be replaced with gam in a routine, for example, in the variable setting part.
MWG.AntimalwareSetting gam = McAfee_Gateway_AntiMalware
The name that the setting has when it is configured for a web policy feature is specified here as McAfee_Gateway_AntiMalware.
When the function is used in an IF clause to find out whether the condition of being infected is met for a file, the parameter name
is gam.
IF MWG.BodyInfected (gam)
This statement is included in the Anti_Malware_Rules routine where it blocks malware-infected web objects.
Working with web policy items in the code view and on the user interface
You can complete many web policy activities both in the code view and on the normal user interface, for example, setting a
variable or enabling a rule.
So, to understand the code view, it helps if you have a good understanding of the options on the normal user interface.
For example, if you know you can enable a rule on the user interface that lets web objects skip anti-malware filtering, you can
look for items that correspond to this rule when reviewing the code. Understanding what this rule does from working with it on
the user interface helps you recognize corresponding items in the code view.
There are also web policy items that you can only work with in the code view, but not on the user interface. On the other hand,
you can complete some activities only using options of the user interface.
In the following, examples are given for all three kinds of web policy items and the way you can work with them.
For a code item, the routine that it belongs to is added. For an option on the user interface, the web policy page where it appears
is added.
transferSizeLimit variable
This variable is an example of a web policy item that you can work with both in the code view and on the user interface.
The value that this variable is set to is a limit that is observed in the anti-malware filtering process. If a file exceeds this limit, it
can be exempted from anti-malware filtering to save time and resources.
Here's how this variable appears in the code and on the user interface.
• In the code view:
◦ Routine: Anti_Malware_Rules
◦ Code item: NUMBER transferSizeLimit = 209715200
Lists
A list in your web policy is an item that you can work with in the code view only to some extent.
In the code view, you can specify a list as a parameter of a function in a rule. For example, in a rule that lets URLs skip URL
filtering, a list named skipURLs can be a parameter of the MWG.Url.SmartMatch function.
// Bypass URL Filtering for URL Filtering Bypass URLs
IF skipByURL AND MWG.Url.SmartMatch (skipURLs) THEN { END }
But you cannot add entries to a list in the code view. To do this, you need to work with the pages of the List Catalog on the user
interface.
Initial part
This part of the routine includes the usual ROUTINE term, routine name, processing cycles during which the routine is run, and
enabling information.
ROUTINE Anti_Malware_Rules ON (Web.Request, Web.Response, EmbeddedObject) [enabled="true"]
Variable setting
There are seven variables set in this part for use later in the routine.
• Three of them serve the purpose of enabling or disabling a particular rule of the routine.
Example:
BOOLEAN skipGAMByUrls = TRUE
This variable is evaluated when the rule that allows web objects to skip anti-malware filtering is processed. Processing only
continues for the rule if the value of this variable is TRUE.
• The remaining four variables serve other purposes.
Example:
NUMBER transferSizeLimit = 209715200
This variable is evaluated when the rule that allows web objects to skip anti-malware filtering depending on their size is
processed.
These variables can also be set using options on the normal user interface.
IF-THEN statements
This part includes six IF-THEN statements (rules).
• There is a rule for blocking infected web objects. It is only visible and accessible in the code view.
• Three rules are for allowing web objects to skip anti-malware filtering based on various criteria, for example, user agents or
domains. These rules have corresponding options on the normal user interface.
For example, the rule that allows web objects to skip anti-malware filtering based on URLs can also be enabled or disabled
using a checkbox on the user interface. It relies on a list of web objects, which you enter in the list on the normal user interface.
• Two rules serve other purposes. Like the block rule, they are only visible and accessible in the code view.
Is a web object that was received as the body of a request or response infected by malware? If it is, then this
condition is met, and the procedure in the THEN clause is executed.
The MWG.BodyInfected function is run to find out whether a web object is infected. It is supported by the Anti-Malware
for GAM feature, which runs with a setting that involves the Gateway Anti-Malware (GAM) scanning engine in the
filtering process. It is this engine that performs the scanning of the web object.
In the code, the feature setting appears in parentheses next to the function.
MWG.BodyInfected (gam)
The setting is specified shortly here as gam. In the variable setting part of the routine, gam is set as the name of the
current setting for the Anti-Malware for GAM feature and identified as the McAfee_Gateway_AntiMalware setting. This
setting or configuration is also accessible over the normal user interface.
MWG.AntimalwareSetting gam = McAfee_Gateway_AntiMalware
On the Web Policy — Anti-Malware page of the user interface, which is also the page that provides access to this routine, it
is indicated when the Anti-Malware for GAM feature is in use and what its current configuration is.
◦ If the condition matches, the MWG.Block procedure is executed to block the infected web object. Depending on the
settings of the procedure, a block message is also sent to the user who requested access to this web object.
THEN { MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware") }
The first of the two conditions is met if the value of skipGAMByUrls is TRUE. It means this rule, which lets web objects skip
anti-malware filtering based on URLs, is enabled. The variable is set in the variable setting part of the routine. It can also be
set using an option of the user interface.
The second condition is met if the MWG.Url.SmartMatch (bypassGAMURLs) function returns TRUE, which means the URL of the web
object matches an entry in the bypassGAMURLs list.
◦ The first of the three conditions is met if the value of skipBigSize is TRUE. It means this rule, which lets web objects skip
anti-malware filtering if they are too big, is enabled. The variable is set in the variable setting part of the routine. It can
also be set using an option of the user interface.
The second condition is met if the MWG.CycleName function returns "Response", which means the routine is currently
running in the response cycle of the filtering process.
Large files and other large web objects can be received from web sites in response to requests from users. This is
why the routine is run in the response cycle.
The third condition is the key condition of this bypass rule: it specifies what the bypassing is based on. It is met if the
size of the web object, which the MWG.BodySize function returns, is higher than the value of the transferSizeLimit
variable. This variable is set in the variable setting part of the routine or using an option on the user interface.
◦ If all three conditions are met, the THEN clause applies. Because the purpose of this rule is to let web objects skip
anti-malware filtering, nothing is done here. No procedure is executed, so THEN is followed by END.
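To make the rule processing concrete, here is an added Python model of the Anti_Malware_Rules routine (example code, not the product's policy engine). It reproduces the three rules discussed above with the variable names and values from the page. The page does not give the order of the rules, so the model assumes the two bypass rules run before the block rule, which is the only order in which END can skip scanning. The SmartMatch semantics (exact host or a *. wildcard), the sample bypass entries, and the scanner, which just looks for the EICAR test string in place of the GAM engine, are assumptions.

```python
"""Executable model of how the Anti_Malware_Rules routine is processed.

Added example, not the product's policy engine. The rules, variable names
and values come from the guide; the rule order, the SmartMatch semantics,
the sample list entries and the scanner are assumptions.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Variable setting part of the routine, values as shown in the guide.
skipGAMByUrls = True
skipBigSize = True
transferSizeLimit = 209715200  # 200 MB

# Entries for bypassGAMURLs normally come from the List Catalog; constructed here.
bypassGAMURLs = ["updates.example.com", "*.cdn-example.net"]

# Standard anti-virus test string; any real engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class WebObject:
    cycle: str                  # MWG.CycleName: "Request" or "Response"
    url: str                    # URL the object belongs to
    body: bytes = b""           # body handed to MWG.BodyInfected
    size: Optional[int] = None  # explicit MWG.BodySize, to model a 300 MB body without allocating it

    def body_size(self) -> int:
        return len(self.body) if self.size is None else self.size


def url_smart_match(url: str, entries: list[str]) -> bool:
    """Assumed MWG.Url.SmartMatch semantics: exact host or '*.' suffix wildcard."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in entries:
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def body_infected(obj: WebObject, scanned: list[str]) -> bool:
    """Stand-in for MWG.BodyInfected(gam): records that a scan took place
    and reports the EICAR test string as malware."""
    scanned.append(obj.url)
    return EICAR in obj.body


def anti_malware_rules(obj: WebObject) -> tuple[str, list[str]]:
    """Process the routine for one web object in one cycle.
    Returns (action, urls_scanned); action is "bypass", "block" or "pass"."""
    scanned: list[str] = []
    # Bypass GAM for URLs in the bypass list: END leaves the routine, so the
    # block rule below is never reached and the body is not scanned.
    if skipGAMByUrls and url_smart_match(obj.url, bypassGAMURLs):
        return "bypass", scanned
    # Bypass based on size (default 200 MB), response cycle only.
    if skipBigSize and obj.cycle == "Response" and obj.body_size() > transferSizeLimit:
        return "bypass", scanned
    # Block if virus was found: MWG.Block in the THEN clause.
    if body_infected(obj, scanned):
        return "block", scanned
    return "pass", scanned
```

Two points the model makes visible: a URL in bypassGAMURLs leaves the routine before MWG.BodyInfected runs, so list entries are trusted unconditionally and deserve the same review as any allowlist; and the size bypass is tied to the response cycle, so a large upload processed in the request cycle is still scanned.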
Initial part
This part of the routine includes the usual ROUTINE term, routine name, processing cycle in which the routine is run, and enabling
information.
ROUTINE Category_And_Domain_Coaching ON (Web.Request) [enabled="true"]
Only Web.Request is specified here as the processing cycle because this is a routine for filtering requests for access sent by users
to websites.
Variable setting
There are four variables set in this part for use later in the routine.
• Two of them are used to determine if there is a time limit for a coaching session and, if so, what this limit is.
BOOLEAN sessionTTL = TRUE
NUMBER coachSessionMinutes = 60
• Another variable is used to determine if the coaching that this routine enables is to be performed based on URLs for particular
domains or not. The list of URLs that the rule for enabling URL-based coaching relies on is specified as well.
A similar variable is set for coaching based on URL categories. The relevant lists are also specified.
BOOLEAN coachByCategory = TRUE
VECTOR<MWG.UrlCategory> coachCategories = Coach_URL_Categories
These variables can also be set using options on the normal user interface.
IF-THEN statements
In this part, there are two complex IF-THEN statements (rules) for performing coaching based on different criteria.
• A rule for coaching based on URLs for particular domains
• A rule for coaching based on URL categories
These rules are explained here in more detail:
• Coaching based on URLs for particular domains — This coaching rule relies on a list with URLs for domains. When a user
requests access to a domain with a URL that is in this list, it is granted with coaching.
To perform the coaching itself, the rule calls another routine, which is not explained here.
CALL "CoachingAction"
The first of the two conditions is met if the value of the coachByURL variable is TRUE. This means that coaching based on
URLs for particular domains is performed. The variable can be set in the variable setting part of the routine.
The second condition is met if the MWG.Url.SmartMatch function returns that the URL of the requested domain is in the
coachURLs list.
◦ If both conditions are met, the THEN clause applies.
THEN {
callParameter = callParameter.Set ("coaching_session_minutes", coachSessionMinutes)
callParameter = callParameter.Set ("coaching_session_id", "coachURL")
CALL ("CoachingAction")
}
Coaching is not performed by a procedure here. The "CoachingAction" routine is called instead to handle the
coaching.
Before this routine is called, call parameters are set and handed over. The code shown sets two of them: the session
length (coaching_session_minutes) and the session ID (coaching_session_id).
• Coaching based on URL categories — This coaching rule relies on a list with URL categories. When a user requests access to a
domain with a URL that falls under a category in this list, it is granted with coaching.
To perform the coaching itself, the rule calls another routine, which is not explained here.
CALL ("CoachingAction")
This rule has the same structure and uses mostly the same code items as the rule for coaching based on URLs for particular
domains. The following is different:
◦ A different variable is evaluated to find out whether the condition is met that the rule is enabled. Its name is
coachByCategory, not coachByURL.
IF coachByCategory
This method checks whether there is an overlap between the list of URL categories for coaching and the URL
category that the URL for the requested website falls under, or rather whether this URL category is in the list.
Because a URL can fall under more than one category, the overlap can involve several categories.
The MWG.UrlCategories function retrieves the category or categories that the URL for the requested website falls
under.
MWG.UrlCategories (MWG.LAST_USED_config)
The setting that this function uses while retrieving categories is provided by MWG.LAST_USED_config, which is specified
as a parameter of the MWG.UrlCategories function. The result of this function call is then what the method that finds
out about the overlap works on.
Initial part
This part of the routine includes the usual ROUTINE term, routine name, processing cycles during which the routine is run, and
enabling information.
ROUTINE Full_Isolation ON (Web.Request, Web.Response) [enabled="false"]
Variable setting
About 40 variables and other items are set in this part for use later in the routine. Most of them are set for one of the following
purposes:
• Specifying the criteria on which full isolation should be applied
It could be applied, for example, only when a user requests access to a domain that is in a list.
BOOLEAN isolateByDomain = TRUE
When isolation is performed in this way, it is specified which list is used here. It is also specified how this list relates to the list
for isolating by domain that is in the list catalog of MVISION Unified Cloud Edge.
MWG.SmartMatchList alwaysIsolatedDomains = Domainstoalwaysisolate3
These variables can also be set using options on the normal user interface.
IF-THEN statements
This part includes two rather complex and six less complex IF-THEN statements (rules).
• There is a complex rule for applying the full isolation mode of browser isolation.
• Another complex rule handles permissions to use the clipboard when full isolation is applied.
• Five rules are about not applying full isolation depending on criteria such as URLs, URL categories, and IP addresses.
• One rule is for finding out whether a different type of browser isolation is already being applied when a user requests web
access. Full isolation is then not applied.
The rule that applies full isolation is explained here in more detail:
• Applying full isolation — This rule is the key rule in this routine. It is rather complex and includes also code for handling file
uploads and downloads during the isolation, along with code for handling license expiration.
To perform the isolation itself, the rule calls another routine, which is not explained here.
CALL "RBI_Isolation"
◦ In the IF clause of this basic statement, the startIsolation variable is evaluated, which is set before the overall
statement for applying full isolation is processed.
BOOLEAN startIsolation = isolateAll
OR (isolateByDomain AND MWG.Url.SmartMatch (alwaysIsolatedDomains))
OR (isolateByRegex AND alwaysIsolatedRegexList.Matches (MWG.Url.Host))
OR (isolateByIPRange AND Net.IsInRangeList (MWG.DestinationIP, alwaysIsolatedIPRanges))
OR (isolateByCategory AND MWG.UrlCategories (MWG.LAST_USED_config).Overlaps (alwaysIsolatedCategories))
OR (isolateUncategorized AND MWG.UrlCategories (MWG.LAST_USED_config).Size == 0)
The value of startIsolation varies according to how the range for applying full isolation has been set.
For example, this range might have been set to isolating the user's browser for all that the user wants to access in
the web, which can be done by setting the isolateAll variable in the variable setting part of this routine accordingly.
BOOLEAN isolateAll = TRUE
If this range is not set to everything in the web, but limited to particular domains or destinations with particular IP
addresses or depending on other criteria, startIsolation is set to the respective value.
A function is also used then to find out if the domain or IP address, or whatever it is, is in a list.
For example, for applying full isolation to particular domains, the value for startIsolation is:
isolateByDomain AND MWG.Url.SmartMatch (alwaysIsolatedDomains)
◦ If the evaluation of startIsolation shows that the request falls within the range for applying full isolation, the condition
for actually starting it is met. What is included in the THEN clause of the basic statement is executed, which means the
routine for applying full isolation itself is called.
Before this routine is called, a procedure hands over settings for this isolation, for example, regarding what should be
allowed while it is applied.
RBI.ApplyFullIsolationSettings (blockOnLicenseExceeded, cookiesOnLocalMachine, copyLocalMachine,
pasteLocalMachine, maxClipboardPasteSize,
◦ The embedded statement for handling file uploads includes a Boolean variable in the IF clause. If its value is TRUE,
the condition for executing what is included in the THEN clause is met.
Otherwise, what is in the ELSE clause is executed. This way file uploads are either allowed or denied under full
isolation.
// Isolated File Upload Control
IF permitUploadByDomain THEN { RBI.SetUploadFileControlPermit (permitUploadExceptions) }
ELSE { RBI.SetUploadFileControlBlock (denyUploadExceptions) }
File downloads under full isolation are handled in the same way.
◦ The embedded statement on license expiration blocks access to all websites that isolation would otherwise have
been applied to. The condition for this is that the license for the isolation feature is exceeded or has expired
(blockOnLicenseExceeded) and the requested website is one that must be isolated (RBI.MustBeIsolated).
IF blockOnLicenseExceeded AND RBI.MustBeIsolated THEN {
MWG.Block (McAfee_RBI_No_Session, "Full Browser Isolation cannot be used", "Full Browser Isolation")
}
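The startIsolation statement above, as an added Python example that is not the product's code: it evaluates the same six criteria and also reports which of them matched, which is what you want when troubleshooting why a site is or is not isolated. The category test is the same Overlaps check on URL categories that the category coaching rule in Category_And_Domain_Coaching uses. The category lookup table (a stand-in for MWG.UrlCategories (MWG.LAST_USED_config)), the list contents, the regex and CIDR matching, and the exact-host domain match in place of MWG.Url.SmartMatch are constructed assumptions.

```python
"""Evaluation of the startIsolation condition from the Full_Isolation routine.

Added example, not the product's code. The six criteria and the variable
names come from the BOOLEAN startIsolation statement in the guide; the
lookup table, list contents and matching semantics are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class IsolationPolicy:
    """The variables of the variable setting part that startIsolation reads."""
    isolateAll: bool = False
    isolateByDomain: bool = True
    alwaysIsolatedDomains: set[str] = field(default_factory=set)
    isolateByRegex: bool = False
    alwaysIsolatedRegexList: list[str] = field(default_factory=list)
    isolateByIPRange: bool = False
    alwaysIsolatedIPRanges: list[str] = field(default_factory=list)
    isolateByCategory: bool = False
    alwaysIsolatedCategories: set[str] = field(default_factory=set)
    isolateUncategorized: bool = False


# Constructed stand-in for the URL category lookup. A host that is not in the
# table gets an empty set, which is what ".Size == 0" tests for.
CATEGORY_TABLE = {
    "mail.example.com": {"Web Mail"},
    "news.example.org": {"News/Media", "Blogs/Wiki"},
    "files.example.net": {"File Sharing"},
}


def url_categories(host: str) -> set[str]:
    """Model of MWG.UrlCategories (MWG.LAST_USED_config) for one host."""
    return CATEGORY_TABLE.get(host, set())


def net_is_in_range_list(ip: str, ranges: list[str]) -> bool:
    """Model of Net.IsInRangeList: is the destination IP in any CIDR range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def isolation_reasons(p: IsolationPolicy, host: str, dest_ip: str) -> list[str]:
    """Return the names of all criteria that match, in the order the
    startIsolation statement lists them. An empty list means startIsolation
    is FALSE."""
    cats = url_categories(host)
    checks = [
        ("all", p.isolateAll),
        # SmartMatch simplified to an exact host comparison (assumption).
        ("domain", p.isolateByDomain and host in p.alwaysIsolatedDomains),
        # alwaysIsolatedRegexList.Matches (MWG.Url.Host): regex on the host only.
        ("regex", p.isolateByRegex
         and any(re.search(rx, host) for rx in p.alwaysIsolatedRegexList)),
        ("ip_range", p.isolateByIPRange
         and net_is_in_range_list(dest_ip, p.alwaysIsolatedIPRanges)),
        # .Overlaps: at least one category in common with the list.
        ("category", p.isolateByCategory
         and bool(cats & p.alwaysIsolatedCategories)),
        # .Size == 0: the host has no category at all.
        ("uncategorized", p.isolateUncategorized and len(cats) == 0),
    ]
    return [name for name, hit in checks if hit]


def start_isolation(p: IsolationPolicy, host: str, dest_ip: str) -> bool:
    """The startIsolation value: TRUE if any criterion matches."""
    return bool(isolation_reasons(p, host, dest_ip))
```

Note that the regex criterion is applied to the host only (MWG.Url.Host), not to the path, and that isolateUncategorized catches hosts the category lookup knows nothing about, which is where freshly registered phishing domains tend to land.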
1. The user is authenticated before being granted access to an application. McAfee Client Proxy intercepts the traffic,
validates the application type (Private or Public), and directs the traffic to the nearest McAfee PoP.
2. Administrators create Private Access policies, which are synchronized to all McAfee PoPs. The McAfee PoP applies the
policies, and the traffic is routed depending on the application type:
a. To the internet, if the request is for a public application.
b. To the McAfee PoP that is nearest to the customer network (the application server), if the request is for a private
application.
3. That McAfee PoP directs the traffic through a tunnel to a connector, and the connector forwards the traffic to the requested
private application.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.