Mcafee Web Gateway 8.0.x Interface Reference Guide 1-2-2020

The document describes the user interface and system settings of the McAfee Web Gateway. It provides detailed information on the various tabs and configurations available in the interface.


McAfee Web Gateway 8.0.x Interface Reference Guide

Contents
User interface 7
Main elements of the user interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Supporting configuration functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Alerts tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Rule Sets tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Lists tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Settings tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Appliances tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

System settings 18
Anti-Malware system settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Central Management settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Coaching settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Date and Time settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
DNS settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
ePolicy Orchestrator settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
External Lists system settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
File Server settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Hybrid settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Kerberos Administration settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
License settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Network Interfaces settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Network Protection settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Port Forwarding settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Proxies settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Network Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
HTTP Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
FTP Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
ICAP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
IFP Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
SOCKS Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Data Exchange Layer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Web Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
DNS Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
XMPP proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Advanced Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Periodic Rule Engine Trigger List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
SNMP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Static Routes settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Telemetry settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Tenant Info settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
User Interface settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Windows Domain Membership settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Module settings 70
Anti-Malware settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Gateway Anti-Malware settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Gateway ATD settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Authentication settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Authorized Override settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Azure Directory settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Cache settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Coaching settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Cloud Storage Encryption settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Data Loss Prevention (Classifications) settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Data Loss Prevention (Dictionaries) settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Data Trickling settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
File System Logging settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Hardware Security Module settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
ICAP Client settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Next Hop Proxy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Progress Page settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
SSL Client Context with CA settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
SSL Client Context without CA settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
SSL Scanner settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
TIE Filter settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Stream Detector settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Time Quota settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
URL Filter settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Volume Quota settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Action settings 115
Authenticate settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Block settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Redirect settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Rule sets 118
Access log rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Advanced Threat Defense rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Key elements of the Advanced Threat Defense rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Complete rules of the Advanced Threat Defense rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

McAfee Web Gateway 8.0.x Interface Reference Guide 3


Application Control rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Complete rules of the Application Control rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
ATD - Offline Scanning with Immediate File Availability rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Complete rules of the ATD - Offline Scanning with Immediate File Availability rule set. . . . . . . . . . 123
Authorized Override rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Blocking Sessions rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Bypass ePO Requests rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Bypass Microsoft (Office 365) Services rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Key elements of the Bypass Microsoft (Office 365) Services rule set. . . . . . . . . . . . . . . . . . . . . . . . . . 128
Bypass Microsoft (Office 365) Services rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Cloud Storage Encryption rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Cookie authentication with SAML back end and fixed ACS URL rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Intercept SAML assertion if IdP uses a fixed ACS URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Cookie authentication at HTTP(S) proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Cookie authentication at authentication server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Data Loss Prevention (DLP) rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Complete rules of the Data Loss Prevention (DLP) rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Data Loss Prevention (DLP) with ICAP for Cloud rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Complete rules of the Data Loss Prevention (DLP) with ICAP for Cloud rule set. . . . . . . . . . . . . . . . 140
Default error handler rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Enable Opener rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Key elements of the Enable Opener rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Complete rules of the Enable Opener rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Gateway Anti-Malware rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Key elements of the Gateway Anti-Malware rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Complete rules of the Gateway Anti-Malware rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Gateway Anti-Malware with TIE rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Global Whitelist rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Complete rules of the Global Whitelist rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Media Type Filtering rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Key elements of the Media Type Filtering rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Complete rules of the Media Type Filtering rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Single Sign On rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Select Services rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
HTTPS Handling rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Launchpad rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
OTP Authentication rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Get Login Action rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Process Common Tasks rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Perform SSO rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
HTTPS Scanning rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Complete rules of the HTTPS Scanning rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
SSO Log rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
SSO Access Log rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
SSO Trace Log rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
SSO Stop Logging rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Time Quota rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
URL Filtering rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Key elements of the Special URL Filtering Group rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Complete rules of the Special URL Filtering Group rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Key elements of the Default rule set for URL filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Complete rules of the Default rule set for URL filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Volume Quota rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Web Cache rule set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Configuration lists 197
List of open ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
List of actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
List of block reason IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List of error IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
List of events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
List of incident IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List of operators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
List of properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Properties - A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Properties - B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Properties - C. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Properties - D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Properties - E. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Properties - F. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Properties - G. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Properties - H. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Properties - I. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Properties - J. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Properties - L. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Properties - M. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Properties - N. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Properties - P. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Properties - Q. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Properties - R. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Properties - S. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Properties - T. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Properties - U. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Properties - W. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
List of statistics counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Wildcard expressions 328
List of special glob characters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
List of special regex characters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Rule sets change log 332
Log updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Log entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
7.6.2 - Controlled release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
7.6.2.6 - Main release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
7.6.2.7 - Main release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
7.7.0 - Controlled release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
7.7.0.3 - Controlled release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
7.7.1 - Controlled release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
7.7.2 - Controlled release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
7.8.1 - Controlled release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

User interface
The user interface allows you to work with rules, lists, settings, accounts, and other items for administering Web Gateway. It provides information on key filtering and system parameters and enables you to perform troubleshooting measures.

Main elements of the user interface
The main elements of the user interface for Web Gateway can be seen in the following sample screen.

(Figure: User interface)

The table below describes the main elements of the user interface.

Main elements of the user interface

System information line
    Displays system and user information.

System Preferences
    Opens a window to let you configure settings for the browser that you want to use when working with the user interface.

User Preferences
    Opens a window to let you configure settings for the user interface and change your password.

Logout
    Logs you off from the user interface.

Help icon
    Opens the online Help. You can browse through its pages or navigate on a tree structure and perform a full text search or search for index terms.

Top-level menu bar
    Lets you select one of the following menus:
    • Dashboard — For viewing information on events, web usage, filtering activities, and system behavior
    • Policy — For configuring your web security policy
    • Configuration — For configuring the system settings of the appliance
    • Accounts — For managing administrator accounts
    • Troubleshooting — For solving problems on the appliance

Search
    Opens a window with the following search options:
    • Search for objects — Lets you search for objects such as rule sets, rules, lists, settings, and user-defined properties. After typing a search term in the input field, all objects with names matching the search term are shown.
      When performing a search among rule sets and rules, you can also search for operands in the rule criteria and event parameters. For example, the search will find mcafee.com in URL.Host equals "mcafee.com" or in Email.Send ("[email protected]", "testmail", "hello")<Default>. The operands and parameters can be strings, numbers, or regular expressions. Boolean terms, lists, and settings used as operands or event parameters cannot be searched for.
    • Search for objects referring to — Lets you select a list, property, or settings and displays all rules that use the selected item.

Save Changes
    Saves or discards your changes. Clicking this button saves your latest changes. Clicking the arrow next to the button opens a menu with these options:
    • Discard Changes and Reload — Discards all changes made since the last save and reloads the old configuration.
    • Save Changes with Comment — Opens a window to let you type a plain-text comment before saving your latest changes.

Tab bar
    Provides the tabs of the currently selected top-level menu. The top-level menus have the following tabs:
    • Dashboard
      ◦ Alerts
      ◦ Charts and Tables
    • Policy
      ◦ Rule Sets
      ◦ Lists
      ◦ Settings
      ◦ Templates
    • Configuration
      ◦ Appliances
      ◦ File Editor
    • Accounts
      ◦ Administrator Accounts
    The Troubleshooting top-level menu has no tabs.

Toolbar (on tab)
    Provides varying tools (depending on the selected tab).

Navigation pane
    Provides tree structures of configuration items, such as rules, lists, and settings.

Configuration pane
    Provides options for configuring the item that is currently selected on the navigation pane.
Supporting configuration functions
The user interface provides several functions to support your configuration activities.

Supporting administration functions

Yellow triangle
    Appears attached to the name of a list that is still empty and needs to be filled by you. Some filter lists are created, but not filled by the policy configuration wizard because they are too sensitive.

Yellow text insert
    Appears when you move your mouse pointer over an item on the user interface, providing information on the meaning and usage of the item.

OK icon
    Appears in a window when the input you entered is valid.

False icon
    Appears in a window when the input you entered is invalid.

Message text
    Appears with the False icon, providing information on your invalid input.

Light red color of input field
    Indicates an invalid entry.

Save Changes
    The button turns red when you change an item. It turns gray again when you have saved your changes.

Red triangle
    Appears attached to tabs, icons, and list entries when you have changed an item and not yet saved. For example, when you have changed a rule, the red triangle appears:
    • In the row of the rule entry on the settings pane
    • On the rule set icon
    • On the projection of the Rule Sets tab
    • On the Policy icon of the top-level menu bar
Alerts tab
The Alerts tab displays information on the status and alerts for an appliance. If the appliance is a node in a Central Management
cluster, information is also displayed for the other appliances that are nodes in the cluster.

Alerts tab

Rule Sets tab
Use the Rule Sets tab to work with rule sets, rules, and rule elements.

Rule Sets tab

Main elements of the Rule Sets tab


The following table describes the main elements of the Rule Sets tab.

Main elements of the Rule Sets tab

Element Description

Rule sets toolbar Items for working with the rule sets on the rule sets tree

Rule sets tree Tree structure displaying the rule sets of the appliance
configuration

Rule sets menu Buttons for displaying tree structures of:
• (General) rule sets
• Log handler rule sets
• Error handler rule sets
• User-defined properties (for use in rule set criteria, rule
criteria, and rule events)

Rules toolbar Items for working with rules

Rules Rules of the currently selected rule set

Rule sets toolbar


The rule sets toolbar provides the following options.

Rule sets toolbar

Option Definition

Add Opens a menu or a window for adding an item, depending on
what is currently selected from the Rule sets menu.
• (Rule Sets is selected) — Opens a menu, from which you can
select:

◦ Rule Set from Library — Opens the Add from Rule Set
Library window for importing a rule set from the
rule set library.
◦ Rule Set — Opens the Add New Rule Set window to let
you add a rule set to the appliance configuration.
◦ Top-Level Rule Set — Opens the Add New Top-Level Rule
Set window for adding a rule set at the top level of
the rule sets tree.
• (Log Handler is selected) — Lets you select Log Handler from a
menu as the only accessible item to open the Add New Log
Handler window for adding a new Log Handler rule set.
• (Error Handler is selected) — Lets you select Error Handler from a
menu as the only accessible item to open the Add New Error
Handler window for adding a new Error Handler rule set.
• (User-Defined Property is selected) — Lets you select User-Defined
Property to open the Add New User-Defined Property window for
adding a property.

Export Opens the Export Rule Set window for exporting a rule set to the
library or into a file.

Edit Opens the Edit Rule Set window for editing a selected rule set.

Delete Deletes a selected rule set.
A window opens to let you confirm the deletion.

Move up Moves a rule set up among other rule sets on the same level.

Move down Moves a rule set down among other rule sets on the same
level.

Move out of Moves a rule set out of its nesting rule set and onto the same
level as the nesting rule set.

Move into Moves a rule set out of its nesting rule set and into the rule
set following this rule set.

Expand all Expands all collapsed items on the rule sets tree.

Collapse all Lets all expanded items on the rule sets tree collapse.

Rules toolbar
The rules toolbar provides the following options.

Rules toolbar

Option Definition

Add Opens the Add Rule window for adding a rule.

Edit Opens the Edit Rule window for editing a selected rule.

Delete Deletes a selected rule.
A window opens to let you confirm the deletion.

Move up Moves a rule up within its rule set.


Move down Moves a rule down within its rule set.

Copy Copies a selected rule.

Paste Pastes a copied rule.

Show details Shows (or hides) details of a rule entry including the criteria.

Lists tab
Use the Lists tab to work with lists.

Lists tab

Main elements of the Lists tab


The following table describes the main elements of the Lists tab.

Main elements of the Lists tab

Element Description

Lists toolbar Items for working with the lists on the lists tree

Lists tree Tree structure displaying the lists of the appliance
configuration

List entries toolbar Items for working with the entries of the currently selected
list

List entries Entries of the currently selected list

Lists toolbar
The lists toolbar provides the following options.

Lists toolbar

Option Definition

Add Opens the Add List window for adding a list.

Edit Opens the Edit List window for editing a selected list.


Delete Deletes a selected list.
A window opens to let you confirm the deletion.

Import Opens the file manager on your system to let you import a
list.

Export Opens the file manager on your system to let you export a list
that you have selected on the lists tree.

View Opens a menu to let you display the lists in different ways (A-
Z, Z-A, by list type, with or without list types for which
currently no lists exist).

Expand all Expands all collapsed items on the lists tree.

Collapse all Lets all expanded items on the lists tree collapse.

List entries toolbar


The list entries toolbar provides the following options.
Note: The range of options that are provided varies depending on the list type.

List entries toolbar

Option Definition

Add Opens the Add <List type> window for adding a list entry, for
example, the Add String window.

Add multiple Opens the Add <List type> window for adding multiple list
entries if this is possible for a list type.

Edit Opens the Edit <List type> window for editing a selected list
entry, for example, the Edit String window.

Delete Deletes a selected list entry.


A window opens to let you confirm the deletion.

Move up Moves an entry up the list.

Move down Moves an entry down the list.

Sort Sorts the entries of a list in ascending or descending order.


Note: This option is only available for lists of the IPRange
type.

Filter Input field for typing a filtering term to display only matching
list entries
Note: The filtering function works as soon as you type a
character in the field.

Append from file Imports list entries from a file on your file system and appends them to the selected list.

Settings tab
Use the Settings tab to work with settings for actions and modules (engines).

Settings tab

Main elements of the Settings tab


The following table describes the main elements of the Settings tab.

Main elements of the Settings tab

Element Description

Settings toolbar Controls for working with settings for actions and modules
(engines)

Settings tree Tree structure displaying actions and modules (engines)

Settings Parameters and values of the currently selected action or
module (engine)

Settings toolbar
The settings toolbar provides the following options.

Settings toolbar

Option Definition

Add Opens the Add Settings window for creating new settings.

Edit Opens the Edit Settings window for editing existing settings.

Delete Deletes the selected settings.
A window opens to let you confirm the deletion.

Expand all Expands all collapsed items on the settings tree.

Collapse all Lets all expanded items on the settings tree collapse.

Appliances tab
Use the Appliances tab to configure settings for the system of a Web Gateway appliance.

Appliances tab

Main elements of the Appliances tab
The following table describes the main elements of the Appliances tab.

Main elements of the Appliances tab

Element Description

Appliances toolbar Toolbar with items for adding appliances to a Central
Management cluster, removing them, and updating them all
at once

Appliances tree Tree structure of appliances with the system settings for each
appliance

Appliance toolbar Toolbar with items for working with a selected appliance
(appears when an appliance is selected on the appliances
tree)

Appliance settings System settings for the selected appliance

Appliances toolbar
The appliances toolbar provides the following options.

Appliances toolbar

Option Definition

Add/Join Opens the Add/Join Appliance window where you can include an
appliance as a node in a Central Management cluster.
To include an appliance, you can do one of the following:
• Add an appliance to a cluster on the user interface of a
different appliance that is already a node of the cluster
• Join an appliance to a cluster on its own interface
Note: A cluster CA (certificate authority) must exist in both
cases on an appliance that is to be included in the cluster.

Delete Deletes a selected appliance.

Update engines Updates DAT files with virus signatures and other filtering
information for all appliances in a Central Management
cluster.

The following table describes the options of the Add/Join Appliance window.

Add/Join Appliance window

Option Definition

Host name or IP Specifies the host name or IP address of an appliance that is
included in a cluster.

Network group Provides a list for selecting a network group that an appliance
is assigned to.

Select Lets you select the mode of including an appliance in a
cluster.
• Add — Includes an appliance as a node in a cluster when you
are working on the interface of a different appliance that is
already a node of the cluster.
• Join — Includes an appliance as a node in a cluster when you
are working on the interface of this appliance.

Appliance toolbar
The appliance toolbar provides the following options.

Appliance toolbar

Option Definition

Reboot Restarts an appliance.

Flush cache Flushes the web cache of an appliance.

Update appliance software Installs an updated version of the appliance software.

Shutdown Lets an appliance become inactive.

Rotate logs Rotates log files on an appliance.

Rotate and push logs Rotates log files on an appliance and pushes them to the
destination that is specified within the Log File Manager settings.

System settings
System settings are used to configure the appliance system.

Anti-Malware system settings


The Anti-Malware system settings are used for configuring the anti-malware queue.

Global Anti-Malware Settings


Settings for the anti-malware queue

Global Anti-Malware Settings

Option Definition

Number of threads for AV scanning Sets the number of anti-malware working threads that are
available on an appliance.
The number you specify here applies to both the threads that
forward requests and responses to threads of the scanning
modules and the scanning module threads themselves.
For example, if you specify 25, there will be 25 threads for
forwarding and 25 for scanning.

Use at least as many AV threads as the number of CPU cores available When selected, the number of AV threads used for scanning
activities is at least the same as the number of available CPU
cores.

Maximum number of jobs in the queue Limits the number of requests or responses that can be
moved to the anti-malware queue as jobs for the scanning
modules.

Number of seconds a scanning job stays in the queue before being removed Limits the time (in seconds) that elapses before a request or
response is removed from the anti-malware queue if it has
not been forwarded for scanning.

Central Management settings


The Central Management settings are used for configuring appliances that you administer as nodes in a common configuration.

Central Management Settings


Settings for basic communication parameters of a node in a Central Management configuration

Central Management Settings

Option Definition

IP addresses and ports of this node for Central Management communication Provides a list for entering the IP addresses and port numbers
that a node uses to communicate with other nodes in a
Central Management configuration.

Timeout for distributing messages to other nodes Limits the time (in seconds) that is allowed for another node
to respond to a message from the current node to the
specified value.
The time can range from 10 to 600 seconds.
It is set on a slider scale.

The following table describes the elements of an entry in the IP addresses and ports list.

IP addresses and ports – List entry

Option Definition

String Specifies the IP address and port number for a node.

Comment Provides a plain-text comment on an IP address and a port
number.

Advanced Management Settings


Settings for advanced administration of a Central Management configuration

Advanced Management Settings

Option Definition

Multiplier for timeout when distributing over multiple nodes Sets a factor for increasing the time interval that has been
configured under Timeout for distributing messages to other nodes in
the Central Management Settings section.
Increasing the time interval gives messages more time to
proceed from one node to another, from there to the next
node, and so on.
The interval can be increased by a value between 1 and 2.
The value is set on a slider scale.

Node priority Sets the priority that a node takes within a node group.
The highest priority is 1.
If the configuration data on a node is no longer synchronized
with that of other nodes, for example, because the node has
been down for some time, the node receives the most recent
configuration data from the node with the highest priority.
If this is not your intention, make sure that all nodes have the
same priority, which is also the recommended setting.
The priority of a node can range from 1 to 100.
It is set on a slider scale.

Allow a GUI server to attach to this node When selected, a server providing an additional user interface
for the appliance is allowed to connect to the node.

Allow to attach a GUI server from non-local host When selected, a server with an additional user interface that
is not running on the current node is allowed to connect to
the node.

GUI control address Specifies the IP address and port number the additional user
interface uses for connecting to the current node.

GUI request address Specifies the IP address and port number of this server used
when sending requests to it.

Use unencrypted communication When selected, messages sent from this node to other nodes
in the configuration are not encrypted.
However, authentication using certificates is still performed.
This option is not selected by default.
Note: Make sure that all nodes in a Central Management
configuration are configured in the same way with regard to
this option.
Otherwise communication between the nodes will fail due to
the differences in encryption handling.

Enable IP checking for other nodes When selected, the IP address can be verified when messages
are sent from this node to other nodes in the configuration.
This function is intended to increase web security, but can
lead to problems for some network setups, for example, NAT
setups.

Allowed time difference Limits the time difference (in seconds) allowed for accepting
configuration changes to the specified value.
The number of seconds can range from 10 to 600.
It is set on a slider scale.

Enable version checking for other nodes When selected, the version of the appliance software is
checked before configuration changes are distributed
between nodes.
Configuration changes are not distributed to a node if the
version of the appliance software on this node does not
match the version on the node that distributes the changes.
• Level of version check – Sets a level of thoroughness when
verifying the version of the appliance software.
The level is set on a slider scale. It can take the following
values:
◦ 1 – Only major version number (7 in 7.3.0) must match.
◦ 2 – Minor version number (3 in 7.3.0) must also match.
◦ 3 – Feature version number (0 in 7.3.0) must also match.
◦ 4 – Maintenance version number (if any, for example, 1 in
7.3.0.1.2) must also match.
◦ 5 – Hotfix version number (if any, for example, 2 in 7.3.0.1.2)
must also match.
◦ 6 – Build number (for example, 14379) must also match.
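
The following is an added example, not McAfee code, that models how the six levels of the version check decide whether configuration changes are distributed to a peer node. The class, function names and the sample cluster versions are constructed for illustration; it assumes (the page does not say) that an absent maintenance or hotfix number counts as 0.

```python
"""Version-compatibility check for Central Management nodes.

Added example (not McAfee code). It models the "Level of version check"
slider in the Advanced Management Settings: a configuration change is
sent to a peer only if the peer's software version matches the sender's
up to the selected level. Names are hypothetical; sample data is constructed.
"""
from dataclasses import dataclass

# Levels as listed on the page: 1 major, 2 minor, 3 feature,
# 4 maintenance, 5 hotfix, 6 build number.
LEVEL_NAMES = {1: "major", 2: "minor", 3: "feature",
               4: "maintenance", 5: "hotfix", 6: "build"}


@dataclass(frozen=True)
class NodeVersion:
    """Software version of a node: dotted version string plus build number."""
    version: str   # for example "7.3.0.1.2"
    build: int     # for example 14379

    def components(self) -> tuple:
        """Return (major, minor, feature, maintenance, hotfix, build).

        Assumption (not stated on the page): a maintenance or hotfix
        number that is absent, as in "7.3.0", is treated as 0.
        """
        parts = [int(p) for p in self.version.split(".")]
        if len(parts) < 3 or len(parts) > 5:
            raise ValueError(f"unexpected version format: {self.version!r}")
        parts += [0] * (5 - len(parts))
        return (*parts, self.build)


def first_mismatch(local: NodeVersion, remote: NodeVersion):
    """Return the level (1-6) of the first differing component, or None."""
    pairs = zip(local.components(), remote.components())
    for level, (mine, theirs) in enumerate(pairs, start=1):
        if mine != theirs:
            return level
    return None


def may_distribute(local: NodeVersion, remote: NodeVersion, level: int) -> bool:
    """True if changes may be distributed to `remote` at the given check level.

    Level N requires components 1..N to match; a mismatch beyond N is ignored.
    """
    if not 1 <= level <= 6:
        raise ValueError("level must be between 1 and 6")
    mismatch = first_mismatch(local, remote)
    return mismatch is None or mismatch > level


def cluster_report(local: NodeVersion, peers: dict, level: int) -> dict:
    """For each peer, state whether changes are distributed and, if not, why."""
    report = {}
    for name, peer in peers.items():
        mismatch = first_mismatch(local, peer)
        if mismatch is None or mismatch > level:
            report[name] = "distribute"
        else:
            report[name] = f"skip: {LEVEL_NAMES[mismatch]} differs"
    return report


if __name__ == "__main__":
    this_node = NodeVersion("7.3.0.1.2", 14379)
    peers = {  # constructed sample cluster
        "node-b": NodeVersion("7.3.0.1.2", 14379),   # identical
        "node-c": NodeVersion("7.3.0.1.2", 14380),   # build differs
        "node-d": NodeVersion("7.3.0", 14379),       # no maintenance/hotfix
        "node-e": NodeVersion("7.4.0", 15000),       # minor differs
    }
    for level in (1, 3, 4, 6):
        print(level, cluster_report(this_node, peers, level))
```
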

This Node is a Member of the Following Groups


Settings for including a node in a group of nodes

This Node is a Member of the Following Groups

Option Definition

Group runtime Determines the group of a node, in which runtime data can
be shared with all nodes in the group, for example, time
quotas.

Group update Determines the group of a node, in which updates can be
shared with all nodes in the group

Group network Determines the group of a node, in which the node can
immediately connect to all other nodes in the group
A node can be a member of more than one network group.
In this case, the nodes of a group that a node is a member of
can connect through this node to nodes of another group
that this node is also a member of.
All groups that a node is a member of are listed in the Group
network list.

The following table describes the elements of a list entry in the group network list.

Group network – List entry

Option Definition

String Specifies the name of a network node group.

Comment Provides a plain-text comment on a network node group.

Automatic Engine Updates


Settings for scheduling automatic updates of database information for modules used in the filtering process

Automatic Engine Updates

Option Definition

Enable automatic updates When selected, database information is automatically
updated.

Allow to download updates from the internet When selected, database updates are downloaded from the
internet.

Allow to download updates from other nodes When selected, database updates are downloaded from other
nodes in a Central Management configuration.

Update interval Limits the time (in minutes) that elapses before database
information is again updated to the specified value.
The time is set on a slider scale.
Allowed values range from 15 to 360.

CRL update interval Limits the time (in hours) that elapses before certificate
revocation lists used in filtering SSL-secured web traffic are
updated to the specified value.
This update uses a method that differs from those of other
updates and must therefore be configured separately.
The time is set on a slider scale.
Allowed values range from 3 to 168.

Enable update proxies When selected, proxies are used for performing updates.
The proxies are configured in the Update proxies (fail over) list.
These proxies are also used when the MLOS operating system
of a Web Gateway appliance is updated.

Update proxies (fail over) Provides a list for entering the proxies that are used for
performing updates.
The proxies are used in failover mode. The first proxy on the
list is tried first and only if the configured timeout has elapsed
is the next proxy tried.

The following table describes the elements of an entry in the Update proxies list.

Update proxies – List entry

Option Definition

Host Specifies the host name or IP address of a proxy for
performing updates.

Port Specifies the port on a proxy that listens for update requests.

User Specifies the name of a user who is authorized to access a
proxy for performing updates.

Password Sets a password for this user.

Comment Provides a plain-text comment on a proxy.

Advanced Update Settings


Settings for advanced update functions

Advanced Update Settings

Option Definition

Allow to upload updates to other nodes When selected, updated database information can be
uploaded from the appliance (as a node in a Central
Management configuration) to other nodes.

The first time an update starts, it should wait an appropriate time before starting Limits the time (in seconds) that elapses before an update is
started to the specified value.
Allowed values range from 5 to 1200.

The first time an automatic update starts, it uses the startup interval to update Limits the time (in seconds) that elapses between attempts to
start an automatic update for the first time to the specified
value.
During an update, the coordinator subsystem, which stores
updated information on the appliance, tries to connect to the
appliance core, where the modules reside that use this
information.
A low value for this interval can therefore speed up updates
because it reduces the time the coordinator might have to
wait until the core is ready to receive data.
Allowed values range from 5 to 600.

Try to update with start interval Limits the number of attempts (1 to 9) the appliance makes
when trying to start an update to the specified value.

Use alternative URL Specifies the URL of an update server that is used instead of
the default server.

Verify SSL tunnel When selected, a certificate sent to a node by an update
server in SSL-secured communication is verified.

Enter a special custom parameter sequence for an update server Updates of URL filtering information are taken from the URL
filter database server that is specified by the URL entered
here.

No updates should be made in defined time window Provides a list for entering daily time slots during which no
updates of database information should be made.

The following table describes the elements of an entry in the time slot list.

Time slot – List entry

Option Definition

Start of time slot (hour) Sets the hour when a daily time slot begins.

Start of time slot (minute) Sets the minute in an hour when a daily time slot begins.

Start of time slot (second) Sets the second in a minute when a daily time slot begins.

End of time slot (hour) Sets the hour when a daily time slot ends.

End of time slot (minute) Sets the minute in an hour when a daily time slot ends.

End of time slot (second) Sets the second in a minute when a daily time slot ends.

Comment Provides a plain-text comment on a time slot.

Advanced Subscribed Lists Settings


Settings for advanced subscribed lists functions

Advanced Subscribed Lists Settings

Option Definition

Allow to download customer subscribed lists When selected, customer subscribed lists can be downloaded
from the current appliance.
If the appliance is a node in a Central Management
configuration and this option is also selected on other nodes,
one of the nodes will download the lists.
If you want a particular node to download the lists, you need
to make sure the option is deselected on every other node.
When a node is restarted and one or more subscribed lists
are configured on this node, list content is downloaded to
ensure a valid configuration.
Note: The download is performed regardless of whether this
download option is selected or not.
When a node is added to a configuration with other nodes
that have subscribed lists configured, list content is
downloaded for these lists onto the new node.
To reduce internal traffic, the download is performed without
prior communication with other nodes.
Note: The download is performed regardless of whether this
download option is selected or not.

Manual Engine Updates


Setting for performing manual updates of database information for modules used in the filtering process

Manual Engine Updates

Option Definition

Manual Engine Update Updates database information for modules used in the
filtering process immediately.
Database information is only updated for the modules on the
appliance you are currently working on.

Handle Stored Configuration Files


Settings for storing configuration file folders on disk

Handle Stored Configuration Files

Option Definition

Keep saved configuration folders for a minimal time Sets the minimum time (in days) that configuration file folders
are kept on disk.
The number of days can range from 1 to 100.

Keep minimal number of configuration folders Sets the minimum number of configuration file folders that
are kept on disk at any time.
The number can range from 1 to 100.

Keep minimal number of packed folders Sets the minimum number of packed configuration file folders
that are kept on disk at any time.
Configuration folders are packed when the minimal time
configured for storing them on disk has elapsed and the
minimal number of folders stored on disk at any time would
be exceeded if they were stored unpacked any longer.
The number of folders can range from 1 to 100.

Advanced Scheduled Jobs


Settings for scheduled jobs

Advanced Scheduled Jobs

Option Definition

Job list Provides a list of scheduled jobs.

The following table describes the elements of a list entry.

Job list – List entry

Option Definition

Start job Specifies the time setting for starting a scheduled job, for
example, hourly, daily, once.

Start job immediately if it was not started at its original schedule Lets a scheduled job start immediately if this has not
happened according to the originally configured schedule.

Job Specifies the type of job, for example, Backup Configuration.

Unique job ID Identifies a scheduled job.

When this job has finished run job with ID Provides the ID of a job that is run immediately after this job.

Comment Provides a plain-text comment on a scheduled job.

Add Scheduled Job window


Settings in the window for adding a scheduled job
• Time Settings — Settings for the time when a scheduled job is started
• Job Settings — Settings for the type and ID of a scheduled job
• Parameter Settings — Settings for additional parameters of a scheduled job
These settings differ for each job type as follows:
◦ (Backup configuration settings) — Settings for a scheduled job that creates a backup of an appliance configuration
◦ (Restore backup settings) — Settings for a scheduled job that restores a backup of an appliance configuration
◦ (Upload file settings) — Settings for a scheduled job that uploads a file to an external server using the HTTP or HTTPS
protocol
◦ (Download file settings) — Settings for a scheduled job that downloads a file to the appliance using the HTTP or
HTTPS protocol
For a scheduled job that performs a yum update, there are no additional parameter settings.

Time Settings

Option Definition

Start job Lets you select a time setting.
• Hourly — Starts a scheduled job every hour
• Daily — Starts a scheduled job once a day
• Weekly — Starts a scheduled job once a week
• Monthly — Starts a scheduled job once a month
• Once — Starts a scheduled job only once
• Activated by other job — Starts a scheduled job after another job
has been completed

(Time parameter settings) Settings specifying the parameters for a time setting, for
example, the minute in an hour when a job scheduled for
hourly execution should be started
Which time parameter settings are shown depends on the
selected time setting.
For example, if you have selected Hourly, you can configure
the minute in an hour, but not the day in a month.
• Minute — Sets a minute in an hour
• Hour — Sets an hour on a day
• Day of month — Sets a day in a month
• Enter day of week — Provides a list for setting a day in a week
• Month — Sets a month in a year (specified by a number from
1 to 12)
• Year — Sets a year (four digits)

Start job immediately if it was not started at its original schedule When selected, a scheduled job is started immediately if this
has not happened according to the originally configured
schedule.
This can be the case, for example, when an appliance is
temporarily shut down due to overload and a job was
scheduled to run during this downtime.
The job is then executed as soon as the appliance is up again.

Job Settings

Option Definition

Job Lets you select the type of a scheduled job.
• Backup configuration — Creates a backup of an appliance
configuration
• Restore backup — Restores a backup of an appliance
configuration
• Upload file — Uploads a file to an external server using the
HTTP or HTTPS protocol
• Download file — Downloads a file onto the appliance using the
HTTP or HTTPS protocol
• Yum update — Performs a yum update on an appliance
configuration
Note: This scheduled job type is not available when an
appliance runs in a FIPS-compliant mode.

Unique job ID Identifies a scheduled job.
The characters specified in this string are case-sensitive.

Job description Provides an optional description of a scheduled job in plain-
text format.

When this job has finished run job with ID Provides the ID of a scheduled job that is to run immediately
after the job configured here has finished.
For this job, you must have configured the Activated by other job
time setting.

Execute job on remote node Provides a list for selecting other nodes of the configuration
to execute a scheduled job.
The list displays the host names for the other nodes.
The scheduled job that you configure on this appliance is
executed with its time and parameter settings on the selected
node or nodes.
A message is sent to the other node or nodes to inform them
about the scheduled job.

Parameter Settings – Backup configuration

Option Definition

Use most recent configuration When selected, the scheduled job creates a backup from the
most recent appliance configuration.
Format: /<path name>/<file name with extension>

Backup configuration path Specifies the name of the path to the folder where the
configuration is stored that should be used for the backup.
Format: /opt/mwg/storage/default/configfolder
This setting is only available when Use most recent configuration is
deselected.

Save configuration to path Specifies the path and file name for a backup configuration.
Format: /<path name>/<file name with file name extension>
You must set user rights for the folder you want to store the
backup configuration in, making the appliance the owner who
is allowed to write data into the folder.
On the command line provided, for example, by a serial
console, run the appropriate commands to create a folder or
change the rights for an existing folder.

Parameter Settings – Restore backup

Option Definition

Restore backup from file Specifies the path and file name for the file that should be
used to restore a backup.
Format: /<path name>/<file name with extension>

Only restore policy When selected, a scheduled job restores only settings related
to the web security policy that was implemented on an
appliance.
Other settings, for example, settings needed for connecting
an appliance to a network are not restored.

Lock storage during restore When selected, no other files can be stored on the appliance
until the scheduled job has completely restored the backup
configuration.

Password Sets a password that is submitted for basic authentication.

Set Opens the New Password window for setting a password.
When a password has been set, the Set button is replaced by a
Change button, which opens the New Password window for
changing a password.
This setting is only available when Enable basic authentication is
selected.

Parameter Settings – Upload file

Option Definition

File to upload Specifies the path and file name for a file that should be
uploaded.
Format: /<path name>/<file name with extension>

Destination to upload file to Specifies the name of the path to the server that a file should
be uploaded to under the HTTP or HTTPS protocol and the
file name for storing the file on the server.
Format: http|https://<URL>/<file name with extension>

Enable basic authentication When selected, basic authentication is required for uploading
a file.

User name Specifies a user name that is submitted for basic
authentication.
This setting is only available when Enable basic authentication is
selected.

Password Sets a password that is submitted for basic authentication.

Set Opens the New Password window for setting a password.


When a password has been set, the Set button is replaced by a
Change button, which opens the New Password window for
changing a password.
This setting is only available when Enable basic authentication is
selected.

Parameter Settings – Download file

Option Definition

URL to download Specifies a URL for the location of a file that should be
downloaded under the HTTP or HTTPS protocol and the name
of the file.
Format: http|https://<URL>/<file name with extension>

Save downloaded file to Specifies a path to the location where a downloaded file
should be stored and the file name for storing the file.
Format: |<path name>/<file name with extension>

Enable basic authentication When selected, basic authentication is required for
downloading a file.

User name Specifies a user name submitted for basic authentication.
This setting is only available when Enable basic authentication is
selected.

Password Sets a password that is submitted for basic authentication.

Set Opens the New Password window for setting a password.


When a password has been set, the Set button is replaced by a
Change button, which opens the New Password window for
changing a password.
This setting is only available when Enable basic authentication
is selected.

Coaching settings
The Coaching settings are used for configuring the module that handles coaching.

Hours and Minutes of Session Time


Settings for configuring the length of a coaching session

Hours and Minutes of Session Time

Option Definition

Days Sets the days of a coaching session.

Hours Sets the hours of a coaching session.

Minutes Sets the minutes of a coaching session.

Date and Time settings
The Date and Time settings are used for configuring the time servers that synchronize date and time of the appliance system. They
also allow you to set the system time manually.

Date and Time


Settings for date and time of the appliance system

Date and Time

Option Definition

Enable time synchronization with NTP servers When selected, the appliance uses time servers under the
NTP (Network Time Protocol) for time synchronization.
The system time of the appliance is then synchronized with
the time on the NTP servers. This will fail, however, if the delta
between both times is too big.
Tip: Best practice: Restart the appliance after configuring
time synchronization with NTP servers. When the appliance
restarts, it sets system time to the time on the NTP servers.

NTP server list Provides a list for entering the servers that are used for time
synchronization under the NTP protocol.
The list elements are as follows:
• String — Specifies the name of an NTP server.
• Comment — Provides a plain-text comment on an NTP server.

Select time zone Provides a list for selecting a time zone.
Time synchronization performed by the NTP servers or
manually set time refer to the time zone that you select here.

Set System Time Manually


Settings for configuring time and date on the appliance system manually

Set System Time Manually

Option Definition

Current date and time Provides items for setting date and time of the appliance
system.
• Date — Enables you to enter a date by typing it in the field or
using a calendar.
• Calendar icon — Opens a calendar for selecting a date.
After selecting a date on the calendar and clicking OK, the
date appears in the date field.
• Time — Lets you specify a time by typing it.

Set now Sets the date and time you have entered into the
corresponding fields.

DNS settings
The DNS settings are used for configuring the domain name servers an appliance connects to for retrieving IP addresses that
match the host names submitted in user requests.

Domain Name Service Settings


Settings for the IP addresses of different domain name servers

Domain Name Service Settings

Option Definition

Primary domain name server Specifies the IP address of the first server.

Secondary domain name server Specifies the IP address of the second server.

Tertiary domain name server Specifies the IP address of the third server.

ePolicy Orchestrator settings


The ePolicy Orchestrator settings are used for configuring the transfer of monitoring and other data from a Web Gateway appliance
to a McAfee ePO server.

ePolicy Orchestrator Settings


Settings for transferring monitoring data to a McAfee ePO server

ePolicy Orchestrator Settings

Option Definition

ePO user account Specifies a user name for the account that allows the retrieval
of monitoring data from an appliance.

Password Sets a password for a user.

Change Opens a window to create a new password.

Enable data collection for ePO When selected, monitoring data for the McAfee ePO server is
collected on an appliance.

Data collection interval in minutes Limits the time (in minutes) that elapses between data
collections.
The time is set on a slider scale, ranging from 10 minutes to 6
hours.

ePO DXL Settings


Settings for configuring the credentials submitted by Web Gateway when connecting to a McAfee ePO server to enable DXL
messaging

ePO DXL Settings

Option Definition

ePO host name Specifies the host name that Web Gateway uses when
connecting to a McAfee ePO server.

ePO user account Specifies a name for the user account that Web Gateway
submits when connecting to a McAfee ePO server.

Password Specifies the password that Web Gateway submits when
connecting to a McAfee ePO server.
Clicking Set opens a window for setting a new password.

Rejoining ePO for DXL communication When clicked, rejoins communication with the McAfee ePO
server to complete the setup.
A message informs you of the result.

External Lists system settings


The External Lists system settings apply to all external lists that are processed on the appliance.

Global Configuration
Setting for the internal cache on the appliance that stores external list data

Global Configuration

Option Definition

Flush External Lists Cache Removes the data that is stored in the internal cache.

Time before retry after failure Limits the time (in seconds) that the External Lists module
remembers a failure to retrieve data from a particular
external source to the specified value.
The module will not perform retries for a source as long as it
remembers the failure.
We recommend that you keep the default value or modify it
according to the requirements of your network.
This way you avoid adding load by constant retries to a web
server that is already overloaded.

File Data Source Configuration


Setting for the local file system that external list data can be retrieved from

File Data Source Configuration

Option Definition

File system allowed for file data access Specifies the path that leads to the folder for storing external
lists within your local file system.
External lists that data is retrieved from must be stored in this
folder.
Otherwise an attempt to retrieve the data will lead to an
access-denied error.
Note: When external list data is retrieved from an SQLite
database, the path specified here is the path to the folder
within your local file system that contains the database.

Web Data Source Configuration


Setting for all web services that are the sources of external list data

Web Data Source Configuration

Option Definition

Check SSL certificate identity When selected, a certificate that a web server submits in SSL-
secured communication under the HTTPS protocol is verified.
The verification is performed according to the SSL scanning
rules that are implemented on the appliance.
This can, for example, lead to an error if the web server uses
a self-signed certificate.

File Server settings


The File Server settings are used for configuring dedicated file server ports on a Web Gateway appliance to enable, for example, file
downloads by clients.

HTTP Connector Port


Settings for dedicated file server ports on an appliance

HTTP Connector Port

Option Definition

Enable dedicated file server port over HTTP When selected, the dedicated HTTP file server ports that are
configured on an appliance are enabled.

HTTP connector Specifies a dedicated HTTP port for connecting to the file
server.
You can enter more than one port here, separating entries by
commas. Ports can range from 1024 to 65335.
To set up ports within the range from 1 to 1023, you can
create a port forwarding rule.
Together with a port, you can enter an IP address. This means
connecting to a file server on an appliance over this port
requires that you specify both the port and this IP address.
For example, there are two interfaces for connecting on an
appliance with these IP addresses:
eth0: 192.168.0.10, eth1: 10.149.110.10
You enter this under HTTP connector:
4711, 192.168.0.10:4722
Then connecting to a file server on the appliance over port
4711 is allowed using both IP addresses, whereas connecting
over port 4722 requires that IP address 192.168.0.10 is used.
Restricting connections in this way might be useful, for
example, if you want to set up an intranet.

Enable dedicated file server port over HTTPS When selected, the dedicated HTTPS file server ports that are
configured on an appliance are enabled.

HTTPS connector Specifies a dedicated HTTPS port for connecting to the file
server.
You can enter more than one port here, separating entries by
commas. Ports can range from 1024 to 65335.
To set up ports within the range from 1 to 1023, you can
create a port forwarding rule.

Entering a port together with an IP address can be done in
the same way as under HTTP connector and has the same
meaning.
Using the following options, you can specify a protocol and a
list of valid ciphers for the HTTPS communication.
• SSL protocol version — Specifies the version of the SSL protocol
that is used for communication with the file server.
You can select one of these versions or any combination of
them.
◦ TLS 1.2
◦ TLS 1.1
◦ TLS 1.0
• Server cipher list — Specifies a string of OpenSSL symbols used
for encrypting communication with the file server.

Enable protection against cross-site scripting When selected, the communication with the file server is
protected against cross-site scripting.
When a cross-site scripting attack is launched, malicious
JavaScript code is inserted into messages that are sent during
the communication.
Adding the following header to messages prevents the
execution of this attack:
Header name: X-XSS-Protection
Header value: 1

Enable protection against clickjacking When selected, the communication with the file server is
protected against clickjacking.
When a clickjacking attack is launched, messages that are
sent during the communication are embedded in iFrames,
which can be used to steal data.
Adding the following header to messages prevents the
execution of this attack:
Header name: X-Frame-Options
Header value: DENY
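
The following example is added here and is not code from the guide or from the product. It parses an HTTP connector value in the format shown above (for example, 4711, 192.168.0.10:4722) into listeners, answers whether a given address and port reaches one of them, and checks a captured file server response for the X-XSS-Protection and X-Frame-Options headers that the two protection options add. The sample response is constructed; the function names are this example's own.

```python
"""Added example, not from the guide: parse a File Server connector value and
check a captured file server response for the two protection headers."""
import ipaddress
from typing import Dict, List, Tuple

# The guide gives the allowed range as 1024 to 65335 and says ports below 1024
# need a port forwarding rule; 65535 (the TCP maximum) is used as the upper bound here.
MIN_PORT, MAX_PORT = 1024, 65535


def parse_connector(value: str) -> List[Tuple[str, int]]:
    """Turn a connector string such as '4711, 192.168.0.10:4722' into
    (bind address, port) pairs. A bare port is reachable over every interface
    address, written here as bind address '*'."""
    listeners = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" in entry:
            addr, port_text = entry.rsplit(":", 1)
            bind = str(ipaddress.IPv4Address(addr.strip()))  # rejects malformed addresses
        else:
            bind, port_text = "*", entry
        port = int(port_text)
        if not MIN_PORT <= port <= MAX_PORT:
            raise ValueError(f"port {port} is outside {MIN_PORT}-{MAX_PORT}; "
                             "ports below 1024 need a port forwarding rule")
        listeners.append((bind, port))
    return listeners


def listener_accepts(listeners: List[Tuple[str, int]], dst_ip: str, dst_port: int) -> bool:
    """True if a connection to dst_ip:dst_port reaches one of the listeners,
    i.e. the port matches and the listener is unbound or bound to dst_ip."""
    return any(port == dst_port and bind in ("*", dst_ip) for bind, port in listeners)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict keyed by
    lowercase header name (header names are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def check_protection_headers(raw: bytes) -> Dict[str, bool]:
    """Report whether a file server response carries the headers that the
    'Enable protection against cross-site scripting' (X-XSS-Protection: 1) and
    'Enable protection against clickjacking' (X-Frame-Options: DENY) options add."""
    h = parse_headers(raw)
    xss = h.get("x-xss-protection", "").split(";")[0].strip() == "1"
    framing = h.get("x-frame-options", "").upper() == "DENY"
    return {"xss_protection": xss, "clickjacking_protection": framing}


# Constructed sample response (not captured from an appliance): clickjacking
# protection is on, cross-site scripting protection is not.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: application/octet-stream\r\n"
                   b"X-Frame-Options: DENY\r\n"
                   b"\r\n"
                   b"<file content>")

if __name__ == "__main__":
    listeners = parse_connector("4711, 192.168.0.10:4722")  # the guide's own example value
    print(listeners)
    # False: port 4722 is only reachable through 192.168.0.10
    print(listener_accepts(listeners, "10.149.110.10", 4722))
    print(check_protection_headers(SAMPLE_RESPONSE))
```

Running check_protection_headers against a real response taken from the appliance's file server port tells you which of the two options are in effect without reading the configuration.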

Hybrid settings
When configured, the hybrid settings allow Web Gateway to connect to and communicate with McAfee WGCS.

Hybrid synchronization
The Web Gateway policy is synchronized with McAfee WGCS at the interval you specify in the hybrid settings. You can also
perform synchronization manually. Manual synchronization doesn't affect the synchronization interval or schedule which
continues as before.

Configuring the hybrid settings


The hybrid settings allow you to configure synchronization without a proxy server.

Web Hybrid Configuration

Option Definition

Synchronize policy to Cloud When selected, allows you to configure the Web Hybrid settings
and enables the hybrid solution.

Appliance for Synchronization From the drop-down list, select the Web Gateway appliance
whose policy you want synchronized with McAfee WGCS.
If you are running multiple appliances in a Central
Management cluster, this setting ensures that the McAfee
WGCS policy is always synchronized with the same appliance.

Cloud address Specifies the address that Web Gateway uses to
communicate with McAfee WGCS.
Value: https://msg.mcafeesaas.com

Cloud administrator account name Specifies your McAfee ePO Cloud user name.

Cloud administrator account password Specifies your McAfee ePO Cloud password.
To change the password, click Set, then enter the new
password and click OK.

Customer ID Specifies your McAfee WGCS customer ID.

Local policy changes will be uploaded within the same interval as defined below Specifies the synchronization interval.
Default: 15 minutes (recommended)
Range: 10–60 minutes

Configuring the advanced hybrid settings


The advanced hybrid settings allow you to add a proxy server to the configuration.

Advanced Synchronization Settings

Option Definition

Verify server certificate on SSL connections When selected, Web Gateway verifies the proxy server
certificate for SSL connections.

Use a proxy for synchronization When selected, allows you to configure the proxy server
settings. When the settings are configured, the Web Gateway
policy is pushed to McAfee WGCS through the proxy server.

Proxy host Specifies the IP address or host name of the server which is
used as a proxy.

Proxy port Specifies the port number on the proxy server that listens for
Web Gateway requests to transfer synchronization data.
Default: 8080

Proxy user Specifies the user name that Web Gateway sends to the
proxy server when transferring synchronization data.

Proxy password Specifies the password that Web Gateway sends to the proxy
server when transferring synchronization data.
To change the password, click Set, then enter the new
password and click OK.

Kerberos Administration settings


The Kerberos Administration settings are specific settings for the Kerberos authentication method.

Kerberos Administration
Settings for the Kerberos authentication method

Kerberos Administration

Option Definition

Key tab file Specifies the file that contains the master key required to
access the Kerberos server.
You can type a file name or use the Browse button to browse to
the file and enter its name in the field.
When a ticket is issued for authentication according to the
Kerberos method, the master key is read on the appliance
and used to verify the ticket.
If you are running a load balancer that directs web requests
to the appliance, tickets are issued for the load balancer and
verified on the appliance. It is then not checked whether a
request is directed to the appliance.

Kerberos realm Specifies an administrative domain configured for
authentication purposes.
Within the boundaries of this domain the Kerberos server has
the authority to authenticate a user who submits a request
from a host or using a service.
The realm name is case sensitive; however, normally only
uppercase letters are used, and it is good practice to make
the realm name the same as that of the relevant DNS domain.

Maximal time difference between appliance and client Limits the time (in seconds) that the system clocks on the
appliance and its clients are allowed to differ to the specified
value.
Configuring Kerberos as the authentication method can lead
to problems when particular browsers are used for sending
requests:
• When the Microsoft Internet Explorer is used in a version
lower than 7.0, Kerberos authentication might not be
possible at all.
• When this explorer runs on Windows XP, Kerberos
authentication might not work as expected.
• When Mozilla Firefox is used, Kerberos authentication must
be configured in the browser settings to enable this
authentication method.

Enable replay cache When selected, a ticket that is issued for authentication
cannot be used more than once.
Note: Selecting this option reduces authentication
performance.

License settings
The License settings are used for importing a license to an appliance. Information about the license is shown together with these
settings, and options for reviewing the agreements on license and data usage.

License Administration
Settings for importing a license

License Administration

Option Definition

Import license Provides the options that are required for importing a license.

I have read and accept the end user license agreement Provides a link to the End User License Agreement and a
checkbox to select after reading the document.
To import a license, the checkbox must be selected; otherwise
the import options remain grayed out.

License file Shows the name and path of the license file that has been
selected after browsing the local file system.
When the name and path appear in this field, more license
information is shown under License information.
The license is activated by clicking Save Changes.

Browse Opens the local file system to let you browse for a license file.

License Information
Information about an imported license and an option for reviewing the Data Usage Statement

License Information

Option Definition

Status Shows the name of a license file.

Creation Shows the date when a license file was created.

Expiration Shows the date when a license file expires.

License ID Shows the ID of a license.

Customer Shows the name of the license owner.

Customer ID Shows the ID of the license owner.

Seats Shows the number of workplaces in the license owner's
organization that the license is valid for.

Evaluation Shows whether the license has been evaluated.

Features Lists the features of Web Gateway that are covered by the
license.

I have read and understood the data usage statement Provides a link to the Data Usage Statement.

Network Interfaces settings


The Network Interfaces settings are used for configuring the network interfaces of an appliance.

Network Interface Settings


Settings for network interfaces

Network Interface Settings

Option Definition

Host name / Fully qualified domain name Specifies the host name of an appliance.
The name must be specified as fully qualified domain name.

Default gateway (IPv4) Specifies the default gateway for web traffic under IPv4.

Default gateway (IPv6) Specifies the default gateway for web traffic under IPv6.

Enable these network interfaces Provides a list of network interfaces that are available for
being enabled or disabled.
The eth0 network interface is by default included in the list
and enabled.

IPv4 Provides options for configuring network interfaces under
IPv4.
The options are provided on a separate tab.

IPv6 Provides options for configuring network interfaces under
IPv6.
The options are provided on a separate tab.

Advanced Provides options for configuring additional media and a
bridge for a network interface.
The options are provided on a separate tab.

Add VLAN Opens a window for adding a network interface for VLAN
traffic.
Note: You can use this option to run VLANs under IPv4 or
IPv6.
To add a network interface, you specify a number as its ID
and click OK.
The interface name is composed of two parts, separated by a
dot.
The first part is the name and number of the interface that is
enabled in the list of available network interfaces. The second
part is the number that you specify.
For example, if the eth0 interface is enabled and you specify 1,
a network interface for VLAN traffic is added as eth0.1. It is
initially not enabled.
The range of numbers for VLAN network interfaces is 1–4094.
Note:
After adding one or more network interfaces for VLAN traffic,
you must also add their IDs to the parameters of the port
redirects for the network mode that you are using, for
example, the transparent bridge mode.
The window for adding or editing port redirects provides the
Optional 802.1Q VLANs field for entering VLAN IDs. Separate
multiple entries by commas.

Delete Deletes a selected network interface for VLAN traffic.

The following tables describe the options on the IPv4, IPv6, and Advanced tabs.

IPv4
Tab for configuring network interfaces under IPv4

IPv4

Option Definition

IP settings Lets you select a method to configure an IP address for a
network interface.
• Obtain automatically (DHCP) — The IP address is automatically
obtained, using the Dynamic Host Configuration Protocol (DHCP).
• Configure manually — The IP address is configured manually.
• Disable IPv4 — IPv4 is not used for this interface.

IP address Specifies the IP address of a network interface (manually
configured).

Subnet mask Specifies the subnet mask of a network interface (manually
configured).

Default route Specifies the default route for web traffic using the network
interface (manually configured).

IP aliases Provides a list of aliases for the IP address.


• Add alias — Opens the Input window for adding an alias.
Note:
To enable usage of an alias, you must restart Web Gateway.
After entering an alias here, an alert reminds you of the
restart.
You can perform the restart by running the following
command from the command line of a system console:
service mwg restart
• Delete — Deletes a selected alias.

IPv6
Tab for configuring network interfaces under IPv6

IPv6

Option Definition

IP settings Lets you select a method to configure an IP address for a
network interface.
• Obtain automatically (DHCP) — The IP address is automatically
obtained, using the Dynamic Host Configuration Protocol (DHCP).
• Solicit from router — The IP address is obtained from a router.
• Configure manually — The IP address is configured manually.
• Disable IPv6 — IPv6 is not used for this interface.

IP address Specifies the IP address of a network interface (manually
configured).

Default route Specifies a default route for web traffic using the network
interface (manually configured).

IP aliases Provides a list of aliases for the IP address.

• Add alias — Opens a window for adding an alias.
Note:
To enable usage of an alias, you must restart Web Gateway.
After entering an alias here, an alert reminds you of the
restart.
You can perform the restart by running the following
command from the command line of a system console:
service mwg restart
• Delete — Deletes a selected alias.

Advanced
Tab for configuring advanced network interface functions.
Note: The tab provides different options when the currently selected network interface is a bonding interface. These options are
described in a second table.

Advanced

Option Definition

Media Lets you select additional media for use with a network
interface.
• Automatically detect — Media for use with a network interface
are automatically detected if available in the network
environment of an appliance.
• 1000BaseT-FD, 1000Base-HD, ... — The selected media item is
used with a network interface.

Bridge enabled When selected, web traffic is routed through a network
interface in transparent bridge mode.
• Name — Specifies the name of the transparent bridge.

Bond enabled When selected, the currently selected network interface, for
example, eth2, is configured as a bonded interface that is
subordinated to a bonding interface.
• Name — Specifies the name of the bonding interface.

MTU Limits the number of bytes in a single transmission unit to the
specified value.
The default number is 1500.
The minimum and maximum numbers depend on whether a
network interface is configured under IPv4 or IPv6.
• IPv4 — minimum: 576, maximum: 9216
• IPv6 — minimum: 1280, maximum: 9216
Note:
If the configured number was set to less than either of these
minimum values in an earlier product version, it is now set to
576 under IPv4 and 1280 under IPv6, respectively, by the
configuration system on Web Gateway.
If it was set to more than the maximum value, it is now set to
the default value of 1500.
This option is not accessible if the following applies:

• This network interface is configured as a scanning node
(also known as slave node) in a transparent bridge
configuration.
In this case, Bridge enabled is selected above.
The value for the network interface that is configured as
bridge is then set to less than the value of any participating
scanning node.
• This network interface is configured as a bonded interface
in a bonding configuration.
In this case, Bond enabled is selected above.

The following table describes the options provided on the Advanced tab when a bonding interface is selected.

Advanced

Option Definition

Bonding options Provides options for a bonding interface.


• Mode — Specifies the mode used to let the bonded network
interfaces in the bonding configuration become active.

Active/Passive — When selected, only one bonded
interface is active at any time.
A different bonded interface becomes active only
if the active bonded interface fails.
The MAC address of the bonding interface is only
visible externally on one port, which avoids
address confusion for a network switch.
Note: This mode is referred to in some system
messages as mode 1.
The mode is selected by default.

802.3ad/LACP — When selected, all bonded
interfaces in the bonding configuration are active.
The bonded interface for outgoing traffic is
selected according to the configured hash policy.
Note: This mode is referred to in some system
messages as mode 4.
When this mode is selected, the LACP rate and Hash
policy options become accessible.
• Miimon — Sets the time interval (in milliseconds) for sending
the polling messages of the MII monitoring program.
The default interval is 100 milliseconds.
• LACP rate — Sets the transmission rate for sending LACP-DU
data packets in 802.3ad mode.

Slow — When selected, data packets are sent
every 30 seconds.
This transmission rate is selected by default.

Fast — When selected, data packets are sent every
second.
• Hash policy — Determines the way that a hash value is
calculated for a bonding configuration.


Layer2 — When selected, a combination of layer 2
values is used to calculate the hash. The values
that are included in this combination are
hardware MAC addresses and packet type ID
addresses.
This hash policy is selected by default.

Layer2+3 — When selected, a combination of layer
2 and layer 3 protocol information is used to
calculate the hash.

Network Protection settings


The Network Protection settings are system settings that are used for configuring protective rules for traffic coming in to an
appliance from your network.
Note:
We recommend configuring Network Protection settings only in explicit proxy mode.
The following network modes are not supported:
• Proxy HA
• Transparent router
• Transparent bridge

Network Protection Rules


Settings for configuring network protection rules

Network Protection Rules

Option Definition

Enable network protection When selected, the network protection settings that are
configured below are enabled.

Input policy Lets you select the action taken on incoming traffic.
Incoming traffic can either be dropped or accepted.

Allow Ping requests When selected, the appliance accepts and answers Ping
requests.

Exceptions from default policy Provides a list for entering the network devices that send
traffic to an appliance.
Traffic from these devices is not handled according to the
rules that are currently implemented. When these rules drop
incoming traffic, traffic sent from the devices listed here is
accepted and vice versa.

The following table describes an entry in the list of exceptions from the default policy.

Exceptions from default policy – List entry

Option Definition

Device Specifies the name of a network device that sends traffic to
the appliance.
Typing * or no input means all devices are covered.

Protocol Specifies the protocol used for sending traffic.

Source Specifies the IP address or address range of the network
device or devices that send traffic to the appliance.

Destination port Specifies the port on an appliance that is the destination of
network traffic.

Comment Provides a plain-text comment on an exception.
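
The following example is added here and is not code from the guide or from the product. It models how the Network Protection settings described above decide on incoming traffic: the input policy applies by default, Allow Ping requests lets ICMP echo requests through, and an entry in the exception list inverts the input policy for matching traffic. The Packet class, the treatment of an empty destination port as "any port", and the behaviour when protection is disabled are assumptions of this example.

```python
"""Added example, not from the guide: evaluate the Network Protection settings
(input policy, Allow Ping requests, exception list) against incoming packets."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    """Constructed representation of an incoming packet (assumption of this example)."""
    device: str                  # interface the packet arrived on, e.g. 'eth0'
    protocol: str                # 'tcp', 'udp' or 'icmp'
    src: str                     # source IP address
    dest_port: Optional[int] = None
    icmp_echo: bool = False      # True for an ICMP echo (ping) request


@dataclass
class ExceptionEntry:
    """One row of the 'Exceptions from default policy' list."""
    device: str = "*"            # '*' or empty covers all devices, as the guide states
    protocol: str = "tcp"
    source: str = "0.0.0.0/0"    # single address or CIDR range
    dest_port: Optional[int] = None  # None: any destination port (assumption)
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.device not in ("*", "", pkt.device):
            return False
        if self.protocol.lower() != pkt.protocol.lower():
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if self.dest_port is not None and self.dest_port != pkt.dest_port:
            return False
        return True


@dataclass
class NetworkProtection:
    enabled: bool = True
    input_policy: str = "drop"   # 'drop' or 'accept'
    allow_ping: bool = True
    exceptions: List[ExceptionEntry] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for an incoming packet."""
        if not self.enabled:
            return "accept"      # protection off: nothing is filtered (assumption)
        if self.allow_ping and pkt.protocol.lower() == "icmp" and pkt.icmp_echo:
            return "accept"
        # Exceptions invert the input policy: listed traffic is accepted when
        # the policy drops, and dropped when the policy accepts.
        inverted = "accept" if self.input_policy == "drop" else "drop"
        if any(entry.matches(pkt) for entry in self.exceptions):
            return inverted
        return self.input_policy


# Constructed sample configuration: drop everything that reaches eth0 except
# TCP from the 10.0.0.0/24 network to port 9090, and keep ping working.
SAMPLE_POLICY = NetworkProtection(
    input_policy="drop",
    allow_ping=True,
    exceptions=[ExceptionEntry(device="eth0", protocol="tcp", source="10.0.0.0/24",
                               dest_port=9090, comment="management network")],
)

if __name__ == "__main__":
    for pkt in (Packet("eth0", "tcp", "10.0.0.5", 9090),
                Packet("eth0", "tcp", "192.0.2.9", 9090),
                Packet("eth0", "icmp", "192.0.2.9", icmp_echo=True)):
        print(pkt, "->", SAMPLE_POLICY.decide(pkt))
```

Note that with the input policy set to accept, the same exception list turns into a block list, which is why an entry's meaning has to be read together with the policy it is an exception to.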

Port Forwarding settings


The Port Forwarding settings are used for configuring rules that let an appliance forward web traffic sent from a port on a particular
host to another port.

Port Forwarding
Settings for configuring port forwarding rules

Port Forwarding

Option Definition

Port forwarding rules Provides a list of port forwarding rules.

The following table describes an entry in the list of port forwarding rules.

Port forwarding rules – List entry

Option Definition

Source host Specifies the IP address of a host that is the source of web
traffic in a port forwarding rule.

Bind IP Specifies the bind IP address.

Target port Specifies the port that web traffic from the source host is
forwarded to.

Destination host Specifies the IP address of the host that is the destination of
web traffic sent from the source host.

Destination port Specifies the port on the destination host used for listening to
web traffic coming in from the source host.

Comment Provides a plain-text comment on a port forwarding rule.

The Port Forwarding settings continue as follows.

Port Forwarding (continued)

Option Definition

Enable extended connection logging When selected, all logs for port forwarding are stored on the
appliance system under /var/log/mwg_fwd.log.
The logging options that you configure here apply to all port
forwarding that is performed under the configured port
forwarding rules.

The stored log files can also be viewed on the user interface
under the Troubleshooting top-level menu.
Select the appliance that you want to view log files for, then
select Log files and open the system folder.

Customize extended logging fields When selected, the input fields for configuring the type of
data that should be logged become accessible.

Log on success Lets you enter the type of data to be logged when web traffic
is successfully forwarded.
You can enter one or more of the following data types by
typing them in capital letters, separated by commas: PID,
HOST, USERID, EXIT, DURATION, TRAFFIC.

Log on failure Lets you enter the type of data to be logged when forwarding
web traffic failed.
You can enter one or more of the following data types by
typing them in capital letters, separated by commas: HOST,
USERID, ATTEMPT.
HOST data is logged by default.

Proxies settings
Proxies settings are used for configuring proxies.

Network Setup
Settings for implementing a network mode
When a network mode is selected, specific settings for this mode appear below these settings.

Network Setup

Option Definition

Proxy (optional WCCP) When selected, the explicit proxy mode is used and WCCP
services can redirect web traffic to an appliance.

Proxy HA When selected, the explicit proxy mode with High Availability
functions is used.

Transparent router When selected, the transparent router mode is used.

Transparent bridge When selected, the transparent bridge mode is used.

HTTP Proxy
Settings for running a proxy on an appliance under the HTTP protocol.
This protocol is used for transferring web pages and other data (also providing SSL encryption for enhanced security).

HTTP Proxy

Option Definition

Enable HTTP proxy When selected, a proxy is run on an appliance under the
HTTP protocol.

HTTP Port Definition list Provides a list for entering the ports on an appliance that
listen to client requests.

Anonymous login for FTP over HTTP Specifies the user name for logging on as an anonymous user
when requests are transmitted to an FTP server by an HTTP
proxy on an appliance.

Password for anonymous login for FTP over HTTP Sets a password for a user name.

Add Via HTTP header When selected, a Via HTTP header is added to a request that
is processed on an appliance.
This option is selected by default.

Adjust content-type header for requests to archives (depending on the content encoding) When selected, a content-type header in a request for access
to an archive file is adjusted if this header does not match the
content encoding that was detected for the archive.

Host header has priority over original destination address (transparent proxy) When selected, requests that are sent to the proxy on an
appliance in transparent proxy mode are recognized as traffic
in explicit proxy mode and processed accordingly.
Requests can, for example, be received on an appliance in
transparent mode when they have been forwarded by a load
balancer. If the proxy does not recognize the requests as
traffic in explicit proxy mode, they will be forwarded to the
web without filtering.
This option is only available if the explicit proxy mode is not
already configured on an appliance.
If the option is available, it is selected by default.

The following table describes an entry in the HTTP port definition list.

HTTP port definition list – List entry

Option Definition

Listener address Specifies the IP address and port number for a port that
listens to HTTP requests.

Serve transparent SSL connections When selected, SSL-encrypted data can also be transferred
using this proxy.

Ports treated as SSL Provides a list of ports that handle incoming data as SSL-
encrypted.
Entries in this list are separated by commas. The list includes
port 443 by default.

Transparent common name handling for proxy requests When selected, common names sent within a request to the
proxy are handled transparently.

McAfee Web Gateway uses passive FTP over HTTP connections When selected, data can be transferred in FTP passive mode
using HTTP connections.

Accept Proxy Protocol header When selected, a Proxy Protocol header sent by a proxy
forwarding web server data downstream is processed on Web
Gateway.
Sending of this header is optional, not required for the
downstream proxy.
The header information is extracted and different parts of it
are stored as values of the Connection.IP, Connection.Port, and
Connection.OriginalDestination.IP properties.

Comment Provides a plain-text comment on a port that listens to HTTP
requests.

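As an added example, not taken from the guide or the product, a parser for the PROXY protocol version 1 header that such a downstream proxy sends, with the extracted parts mapped onto the three property names listed above; the key for the destination port, the trusted-sender list and the sample stream are constructed for this example.

```python
import ipaddress
from typing import Optional, Tuple

# Longest valid v1 header line, CRLF included, as defined by the PROXY protocol spec
MAX_V1_HEADER = 107


def parse_proxy_v1(data: bytes) -> Tuple[Optional[dict], bytes]:
    """Parse a PROXY protocol v1 header at the start of a TCP stream.

    Returns (properties, remaining_bytes). properties is None for the
    "PROXY UNKNOWN" form, where the sender could not determine the client
    address and the TCP-level peer address has to be used instead.
    Raises ValueError for a malformed header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY protocol v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated by CRLF within %d bytes" % MAX_V1_HEADER)
    line = data[:end].decode("ascii")
    rest = data[end + 2:]
    fields = line.split(" ")
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6:
        raise ValueError("expected 6 space-separated fields, got: %r" % line)
    _, proto, src, dst, sport, dport = fields
    family = {"TCP4": 4, "TCP6": 6}.get(proto)
    if family is None:
        raise ValueError("unsupported protocol %r" % proto)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address family does not match %s" % proto)
    ports = []
    for p in (sport, dport):
        # the spec forbids leading zeros and anything outside 0..65535
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("invalid port %r" % p)
        ports.append(int(p))
    # Keys use the property names the guide says the header is mapped to;
    # the guide names no property for the destination port, so that key is ours.
    return {
        "Connection.IP": str(src_ip),
        "Connection.Port": ports[0],
        "Connection.OriginalDestination.IP": str(dst_ip),
        "original_destination_port": ports[1],
    }, rest


def accept_proxy_header(data: bytes, peer_ip: str, trusted_senders) -> Tuple[Optional[dict], bytes]:
    """Apply the header only when the TCP peer is a trusted downstream proxy.

    A header from an untrusted peer would let that peer choose the client
    address the rules see, so it is ignored and the stream is passed on unchanged.
    trusted_senders is a constructed list of networks (an assumption for this example).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_senders):
        return None, data
    return parse_proxy_v1(data)


def is_valid_proxy_v1(data: bytes) -> bool:
    """True when the header parses, False when it is malformed."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


# Constructed sample: a load balancer at 10.1.1.5 relays a client from 192.0.2.10
SAMPLE_STREAM = b"PROXY TCP4 192.0.2.10 203.0.113.5 52014 443\r\nGET / HTTP/1.1\r\n"
TRUSTED_LBS = [ipaddress.ip_network("10.1.1.0/24")]

if __name__ == "__main__":
    props, rest = accept_proxy_header(SAMPLE_STREAM, "10.1.1.5", TRUSTED_LBS)
    print(props)      # Connection.IP is 192.0.2.10, not the load balancer's 10.1.1.5
    print(rest[:16])  # the HTTP request follows the header
```
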
FTP Proxy
Settings for running a proxy on an appliance under the FTP protocol
This protocol is used for transferring files, using separate connections for control functions and data transfer.
Note:
When a file is uploaded to the web from an FTP client and processed on Web Gateway, you can send progress indicators to the
client by inserting the FTP Upload Progress Indication event into a suitable rule.
This will prevent a timeout on the client when processing takes more time, for example, due to scanning the file for infections by
viruses and other malware.

FTP Proxy

Option Definition

Enable FTP proxy When selected, a proxy is run on an appliance under the FTP
protocol.

FTP port definition list Provides a list for entering the ports on an appliance that
listen to client requests.

Allow character @ in FTP server user name (Authentication using USER ftpserveruser@ftpserver) When selected, this character is allowed in a user name.

Enable authentication using USER proxyuser@ftpserveruser@ftpserver When selected, this syntax is allowed for a user name.

Enable authentication using USER ftpserveruser@proxyuser@ftpserver When selected, this syntax is allowed for a user name.

Enable customized welcome message When selected, you can edit the welcome message that is
shown to a user who sends a request for web access under
the FTP protocol.
Type the welcome message into the Customized welcome message
text field, using the appropriate values for the variables that
are contained in the message.
Welcome to $MWG-ProductName$ $MWG-Version$ - build
$MWG.BuildNumber$
Running on $System.HostName$ - $System.UUID$
$Proxy.IP$:$Proxy.Port$

Select the command to be used for next-hop proxy login Allows you to select the command that Web Gateway sends
for logon when connecting to a next-hop proxy under the FTP
protocol.
The following commands can be selected:
• SITE
• OPEN
• USER@Host

The following table describes an entry in the FTP port definition list.

FTP port definition list – List entry

Option Definition

Listener address Specifies the IP address and port number for a port that
listens to FTP requests.

Data port Specifies the port number of a port that is used for handling
data transfer under the FTP protocol.

Port range for client listener Configures a range of numbers for ports that listen to FTP
requests received from clients.
The range is configured by specifying port numbers for its
beginning and end.

Port range for server listener Configures a range of numbers for ports that listen to FTP
responses received from web servers that requests were
forwarded to.

Allow clients to use passive FTP connections When selected, requests can be sent from clients using
passive connections under the FTP protocol.

McAfee Web Gateway uses same connections (active/passive) as clients does When selected, Web Gateway uses the same type for
forwarding web traffic as a client that sent a request to Web
Gateway.

McAfee Web Gateway uses passive FTP connections When selected, Web Gateway can forward web traffic using
passive connections under the FTP protocol.
Note: When the FTP-over-HTTP mode is configured, Web
Gateway always uses active connections to reach out to the
FTP server even if this checkbox is selected.

Comment Provides a plain-text comment on a port that listens to FTP


requests.

ICAP Server
Settings for running an ICAP server on an appliance that modifies requests and responses in communication with ICAP clients

ICAP Server

Option Definition

Enable ICAP server When selected, an ICAP server is run on an appliance.

ICAP Port Definition list Provides a list for entering the ports on an appliance that
listen to requests from ICAP clients.
When multiple ICAP servers are configured on different
appliances within your network, requests coming in from
ICAP clients are distributed among these servers in round-
robin mode.

The following table describes an entry in the ICAP port definition list.

ICAP port definition list – List entry

Option Definition

Listener address Specifies the IP address and port number for a port on the
ICAP server that listens for requests from ICAP clients.

Send early 204 responses When selected, these responses are sent.

Include Realm into authentication attributes When selected, the realm is included in the attributes that are
evaluated during the authentication process that is
performed in ICAP communication.

Wait for complete ICAP request When selected, an ICAP request is only processed after it has
been completely received on the ICAP server, depending,
however, on what you select from the following.
• Never — Processing never waits until a request has been
completely received.
• Only for REQMOD requests — Processing only waits if a request
was sent in REQMOD mode.
• Only for FTP requests — Processing only waits if an FTP request
was sent.
• Always — Processing always waits until a request has been
completely received.

Maximum concurrent REQMOD connections Limits the number of connections that can run in REQMOD
mode at the same time.
The default maximum number is 100.

Maximum concurrent RESPMOD connections Limits the number of connections that can run in RESPMOD
mode at the same time.
The default maximum number is 400.

Preview size Sets the preview size.

ICAPS When selected, the connections used for the ICAP
communication are SSL-secured.
When this option is selected, the options explained in the
following are activated.
These options are related to the certificate that the ICAP
server submits when connecting to ICAP clients over SSL-
secured connections.

Subject, Issuer, Validity, Extensions, Fingerprint, Key These fields display information about the server certificate
that is currently in use.

Server certificate Provides options for handling a server certificate.
• Generate New — Opens a window for generating a new server
certificate.
• Import — Opens a window for importing a server certificate.
• Export — Lets you browse to a location within your file
system that a server certificate can be exported to.
• Export key — Lets you browse to a location within your file
system that the key file for a server certificate can be
exported to.

Comment Provides a plain-text comment on a port that listens to
requests from ICAP clients.

IFP Proxy
Settings for running a proxy on an appliance under the IFP protocol
This protocol is used for transferring web pages.

IFP Proxy

Option Definition

Enable IFP proxy When selected, a proxy is run on an appliance under the IFP
protocol.

IFP port definition list Provides a list for entering the ports on an appliance that
listen to client requests for the IFP proxy.

Maximum number of concurrent IFP requests allowed Limits the number of IFP requests that are processed at the
same time to the specified value.
You can use this setting to prevent an overloading of the IFP
proxy.

The following table describes an entry in the IFP port definition list.

IFP port definition list – List entry

Option Definition

Listener address Specifies the IP address and port number for a port that
listens for IFP requests.

Send error message as redirect When set to true, a user who sent a request is informed, for
example, about a blocking of the request, by redirecting the
request to an error message page.
Otherwise the relevant information is sent as a normal
message under the IFP protocol.

Comment Provides a plain-text comment on a port that listens to IFP
requests.

SOCKS Proxy
Settings for running a proxy on an appliance under the SOCKS (sockets) protocol

SOCKS Proxy

Option Definition

Enable SOCKS proxy When selected, a proxy is run on an appliance under the
SOCKS protocol.

SOCKS port definition list Provides a list for entering the ports on an appliance that
listen to client requests for the SOCKS proxy.

The following table describes an entry in the SOCKS port definition list.

SOCKS port definition list – List entry

Option Definition

Listener address Specifies the IP address and port number of a port that
listens for SOCKS requests.

Port range for UDP Sets the range of ports used for listening to requests sent
under the UDP protocol when a SOCKS proxy is configured.

Comment Provides a plain-text comment on a port that listens to SOCKS
requests.

Data Exchange Layer
Settings for using the DXL (Data Exchange Layer) technology to exchange information between different web security products
Note:
You can implement a library rule set that uses DXL messages to exchange file reputation information between Web Gateway and
a TIE server.
Implementing this rule set is currently the only way to use DXL messages on Web Gateway. The rule set works without any
additional configuration of the Data Exchange Layer settings.

Data Exchange Layer

Option Definition

Time to wait for replies to DXL service requests Sets the time (in seconds) that Web Gateway waits for a
response after sending a request to DXL service.
The default waiting time is 60 seconds.

Subscription Topics Provides a list of topics that a security product can subscribe
to for receiving messages about these topics.

Services Provides a list of services that send messages about topics to
security products.

The following tables describe entries in the Subscription Topics and Services lists.

Subscription Topics – List entry

Option Definition

String Specifies the name of a topic.

Comment Provides a plain-text comment on a topic.

Services – List entry

Option Definition

Service Specifies the name of a service that sends messages about
topics.

Comment Provides a plain-text comment on a service.

Web Cache
Setting for enabling the web cache on a Web Gateway appliance

In addition to enabling the web cache, you need to implement a rule set that uses the Enable Cache event to control reading from
and writing to the cache.

Web Cache

Option Definition

Enable cache When selected, the web cache is enabled on an appliance.

Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP
Settings for timeouts on connections for communication under the HTTP, HTTPS, FTP, ICAP, SOCKS, and UDP protocols

Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP

Option Definition

Initial connection timeout Sets the time (in seconds) that is allowed to elapse before a
newly opened connection is closed if no request is received.

Connection timeout Sets the time (in seconds) that is allowed to elapse before a
connection is closed if a client or web server remains inactive
during an uncompleted connection request communication.

Client connection timeout Sets the time (in seconds) that is allowed to elapse between
one request and the next before a connection from an
appliance to a client is closed.

Maximum idle time for unused HTTP server connections Sets the time (in seconds) that is allowed to elapse between
one request and the next before a connection from an
appliance to a server under the HTTP protocol is closed.

UDP timeout (inactivity timeout) Sets the time (in seconds) that is allowed to elapse between
one request and the next before a connection from an
appliance to a client under the UDP protocol is closed.

DNS Settings
Settings for handling queries to a domain name system server (DNS server).

DNS Settings

Option Definition

IP protocol version preference Lets you select the protocol version that is preferred when
retrieving IP addresses from a DNS server.
• Same as incoming connection — When selected, the protocol
version is used that is already in use on the incoming
connection.
• IP4 — When selected, this protocol version is used.
• IP6 — When selected, this protocol version is used.
• Use other protocol version as fallback — When selected, the other
protocol version is used if using the preferred version
resulted in a failure.
When this option is selected, you can also configure the
following.
◦ Enable simultaneous DNS queries for IPv4 and IPv6 — When
selected, DNS queries for IPv4 and IPv6 addresses are sent at
the same time.
  When this option is selected, you can also configure the
  following.
  ◦ Time to wait for results with a preferred IP version (IPv4/IPv6)
  after initiating simultaneous DNS queries — Limits the time (in
  milliseconds) that elapses until a connection that uses the
  other protocol version is accepted when no connection could
  be set up using the preferred version.
  ◦ Count of IP addresses of the preferred version (IPv4/IPv6) to be
  used from the DNS query results — Limits the number of IP
  addresses that are tried under the preferred protocol version
  for setting up a connection before IP addresses are tried
  under the other version.
  The number of retries that can be configured ranges from 1
  to 4.
A query for retrieving IP addresses from a DNS server can
result in multiple IPv4 or IPv6 addresses. Whether an IPv4 or
an IPv6 address is used for setting up a connection depends
on what you have configured above.
When multiple IP addresses are available within the same
address family (IPv4 or IPv6), addresses are sorted according
to several parameters. Connection attempts are then made
using these addresses in the order in which they are sorted.
The parameters for sorting IP addresses are listed in the
following. They are applied in the order they are listed.
• Precedence of an IP address
The precedence of an IP address is calculated based on its
address prefix. An IP address with a higher precedence
value is tried for connecting before an address with a lower
value.
• Scope of an IP address
An IP address can have one of the following scopes:
◦ Link local
◦ Site or uniquely local
◦ Global
The scopes are used for sorting in the order they are listed
here.
• Connection time (round trip time)
Connection history is recorded. When less time was
required for setting up a connection using a particular IP
address on a previous occasion, this address is preferred
over another IP address that required more time.
• Least recently used IP address
Connection history is also used to determine when IP
addresses were used for the last time. An IP address that
was used less recently than another IP address is preferred
over that address.

Minimal TTL for DNS cache Sets a minimum time (in seconds) that must have elapsed
before data stored in the DNS cache is deleted.

Maximal TTL for DNS cache Sets a maximum time (in seconds) that must have elapsed
before data stored in the DNS cache is deleted.

Flush DNS cache Flushes the DNS cache.
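
As an added example (not from the guide or the product), the sorting and fallback behaviour described under IP protocol version preference, carried out on a constructed DNS answer: up to the configured count of addresses of the preferred version are tried first, then the other version, and within each version the precedence table, the scope order as listed, the recorded round trip time and the last-use time decide the order. The precedence values, the RFC 1918/ULA networks used for the "site or uniquely local" scope, the ranking of addresses without history and the placement of leftover preferred addresses are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed prefix-to-precedence table. The guide says precedence is derived
# from the address prefix but lists no values; these are an assumption for the
# example (more specific prefixes come first because the first match wins).
PRECEDENCE_TABLE = [
    (ipaddress.ip_network("::1/128"), 50),
    (ipaddress.ip_network("fe80::/10"), 30),
    (ipaddress.ip_network("fc00::/7"), 3),
    (ipaddress.ip_network("::/0"), 40),
    (ipaddress.ip_network("0.0.0.0/0"), 35),
]

# Assumed membership of the scopes the guide names
SITE_LOCAL = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]

# Scopes in the order the guide lists them; the position in this tuple is the sort rank
SCOPE_ORDER = ("link local", "site or uniquely local", "global")


def precedence(ip) -> int:
    for net, value in PRECEDENCE_TABLE:
        if ip.version == net.version and ip in net:
            return value
    return 0


def scope(ip) -> str:
    if any(ip.version == n.version and ip in n for n in LINK_LOCAL):
        return "link local"
    if any(ip.version == n.version and ip in n for n in SITE_LOCAL):
        return "site or uniquely local"
    return "global"


def order_candidates(addresses: List[str], rtt_ms: Dict[str, float],
                     last_used: Dict[str, float], preferred_version: int = 4,
                     preferred_count: int = 2, fallback: bool = True) -> List[str]:
    """Return the addresses in the order connection attempts should be made.

    rtt_ms and last_used stand in for the recorded connection history
    (address -> previous round trip time, address -> time of last use).
    fallback mirrors "Use other protocol version as fallback".
    """
    if not 1 <= preferred_count <= 4:
        raise ValueError("the guide allows a count of 1 to 4")
    ips = [ipaddress.ip_address(a) for a in addresses]

    def sort_family(version: int):
        def key(ip):
            s = str(ip)
            return (
                -precedence(ip),                  # higher precedence first
                SCOPE_ORDER.index(scope(ip)),     # scopes in the listed order
                rtt_ms.get(s, float("inf")),      # faster previous connect first; no history last (assumption)
                last_used.get(s, float("-inf")),  # least recently used first; never used counts as oldest
            )
        return sorted((ip for ip in ips if ip.version == version), key=key)

    preferred = sort_family(preferred_version)
    other = sort_family(6 if preferred_version == 4 else 4) if fallback else []
    # Try up to preferred_count addresses of the preferred version, then the other
    # version, then any preferred addresses that are left (the last step is an assumption).
    return [str(ip) for ip in preferred[:preferred_count] + other + preferred[preferred_count:]]


# Constructed DNS answer and connection history for the example
SAMPLE_ADDRESSES = ["198.51.100.7", "2001:db8::1", "203.0.113.10", "fe80::1", "192.0.2.1"]
SAMPLE_RTT_MS = {"203.0.113.10": 5.0, "198.51.100.7": 20.0, "192.0.2.1": 20.0}
SAMPLE_LAST_USED = {"198.51.100.7": 100.0, "192.0.2.1": 50.0}

if __name__ == "__main__":
    print(order_candidates(SAMPLE_ADDRESSES, SAMPLE_RTT_MS, SAMPLE_LAST_USED))
```
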

XMPP proxy
When filtering instant messaging communication on an appliance, one of the methods you can use is to set up a proxy under the
XMPP (Extensible Messaging and Presence Protocol).
This protocol is also known under the name of Jabber. It is used, for example, to participate in Facebook chats or Google Talk
going on between an XMPP client and server.
You can configure settings for the XMPP proxy on the user interface under Configuration → Proxies.
When the SSL Scanner rule set is not enabled on an appliance, traffic going on between an XMPP client and this appliance is not
encrypted, but filtered by all rules that are enabled on the appliance. If the client does not accept unencrypted traffic, the
connection is closed.
When the SSL Scanner rule set is enabled, traffic is encrypted and inspected using SSL scanning to make it available for filtering
by other rules on the appliance.

Advanced Settings
Settings for advanced proxy functions

Advanced Settings

Option Definition

Maximum number of client connections Limits the number of connections between a proxy on an
appliance and its clients.
Specifying 0 means that no limit is configured.

Handle responses from server (content-encoding) Provides options for handling the content in the body of a
response from a web server that is forwarded to a client by
Web Gateway.
The content can be handled differently depending on
whether it is compressed, for example, when GZIP encoding
has been applied, or not.
Compressed content can be extracted to allow access,
inspection, and other treatment according to the rules that
are configured on Web Gateway.
Forwarding to the client is only performed if and to the extent
that the rules allow it.
• Extract but do not compress — Compressed content is extracted
and forwarded uncompressed to the client. Uncompressed
content is forwarded as it is.
• Extract and compress if server response is compressed — Compressed
content is extracted and compressed again before
forwarding it to the client. Uncompressed content is
forwarded as it is.
• Extract and compress if client supports compression — Compressed
content is extracted and compressed again before
forwarding to the client if the client supports compression.
Otherwise it is forwarded uncompressed.
Uncompressed content is compressed and then forwarded
if the client supports compression. Otherwise it is
forwarded uncompressed.
• Do not extract and not compress — Compressed content is not
extracted and forwarded to the client compressed.
Uncompressed content is forwarded uncompressed.
Not extracting compressed content reduces load in content
forwarding. This option is therefore useful when content
inspection or other treatment is not required.
For example, if you only want to apply URL filtering to web
traffic, content extraction is unnecessary.
Compressed content is, however, extracted under this
option if the Dynamic Content Classifier (DCC) is called in
case a URL could not be rated using Trusted Source
information.
To call the DCC, the following setting within the URL settings
must be selected: Enable the Dynamic Content Classifier if GTI web
categorization yields no result.
The extracted content is forwarded uncompressed to the
client.

Handle compressed requests from client Provides options for handling requests that were received in
compressed format from a client of Web Gateway.
• Ignore — The compressed content is not extracted and
filtered, and the request is forwarded to the web server in
compressed format.
• Extract — The compressed content is extracted, so it can be
filtered, but not compressed again before it is eventually
forwarded to the web server.
• Extract and compress again — The compressed content is
extracted, so it can be filtered, and compressed again
before it is eventually forwarded to the web server.

Number of working threads Specifies the number of threads used for filtering and
transmitting web objects when a proxy is run on an appliance.

Number of threads for AV scanning Specifies the number of threads used to scan web objects for
infections by viruses and other malware when a proxy is run
on an appliance.

Use TCP no delay When selected, delays on a proxy connection are avoided by
not using the Nagle algorithm to assemble data packets.
This algorithm enforces that packets are not sent before a
certain amount of data has been collected.

Maximum TTL for DNS cache in seconds Limits the time (in seconds) that host name information is
stored in the DNS cache.

Timeout for errors for long running connections Sets the time (in hours) that a long-running connection to
another network component is allowed to remain inactive
before Web Gateway closes the connection.
The default time is 24 hours.
This setting prevents the performance of a Web Gateway
appliance from being impacted by connections that stay open
for an extremely long time.
Time is measured as follows for the different connection
protocols to determine whether the timeout has been
reached.
• HTTP, HTTPS (with content inspection), ICAP, and similar
protocols: Time is measured for every request that is sent
on a connection.
• SOCKS (when the embedded protocol is not followed),
tunneled HTTP, HTTPS (without content inspection), and
similar protocols: Time is measured for a connection as a
whole.
• FTP: Time is measured for the control connection.
When the connection is closed, an error is generated, which
can be handled by the rules in an Error Handler rule set.

Check interval for long running connections Sets the time (in minutes) that elapses between check
messages sent over a long-running connection.

Maximum amount of data per connection or request Sets the amount of data (in MB) that can be sent on a long-
running connection to another network component before
Web Gateway closes the connection.
The default amount is 10,240 MB.
This setting prevents the performance of a Web Gateway
appliance from being impacted by long-running connections
that carry a very high data load.
Data load is measured as follows for the different connection
protocols to determine whether the maximum amount has
been reached.
• HTTP, HTTPS (with content inspection), ICAP, and similar
protocols: Data load is measured for every request that is
sent on a connection.
• SOCKS (when the underlying protocol is not followed),
tunneled HTTP, HTTPS (without content inspection), and
similar protocols: Data load is measured for a connection as
a whole.
• FTP: Data load is measured for the data connection.
When the connection is closed, an error is generated, which
can be handled by the rules in an Error Handler rule set.
The following properties are then set to the value of the
measured data to be available for the error handling rules:
Bytes.ToClient, Bytes.ToServer, Bytes.FromClient,
Bytes.FromServer.

Volume interval for connections Sets the volume interval for long-running connections.

Internal path ID Identifies the path an appliance follows to forward internal
requests (not requests received from clients), for example,
requests for style sheets used to display error messages.

Bypass RESPmod for responses that must not contain a body When selected, responses sent in communication under the
ICAP protocol are not modified according to the RESPMOD
mode if they do not include a body.

Call log handler for progress page updates and objects embedded in error templates When selected, the rules in the log handler rule set that is
implemented on the appliance are processed to deal with the
specified updates and objects.

Allow connections to use local ports using proxy When selected, local ports can be used for requests on an
appliance that a proxy is run on.

Use virtual IP as the Proxy.IP property value When selected, the value for the Proxy.IP property in High
Availability mode is a virtual IP address for all nodes in a
configuration.
It is the virtual IP address that is used by clients to connect to
the proxy.
When the director node redirects a request sent from a client
to a scanning node, this address is the value of the Proxy.IP
property also on the scanning node (not the physical address
of the scanning node).

HTTP(S): Remove all hop-by-hop headers When selected, hop-by-hop headers are removed from
requests received on an appliance that an HTTP or HTTPS
proxy is run on.

HTTP(S): Inspect via headers to detect proxy loops When selected, via headers in requests received on the
appliance that an HTTP or HTTPS proxy is run on are
inspected to detect loops.

HTTP(S): Host from absolute URL has priority over host header When selected, the host names corresponding to absolute
URLs in requests received on an appliance that an HTTP or
HTTPS proxy is run on are preferred to the host names
contained in the request headers.

Encode own IP address in progress page ID to enable non-sticky load balancers When selected, the appliance's own IP address is encoded in
the progress page ID.

HTTP(S): Maximum size of a header Sets a limit to the size (in MB) for the header of a request or
response sent in HTTP(S) traffic.
The default size is 10 MB.

Listen backlog Specifies a value for the listen backlog.
The default value is 128.

Limit for working threads doing IO in web cache Sets a limit to the number of working threads for the web
cache.
The default number is 25.

Progress page limit Sets a limit to the size (in KB) of the progress page.
The default size is 40,000 KB.

Enable TCP window scaling When selected, the window for receiving data packets at the
TCP communication level is increased by the scaling factor
that you specify under TCP window scale.
Note:
This option is enabled by default.
If you disable the option, it means that there is no window
scaling. Disable the option only if you really want to configure
the receive window in this way.

TCP window scale (format: 0-14) Sets the size of the window for receiving data packets on the
TCP communication level.
The initial size of the receive window can be scaled using a
scaling factor that is calculated by taking base 2 to the power
of the value that you specify here.
For example, if you specify 1, the scaling factor is 2^1 = 2,
which means the window size is doubled.
The range of values that you can specify is 0–14.
If you specify 0, it yields 1 as the scaling factor. It means that
you want to leave the initial size of your receive window as it
is.
It still allows, however, the use of window scaling for the
receive window of the communication partner.
The default value is 2.

Periodic Rule Engine Trigger List
Settings for connecting to web servers, calling the rule engine, and downloading data

Periodic Rule Engine Trigger List

Option Definition

Enable Periodic Rule Engine Trigger List When selected, connections to the web servers specified in
the list called URL definition list are set up at regular intervals.
The interval for each web server connection is also specified
on the list.
When the interval has elapsed, the rule processing module
(rule engine) on an appliance is called, a connection to the
web server is set up, and data is downloaded from the web
server and passed on to the rule engine for processing.
Data is only downloaded under the HTTP and HTTPS
protocols.
Web servers that connections are set up to in this way include
next-hop proxy servers and other servers used for providing
particular services in the web.

URL definition list Provides a list of web servers that a connection can be set up
to.

The following table describes a list entry in the URL definition list.

URL definition list – List entry

Option Definition

Host Specifies the IP address and port number or the URL of a web
server that a connection can be set up to.

Trigger interval Specifies the interval (in seconds) that elapses before the next
attempt to set up a connection to a web server.

Comment Provides a plain-text comment on a web server connection.

SNMP settings
The SNMP settings are settings for configuring the monitoring of system events under SNMP.

SNMP Port Settings
Settings for the ports of the SNMP agent on an appliance that listen to client requests

SNMP Port Settings

Option Definition

Listener address list Provides a list for entering the ports that listen to client
requests.

The following table describes an entry in the listener address list.

Listener address – List entry

Option Definition

Protocol Specifies the protocol used for the communication between a
port and the clients that it listens to.
• UDP — When selected, UDP is used for this communication
• TCP — When selected, TCP is used for this communication

Listener address Specifies the IP address and port number of a listener port.

Comment Provides a plain-text comment on a listener port.

The following two listener ports are available on an appliance and entered in this list by default.
• UDP — 0.0.0.0:161
• UDP — 0.0.0.0:9161

SNMP System Information
Settings for the appliance that is the monitored system

SNMP System Information

Option Definition

Description Identifies the monitored system.

Object ID Specifies the ID of the object in the Management Information
Base (MIB) where information on the monitored system
begins.
For example: .1.3.6.1.4.1.1230.2.7.1.1

Contact person Specifies the name of the person who administers the SNMP
functions of the monitored system.

Physical location Specifies the location of the monitored system.

SNMP Protocol Options
Settings for SNMP protocol versions and user access to SNMP information

SNMP Protocol Options

Option Definition

SNMP v1 When selected, system events are monitored under version 1
of SNMP.

SNMP v2c When selected, system events are monitored under version
2c of SNMP.

Communities for SNMPv1 and SNMPv2c access Provides a list for entering the user communities who are
allowed access to SNMP information under versions 1 and 2c
of SNMP.

SNMP v3c When selected, system events are monitored under version 3
of SNMP.

SNMP v3 users Provides a list for entering the users who are allowed access
to SNMP information under version 3 of SNMP.

The following tables describe the entries in the list of user communities and the list of SNMP v3 users.

User communities – List entry

Option Definition

Community string Provides a string used for authenticating a user community to
let it access SNMP information, for example, public.

Allowed root OID Identifies the item on the MIB tree that is the beginning of the
information with allowed access.
If * or no value is specified here, access to all information is
allowed.

Allowed from Specifies the host name or IP address of a host system that
access to SNMP information is allowed from.
A range of IP addresses in an IP subnet can also be specified
here to allow access from them.
To specify this range, you must specify the IP address of the
subnet, which is also known as the network prefix, and its bit-
length, separated by a slash:
<network prefix/bit-length>
Example: 192.168.1.184/29
The IP address or prefix of the subnet is the IP address
immediately preceding the first IP address that serves to
identify a host system within the subnet.
For example, if you have a subnet with the following IP
addresses:
192.168.1.185
192.168.1.186
192.168.1.187
then 192.168.1.184 is the IP address or prefix of this subnet.

Read-only access When selected, only reading access to SNMP information is
allowed.

Comment Provides a plain-text comment on a user community.
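
The Allowed from column above restricts which source addresses may use a community string, and the guide requires the network prefix (not an address inside the subnet) when a range is given. The following Python example is added here for illustration and is not part of the guide or of the Web Gateway product; the community names, the 10.0.5.17 address and the host name monitor.example.internal are constructed sample values. It validates an Allowed from entry the way the guide describes, derives the prefix for a given host and prefix length, and tests whether a requesting address falls inside an entry.

```python
import ipaddress

# Constructed sample table, modelled on the "Allowed from" column of the
# user community list. Values are examples, not a real appliance configuration.
COMMUNITY_ALLOWED_FROM = {
    "public": ["192.168.1.184/29"],                      # the /29 from the guide's example
    "monitoring": ["10.0.5.17", "monitor.example.internal"],
}


def classify_entry(entry: str) -> str:
    """Classify an Allowed from value.

    'network'        -> a CIDR whose address is the network prefix (e.g. 192.168.1.184/29)
    'invalid-prefix' -> a CIDR with host bits set (e.g. 192.168.1.185/29): the guide
                        requires the prefix, so this entry is rejected
    'address'        -> a single IP address
    'name'           -> anything else, treated as a host name
    """
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=True)
            return "network"
        except ValueError:
            return "invalid-prefix"
    try:
        ipaddress.ip_address(entry)
        return "address"
    except ValueError:
        return "name"


def network_prefix_for(host: str, prefixlen: int) -> str:
    """Return the prefix the guide asks for: the network address of host's subnet.

    network_prefix_for("192.168.1.185", 29) -> "192.168.1.184/29"
    """
    net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def is_allowed(community: str, source_ip: str) -> bool:
    """True if source_ip matches one of the community's Allowed from entries.

    Host-name entries would need DNS resolution and are skipped here (assumption);
    entries classified as 'invalid-prefix' never match.
    """
    addr = ipaddress.ip_address(source_ip)
    for entry in COMMUNITY_ALLOWED_FROM.get(community, []):
        kind = classify_entry(entry)
        if kind == "network" and addr in ipaddress.ip_network(entry):
            return True
        if kind == "address" and addr == ipaddress.ip_address(entry):
            return True
    return False
```

A /29 such as 192.168.1.184/29 covers 192.168.1.184 through 192.168.1.191, so the three host addresses in the guide's example are inside it while 192.168.1.192 is not; keeping each community's Allowed from list as narrow as the monitoring hosts require is what limits who can read the MIB with that community string.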

SNMP v3 users – List entry

Option Definition

User name Specifies the name of a user who is allowed access to SNMP
information.

Allowed root OID Identifies the item on the MIB tree that is the beginning of the
information with allowed access.
If * or no value is specified here, access to all information is
allowed.

Authentication Sets the authentication method used when SNMP
information is accessed by a user.

Encryption Sets the encryption method used when SNMP information is
accessed by a user.

Read-only access When selected, only reading access to SNMP information is
allowed.

Comment Provides a plain-text comment on a user.

SNMP Trap Sinks
Settings for the host systems that receive SNMP messages

SNMP Trap Sinks

Option Definition

Trap sinks Provides a list for entering the host systems, known as trap
sinks, that receive messages about system events from the
SNMP agent on an appliance.

The following table describes an entry in the list of trap sinks.

Trap sinks – List entry

Option Definition

Host name or IP address Specifies the host name or IP address of a host system that
receives SNMP messages, which are known as traps.

Port Specifies the port on a host system that listens to SNMP
messages.

Community string Specifies the string used for authenticating a user community
to let it access SNMP information, for example, public.

Send SNMP v2c traps When selected, messages can be sent under version v2c of
the SNMP protocol.

Comment Provides a plain-text comment on a host system that receives
SNMP messages.

SNMP MIB Files
Files in txt format providing additional information about SNMP monitoring on an appliance

SNMP MIB Files

Option Definition

MCAFEE-SMI.txt Provides Structure of Management Information (SMI) on
McAfee, including contact information for the McAfee
customer service.

MCAFEE-MWG-MIB.txt Provides descriptions of the items in the Management
Information Base (MIB) that you can do SNMP monitoring for
on an appliance.

Static Routes settings
The Static Routes settings are used for configuring routes that always use the same gateway and interface on this gateway when
web traffic is routed from an appliance to a particular host.

Static Routes
Settings for static routes under IPv4 or IPv6

Static Routes

Option Definition

Static routes list Provides a list of static routes for transmitting web traffic
under IPv4 or IPv6.

The following table describes an entry in the list of static routes.

Static routes list – List entry

Option Definition

Destination Specifies the IP address and (optionally) net mask of the host
that is the destination of a static route.

Gateway Specifies the IP address of the gateway for routing web traffic
from the appliance to a host.

Device Specifies the interface used on a gateway for a static route.

Description Provides a plain-text description of a static route.

Comment Provides a plain-text comment on a static route.

Source-based routing
Settings for source-based routing under IPv4 or IPv6

Source-based routing

Option Definition

Source-based routing for IPv4 When selected, source-based routing is performed under
IPv4.

Source-based routing for IPv6 When selected, source-based routing is performed under
IPv6.

Static source routing table number Provides a list of entries for source routing tables that are
used to route the traffic that is sent and received through the
management user interface.

Source-based routing list for IPv4 Provides a list of routing entries for the traffic that is sent and
received through the management user interface.
These routing entries are for a network where IPv4 is
followed.

Source-based routing list for IPv6 Provides a list of routing entries for the traffic that is sent and
received through the management user interface.
These routing entries are for a network where IPv6 is
followed.

The following table describes an entry in the list for static source routing tables.

Static source routing table number – List entry

Option Definition

Source information to look up routing table Specifies the source IP address of the traffic that is routed
according to the configured static source routing table.

Routing table number Specifies the number of the routing table for routing the
traffic that is sent and received through the management
user interface.

Comment Provides a plain-text comment on a static source routing
table.

The following table describes an entry in the list for source-based routing under IPv4.

Source-based routing list for IPv4 – List entry

Option Definition

Destination Specifies the IP address range (in CIDR notation) for the
destinations of the traffic that is sent through the
management network interface.

Routing table number Specifies the number of the routing table for routing the
traffic that is sent and received through the management
user interface.

Gateway Specifies the IP address of the gateway for the traffic that is
sent and received through the management network
interface.

Device Specifies the name of the network interface that is configured
as the management network interface.

Source IP Specifies the IP address of the network interface that is
configured as the management network interface.
This address is the source IP address of the traffic that is
routed according to the routing table.

Comment Provides a plain-text comment on an entry for source-based
routing.

The following table describes an entry in the list for source-based routing under IPv6.

Source-based routing list for IPv6 – List entry

Option Definition

Destination Specifies the IP address range (in CIDR notation) for the
destinations of the traffic that is sent through the
management network interface.

Routing table number Specifies the number of the routing table for routing the
traffic that is sent and received through the management
user interface.

Gateway Specifies the IP address of the gateway for the traffic that is
sent and received through the management network
interface.

Device Specifies the name of the network interface that is configured
as the management network interface.

Source IP Specifies the IP address of the network interface that is
configured as the management network interface.
This address is the source IP address of the traffic that is
routed according to the routing table.

Comment Provides a plain-text comment on an entry for source-based
routing.

Telemetry settings
The Telemetry settings are used for configuring the collection of feedback data about web objects that are potentially malicious,
as well as about policy configuration.

Feedback Settings
Settings for collecting feedback data
Note: You can separately enable or disable each of the following options.

Feedback Settings

Option Definition

Send feedback to McAfee about system information and suspicious URLs to improve its threat prediction and protection services When selected, feedback data is collected and sent to special
McAfee feedback servers.
McAfee collects this data to analyze it and improve the threat
prediction and protection features of Web Gateway.
For more information, see the Data Usage Statement.

Send feedback to McAfee about potentially malicious websites When selected, relevant data for virus and malware filtering is
collected and sent to a special McAfee feedback server.

Send feedback to McAfee about dynamically classified websites When selected, relevant data for classifying websites is
collected and sent to a special McAfee feedback server.

Send feedback to McAfee about policy configuration to improve the product When selected, relevant data for policy configuration is
collected and sent to a special McAfee feedback server.

Further Information
Link to the Data Usage Statement

Further Information

Option Definition

Data Usage Statement Provides a link to the data usage statement, which explains:
• What McAfee uses collected feedback data for
• What data is collected
• How data collection can be turned off for different types of
data
Note: The data usage statement has also been presented to
you at the initial setup of the appliance.

Advanced Settings
Advanced settings for collecting feedback data

Advanced Settings

Option Definition

Use upstream proxy When selected, a proxy server is used to send feedback data
to McAfee.

IP or name of the proxy Specifies the IP address or host name of the proxy server.

Port of the proxy Specifies the port number of the port on the proxy server that
listens for requests to send feedback data.
The port number can range from 1 to 65635.
The default port number is 9090.

User name Provides the user name that is required for logging on to the
proxy server.

Password Provides the password that is required for logging on to the
proxy server.
Clicking Set opens a window for setting the password.

Choose feedback server When selected, an IP address and port number can be
configured for the server that feedback data is sent to.

IP of the server Specifies the IP address of the feedback server.

Port of the server Specifies the port number of the port on the feedback server
that listens for requests to send data.
The port number can range from 1 to 65635.
The default port number is 443.

Port of the server When selected, feedback-sending activities are logged.

Tenant Info settings
The Tenant Info settings are used for configuring a tenant ID.

Tenant ID Configuration
Settings for configuring a tenant ID

Tenant ID Configuration

Option Definition

Tenant ID generation status information Provides information about the generation status of the
tenant ID.

Show Provisioning Key Lets the provisioning key, which is used for generating the
tenant ID, appear in the provisioning key field.

Copy Copies the provisioning key.

Provisioning key field Shows the provisioning key.

Open cloud ePO and generate activation key. Provides information about how to continue with creating the
tenant ID.

Activation key field Shows the activation key for the tenant ID that you have
created by working with McAfee ePO and pasted into this
field.

Set Tenant ID Sets the tenant ID to make it known on Web Gateway.

User Interface settings
The User Interface settings are used for configuring the local user interface on a Web Gateway appliance. This includes the
configuration of ports, the logon page, a certificate for communication under HTTPS, and other items.

UI Access
Settings for configuring access to the interface of an appliance

UI Access

Option Definition

HTTP connector Provides options for configuring access to the interface of an
appliance under HTTP.
• Enable local user interface over HTTP — When selected, the HTTP
ports that are configured on an appliance for connecting to
the interface are enabled.
• HTTP connector — Specifies an HTTP port for connecting to the
interface.
You can enter more than one port here, separating entries
by commas. Ports can range from 1024 to 65335.
Together with a port, you can enter an IP address. This
means connecting to the interface of an appliance over this
port requires that you specify both the port and this IP
address.
For example, there are two interfaces for connecting on an
appliance with these IP addresses:
eth0: 192.168.0.10, eth1: 10.149.110.10
You enter this under HTTP connector:
4711, 192.168.0.10:4722
Then connecting to a file server on the appliance over port
4711 is allowed using both IP addresses, whereas
connecting over port 4722 requires that IP address
192.168.0.10 is used.
Restricting connections in this way might be useful, for
example, if you want to set up an intranet.
• Enable REST interface over HTTP — When selected, you can use
the HTTP ports that are configured to connect to the REST
interface.

HTTPS connector Provides options for configuring access to the interface of an
appliance under HTTPS.
• Enable local user interface over HTTPS — When selected, the HTTP
ports that are configured on an appliance for connecting to
the interface are enabled.
• HTTPS connector — Specifies an HTTPS port for connecting to
the interface.
You can enter more than one port here, separating entries
by commas. Ports can range from 1024 to 65335.
Entering a port together with an IP address can be done in
the same way as under HTTP connector and has the same
meaning.
• Enable REST interface over HTTPS — When selected, you can use
the HTTP ports that are configured to connect to the REST
interface.
Using the following options, you can specify a protocol and a
list of valid ciphers for the HTTPS communication.
• SSL protocol version — Specifies the version of the SSL protocol
that is used for communication with the interface.
◦ TLS 1.2
◦ TLS 1.1
◦ TLS 1.0
• Server cipher list — Specifies a string of OpenSSL symbols used
for encrypting communication with the interface.

HTTPS client certificate connector Provides options for configuring a client certificate connector.
• Enable client certificate authentication — When selected, client
certificate authentication can be performed.
• HTTPS connector for client certificate authentication — Specifies a port
for connecting to the interface when client certificate
authentication is performed.
You can enter more than one port here, separating entries
by commas. Ports can range from 1024 to 65335.
Entering a port together with an IP address can be done in
the same way as under HTTP connector and has the same
meaning.
• Redirect target after authentication — When selected, a request is
redirected after client certificate authentication has
successfully been performed.
• Redirection host and port — Specifies the host system and the
port on the system that requests are redirected to.

Miscellaneous Provides miscellaneous options for configuring access to the
interface of an appliance.
• Session timeout — Limits the time (in minutes) that elapses
before a session on the interface is closed if no activities
occur.
The range for the session timeout is 1–99,999 minutes.
The timeout is 30 minutes by default.
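
The HTTP connector and HTTPS connector fields accept a comma-separated list in which a bare port is reachable on every appliance address, while an address:port pair is reachable only on that address. The following Python example is added here to make that rule explicit; it is not code from the guide or from the Web Gateway product. It parses a connector value in the syntax the table describes and reports, for the two interfaces in the guide's example (eth0: 192.168.0.10, eth1: 10.149.110.10), which interface and port combinations would accept a connection to the user interface. It assumes dotted-quad IPv4 addresses, as shown in the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connector:
    port: int
    bind_ip: Optional[str]   # None: the port is reachable on every appliance address


def parse_connector(value: str) -> List[Connector]:
    """Parse the comma-separated value of the HTTP or HTTPS connector field.

    "4711, 192.168.0.10:4722" -> [Connector(4711, None), Connector(4722, "192.168.0.10")]
    Only IPv4 literals are handled (assumption: the guide shows dotted-quad addresses).
    Malformed addresses or ports raise ValueError rather than being silently accepted.
    """
    connectors = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            ip, port = item.rsplit(":", 1)
            ipaddress.IPv4Address(ip)            # validate the address part
            connectors.append(Connector(int(port), ip))
        else:
            connectors.append(Connector(int(item), None))
    return connectors


def accepts(connectors: List[Connector], dest_ip: str, port: int) -> bool:
    """Would a connection addressed to dest_ip:port reach the user interface?"""
    return any(c.port == port and c.bind_ip in (None, dest_ip) for c in connectors)


# Constructed example interfaces, taken from the scenario described in the guide.
APPLIANCE_IPS = {"eth0": "192.168.0.10", "eth1": "10.149.110.10"}


def exposure_matrix(value: str) -> Dict[Tuple[str, int], bool]:
    """Map (interface, port) to whether that combination accepts UI connections."""
    connectors = parse_connector(value)
    ports = sorted({c.port for c in connectors})
    return {(iface, port): accepts(connectors, ip, port)
            for iface, ip in APPLIANCE_IPS.items() for port in ports}
```

Running exposure_matrix("4711, 192.168.0.10:4722") shows port 4711 open on both interfaces and port 4722 only on eth0, which is the intranet-style restriction the table describes; reviewing this matrix is a quick way to confirm that the management interface is not listening on an address that faces untrusted networks.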

Login Page Options
Settings for the page that is used to log on to the interface of an appliance

Login Page Options

Option Definition

Allow browser to save login credentials When selected, credentials submitted by a user for logging on
to the interface are saved by the browser.

Restrict browser session to IP address of user When selected, a session for working with the interface is
only valid as long as the IP address of the client that the user
started this session from remains the same.

Let user decide to restrict session for IP address or not When selected, it is up to the user who started a session for
working with the interface whether it should be valid only for
the IP address of the client that the session was started from.

Allow multiple logins per login name When selected, more than one user can log on to the
interface under the same user name and password.

Use HTTPOnly session cookies (applet loading may take longer) When selected, HTTPOnly cookies are used for a session with
the user interface.

Enable protection against cross-site scripting and clickjacking When selected, the page used by the administrator for
logging on to the interface of a Web Gateway appliance from
a browser is protected against a common type of attack.
The attack can be performed by combining two methods. Two
HTTP headers are added when the page is sent to the
browser to prevent these methods from being executed.
• Cross-site scripting — Malicious JavaScript code is inserted
in the page, which is executed when the administrator
responds to a prompt on the page, for example, by entering
a user name.
Adding the following header to messages prevents the
execution of this attack:
Header name: X-XSS-Protection
Header value: 1
• Clickjacking — The page is embedded in an iFrame, which
can be used to steal the data that is entered on the page.
Adding the following header to messages prevents the
execution of this attack:
Header name: X-Frame-Options
Header value: DENY

Maximum number of active applet users Limits the number of users that can be logged on to the
interface at the same time.
The maximum number of users is 20 by default.

Login message Provides the following options for displaying an additional
message on the page used for logging on to the interface.
Note: You can work with these options if you want to display
a message, for example, to comply with internal policies or
external regulations.
• Show on login page — When selected, the text that you type in
the HTML message field appears on the logon page.
• HTML message — The text that you type in this field appears
on the logon page.
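
The Enable protection against cross-site scripting and clickjacking option works by adding two response headers, X-XSS-Protection: 1 and X-Frame-Options: DENY, to the logon page. The following Python example is added here as a defender's check and is not code from the guide or from the Web Gateway product: it parses a raw HTTP response and reports which of the two headers is missing or carries an unexpected value, so an administrator can verify the option is in effect by fetching the logon page. The two sample responses are constructed, not captured from a real appliance.

```python
from typing import Dict, List

# Constructed sample responses (not captured from a real appliance).
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>login form</body></html>"
)
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login form</body></html>"
)

# Header name -> value that the option adds, as stated in the guide.
EXPECTED_HEADERS = {
    "x-xss-protection": "1",
    "x-frame-options": "DENY",
}


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to the list of values seen in a raw HTTP response.

    A list is kept per name so that a header sent twice is not silently collapsed.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def missing_protections(raw: str) -> List[str]:
    """Return the expected headers that are absent or carry a different value.

    Only the first directive of a value is compared, so "1; mode=block" still
    satisfies X-XSS-Protection: 1. Values are compared case-insensitively.
    """
    headers = parse_response_headers(raw)
    missing = []
    for name, expected in EXPECTED_HEADERS.items():
        values = [v.split(";")[0].strip().lower() for v in headers.get(name, [])]
        if expected.lower() not in values:
            missing.append(name)
    return missing
```

An empty result means both headers are present with the values the guide specifies. Note that most current browsers no longer act on X-XSS-Protection, so in practice the X-Frame-Options header carries the weight of this option; the check still reports both so that a configuration change is visible either way.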

User Interface Certificate
Settings for a certificate that is used in SSL-secured communication over the HTTPS port for the interface of an appliance.

User Interface Certificate

Option Definition

Subject, Issuer, Validity, Extensions Provide information about the certificate that is currently in
use.

Import Opens the Import Certificate Authority window for importing a new
certificate.

Certificate chain Displays a certificate chain that is imported with a certificate.

Import Certificate Authority window
Settings for importing a certificate that is used in SSL-secured communication

Import Certificate Authority window

Option Definition

Certificate Specifies the name of a certificate file.
The file name can be entered manually or by using the Browse
button in the same line.

Browse Opens the local file manager to let you browse for and select
a certificate file.

Private key Specifies the name of a private key file.
The file name can be entered manually or by using the Browse
button in the same line.
Only keys that are AES-128-bit encrypted or unencrypted keys
can be used here.

Browse Opens the local file manager to let you browse for and select
a private key file.

Password Sets a password that allows the use of a private key.

Import Opens the Import Certificate Authority window for importing a new
certificate.

OK Starts the import process for the specified certificate.

Certificate chain Specifies the name of a certificate chain file.
The file name can be entered manually or by using the Browse
button in the same line.

Browse Opens the local file manager to let you browse for and select
a certificate chain file.
After importing a certificate with a certificate chain, the
certificate chain is displayed in the Certificate chain field of the
User Interface Certificate settings.

Memory Settings
Settings for the memory that is available when working with the interface of an appliance

Memory Settings

Option Definition

Amount of maximum memory available for GUI applet Limits the amount of memory (in MiB) that is available for the
interface applet.
The range for the available maximum is 100–999 MiB.
The available maximum is 512 MiB by default.

Amount of maximum memory available for MWG UI backend Limits the amount of memory (in MiB) that is available for the
backend of the interface.
The range for the available maximum is 100–9999 MiB.
If no value is specified here, the default maximum of 512 MiB
is configured.

REST Settings
Settings for configuring use of the REST interface to work with an appliance

REST Settings

Option Definition

Maximum size of a REST request Limits the size (in MiB) of a request that is sent to the REST
interface.
Note: The maximum amount of memory that is available
when working with the REST interface is 200 MiB.
The maximum size of a request is 2 MiB by default.

Maximum memory per REST session Limits the amount of memory (in MiB) that is available for a
session when working with the REST interface.
Note: The maximum amount of memory that is available
when working with the REST interface is 200 MiB.
The maximum amount of memory for a session is 10 MiB by
default.

Maximum number of active REST users Limits the number of users that can work with the REST
interface at the same time.
The maximum number of users is 20 by default.

Windows Domain Membership settings
The Windows Domain Membership settings are used for joining an appliance to a Windows domain.

Join Domain
Settings for joining an appliance to a Windows domain

Join Domain

Option Definition

Windows domain name Specifies the name of the domain.

McAfee Web Gateway account name Specifies the name of an account for an appliance.

Overwrite existing account When selected, an existing account is overwritten.

Use NTLM version 2 When selected, NTLM version 2 is used.

Timeout for requests to this NTLM domain Limits the time (in seconds) that elapses before processing
stops for a request sent from an appliance to a domain
controller if no response is received within the specified value.

Wait time for reconnect to domain controller Specifies the time (in seconds) that elapses before another
attempt is made to connect to a domain controller after a
previous attempt failed.
The allowed range is from 5 to 300 seconds.

Configured domain controllers Provides a list for entering the domain controllers that an
appliance can connect to in order to retrieve authentication
information.
Entries must be separated by commas.

Number of active domain controllers Limits the number of configured domain controllers that can
be active at the same time.
The allowed range is from 1 to 10.

Administrator name Specifies the logon name of an existing administrator account
that has privileges to join an appliance to a domain by
creating a machine account in Active Directory.
Logon name and password are only used once to create the
machine account. They are not stored.

Password Specifies the password of the existing administrator account.

Module settings
Module settings are used to configure the behavior of modules on a Web Gateway appliance. These modules are also known as
engines or filters.
For example, the Anti-Malware module calls the scanning engines, such as the Gateway Anti-Malware (GAM) engine, when the body
of a response sent by a web server should be scanned for infections.
By configuring the settings for this module, you can modify the scanning process. Depending on what you configure, the module
might not call the GAM engine, which is the default, but a different engine for scanning.
Other modules are the URL Filter module, the TIE Filter module, or the Authentication module.

Different settings for a module
A module can have one particular instance of settings or several. Different instances of module settings are distinguished by
their names. Usually, they differ in how the values of the various settings options are configured.
For example, after the initial setup of Web Gateway, there is one instance of the settings for the Anti-Malware module available by
default. The settings name for this instance is Gateway Anti-Malware settings.
When the module runs with these settings, it calls the GAM engine for scanning, as this behavior is configured for one of the
settings options.
After importing the Advanced Threat Defense rule set, however, a second instance of settings for the module is available. Its name is
Gateway ATD settings.
When the module uses these settings, a web object is passed on from Web Gateway to Advanced Threat Defense for scanning, as
the value for the relevant option within the settings differs now from the value for the same option in the default settings.
You can also create and configure settings instances of your own for any of these modules to let them show the behavior that
meets your requirements.

Anti-Malware settings
The Anti-Malware settings are the settings for the Anti-Malware module, which handles the scanning of web objects for infections by
viruses and other malware.
Instances of the Anti-Malware settings include the following:
• Gateway Anti-Malware settings — Default settings
• Gateway ATD settings — Available after importing the Advanced Threat Defense rule set
These settings differ from the default settings not only in that different values are configured for some options. They also have
options that do not exist under the default settings and lack others that do exist there.

Gateway Anti-Malware settings
The Gateway Anti-Malware settings are the settings for the Anti-Malware module that are by default available after the initial setup of
Web Gateway.

Select Scanning Engines and Behavior
Settings for selecting a combination of scanning engines and their behavior in case one of them detects an infection.
The scanning engines are the submodules that run together as the Anti-Malware module to scan web objects.

Select Scanning Engines

Option Definition

Full McAfee coverage: The recommended high-performance configuration When selected, the McAfee Gateway Anti-Malware engine and
the McAfee Anti-Malware engine are active.
Web objects are then scanned using:
Proactive methods + Virus signatures
This option is selected by default.

Layered coverage: Full McAfee coverage plus specific Avira engine features — minor performance impact When selected, the McAfee Gateway Anti-Malware engine, the
McAfee Anti-Malware engine, and, for some web objects, also
the third-party Avira engine are active.
Web objects are then scanned using:
Proactive methods + Virus signatures + Third-party module
functions for some web objects

Duplicate coverage: Full McAfee coverage and Avira engine — less performance and more false positives When selected, the McAfee Gateway Anti-Malware engine, the
McAfee Anti-Malware engine, and the third-party Avira engine
are active.
Web objects are then scanned using:
Proactive methods + Virus signatures + Third-party module
functions

Avira only: Only uses Avira engine — not recommended When selected, only the Avira engine is active.
Web objects are then scanned using:
Third-party module functions

Stop virus scanning right after an engine detected a virus When selected, engines stop scanning a web object as soon
as one of them has detected an infection by a virus or other
malware.

Mobile Code Behavior
Settings for configuring a risk level in classifying mobile code.
The risk level ranges from 60 to 100.
A low value means the risk of proactively scanning the behavior of mobile code and still not detecting that it is malware is low,
because the scanning methods are applied very strictly. Mobile code is then classified as malware even if only a few criteria
of being potentially malicious have been detected.
This can lead to classifying mobile code as malware that is actually not malicious (“false positives”).
While more proactive security is achieved with a stricter setting, accuracy in determining which mobile code is really malicious
will suffer. Consequently, the appliance might block web objects that you want to get through to your users.
A high value means the risk of not detecting malicious mobile code is high (more “false negatives”), but more accuracy is achieved
in classifying mobile code correctly as malicious or not (fewer “false positives”).

Mobile Code Behavior

Option Definition

Classification threshold Sets a risk level as described above on a slider scale.
• Minimum value (maximum proactivity): 60
• Maximum value (maximum accuracy): 100

Advanced Settings
Advanced settings for all scanning submodules.

Advanced Settings

Option Definition

Enable Antivirus prescan
Increase Web Gateway performance by making a light-weight pass on:
• Common web files
• Common web files and other low-risk files
• Common web files, other low-risk files, and web content on trustworthy sites
Files matching the selected option do not continue to the standard anti-malware scanning.
When selected, performance of the submodules is improved
by reducing the load sent to them for scanning.
Note: This option is by default selected. We recommend that
you keep this setting.
When this option is selected, the three options below it are
also accessible.
You can select one of them to configure the range of file types
that light-weight malware scanning should be applied to.
The third option is selected by default.
The three options are related to each other: If the first option
is configured, the other two options are not effective. The
second option includes the first option, the third option
includes the first and the second option.
The URL Filter module is involved to verify whether the web
site that a file is downloaded from is trustworthy.
Note: Updates of virus and malware filtering information can
modify the categorization of file types as safe or rarely
exploited or hosted on trustworthy web sites.

Enable GTI file reputation queries When selected, information on the reputation of files
retrieved from the Global Threat Intelligence system is
included in the scanning result.

Enable heuristic scanning When selected, heuristic scanning methods are applied to
web objects.

Advanced Settings for McAfee Anti-Malware
Advanced settings for the McAfee Gateway Anti-Malware submodule.

Advanced Settings for McAfee Gateway Anti-Malware

Option Definition

Enable detection for potentially unwanted programs When selected, web objects are also scanned for potentially
unwanted programs.

Enable mobile code scanning When selected, mobile code is scanned in general.
Individual settings can be configured under Scan the following
mobile code types.

Enable removal of disinfectable content detected in HTML documents by mobile code filter When selected, the content described here can be removed.

Enable Payload Heuristics When selected, the McAfee Gateway Anti-Malware engine
uses the highly proficient heuristics known as Payload
Heuristics for scanning web objects.
If this option is enabled, the scanning engine adds a
watermark to the URLs of executables and similar web
objects, for example, dynamic link libraries that are contained
within web pages.
When these URLs are forwarded from the appliances to the
appropriate web servers, these watermarks need to be
removed.
An event in a rule that is contained in a library rule set
removes the watermarks by rewriting the URLs. The rule set
name is Payload Heuristic - Rewrite Watermarked URLs.
You need to import this rule set and place it at the top of the
rule set tree.
When you select the option, a message appears that tells you
about this additional requirement.

Scan the following mobile code types

When the following mobile code types are selected, they are scanned.

Windows executables Once downloaded from the web or received by email, these
executables can become a threat when launched because
they run with all the privileges of the current user.

JavaScript JavaScript code can be embedded virtually anywhere, from
web pages and PDF documents to video and HTML files.

Flash ActionScript ActionScript code can be embedded in flash videos and
animations and has access to the flash player and the
browser with all their functions.

Java applets Java applets can be embedded in web pages. Once activated,
they can run at different permission levels, based on a digital
certificate and the user’s choice.

Java applications Java applications run stand-alone with all privileges of the
current user.

ActiveX controls ActiveX controls can be embedded in web pages and office
documents. Once activated, they run with all privileges of the
current user.

Windows libraries These libraries usually come along with an executable in a
setup package or are downloaded from the web by a running
executable or by malicious code.

Visual Basic script Visual Basic script code can be embedded in web pages or in
emails.

Visual Basic for applications Visual Basic macros can be embedded in office documents
created with Word, Excel, or PowerPoint.

Block the following behavior

When the following types of behavior are selected, web objects showing this behavior are blocked.

Data theft: Backdoor Malicious applications grant an attacker full remote access
and control to a victim’s system through existing or newly
created network channels.

Data theft: Keylogger Malicious applications hook into the operating system to
record and save keyboard strokes.
The captured information, such as passwords, is sent back to
the attacking party.

Data theft: Password stealer Malicious applications gather, store, and leak sensitive
information, such as the system configuration, confidential
data, credentials, and other data for user authentication.


System compromise: Code execution exploit Exploits for vulnerabilities in client applications, such as
browsers, office programs, or multi-media players, allow an
attacker to run arbitrary code on the compromised system.

System compromise: Browser exploit Exploits for vulnerabilities in browser applications and plug-
ins allow an attacker to run arbitrary code, steal sensitive
data, or escalate privileges.

System compromise: Trojan Malicious applications pretend to be harmless or useful, but
actually perform damaging activities.

Stealth activity: Rootkit Malicious applications or device drivers manipulate the
operating system and hide the presence of malware on infected
systems.
After the compromise, files, registry keys, and network
connections belonging to the malware processes turn
invisible and can be hard to recover.

Viral Replication: Network worm Malicious applications or device drivers self-replicate using
email, the internet, peer-to-peer networking, or by copying
themselves onto removable media such as USB devices.

Viral Replication: File infector virus Self-replicating applications infect existing files on the hard-
disk, embedding viral code in order to spread through the
newly infected host file.

System compromise: Trojan downloader Malicious applications or script code download and execute
additional payload from the web.

System compromise: Trojan dropper Malicious applications carry hidden payload, extract, and
launch it upon execution.

System compromise: Trojan proxy Malicious applications relay potentially malicious hidden
network activities through the compromised system.

Web threats: Infected website Websites contain injected malicious script code or request
additional malicious code as soon as they are opened in a
browser.
The initial infection could have taken place through an SQL
injection attack against the web server.

Stealth activity: Code injection Applications copy their code into other, often legitimate
processes, which results in a hijacking of the respective
privileges and trust.
This technique is typically employed by malware that tries to
hide its presence on compromised systems and to evade
detection.

Detection evasion: Obfuscated code Applications consist of highly scrambled or encrypted code,
so malicious code portions are hard to detect.

Detection evasion: Packed code Applications have their content compressed by a run-time
packer or protector. This changes the way the content looks,
so it is harder to classify.


Potentially unwanted: Ad-/Spyware Applications show potentially annoying or unwanted
advertisements, but also track and analyze user behavior and
activities.

Potentially unwanted: Adware Applications show potentially annoying or unwanted
advertisements, but also track and analyze user behavior and
activities.

Data theft: Spyware Applications track and analyze user behavior and activities,
steal sensitive data, and leak this data to the attacker’s
servers.

Potentially unwanted: Dialer Applications provide access to content, for example,
pornography, through a more expensive network connection.

Web threats: Vulnerable ActiveX controls ActiveX controls appearing on web pages that are restricted
to other on-browser usage present potential vulnerabilities.

Potentially unwanted: Suspicious activity Potentially malicious code shows either non-standard or not
fully trusted behavior.

Web threats: Cross-site scripting Malicious scripts exploit access-control vulnerabilities in
browsers or web applications to steal user data, for example,
cookies.

Potentially unwanted: Deceptive behavior Messages mislead the user, play missing code tricks, and fake
alerts.
These threats could tell users that their systems are infected
with spyware and promote fake AV applications for cleaning.

Potentially unwanted: Redirector Redirecting code forwards users visiting a website to other,
potentially malicious locations.
This behavior is often caused by an infection of a previously
legitimate website.

Potentially unwanted: Direct kernel communication Applications directly communicate with a Windows kernel or
in kernel mode, trying, for example, to install a rootkit or to
destabilize the system.

Potentially unwanted: Privacy violation Potentially malicious code accesses sensitive or private data,
for example, by eavesdropping on clipboard content or by
reading registry keys.

Advanced Settings for Avira


Advanced settings for the Avira submodule.

Advanced Settings for Avira

Option Definition

Maximum size of archive member Limits the size (in MB) of a member in an archive that the
Avira engine scans for infections.
If an archive member exceeds this size, it is not scanned and
the archive is blocked.
The default size limit is 1024 MB.

Gateway ATD settings
The Gateway ATD settings are used for configuring the use of Advanced Threat Defense for scanning web objects that have been
passed on to it from Web Gateway.

Select Scanning Engines and Behavior


Settings for selecting a combination of scanning engines and their behavior in case one of them detects an infection

Select Scanning Engines

Option Definition

Full McAfee coverage: The recommended high-performance configuration When selected, the McAfee Gateway Anti-Malware engine is
active.
This option is selected by default.

Layered coverage: Full McAfee coverage plus specific Avira engine features — minor performance impact
When selected, the McAfee Gateway Anti-Malware engine and, for some web objects, also the third-party Avira engine are active.

Duplicate coverage: Full McAfee coverage and Avira engine — less performance and more false positives
When selected, the McAfee Gateway Anti-Malware engine and the third-party Avira engine are active.

Avira only: Only uses Avira engine — not recommended When selected, only the Avira engine is active.

McAfee Advanced Threat Defense only: Send files to an MATD appliance for deep analysis through sandboxing
When selected, only scanning by Advanced Threat Defense is active.
Note: This option is selected by default.

Stop virus scanning right after an engine detected a virus When selected, engines stop scanning a web object as soon
as one of them has detected an infection by a virus or other
malware.

MATD Setup
Common part of the settings for configuring the use of Advanced Threat Defense

MATD Setup

Option Definition

User name Specifies the user name that Web Gateway submits when
trying to connect to Advanced Threat Defense.

Password Specifies the password that Web Gateway submits when
trying to connect to Advanced Threat Defense.
Clicking Set opens a window for setting the password.

Server list Provides a list of servers that Advanced Threat Defense runs
on.

List of certificate authorities Provides a drop-down list for selecting a list of known
certificate authorities.
These certificate authorities are referred to when
communication between Web Gateway and Advanced Threat
Defense takes place in SSL-secured mode under the HTTPS
protocol.


Severity threshold to indicate a malicious file Sets a threshold for the severity grade of the malicious
features that are detected in a web object, for example, a file,
when scanned by Advanced Threat Defense.
If this threshold is reached, the object is classified as
malicious and the value of the Antimalware.Infected property is set
to true.
The threshold is set on a slider scale with values ranging from 0
to 5 (very high severity).

Reuse previous detection, McAfee Web Gateway will retrieve latest report from MATD based on the hash of the file
When selected, the severity grade that was found for a web object at its last scanning by Advanced Threat Defense is used for classifying it as malicious or not.
When this option is selected, the following option becomes
accessible.

Maximum detection age Sets the maximum time (in minutes) that a severity grade for
a web object can be used to classify the object as malicious or
not.
The allowed time range is 1 to 999999 minutes.
The default maximum time is 30 minutes.

Reuse running task if same sample is analyzed When selected, a running task is used for evaluation if it is the
same web object that is analyzed.

Send client IP to MATD server When selected, the IP address of a client that has sent a
request for downloading a web object is sent to the server on
which Advanced Threat Defense is running.
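
The following Python example is added here to show how the Severity threshold, Reuse previous detection, and Maximum detection age options fit together when a verdict is looked up by file hash. It is a constructed illustration, not code from this guide, Web Gateway, or Advanced Threat Defense; the class and function names, the choice of SHA-256 as the file hash, the sandbox callback, and the sample data are assumptions.

```python
"""Added example: reusing a previous Advanced Threat Defense verdict by file hash.

A constructed illustration (not Web Gateway or Advanced Threat Defense code) of
how the 'Severity threshold to indicate a malicious file', 'Reuse previous
detection' and 'Maximum detection age' options fit together. Class and function
names, the choice of SHA-256 as the file hash, and the sample data are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Verdict:
    severity: int        # slider scale 0 .. 5 (very high severity)
    reported_at: float   # epoch seconds when the report was produced


class VerdictCache:
    def __init__(self, threshold: int = 3, max_age_minutes: int = 30, reuse: bool = True):
        if not 0 <= threshold <= 5:
            raise ValueError("threshold must be between 0 and 5")
        if not 1 <= max_age_minutes <= 999999:
            raise ValueError("maximum detection age must be 1..999999 minutes")
        self.threshold = threshold
        self.max_age = max_age_minutes * 60
        self.reuse = reuse
        self._by_hash: Dict[str, Verdict] = {}

    @staticmethod
    def file_hash(data: bytes) -> str:
        # Assumption: the hash used to match a file with an earlier report
        return hashlib.sha256(data).hexdigest()

    def lookup(self, h: str, now: float) -> Optional[Verdict]:
        """A stored verdict is reused only if reuse is enabled and it is not older than max_age."""
        if not self.reuse:
            return None
        v = self._by_hash.get(h)
        if v is None or now - v.reported_at > self.max_age:
            return None
        return v

    def store(self, h: str, v: Verdict) -> None:
        self._by_hash[h] = v

    def infected(self, v: Verdict) -> bool:
        """Antimalware.Infected becomes true once the severity reaches the threshold."""
        return v.severity >= self.threshold


def classify(cache: VerdictCache, data: bytes, sandbox: Callable[[bytes], int], now: float) -> Tuple[bool, bool]:
    """Return (infected, reused). `sandbox` stands in for submitting the object to MATD."""
    h = cache.file_hash(data)
    v = cache.lookup(h, now)
    reused = v is not None
    if v is None:
        v = Verdict(severity=sandbox(data), reported_at=now)
        cache.store(h, v)
    return cache.infected(v), reused
```

An object seen again within the maximum detection age is classified from the stored severity without a second sandbox submission; once the age is exceeded, or when reuse is disabled, it is submitted again.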

The following table describes an entry in the server list.

Server list – List entry

Option Definition

String Specifies the name of a server that Advanced Threat Defense
runs on.

Comment Provides a plain-text comment on a server.

Network Setup
Settings for configuring the connection to the server that Advanced Threat Defense runs on

Network Setup

Option Definition

Connection timeout Sets the time (in seconds) that elapses before the connection
to a server is closed when no response is received from it.
The default time is 5 seconds.

Scan timeout Sets the time (in minutes and seconds) that Advanced Threat
Defense is allowed for scanning a web object.
If this time is exceeded, Web Gateway records it as an error.
Minutes — Time allowed in minutes
Seconds — Time allowed in seconds
The default time is 10 minutes.

Poll interval Sets the time interval (in seconds) that elapses before the
next attempt is made to retrieve information from Advanced
Threat Defense about the progress made in scanning a web
object.
The default time is 20 seconds.

Authentication settings
The Authentication settings are the settings for the Authentication module, which handles authentication of users and user groups.

Authentication Method
Settings for selecting an authentication method.

Authentication Method

Option Definition

Authentication method Provides a list for selecting an authentication method.
You can select one of the following:
• NTLM
• NTLM-Agent
• User Database
• LDAP
  Note: If you want to configure Secure LDAP, also known as LDAPS,
  you must work with LDAP version 3.
  This version can be selected under LDAP Specific Parameters. It
  is selected by default.
• RADIUS
• Kerberos
• SSL Client Certificate
• Authentication Server
• One-Time Password
• SWPS (McAfee® Client Proxy)
After selecting a method, settings that are specific to it appear
below the common settings.

Authentication Test
Settings for testing whether a user with given credentials would be authenticated.

Authentication Test

Option Definition

User Specifies the user name that is tested.

Password Specifies the tested password.

Authenticate User Executes the test.

Test result Displays the outcome of the test.

Common Authentication Parameters


Settings common to all authentication methods.

Note: There is also an advanced setting that is common to all authentication methods. It is described at the end of this main
section after the last of the subsections for the specific authentication parameters.

Common Authentication Parameters

Option Definition

Proxy Realm Specifies the location of the proxy that receives requests from
users who are asked to authenticate.

Authentication attempt timeout Limits the time (in seconds) that an authentication attempt
may take before it is terminated as unsuccessful to the specified
value.

Use authentication cache When selected, authentication information is stored in a
cache.
Authentication is then based on this stored information,
rather than on information retrieved from an authentication
server or the internal user database.

Authentication cache TTL Limits the time (in minutes) that authentication information is
stored in the cache to the specified value.

NTLM Specific Parameters


Settings for the NTLM authentication method.

NTLM Specific Parameters

Option Definition

Send domain and machine name to the client When selected, the names of the appliance and its domain
are sent to the client that a user who is to be authenticated
sent a request from.
An appliance can, however, be joined to more than one
domain, so different domain names can be used when
connecting to a client, which can lead to problems with user
authentication.
Sending a particular domain name to the client might result in
an authentication failure because a particular user name is
unknown in this domain.
Web browsers usually do not require domain name
information, but some third-party applications that Web
Gateway works with might require it.
So we recommend proceeding as follows:
• If an appliance has been joined to only one domain: Select
this option.
• If an appliance has been joined to more than one domain:
Leave this option deselected.
There are, however, applications that require this option to be
selected anyway. Otherwise they will close the connection to
Web Gateway.
This applies, for example, to some .NET based applications as
well as to some popular open-source products, such as the
Cntlm proxy.


Default NTLM domain Specifies the name of the default Windows domain used for
looking up authentication information.
This is one of the domains you have configured on the
Appliances tab of the Configuration top-level menu.

Get global groups When selected, information on global user groups is searched
for on the Windows domain server.

Get local groups When selected, information on local user groups is searched
for on the Windows domain server.

Prefix group name with domain name (domain\group) When selected, the name of the Windows domain appears
before the name of the user group when authentication
information on this group is sent from the domain server.

Enable basic authentication When selected, the basic NTLM authentication method is
applied to authenticate users.
Information that a user submits for authentication is then
sent in plain-text format (less secure) to the Windows domain
server.

Enable integrated authentication When selected, the integrated NTLM authentication method
is applied to authenticate users.
Information that a user submits for authentication is then
encrypted before it is sent to the Windows domain server.

Enable NTLM cache When selected, NTLM authentication information is stored in
this cache.
Authentication is then based on this stored information,
rather than on information retrieved from the Windows domain
server.

NTLM cache TTL Limits the time (in seconds) that authentication information is
stored in this cache to the specified value.

International text support Specifies a set of characters used by default for a request sent
from a client, for example, ISO-8859-1.

NTLM Agent Specific Parameters


Settings for the NTLM Agent authentication method.

NTLM Agent Specific Parameters

Option Definition

Use secure agent connection When selected, the connection used for communicating with
the NTLM Agent is SSL-secured.

Authentication connection timeout in seconds Limits the time (in seconds) that elapses before the
connection to the NTLM Agent is closed if no activities occur
on it to the specified value.

Agent Definition Provides a list for entering the agents that are involved in
performing NTLM authentication.


Default NTLM domain Specifies the name of the default Windows domain used for
looking up authentication information.
This is one of the domains you have configured on the
Appliances tab of the Configuration top-level menu.

Get global groups When selected, information on global user groups is searched
for on the Windows domain server.

Get local groups When selected, information on local user groups is searched
for on the Windows domain server.

Prefix group name with domain name (domain\group) When selected, the name of the Windows domain appears
before the name of the user group when authentication
information on this group is sent from the domain server.

Enable basic authentication When selected, the basic NTLM authentication method is
applied to authenticate users.
Information that a user submits for authentication is then
sent in plain-text format (less secure) to the Windows domain
server.

Enable integrated authentication When selected, the integrated NTLM authentication method
is applied to authenticate users.
Information that a user submits for authentication is then
encrypted before it is sent to the Windows domain server.

Enable NTLM cache When selected, NTLM authentication information is stored in
this cache.
Authentication is then based on this stored information,
rather than on information retrieved from the Windows domain
server.

NTLM cache TTL Limits the time (in seconds) that authentication information is
stored in this cache to the specified value.

International text support Specifies a set of characters used by default for a request sent
from a client, for example, ISO-8859-1.

User Database Specific Parameters


Settings for the User Database authentication method.

User Database Specific Parameters

Option Definition

Send domain and machine name to the client When selected, the names of the appliance and the domain it
has been assigned to are sent to the client that a user who is
to be authenticated sent a request from.

Enable basic authentication When selected, the basic NTLM authentication method is
applied to authenticate users.
Information that a user submits for authentication is then
sent in plain-text format (less secure) to the Windows domain
server.


Enable integrated authentication When selected, the integrated NTLM authentication method
is applied to authenticate users.
Information that a user submits for authentication is then
encrypted before it is sent to the Windows domain server.

Enable NTLM cache When selected, NTLM authentication information is stored in
this cache.
Authentication is then based on this stored information,
rather than on information retrieved from the Windows domain
server.

NTLM cache TTL Limits the time (in seconds) that authentication information is
stored in this cache to the specified value.

International text support Specifies a set of characters used by default for a request sent
from a client, for example, ISO-8859-1.

LDAP Specific Parameters


Settings for the LDAP authentication method.

LDAP Specific Parameters

Option Definition

LDAP server(s) to connect to Provides a list for entering the LDAP servers that
authentication information is retrieved from.

List of certificate authorities Provides a list for entering the certificate authorities that
issue certificates when a Secure LDAP (S-LDAP) connection is
used for communication with an LDAP server.

Credentials Specifies the user name of an appliance for logging on to an
LDAP server.

Password Sets the password for a user name.
The Set button opens a window for configuring a new
password.

International text support Specifies a set of characters used by default for a request sent
from a client, for example, ISO-8859-1.

Enable LDAP version 3 When selected, version 3 of the LDAP protocol is used.
Note: If you want to configure Secure LDAP authentication,
also known as LDAPS, it is this LDAP version that you must
use.
This version is by default selected.

Allow LDAP library to follow referrals When selected, the lookup of user information can be
redirected from the LDAP server to other servers.

Connection live check Limits the time (in minutes) that elapses between checks to
see whether the connection to the LDAP server is still active
to the specified value.


LDAP operation timeout Limits the time (in seconds) that elapses before the
connection to the LDAP server is closed if no communication
occurs to the specified value.

Base distinguished name to user objects Specifies the Distinguished Name (DN) in the directory on an
LDAP server where the lookup of user attributes should
begin.

Map user name to DN When selected, the name of the user who asks for
authentication must map to a DN (Distinguished Name).
This name identifies the user in the directory on the LDAP
server.

Filter expression to locate a user object Specifies a filtering term for restricting the lookup of user
attributes.
To substitute the user name in the filtering term, u% is used
as a variable.

Get user attributes When selected, user attributes are looked up on the LDAP
server to authenticate a user.

User attributes to retrieve Provides a list for entering the user attributes that should be
retrieved from an LDAP server.

Attributes concatenation string Specifies a string for separating user attributes found by a
lookup, for example, / (slash).

Get groups attributes When selected, user group attributes are also looked up on
the LDAP server to authenticate a user.

Base distinguished name to group objects Specifies the Distinguished Name (DN) in the directory on the
LDAP server where the lookup of group attributes should
begin.

Filter expression to locate a group object Specifies a filtering term for restricting the lookup of group
attributes.
To substitute the user name in the filtering term, u% is used
as a variable.

Group attributes to retrieve Provides a list for entering the group attributes that should be
retrieved from an LDAP server.
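
The u% placeholder in the two filter expressions above is replaced by the user name at lookup time, and Map user name to DN builds a DN from the same name. The following Python example is added here (it is not code from this guide or from Web Gateway) to show both substitutions with the escaping that RFC 4515 requires for filter values and RFC 4514 for DN components, so that a user name containing characters such as parentheses, asterisks, commas, or backslashes cannot change the structure of the query. The function names, the filter template, and the sample base DN are assumptions.

```python
"""Added example: substituting a user name into an LDAP filter and a DN.

A constructed illustration, not Web Gateway code. The filter expressions use
u% as a placeholder for the user name; the DN mapping builds an RDN from it.
Filter values are escaped per RFC 4515, DN components per RFC 4514. Function
names, the filter template and the sample base DN are assumptions.
"""

# RFC 4515, section 3: characters that must be written as \XX in an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514, section 2.4: characters that must be backslash-escaped in an attribute value
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # a leading '#' would start a hex-encoded value
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):   # leading and trailing spaces are significant
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template: str, user_name: str, placeholder: str = "u%") -> str:
    """Replace every occurrence of the placeholder with the escaped user name."""
    if placeholder not in template:
        raise ValueError(f"template does not contain {placeholder}")
    return template.replace(placeholder, escape_filter_value(user_name))


def build_user_dn(base_dn: str, user_name: str, rdn_attr: str = "uid") -> str:
    """Map a user name to a DN below the configured base DN."""
    return f"{rdn_attr}={escape_dn_value(user_name)},{base_dn}"
```

With a template such as (&(objectClass=person)(uid=u%)), the escaped substitution keeps the user name a single literal assertion value whatever characters it contains.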

Digest Authentication
Settings for LDAP digest authentication.

Digest Authentication

Option Definition

Enable digest authentication When selected, digest authentication is performed as the
method for authenticating users under the LDAP authentication
method.

User attribute with password hash Specifies the attribute of a user entry on the LDAP server that
stores the value for the authentication hash.


Nonce maximal use count Sets a limit to repeated uses of the nonce (number used only once)
that is transmitted in the authentication process and required
as a parameter for calculating the authentication hash.
By default, a nonce can be used at most 100 times.

Nonce maximal TTL Sets a limit to the time period (in minutes) that a nonce
remains valid.
By default, a nonce remains valid for at most 30 minutes.

Enable digest URI check When selected, a check is performed to ensure that the URL
that a client sends as a parameter for calculating the
authentication hash is the same as the URL that this client
sends in its request for accessing a particular destination in
the web.
If this check fails, the request is blocked.
As this check might also fail due to problems with the
different formats that the browsers on the clients use for
sending URLs, it is optional.
The check is enabled by default.

Allow digest authentication only When selected, digest authentication must always be
performed if a user is to be authenticated under the LDAP
authentication method.
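
The following Python example is added here to show the server-side checks that the Digest Authentication options above correspond to: a nonce store with a use-count limit and a time-to-live, the digest URI check comparing the hashed URI with the URI actually requested, and verification against a stored password hash (HA1 = MD5(user:realm:password)) with qop=auth as specified in RFC 2617. It is a constructed illustration, not code from this guide or Web Gateway; the realm, user name, secret, and the way failed attempts are counted are assumptions.

```python
"""Added example: the server-side checks behind the Digest Authentication options.

A constructed illustration (not Web Gateway code) of 'Nonce maximal use count',
'Nonce maximal TTL', 'Enable digest URI check' and 'User attribute with password
hash', using HTTP Digest with qop=auth as specified in RFC 2617. The realm,
user names and secrets used with it are made up.
"""
import hashlib
import secrets
from typing import Dict

REQUIRED = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class NonceStore:
    """Tracks issued nonces with an age limit and a use-count limit."""

    def __init__(self, max_uses: int = 100, max_ttl_minutes: int = 30):
        self.max_uses = max_uses
        self.max_ttl = max_ttl_minutes * 60
        self._issued: Dict[str, list] = {}   # nonce -> [issued_at, uses]

    def issue(self, now: float) -> str:
        nonce = secrets.token_hex(16)
        self._issued[nonce] = [now, 0]
        return nonce

    def is_valid(self, nonce: str, now: float) -> bool:
        entry = self._issued.get(nonce)
        if entry is None:
            return False
        issued_at, uses = entry
        if now - issued_at > self.max_ttl or uses >= self.max_uses:
            del self._issued[nonce]        # expired or exhausted: forget it
            return False
        return True

    def record_use(self, nonce: str) -> None:
        self._issued[nonce][1] += 1


class DigestVerifier:
    def __init__(self, realm: str, ha1_by_user: Dict[str, str], nonces: NonceStore, uri_check: bool = True):
        self.realm = realm
        self.ha1_by_user = ha1_by_user    # stands in for the LDAP attribute holding MD5(user:realm:password)
        self.nonces = nonces
        self.uri_check = uri_check

    def verify(self, p: Dict[str, str], method: str, request_target: str, now: float) -> bool:
        if any(k not in p for k in REQUIRED) or p["qop"] != "auth" or p["realm"] != self.realm:
            return False
        ha1 = self.ha1_by_user.get(p["username"])
        if ha1 is None:
            return False
        # Digest URI check: the uri the client hashed must be the one it actually requests
        if self.uri_check and p["uri"] != request_target:
            return False
        if not self.nonces.is_valid(p["nonce"], now):
            return False
        ha2 = md5hex(f"{method}:{p['uri']}")
        expected = md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        if not secrets.compare_digest(expected, p["response"]):
            return False
        self.nonces.record_use(p["nonce"])   # assumption: only successful authentications count
        return True


def client_response(username, password, realm, nonce, nc, cnonce, method, uri) -> str:
    """The response value a browser computes; used here to build test input."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
```

A request whose Authorization header hashes a different URI than the one in the request line is rejected before any nonce bookkeeping, and a nonce that has exceeded its use count or its age is dropped from the store so that later requests with it fail as unknown.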

Novell eDirectory Specific Parameters


Settings for the Novell eDirectory authentication method.

Novell eDirectory Specific Parameters

Option Definition

LDAP server(s) to connect to Provides a list for entering the eDirectory servers that take
the role of LDAP servers in providing authentication
information.

List of certificate authorities Provides a list for entering the certificate authorities that
issue certificates when a Secure LDAP (S-LDAP) connection is
used for communication with an LDAP server.

Credentials Specifies the user name of an appliance for logging on to an
LDAP server.

Password Sets a password for a user name.
The Set button opens a window for configuring a new
password.

International text support Specifies a set of characters used by default for a request sent
from a client, for example, ISO-8859-1.

Enable LDAP version 3 When selected, version 3 of the LDAP protocol is used.

Allow LDAP library to follow referrals When selected, the lookup of user information can be
redirected from an LDAP server to other servers.


Connection live check Limits the time (in minutes) that elapses between checks to
see whether the connection to an LDAP server is still active to
the specified value.

LDAP operation timeout Limits the time (in seconds) that elapses before the
connection to an LDAP server is closed if no communication
occurs to the specified value.

eDirectory network address attribute Specifies the name of the attribute that provides the network
addresses used for an eDirectory server.

eDirectory network login time attribute Specifies the name of the attribute that provides the logon
time used on an eDirectory server.

eDirectory network minimal update interval Specifies the time that elapses (in seconds) before
information from an eDirectory server is updated.

Base distinguished name to user objects Specifies the Distinguished name (DN) in the directory on an
LDAP server where the lookup of user attributes should
begin.

Map user name to DN When selected, the name of the user who asks for
authentication must map to a DN (Distinguished Name). This
name identifies the user in the directory on the LDAP server.

Filter expression to locate a user object Specifies a filtering term for restricting the lookup of user
attributes.
To substitute the user name in the filtering term, u% is used
as a variable.

Get user attributes When selected, user attributes are looked up on the LDAP
server to authenticate a user.

User attributes to retrieve Provides a list for entering the user attributes that should be
retrieved from an LDAP server.

Attributes concatenation string Specifies a string for separating user attributes found by a
lookup, for example, / (slash).

Get groups attributes When selected, user group attributes are also looked up on
the LDAP server to authenticate a user.

Base distinguished name to group objects Specifies the Distinguished name (DN) in the directory on an
LDAP server where the lookup of group attributes should
begin.

Filter expression to locate a group object Specifies a filtering term for restricting the lookup of group
attributes.
To substitute the user name in the filtering term, u% is used
as a variable.

Group attributes to retrieve Provides a list of group attributes that should be retrieved
from an LDAP server.

RADIUS Specific Parameters


Settings for the RADIUS authentication method.

RADIUS Specific Parameters

Option Definition

RADIUS server definition Provides a list for entering the RADIUS servers that
authentication information is retrieved from.

Default domain name Specifies the name of the domain that information is
retrieved from if no other domain is specified.

Shared secret Sets the password used by an appliance to get access to a
RADIUS server.

Radius connection timeout in seconds Limits the time (in seconds) that elapses before the
connection to the RADIUS server is closed if no traffic occurs
to the specified value.

International text support Specifies the set of characters used by default for a request
sent from a client, for example, ISO-8859-1.

Value of attribute with code Sets the code value for the attribute retrieved with the user
group information, according to RFC 2865.
For example, 25 is the code for the “class” attribute.

Vendor specific attribute with vendor ID Sets the Vendor ID that is required for retrieving vendor-
related data in the search for user group information.
According to RFC 2865, the vendor ID is a part of the vendor
attribute, followed by a number of subattributes. Its code
value is 26.

Vendor subattribute type Sets a code value for the type of subattributes included in a
vendor attribute, according to RFC 2865.
Since not all vendors adhere to this structure, we recommend
specifying 0 as the value here. This allows the authentication
module to retrieve all available vendor information.
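
The following Python example is added here (it is not code from this guide or from Web Gateway) to show what the three attribute options above select from a RADIUS reply: it parses the attribute list of an Access-Accept as laid out in RFC 2865, returns the Class attribute (code 25) as group information, and decodes Vendor-Specific attributes (code 26) into their vendor ID and subattributes, with subattribute type 0 meaning all subattributes of that vendor. The function names, the sample attribute bytes, and the vendor ID 12345 are constructed for the example.

```python
"""Added example: pulling group information from RADIUS attributes.

A constructed illustration (not Web Gateway code) of the 'Value of attribute
with code', 'Vendor specific attribute with vendor ID' and 'Vendor subattribute
type' options. Attribute layout follows RFC 2865; the sample bytes and the
vendor ID 12345 are made up.
"""
import struct
from typing import List, Optional, Tuple

CLASS = 25              # the "class" attribute
VENDOR_SPECIFIC = 26    # Vendor-Specific attribute


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute list into (type, value) pairs; malformed lengths are rejected."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]     # length covers type and length octets
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Decode Vendor-Id and the vendor-type/vendor-length subattributes (RFC 2865, section 5.26)."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    subs = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated subattribute")
        stype, slen = value[pos], value[pos + 1]
        if slen < 2 or pos + slen > len(value):
            raise ValueError("bad subattribute length")
        subs.append((stype, value[pos + 2:pos + slen]))
        pos += slen
    return vendor_id, subs


def group_values(attr_list: List[Tuple[int, bytes]], code: int = CLASS,
                 vendor_id: Optional[int] = None, sub_type: int = 0) -> List[bytes]:
    """Values taken as group information: the plain attribute `code` plus, when a
    vendor_id is given, the matching VSA subattributes (sub_type 0 selects all)."""
    if code == VENDOR_SPECIFIC:
        raise ValueError("use vendor_id to select Vendor-Specific data")
    out = []
    for atype, value in attr_list:
        if atype == code:
            out.append(value)
        elif atype == VENDOR_SPECIFIC and vendor_id is not None:
            vid, subs = parse_vsa(value)
            if vid == vendor_id:
                out.extend(v for t, v in subs if sub_type == 0 or t == sub_type)
    return out


def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, subs: List[Tuple[int, bytes]]) -> bytes:
    body = struct.pack("!I", vendor_id) + b"".join(build_attr(t, v) for t, v in subs)
    return build_attr(VENDOR_SPECIFIC, body)


# Constructed sample: a Class value and one VSA with two subattributes
SAMPLE = build_attr(CLASS, b"OU=staff") + build_vsa(12345, [(1, b"admins"), (2, b"vpn-users")])
```

Setting the subattribute type to 0, as recommended above, returns every subattribute the vendor sent; a non-zero type narrows the result to that one subattribute, and a vendor ID that does not match yields only the plain Class value.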

Kerberos Specific Parameters


Settings for the Kerberos authentication method.
Note: More settings for this authentication method can be configured using the Kerberos Administration system settings, which can
be accessed under the Configuration top-level menu.

Kerberos Specific Parameters

Option Definition

Extract group membership IDs from the ticket When selected, information to identify the groups that a user
is a member of is retrieved from the ticket that is used in the
process of authenticating users under the Kerberos
authentication method.
When this option is selected, the following option becomes
accessible.

Look up group names via NTLM When selected, the names of the groups that a user is a
member of are retrieved using the NTLM authentication
method.

Authentication Server Specific Parameters
Settings for the Authentication Server method.

Authentication Server Specific Parameters

Option Definition

Authentication server URL Specifies the URL of a server that is used under this method
to look up authentication information.

Require client ID When selected, the authentication server requires the ID of
the client that a user sent a request from.

Store authentication result in a cookie When selected, the information retrieved from the
authentication server is stored in a cookie.
If cookie authentication is implemented, the cookie is added
to the next request sent by the respective user, so that this
user need not authenticate again.

Allow persistent cookie for the server When selected, a cookie can be used persistently for sending
multiple requests to the authentication server.

Cookie TTL for the authentication server in seconds Limits the time (in seconds) that a cookie sent with a request
to the server is stored to the specified value.

Cookie prefix Specifies a prefix that is added on the appliance to a cookie,
for example, MWG_Auth.

One-Time Password Specific Parameters


Settings for the One-Time Password authentication method.

One-Time Password Specific Parameters

Option Definition

OTP server Specifies the IP address and port number of the OTP server
that Web Gateway connects to when authenticating a user
under the One-Time Password authentication method.

Communicate with SSL and trust certificate below When selected, communication with the OTP server is
performed using an SSL-secured connection.
When this option is selected, the information in the following
four fields is no longer grayed out and the Import button below
these fields becomes accessible.
The fields provide detailed information about the certificate
that is currently used in SSL-secured communication with the
OTP server.
• Subject — Provides general information about the certificate.
◦ Common Name (CN) — Specifies the common name
of the certificate.
By default, this name is localhost.
◦ Organization (O) — Specifies the organization of the
certificate.
By default, the organization is OTP Server.
◦ Organizational Unit (OU) — Specifies the organizational
unit of the certificate.
By default, the organizational unit is not set.
• Issuer — Provides information about the issuer of the
certificate.
◦ Common Name (CN) — Specifies the common name
of the issuer.
By default, this name is localhost.
◦ Organization (O) — Specifies the organization of the
issuer.
By default, the organization is OTP Server.
◦ Organizational Unit (OU) — Specifies the organizational
unit of the server certificate.
By default, the organizational unit is not set.
• Validity — Limits the time the certificate is valid.
◦ Not before — Shows the date and time when the
validity of the certificate begins.
◦ Not after — Shows the date and time when the
validity of the server certificate ends.
• Extensions — Provides additional information on the
certificate.
◦ Comment — Provides a plain-text comment on the
certificate.
By default, no comment is provided.
• Import — Opens a window for importing a certificate.

WS client name Specifies the user name for Web Gateway in communication
with the OTP server.

WS client password Specifies the password for Web Gateway in communication
with the OTP server.

OTP message Specifies the prefix to messages that are sent from the OTP
server to Web Gateway and the delimiters that include a
message.
By default a message looks like this:
OTP for MWG: $$<OTP message>$$

McAfee Client Proxy


Settings for the SWPS (McAfee Client Proxy) authentication method.

McAfee Client Proxy

Option Definition

Customer ID Specifies an identifier for a customer.

Shared password Sets a password for a customer.
Clicking Set opens a window that allows you to perform the
setting.

Keep domain in group name When selected, domain information contained in the name of
a user group is kept.
This option is selected by default.

Remove custom headers used for authentication When selected, headers contained in the information that is
submitted for authentication are removed.
This option is selected by default.

Export MCP credentials to XML file Lets you export the credentials that are submitted when
performing the SWPS (McAfee Client Proxy) authentication
method.

Advanced Parameters
Setting for configuring advanced authentication.
Note:
This setting is the same for all authentication methods. Its description is therefore also provided at the beginning of this
description of the authentication settings, after the description of the common settings.

Advanced Parameters

Option Definition

Always evaluate property value When selected, a new evaluation to assign a value to a
property is performed each time a rule containing this
property is processed.
If a value has been stored for a property in the cache, it is not
used.
While it is normally recommended to let cache values be used
to improve performance, there can be situations where the
new evaluation of a property is required.
In these situations, the same property is used more than once
within the authentication rules and with the same settings of
the Authentication module. A new evaluation ensures the
most current value is assigned to the property each time.

Authorized Override settings


The Authorized Override settings are used for configuring the module that handles authorized overriding.

Hours and Minutes of Maximum Session Time


Settings for configuring the maximum time length of a session with authorized overriding.

Hours and Minutes of Maximum Session Time

Option Definition

Days Sets the days of an Authorized Override session.

Hours Sets the hours of an Authorized Override session.

Minutes Sets the minutes of an Authorized Override session.

Azure Directory settings
The Azure Directory settings are the settings for the Azure Directory module, which handles the retrieval of user group lists from an
Azure Active Directory (Azure AD).
There is no default instance of the Azure Directory settings.

Application Settings
Settings for the application that is registered at a Microsoft Application Registration Portal to represent Web Gateway in
communication with an Azure AD.

Application Settings

Option Definition

Tenant ID Identifies an Azure AD.

App ID Identifies the application.

Password Provides the password that the application submits when
attempting to access the Azure AD.

Redirect URI Identifies a location that a request for accessing the Azure AD
is redirected to.

Search Parameters
Settings for the parameters used when searching for user group information in an Azure AD.

Search Parameters

Option Definition

Map user name to UPN When selected, a user name is mapped to a User Principal Name (UPN).

Filter expression to locate a user object Specifies a term that serves as a filter when searching for a
user name.
Within this term use {user} to substitute the user name, for
example:
mailnickname eq '{user}'

UPN attribute Specifies the UPN attribute that is searched for.
Default: id

Group attribute Specifies the group attribute that is searched for.
Default: memberOf

Group name Specifies the name of the group that is searched for.
Default: displayName

Use cache When selected, user group information that is searched for is
stored and retrieved from a cache.

Cache entry TTL Limits the time (in minutes) that an entry remains in the
cache.
Default: 30 minutes

Network Setup
Settings for the network setup that is configured to enable the retrieval of user group lists from an Azure AD.

Network Setup

Option Definition

Use system proxy list to connect to MS Graph API When selected, the proxies that have been configured for
Web Gateway on an appliance system and entered in a list are
used when setting up a connection for retrieving user group
information from an Azure AD.

TCP timeout Limits the time (in seconds) that a TCP connection is kept
open if no traffic occurs in the process of retrieving user
group information.
Default: 5 seconds

Search operation timeout Limits the time (in seconds) that elapses before a search
operation performed to retrieve user group information is
terminated.
Default: 10 seconds

Retry interval if token request fails Specifies the time that must elapse after a failed token
request before a new request is performed in the process of
retrieving user group information.
Default: 15 seconds

List of certificate authorities Provides a list of certificate authorities that are used for
securing the communication performed to retrieve user
group information under HTTPS.
Clicking Add or Edit opens windows for adding or editing the
list.

Revocation checking method order Allows you to choose the order in which to use the OCSP and
CRL methods for checking whether a certificate has been
revoked.
• OCSP, CRL
• CRL, OCSP

Treat OCSP response 'unknown' as revoked When selected, a certificate is considered as revoked if the
response to an OCSP query is that its revocation status is
unknown.
Default: 30 minutes

Cache settings
The Cache settings are module (engine) settings for configuring the behavior of the web cache on Web Gateway.
The following particular settings are provided for the Cache module after the initial setup.
• Cache HTTP — Default settings

Coaching settings
The Coaching settings are used for configuring the module that handles coaching.

Hours and Minutes of Session Time


Settings for configuring the length of a coaching session

Hours and Minutes of Session Time

Option Definition

Days Sets the days of a coaching session.

Hours Sets the hours of a coaching session.

Minutes Sets the minutes of a coaching session.

Cloud Storage Encryption settings


The Cloud Storage Encryption settings are used for configuring the encryption and decryption of cloud storage data.

Encryption Parameters
Settings for encrypting and decrypting cloud storage data

Encryption Parameters

Option Definition

Cipher Provides a list for selecting an algorithm to encrypt and
decrypt cloud storage data.
The following algorithms can be selected:
• AES 128
• AES 192
• AES 256

Data Loss Prevention (Classifications) settings


The Data Loss Prevention (Classifications) settings are used for configuring entries in classification lists that specify sensitive or
inappropriate content.

DLP Classifications Parameters


Settings for configuring the use of classification lists when searching for sensitive or inappropriate content

DLP Classifications Parameters

Option Definition

Tracking policy Sets the scope of the search for sensitive or inappropriate
content in the body text of requests and responses.
The search is carried out for all classifications that have been
selected. You can, however, configure it in the following ways:
• Minimum — The search stops when an instance of sensitive
or inappropriate content has been found for a particular
classification or if no instance could be found. It is then
continued for the next classification.
This goes on until all classifications have been processed.
• Maximum — The search tries to find all instances of
sensitive or inappropriate content for a particular
classification. When the search is completed for a
classification, it continues with the next.
This goes on until all classifications have been processed.

DLP Classifications Provides a list for selecting entries in classification lists from
the system lists provided under DLP Classification on the lists
tree.

The following table describes an entry in the DLP Classifications list

DLP Classifications Parameters – List entry

Option Definition

DLP Classification Provides information about detecting sensitive or
inappropriate content.

Comment Provides a plain-text comment on an entry.

Advanced Parameters
Settings for configuring advanced functions for data loss prevention

Advanced Parameters

Option Definition

Reported context width Limits the number of characters shown around a matching
term in a list to the specified value.
The matching term is the value of the
DLP.Classification.Matched.Terms property.

Context list size Limits the number of matching terms shown in a list to the
specified value.
The matching terms are the values of the
DLP.Classification.Matched.Terms property.

Data Loss Prevention (Dictionaries) settings


The Data Loss Prevention (Dictionaries) settings are used for configuring text and wildcard expressions that specify sensitive or
inappropriate content.

DLP Dictionary Parameters


Settings for configuring text and wildcard expressions specifying sensitive or inappropriate content

DLP Dictionaries Parameters

Option Definition

Tracking policy Sets the scope of the search for sensitive or inappropriate
content in the body text of requests and responses.
The search is carried out for all dictionary entries that have
been created. It can, however, be configured in the following
ways:
• Minimum — The search stops when an instance of sensitive
or inappropriate content has been found for a particular
dictionary entry or if no instance could be found. It is then
continued for the next entry.
This goes on until all entries have been processed.
• Maximum — The search tries to find all instances of
sensitive or inappropriate content for a particular dictionary

entry. When the search is completed for an entry, it
continues with the next.
This goes on until all entries have been processed.

Dictionary Provides a list for entering text strings and wildcard
expressions that are sensitive or inappropriate content or
match with it.

The following table describes an entry in the Dictionary list.

Dictionary – List entry

Option Definition

Text or wildcard expression Specifies a text string or wildcard expression that is sensitive
or inappropriate content or matches with it.

Comment Provides a plain-text comment on a text string or wildcard
expression.

Advanced Parameters
Settings for configuring advanced functions for data loss prevention

Advanced Parameters

Option Definition

Reported context width Limits the number of characters shown around a matching
term in a list to the specified value.
The matching term is the value of the
DLP.Dictionary.Matched.Terms property.

Context list size Limits the number of matching terms shown in a list to the
specified value.
The matching terms are the values of the
DLP.Classification.Matched.Terms property.
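
As an added example (not the DLP module's own code) that serves both the Classifications and the Dictionaries tables above, the following Python models how the Tracking policy, Reported context width and Context list size settings shape a matched-terms list. The dictionary entries, the request body and the wildcard rules it assumes ('*' and '?' standing for runs of, or one, non-blank character) are constructed for the example.

```python
"""Added example: a small matcher for the DLP "Tracking policy",
"Reported context width" and "Context list size" settings. All sample
data and the wildcard semantics are constructed assumptions."""
import re
from typing import Dict, List, Tuple


def expression_to_regex(expr: str) -> "re.Pattern[str]":
    """Compile a dictionary entry: plain text is matched literally, entries
    containing '*' or '?' are treated as wildcard expressions."""
    pattern = re.escape(expr)
    if "*" in expr or "?" in expr:
        pattern = pattern.replace(r"\*", r"\S*").replace(r"\?", r"\S")
    return re.compile(pattern, re.IGNORECASE)


def scan(body: str, dictionary: List[str], tracking_policy: str = "Minimum",
         context_width: int = 10, list_size: int = 5
         ) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Search `body` for every dictionary entry.

    Minimum: stop at the first instance of an entry (or at none) and move on.
    Maximum: collect every instance of an entry before moving on.
    Returns the per-entry instance count and the reported list of
    (matched term, surrounding context) pairs, truncated to `list_size`."""
    if tracking_policy not in ("Minimum", "Maximum"):
        raise ValueError("tracking_policy must be 'Minimum' or 'Maximum'")
    counts: Dict[str, int] = {}
    matched: List[Tuple[str, str]] = []
    for entry in dictionary:
        counts[entry] = 0
        for m in expression_to_regex(entry).finditer(body):
            counts[entry] += 1
            # Reported context width: characters kept on each side of the term.
            start = max(0, m.start() - context_width)
            end = min(len(body), m.end() + context_width)
            matched.append((m.group(0), body[start:end]))
            if tracking_policy == "Minimum":
                break      # one instance is enough; continue with the next entry
    # Context list size: cap the number of matching terms that are reported.
    return counts, matched[:list_size]


# Constructed request body and dictionary for the demonstration.
SAMPLE_BODY = ("Subject: confidential memo. Card 4111-1111-1111-1111 and "
               "card 5500-0000-0000-0004 are confidential.")
SAMPLE_DICTIONARY = ["confidential", "card ????-????-????-????"]

if __name__ == "__main__":
    print(scan(SAMPLE_BODY, SAMPLE_DICTIONARY, "Minimum", context_width=5))
    print(scan(SAMPLE_BODY, SAMPLE_DICTIONARY, "Maximum", context_width=5, list_size=3))
```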

Data Trickling settings


The Data Trickling settings are used for configuring the data trickling process that is applied when a user has started the
download of a web object.

Data Trickling Parameters


Settings for the portions of a web object that are forwarded in data trickling mode

Data Trickling Parameters

Option Definition

Size of first chunk Specifies the size (in bytes) of the first chunk of a web object
that is forwarded using the data trickling method.

Forwarding rate Specifies the portion of a web object that is forwarded every
five seconds.
The forwarding rate is the thousandth part of the entire
volume that is to be forwarded multiplied by the value you
configure here.

File System Logging settings


The File System Logging settings are used for configuring the rotation, deletion, and pushing of log files that are maintained by
logging rules.

File System Logging Settings


Settings for the log that stores rule-maintained log files

File System Logging Settings

Option Definition

Name of the log Specifies the name of a log.

Enable log buffering When selected, the log is buffered.
The buffer interval is 30 seconds.

Enable header writing When selected, the header below is added to all log files.

Log header Specifies a header for all log files.

Encrypt the log file When selected, log files are stored encrypted.

First password, Repeat password Sets a password for access to encrypted log files.

[Optional] Second password, Repeat password Sets a second password for access to encrypted log files.

Settings for Rotation, Deletion, and Pushing


Settings for log file management
The settings for rotating, deleting, and pushing rule-maintained log files include the same options and are configured in the same
way as the corresponding settings for module-maintained log files, which are configured as part of the Log File Manager settings.

Hardware Security Module settings


The Hardware Security Module settings are used to configure the handling of private keys on a Hardware Security Module.

HSM Server
Settings for implementing an HSM solution on the Web Gateway appliance that you are currently configuring

HSM Server

Option Definition

Start local HSM server When selected, an HSM solution for storing and loading keys
is implemented on this appliance.
Other Web Gateway appliances in your network can connect
to this appliance as clients.
The appliance then takes the role of a server towards these
clients.

Crypto module Provides a list for selecting an HSM solution.
• Thales nShield Solo/Connect — These solutions let the functions
of a Hardware Security Module be provided on a module
card (nShield Solo), which is installed on a Web Gateway
appliance, or on an additional appliance (nShield Connect).
Note: The module card and the appliance are provided by
an Intel partner (Thales).
• SafeNet Network HSM (formerly LUNA SA) — This solution lets the
functions of a Hardware Security Module be provided on a
remote server.
Note: The remote server is provided by an Intel partner
(Gemalto).
• OpenSSL — This solution is an emulation that runs on the
appliance and uses OpenSSL to provide the functions of a
Hardware Security Module.

Keys to be loaded Provides a list of IDs for the private keys that are stored on a
Hardware Security Module and can be loaded from there.
For every key that you want to use, you must add the key ID in
string format to this list.
Note: The key IDs are configured when private keys are
generated on the Hardware Security Module.

Allow local connections When selected, connections are allowed for using the
functions of a Hardware Security Module on the appliance
that you are currently configuring.

Allow remote connections When selected, connections are allowed for letting other
appliances that are configured as clients of this appliance use
the functions of a Hardware Security Module.

HSM server port definition list Provides a list of the ports on the appliance that takes the role
of a server towards other appliances.

Permitted clients Provides a list of other appliances in your network that run as
clients of this appliance.

These tables describe the entries in the key list and the lists of HSM server ports and permitted clients.

Keys to be loaded – List entry

Option Definition

String Specifies the key ID for a private key that is stored on the
Hardware Security Module.

Comment Provides a plain-text comment on a key.

HSM server port definition list – List entry

Option Definition

Listener address Specifies the IP address and port number of a port on the
appliance that takes the role of a server towards other
appliances.

Comment Provides a plain-text comment on a port.

Permitted clients – List entry

Option Definition

Host Specifies the host name or IP address of an appliance that is
permitted to run as client of this appliance.

Certificate Provides a certificate that a client submits when connecting to
the server.

Comment Provides a plain-text comment on a permitted client.

Server Identification
Settings for the certificate that an appliance submits when taking the role of a server towards other appliances that run as its
clients
Note:
A certificate issued by the McAfee root CA is provided by default after the initial setup of a Web Gateway appliance.
We recommend that you replace this certificate by a certificate of your own.

Server Identification

Option Definition

Subject, Issuer, Validity, Extensions, Private key These fields provide information on the server certificate that
is currently in use.

Server certificate Provides buttons for performing various activities that are
related to a server certificate:
• Generating a certificate
• Importing a certificate
• Exporting a certificate
• Exporting a certificate key

HSM Client
Settings for configuring an appliance as client of an appliance that has an HSM solution implemented

HSM Client

Option Definition

Use remote HSM server When selected, this appliance runs as a client of another
appliance that has an HSM solution implemented.

Remote server Provides a list of appliances in your network that have an
HSM solution implemented and that this appliance can
connect to.

This table describes an entry in the list of remote servers.

Remote server – List entry

Option Definition

Host Specifies the host name or IP address of an appliance in your
network that takes the role of a server towards this appliance.

Certificate Specifies the certificate that an appliance submits when
connecting to a client.

Comment Provides a plain-text comment on a remote server.

Client Identification
Settings for the certificate that this appliance submits when connecting as a client to an HSM server
Note:
A certificate issued by the McAfee root CA is provided by default for this client after the initial setup of a Web Gateway appliance.
We recommend that you replace this certificate by a certificate of your own.

Client Identification

Option Definition

Subject, Issuer, Validity, Extensions, Private key These fields provide information on the client certificate that
is currently in use.

Client certificate Provides buttons for performing various activities that are
related to a client certificate:
• Generating a certificate
• Importing a certificate
• Exporting a certificate
• Exporting a certificate key

Troubleshooting
Settings for troubleshooting the use of a Hardware Security Module

Troubleshooting

Option Definition

Write connection traces When selected, traffic on the connections set up for using the
functions of a Hardware Security Module are traced.

ICAP Client settings


The ICAP Client settings are the settings for the ICAP Client module, which handles communication between an ICAP client on a Web
Gateway appliance and ICAP servers.

Instances of the ICAP Client settings


There are no instances of the ICAP Client settings available by default.
After importing suitable rule sets, instances are available as follows.
• ReqMod — Available after importing the Data Loss Prevention (DLP) with ICAP rule set
• ReqMod for Cloud — Available after importing the Data Loss Prevention (DLP) with ICAP for Cloud rule set

ICAP Service
Settings for ICAP servers that the ICAP client on an appliance sends requests to.

ICAP Service

Option Definition

List of ICAP Servers Provides a list for selecting a list of servers that are used in
ICAP communication.
Requests coming in from ICAP clients are distributed to the
servers on the selected list in round-robin mode.

Add Opens the Add List window to let you add a list of ICAP servers.

Edit Opens the Edit List window to let you edit a list of ICAP servers.

Select deployment type for these settings Allows you to select the type of deployment for the Web
Gateway appliance that you want to run an ICAP client on.
You can select one of the following deployment types:
• On premise — Web Gateway is deployed on premise.
• Cloud only — Web Gateway is deployed in the cloud.
• Hybrid — Web Gateway is deployed as a hybrid solution,
which combines on-premise and cloud use.

Exclude below user-defined ICAP request header(s) Drops authentication headers that are included by default
when an ICAP client sends a request to an ICAP server.
Configuring this option is useful because some ICAP servers
don't accept lengthy authentication headers in a request and
respond with an error message.
Note: This option can be configured for on-premise and
cloud use.
You can drop either or both of these headers:
• X-Authenticated-User — When selected, requests to an ICAP
server are forwarded without this header.
• X-Authenticated-Groups — When selected, requests to an ICAP
server are forwarded without this header.

The following table describes an entry for an ICAP server in the list.

List of ICAP servers — List entry

Option Definition

URI Specifies the URI for an ICAP server using the following
format:
icap[s]://<IP address>|<fully qualified domain name>[:<port>][/<ICAP method>]
The list contains the following entry for an ICAP server by
default:
icap://0.0.0.0:1344

Respect max concurrent connections limit When selected, the ICAP client on the appliance does not
open more connections at the same time for sending
requests than the ICAP server can handle.

Comment Provides a plain-text comment on an ICAP server.
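
As an added example (not the ICAP Client module's own code), the following Python parses a server URI in the list-entry format above, applies port 1344 from the default entry when none is given, and builds a simplified RFC 3507 REQMOD header with the X-Authenticated-User and X-Authenticated-Groups exclusion from the ICAP Service table applied. Host names, user names and group names are constructed; the header layout omits preview and body handling.

```python
"""Added example: parse ICAP server URIs of the form
icap[s]://<IP address>|<FQDN>[:<port>][/<ICAP method>] and build REQMOD
headers. Assumes port 1344 when none is given; sample values are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344      # port of the default entry icap://0.0.0.0:1344
# The two headers the "Exclude below user-defined ICAP request header(s)" option can drop.
AUTH_HEADERS = ("X-Authenticated-User", "X-Authenticated-Groups")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label


@dataclass(frozen=True)
class IcapServer:
    secure: bool             # True for icaps://
    host: str
    port: int
    service: Optional[str]   # the <ICAP method> path segment, e.g. "reqmod"


def _valid_host(host: str) -> bool:
    """Accept an IP address or a DNS name made of valid labels."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return all(_LABEL.match(label) for label in host.split("."))


def parse_icap_uri(uri: str) -> IcapServer:
    """Validate an ICAP server URI and apply the default port."""
    parts = urlsplit(uri)
    if parts.scheme not in ("icap", "icaps"):
        raise ValueError(f"scheme must be icap or icaps: {uri!r}")
    host = parts.hostname
    if not host or not _valid_host(host):
        raise ValueError(f"host must be an IP address or fully qualified domain name: {uri!r}")
    port = parts.port      # raises ValueError for a non-numeric or out-of-range port
    if port is None:
        port = DEFAULT_ICAP_PORT
    service = parts.path.strip("/") or None
    return IcapServer(parts.scheme == "icaps", host, port, service)


def build_reqmod_headers(server: IcapServer, req_hdr_len: int,
                         user: Optional[str] = None, groups: Optional[str] = None,
                         exclude: Iterable[str] = ()) -> str:
    """Return the ICAP REQMOD request headers for `server` (RFC 3507, simplified).
    `exclude` names which of AUTH_HEADERS to leave out, mirroring the option
    that drops them for servers that reject long authentication headers."""
    excluded = set(exclude)
    unknown = excluded - set(AUTH_HEADERS)
    if unknown:
        raise ValueError(f"not an excludable header: {sorted(unknown)}")
    scheme = "icaps" if server.secure else "icap"
    path = f"/{server.service}" if server.service else ""
    lines = [f"REQMOD {scheme}://{server.host}:{server.port}{path} ICAP/1.0",
             f"Host: {server.host}"]
    if user is not None and "X-Authenticated-User" not in excluded:
        lines.append(f"X-Authenticated-User: {user}")
    if groups is not None and "X-Authenticated-Groups" not in excluded:
        lines.append(f"X-Authenticated-Groups: {groups}")
    # Encapsulated tells the server where the wrapped HTTP request header ends.
    lines.append(f"Encapsulated: req-hdr=0, null-body={req_hdr_len}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    server = parse_icap_uri("icaps://dlp.example.com/reqmod")   # constructed host
    print(build_reqmod_headers(server, 120, user="alice", groups="finance",
                               exclude=("X-Authenticated-Groups",)))
```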

Secure ICAP (ICAPS) Certificate Verification


Settings for configuring certificate verification in Secure ICAP communication.

Secure ICAP (ICAPS) Certificate Verification

Option Definition

Enable server certificate verification When selected, certificate verification is performed in Secure
ICAP (ICAPS) communication.
Note: This option can be configured for on-premise and
cloud use.
This allows you to implement certificate verification, for
example, in the communication between an ICAP client
running in the cloud and a DLP server that runs on-premise
on a Web Gateway appliance taking the role of an ICAP server.
To perform this verification, the ICAP client checks whether
the certificate sent by the DLP server (ICAP server) is included
in a list of trusted server certificates.

Server certificate list Provides a list of trusted server certificates for performing
verification in Secure ICAP communication.
There is no list available by default.

Add Opens the Add List window where you can add a list of server
certificates.
Note: The ICAP client does not accept any server certificate
whose key is shorter than 2048 bits.

Edit Opens the Edit List window where you can edit a list of server
certificates.

Next Hop Proxy settings


The Next Hop Proxy settings are used for configuring next-hop proxies to forward requests that have been received on the
appliance to the web.

Next Hop Proxy Server


Settings for next-hop proxies

Next Hop Proxy Server

Option Definition

List of next-hop proxy servers Provides a list for selecting a next-hop proxy server list.

Round robin When selected, the Next Hop Proxy module uses the next-hop
proxy following the one in the list that has been used last.
When the end of the list has been reached, the first next-hop
proxy in the list is again selected.

Fail over When selected, the Next Hop Proxy module tries the first
next-hop proxy in the list first.
If the first next-hop proxy fails to respond, it is retried until
the configured retry maximum has been reached. Then the
second next-hop proxy in the list is tried, and so on, until a
server responds or all are found to be unavailable.

Sticky When selected, the Next Hop Proxy module uses the same
next-hop proxy over a time period that you can also
configure.

Minimum time for stickiness Sets the period of time (in seconds) that the same next-hop
proxy is used for forwarding a request.
The default time period is 300 seconds.

Proxy style requests When selected, requests in proxy style are forwarded to the
requested web servers using next-hop proxies.
This option is selected by default.
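
As an added example (not the Next Hop Proxy module's own code), the following Python implements the three selection modes from the table above. It assumes that in fail-over mode a proxy is tried once and then retried the configured maximum number of times before the next one is tried, and that after the stickiness period the next proxy is picked round robin; proxy names and outages are constructed.

```python
"""Added example: round robin, fail over and sticky selection of a next-hop
proxy. Retry and post-stickiness behaviour are assumptions; data is constructed."""
import time
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class NextHopSelector:
    MODES = ("round_robin", "fail_over", "sticky")

    def __init__(self, proxies: Sequence[str], mode: str = "round_robin",
                 retry_max: int = 3, stickiness: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if not proxies:
            raise ValueError("the next-hop proxy list is empty")
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.proxies = list(proxies)
        self.mode = mode
        self.retry_max = retry_max          # retries before moving down the list
        self.stickiness = stickiness        # "Minimum time for stickiness", default 300 s
        self.clock = clock
        self._last_index = -1               # round robin: index of the proxy used last
        self._sticky: Optional[Tuple[str, float]] = None   # sticky: (proxy, time chosen)

    def select(self, is_alive: Callable[[str], bool]) -> Optional[str]:
        """Return the proxy to forward the next request to, or None when all
        proxies were found unavailable (fail-over mode only)."""
        if self.mode == "round_robin":
            return self._round_robin()
        if self.mode == "fail_over":
            return self._fail_over(is_alive)
        return self._sticky_select()

    def _round_robin(self) -> str:
        # Use the proxy following the one used last; wrap to the first at the end.
        self._last_index = (self._last_index + 1) % len(self.proxies)
        return self.proxies[self._last_index]

    def _fail_over(self, is_alive: Callable[[str], bool]) -> Optional[str]:
        # Try the first proxy, retry it up to retry_max times, then the second, ...
        for proxy in self.proxies:
            for _ in range(1 + self.retry_max):
                if is_alive(proxy):
                    return proxy
        return None

    def _sticky_select(self) -> str:
        now = self.clock()
        if self._sticky is not None:
            proxy, chosen_at = self._sticky
            if now - chosen_at < self.stickiness:
                return proxy            # minimum time for stickiness not yet over
        proxy = self._round_robin()     # assumption: advance round robin after expiry
        self._sticky = (proxy, now)
        return proxy


def simulate_fail_over(proxies: List[str], down: Sequence[str],
                       retry_max: int = 3) -> Tuple[Optional[str], Dict[str, int]]:
    """Run one fail-over selection against a constructed outage set and return
    (chosen proxy, number of attempts made per proxy)."""
    attempts = {p: 0 for p in proxies}

    def is_alive(p: str) -> bool:
        attempts[p] += 1
        return p not in down

    return NextHopSelector(proxies, "fail_over", retry_max=retry_max).select(is_alive), attempts


if __name__ == "__main__":
    print(simulate_fail_over(["p1", "p2", "p3"], down=["p1"]))   # ('p2', {'p1': 4, 'p2': 1, 'p3': 0})
```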

Progress Page settings


The Progress Page settings are used for configuring the progress page that is shown to users when they are downloading web
objects.

Progress Page Parameters


Settings for the progress page

Progress Page Parameters

Option Definition

Templates Provides settings for the templates that are used by the
progress page.

Timeouts Provides settings for timeouts that are related to the progress
page.

Templates
Settings for the templates used by the progress page

Templates

Option Definition

Language Provides settings for selecting the language of the progress
page.
• Auto (Browser) — When selected, the message is in the
language of the browser that the blocked request was sent
from.
• Force to — When selected, the message is in the language
chosen from the list that is provided here.
• Value of ‘Message.Language’ property — When selected, the
message is in the language that is the value of the
Message.Language property
This property can be used for creating a rule.

Collection Provides a list for selecting a template collection.
• Add — Opens the Add Template Collection window for
adding a template collection.
• Edit — Opens the Template Editor for editing a template
collection.

Template name for progress bar page Provides a list for selecting a template.
• Add — Opens the Add Template window for adding a
template.
• Edit — Opens the Template Editor for editing a template.

Template name for download finished page Provides a list for selecting a template.
• Add — Opens the Add Template window for adding a
template.
• Edit — Opens the Template Editor for editing a template.

Template name for download canceled page Provides a list for selecting a template.
• Add — Opens the Add Template window for adding a
template.
• Edit — Opens the Template Editor for editing a template.

Timeouts
Settings for the timeouts that are related to the progress page

Timeouts

Option Definition

Delay for redirects to progress page Limits the time (in seconds) that elapses before the progress
page appears to the specified value.

File availability time before download Limits the time (in minutes) that elapses before a file is no
longer available to a user before the download to the
specified value.

File availability time after download Limits the time (in minutes) that elapses before a file is no
longer available to a user after the download to the specified
value.

SSL Client Context with CA settings


The SSL Client Context with CA settings are used to configure the sending of certificates with information about the certificate
authority to the clients of a Web Gateway appliance.

Define SSL Client Context (Certificate Authority)


Settings for sending a certificate to the clients with information about the certificate authority

Define SSL Client Context (Certificate Authority)

Option Definition

(Current certificate and default root certificate authority) Under Subject, Issuer, and other field names, information
is provided about the certificate that is currently sent to the clients
of an appliance in SSL-secured communication.
Information is also provided about the root certificate
authority (root CA) that signed this certificate.
After the initial setup, the certificate is signed by the default
root certificate authority. This certificate authority is McAfee.
The certificate is therefore called a self-signed certificate, as
McAfee signed a certificate for one of their own products.

Self-signed certificates are not trusted by all partners in SSL-
secured communication.
For further administration of the SSL functions on Web
Gateway, we recommend that you create your own root
certificate authority.
Use the Generate New option to create this certificate authority.

Certificate Authority Provides several options for performing activities that are
related to a certificate authority.
• Generate New — Opens a window for generating a new
certificate authority.
• Import — Opens a window for importing a certificate
authority.
The window provides an option for importing a file with
information about a certificate authority and the certificate
that was signed by it.
Additionally, you can include a file with information about
the chain of certificate authorities that were involved in the
validation process.
Note:
The file with information about the certificate chain can be a
file that you created and stored in the file system before.
In this case, the file will contain information about the
following:
◦ The certificate that an appliance sends as server
to its clients
◦ The intermediate certificate authorities, one of
which signed the certificate, while the others each
validated another certificate authority
◦ The root certificate authority, which is the first
instance that validated another certificate
authority
When importing a certificate chain file, you must make sure
that it only contains information about the intermediate
certificate authorities.
All other information must be removed from the file.
Otherwise the import will fail.
• Export — Lets you browse to a location within your file
system that you can export a certificate authority file to.
• Export key — Lets you browse to a location within your file
system that you can export the key file for a certificate
authority to.

Send certificate chain When selected, the appliance sends information on the chain
of certificates and certificate authorities that were involved in
the process of validating a certificate with this certificate to its
clients.
To retrieve this information, you must include the certificate
chain when using the option for importing a certificate
authority.
The appliance sends the certificate that is configured here as
a server to its clients. The certificate is therefore also referred
to as the server certificate.

The server certificate is considered to exist on level 0. When a
certificate authority signs this certificate to validate it, it is
done on level 1.
When an additional certificate authority validates the first
certificate authority, it is done on level 2. With each additional
certificate authority that is involved, the level increases by
one.

Certificate chain Provides information on a certificate chain.


After importing a certificate authority file with information
about the certificate chain, the information appears in this
field.

Use custom domain key When selected, a key is sent with the certificate that you have
configured on your own.
This key is used for sending certificates throughout the
domain of a Web Gateway appliance.

Custom domain key Provides the following options for handling a custom domain
key.
• Import Key — Lets you browse to a location within your file
system that you can import a custom domain key file from.
• Export Key — Lets you browse to a location within your file
system that you can export a custom domain key file to.

Digest Provides a list for selecting a digest mode.

RSA server key size Limits the size of the key file for a certificate.

Certificates that are signed by the CA are valid for Limits the time (in days) that a certificate signed by the
certificate authority configured here is valid.

Client cipher list Specifies a string of OpenSSL cipher-list symbols used for decrypting
client data.

Include OCSP responder URL When selected, a URL for sending responses to OCSP queries
is included in the Authority Information Access (AIA) field of
the certificate to enable the retrieval of information about
revoked certificates.

Include CRL distribution point When selected, a URL for accessing CRL lists is provided on
the certificate to enable the retrieval of information about
revoked certificates.

SSL session cache TTL Limits the time (in seconds) that SSL session parameters are
stored in the cache.

Perform insecure renegotiations When selected, Web Gateway renegotiates the parameters for
the SSL-secured communication even if this is insecure to do.

Send empty plain-text fragment When selected, an empty plain-text fragment is sent with the
certificate to the clients.

Allow legacy signatures in the handshake When selected, legacy signatures are allowed in the initial
handshake.


SSL protocol version Selects the version of the protocol that the SSL scanning
module follows when dealing with handshakes.
• TLS 1.2 — When selected, TLS (Transport Layer Security)
version 1.2 is used.
• TLS 1.1 — When selected, TLS (Transport Layer Security)
version 1.1 is used.
• TLS 1.0 — When selected, TLS (Transport Layer Security)
version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.
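The protocol version, client cipher list and insecure-renegotiation options above decide what the appliance will negotiate with its clients. The following Python is an added example (not code from the guide or from McAfee) that audits such a profile the way a reviewer of the configuration would and builds an OpenSSL server-side context only from a profile that passes; the profile dictionaries, the weak-token list and the function names are this example's own assumptions, and the two profiles are constructed:

```python
import ssl

# Profile keys mirror the option names in the table above; the dict layout and
# the function names are this example's own, not Web Gateway settings.
WEAK_CIPHER_TOKENS = {"ALL", "COMPLEMENTOFALL", "RC4", "DES", "3DES", "MD5",
                      "EXPORT", "EXP", "NULL", "eNULL", "aNULL", "LOW"}

# Constructed profiles: the first reflects the permissive choices the table
# allows (SSL 3.0 and TLS 1.0 selected, a catch-all cipher string, insecure
# renegotiation on), the second the choices a defender would make.
PERMISSIVE_PROFILE = {
    "ssl_protocol_version": {"TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"},
    "client_cipher_list": "ALL:!aNULL:RC4-SHA",
    "perform_insecure_renegotiations": True,
}
HARDENED_PROFILE = {
    "ssl_protocol_version": {"TLS 1.2"},
    "client_cipher_list": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5",
    "perform_insecure_renegotiations": False,
}


def audit_profile(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    for version in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        if version in profile["ssl_protocol_version"]:
            findings.append(f"{version} enabled in SSL protocol version")
    for token in profile["client_cipher_list"].split(":"):
        if token.startswith(("!", "-")):
            continue  # an exclusion such as !aNULL removes suites, it enables nothing
        base = token.lstrip("+")
        if base in WEAK_CIPHER_TOKENS or any(part in WEAK_CIPHER_TOKENS for part in base.split("-")):
            findings.append(f"weak cipher token in client cipher list: {token}")
    if profile["perform_insecure_renegotiations"]:
        findings.append("Perform insecure renegotiations is enabled")
    return findings


def build_client_facing_context(profile):
    """Build the server-side OpenSSL context the appliance would present to
    clients, but only from a profile with no audit findings."""
    findings = audit_profile(profile)
    if findings:
        raise ValueError("refusing to build context: " + "; ".join(findings))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # nothing below TLS 1.2
    ctx.set_ciphers(profile["client_cipher_list"])    # same OpenSSL syntax as the UI field
    # OP_NO_RENEGOTIATION exists with OpenSSL 1.1.0h and later; older builds lack it.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def minimum_version_name(ctx):
    return ctx.minimum_version.name


def negotiable_ciphers(ctx):
    """Names of the suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for finding in audit_profile(PERMISSIVE_PROFILE):
        print("FINDING:", finding)
    ctx = build_client_facing_context(HARDENED_PROFILE)
    print(minimum_version_name(ctx), negotiable_ciphers(ctx))
```

The audit deliberately runs before the context is built: a cipher string such as `ALL:!aNULL` still matches RC4 and 3DES suites, so checking the profile text catches what a later packet capture would otherwise have to reveal. The session cache TTL is not modelled, because Python's `ssl` module does not expose the OpenSSL session timeout.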

SSL Client Context without CA settings


The SSL Client Context without CA settings are used to configure the sending of certificates with no information about the certificate
authority to the clients of a Web Gateway appliance.

Define SSL Client Context (Without Certificate Authority)


Settings for sending a certificate to the clients with no information about the certificate authority

Define SSL Client Context (Without Certificate Authority)

Option Definition

Select server certificate by host or IP Provides a list of certificates that are sent to the clients and
the host systems that they have been retrieved from. A host
system is identified by a host name or an IP address.
The certificates are sent from an appliance in its role as a
server to the clients. The certificates are therefore referred to
as server certificates.

Select server certificate by host or IP — List entry

Option Definition

Host Specifies the host name or IP address of the host system that
a certificate is retrieved from.

Server Certificate Provides information on the certificate that is currently sent
from an appliance in its role as a server to its clients.
When adding an entry for a new certificate to the list, you can
generate or import the certificate. Options for performing
these activities are provided in the window for adding a list
entry under Server Certificate.
• Generate — Opens a window for generating a new certificate.
• Import — Opens a window for importing a certificate.
The window provides an option for importing a file with
information about a certificate.
Additionally, you can include a file with information about
the chain of certificate authorities that were involved in the
validation process.
Note:
The file with information about the certificate chain can be a
file that you created and stored in the file system before.
In this case, the file will contain information about the
following:

◦ The certificate that an appliance sends as server
to its clients
◦ The intermediate certificate authorities, one of
which signed the certificate, while the others each
validated another certificate authority
◦ The root certificate authority, which is the first
instance that validated another certificate
authority
When importing a certificate chain file, you must make sure
that it only contains information about the intermediate
certificate authorities.
All other information must be removed from the file.
Otherwise the import will fail.
• Export — Lets you browse to a location within your file
system that you can export a certificate authority file to.
• Export key — Lets you browse to a location within your file
system that you can export the key file for a certificate
authority to.

HSM Provides information on a Hardware Security Module that is
used to protect the certificate information.

Certificate chain Provides information on the chain of certificates and
certificate authorities that were involved in the validation of
the certificate that is sent to the clients.

Comment Provides a plain-text comment on a certificate.
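Both the Certificate Authority entry above and the Server Certificate entry in this table require that an imported chain file contain only the intermediate certificate authorities, with the level-0 server certificate and the root removed, and an exported bundle may also carry a private key that must never be imported as part of a chain. The following Python is an added example (not code from the guide or from McAfee) that cleans such a file before import: it keeps only CERTIFICATE blocks, drops anything whose SHA-256 fingerprint matches the server certificate or the root CA, drops private keys and free text, and numbers the remaining chain the way the guide describes levels. The PEM payloads in the sample are constructed placeholder bytes, not real DER, because the function only hashes the DER and never parses it; the function and variable names are this example's own.

```python
import base64
import hashlib
import re

# Matches one PEM block; the label backreference keeps BEGIN/END lines paired.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Yield (label, der_bytes, pem_block_text) for every PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()))
        yield m.group("label"), der, m.group(0)


def fingerprint(der):
    """SHA-256 over the DER bytes, upper-case hex, as certificate UIs show it."""
    return hashlib.sha256(der).hexdigest().upper()


def private_key_present(text):
    """True if any PEM block in the text is a private key of any kind."""
    return any(label.endswith("PRIVATE KEY") for label, _, _ in pem_blocks(text))


def sanitize_chain_file(text, server_fp, root_fp):
    """Keep only intermediate CA certificates for a chain-file import.

    server_fp and root_fp are the SHA-256 fingerprints of the server
    certificate (level 0) and of the root CA, neither of which belongs in
    the chain file. Returns (cleaned_pem, report); report["levels"] numbers
    the chain as the guide does: 0 = server certificate, one level per CA.
    """
    kept, dropped = [], []
    for label, der, block in pem_blocks(text):
        if label != "CERTIFICATE":
            # Anything that is not a certificate, notably a private key that
            # was exported alongside, must not travel with the chain file.
            dropped.append(label)
            continue
        fp = fingerprint(der)
        if fp == server_fp:
            dropped.append("server certificate (level 0)")
        elif fp == root_fp:
            dropped.append("root certificate authority")
        else:
            kept.append((fp, block))
    levels = {0: "server certificate"}
    for level, (fp, _) in enumerate(kept, start=1):
        levels[level] = f"intermediate CA {fp[:16]}..."
    levels[len(kept) + 1] = "root certificate authority"
    cleaned = "".join(block + "\n" for _, block in kept)
    return cleaned, {"dropped": dropped, "intermediates": len(kept), "levels": levels}


# Constructed sample export: placeholder payloads stand in for DER data.
def _pem(label, payload):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


SERVER_DER = b"constructed: server certificate"
INT1_DER = b"constructed: intermediate CA 1"
INT2_DER = b"constructed: intermediate CA 2"
ROOT_DER = b"constructed: root CA"
SAMPLE_EXPORT = (
    "# bundle exported from a lab appliance (constructed)\n"
    + _pem("CERTIFICATE", SERVER_DER)
    + _pem("CERTIFICATE", INT1_DER)
    + _pem("CERTIFICATE", INT2_DER)
    + _pem("CERTIFICATE", ROOT_DER)
    + _pem("RSA PRIVATE KEY", b"constructed: key material that must not ship")
)

if __name__ == "__main__":
    cleaned, report = sanitize_chain_file(
        SAMPLE_EXPORT, fingerprint(SERVER_DER), fingerprint(ROOT_DER))
    print(report)
    print(cleaned)
```

Run it on a real export by replacing `SAMPLE_EXPORT` with the file contents and passing the fingerprints shown in the UI for the current server certificate and the root CA; `private_key_present` is worth running on any file before it leaves the appliance, since a chain file is often handed to other teams.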

Define SSL Client Context (Without Certificate Authority) — Continued

Option Definition

SSL Scanner functionality applies only to client connection When selected, traffic is only processed using the SSL
scanning functions on the connection from an appliance to its
clients.

Client cipher list Specifies a string of OpenSSL cipher-list symbols used for decrypting
client data.

SSL session cache TTL Limits the time (in seconds) that SSL session parameters are
stored in the cache.

Perform insecure renegotiations When selected, Web Gateway renegotiates the parameters for
the SSL-secured communication even if this is insecure to do.

Send empty plain-text fragment When selected, an empty plain-text fragment is sent with the
certificate to the clients.

SSL protocol version Selects the version of the protocol that the SSL Scanner
module follows when dealing with handshakes.
• TLS 1.2 — When selected, TLS (Transport Layer Security)
version 1.2 is used.
• TLS 1.1 — When selected, TLS (Transport Layer Security)
version 1.1 is used.
• TLS 1.0 — When selected, TLS (Transport Layer Security)
version 1.0 is used.

• SSL 3.0 — When selected, SSL version 3.0 is used.

SSL Scanner settings


The SSL Scanner settings are used for configuring the way certificates are verified and content inspection is enabled for SSL-
secured web traffic.

Enable SSL Scanner


Settings for configuring certificate verification or the enabling of content inspection

Enable SSL Scanner

Option Definition

SSL scanner function Selects the function that is performed by the SSL Scanner
module.
• Certificate verification — When selected, the module verifies
certificates submitted in SSL-secured communication.
• SSL inspection — When selected, the module inspects the
content of web objects transmitted in SSL-secured
communication.
• Identify and bypass Skype for Business traffic — When selected, web
traffic going on over the Skype for Business communication
tool is exempted from any SSL scanning.

SSL protocol version Selects the version of the protocol that the SSL Scanner
module follows when dealing with handshakes.
• TLS 1.0 — When selected, TLS (Transport Layer Security)
version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.

Server cipher list Specifies a string of OpenSSL cipher-list symbols used for decrypting
server data.
The SSL Scanner module uses different strings for default
certificate verification and for verifying certificates from
servers that do not support the EDH (Ephemeral Diffie-
Hellman) method.

SSL session cache TTL Limits the time (in seconds) for keeping the parameter values
of a session in SSL-secured communication stored in the
cache to the specified value.

Allow handshake and renegotiation with servers that do not implement RFC 5746 When selected, the SSL Scanner module performs these
activities also in communication with web servers that fail to
comply with the specified standard.

Allow Alternative Handshakes


Settings for handshakes in SSL-secured communication that use alternative parameter values

Allow Alternative Handshakes

Option Definition

Use alternative handshake settings after handshake failure When selected, the SSL Scanner module uses alternative
parameter values after the first attempt to perform a
handshake in SSL-secured communication has failed.

SSL protocol version Selects the version of the protocol the SSL Scanner module
follows when it performs an alternative handshake.
• TLS 1.0 — When selected, TLS (Transport Layer Security)
version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.

Server cipher list Specifies a string of OpenSSL cipher-list symbols used for decrypting
server data.
The SSL Scanner module uses different strings for default
certificate verification and for verifying certificates from
servers that do not support the EDH (Ephemeral Diffie-
Hellman) method.

TIE Filter settings


The TIE Filter settings are used for configuring the TIE Filter module, which is involved in the process of exchanging information
between Web Gateway and a TIE server.

Stream Detector settings


The Stream Detector settings are used to configure the module that calculates the probability for web objects that they are
streaming media.

Streaming Detector
Setting for the module that calculates streaming media probabilities

Streaming Detector

Option Definition

Minimal probability Sets the probability (in percent, specified by a number from 0
to 100) that is sufficient for a web object to be considered as
streaming media.

Time Quota settings


The Time Quota settings are used for configuring the module that handles time quota management.

Time Quota per Day, Week, Month, and Session Time


Settings for time quotas
When a time unit or the session time is selected, the heading of the next section reads accordingly.

Time Quota per Day, Week, Month, and Session Time

Option Definition

Time quota per day (week, month) When selected, the quota that is configured in the next
section applies to the selected time unit.


Session time When selected, the quota that is configured in the next
section applies to the session time.

Hours and Minutes for . . .


Settings for time quotas that apply to the selected time unit or the session time
The heading of this section varies according to what you selected in the preceding section.
For example, if you selected Time quota per week, the heading reads Hours and Minutes for Time Quota per Week.

Hours and Minutes for . . .

Option Definition

Hours Sets the allowed hours per day, week, month, or for the
session time.

Minutes Sets the allowed minutes per day, week, month, or for the
session time.

Actual Configured Time Quota


Displays the configured time quotas.

Actual Configured Time Quota

Option Definition

Time quota per day (week, month) Shows the allowed time per day, week, or month.

Session time Shows the allowed session time.

URL Filter settings


The URL Filter settings are settings for the URL Filter module, which handles the retrieval of information about URLs from the Global
Threat Intelligence system and other sources.
Instances of the URL Filter settings include the following:
• Default settings — Default settings
These settings are used when working with the default rule set for URL filtering. This rule set is named Default and nested within
the URL Filtering rule set.
• Special URL Filtering Group settings — Settings used when working with the nested Special URL Filtering Group rule set

Extended List
Settings for extended lists.

Extended List

Option Definition

Use the extended list Provides a list for selecting an extended list.

Add Opens the Add List window for adding an extended list.

Edit Opens the Edit List (Extended List) window for editing the selected
extended list.

Rating Settings
Settings for retrieving rating information on URLs based on categories and reputation scores.

Rating Settings

Option Definition

Search the CGI parameters for rating When selected, CGI parameters are included in the search for
information.
CGI (Common Gateway Interface) parameters in a URL trigger
scripts or programs when the URL is accessed. Information on
CGIs is considered when categorizing a URL.

Search for and rate embedded URLs When selected, embedded URLs are included in the search
for information and rated.
Information on an embedded URL is considered when
categorizing the embedding URL.
Note: Searching for embedded URLs can impact
performance.

Do a forward DNS lookup to rate URLs When selected, a DNS lookup is performed for a URL that no
relevant information has been found for.
The IP address that was looked up is used for another search.

Do a backward DNS lookup for unrated IP-based URLs When selected, a backward DNS lookup, based on its IP
address, is performed for a URL that no relevant information
has been found for.
The host name that was looked up is used for another search.

Use the built-in keyword list When selected, the built-in keyword list is included in the
search.

Disable local GTI database When selected, no information about web reputation and
categories is retrieved from the local Global Threat
Intelligence database.

Use online GTI web reputation and categorization services if local rating yields no result When selected, information on URL categories and reputation
scores is only retrieved from the Global Threat Intelligence
service if the search in the internal database yielded no
results.

Use default server for online GTI web reputation and categorization services When selected, the appliance connects to the default server
for retrieving information on URL categories and reputation
scores from the Global Threat Intelligence system.
• IP of the server — Specifies the IP address of the server used to
connect to the Global Threat Intelligence system when the
default server is not used.
Format: <domain name> or <IPv4 address> or <IPv4
address mapped to IPv6 address>
Regular IPv6 addresses cannot be specified here.
• Port of the server — Specifies the port number of the port on
this server that listens to requests from the appliance.
Allowed range: 1–65535

Enable the Dynamic Content Classifier if GTI web categorization yields no result When selected, the Dynamic Content Classifier is involved in
the URL filtering process if a search performed by the Global
Threat Intelligence service yielded no results.

Advanced Settings
Advanced settings for the URL Filter module.

Advanced Settings

Option Definition

Treat connection problems to the cloud as errors When selected, problems arising on the connection from the
appliance to the Global Threat Intelligence server are logged
as errors.
Properties for error handling are set and eventually rules
from an Error Handler rule set are executed.

Do a backward DNS lookup also for private addresses When selected, private IP addresses are included in the
backward DNS lookup.
Excluding these addresses from the lookup leads to an
increase in performance for URL filtering.
This option is disabled by default.
The lookup includes the following types of addresses:
• IPv4
◦ Private addresses
◦ Zeroconf addresses
• IPv6
◦ Link local addresses
◦ Site local addresses
◦ Unique local addresses

Proxy Settings
Settings for configuring a proxy the appliance can use to connect to the Global Threat Intelligence service.

Option Definition

Use upstream proxy When selected, the appliance uses a proxy for connecting to
the Global Threat Intelligence server on which lookups for
URL category information, also known as “in-the-cloud”
lookups, can be performed.

IP or name of the proxy Specifies the IP address or host name of the proxy.

Port of the proxy Specifies the number of the port on the proxy that listens for
lookup requests from the appliance.

User name Specifies a user name for the appliance when logging on to
the proxy.

Password Sets a password for an appliance.

Set Opens a window for setting a password.

Connect to GTI cloud via host name also when a proxy is configured When selected, Web Gateway connects to a cloud service for
performing GTI lookups using the host name of the server
where the cloud service resides, regardless of whether a
proxy is also configured.

Try to bypass the proxy if unreachable When selected, Web Gateway tries to bypass a proxy that has
been set up if this proxy cannot be reached.


Trust server certificate When selected, a certificate sent under HTTPS by a cloud
service for performing GTI lookups is trusted on Web
Gateway.
• Subject, Issuer, Validity, Extensions, Fingerprint, Private Key — Provide
information about the certificate that is sent by the cloud
service.
• Import — Opens a window for importing a server certificate.

Provide client certificate When selected, Web Gateway provides a certificate when
connecting as a client under HTTPS to a cloud service for
performing GTI lookups.
• Subject, Issuer, Validity, Extensions, Fingerprint, Private Key — Provide
information about the certificate that Web Gateway sends
to the cloud service.
• Import, Export, Export Key — Open windows for importing a
client certificate and for exporting a client certificate and
key.

Logging
Settings for logging URL filtering activities on the appliance.

Option Definition

Enable logging When selected, URL filtering activities are logged on the
appliance.
If this option is not selected, the following logging options are
grayed out.

Log level Provides a list for selecting the log level.


Log levels are as follows:
• 00 FATAL — Logs only fatal errors.
• 01 ERRORS — Logs all errors.
• 02 WARNING — Logs errors and warnings.
• 03 INFO — Logs errors, warnings, and additional
information.
• 04 DEBUG1 ... 013 DEBUG9 — Log information required for
debugging URL filtering activities.
The amount of logged information increases from level
DEBUG1 to DEBUG9.
• 14 TRACE — Logs information required for tracing URL
filtering activities.
• 15 ALL — Logs all URL filtering activities

(Log area) Provides a set of options for including different areas of URL
filtering activities into the logging.
• LOG_AREA_ALL — When selected, all URL filtering activities
are logged.
• LOG_AREA_NETWORK — When selected, activities regarding
the network connections used for URL filtering are logged.
• LOG_AREA_DATABASE_SEARCH — When selected, activities
regarding the retrieval of data for URL filtering from the
internal database are logged.
• LOG_AREA_DNS — When selected, activities regarding a DNS
lookup that is performed for URL filtering are logged.

• LOG_AREA_URL — When selected, activities for handling
URLs, such as parsing them, are logged.
• LOG_AREA_CLOUD — When selected, activities regarding the
retrieval of information from the Global Threat Intelligence
system are logged.

Cloud settings
Settings for cloud use of URL filtering.

Option Definition

Connection count (maximum) Limits the number of connections that can be active at the
same time.
Maximum number of connections by default: 4

Request timeout Limits the time between retries of requests on a connection.


Maximum time by default: 2000 ms

Request attempts Limits the number of retries.


Maximum number of retries: 3

Volume Quota settings


The Volume Quota settings are used for configuring the module that handles volume quota management.

Volume Quota per Day, Week, and Month


Settings for volume quotas
When a time unit or the session time is selected, the heading of the next section reads accordingly.

Volume Quota per Day, Week, and Month

Option Definition

Volume quota per day (week, month) When selected, the quota that is configured in the next
section applies to the selected time unit.

Session time When selected, the quota that is configured in the next
section applies to the session time.

Volume for . . .
Settings for volume quotas that apply to the selected time unit or the session time
The heading of this section varies according to what you selected in the preceding section.
For example, if you selected Volume quota per week, the heading reads Volume for Volume Quota per Week.
However, if you selected Session Time, the heading reads Hours and Minutes.

Volume for . . .

Option Definition

GiB Specifies the number of GiB that are allowed as volume.

MiB Specifies the number of MiB that are allowed as volume.

Actual Configured Volume Quota


Displays the configured volume quotas.

Actual Configured Volume Quota

Option Definition

Volume quota per day (week, month) Shows the allowed volume per day, week, or month.

Session time Shows the allowed session time.

Action settings
Action settings are used for configuring rule actions.
The following rule actions can be configured using action settings.
• Authenticate
• Block
• Redirect

Authenticate settings
The Authenticate settings are used for configuring the way the Authenticate action is executed when a filtering rule with that
action applies.

Failed Login Message Template


Settings for configuring user messages and a block reason for logging purposes

Failed Login Message Template

Option Definition

Language Provides settings for selecting the language of a user
message.
• Auto (Browser) — When selected, the message is in the
language of the browser that the blocked request was sent
from.
• Force to — When selected, the message is in the language
chosen from the list that is provided here.
• Value of Message.Language property — When selected, the
message is in the language that is the value of the
Message.Language property.
This property can be used for creating a rule.

Template collection Provides a list for selecting a template collection.


• Add — Opens the Add Template Collection window for adding a
template collection.
• Edit — Opens the Template Editor for editing a template
collection.

Template name Provides a list for selecting a template.


• Add — Opens the Add Template window for adding a template.
• Edit — Opens the Template Editor for editing a template.

McAfee Web Reporter block reason ID Provides a numerical value that identifies a block reason.

Block reason States the block reason in plain text.

Block settings
The Block settings are used for configuring the way the Block action is executed when a filtering rule with that action applies.

Language and Template Settings


Settings for configuring user messages and a block reason for logging purposes

Language and Template Settings

Option Definition

Language Provides settings for selecting the language of a user
message.
• Auto (Browser) — When selected, the message is in the
language of the browser that the blocked request was sent
from.
• Force to — When selected, the message is in the language
chosen from the list that is provided here.
• Value of Message.Language property — When selected, the
message is in the language that is the value of the
Message.Language property.
This property can be used for creating a rule.

Template collection Provides a list for selecting a template collection.


• Add — Opens the Add Template Collection window for adding a
template collection.
• Edit — Opens the Template Editor for editing a template
collection.

Template name Provides a list for selecting a template.


• Add — Opens the Add Template window for adding a template.
• Edit — Opens the Template Editor for editing a template.

McAfee Web Reporter block reason ID Provides a numerical value that identifies a block reason.

Block reason States the block reason in plain text.

Redirect settings
The Redirect settings are used for configuring the way the Redirect action is executed when a filtering rule with that action
applies.

Redirect Settings
Settings for configuring user messages and a block reason for logging purposes

Redirect Settings

Option Definition

Redirect.URL When selected, the value of the Redirect.URL property is the
URL that is used for redirecting.
This property can be used in a suitable rule.

User-defined URL When selected, the redirecting URL must be specified by you.

Redirect URL Specifies the URL that is used for redirecting.

Language Provides settings for selecting the language of a user
message.
• Auto (Browser) — When selected, the message is in the
language of the browser that the blocked request was sent
from.
• Force to — When selected, the message is in the language
chosen from the list that is provided here.

• Value of Message.Language property — When selected, the
message is in the language that is the value of the
Message.Language property.
This property can be used for creating a rule.

Template collection Provides a list for selecting a template collection.


• Add — Opens the Add Template Collection window for adding a
template collection.
• Edit — Opens the Template Editor for editing a template
collection.

Template name Provides a list for selecting a template.


• Add — Opens the Add Template window for adding a template.
• Edit — Opens the Template Editor for editing a template.

McAfee Web Reporter block reason ID Provides a numerical value that identifies a block reason.

Block reason States the block reason in plain text.

Rule sets
Rule sets contain rules for handling a particular field of web security. These fields include anti-malware filtering, URL filtering,
media type filtering, and others.

Availability of rule sets


Rule sets are made available for your administration activities as follows:
• Default rule sets — After the initial setup of Web Gateway, default rule sets are provided for some important fields of web
security.
You can modify, rename, and delete these rule sets and the rules within them later on and also create new rule sets and rules.
• Library rule sets — A built-in rule set library is shipped with Web Gateway. You can import rule sets from this library to cover
more fields of web security or extend the coverage of the default fields. All default rule sets are also contained in this library.
An online rule set library offers even more rule sets, which you can import with relevant documentation after accessing the built-
in library.

Rule set views


When working with a default or library rule set, there are usually two views available:
• Key elements view — This view allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. They include, for example, lists of web objects or settings for modules.
In some cases, you can also enable or disable a rule, but you cannot view any rule completely, nor perform any other activities
where a complete rule would be involved, such as deleting or creating a rule.
• Complete rules view — This view allows you to view all rules in the rule set and to configure all their elements, including the
key elements.
You can also enable or disable, move, copy, delete, and create rules in this view.
When you create a rule set on your own, this can only be done using the complete rules view. This is also the only view that will
be available for a rule set of this kind later on.

Access log rule set


The Access Log rule set is a nested rule set in the Default Log Handler rule set.

Nested default rule set – Access Log

Criteria – Always

The rule set contains the following rule.

Write access.log

Always –> Continue —

Set User-Defined.logLine = DateTime.ToWebReporterString + “ ”” ...

FileSystemLogging.WriteLogEntry (User-Defined.logLine)<Access Log Configuration>

The rule uses an event to fill a log file entry with parameter values relating to requests sent by users, such as user names or
request headers.

It uses another event to write this entry into a log file.

The log file entry is specified as a parameter in both events. The log that stores the log file is specified by the settings of the
write event.

Values for the following parameters are set and logged by the events of the rule (properties used by the event that sets the
values are shown in italics):
• Date and time — DateTime.ToWebReporterString
• User name — Authentication.UserName
• Client IP address — String.ReplaceIfEquals (IP.ToString(Client.IP), “”, “-”)
• Response status — String.ReplaceIfEquals (Number.ToString (Response.StatusCode), “”, “-”)
• Request header — RequestHeader.FirstLine
• URL category — List.OfCategory.ToString (URL.Categories)
• URL reputation — String.ReplaceIfEquals (URL.ReputationString, “”, “-”) (URL.Reputation<Default>)
• Media type — MediaType.ToString (MediaType.FromHeader)
• Body size — String.ReplaceIfEquals (Number.ToString (Body.Size), “”, “-”)
• User agent — Header.Request.Get(“User-Agent”)
• Virus and malware names — List.OfString.ToString (Antimalware.VirusNames)
• Block action ID — Number.ToString (Block.ID)

The logging rule applies whenever a request for access to the web is received.

The two rule events for filling and writing a log entry are then executed.

Processing continues with the next rule or rule set.
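The following Python parser is an added example and not Web Gateway code or part of this guide. It reads access.log lines of the kind the rule above writes and turns the "-" placeholders that the String.ReplaceIfEquals calls produce back into missing values, so the lines can be searched for malware hits and block actions. Because the guide elides the exact line layout ("..."), the field order, the quoting, the comma-separated rendering of lists, the block ID numbering (0 taken to mean that no Block action fired) and the sample lines are all assumptions or constructed data.

```python
"""Parser for the access.log lines written by the Write access.log rule.

Added example; not Web Gateway code and not the product's own log format
definition. The guide elides the exact line layout ("..."), so the layout
below is an ASSUMPTION built from the parameters the rule logs:

  [date/time] "user" client_ip status "request line" "categories" "reputation"
  "media type" body_size "user agent" "virus names" block_id

Values that the rule replaces with "-" when empty (client IP, status,
reputation, body size) are mapped back to None.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One regular expression for the assumed layout. Quoted fields may be empty.
# Embedded double quotes are not handled because the guide does not say how
# Web Gateway escapes them.
_LINE = re.compile(
    r'^\[(?P<ts>[^\]]*)\]\s+'
    r'"(?P<user>[^"]*)"\s+'
    r'(?P<client_ip>\S+)\s+'
    r'(?P<status>\S+)\s+'
    r'"(?P<request>[^"]*)"\s+'
    r'"(?P<categories>[^"]*)"\s+'
    r'"(?P<reputation>[^"]*)"\s+'
    r'"(?P<media_type>[^"]*)"\s+'
    r'(?P<body_size>\S+)\s+'
    r'"(?P<user_agent>[^"]*)"\s+'
    r'"(?P<virus_names>[^"]*)"\s+'
    r'(?P<block_id>\d+)\s*$'
)


@dataclass
class AccessLogEntry:
    timestamp: str
    user: str
    client_ip: Optional[str]
    status: Optional[int]
    request: str
    categories: List[str]
    reputation: Optional[str]
    media_type: str
    body_size: Optional[int]
    user_agent: str
    virus_names: List[str]
    block_id: int


def _dash_to_none(value: str) -> Optional[str]:
    """Undo the String.ReplaceIfEquals(..., "", "-") substitution of the rule."""
    return None if value == "-" else value


def _split_list(value: str) -> List[str]:
    """List.OfCategory/List.OfString.ToString render lists comma-separated (assumption)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_line(line: str) -> AccessLogEntry:
    m = _LINE.match(line)
    if not m:
        raise ValueError("unrecognised access.log line: %r" % line)
    status = _dash_to_none(m["status"])
    size = _dash_to_none(m["body_size"])
    return AccessLogEntry(
        timestamp=m["ts"],
        user=m["user"],
        client_ip=_dash_to_none(m["client_ip"]),
        status=int(status) if status is not None else None,
        request=m["request"],
        categories=_split_list(m["categories"]),
        reputation=_dash_to_none(m["reputation"]),
        media_type=m["media_type"],
        body_size=int(size) if size is not None else None,
        user_agent=m["user_agent"],
        virus_names=_split_list(m["virus_names"]),
        block_id=int(m["block_id"]),
    )


def malware_hits(entries: List[AccessLogEntry]) -> List[AccessLogEntry]:
    """Entries where the Anti-Malware module reported at least one virus name."""
    return [e for e in entries if e.virus_names]


def blocked_entries(entries: List[AccessLogEntry]) -> List[AccessLogEntry]:
    """Entries where a Block action fired. ASSUMPTION: Block.ID is 0 when none did."""
    return [e for e in entries if e.block_id != 0]


# Constructed sample lines in the assumed layout (not real Web Gateway output).
SAMPLE_LINES = [
    '[02/Jan/2020:10:15:01 +0000] "jdoe" 10.1.2.3 200 "GET http://www.example.com/ HTTP/1.1" '
    '"Business, Software/Hardware" "Minimal Risk" "text/html" 5120 "Mozilla/5.0" "" 0',
    '[02/Jan/2020:10:15:07 +0000] "jdoe" 10.1.2.3 403 "GET http://malware.example/eicar.com HTTP/1.1" '
    '"Malicious Sites" "High Risk" "application/octet-stream" 68 "Mozilla/5.0" "EICAR test file" 80',
    # Unauthenticated CONNECT with nothing to log yet: the "-" placeholders appear.
    '[02/Jan/2020:10:15:09 +0000] "" - - "CONNECT www.example.org:443 HTTP/1.1" "" "-" "" - "curl/7.64.1" "" 0',
]

if __name__ == "__main__":
    for entry in [parse_line(line) for line in SAMPLE_LINES]:
        print(entry.timestamp, entry.user or "(anonymous)", entry.request, entry.virus_names, entry.block_id)
```

If you change the Set User-Defined.logLine event (for example, to add or reorder fields), the regular expression has to follow; keeping the placeholder substitution in the rule is what makes the line structure stable enough to parse at all.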

Advanced Threat Defense rule set


The Advanced Threat Defense rule set is a library rule set. It enables Web Gateway to use Advanced Threat Defense for
additional scanning of web objects in the anti-malware filtering process.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

Key elements of the Advanced Threat Defense rule set


The key elements of the Advanced Threat Defense rule set deal with important elements of the process that performs additional
scanning of web objects.

Enable Advanced Threat Defense for These Supported Media Types


Key element for selecting web objects that are eligible for additional scanning by Advanced Threat Defense.

Enable Advanced Threat Defense for These Supported Media Types

Option Definition

Media types to insert Clicking Edit opens a window to let you edit the Advanced Threat
Defense Supported Media Types list that is used by a rule.
Only web objects that belong to media types on this list will
additionally be scanned by Advanced Threat Defense if also
the other criteria are met.
You can add, modify, and remove entries on the list.

Gateway Anti-Malware Settings


Key element for configuring the scanning by the Anti-Malware module before the additional scanning by Advanced Threat Defense.



Gateway Anti-Malware Settings

Option Definition

Settings Clicking Edit opens a window to let you edit the settings for the
Anti-Malware module when it runs with the module components
that are usually available on Web Gateway.
This scanning is performed before any scanning by Advanced
Threat Defense. Depending on the result of this scanning,
additional scanning by Advanced Threat Defense is
performed or not.

Gateway Advanced Threat Defense Settings


Key element for configuring additional scanning by Advanced Threat Defense.

Gateway Advanced Threat Defense Settings

Option Definition

Settings Clicking Edit opens a window to let you edit the settings for the
Anti-Malware module on Web Gateway when the scanning is
actually performed by Advanced Threat Defense.

Complete rules of the Advanced Threat Defense rule set


When working with the complete rules of the Advanced Threat Defense rule set, all rules and rule elements of this rule set can be
viewed and configured.

Library rule set – Advanced Threat Defense

Criteria – Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 60 AND MediaType.EnsuredTypes at least one in list Advanced Threat Defense Supported Types

Cycles – Responses, Embedded Objects

The rule set criteria specifies that the rule set applies if the following is true:
• As a result of previous scanning by the anti-malware engines on Web Gateway, the probability that a web object is malicious
equals or exceeds 60 percent
• The media type of the object is on the list of supported types for scanning by Advanced Threat Defense.
The rule set contains the following rules.

Enable progress page

Always –> Continue – Enable Progress Page<Default>

The rule enables an event that lets a page be shown to indicate the progress made when a web object is downloaded to a
client.

Upload file to ATD and wait for scanning result

Antimalware.Infected<Gateway ATD> –> Block<Virus Found> – Statistics.Counter.Increment("BlockedByMATD",1)<Default>

The rule uses the Antimalware.Infected property to check whether a web object, for example, a file, is infected by a virus or other
malware.



The scanning that is required for this check is performed under the Gateway ATD settings, which means it is carried out by
Advanced Threat Defense.

If the object is found to be infected, the process of forwarding the object to the requesting client is blocked and a block
message is shown to the user who requested access to the object.

The block action is recorded by the statistics counter.

Application Control rule set


The Application Control rule set is a library rule set for application filtering.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

Complete rules of the Application Control rule set


When working with the complete rules of the Application Control rule set, all rules and rule elements of this rule set can be viewed
and configured.

Library rule set – Application Control

Criteria – Always

Cycles – Requests (and IM), Responses

The following rule sets are nested in this rule set:


• Block Applications in Request Cycle
• Block Applications in Response Cycle

Block Applications in Request Cycle


This nested rule set handles application filtering in the request cycle.

Nested library rule set – Block Applications in Request Cycle

Criteria – Always

Cycle – Requests (and IM)

The rule set contains the following rules:

Block instant messaging applications

Application.Name is in list Instant Messaging –> Block<Default>

The rule uses the Application.Name property to check whether the name of an application is contained in a specified list. If it is,
it blocks a request for this application.

The action settings specify a message to the requesting user.

The rule is not enabled by default.



Block web applications with high risk

Application.HighRisk equals true AND Application.Name is in list Web Browsing and Web Conferencing –> Block<Default>

The rule uses the Application.HighRisk property to check the reputation score of an application and the Application.Name property
to check whether the name of this application is contained in a specified list. If the reputation score reaches or exceeds the
high-risk level and the application name is also on the list, it blocks a request for this application.

The action settings specify a message to the requesting user.

Block Facebook chat

Application.ToString (Application.Name) equals "Facebook.Chat" –> Block<Default>

The rule uses the Application.ToString property to check whether the name of an application is equal to a specified string. For
this purpose, the name of the application is converted into a string. If the converted application name equals the specified
string, a request for the application is blocked.

The action settings specify a message to the requesting user.

The rule is not enabled by default.

Block Applications in Response Cycle


This nested rule set handles application filtering in the response cycle.

Nested library rule set – Block Applications in Response Cycle

Criteria – Always

Cycle – Responses

The rule set contains the following rule:

Applications to be looked for in response cycle

Application.Name is in list of Applications to Search for in Response Cycle –> Block<Default>

The rule uses the Application.Name property to check whether the name of an application is contained in a specified list. If it is,
it blocks a request for this application.

The action settings specify a message to the requesting user.

The rule is not enabled by default.

Block web applications with high risk

Application.HighRisk equals true AND Application.Name is in list Web Browsing and Web Conferencing –> Block<Default>

The rule uses the Application.HighRisk property to check the reputation score of an application and the Application.Name property
to check whether the name of this application is contained in a specified list. If the reputation score reaches or exceeds the
high-risk level and the application name is also on the list, it blocks a request for this application.

The action settings specify a message to the requesting user.



Block Facebook chat

Application.ToString (Application.Name) equals "Facebook.Chat" –> Block<Default>

The rule uses the Application.ToString property to check whether the name of an application is equal to a specified string. For
this purpose, the name of the application is converted into a string. If the converted application name equals the specified
string, a request for the application is blocked.

The action settings specify a message to the requesting user.

The rule is not enabled by default.

ATD - Offline Scanning with Immediate File Availability rule set


The ATD – Offline Scanning with Immediate File Availability rule set is a library rule set for enabling Web Gateway to work with Advanced
Threat Defense when filtering web objects in offline scanning mode.
When this rule set is implemented, a web object is forwarded to the user who requested it before it has been additionally
scanned by Advanced Threat Defense, so the object is immediately available to the user.
If the scanning result is that the web object is infected, a message is sent to the administrator of the network that the user sent
the request from.
This use of the scanning functions of Advanced Threat Defense is also known as offline scanning or background scanning.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in this rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

Complete rules of the ATD - Offline Scanning with Immediate File Availability rule set
When working with the complete rules of the ATD - Offline Scanning with Immediate File Availability rule set, all rules and rule elements of
this rule set can be viewed and configured.
After importing this rule set, the following two rule sets are implemented and appear on the rule sets tree:
• ATD - Init Offline Scan
• ATD - Handle Offline Scan
A rule set with the name ATD - Offline Scanning with Immediate File Availability is not implemented.

ATD - Init Offline Scan


This rule set initiates the additional scanning by Advanced Threat Defense.

Library rule set – ATD - Init Offline Scan

Criteria – Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 60 AND MediaType.EnsuredTypes at least one in list Advanced Threat Defense Supported Types AND Body.Size less than 30000000

Cycles – Responses, Embedded Objects

The rule set criteria specifies that the rule set applies if the following is true:
• As a result of previous scanning by Web Gateway, the probability that a web object is malicious equals or exceeds 60 percent.
• The media type of the object is on the list of supported types for scanning by Advanced Threat Defense.
• The web object does not exceed a particular size.
The rule set contains the following rule.



Offline scanning with immediate file availability

Antimalware.MATD.InitBackgroundScan(5) equals false –> Block<ATD Communication Failed>

When this rule is processed, all data related to the request for web access that has been sent to Web Gateway is recorded,
including the response that was received from the requested web server. The response usually includes in its body the
requested web object, for example, a file. The body with the web object is stored on Web Gateway.
An internal request is also created within Web Gateway to initiate the scanning by Advanced Threat Defense. Web Gateway
then waits for an answer to this internal request to see whether the request is accepted and the scanning will be
performed.
The time that Web Gateway waits for this answer is measured in seconds and a parameter of the
Antimalware.MATD.InitBackgroundScan property. By default, this time is 5 seconds. You can configure this time by editing the
property parameter.

If no answer to the internal request is received within the configured time, the property is set to false, so this criteria
matches and the rule applies. A message is then sent to inform the administrator that the additional scanning by Advanced
Threat Defense could not be executed.
If the answer is received within the configured time, the web object is forwarded to the user.

Further handling of the additional scanning is performed by the next rule set.

Library rule set – ATD - Handle Offline Scan

Criteria – Antimalware.MATD.IsBackgroundScan equals true

Cycles – Requests, Embedded Objects

The rule set criteria specifies that the rule set applies if the value of the Antimalware.MATD.IsBackgroundScan property is true.
It is true if the additional scanning by Advanced Threat Defense has successfully been initiated by the rule in the preceding rule
set. In this case, the data that was recorded and stored by this rule is used by Advanced Threat Defense to scan a requested web
object.
The rule set contains the following rules.

Upload file to ATD and wait for scanning result

Antimalware.Infected<Gateway ATD> equals true –> Continue – Statistics.Counter.Increment("BlockedByMATD",1)<Default>

The rule uses the Antimalware.Infected property to check whether a web object, for example, a file, is infected by a virus or
other malware. The scanning that is required for this check is performed under the Gateway ATD settings, which means it is
carried out by Advanced Threat Defense.
For this purpose, the previously stored web object is forwarded from Web Gateway to Advanced Threat Defense.

If the scanning result is that the web object is infected, this is recorded by a statistics counter.

Offline scanning with immediate file availability

Antimalware.Infected<Gateway ATD> equals true –> Block<Virus Found> – Set User-Defined.MessageText =
"Client.IP: "
+ IP.ToString(Client.IP)
+ "Requested URL: "
+ URL
+ "Virus name: "
+ List.OfString.ToString (Antimalware.VirusNames<Gateway ATD>, ",")
Email.Send ("Administrator@", "MATD offline scan detected a virus", User-Defined.MessageText)<Default>

When the rule is processed, it is checked whether the value of the Antimalware.Infected property is true.
If it is, it means the scanning that was performed by Advanced Threat Defense has found a web object to be infected by a
virus or other malware.

A warning message is then created and sent to the administrator for the network of the user who sent the request to access
the web object. The message contains information on the request that was recorded by the rule of the preceding rule set. Note
that the string parts are concatenated without separators, so add line breaks or other separators to the user-defined string if
the message is to be readable.

Stop cycle

Always –> Stop Cycle

This rule stops the processing cycle. It is always executed after the preceding rules have been processed.
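The decision flow of the two rule sets, as an added Python model that is not Web Gateway code and not the product's rule engine: the criteria of ATD - Init Offline Scan, the InitBackgroundScan timeout that turns into an ATD Communication Failed block, and the counting and mailing done by ATD - Handle Offline Scan. It exercises the boundaries a practitioner should know (probability exactly 60, Body.Size exactly 30000000, an answer arriving just after the 5-second timeout). The supported-type list, the sample object, the stand-in for the ATD answer delay and the line breaks inserted into the mail text are assumptions made for the example.

```python
"""Model of the ATD offline-scan flow (Init Offline Scan, Handle Offline Scan).

Added example; not Web Gateway code and not the product's rule engine. The two
library rule sets are written as plain functions so the decision points can be
exercised offline: the 60 percent probability threshold, the supported-type
list, the Body.Size limit of 30000000 bytes, the InitBackgroundScan timeout
that becomes an ATD Communication Failed block, and the administrator mail
built in the Handle rule set. ASSUMPTIONS: the media-type list is illustrative,
the ATD answer delay is passed in instead of measured, and the mail text gets
line breaks between its parts (the rule itself concatenates them directly).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROBABILITY_THRESHOLD = 60          # Antimalware.Proactive.Probability >= 60
MAX_BODY_SIZE = 30_000_000          # Body.Size less than 30000000
DEFAULT_INIT_TIMEOUT_S = 5          # Antimalware.MATD.InitBackgroundScan(5)
SUPPORTED_TYPES = {"application/x-dosexec", "application/pdf", "application/zip"}  # illustrative


@dataclass
class WebObject:
    url: str
    client_ip: str
    media_type: str             # the MediaType.EnsuredTypes result, reduced to one type
    body_size: int
    proactive_probability: int  # result of the Gateway Anti-Malware scan, in percent


def init_rule_set_applies(obj: WebObject) -> bool:
    """Criteria of the ATD - Init Offline Scan rule set."""
    return (obj.proactive_probability >= PROBABILITY_THRESHOLD
            and obj.media_type in SUPPORTED_TYPES
            and obj.body_size < MAX_BODY_SIZE)


def init_background_scan(atd_answer_delay_s: float, timeout_s: int = DEFAULT_INIT_TIMEOUT_S) -> bool:
    """Stand-in for Antimalware.MATD.InitBackgroundScan(timeout).

    True when ATD accepts the internal scan request within the timeout, False
    when no answer arrives in time.
    """
    return atd_answer_delay_s <= timeout_s


def run_init_rule_set(obj: WebObject, atd_answer_delay_s: float,
                      timeout_s: int = DEFAULT_INIT_TIMEOUT_S) -> Tuple[str, bool]:
    """Outcome of the Init rule set: (action, IsBackgroundScan for the follow-up)."""
    if not init_rule_set_applies(obj):
        return "continue", False                        # ATD not involved at all
    if not init_background_scan(atd_answer_delay_s, timeout_s):
        return "block:ATD Communication Failed", False  # rule applies, user is told
    return "forward", True                              # file delivered now, scan runs in background


def build_admin_message(obj: WebObject, virus_names: List[str]) -> str:
    """User-Defined.MessageText of the Handle rule set, with added line breaks."""
    return ("Client.IP: " + obj.client_ip + "\n"
            + "Requested URL: " + obj.url + "\n"
            + "Virus name: " + ",".join(virus_names))


def run_handle_rule_set(obj: WebObject, is_background_scan: bool, virus_names: List[str],
                        counters: Dict[str, int], outbox: List[Tuple[str, str, str]]) -> str:
    """ATD - Handle Offline Scan: counts the hit, mails the administrator, stops the cycle.

    virus_names is what Antimalware.VirusNames<Gateway ATD> returned after the
    stored object was uploaded; an empty list means the object is clean. The
    recipient string is copied from the rule as the guide shows it.
    """
    if not is_background_scan:
        return "skip"                                   # rule set criteria not met
    if virus_names:                                     # Antimalware.Infected<Gateway ATD> equals true
        counters["BlockedByMATD"] = counters.get("BlockedByMATD", 0) + 1
        outbox.append(("Administrator@", "MATD offline scan detected a virus",
                       build_admin_message(obj, virus_names)))
    return "stop cycle"                                 # the final Always -> Stop Cycle rule


if __name__ == "__main__":
    # Constructed sample object: suspicious executable under the size limit.
    sample = WebObject("http://www.example.com/setup.exe", "10.0.0.5",
                       "application/x-dosexec", 1_048_576, 75)
    action, background = run_init_rule_set(sample, atd_answer_delay_s=2)
    counters, outbox = {}, []
    print(action, run_handle_rule_set(sample, background, ["EICAR-Test-File"], counters, outbox))
    print(counters, outbox[0][2])
```

The point the model makes explicit is that in offline mode the user already has the file by the time the Handle rule set runs, so the only remaining controls are the counter and the mail; if that is not acceptable for a given media type, leave that type out of the supported-types list or use the Advanced Threat Defense rule set, which blocks before delivery.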

Authorized Override rule set


The Authorized Override rule set is a library rule set for imposing a time limit on web usage that an authorized user can lift by
submitting credentials to start a new session.

Library rule set – Authorized Override

Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies to requests sent within an SSL-secured connection (the SSL client
context has been applied) and to all other requests except the CONNECT request that opens a connection.
The following rule sets are nested in this rule set:
• Authorized Override With URL Configuration
• Authorized Override With IP Configuration
This rule set is not enabled initially.
• Authorized Override With Authenticated User Configuration
This rule set is not enabled initially.

Authorized Override With URL Configuration


This nested rule set handles authorized overriding related to URL categories.

Nested library rule set – Authorized Override With URL Configuration

Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Authorized Override

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls into a category on the
blocking list for authorized overriding related to URL categories.
The rule set contains the following rules:

Redirect after authenticating for authorized override



Quota.AuthorizedOverride.IsActivationRequest<URL Category Configuration> equals true AND Authentication.Authenticate<User
Database> equals true –> Redirect<Redirection After Authorized Session Activation>

The rule redirects a request to let a user again access a web object after session time has been exceeded and the
credentials the user submitted to continue with a new session have been validated.

The action settings specify a message to the requesting user.

Check if authorized override session has been exceeded

Quota.AuthorizedOverride.SessionExceeded<URL Category Configuration> equals true –> Block<Action Authorized Override Blocked>

The rule uses the Quota.AuthorizedOverride.SessionExceeded property to check whether the configured session time has been
exceeded for a user. If it has, the user’s request for web access is blocked.

The URL Category Configuration settings, which are specified with the property, are the settings of the module that handles
authorized overriding.

The action settings specify a message to the requesting user.

Authorized Override With IP Configuration


This nested rule set handles authorized overriding related to IP addresses.

Nested library rule set – Authorized Override With IP Configuration

Criteria – Client.IP is in list IP Blocklist for Authorized Override

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request from a client with an IP address that is on the
blocking list for authorized overriding related to IP addresses.
The rules in this rule set are the same as in the Authorized Override with URL Configuration rule set, except for the module
settings in the rule criteria, which are IP Configuration.

Authorized Override With Authenticated User Configuration


This nested rule set handles authorized overriding related to user names.

Nested library rule set – Authorized Override With Authenticated User Configuration

Criteria – Authenticated.RawUserName is in list User Blocklist for Authorized Override

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a request is sent by a user whose user name is on the blocking list for
authorized overriding related to user names.
The rules in this rule set are the same as in the Authorized Override with URL Configuration rule set, except for the module
settings in the rule criteria, which are Authenticated User Configuration.

Blocking Sessions rule set


The Blocking Sessions rule set is a library rule set for blocking web sessions after an attempt to access a web object that is not
allowed.



Library rule set – Blocking Sessions

Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies to requests sent within an SSL-secured connection (the SSL client
context has been applied) and to all other requests except the CONNECT request that opens a connection.
The following rule set is nested in this rule set: Blocking Sessions With URL Configuration

Blocking Sessions With URL Configuration


This nested rule set handles blocking sessions related to URL categories.

Nested library rule set – Blocking Sessions With URL Configuration

Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Blocking Sessions

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls into a category on the
blocking list for blocking sessions related to URL categories.
The rule set contains the following rules:

Block user if blocking session is active

BlockingSession.IsBlocked<Blocking Session Configuration> equals true –> Block<Blocking Session Template>

The rule uses the BlockingSession.IsBlocked property to check whether a blocking session has been activated for a user who
sends a request. If it has, the request is blocked.

The action settings specify a message to the requesting user.

Activate blocking session if category is in list Category List for Blocking Sessions

URL.Categories<Default> at least one in list Category List for Blocking Session –> Continue — BlockingSession.Activate<Blocking
Session Configuration>

The rule uses the URL.Categories property to check whether a URL that a user requests access to falls into a category on the
blocking list maintained especially for blocking sessions. If it falls into a category on the list, a blocking session is activated
for the user.

The BlockingSession.Activate event is used to activate the blocking session. The event settings are specified with the event.

Bypass ePO Requests rule set


The Bypass ePO Requests rule set is a library rule set for allowing requests from a McAfee ePO server to bypass filtering rules on
an appliance.

Library rule set – Bypass ePO Requests

Criteria – Command.Name equals “CONNECT”

Cycles – Requests (and IM)



The rule set criteria specifies that the rule set applies when the SSL-secured communication between an ePO server and an
appliance begins with a request from the server to connect to the appliance.
The rule set contains the following rule.

Skip subsequent rules for ePO requests

URL.Host equals “127.0.0.1” OR URL.Host equals “[::1]” –> Stop Cycle – Enable SSL Client Context<Default CA> – Enable SSL
Scanner <Certificate verification without edh>

The rule uses the URL.Host property to identify the host of a requested URL, based on the IP address of the host.

If this address is 127.0.0.1 (or its IPv6 equivalent, [::1]), the host of the requested URL is the appliance itself. When the ePO
server sends a request to connect to the appliance, it uses this loopback address.

So if 127.0.0.1 or [::1] is the requested address, the rule applies and stops all further processing in the request cycle. This way
the CONNECT request is allowed to pass through.

The next step in this process is sending and verifying certificates. The rule includes an event to enable the sending of a client
certificate that is issued by the default certificate authority.

You can modify the event settings to have the certificate issued by another authority.

When certificate verification has been completed, the SSL-secured communication can go ahead.

Bypass Microsoft (Office 365) Services rule set


The Bypass Microsoft (Office 365) Services rule set is the default rule set for letting requests and responses in traffic to and from Office
365 and other Microsoft services bypass filtering on Web Gateway.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create rules in this view.

Key elements of the Bypass Microsoft (Office 365) Services rule set
The key elements of the rules that handle bypassing for Office 365 and other Microsoft services are related to the individual
services that requests and responses are sent to and received from.

Bypassing for Microsoft services


Options for handling Microsoft services bypassing.

Bypassing for Microsoft services

Option Definition

Bypass Exchange Online, Bypass Microsoft Federation Gateway, and other options for handling Microsoft services bypassing
When selected, a request from a client of Web Gateway to access Exchange Online or another Microsoft service is
forwarded to the service unfiltered.
When a response is received from the service, it is also passed on to the client unfiltered.
None of these options is enabled by default.



Bypass Microsoft (Office 365) Services rule set
When working with the complete rules of the Bypass Microsoft (Office 365) Services rule set, all rules and rule elements of this rule set
can be viewed and configured.

Default rule set – Bypass Microsoft (Office 365) Services

Criteria – Always

Cycles – Requests (and IM), Responses

The rule set contains the following rules.

Shortcut Microsoft service in response

Cycle.Name equals "Response" AND User-Defined.Shortcut_Microsoft_Service equals true –> Stop Cycle

The rule uses the Cycle.Name property to find out whether processing on Web Gateway is currently going on in the response
cycle.

It also uses a user-defined property to check whether the response that is processed in this cycle was triggered by a client
requesting access to Office 365 or any of several other Microsoft services.

If such a request is received on Web Gateway, a particular rule that is processed in the request cycle sets the user-defined
property to true. The current rule checks whether the property is actually set this way in the response cycle, using the
second part of its criteria.

If both criteria parts match, the rule applies and the response cycle is stopped. The response is then forwarded to the
requesting client without filtering.

This rule is enabled by default.

Note:
All rules that follow the first rule in the rule set work in a similar way. They ensure that a request sent by a client of Web Gateway
to a particular Microsoft service is forwarded to this service unfiltered.
Each of them also sets the property that is evaluated by the first rule to true after receiving such a request.
The first of these subsequent rules is explained here as an example in full detail. A summary is then given for all other rules.

Bypass Exchange Online

URL.Destination.IP is in range list Exchange Online IP Addresses OR URL.Destination.IP is in range list Exchange Online Protection IP Addresses OR
URL.Host matches in list Exchange Online URLs –> Stop Cycle – Set User-Defined.Shortcut_Microsoft_Service = true

The rule uses the URL.Destination.IP and URL.Host properties to find out whether the IP address and URL that are sent with a
request are on particular lists.

If they are, the request cycle is stopped and the request is forwarded to the requested destination, which is the Microsoft
Exchange Online service.

The User-Defined.Shortcut_Microsoft_Service property is then set to true by an event. The property is evaluated in the response cycle
by the first rule in the rule set.

This rule is not enabled by default.



Bypass Microsoft Federation Gateway, Bypass Microsoft Lync/Skype for Business Online, and other rules for Microsoft services bypassing

Similar to the Bypass Exchange Online rule, these rules use the URL.Destination.IP property or the URL.Host property or both (in one
case also the URL property) to find out whether the IP addresses or URLs that are sent with requests are on particular lists.
The lists vary with each rule depending on the respective service.

If the IP addresses or URLs are found on the lists, the request cycle is stopped and the request is forwarded to the
requested destination, which is one of the Microsoft services.

The User-Defined.Shortcut_Microsoft_Service property is then set to true by an event. The property is evaluated in the response cycle
by the first rule in the rule set.

None of these rules is enabled by default.
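The matching behind the Bypass Exchange Online rule and the request-to-response hand-off through the user-defined property, as an added Python example that is not Web Gateway code. It reimplements the three criteria parts with the standard library: URL.Destination.IP "is in range list" (CIDR ranges), URL.Host "matches in list" (wildcard patterns), and the Shortcut_Microsoft_Service flag that the request cycle sets and the first rule reads in the response cycle. The list contents, the sample transactions and the rule-enabled switch are constructed for illustration; they are not Microsoft's published address ranges or URLs.

```python
"""Bypass Exchange Online: range-list and host-list matching plus the
Shortcut_Microsoft_Service hand-off between request and response cycle.

Added example; not Web Gateway code. List contents are CONSTRUCTED
(documentation ranges), not Microsoft's real addresses or hosts.
"""
import fnmatch
import ipaddress

# Constructed stand-ins for the lists named in the rule.
EXCHANGE_ONLINE_IP_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:ff::/48")]
EXCHANGE_ONLINE_PROTECTION_IP_RANGES = [ipaddress.ip_network("198.51.100.0/25")]
EXCHANGE_ONLINE_URLS = ["outlook.example.test", "*.mail.example.test"]   # wildcard host patterns


def ip_in_range_list(ip: str, ranges) -> bool:
    """URL.Destination.IP is in range list ... (works for IPv4 and IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def host_matches_list(host: str, patterns) -> bool:
    """URL.Host matches in list ...: case-insensitive, trailing dot ignored,
    pattern must cover the whole host name (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


class Transaction:
    """One request/response pair; user_defined mirrors the User-Defined.* properties,
    which live for the transaction and are therefore visible in both cycles."""

    def __init__(self, host: str, destination_ip: str):
        self.host = host
        self.destination_ip = destination_ip
        self.user_defined = {"Shortcut_Microsoft_Service": False}


def request_cycle(tx: Transaction, bypass_exchange_enabled: bool) -> str:
    """The Bypass Exchange Online rule. Returns 'stop cycle' when it fired, else 'continue'."""
    if not bypass_exchange_enabled:                  # the rule is disabled by default
        return "continue"
    if (ip_in_range_list(tx.destination_ip, EXCHANGE_ONLINE_IP_RANGES)
            or ip_in_range_list(tx.destination_ip, EXCHANGE_ONLINE_PROTECTION_IP_RANGES)
            or host_matches_list(tx.host, EXCHANGE_ONLINE_URLS)):
        tx.user_defined["Shortcut_Microsoft_Service"] = True   # the event on the rule
        return "stop cycle"                                   # request leaves unfiltered
    return "continue"


def response_cycle(tx: Transaction) -> str:
    """Shortcut Microsoft service in response: skip response filtering if the flag is set."""
    if tx.user_defined["Shortcut_Microsoft_Service"]:
        return "stop cycle"
    return "continue"


if __name__ == "__main__":
    for host, ip in (("mx1.mail.example.test", "203.0.113.7"),
                     ("www.example.net", "192.0.2.1")):
        tx = Transaction(host, ip)
        print(host, ip, request_cycle(tx, True), response_cycle(tx))
```

Two practical points follow from the model: a Stop Cycle in the request cycle plus the flag means the response is not scanned at all, so the host patterns must be anchored (a bare "*" pattern would exempt everything), and the destination IP criteria are the more reliable half because they do not depend on the host name the client sends.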

Cloud Storage Encryption rule set


The Cloud Storage Encryption rule set is a library rule set for encrypting and decrypting data that is uploaded to and downloaded
from cloud storage services.

Library rule set – Cloud Storage Encryption

Criteria – Always

Cycles – Requests (and IM), Responses

The rule set contains the following rules.

Set encryption password

Always –> Continue – Set User-Defined.EncryptionPassword = "webgateway"

The rule uses an event to set the string "webgateway", the default password of Web Gateway, as the password that is used when data
is encrypted. The password appears in clear text in the rule, so replace this default with a password of your own before using the
rule set in production; anyone who knows the password can decrypt the data that was encrypted with it.

Enable encryption

CloudEncryption.IsEncryptionSupported<Default> equals true –> Continue – CloudEncryption.Encrypt(User-Defined.EncryptionPassword)<Default>

The rule uses the CloudEncryption.IsEncryptionSupported property to check whether encryption of data can be performed.
If this is the case, an event is used to perform the encryption.

Enable decryption

CloudEncryption.IsDecryptionSupported<Default> equals true –> Continue – CloudEncryption.Decrypt(User-Defined.EncryptionPassword)<Default>

The rule uses the CloudEncryption.IsDecryptionSupported property to check whether decryption of data can be performed.
If this is the case, an event is used to perform the decryption.

Fix content type after decryption



CloudEncryption.IsDecryptionSupported<Default> equals true –> Continue – MediaType.Header.FixContentType

The rule uses the CloudEncryption.IsDecryptionSupported property to check whether a decryption of cloud storage data
was performed.

If this is the case, an event is used to modify the Content-Type field in the header of the response that was sent to deliver
the data to Web Gateway. Cloud storage services set this field by default to application/octet-stream, as they cannot
recognize the real media type while the data is encrypted. The MediaType.Header.FixContentType event sets the field to the
real media type of the decrypted data.

The rule is not enabled by default.

Log encryption password

CloudEncryption.IsEncryptionSupported<Default> equals true –> Continue –
Set User-Defined.encrypt-log =
DateTime.ToGMTString
+ ", User: "
+ Authentication.UserName
+ ", IP: "
+ IP.ToString (Client.IP)
+ ", Service: "
+ CloudEncryption.ServiceName
+ ", Cipher: "
+ CloudEncryption.CipherName<Default>
+ ", Password: "
+ User-Defined.EncryptionPassword
FileSystemLogging.WriteLogEntry (User-Defined.encrypt-log)<Encryption Log>

The rule uses an event to create a log entry for an encryption.

A second event is used to write this entry into the log called Encryption Log, which is specified by the event settings. Since
data is written into the log in encrypted format, you need a password to access it (default password: webgateway).

The rule is not enabled by default.

Cookie authentication with SAML back end and fixed ACS URL rule set
To support SAML authentication using an external Identity Provider, Web Gateway performs the Service Provider role. The rules
in this rule set support this SAML scenario.

Library rule set – Cookie authentication with SAML back end and fixed ACS URL

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following nested rule sets:

• Cookie authentication with SAML back end and fixed ACS URL
◦ Intercept SAML assertion if IdP uses a fixed ACS URL
◦ Cookie authentication at HTTP(S) proxy
◦ Set cookie for authenticated clients
◦ Authenticate clients with authentication server
◦ Cookie authentication at authentication server
◦ Authentication server request

This rule set contains the following rule.

Set client context

Rule element Definition

Criteria Always

Action Continue

Events Enable SSL Client Context without CA <Default Without CA>

This rule secures all HTTP communication with the SSL protocol using the default certificate that comes with Web Gateway or
one that you import. To configure the SSL certificate, click <Default Without CA>.

Intercept SAML assertion if IdP uses a fixed ACS URL


The proxy intercepts SAML authentication responses containing a static ACS URL. It processes the SAML response and redirects
the SAML assertion to the authentication server, which provides the Assertion Consumer Service.

Nested library rule set – Intercept SAML assertion if IdP uses a fixed ACS URL

Criteria – Command.Name equals "POST" AND URL.Path is in list SAMLAuthResponseList

Cycles – Requests (and IM)

Note: To configure the list of fixed ACS URLs, click SAMLAuthResponseList.


This rule set contains the following rules.

Handle incoming SAML response

Rule element Definition

Criteria Always

Action Continue

Events Set Authentication.Token = Request.POSTForm.Get ("SAMLResponse")


Set Authentication.SAML.RelayState = Request.POSTForm.Get ("RelayState")

The proxy retrieves the SAML response and RelayState parameter from the POST form sent by the external Identity Provider. It
stores the response in the Authentication.Token property and the RelayState in the property Authentication.SAML.RelayState. When the
Identity Provider does not support dynamic URLs, the proxy uses the URL returned in the RelayState to restore the dynamic
authentication server URL.

Redirect SAML assertion to authentication server

Rule element Definition

Criteria Always

Action Block <SAMLRedirectToAuth>

Events HTTP.SetStatus (200)

After restoring the dynamic authentication server URL, the proxy redirects the SAML assertion (stored in the Authentication.Token
property) to the authentication server and sets the HTTP status code to 200 (OK). To provide custom settings for logging
purposes, click <SAMLRedirectToAuth>.

Cookie authentication at HTTP(S) proxy


In the context of SAML authentication using an external Identity Provider, the proxy redirects requests that do not contain a valid
cookie to the authentication server. The authentication server consumes SAML assertions and stores the user's identity in a
cookie.

Nested library rule set – Cookie authentication at HTTP(S) Proxy

Criteria –
Authentication.IsServerRequest equals false AND (
Connection.Protocol equals "HTTP" OR
Connection.Protocol equals "HTTPS") AND
Command.Name does not equal "CONNECT" AND
Command.Name does not equal "CERTVERIFY"

Cycles – Requests (and IM)

This rule set contains the following nested rule sets:


• Set Cookie for Authenticated Clients
• Authenticate Clients with Authentication Server

Set cookie for authenticated clients


After the authentication server consumes the SAML assertion and stores the user's identity in a cookie, it redirects the user with
the cookie through the proxy to the requested application.

Nested library rule set – Set cookie for authenticated clients

Criteria – Authentication.IsLandingOnServer equals true

Cycles – Requests (and IM)

This rule set contains the following rules.

P3P header to permit third party cookies in Internet Explorer

Rule element Definition

Criteria Always

Action Continue

Events Header.Block.Add ("P3P", "CP="NOI CUR OUR STP STA"")

The P3P string is required for the Platform for Privacy Preferences Project (P3P). The string must match the privacy settings in the
user's browser. If the P3P string is not updated as shown in the table and the browser is Internet Explorer, processing fails.


Set cookie and redirect client to the requested URL

Rule element Definition

Criteria Always

Action Redirect <Redirect Back From Authentication Server>

Events None

The authentication server redirects the authenticated user with a cookie through the proxy to the requested application. To
provide custom settings for logging purposes, click <Redirect Back From Authentication Server>.

Authenticate clients with authentication server


The proxy allows requests from external Identity Providers whose URLs are on the SAML IdP Whitelist and checks for a valid cookie in
the requests. If none exists, the proxy redirects the requests to the authentication server.

Nested library rule set – Authenticate clients with authentication server

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following rules.

Allow IDP requests

Rule element Definition

Criteria URL.Domain matches in list SAML IdP Whitelist

Action Stop Rule Set

Events None

The proxy checks that the URL of the external Identity Provider making a request matches one of the URLs in the SAML IdP Whitelist.
Note: To add URLs to the whitelist, click SAML IdP Whitelist.

Redirect clients that do not have a valid cookie to the authentication server

Rule element Definition

Criteria Authentication.Authenticate <Local Cookie Authentication Server> equals false

Action Authenticate <Default>

Events None

If the request from the external Identity Provider does not include a valid cookie, the proxy redirects the request to the
authentication server. To configure a different authentication method, click <Local Cookie Authentication Server>. To provide custom
settings for logging purposes, click <Default>.

Cookie authentication at authentication server


This rule set is a container for the Authentication server request rule set.


Nested library rule set – Cookie authentication at authentication server

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following nested rule set: Authentication server request.

Authentication server request


The rules in this rule set apply to the authentication server when it manages SAML authentication using an external Identity
Provider. The authentication server processes the SAML authentication response, but does not set the cookie in this rule set.
Cookie authentication is handled by the rules in the Cookie authentication at HTTP(S) rule set instead.

Nested library rule set – Authentication server request

Criteria – Authentication.IsServerRequest equals true

Cycles – Requests (and IM)

This rule set contains the following rules.

Redirect clients that have a valid cookie

Rule element Definition

Criteria Authentication.Authenticate <Authentication Server - Cookie Check> equals true

Action Redirect <Redirect Back From Authentication Server>

Events None

The authentication server redirects users having a valid cookie to the proxy. To change the cookie checking settings used by the
authentication server, click <Authentication Server - Cookie Check>. To provide custom settings for logging purposes, click <Redirect Back
From Authentication Server>.

Prepare fixed ACS URL

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.SAMLUrlRewrite = URL.Protocol + "://" + URL.Host + "- enter your URL here -"

You can configure a static ACS URL for external Identity Providers who do not support dynamic URLs in this rule. If set, this value
must match the ACS URL value configured in the SAML Response settings.

POST SAML authentication request

Rule element Definition

Criteria Command.Name does not match POST

Action Block <SAML request>

Events Set Authentication.SAML.RelayState = URL
Set Authentication.Token = Authentication.SAML.CreateAuthnRequest (User-Defined.SAMLUrlRewrite)<SAML Request>
HTTP.SetStatus (200)

The authentication server sends the RelayState parameter and SAML authentication request in a POST form to the external
Identity Provider. The RelayState parameter saves the value of the authentication server URL at the time the request is created.
The request is created using values configured in the Web Gateway interface. The authentication server then sets the HTTP
status code to 200 (OK). To change the SAML authentication request configuration, click <SAML Request> in this event.

Handle SAML authentication response

Rule element Definition

Criteria Command.Name equals "POST"

Action Continue

Events Set Authentication.Token = Request.POSTForm.Get ("SAMLResponse")
Set Authentication.IsAuthenticated = Authentication.SAML.ParseAuthnResponse ("POST", User-Defined.SAMLUrlRewrite, Authentication.Token) <SAML Response>

This rule retrieves the SAML response in the POST form sent by the external Identity Provider and stores it in the Authentication.Token
property. It parses the response and returns a TRUE value if the response is valid and a FALSE value if it is not. To change the
SAML authentication response configuration, click <SAML Response>.

Block invalid SAML response

Rule element Definition

Criteria Command.Name equals "POST" AND Authentication.IsAuthenticated equals false

Action Block <Authorized Only>

Events None

After the SAML response is parsed, this rule checks the value of the property Authentication.IsAuthenticated. If the property is false, the
SAML response is invalid and processing of the response is blocked. To provide custom settings for logging purposes, click
<Authorized Only>.

Set user name and groups

Rule element Definition

Criteria Always

Action Continue

Events Set Authentication.UserName = Map.GetStringValue (Authentication.SAML.Attributes, "userId")
Set Authentication.UserGroups = String.ToStringList (Map.GetStringValue (Authentication.SAML.Attributes, "userGroup"), ", ", "")

This rule maps the SAML attributes "userId" and "userGroup" to the Authentication.UserName and Authentication.UserGroups properties,
respectively. You can use the rule editor to change the names of the SAML attributes that are mapped to the authentication
properties.

Block empty user name

Rule element Definition

Criteria Authentication.UserName equals ""

Action Block <Authorized Only>

Events None

If the user name property is empty, this rule blocks processing of the response. To provide custom settings for logging purposes,
click <Authorized Only>.

P3P header to permit third party cookies in Internet Explorer

Rule element Definition

Criteria Always

Action Continue

Events Header.Block.Add ("P3P", "CP="NOI CUR OUR STP STA"")

The P3P string is required for the Platform for Privacy Preferences Project (P3P). The string must match the privacy settings in the
user's browser. If the P3P string is not updated as shown in the table and the browser is Internet Explorer, processing fails.

Redirect authenticated client back to proxy

Rule element Definition

Criteria Always

Action Redirect <Redirect Back From Authentication Server>

Events None

According to the final rule in the rule set, the authentication server redirects the authenticated user back to the proxy. To provide
custom settings for logging purposes, click <Redirect Back From Authentication Server>.

Data Loss Prevention (DLP) rule set


The Data Loss Prevention (DLP) rule set is a library rule set. It is used for preventing sensitive content from leaving your network or
inappropriate content from entering it.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.


Complete rules of the Data Loss Prevention (DLP) rule set
When working with the complete rules of the Data Loss Prevention (DLP) rule set, all rules and rule elements of this rule set can be
viewed and configured.

Library rule set – Data Loss Prevention (DLP)

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded objects

The following rule sets are nested in this rule set:


• DLP in Request Cycle
• DLP in Response Cycle
This rule set is not enabled by default.

DLP in Request Cycle


This nested rule set blocks requests that are sent from clients in your network to web servers if it is detected that sensitive
content is involved. For example, a request to upload a file with sensitive content to the web is blocked.

Nested library rule set – DLP in Request Cycle

Criteria – Cycle.TopName equals "Request"

Cycles – Requests (and IM), Embedded objects

The rule set criteria specifies that the rule set applies when a request is processed on the appliance.
The rule set contains the following rules:

Block files with HIPAA information

DLP.Classification.BodyText.Matched <HIPAA> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment ("BlockedByDLPMatch",1)<Default>

The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the request that is currently
processed contains text that is considered to be sensitive content. This text could, for example, be in a file that a request
seeks to upload to the web.

Text is considered to be sensitive content according to the HIPAA health care regulations. Use of the relevant information is
configured as part of the module settings, which are specified after the property name.

If there is sensitive content in the text of a request body, the request is blocked. The settings of the Block action specify a
message to the requesting user.

The rule also uses an event to count blocking due to a data loss prevention match.

Block files with Payment Card Industry information

DLP.Classification.BodyText.Matched <Payment Card Industry> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment ("BlockedByDLPMatch",1)<Default>

The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the request that is currently
processed contains text that is considered to be sensitive content. This text could, for example, be in a file that a request
seeks to upload to the web.


Text is considered to be sensitive content according to the regulations that apply for payment cards. A credit card number
would, for example, be content under these regulations. Whether there is sensitive content in a text is detected using
appropriate information in the same way as for the HIPAA-related rule.

If there is sensitive content in the text of a request body, the request is blocked. The settings of the Block action specify a
message to the requesting user.

The rule also uses an event to count blocking due to a data loss prevention match.

Block files with SOX information

DLP.Classification.BodyText.Matched <SOX> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment ("BlockedByDLPMatch",1)<Default>

The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the request that is currently
processed contains text that is considered to be sensitive content. This text could, for example, be in a file that a request
seeks to upload to the web.

Text is considered to be sensitive content according to the regulations of the Sarbanes-Oxley (SOX) act on public company
accountability. Board meeting minutes would, for example, be sensitive content under this act. Whether there is sensitive
content in a text is detected using appropriate information in the same way as for the HIPAA-related rule.

If there is sensitive content in the text of a request body, the request is blocked. The settings of the Block action specify a
message to the requesting user.

The rule also uses an event to count blocking due to a data loss prevention match.

DLP in Response Cycle


This nested rule set blocks responses that are received on the appliance from web servers if it is detected that they contain
inappropriate content, for example, discriminatory or offensive language.

Nested library rule set – DLP in Response Cycle

Criteria – Cycle.TopName equals "Response"

Cycles – Responses and embedded objects

The rule set criteria specifies that the rule set applies when a response is processed on the appliance.
The rule set contains the following rule:

Acceptable use

DLP.Classification.BodyText.Matched <Acceptable Use> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment ("BlockedByDLPMatch",1)<Default>

The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the response that is currently
processed contains text that is considered to be sensitive content. This text could, for example, be in a file that is sent in
response to a download request.

The module that is called by the rule to find out whether there is inappropriate content in the response body uses
appropriate information from classification lists. Use of these lists is configured as part of the module settings, which are
specified after the property name.


If there is inappropriate content in the text of a response body, the response is blocked. The settings of the Block action
specify a message to the user to whom the response should have been forwarded.

The rule also uses an event to count blocking due to a data loss prevention match.

Data Loss Prevention (DLP) with ICAP for Cloud rule set
The Data Loss Prevention (DLP) with ICAP for Cloud rule set is a library rule set. It is used for data loss prevention in the cloud.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

Complete rules of the Data Loss Prevention (DLP) with ICAP for Cloud rule set
When working with the complete rules of the Data Loss Prevention (DLP) with ICAP for Cloud rule set, all rules and rule elements of this
rule set can be viewed and configured.

Library rule set – Data Loss Prevention (DLP) with ICAP for Cloud

Criteria — URL.Host does not equal "" AND Cycle.TopName equals "Request" AND InTheCloud equals true

Cycles — Requests (and IM), Embedded Objects

The rule set criteria specifies that the rule set applies if all of these criteria match:
• A host name can be found for a URL that is sent in a request to the appliance.
• The processing cycle that is currently performed is the request cycle.
• The rule set is applicable for cloud use.
The rule set contains the following rules.

Skip requests that do not carry information

Body.Size equals 0 AND ListOfString.IsEmpty(URL.Parameters) equals true –> Stop Rule Set

The rule uses the Body.Size property to check whether the body of a request is empty. It also uses the ListOfString.IsEmpty
property to check whether the request has URL parameters.

If both parts of this criteria are matched, that is, the request has neither a body nor URL parameters, processing of the rule
set stops and the request is not forwarded to the ICAP server.

Skip body that is greater than 50 MB

Body.Size greater than 52428800 –> Stop Rule Set

The rule uses the Body.Size property to check whether the body of a request exceeds 50 MB. If it does, processing of
the rule set stops and the request is not forwarded to the ICAP server.

In the rule criteria, the size of a request body that must not be exceeded is specified in bytes (52428800).


Skip all GET requests

Command.Name equals GET –> Stop Rule Set

The rule uses the Command.Name property to check whether the command that is sent with a request is GET. If it is, processing
of the rule set stops and the request is not forwarded to the ICAP server.

This rule is not enabled by default.

Store original authentication method

Always –> Continue – Set User-Defined.Original.Method = Authentication.Method

The rule event always sets the name of the currently used authentication method as the value of a user-defined property to
store it, so it can be restored after this name has temporarily been replaced with "NTLM".

Set authentication method to "NTLM" (for ICAP compatibility)

Authentication.Method does not equal "NTLM" AND Authentication.Method does not equal "LDAP" AND Authentication.Method does not equal "Radius" –> Continue – Set Authentication.Method = "NTLM"

The rule uses the Authentication.Method property to check whether the authentication method that is currently in use is NTLM,
LDAP or Radius. These methods are compatible with using ICAP in a DLP configuration.

If a different method is used, which would not be compatible, the rule event replaces this method with "NTLM" by setting
the value of Authentication.Method accordingly.

Call ReqMod server

ICAP.ReqMod.Satisfaction<ReqMod> equals true –> Stop Cycle

When a request has passed filtering according to the first two rules of the rule set, it is forwarded to the ICAP server. If this
has been done, the value of the ICAP.ReqMod.Satisfaction property is true.

The rule checks whether this is the case for a request and if it is, stops processing the current cycle, as no more processing
of the rules in this cycle is required after forwarding a request to the ICAP server.

Restore original authentication method

Always –> Continue — Set Authentication.Method = User-Defined.Original.Method

The rule event always sets the value of the Authentication.Method property to the name that was stored in the user-defined
property. The name of the authentication method is this way restored to its original value.

The rule is only processed if the preceding rule, which stops processing of the remaining rules in the cycle, has not applied.

This means that no ICAP communication was performed and the original authentication method, which might not be
ICAP-compatible, can be used again.
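To make the control flow of this rule set visible, here is an added Python walk-through of the rules above. It is not McAfee code: the small rule engine, the request dictionary fields, the constructed sample requests and the stand-in for the ICAP.ReqMod.Satisfaction property are all assumptions of this example, chosen so that the Stop Rule Set, Stop Cycle and the NTLM save/restore behaviour can be traced.

```python
"""Trace of the 'Data Loss Prevention (DLP) with ICAP for Cloud' library rule set.

Added illustration, not McAfee code: the rule engine, the request dictionary and
the ICAP stand-in are assumptions made here so the documented control flow
(Stop Rule Set, Stop Cycle, Continue) and the NTLM save/restore can be followed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

CONTINUE, STOP_RULE_SET, STOP_CYCLE = "Continue", "Stop Rule Set", "Stop Cycle"
ICAP_COMPATIBLE = {"NTLM", "LDAP", "Radius"}  # methods the rule set treats as ICAP-compatible
MAX_BODY = 52428800                           # 50 MB in bytes, as in the rule criteria


@dataclass
class Rule:
    name: str
    criteria: Callable[[dict], bool]
    action: str
    event: Callable[[dict], None] = lambda req: None
    enabled: bool = True


def make_request(method: str, body_size: int, auth_method: str,
                 url_params=(), host="storage.example.test", icap_up=True) -> dict:
    """Constructed sample request; the field names are this example's own."""
    return {"method": method, "body_size": body_size, "url_params": list(url_params),
            "auth_method": auth_method, "host": host, "cycle": "Request",
            "in_the_cloud": True, "icap_up": icap_up, "icap_seen_method": None}


def rule_set_applies(req: dict) -> bool:
    # Library rule set criteria: URL.Host not empty AND request cycle AND InTheCloud
    return req["host"] != "" and req["cycle"] == "Request" and req["in_the_cloud"]


def reqmod_satisfaction(req: dict) -> bool:
    """Stand-in for ICAP.ReqMod.Satisfaction<ReqMod>: evaluating the property
    forwards the request to the ICAP server; it is true when that succeeded."""
    req["icap_seen_method"] = req["auth_method"]   # what the ICAP server sees
    return req["icap_up"]


def dlp_icap_for_cloud_rules() -> List[Rule]:
    def store_original(req): req["orig_method"] = req["auth_method"]
    def force_ntlm(req): req["auth_method"] = "NTLM"
    def restore(req): req["auth_method"] = req["orig_method"]
    return [
        Rule("Skip requests that do not carry information",
             lambda r: r["body_size"] == 0 and not r["url_params"], STOP_RULE_SET),
        Rule("Skip body that is greater than 50 MB",
             lambda r: r["body_size"] > MAX_BODY, STOP_RULE_SET),
        Rule("Skip all GET requests", lambda r: r["method"] == "GET",
             STOP_RULE_SET, enabled=False),              # disabled by default
        Rule("Store original authentication method", lambda r: True,
             CONTINUE, store_original),
        Rule("Set authentication method to NTLM",
             lambda r: r["auth_method"] not in ICAP_COMPATIBLE, CONTINUE, force_ntlm),
        Rule("Call ReqMod server", reqmod_satisfaction, STOP_CYCLE),
        Rule("Restore original authentication method", lambda r: True,
             CONTINUE, restore),
    ]


def run_rule_set(rules: List[Rule], req: dict) -> Dict[str, object]:
    """Top-down evaluation with Web Gateway action semantics: Continue moves on,
    Stop Rule Set leaves this rule set, Stop Cycle ends the processing cycle."""
    trace: List[str] = []
    if not rule_set_applies(req):
        return {"outcome": "rule set skipped", "trace": trace}
    for rule in rules:
        if not rule.enabled or not rule.criteria(req):
            continue
        trace.append(rule.name)
        rule.event(req)
        if rule.action != CONTINUE:
            return {"outcome": rule.action, "trace": trace}
    return {"outcome": CONTINUE, "trace": trace}


def process(req: dict) -> Dict[str, object]:
    """Run the rule set and report the outcome plus the authentication method state."""
    result = run_rule_set(dlp_icap_for_cloud_rules(), req)
    result["auth_method"] = req["auth_method"]
    result["icap_seen_method"] = req["icap_seen_method"]
    return result


if __name__ == "__main__":
    for label, req in [
        ("empty GET", make_request("GET", 0, "Kerberos")),
        ("upload, ICAP up", make_request("POST", 4096, "Kerberos")),
        ("upload, ICAP down", make_request("POST", 4096, "Kerberos", icap_up=False)),
    ]:
        print(label, process(req))
```

The third case shows the point the text makes: when the ICAP server was reached, Stop Cycle ends processing before the restore rule, so the method stays "NTLM" for the rest of that cycle; only when no ICAP communication took place is the original method put back.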


Default error handler rule set
The Default error handler rule set is the default rule set for error handling.

Default error handler rule set – Default

Criteria – Always

The following rule sets are nested in this rule set:


• Long Running Connections
• Monitoring
◦ Check CPU Overload
◦ Check Cache Partition
◦ Check Request Overload
• Log File Manager Incidents
• Handle Update Incidents
• Handle License Incidents
• Block on Antimalware Engine Errors
• Block on URL Filter Errors
• Block on All Errors

Long Running Connections


This nested error handler rule set keeps connections alive when a proxy module error occurs.

Nested error handler rule set – Long Running Connections

Criteria – Error.ID equals 20000

The rule set criteria specifies that the rule set applies when the value of the Error.ID property is 20000, which indicates a
malfunction of the proxy module.
The rule set contains the following rule.

Keep connection always alive

Always –> Stop Cycle

When the rule is executed, it stops the current processing cycle. The rule is always executed when the criteria of its rule set
is matched. Stopping the processing cycle prevents the connection from being closed in the course of further rule
processing.

The rule is not enabled by default.

Monitoring
This nested error handler rule set handles measures taken when an incident occurs that involves the appliance system.

Nested error handler rule set – Monitoring

Criteria – Incident.ID equals 5

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 5, which indicates an incident
that involves the appliance system.
The following rule sets are nested in this rule set:
• Check CPU Overload
• Check Cache Partition
• Check Request Overload

Check CPU Overload


This nested error handler rule set handles measures that are taken when the CPU load exceeds a configured value.

Nested error handler rule set – Check CPU Overload

Criteria – Statistics.Counter.GetCurrent(“CPULoad”)<Default> greater than or equals 95

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter.GetCurrent property for CPU load
is 95 or higher. This value indicates the percentage of the maximum load that the CPU is currently running with.
The Statistics module, which provides the value, runs with default settings, as is specified after the CPULoad property parameter.
The rule set contains the following rules.

Create notification message

Always –> Continue – Set User-Defined.loadMessage =
"CPU load at "
+ Number.ToString (Statistics.Counter.GetCurrent("CPULoad")<Default>)
+ "%"

The rule is always executed when the criteria of its rule set is matched.

The rule then uses an event to set a user-defined property to a chain of values that make up a message text about the CPU
overload.

The Continue action lets processing continue with the next rule.

Send SNMP trap and other rules

Always –> Continue – ...

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set criteria is matched.

The rules then use different events for taking measures to make the administrator aware of the CPU overload.

These rules are not enabled by default.

Check Cache Partition


This nested error handler rule set handles measures that are taken when the web cache usage exceeds a configured value.

Nested error handler rule set – Check Cache Partition

Criteria – Statistics.Counter.GetCurrent(“WebCacheDiskUsage”)<Default> greater than or equals 95

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter.GetCurrent property for web
cache usage is 95 or higher. This value indicates the percentage of the maximum allowed usage of the web cache that is currently
in use.
The Statistics module, which provides the value, runs with default settings, as is specified after the WebCacheDiskUsage property
parameter.
The rule set contains the following rules.


Create notification message

Always –> Continue – Set User-Defined.cacheMessage =
"Cache partition usage at "
+ Number.ToString (Statistics.Counter.GetCurrent("WebCacheDiskUsage")<Default>)
+ "%"

The rule is always executed when the criteria of its rule set is matched.

The rule then uses an event to set a user-defined property to a chain of values that make up a message text about the web
cache usage.

The Continue action lets processing continue with the next rule.

Send SNMP trap and other rules

Always –> Continue – ...

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set criteria is matched.

The rules then use different events for taking measures to make the administrator aware of the web cache usage.

These rules are not enabled by default.

Check Request Overload


This nested error handler rule set handles measures that are taken when the number of requests processed on an appliance per
second exceeds a configured value.

Nested error handler rule set – Check Request Overload

Criteria – Statistics.Counter.GetCurrent(“HttpRequests”)<Default> greater than or equals 480000

The rule set criteria specifies that the rule set applies when the value of the Statistics.Counter.GetCurrent property for requests
is 480,000 or higher. This value is the number of requests that are currently processed on an appliance per second.
The Statistics module, which provides the value, runs with default settings, as is specified after the HttpRequests property
parameter.
The rule set contains the following rules.

Create notification message

Always –> Continue – Set User-Defined.requestsPerSecond =
Statistics.Counter.GetCurrent("HttpRequests")<Default>
/ 60
Set User-Defined.requestLoadMessage =
"detected high load: "
+ Number.ToString (User-Defined.requestsPerSecond)
+ " requests per second"

The rule is always executed when the criteria of its rule set is matched.


The rule then uses two events to set user-defined properties. One of these properties is set to the number of requests that
are currently processed on an appliance per second. The other is set to a chain of values that make up a message text about
this number.

The Continue action lets processing continue with the next rule.

Send SNMP trap and other rules

Always –> Continue – ...

The Send SNMP trap rule and other rules in the rule set are always executed when the rule set criteria is matched.

The rules then use different events for taking measures to make the administrator aware of the request overload.

These rules are not enabled by default.

Log File Manager Incidents


This nested error handler rule set handles measures taken when an incident occurs that involves the Log File Manager.

Nested error handler rule set – Log File Manager Incidents

Criteria – Incident.ID greater than or equals 501 AND Incident.ID less than or equals 600

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is within the range of incidents
that involve the Log File Manager.
The rule set contains the following rules.

Create notification message

Incident.ID equals 501 –> Continue – Set User-Defined.notificationMessage =
"License expires in "
+ Number.ToString (License.RemainingDays)
+ " days"

The rule is always executed when the criteria of its rule set is matched.

The rule then uses an event to set a user-defined property to a chain of values that make up a message text on the
remaining number of days for your license.

The Continue action lets processing continue with the next rule.

Create syslog entry

Always –> Continue – ...

The Create syslog entry rule and other rules in the rule set check the value of the Incident.ID property in the same way as
the Create notification message rule and use different events to take measures if this value is 501.

These rules are not enabled by default.

Handle Update Incidents


This nested error handler rule set handles measures taken when an incident occurs that involves the update module.



Nested error handler rule set – Handle Update Incidents

Criteria – Incident.OriginName equals “Updater” OR Incident.ID equals 850 OR Incident.ID equals 851 OR Incident.ID equals 940
OR Incident.ID equals 941 OR Incident.ID equals 1050 OR Incident.ID equals 1051 OR Incident.ID equals 1650 OR Incident.ID equals 1651

The rule set criteria specifies that the rule set applies when the value of the Incident.OriginName property names the update
module or the value of the Incident.ID property is one of those that involve the update module.
The rule set contains the following rules.

Create update incident message

Always –> Continue – Set User-Defined.eventMessage =
    “Update Event triggered [” + Number.ToString (Incident.ID) + “]:” + Incident.Description
    + “; origin:” + Incident.OriginName + “; severity:” + Number.ToString (Incident.Severity)

The rule is always executed when the criteria of its rule set is matched.

The rule then uses an event to set a user-defined property to a chain of values that make up a message text about the
update incident. The message includes values for several incident properties.

The Continue action lets processing continue with the next rule.

Create syslog entry

Always –> Continue – ...

The Create syslog entry rule and other rules in the rule set use different events to take measures if the respective rule
criteria is matched.

These rules are not enabled by default.

Handle License Incidents


This nested error handler rule set handles measures taken when an incident occurs that involves the expiration date of the
license for your appliance.

Nested error handler rule set – Handle License Incidents

Criteria – Incident.ID equals 200

The rule set criteria specifies that the rule set applies when the value of the Incident.ID property is 200, which indicates that the
remaining number of days for your license has been checked.
The rule set contains the following rules.

Create license incident message

Always –> Continue – Set User-Defined.notificationMessage =
    “License expires in ” + Number.ToString (License.RemainingDays) + “ days”

The rule is always executed when the criteria of its rule set is matched, that is, when the value of the Incident.ID property
is 200.

The rule then uses an event to set a user-defined property to a chain of values that make up a message text on the
remaining number of days for your license.

The Continue action lets processing continue with the next rule.

Create syslog entry

Always –> Continue – ...

The Create syslog entry rule and other rules in the rule set use different events to take measures if the respective rule
criteria is matched.

These rules are not enabled by default.

Block on Anti-Malware Errors


This nested error handler rule set blocks access to all web objects when the Anti-Malware module cannot be loaded or is
overloaded.

Nested error handler rule set – Block on Anti-Malware Errors

Criteria – Always

The rule set contains the following rules.

Block if Anti-Malware engine cannot be loaded

Error.ID equals 14000 –> Block<Cannot Load Anti-Malware>

The rule blocks access to all web objects when the value of the Error.ID property is 14000, which indicates an error that
prevents the Anti-Malware module (also known as engine) from loading.

The action settings specify a message to a requesting user.

Block if Anti-Malware engine is overloaded

Error.ID equals 14001 –> Block<Anti-Malware Engine Overloaded>

The rule blocks access to all web objects when the value of the Error.ID property is 14001, which indicates all connections to
the Anti-Malware module (also known as engine) are currently in use and the module is overloaded.

The action settings specify a message to a requesting user.

Block on URL Filter Errors


This nested error handler rule set blocks access to all web objects when the URL Filter module cannot be loaded or another error
regarding this module occurs.



Nested error handler rule set – Block on URL Filter Errors

Criteria – Error.ID greater than or equals 15000 AND Error.ID less than or equals 15999

The rule set criteria specifies that the rule set applies when the value of the Error.ID property lies within the specified range,
which is the range for errors related to URL filtering.
The rule set contains the following rules.

Block if the URL Filter engine cannot be loaded

Error.ID equals 15000 OR Error.ID equals 15002 OR Error.ID equals 15004 OR Error.ID equals 15005 –> Block<Cannot Load URL Filter>

The rule blocks all requests for web access when the value of the Error.ID property is one of those specified in the rule
criteria. These values indicate errors that prevent the URL Filter module (also known as engine) from loading.

The action settings specify a message to a requesting user.

Block all other internal URL Filter errors

Always –> Block<Internal URL Filter Error>

The rule is always executed when its rule set applies and the rule preceding it in the rule set has not been executed. The
rule then blocks all requests for web access.

The action settings specify a message to a requesting user.

Block on All Errors


This nested error handler rule set blocks access to all web objects when an internal error occurs on the appliance.

Nested error handler rule set – Block on All Errors

Criteria – Always

The rule set contains the following rule.

Always block

Always –> Block<Internal Error>

The rule blocks access to all web objects when an internal error occurs.

The action settings specify a message to a user who requested access.

The rule in this rule set is for handling internal errors on the appliance. It is executed when an internal error occurs, which
cannot be predicted and can happen at any time during the filtering process, or not at all. In this sense, processing the rule
is not part of the normal process flow.

After executing the blocking, the rule stops all further processing of rules for the requests, responses, or embedded objects
that were being filtered when the internal error occurred.

This way it is ensured that no malicious or inappropriate web objects enter your network or leave it while the appliance is
not fully available.



The process flow continues when the next request is received if the internal error did not lead to a general interruption of
the appliance functions.

Enable Opener rule set


The Enable Opener rule set is the default rule set for handling file opening on Web Gateway.

Key elements of the Enable Opener rule set


The key elements of the Enable Opener rule set include settings for file opening and several block options.

Key elements of the Enable Opener rule set

Option Definition

Composite Opener settings    Clicking Edit makes the Composite Opener settings available for editing.

Block encrypted media types  When selected, a rule is enabled that blocks encrypted media types.

Block multipart media types  When selected, a rule is enabled that blocks multipart media types.

Block corrupted media types  When selected, a rule is enabled that blocks corrupted media types.

Complete rules of the Enable Opener rule set


The Enable Opener rule set includes the following rules.

Default rule set – Enable Opener

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

Enable Composite Opener

Always –> Continue – Enable Composite Opener <Default>

The rule uses the Enable Composite Opener event to enable the Composite Opener on Web Gateway for file opening.

The opener is enabled with the Default settings.

Block encrypted media types

Body.IsEncryptedObject equals true –> Block<Not Supported Archive>

The rule uses the Body.IsEncryptedObject property to check whether a requested media type is encrypted.

If it is, the web object is blocked and not passed on, because an encrypted archive cannot be opened and scanned.

The action settings specify a message to the requesting user.



Block multipart media types

Body.IsMultiPartObject equals true –> Block<Multipart Archive>

The rule uses the Body.IsMultiPartObject property to check whether a requested media type is a multipart object.

If it is, the web object is blocked and not passed on, because only one part of the archive is available for opening and scanning.

The action settings specify a message to the requesting user.

Block corrupt media types

Body.IsCorruptedObject equals true –> Block<Media Type (Common)>

The rule uses the Body.IsCorruptedObject property to check whether a requested media type is a corrupted object.

If it is, the web object is blocked and not passed on, because a corrupted archive cannot be opened and scanned reliably.

The action settings specify a message to the requesting user.
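The following Python code is an added example and is not part of this guide or of the Composite Opener. It shows, for the ZIP format, the three conditions the block rules above react to, read directly from the archive structures: the encryption bit in a member's general-purpose flags (what Body.IsEncryptedObject reports), a non-zero disk number in the end-of-central-directory record, which marks a split archive (Body.IsMultiPartObject), and a truncated structure or a CRC mismatch (Body.IsCorruptedObject). The sample archives are constructed in memory and patched to exhibit each defect; how the opener itself derives these properties is not documented here and is not claimed.

```python
"""ZIP checks matching the Enable Opener block rules (added example, not McAfee code)."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001          # bit 0 of the general-purpose bit flag


def classify_archive(data: bytes) -> str:
    """Return 'ok', 'encrypted', 'multipart' or 'corrupted' for a ZIP object."""
    eocd = data.rfind(EOCD_SIG)
    if not data.startswith(LOCAL_HEADER_SIG) or eocd < 0 or len(data) < eocd + 22:
        return "corrupted"                              # truncated, or not a ZIP at all
    this_disk, cd_disk = struct.unpack_from("<HH", data, eocd + 4)
    if this_disk != 0 or cd_disk != 0:
        return "multipart"                              # the other parts are not in this object
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(info.flag_bits & FLAG_ENCRYPTED for info in zf.infolist()):
                return "encrypted"                      # members cannot be opened for scanning
            if zf.testzip() is not None:                # reads every member and checks its CRC
                return "corrupted"
    except zipfile.BadZipFile:
        return "corrupted"
    return "ok"


def make_sample(*, encrypted=False, multipart=False, corrupt_payload=False, truncate=0) -> bytes:
    """Build a one-member archive (constructed sample), then patch in the requested defect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", b"hello")
    d = bytearray(buf.getvalue())
    if encrypted:                                       # set bit 0 in the local and central headers
        cd = d.find(CENTRAL_DIR_SIG)
        for off in (6, cd + 8):
            struct.pack_into("<H", d, off, struct.unpack_from("<H", d, off)[0] | FLAG_ENCRYPTED)
    if multipart:                                       # "this disk" and "disk of CD start" become 1
        struct.pack_into("<HH", d, d.rfind(EOCD_SIG) + 4, 1, 1)
    if corrupt_payload:                                 # stored data no longer matches its CRC
        i = d.find(b"hello")
        d[i:i + 5] = b"hellp"
    if truncate:
        d = d[:-truncate]
    return bytes(d)
```

The encryption flag is checked before testzip() because reading an encrypted member without a password raises instead of reporting a CRC error; checking the disk numbers first avoids handing a split archive to the parser at all.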

Gateway Anti-Malware rule set


The Gateway Anti-Malware rule set is the default rule set for anti-malware filtering.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create rules in this view.

Key elements of the Gateway Anti-Malware rule set


The key elements of the Gateway Anti-Malware rule set deal with important parts of the anti-malware filtering process.

Bypass Scanning for These Agents and Hosts


Key elements for bypassing scanning by the Anti-Malware module.

Bypass scanning for these agents and hosts

Option Definition

User agent whitelist   Clicking Edit opens a window to let you edit the User Agent Whitelist that is used by a rule.
You can add, modify, and remove entries on the list.

URL host whitelist     Clicking Edit opens a window to let you edit the URL Host Whitelist that is used by a rule.
You can add, modify, and remove entries on the list.

Scanning Options
Key elements for the scanning activities of the Anti-Malware module.



Scanning Options

Option Definition

Remove partial content for HTTP requests   When selected, a rule is enabled that removes the specification in an HTTP or HTTPS
request for accessing only a part of the content of a web object and lets the request ask for the complete content.
If a web object, for example, a file, is delivered completely by the web server in question, it can also be scanned
completely on Web Gateway. A complete scan can detect infections that might not be noticed if only a part of the web
object was scanned.

Block partial content for FTP requests     When selected, a rule is enabled that blocks FTP requests for access to only a part
of the content of a web object.
Under the FTP protocol, it is not possible to remove a specification in a request for access to only a part of the content
of a web object. For this reason it might be advisable to block such requests.

Use the Media Stream Scanner               When selected, the Media Stream Scanner scans and delivers web objects that are
streaming media chunk-by-chunk, to speed up the process.
The proactive functions of the McAfee Gateway Anti-Malware engine are used for the scanning, but the other engines that
are available for this purpose on Web Gateway are not involved.

Gateway Anti-Malware Settings


Key elements for configuring the settings of the Anti-Malware module.

Gateway Anti-Malware Settings

Option Definition

Enable Anti-Malware scanning   When selected, a rule is enabled that calls the Anti-Malware module, which scans web objects for
infections by viruses and other malware.

Settings                       Clicking Edit opens a window to let you edit the settings for the Anti-Malware module.

Complete rules of the Gateway Anti-Malware rule set


When working with the complete rules of the Gateway Anti-Malware rule set, all rules and rule elements of this rule set can be viewed
and configured.

Default rule set – Gateway Anti-Malware

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

The rule set contains the following rules.



Allow if user agent matches User Agent Whitelist

Header.Request.Get (“User-Agent”) matches in list User Agent Whitelist –> Stop Rule Set

The rule uses the Header.Request.Get property to check the user agent information that is sent with the header of a request.

If the user agent in question is on the specified whitelist, processing of the rule set stops, so the blocking rule at the end of
the rule set is not processed.

A parameter of the property specifies that it is the user agent information that must be checked when the rule is processed.

This rule is not enabled by default.

Note: Using this rule alone for whitelisting causes a security problem, because a client can send any User-Agent header it
likes. A whitelisted user agent string can therefore be spoofed to bypass anti-malware scanning. Combine it with a criterion
the client cannot influence, such as Client.IP or URL.Host.

Allow URL host that matches in list Anti-Malware URL Whitelist

URL.Host matches in list Anti-Malware URL Whitelist –> Stop Rule Set

The rule uses the URL.Host property to check whether a given URL matches one of the entries on the specified whitelist.

If it does, processing of the rule set stops and the blocking rule at the end of the rule set is not processed.

You can use this rule to exempt web traffic from filtering when the hosts of the URLs involved are well-known web servers
for which it is safe to assume that they spread no viruses and other malware.

Whitelisting increases performance because it avoids the effort of scanning the respective web objects.

Remove partial content for HTTP requests

Cycle.TopName equals “Request” AND (Connection.Protocol equals “http” OR Connection.Protocol equals “https”) –> Continue – Header.RemoveAll (“Range”)

The rule uses the Cycle.TopName and Connection.Protocol properties to check whether the current processing cycle is the
request cycle and whether a request is sent in HTTP or HTTPS mode.

If this is the case, the Header.RemoveAll event modifies the request by removing the specification that only partial content is
requested. A request for complete content is then forwarded to the relevant web server and eventually received from there,
so that the complete content of a web object can be processed on the appliance.

For example, a complete archive can be opened and scanned for viruses and other malware. Malicious content that is
distributed over several parts of a file can be detected by scanning the complete file, while it could go unnoticed if only parts
of the file were scanned.

The Continue action lets processing continue with the next rule.

Block partial content for FTP requests

Cycle.TopName equals “Request” AND Connection.Protocol equals “ftp” AND Command.Categories contains “Partial” –> Block<Partial Content Not Allowed>



The rule uses the Cycle.TopName, Connection.Protocol, and Command.Categories properties to check whether the current
processing cycle is the request cycle, the request is sent in FTP mode, and the command category used for the FTP transfer
contains Partial as a string.

This allows Web Gateway to detect an FTP request for partial content and block it.

Unlike an HTTP or HTTPS request, an FTP request for partial content cannot be modified to make it a request for complete
content. Accepting partial content on the appliance would, however, raise the same security problem that is explained for
the preceding rule, which removes the Range header from HTTP and HTTPS requests: malicious content that is distributed over
several parts of a file can go unnoticed when only a part is scanned. Blocking the request is therefore the remaining option.

The action settings specify a message to the requesting user.

Start Media Stream Scanner on streaming media and skip anti-malware scanning

Cycle.Name equals "Response" AND StreamDetector.IsMediaStream<Default Streaming Detection> equals true –> Stop Rule Set –
Enable Media Stream Scanner

The rule uses the Cycle.Name property to check whether processing is in the response cycle and the
StreamDetector.IsMediaStream property to check whether the web object that is sent in response to Web Gateway is
streaming media.

If both are the case, processing of the rule set stops, so the remaining rule is not processed, and an event is used to start
the Media Stream Scanner.

Block if virus was found

Antimalware.Infected<Gateway Anti-Malware> equals true –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default>

The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware.

When the Anti-Malware module is called to scan the object, it runs with the Gateway Anti-Malware settings, as specified with
the property. These settings let the module use all its three submodules and their methods to scan web objects.

If the module finds that a web object is infected, processing of all rules stops and the object is not passed on further. Access
to it is blocked this way.

In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is
not passed on to the user who requested it.

The action settings specify a message to this user.

The rule also uses an event to count blocking due to virus and malware infections.

The event parameters specify the counter that is incremented and the size of the increment. The event settings specify the
settings of the Statistics module, which executes the counting.

Gateway Anti-Malware with TIE rule set


The Gateway Anti-Malware with TIE rule set is a library rule set for integrating anti-malware filtering on Web Gateway with information
retrieved from a TIE server.



Library rule set – Gateway Anti-Malware with TIE

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

The rule set contains the rules that are also contained in the default Gateway Anti-Malware rule set, as well as the following rules,
which are needed to enable the integrated filtering.
Note: This rule set is provided only in the complete rules view.

TIE - Trusted reputations

MediaType.EnsuredTypes at least one in list Executables AND TIE.Filereputation<TIE Reputations> greater than or equals 70
AND TIE.Filereputation<TIE Reputations> less than or equals 99 –> Stop Rule Set

The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in
a list.

It also uses the TIE.Filereputation property to check whether the file reputation score for this object, which is retrieved from a
TIE server, is between 70 and 99. This score means that the object is not considered malicious.

When the TIE.Filter module is called to retrieve the file reputation, it runs with the TIE Reputations settings, as specified with the
property.

If all parts of the criteria match, processing of the rule set stops and the rules that follow this rule in the rule set are skipped.

Skipping these rules means that the object is not scanned and filtered by the submodules of the Anti-Malware module on Web
Gateway, which include the Gateway Anti-Malware (GAM) and Avira engines.

TIE - Unknown reputations

TIE.Filereputation<TIE Reputations> equals 50 AND TIE.Filereputation<TIE Reputations> greater than 0 –> Continue

The rule uses the TIE.Filereputation property to check whether the file reputation score for this object, which is retrieved from a
TIE server, equals 50, which means the reputation is not known.

When the TIE.Filter module is called to retrieve the file reputation, it runs with the TIE Reputations settings, as specified with the
property.

If the criteria matches, processing continues, which means the rule does not take any particular action on objects with
unknown reputations.

This rule is not enabled by default.

TIE - Malicious reputations

TIE.Filereputation<TIE Reputations> less than or equals 30 AND TIE.Filereputation<TIE Reputations> greater than 0 –> Block<TIE Reputation>

The rule uses the TIE.Filereputation property to check whether the file reputation score for this object, which is retrieved from a
TIE server, is greater than 0 and at most 30, which means the object is considered malicious.

When the TIE.Filter module is called to retrieve the file reputation, it runs with the TIE Reputations settings, as specified with the
property.

154 McAfee Web Gateway 8.0.x Interface Reference Guide


If both parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is
blocked this way.

In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is
not passed on to the user who requested it. The action settings specify a message to this user.

This rule is not enabled by default.

Block if virus was found

MediaType.EnsuredTypes at least one in list Executables AND Antimalware.Infected<Gateway Anti-Malware with TIE> equals true
AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> greater than or equals 60
AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> less than 80
–> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default> – TIE: Report File Reputation (30)

The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in
a list.

It also uses the Antimalware.Infected and Antimalware.Proactive.Probability properties to find out whether this object is infected by a
virus or other malware and whether the probability that it is infected is at least 60 and below 80, which means it is likely that
it is malicious.

When the Anti-Malware module is called to scan the object and rate its malware probability, it runs with the Gateway Anti-Malware
with TIE settings, as specified with the properties.

These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and
their methods to scan web objects.

If all parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked
this way.

In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is
not passed on to the user who requested it. The action settings specify a message to this user.

The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the
counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module,
which executes the counting.

The rule uses another event to notify the TIE server that there is a high probability that the scanned object is malicious.
Corresponding to this high probability grade, a low reputation score is sent to the TIE server.

Block if virus was found

MediaType.EnsuredTypes at least one in list Executables AND Antimalware.Infected<Gateway Anti-Malware with TIE> equals true
AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> greater than or equals 80
AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> less than 90
–> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default> – TIE: Report File Reputation (15)

The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in
a list.

It also uses the Antimalware.Infected and Antimalware.Proactive.Probability properties to find out whether this object is infected by a
virus or other malware and whether the probability that it is infected is at least 80 and below 90, which means it is very likely
that it is malicious.



When the Anti-Malware module is called to scan the object and rate its malware probability, it runs with the Gateway Anti-Malware
with TIE settings, as specified with the properties.

These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and
their methods to scan web objects.

If all parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked
this way.

In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is
not passed on to the user who requested it. The action settings specify a message to this user.

The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the
counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module,
which executes the counting.

The rule uses another event to notify the TIE server that there is a very high probability that the scanned object is malicious.
Corresponding to this very high probability grade, a very low reputation score is sent to the TIE server.

Block if virus was found

MediaType.EnsuredTypes at least one in list Executables AND Antimalware.Infected<Gateway Anti-Malware with TIE> equals true
AND Antimalware.Proactive.Probability<Gateway Anti-Malware with TIE> greater than or equals 90
–> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default> – TIE: Report File Reputation (1)

The rule uses the MediaType.EnsuredTypes property to check whether a given web object is an executable file by looking it up in
a list.

It also uses the Antimalware.Infected and Antimalware.Proactive.Probability properties to find out whether this object is infected by a
virus or other malware and whether the probability that it is infected is 90 or higher, which means it is almost certain that it
is malicious.

When the Anti-Malware module is called to scan the object and rate its malware probability, it runs with the Gateway Anti-Malware
with TIE settings, as specified with the properties.

These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and
their methods to scan web objects.

If all parts of the criteria match, processing of all rules stops and the object is not passed on further. Access to it is blocked
this way.

In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is
not passed on to the user who requested it. The action settings specify a message to this user.

The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the
counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module,
which executes the counting.

The rule uses another event to notify the TIE server that it is almost sure that the scanned object is malicious.
Corresponding to this extremely high probability grade, an extremely low reputation score is sent to the TIE server.

Block if virus was found



Antimalware.Infected<Gateway Anti-Malware with TIE> equals true –> Block<Virus Found> – Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default>

The rule uses the Antimalware.Infected property to check whether a given web object is infected by a virus or other malware.

When the Anti-Malware module is called to scan the object, it runs with the Gateway Anti-Malware with TIE settings, as specified with
the property.

These settings let the module use both its submodules, the Gateway Anti-Malware (GAM) engine and the Avira engine, and
their methods to scan web objects.

If the module finds that a web object is infected, processing of all rules stops and the object is not passed on further. Access
to it is blocked this way.

In a request cycle, the infected web object is not passed on to the web. In the response and embedded object cycles, it is
not passed on to the user who requested it. The action settings specify a message to this user.

The rule also uses an event to count blocking due to virus and malware infections. The event parameters specify the
counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module,
which executes the counting.

Note: The rule does not notify the TIE server of any scanning results.
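The following Python function is an added example and is not part of this guide or of Web Gateway. It walks the TIE rules above in their order with the thresholds they use, so that the precedence becomes visible: a trusted reputation skips the local scan entirely, only executables feed a reputation back to TIE, and an infected executable whose proactive probability is below 60 is still blocked by the last rule but reports nothing. The TIE server is a constructed stand-in (a dictionary keyed by file hash, unknown files scoring 50) so that a reputation reported by one block rule can be seen on the next lookup of the same file. Because the Unknown and Malicious reputation rules are disabled by default, the malicious rule sits behind a flag that defaults to off.

```python
"""Decision logic of the Gateway Anti-Malware with TIE rule set (added example, not McAfee code)."""
from typing import Dict, NamedTuple, Optional


class Verdict(NamedTuple):
    action: str                  # "Stop Rule Set", "Continue" or "Block"
    reported: Optional[int]      # reputation sent by "TIE: Report File Reputation", None if none


class TieServer:
    """Constructed stand-in for the TIE server; files it has never seen score 50 (unknown)."""
    def __init__(self, known: Dict[str, int]):
        self.reputation = dict(known)

    def lookup(self, sha256: str) -> int:
        return self.reputation.get(sha256, 50)

    def report(self, sha256: str, score: int) -> None:
        self.reputation[sha256] = score


def tie_rules(tie: TieServer, sha256: str, is_executable: bool, infected: bool,
              proactive_probability: int, block_malicious_reputation: bool = False) -> Verdict:
    """Walk the rule set top to bottom; the first matching terminal rule decides."""
    rep = tie.lookup(sha256)
    # TIE - Trusted reputations: a known-good executable skips local scanning entirely.
    if is_executable and 70 <= rep <= 99:
        return Verdict("Stop Rule Set", None)
    # TIE - Unknown reputations (rep == 50) only continues, so it changes nothing here.
    # TIE - Malicious reputations: block on reputation alone (disabled by default).
    if block_malicious_reputation and 0 < rep <= 30:
        return Verdict("Block", None)
    # Local scan. Scores between 31 and 69 other than 50 also end up here.
    if not infected:
        return Verdict("Continue", None)
    if is_executable:
        if 60 <= proactive_probability < 80:
            score = 30
        elif 80 <= proactive_probability < 90:
            score = 15
        elif proactive_probability >= 90:
            score = 1
        else:
            return Verdict("Block", None)   # infected but below 60: last rule, no report
        tie.report(sha256, score)
        return Verdict("Block", score)
    return Verdict("Block", None)           # last rule: any other infected object, no report
```

Once an executable has been reported with score 15, a second request for the same hash from any client is decided by the reputation alone, provided the malicious reputation rule has been enabled; with that rule left at its default, the object is scanned again and blocked by the scan.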

Global Whitelist rule set


The Global Whitelist rule set is the default rule set for global whitelisting.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

Complete rules of the Global Whitelist rule set


When working with the complete rules of the Global Whitelist rule set, all rules and rule elements of this rule set can be viewed and
configured.

Default rule set – Global Whitelist

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

The rule set contains the following rules.

Client IP is in list Allowed Clients

Client.IP is in list Allowed Clients –> Stop Cycle

The rule uses the Client.IP property to check whether the IP address of a client that a request was sent from is on the
specified whitelist.



If it is, the rule applies and stops the current processing cycle. The request is then forwarded to the appropriate web server.

URL.Host matches in list Global Whitelist

URL.Host matches in list Global Whitelist –> Stop Cycle

The rule uses the URL.Host property to check whether the host that a URL sent in a request provides access to is on the
specified whitelist.

If it is, the rule applies and stops the current processing cycle. The request is then forwarded to the web server that is the
requested host.
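The actions used by the Global Whitelist and Gateway Anti-Malware rule sets behave differently when they match, and the difference decides what is scanned: Stop Rule Set skips the remaining rules of the current rule set only, Stop Cycle skips every rule set that follows in the cycle, and Block ends processing and answers the user. The Python model below is an added example, not McAfee code; it re-creates both rule sets with constructed list contents, a stand-in scanner, and a fail-closed block when the scanner raises, as the Block on All Errors handler does. The order Global Whitelist before Gateway Anti-Malware is assumed. The model also shows the caveats from the sections above: a client on Allowed Clients or a whitelisted host is never scanned, a Range header is removed from HTTP requests while an FTP partial request is blocked, and a spoofed User-Agent bypasses scanning when the user agent rule is enabled.

```python
"""Toy model of Web Gateway rule processing (added example, not McAfee code).

Models the actions Continue, Stop Rule Set, Stop Cycle and Block, the events
Header.RemoveAll and Statistics.Counter.Increment, and a fail-closed block when
the scanner raises. List contents, scanner and transactions are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CONTINUE, STOP_RULE_SET, STOP_CYCLE, BLOCK = "Continue", "Stop Rule Set", "Stop Cycle", "Block"


@dataclass
class Tx:
    """Properties of one transaction that the modelled rules read or write."""
    cycle: str                               # Cycle.TopName: "Request" or "Response"
    protocol: str                            # Connection.Protocol: "http", "https" or "ftp"
    client_ip: str                           # Client.IP
    host: str                                # URL.Host
    headers: Dict[str, str] = field(default_factory=dict)   # request headers
    ftp_partial: bool = False                # Command.Categories contains "Partial"
    infected: Optional[bool] = False         # scanner verdict; None = engine cannot load
    scanned: bool = False                    # set once the scanner stand-in has run
    counters: Dict[str, int] = field(default_factory=dict)  # Statistics counters


@dataclass
class Rule:
    name: str
    criteria: Callable[[Tx], bool]
    action: str
    message: str = ""                        # block message shown to the user
    event: Optional[Callable[[Tx], None]] = None
    enabled: bool = True


# Constructed list contents; the real lists are maintained in the user interface.
ALLOWED_CLIENTS = {"10.0.0.5"}
GLOBAL_WHITELIST = {"updates.example.com"}
AM_URL_WHITELIST = {"cdn.example.org"}
UA_WHITELIST = {"CorpUpdater/1.0"}


def scan(tx: Tx) -> bool:
    """Stand-in for Antimalware.Infected; raises like an engine that cannot be loaded."""
    if tx.infected is None:
        raise RuntimeError("Error.ID 14000: Anti-Malware engine cannot be loaded")
    tx.scanned = True
    return tx.infected


def increment(counter: str) -> Callable[[Tx], None]:
    """Statistics.Counter.Increment(counter, 1)."""
    def event(tx: Tx) -> None:
        tx.counters[counter] = tx.counters.get(counter, 0) + 1
    return event


def remove_range(tx: Tx) -> None:
    """Header.RemoveAll("Range"); HTTP header names are case-insensitive."""
    for name in [h for h in tx.headers if h.lower() == "range"]:
        del tx.headers[name]


GLOBAL_WHITELIST_RULES = [
    Rule("Client IP is in list Allowed Clients", lambda tx: tx.client_ip in ALLOWED_CLIENTS, STOP_CYCLE),
    Rule("URL.Host matches in list Global Whitelist", lambda tx: tx.host in GLOBAL_WHITELIST, STOP_CYCLE),
]


def gateway_anti_malware_rules(ua_rule_enabled: bool = False) -> List[Rule]:
    """The rules of the Gateway Anti-Malware rule set, in the order of the page."""
    return [
        Rule("Allow if user agent matches User Agent Whitelist",
             lambda tx: tx.headers.get("User-Agent") in UA_WHITELIST, STOP_RULE_SET, enabled=ua_rule_enabled),
        Rule("Allow URL host that matches in list Anti-Malware URL Whitelist",
             lambda tx: tx.host in AM_URL_WHITELIST, STOP_RULE_SET),
        Rule("Remove partial content for HTTP requests",
             lambda tx: tx.cycle == "Request" and tx.protocol in ("http", "https"), CONTINUE, event=remove_range),
        Rule("Block partial content for FTP requests",
             lambda tx: tx.cycle == "Request" and tx.protocol == "ftp" and tx.ftp_partial,
             BLOCK, "Partial Content Not Allowed"),
        Rule("Block if virus was found", scan, BLOCK, "Virus Found", event=increment("BlockedByAntiMalware")),
    ]


def run_cycle(tx: Tx, rule_sets: List[List[Rule]]) -> Tuple[str, str]:
    """Process the rule sets of one cycle in order; return (final action, block message)."""
    for rules in rule_sets:
        for rule in rules:
            if not rule.enabled:
                continue
            try:
                matched = rule.criteria(tx)
            except RuntimeError:
                return BLOCK, "Internal Error"       # Block on All Errors: fail closed
            if not matched:
                continue
            if rule.event:
                rule.event(tx)
            if rule.action == STOP_RULE_SET:
                break                                # skip the rest of this rule set only
            if rule.action == STOP_CYCLE:
                return STOP_CYCLE, ""                # skip every rule set that follows in the cycle
            if rule.action == BLOCK:
                return BLOCK, rule.message
    return CONTINUE, ""


def decide(tx: Tx, ua_rule_enabled: bool = False) -> Tuple[str, str]:
    """Assumed policy order: Global Whitelist first, then Gateway Anti-Malware."""
    return run_cycle(tx, [GLOBAL_WHITELIST_RULES, gateway_anti_malware_rules(ua_rule_enabled)])
```

Calling decide() on an infected response for a client on Allowed Clients returns Stop Cycle without the scanner ever running; the same response for any other client is blocked with Virus Found and increments BlockedByAntiMalware. An object from a host on the Anti-Malware URL Whitelist is also passed unscanned, which is why both lists deserve the same care as a firewall exception.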

Media Type Filtering rule set


The Media Type Filtering rule set is the default rule set for media type filtering.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete all existing rules, as well as create new rules in this view.

Key elements of the Media Type Filtering rule set


The key elements of the Media Type Filtering rule set deal with important parts of the media type filtering process.

Block Media Types in Uploads


Key elements for filtering media that are uploaded to the web

Block Media Types in Uploads

Option Definition

Media types to block Clicking Edit opens a window to let you edit the Upload Media Type
Block List that is used by a rule.
You can add, modify, and remove entries on the list.

Block Media Types in Downloads


Key elements for filtering media that are downloaded from the web

Block Media Types in Downloads

Option Definition

Media types to block Clicking Edit opens a window to let you edit the Download Media
Type Block List that is used by a rule.
You can add, modify, and remove entries on the list.

Block undetectable media types When selected, a rule is enabled that blocks media if no type
could be detected for them.

Block unsupported media types When selected, a rule is enabled that blocks media if it
belongs to a type that cannot be handled on Web Gateway.

Block multimedia When selected, a rule is enabled that blocks media if it
belongs to the multimedia type.

Block streaming media When selected, a rule is enabled that blocks media if it is
streaming media.

Complete rules of the Media Type Filtering rule set


When working with the complete rules of the Media Type Filtering rule set, all rules and rule elements of this rule set can be viewed
and configured.

Library rule set – Media Type Filtering

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

The following rule sets are nested in this rule set:

• Upload Media Type
This rule set is not enabled by default.
• Download Media Type

Upload Media Type

This nested rule set blocks the upload of media belonging to particular media types. It is processed in request cycles when
users request to upload media to the web, as well as in embedded object cycles when objects are embedded in media.

Nested library rule set – Upload Media Type

Criteria – Always

Cycles – Requests (and IM), Embedded Objects

The rule set contains the following rule:

Block types from list Upload Media Type Blocklist

Media.TypeEnsuredTypes at least one in list Upload Media Type Blocklist –> Block<Media Type (Block List)> —
Statistics.Counter.Increment ("BlockedByMediaFilter", 1)<Default>

The rule uses the Media.TypeEnsuredTypes property to check whether media whose type has been ensured belong to a type
that is on the specified list. If they do, access to the media type is blocked and processing of the rules stops.

The rule uses an event to count blocking due to media type filtering. The event parameters specify the counter that is
incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes
the counting.

Processing continues with the next request that is received on the appliance.

Download Media Type

This nested rule set blocks the download of media belonging to particular media types. It is processed in response cycles
when web servers send media in response to user requests for downloading them, as well as in embedded object cycles
when objects are embedded in media.

Nested library rule set – Download Media Type

Criteria – Always

Cycles – Responses, Embedded Objects

The rule set contains the following rule.

Block types from list Download Media Type Blocklist

Media.TypeEnsuredTypes at least one in list Download Media Type Blocklist –> Block<Media Type (Block List)> —
Statistics.Counter.Increment ("BlockedByMediaFilter", 1)<Default>

The rule uses the Media.TypeEnsuredTypes property to check whether media whose type has been ensured belong to a type
that is on the specified list. If they do, access to the media type is blocked and processing of the rules stops.

The rule uses an event to count blocking due to media type filtering. The event parameters specify the counter that is
incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes
the counting.

Processing continues with the next request that is received on the appliance.
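As an added illustration (not McAfee code) of how the rule sets above combine, the following Python models the cycle, criteria, action and event semantics described for the Global Whitelist and Media Type Filtering rule sets and runs both on constructed transactions; the list contents, client IP addresses, host names and media type names are made-up sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple, Union

# Rule actions as the guide names them
CONTINUE, STOP_CYCLE, STOP_RULE_SET, BLOCK = "Continue", "Stop Cycle", "Stop Rule Set", "Block"


@dataclass
class Transaction:
    """Properties a rule can read during one processing cycle."""
    cycle: str                                              # "Requests", "Responses" or "Embedded Objects"
    client_ip: str                                          # Client.IP
    url_host: str                                           # URL.Host
    media_types: List[str] = field(default_factory=list)    # Media.TypeEnsuredTypes
    counters: Dict[str, int] = field(default_factory=dict)  # counters kept by the Statistics module


@dataclass
class Rule:
    name: str
    criteria: Callable[[Transaction], bool]
    action: str
    events: List[Callable[[Transaction], None]] = field(default_factory=list)


@dataclass
class RuleSet:
    """Criteria is "Always" for every rule set on this page, so only the cycles are modelled."""
    name: str
    cycles: List[str]
    items: List[Union[Rule, RuleSet]] = field(default_factory=list)  # rules and nested rule sets, in order
    enabled: bool = True


def counter_increment(name: str, step: int) -> Callable[[Transaction], None]:
    """Models the event Statistics.Counter.Increment(name, step)."""
    def event(tx: Transaction) -> None:
        tx.counters[name] = tx.counters.get(name, 0) + step
    return event


def run_rule_set(rs: RuleSet, tx: Transaction, trace: List[str]) -> str:
    """Evaluate one rule set for the current cycle. Returns STOP_CYCLE or BLOCK when processing
    of the cycle ended inside this rule set (or a nested one), otherwise CONTINUE; a Stop Rule Set
    only leaves the rule set it occurs in, so the enclosing rule set keeps going."""
    if not rs.enabled or tx.cycle not in rs.cycles:
        return CONTINUE
    for item in rs.items:
        if isinstance(item, RuleSet):
            outcome = run_rule_set(item, tx, trace)
            if outcome != CONTINUE:
                return outcome
            continue
        if not item.criteria(tx):
            continue                                # criteria not met: the rule does not apply
        trace.append(f"{rs.name} / {item.name} -> {item.action}")
        for event in item.events:                   # events run whenever the rule applies
            event(tx)
        if item.action == STOP_RULE_SET:
            return CONTINUE
        if item.action != CONTINUE:
            return item.action
    return CONTINUE


# Constructed sample contents for the named lists the rules refer to
ALLOWED_CLIENTS = {"10.1.2.3"}
GLOBAL_WHITELIST_HOSTS = {"updates.example.com"}
UPLOAD_MEDIA_TYPE_BLOCKLIST = {"application/x-msdownload"}
DOWNLOAD_MEDIA_TYPE_BLOCKLIST = {"application/x-msdownload", "application/x-shockwave-flash"}


def at_least_one_in(blocklist: set) -> Callable[[Transaction], bool]:
    """Models the operator 'at least one in list' applied to Media.TypeEnsuredTypes."""
    return lambda tx: any(media_type in blocklist for media_type in tx.media_types)


GLOBAL_WHITELIST = RuleSet("Global Whitelist", ["Requests", "Responses", "Embedded Objects"], [
    Rule("Client IP is in list Allowed Clients", lambda tx: tx.client_ip in ALLOWED_CLIENTS, STOP_CYCLE),
    Rule("URL.Host matches in list Global Whitelist", lambda tx: tx.url_host in GLOBAL_WHITELIST_HOSTS, STOP_CYCLE),
])
UPLOAD_MEDIA_TYPE = RuleSet("Upload Media Type", ["Requests", "Embedded Objects"], [
    Rule("Block types from list Upload Media Type Blocklist", at_least_one_in(UPLOAD_MEDIA_TYPE_BLOCKLIST),
         BLOCK, [counter_increment("BlockedByMediaFilter", 1)]),
], enabled=False)                                   # not enabled by default, as the guide states
DOWNLOAD_MEDIA_TYPE = RuleSet("Download Media Type", ["Responses", "Embedded Objects"], [
    Rule("Block types from list Download Media Type Blocklist", at_least_one_in(DOWNLOAD_MEDIA_TYPE_BLOCKLIST),
         BLOCK, [counter_increment("BlockedByMediaFilter", 1)]),
])
MEDIA_TYPE_FILTERING = RuleSet("Media Type Filtering", ["Requests", "Responses", "Embedded Objects"],
                               [UPLOAD_MEDIA_TYPE, DOWNLOAD_MEDIA_TYPE])
POLICY = [GLOBAL_WHITELIST, MEDIA_TYPE_FILTERING]   # top-level order: the whitelist is evaluated first


def process(tx: Transaction) -> Tuple[str, List[str]]:
    """Run the top-level rule sets in order; returns the final outcome and a trace of applied rules."""
    trace: List[str] = []
    for rs in POLICY:
        outcome = run_rule_set(rs, tx, trace)
        if outcome != CONTINUE:
            return outcome, trace
    return CONTINUE, trace
```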

Single Sign On rule set


Using the nested rule sets that come with the Single Sign On rule set, you can configure SSO access to cloud services and
applications for users in your organization.

Library rule set – Single Sign On

Criteria – Always

Cycles – Requests (and IM), Responses

The Single Sign On rule set contains the following nested rule sets:
• Select Services
• SSO Management
◦ HTTPS Handling
◦ Launchpad
◦ OTP Authentication
◦ Get Login Action
◦ Get Attributes on Premise
◦ Get Attributes in the Cloud
◦ Perform SAML SSO
◦ Perform IceToken SSO
◦ Process Common Tasks
• Perform SSO
The rule sets nested in the SSO Management rule set are executed when the SSO.IsManagementRequest property returns a true value.
This property is set to true in response to internal and external SSO requests, as follows:
• Internal SSO requests — The SSO.Action property returns a string value corresponding to an internal SSO request action.
• External SSO requests — An external SSO request is sent to the Web Gateway SSO service URL.
The rule sets nested in the Get Login Action rule set fetch user information and perform single sign-on to SAML cloud services and
applications.

Select Services rule set


The rules in this rule set retrieve the specified list of cloud services, which the authenticated user or users of a shared account
are allowed to access. The list and other information that you configure using the rules in this rule set are then available to the
module for other SSO operations.

Nested library rule set – Select Services

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following rules.

Add default SSO services (individual accounts)

Rule element Definition

Criteria Authentication.IsAuthenticated equals true AND
String.IsEmpty(Authentication.UserName) equals false

Action Continue

Events SSO.AddServices ("defaultIDP",
Authentication.UserName,
Default SSO Services, {
"label":"Individual",
"permit-usage":"yes",
"permit-management":"yes"
})<Default>

If the user is authenticated, the Single Sign On module retrieves the specified list of cloud services, which the user is then allowed to
access.
The Single Sign On module executes the event with the following properties and settings:
• "defaultIDP" — Specifies the domain in the credential store where user account information is stored.
• Authentication.UserName — Specifies the name of the authenticated user.
• Default SSO Services — Specifies a list of services that the authenticated user is allowed to access.
• The following options form one parameter in JSON format:
◦ "label" — Specifies the type of account: individual or shared.
◦ "permit-usage" — Allows you to permit, deny, or require OTP authentication for access to the services on the list by the
authenticated user. To configure access, specify the following values respectively: "yes", "no", or "otp".
◦ "permit-management" — Allows you to permit, deny, or require OTP authentication for access to account management
functions by the authenticated user. To configure access, specify the following values respectively: "yes", "no", or
"otp".

• <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Add OTP secured SSO services (individual accounts, use after OTP authentication)

Rule element Definition

Criteria Authentication.IsAuthenticated equals true AND
String.IsEmpty(Authentication.UserName) equals false

Action Continue

Events SSO.AddServices ("defaultIDP",
Authentication.UserName,
OTP Secured SSO Services, {
"label":"Individual",
"permit-usage":"otp",
"permit-management":"otp"
})<Default>

If the user is authenticated, the Single Sign On module retrieves the specified list of cloud services. The user is allowed to access or
manage these OTP-secured services after authenticating again with a one-time password entered on the launchpad.
The module executes the event with the following properties and settings:
• "defaultIDP" — Specifies the domain in the credential store where user account information is stored.
• Authentication.UserName — Specifies the name of the authenticated user.
• OTP Secured SSO Services — Specifies a list of services that the authenticated user is allowed to access after authenticating again
with a one-time password.
• The following options form one parameter in JSON format:
◦ "label" — Specifies the type of account: individual or shared.
◦ "permit-usage" — Allows you to require OTP authentication for access to the services on the list by the authenticated
user. Value: "otp"
◦ "permit-management" — Allows you to require OTP authentication for access to account management functions by the
authenticated user. Value: "otp"
• <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Add shared SSO services (shared accounts)

Rule element Definition

Criteria Always

Action Continue

Events SSO.AddServices ("defaultIDP",
"sharedAccounts",
Shared SSO Services, {
"label":"Shared",
"permit-usage":"yes",
"permit-management":"yes"
})<Default>

The Single Sign On module retrieves the specified list of cloud services, which authenticated users of the shared account are then
allowed to access.
• "defaultIDP" — Specifies the domain in the credential store where user account information is stored.
• "sharedAccounts" — Specifies a shared account.
• Shared SSO Services — Specifies a list of services, which authenticated users of the shared account are allowed to access.

• The following options form one parameter in JSON format:
◦ "label" — Specifies the type of account: individual or shared.
◦ "permit-usage" — Allows you to permit, deny, or require OTP authentication for access to the services on the list by
users of the shared account. To configure access, specify the following values respectively: "yes", "no", or "otp".
◦ "permit-management" — Allows you to permit, deny, or require OTP authentication for access to account management
functions by users of the shared account. To configure access, specify the following values respectively: "yes", "no", or
"otp".
• <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Handle single sign on using memorable hosts

Rule element Definition

Criteria Map.HasKey (SSO Host to Service ID mapping, URL.Host) equals true

Action Redirect

Events Set Redirect.URL = "http://" + SSO.ManagementHost<Default> + "/login?service=" + Map.GetStringValue (SSO Host to Service ID mapping, URL.Host)

If the SSO Host to Service ID Mapping includes the host name configured for the requested cloud service, the request is redirected to
the URL configured for that service.
The Single Sign On module constructs the redirect URL from the specified string values and the following properties and settings:
• SSO.ManagementHost — Specifies the host name of the SSO service provided by Web Gateway.
• <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.
• Map.GetStringValue (SSO Host to Service ID Mapping, URL.Host) — Looks up the host name of the requested service in the SSO Host to Service
ID map and returns the Service ID of that service.

HTTPS Handling rule set


This rule set secures SSO communication between users and the launchpad with the HTTPS protocol.

Nested library rule set – HTTPS Handling

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following rules.

Enable SSL

Rule element Definition

Criteria Command.Name equals "CONNECT"

Action Stop Cycle

Events Enable SSL Client Context without CA <Launchpad certificate>
Enable SSL Scanner <Enable Content Inspection>

If an SSO connection is required, this rule stops the request cycle. The Single Sign On module provides an SSL certificate and
enables content inspection.
The module executes the events with the following settings:
• <Launchpad certificate> — Specifies the SSL certificate and settings. This certificate can be the default or one that you import.
• <Enable Content Inspection> — Specifies the settings that enable content inspection by the SSL Scanner module.

Enforce SSL

Rule element Definition

Criteria Connection.Protocol equals "HTTP"

Action Redirect<Default>

Events Set URL.Protocol = "https"
Set Redirect.URL = URL

If the connection protocol is HTTP, the Single Sign On module sets the SSO protocol to "https" and the SSO request is redirected to
the requested URL.
The rule executes the redirect action with the following settings:
<Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Launchpad rule set


This rule set assembles all information needed for generating the launchpad or a logon page.

Nested library rule set – Launchpad

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following rules.

Create launchpad

Rule element Definition

Criteria URL.Path equals "/" OR URL.Path equals "/launchpad"

Action Block<SSO Launchpad>

Events HTTP.SetStatus (200)

If the requested URL specifies the SSO service or the launchpad, this rule generates the launchpad using the following settings:
<SSO Launchpad> — Specifies the language and template settings used to generate the launchpad.
Note: We recommend that you do not modify the launchpad settings.
The Single Sign On module sets the HTTP status code to 200 (OK).

Create automatic login page

Rule element Definition

Criteria URL.Path equals "/login"

Action Block<SSO Login Page>

Events HTTP.SetStatus (200)

If the requested URL specifies the SSO logon page, this rule generates the logon page, including the JavaScript, using the
following settings:
<SSO Login Page> — Specifies the language and template settings used to generate the logon page.
Note: We recommend that you do not modify the logon page settings.

The Single Sign On module sets the HTTP status code to 200 (OK).

Create automatic login page (compatibility with some services)

Rule element Definition

Criteria URL.Path matches regex(/login-.+)

Action Block<SSO Login Page>

Events Set URL.Parameters = List.OfString.Append (URL.Parameters, String.Concat ("service=", String.SubString (URL.Path, 7, -1)))
Set URL.Path = "/login"
HTTP.SetStatus (200)

This rule applies when the requested URL specifies the SSO logon page using the format "/login-<Service ID>" instead of the
default format that the SSO service is expecting: "/login?service=<Service ID>". This rule generates the logon page using the
following settings:
<SSO Login Page> — Specifies the language and template settings used to generate the logon page.
Note: We recommend that you do not modify the logon page settings.
The Single Sign On module rebuilds the requested URL using the default format and sets the HTTP status code to 200 (OK).
Note: Some SAML services do not allow query parameters in the IdP URL when single sign-on is SP-initiated.
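The following Python (added here; not McAfee code) models the memorable-host redirect from the Select Services rule set together with the three Launchpad rules above, including the "/login-<Service ID>" rewrite. The host-to-service map and the management host name are constructed sample values; reading String.SubString (URL.Path, 7, -1) as "from offset 7 to the end" and treating "matches regex" as a whole-path match are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample contents for the SSO Host to Service ID mapping and for SSO.ManagementHost
SSO_HOST_TO_SERVICE_ID = {"mail.example-cloud.test": "webmail", "crm.example-cloud.test": "crm"}
SSO_MANAGEMENT_HOST = "sso.webgateway.example.internal"

# Regex of the rule "Create automatic login page (compatibility with some services)";
# assumption: 'matches regex' compares the whole path.
LOGIN_COMPAT_PATH = re.compile(r"/login-.+")


def memorable_host_redirect(url_host: str) -> Optional[str]:
    """Models 'Handle single sign on using memorable hosts': Map.HasKey, then Map.GetStringValue."""
    if url_host not in SSO_HOST_TO_SERVICE_ID:
        return None                                   # criteria false: the rule does not apply
    return "http://" + SSO_MANAGEMENT_HOST + "/login?service=" + SSO_HOST_TO_SERVICE_ID[url_host]


def rewrite_compat_login_path(path: str, parameters: List[str]) -> Tuple[str, List[str]]:
    """Models the events of the compatibility rule: '/login-<Service ID>' becomes path '/login'
    with 'service=<Service ID>' appended to URL.Parameters. Offset 7 in
    String.SubString (URL.Path, 7, -1) is len('/login-'); -1 is assumed to mean 'to the end'."""
    if not LOGIN_COMPAT_PATH.fullmatch(path):
        return path, parameters                       # '/login-' alone does not match '.+'
    service_id = path[len("/login-"):]
    return "/login", parameters + ["service=" + service_id]


def handle_launchpad_request(path: str, parameters: List[str]) -> Optional[Dict[str, object]]:
    """Models the three Launchpad rules in the order the guide lists them. Returns the applied
    Block action, the status set by HTTP.SetStatus and the (possibly rewritten) URL parts, or
    None when no rule applies and processing falls through to the following rule sets."""
    if path in ("/", "/launchpad"):                                        # Create launchpad
        return {"action": "Block<SSO Launchpad>", "status": 200, "path": path, "parameters": parameters}
    if path == "/login":                                                   # Create automatic login page
        return {"action": "Block<SSO Login Page>", "status": 200, "path": path, "parameters": parameters}
    new_path, new_parameters = rewrite_compat_login_path(path, parameters)  # compatibility variant
    if new_path != path:
        return {"action": "Block<SSO Login Page>", "status": 200, "path": new_path, "parameters": new_parameters}
    return None
```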

OTP Authentication rule set


Enabling this rule set allows you to enforce OTP authentication as a secondary authentication method for users who want to
access cloud services and applications.

Nested library rule set – OTP Authentication

Criteria – SSO.OtpRequired<Default> equals true

Cycles – Requests (and IM)

The rules in this rule set are executed when the SSO action requires OTP authentication.

Prepare OTP context

Rule element Definition

Criteria URL.HasParameter ("requestOTP") equals true OR
URL.HasParameter ("pledgeOTP") equals true

Action Continue

Events Authentication.SendOTP<OTP>

If there is a request for a one-time password from an authenticated user, the Single Sign On module sends the password to the
user. The types of OTP requests are:
• "requestOTP" — The user requests the one-time password through the McAfee OTP server.
• "pledgeOTP" — The user requests the one-time password through Pledge, an OTP client running locally on a computer or mobile
device.
The module executes the event with the following settings:
<OTP> — Specifies settings for OTP authentication.

Return OTP context

Rule element Definition

Criteria URL.HasParameter ("requestOTP") equals true

Action Stop Cycle

Events HTTP.GenerateResponse (JSON.ToString (JSON.StoreByName (JSON.CreateObject, "otp-context", JSON.FromString (Authentication.OTP.Context<OTP>))))
HTTP.SetStatus (403)

If there is a request for a one-time password from an authenticated user, this rule stops the request cycle. The Single Sign On
module generates a response containing the OTP context in a JSON object. The OTP context is provided in a header field when
the McAfee OTP Server responds with a one-time password.
The module executes this event with the following settings:
<OTP> — Specifies settings for OTP authentication.
The module sets the HTTP status code to 403 (Forbidden).

Verify delivered OTP

Rule element Definition

Criteria Authentication.Authenticate<OTP> equals false

Action Stop Cycle

Events HTTP.GenerateResponse
("{"authentication-required":"delivered-otp"}")
HTTP.SetStatus (403)

If OTP authentication fails, this rule stops the request cycle. The Single Sign On module generates a response specifying the
authentication result and method. The method, delivered OTP, specifies delivery of the one-time password by the McAfee OTP
Server.
The module executes this event with the following settings:
<OTP> — Specifies settings for OTP authentication.
The module sets the HTTP status code to 403 (Forbidden).
Note: Enable this rule if one-time passwords are delivered by McAfee OTP Server.

Verify Pledge generated OTP

Rule element Definition

Criteria Authentication.Authenticate<OTP> equals false

Action Stop Cycle

Events HTTP.GenerateResponse
("{"authentication-required":"generated-otp"}")
HTTP.SetStatus (403)

If OTP authentication fails, this rule stops the request cycle. The Single Sign On module generates a response specifying the
authentication result and method. The method, generated OTP, specifies generation of the one-time password by the Pledge OTP
client.
The module executes this event with the following settings:
<OTP> — Specifies settings for OTP authentication.
The module sets the HTTP status code to 403 (Forbidden).
Note: Enable this rule if one-time passwords are generated by the Pledge OTP client.

Get Login Action rule set


This rule set retrieves information about the connector to the requested cloud service or application. For HTTP cloud connectors,
processing of the rule set then stops. For other cloud connectors, the rule set checks whether the user has the right to access the
requested cloud service or application.

Nested library rule set – Get Login Action

Criteria – SSO.Action<Default> equals "GetLoginAction"

Cycles – Requests (and IM)

This rule set contains the following rules.

Get connector info

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.sso-conn-info = SSO.GetConnectorInfo (String.ToSSOConnector (URL.GetParameter ("service")))

The Single Sign On module retrieves information about the connector to the service the user is requesting and stores it as a JSON
object in a local variable named sso-conn-info. This information includes the following:
• Name (string) — Specifies a user-defined name for the cloud connector.
• Service ID (string) — Uniquely identifies the cloud service or application.
• Type (string) — Specifies the authentication method used by the cloud service.
Values: HTTP, SAML2
• Inline (Boolean) — If true, the cloud connector supports a dynamic HTTP cloud service, which requires single sign-on in proxy
or inline mode.
• Deprecated (Boolean) — If true, the cloud connector is no longer supported.

Stop rule set for form based logins

Rule element Definition

Criteria JSON.AsString (JSON.GetByName (User-Defined.sso-conn-info, "type")) equals "http"

Action Stop Rule Set

Events None

If the cloud connector type is HTTP, this rule stops the Get Login Action rule set.

Validate user's access permissions

Rule element Definition

Criteria SSO.UserHasAccessToService (URL.GetParameter ("realm"), URL.GetParameter ("user"), URL.GetParameter ("service"), "usage")<Default> equals false

Action Block<SSO: User Has No Access To Service>

Events None

This rule checks the "service" and "usage" parameters to verify that the user has the right to access the requested service or
application. If the "service" parameter is empty or the "usage" parameter is set to "no", this rule blocks access to the requested
service.
This rule is executed with the following settings:
• <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.
• <SSO: User Has No Access To Service> — Specifies the language and template settings used to generate the block message for the
user.
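The following Python (added here; not McAfee code) models how the grants registered by the three Select Services rules are consulted by SSO.UserHasAccessToService in the rule above, including the empty "service" parameter and the "no" permit case. The service list contents are constructed; the way individual and "sharedAccounts" grants are merged, and how conflicting permit values resolve, are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PERMIT_VALUES = ("yes", "no", "otp")   # the values the guide allows for permit-usage and permit-management

# Constructed sample contents for the three service lists used by the Select Services rules
DEFAULT_SSO_SERVICES = ["crm", "webmail"]
OTP_SECURED_SSO_SERVICES = ["payroll"]
SHARED_SSO_SERVICES = ["shared-wiki"]


@dataclass(frozen=True)
class ServiceGrant:
    service_id: str
    label: str               # "Individual" or "Shared"
    permit_usage: str        # "yes", "no" or "otp"
    permit_management: str   # "yes", "no" or "otp"


class SSOServiceStore:
    """Holds what SSO.AddServices handed to the Single Sign On module, keyed by (domain, account)."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], List[ServiceGrant]] = {}

    def add_services(self, domain: str, account: str, services: List[str], options: Dict[str, str]) -> None:
        """Models SSO.AddServices (domain, account, list, {JSON options}); rejects malformed options."""
        for key in ("label", "permit-usage", "permit-management"):
            if key not in options:
                raise ValueError(f"missing option {key!r}")
        for key in ("permit-usage", "permit-management"):
            if options[key] not in PERMIT_VALUES:
                raise ValueError(f"{key} must be one of {PERMIT_VALUES}, got {options[key]!r}")
        bucket = self._grants.setdefault((domain, account), [])
        for service_id in services:
            bucket.append(ServiceGrant(service_id, options["label"], options["permit-usage"], options["permit-management"]))

    def grants_for(self, realm: str, user: str) -> List[ServiceGrant]:
        # Assumption: a user sees the grants of the individual account plus those of "sharedAccounts".
        return self._grants.get((realm, user), []) + self._grants.get((realm, "sharedAccounts"), [])

    def permission(self, realm: str, user: str, service: str, kind: str) -> str:
        """Effective permit value ("yes", "no" or "otp") for kind "usage" or "management".
        Assumption: if any matching grant requires OTP, OTP wins; otherwise any "yes" permits."""
        attr = {"usage": "permit_usage", "management": "permit_management"}[kind]
        values = [getattr(g, attr) for g in self.grants_for(realm, user) if g.service_id == service]
        if "otp" in values:
            return "otp"
        return "yes" if "yes" in values else "no"


def user_has_access_to_service(store: SSOServiceStore, realm: str, user: str, service: str, kind: str) -> bool:
    """Models SSO.UserHasAccessToService: false for an empty service parameter or a "no" permit."""
    if not service:
        return False
    return store.permission(realm, user, service, kind) != "no"


def select_services(store: SSOServiceStore, is_authenticated: bool, user_name: str) -> SSOServiceStore:
    """Runs the three Select Services rules for one request in the order the guide lists them."""
    if is_authenticated and user_name:   # criteria of the two individual-account rules
        store.add_services("defaultIDP", user_name, DEFAULT_SSO_SERVICES,
                           {"label": "Individual", "permit-usage": "yes", "permit-management": "yes"})
        store.add_services("defaultIDP", user_name, OTP_SECURED_SSO_SERVICES,
                           {"label": "Individual", "permit-usage": "otp", "permit-management": "otp"})
    store.add_services("defaultIDP", "sharedAccounts", SHARED_SSO_SERVICES,   # criteria: Always
                       {"label": "Shared", "permit-usage": "yes", "permit-management": "yes"})
    return store


def validate_access(store: SSOServiceStore, params: Dict[str, str]) -> str:
    """Models 'Validate user's access permissions' in Get Login Action: the URL parameters realm,
    user and service are checked for "usage"; a false result blocks the request."""
    ok = user_has_access_to_service(store, params.get("realm", ""), params.get("user", ""),
                                    params.get("service", ""), "usage")
    return "Continue" if ok else "Block<SSO: User Has No Access To Service>"
```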

Get Attributes on Premise rule set


The rules in this rule set fetch user information from an external LDAP data source for SAML single sign-on. This rule set is
disabled by default and only applies when Web Gateway is installed and running on premise and the SSO type is SAML2.

Nested library rule set – Get Attributes on Premise

Criteria – InTheCloud equals false AND JSON.AsString (JSON.GetByName (User-Defined.sso-conn-info, "type")) does not equal "HTTP"

Cycles – Requests (and IM)

This rule set contains the following rules.

Get additional attributes from LDAP

Rule element Definition

Criteria Always

Action Continue

Events Set Authentication.RawUserName = Authentication.UserName
Set User-Defined.sso-user-data = Authentication.GetUserGroupsJSON<LDAP Authentication>

The Single Sign On module fetches information about the user from an external LDAP data source through the Authentication filter.
It then stores the information as a JSON object in a local variable named sso-user-data. The user information consists of the
attribute name-value pairs expected by the SAML service or application.
This event is executed with the following settings:
<LDAP Authentication> — Specifies the Authentication module settings configured for the external LDAP data source.

Get additional attributes from LDAP using External Lists

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.sso-user-data = ExtLists.JSON (Authentication.UserName, "", "")<LDAP Source>

The Single Sign On module fetches information about the user from an external LDAP data source through the External Lists module.
It then stores the information as a JSON object in a local variable named sso-user-data. The user information consists of the
attribute name-value pairs expected by the SAML service or application.
This event is executed with the following settings:
<LDAP Source> — Specifies the External Lists module settings configured for the external LDAP data source.

Get Attributes in the Cloud rule set


This rule set constructs the data needed for SAML single sign-on from the authenticated user name. It is disabled by default and
only applies when Web Gateway is installed and running in the cloud and the SSO type is SAML2.

Nested library rule set – Get Attributes in the Cloud

Criteria – InTheCloud equals true AND JSON.AsString (JSON.GetByName (User-Defined.sso-conn-info, "type")) does not equal "HTTP"

Cycles – Requests (and IM)

This rule set contains the following rule.

Populate user's data from user name

Rule element Definition

Criteria Authentication.IsAuthenticated equals true AND
Authentication.UserName matches *@* AND
JSON.Size (User-Defined.sso-user-data) equals 0

Action Continue

Events Set User-Defined.sso-user-data = JSON.StoreByName (User-Defined.sso-user-data, "mail", JSON.FromString (Authentication.UserName))

This rule only applies when the user is authenticated, the user name is an email address, and the sso-user-data variable is empty.
The rule stores the attribute name-value pair formed by "mail" and the user's email address as a JSON object in the sso-user-data
variable.

Perform SAML SSO rule set


This rule set generates a response that contains the user information needed for completing single sign-on to the requested
SAML service or application.

Nested library rule set – Perform SAML SSO

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

This rule set contains the following rule.

Get login action (SAML)

Rule element Definition

Criteria JSON.AsString (JSON.GetByName (User-Defined.sso-conn-info, "type")) matches saml*

Action Stop Cycle

Events HTTP.GenerateResponse (SSO.GetSAMLLoginAction (URL.GetParameter ("service"), User-Defined.sso-user-data)<Default>)

If the cloud connector type is SAML2, this rule stops the request cycle. The Single Sign On module generates a response containing
the user information needed for completing single sign-on to the requested SAML service or application.
This event is executed with the following settings:
<Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Perform IceToken SSO rule set


This rule set generates a response that contains the user information needed for completing single sign-on to the requested
service or application.

Nested library rule set — Perform IceToken SSO

Criteria — Always

Cycles — Requests (and IM)

This rule set contains the following rule.

Get login action (IceToken)

Rule element Definition

Criteria JSON.AsString (JSON.GetByName (User-Defined.sso-conn-info, "type")) equals "icetoken"

Action Stop Cycle

Events HTTP.GenerateResponse (SSO.GetIceTokenLoginAction (URL.GetParameter ("service"), User-Defined.sso-user-data)<Default>)

If the cloud connector type is IceToken, this rule stops the request cycle. The Single Sign On module generates a response
containing the user information needed for completing single sign-on to the requested service or application.
This event is executed with the following settings:
<Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Process Common Tasks rule set


This rule set processes common SSO tasks and blocks access to SSO resources that do not exist.

Nested library rule set – Block Management Requests

Criteria – Always

Cycles – Requests (and IM)

This rule set contains the following rules.

Process common tasks

Rule element Definition

Criteria SSO.ProcessTask<Default> equals true

Action Stop Cycle

Events None

This rule processes common SSO tasks, such as credential management.

Block invalid or unhandled management requests

Rule element Definition

Criteria Always

Action Block<File Not Found>

Events HTTP.SetStatus (404)

This rule blocks access to a requested resource when the resource does not exist. It is executed with the following settings:
<File Not Found> — Specifies the language and template settings used to generate the block message for the user.
The Single Sign On module sets the HTTP status code to 404 (Not Found).

Perform SSO rule set


This rule set allows the user to log on to an HTTP cloud service or application when single sign-on is implemented in proxy
(inline) mode.

Nested library rule set – Perform SSO

Criteria – Always

Cycles – Requests (and IM), Responses

This rule set contains the following rule.

Process form login

Rule element Definition

Criteria Always

Action Continue

Events SSO.ProcessFormLogin<Default>

The Single Sign On module processes the logon form that users complete to access HTTP cloud services or applications in proxy
(inline) mode. The execution of the event depends on the step in the logon process, as follows:
• The user requests the logon form — The event adds JavaScript to the logon page, enabling single sign-on to dynamic HTTP
cloud services, and replaces the real password with a password token.
• The user submits the logon form — The event replaces the password token with the real password.
The SSO module executes this event with the following settings:
<Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

HTTPS Scanning rule set


The HTTPS Scanning rule set is the default rule set for HTTPS scanning. This scanning mode is also known as SSL scanning.
Note: After the initial setup of Web Gateway, this rule set is part of the default rule set system. It is, however, not enabled by
default.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in this rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

Complete rules of the HTTPS Scanning rule set


When working with the complete rules of the HTTPS Scanning rule set, all rules and rule elements of this rule set can be viewed and
configured.

Default rule set — HTTPS Scanning

Criteria — Always

Cycles — Requests (and IM)

This rule set is part of the default rule set system, but not enabled by default.

The following rule sets are nested in this rule set:

• Handle CONNECT Call
• Certificate Verification
◦ Verify Signature Algorithms
◦ Verify Common Name (Proxy Setup)
• Content Inspection
• Verify Common Name (Transparent Setup)

Handle CONNECT Call


This nested rule set handles the CONNECT call in SSL-secured communication and enables certificate verification.

Nested library rule set — Handle CONNECT Call

Criteria — Command.Name equals "CONNECT"

Cycles — Requests (and IM)

The rule set criteria specifies that the rule set applies when a request is received on the appliance that contains the CONNECT
command, which is sent in the opening phase of SSL-secured communication.
The rule set contains the following rules:

Set client context

Always –> Continue — Enable SSL Client Context with CA <Default CA>

The rule enables the use of a server certificate that is sent to a client.

The event settings specify the McAfee Web Gateway root certificate authority (CA), which is implemented on the appliance
after the initial setup, as the default issuer of this certificate.

The Continue action lets processing continue with the next rule.

Tunneled hosts

URL.Host is in list SSL Host Tunnel List –> Stop Cycle

The rule lets requests for access to hosts with a URL that is on the specified whitelist skip HTTPS scanning.

Restrict destination ports to Allowed CONNECT Ports

URL.Port is not in list Allowed Connect Ports –> Block<Connect not allowed>

The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports.

The action settings specify a message to the requesting user.

Enable certificate verification without EDH for hosts in no-EDH server list

URL.Host is in list No-EDH server –> Block<Connect not allowed> Stop Rule Set — Enable SSL Scanner<Certificate Verification without edh>

The rule enables the certificate verification for requests sent from a host on the non-EDH (Ephemeral Diffie-Hellman) server
list.

The action settings specify a message to the requesting user.

The event settings specify running in verification mode for the SSL Scanner module and a special cipher string for data
encryption on non-EDH hosts.

Enable certificate verification

Always –> Stop Rule Set — Enable SSL Scanner<Default certificate verification>

The rule enables certificate verification.

The event settings specify that the SSL Scanner module runs in verification mode.



Certificate Verification
This nested rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted certificates skip verification
and blocks others according to particular criteria.

Nested library rule set — Certificate Verification

Criteria — Command.Name equals “CERTVERIFY”

Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on the appliance that contains the CERTVERIFY
command, which is sent to request the verification of a certificate.
The following rule sets are nested in this rule set:
• Verify Signature Algorithms
• Verify Common Name (Proxy Setup)
The rule set contains the following rules:

Skip verification for certificates found in Certificate Whitelist

SSL.Server.Certificate.HostAndCertificate is in list Certificate Whitelist –> Stop Rule Set

The rule lets whitelisted certificates skip verification.

Block self-signed certificates

SSL.Server.Certificate.SelfSigned equals true –> Block <Certificate incident>

The rule blocks requests with self-signed certificates.

The action settings specify a message to the requesting user.

Block expired server (7 day tolerance) and expired CA certificates

SSL.Server.Certificate.DaysExpired greater than 7 OR SSL.Server.CertificateChain.ContainsExpiredCA<Default> equals true –> Block <Certificate incident>

The rule blocks requests with expired server and CA certificates.

The action settings specify a message to the requesting user.

Block too long certificate chains

SSL.Server.CertificateChain.PathLengthExceeded<Default> equals true –> Block <Certificate incident>

The rule blocks a certificate chain if it exceeds the path length.

The settings in the property specify a list for the module that checks the certificate authorities.

The action settings specify a message to the requesting user.



Block revoked certificates

SSL.Server.CertificateChain.ContainsRevoked<Default> equals true –> Block <Certificate incident>

The rule blocks a certificate chain if one of the included certificates has been revoked.

The settings in the property specify a list for the module that checks the certificate authorities.

The action settings specify a message to the requesting user.

Paranoid Certificate Chain Verification

SSL.Server.CertificateChain.AllRevocationStatusesKnown<Default> equals false OR SSL.Server.CertificateChain.IsComplete<Default> equals false –> Block <Certificate incident>

The rule blocks a certificate chain if the revocation status of at least one certificate is unknown or if the certificate chain is
incomplete.

The settings in the property specify a list for the module that checks the certificate authorities.

The action settings specify a message to the requesting user.

Block unknown certificate authorities

SSL.Server.CertificateChain.FoundKnownCA<Default> equals false –> Block <Certificate incident>

The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included certificates is a known CA.

The settings in the property specify a list for the module that checks the certificate authorities.

The action settings specify a message to the requesting user.

Block untrusted certificate authorities

SSL.Server.FirstKnownCAIsTrusted<Default> equals false –> Block <Certificate incident>

The rule blocks a certificate chain if the first known CA that was found is not trusted.

The settings in the property specify a list for the module that checks the certificate authorities.

The action settings specify a message to the requesting user.

Verify Signature Algorithms


This nested rule set verifies the algorithms that are used in creating signatures for certificates.

Nested library rule set – Verify Signature Algorithms

Criteria – Always

Cycles – Requests (and IM)

The rule criteria specifies that the rule set applies for all requests that are received.



The rule set contains the following rules:

Verify signature algorithms

SSL.Server.Certificate.SignatureMethod is in list Safe Signature Algorithms AND SSL.Server.CertificateChain.SignatureMethods<Default> is in list Safe Signature Algorithms –> Stop Rule Set

The rule uses the SSL.Server.Certificate.SignatureMethod and SSL.Server.CertificateChain.SignatureMethods properties to check whether a
signature algorithm for a certificate that was sent with a request is on both of the two lists referred to in the rule criteria.

If a signature algorithm is on these lists, processing of the rule set stops, so the blocking rule that follows this rule is not
processed anymore.

Block unsafe signature algorithms

Always –> Block <Certificate incident>

The rule blocks any request that has passed the filtering that was performed when processing the preceding rule. This
means that blocking will occur whenever a signature algorithm is not on the lists used in that rule.

The action settings specify a message to the requesting user.
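The following Python model, added here as an illustration and not taken from the McAfee Web Gateway guide or product, walks a constructed certificate chain through the rules of the Certificate Verification rule set above and the nested Verify Signature Algorithms rule set, in the order the guide lists them, so that the first matching rule decides. The `Cert` class, the list contents (`SAFE_SIGNATURE_ALGORITHMS`, `CERTIFICATE_WHITELIST`, `KNOWN_CAS`, `TRUSTED_CAS`), the sample CAs and `TODAY` are constructed assumptions, and the signature check is modelled after the other rules, which is an assumption about where the nested rule set sits.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate (no real X.509 parsing)."""
    subject: str
    issuer: str
    not_after: date
    signature_method: str                       # e.g. "sha256WithRSAEncryption"
    path_len: Optional[int] = None              # CA pathLenConstraint, None = no limit
    revocation_status: Optional[bool] = None    # None = unknown, True = revoked


# Constructed lists standing in for the appliance's list objects (assumed contents).
SAFE_SIGNATURE_ALGORITHMS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                             "ecdsa-with-SHA256"}
CERTIFICATE_WHITELIST = {("intranet.example.test", "intranet.example.test")}  # (host, subject)
KNOWN_CAS = {"Example Root CA", "Example Intermediate CA", "Example Legacy CA"}
TRUSTED_CAS = {"Example Root CA", "Example Intermediate CA"}


def verify_chain(host: str, chain: List[Cert], today: date) -> Tuple[bool, str]:
    """Evaluate the rules in the guide's order; the first rule whose criteria match
    decides, as in the Web Gateway rule engine. chain[0] is the server certificate,
    followed by the issuing CAs up to the root. Returns (accepted, deciding rule)."""
    leaf, cas = chain[0], chain[1:]
    if (host, leaf.subject) in CERTIFICATE_WHITELIST:
        return True, "Skip verification for certificates found in Certificate Whitelist"
    if leaf.subject == leaf.issuer:                          # SSL.Server.Certificate.SelfSigned
        return False, "Block self-signed certificates"
    # DaysExpired > 7 for the server certificate; no tolerance for CA certificates.
    if (today - leaf.not_after).days > 7 or any(today > ca.not_after for ca in cas):
        return False, "Block expired server (7 day tolerance) and expired CA certificates"
    # pathLenConstraint: cas[idx] allows at most path_len CAs between it and the leaf.
    for idx, ca in enumerate(cas):
        if ca.path_len is not None and idx > ca.path_len:
            return False, "Block too long certificate chains"
    if any(c.revocation_status is True for c in chain):
        return False, "Block revoked certificates"
    complete = chain[-1].subject == chain[-1].issuer         # ends in a self-issued root
    if any(c.revocation_status is None for c in chain) or not complete:
        return False, "Paranoid Certificate Chain Verification"
    known = [ca for ca in cas if ca.subject in KNOWN_CAS]    # nearest to the leaf first
    if not known:
        return False, "Block unknown certificate authorities"
    if known[0].subject not in TRUSTED_CAS:                  # FirstKnownCAIsTrusted
        return False, "Block untrusted certificate authorities"
    # Verify Signature Algorithms: the server certificate AND every chain certificate.
    if all(c.signature_method in SAFE_SIGNATURE_ALGORITHMS for c in chain):
        return True, "Verify signature algorithms"
    return False, "Block unsafe signature algorithms"


# Constructed sample CAs; TODAY is only the reference point for the expiry checks.
TODAY = date(2020, 1, 2)
ROOT = Cert("Example Root CA", "Example Root CA", date(2030, 1, 1),
            "sha256WithRSAEncryption", path_len=1, revocation_status=False)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", date(2025, 1, 1),
                    "sha256WithRSAEncryption", path_len=0, revocation_status=False)
SUB_CA = Cert("Example Sub CA", "Example Intermediate CA", date(2025, 1, 1),
              "sha256WithRSAEncryption", path_len=0, revocation_status=False)
LEGACY_ROOT = Cert("Example Legacy CA", "Example Legacy CA", date(2030, 1, 1),
                   "sha256WithRSAEncryption", revocation_status=False)


def server_cert(subject="www.example.test", issuer="Example Intermediate CA",
                days_until_expiry=365, sig="sha256WithRSAEncryption",
                revocation_status=False) -> Cert:
    """Constructed server certificate; a negative days_until_expiry means expired."""
    return Cert(subject, issuer, TODAY + timedelta(days=days_until_expiry), sig,
                revocation_status=revocation_status)


if __name__ == "__main__":
    print(verify_chain("www.example.test", [server_cert(), INTERMEDIATE, ROOT], TODAY))
    print(verify_chain("www.example.test",
                       [server_cert(sig="sha1WithRSAEncryption"), INTERMEDIATE, ROOT], TODAY))
```

Two points the rule order makes visible: a server certificate that expired three days ago still passes because only `DaysExpired greater than 7` blocks, while an expired CA certificate blocks at once; and a chain that is missing its root fails the Paranoid rule before the known-CA rules are ever reached.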

Verify Common Name (Proxy Setup)


This nested rule set verifies the common name in a certificate. It applies to requests sent in explicit proxy mode.

Nested library rule set — Verify Common Name (Proxy Setup)

Criteria — Connection.SSL.TransparentCNHandling equals false

Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on a connection used in SSL-secured communication
and verification of the common name is not performed in transparent mode.
The rule set contains the following rules:

Allow matching hostname

URL.Host equals Certificate.SSL.CN –> Stop Rule Set

The rule allows a request if the URL of the requested host is the same as the common name in the certificate.

Allow wildcard certificates

Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set

The rule allows requests to hosts sending certificates that have wildcards in their common names matching the URLs of the
hosts.

To verify that a common name containing wildcards matches a host, this name is converted into a regular expression.



Allow alternative common names

URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set

The rule allows requests to hosts with alternative common names in their certificates if the host matches at least one of
them.

Block incident

Always –> Block <Common name mismatch>

If any of the rules for allowing matching common names applies, processing of the rule set stops and this rule is not
processed. Otherwise, requests are blocked by this rule because it is then a common name mismatch.

The action settings specify a message to the requesting user.

Content Inspection
This nested rule set completes the handling of a CERTVERIFY call. It lets some requests skip content inspection according to
particular criteria and enables inspection for all others.

Nested library rule set — Content Inspection

Criteria — Command.Name equals “CERTVERIFY”

Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on the appliance that contains the CERTVERIFY
command, which is sent to request the verification of a certificate.
The rule set contains the following rules:

Skip content inspection for hosts found in SSL Inspection Whitelist

Connection.SSL.Transparent equals false AND URL.Host matches in list SSL Inspection Whitelist –> Stop Rule Set

The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in non-transparent mode.

Skip content inspection for CN found in SSL Inspection Whitelist

Connection.SSL.Transparent equals true AND Certificate.SSL.CN matches in list SSL Inspection Whitelist –> Stop Rule Set

The rule lets requests with whitelisted common names in their certificates skip content inspection. It applies only in
transparent mode.

The rule is not enabled initially.

Do not inspect connections with client certificates

Connection.Client.CertificateIsRequested equals true –> Stop Rule Set

The rule lets requests skip inspection if they require the use of client certificates.



The rule is not enabled initially.

Enable content inspection

Always –> Continue — Enable SSL Scanner<Enable content inspection>

The rule enables content inspection.

The event settings specify that the SSL Scanner module runs in inspection mode.

If any of the rules for skipping content inspection applies, processing of the rule set stops and this last rule, which enables
the inspection, is not processed. Otherwise, content inspection is enabled by this rule.

Verify Common Name (Transparent Setup)


This nested rule set verifies the common name in a certificate. It applies only to requests sent in transparent mode.
With requests sent in explicit proxy mode, the host name that is compared to the common name is taken from the CONNECT
request that a client sends.
As in transparent mode no CONNECT request is sent, the host name is taken from the request for web access that a client sends.

Nested library rule set — Verify Common Name (Transparent Setup)

Criteria — Connection.SSL.TransparentCNHandling equals true AND Command.Name does not equal “CONNECT” AND
Command.Name does not equal “CERTVERIFY”

Cycles — Requests (and IM)

The rule criteria specifies that the rule set applies if a request is received on a connection used in SSL-secured communication
and verification of the common name is performed in transparent mode.
The rule set contains the following rules:

Allow matching hostname

URL.Host equals Certificate.SSL.CN –> Stop Rule Set

The rule allows a request if the URL of the requested host is the same as the common name in the certificate.

Allow wildcard certificates

Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set

The rule allows requests to hosts sending certificates that have wildcards in their common names matching the URLs of the
hosts.

To verify that a common name containing wildcards matches a host, this name is converted into a regular expression.

Allow alternative common names

URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set



The rule allows requests to hosts with alternative common names in their certificates if the host matches at least one of
them.

Block incident

Always –> Block <Common name mismatch>

If any of the rules for allowing matching common names applies, processing of the rule set stops and this rule is not
processed. Otherwise, requests are blocked by this rule because it is then a common name mismatch.

The action settings specify a message to the requesting user.
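The rules of the Verify Common Name (Proxy Setup) and Verify Common Name (Transparent Setup) rule sets are identical; only the source of the host name differs. The Python below is an added example, not code from the guide or the product: `cn_to_regex` stands in for Certificate.SSL.CN.ToRegex (its label-scoped wildcard handling, as in RFC 6125, is an assumption about the conversion), `select_host` shows where the compared host name comes from in each setup, and `verify_common_name` applies the four rules in order. The `SAMPLE_CONNECTIONS` dictionaries are constructed.

```python
import re
from typing import Iterable, Tuple


def cn_to_regex(cn: str) -> str:
    """Convert a common name with wildcards into an anchored regular expression.
    A label that is only '*' must match one non-empty DNS label, so
    '*.example.test' matches 'api.example.test' but not 'a.b.example.test'
    (assumption: label-scoped wildcards, not the appliance's exact conversion)."""
    labels = []
    for label in cn.lower().split("."):
        if label == "*":
            labels.append("[^.]+")
        else:
            # re.escape turns '*' into '\*'; a partial wildcard matches within the label
            labels.append(re.escape(label).replace(r"\*", "[^.]*"))
    return "^" + r"\.".join(labels) + "$"


def select_host(connection: dict) -> str:
    """Explicit proxy mode: the host name comes from the client's CONNECT request.
    Transparent mode: no CONNECT is sent, so it comes from the web request itself."""
    if connection["transparent"]:
        return connection["request_host"]
    return connection["connect_host"]


def verify_common_name(host: str, cn: str,
                       alternative_cns: Iterable[str] = ()) -> Tuple[str, str]:
    """Apply the rules in the guide's order; returns (action, deciding rule)."""
    host = host.lower()
    if host == cn.lower():
        return "Stop Rule Set", "Allow matching hostname"
    if "*" in cn and re.match(cn_to_regex(cn), host):
        return "Stop Rule Set", "Allow wildcard certificates"
    # Certificate.SSL.AlternativeCNs is checked with 'is in list', i.e. exact match:
    # a wildcard inside a subjectAltName entry is not expanded by that rule.
    if host in {alt.lower() for alt in alternative_cns}:
        return "Stop Rule Set", "Allow alternative common names"
    return "Block <Common name mismatch>", "Block incident"


# Constructed connections showing the two setups.
SAMPLE_CONNECTIONS = {
    "proxy": {"transparent": False, "connect_host": "api.example.test",
              "request_host": "api.example.test"},
    "transparent": {"transparent": True, "connect_host": None,
                    "request_host": "api.example.test"},
}


if __name__ == "__main__":
    for setup, conn in SAMPLE_CONNECTIONS.items():
        host = select_host(conn)
        print(setup, host, verify_common_name(host, "*.example.test"))
```

Because the alternative-name rule is an exact list lookup, a certificate whose only match for the requested host is a wildcard entry in its subjectAltName list ends at the Block incident rule; if that is not the intended policy, the wildcard rule rather than the list rule is the place to handle it.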

SSO Log rule set


The SSO Log rule set is activated when the request is made by an SSO component, including the SSO.Client and SSO.Proxy
components.

SSO Log rule set

Library rule set – SSO Log

Criteria – JSON.AsString (JSON.GetByName (SSO.LogAttributes, "origin")) matches SSO.*

Cycles – Requests (and IM), Responses, Embedded Objects

The SSO.LogAttributes property is a JSON object containing the SSO request attributes shown in the following table. The SSO Log rule
set generates the SSO access log and optionally the SSO trace log from the attributes in the JSON object.

SSO.LogAttributes property

SSO request log attribute Definition

action Specifies the name of the internal action performed in
response to the SSO request. Examples include:
• LoadLaunchpad
• GetServices
• StartHTMLLogin, StartSAMLLogin, and StartIceTokenLogin
• AddCredentials, UpdateCredentials, and DeleteCredentials

config Specifies the name of the settings used by the internal action
performed in response to the SSO request.

message Describes the SSO request.

origin Specifies the source of the values that the proxy copies to the
SSO.LogAttributes property. The source can be one of the
following SSO components:
• SSO.Client — The proxy copies the values provided by the
client (browser) to this property without checking them first.
• SSO.Proxy — The proxy checks the values provided by the
client (browser) before copying them to this property.
SSO.Client values are used by developers when testing and
debugging SSO features and are included in the SSO trace log.

For security reasons, only values checked by the proxy
(SSO.Proxy values) are included in the SSO access log.

level Specifies the log level. Only SSO requests having a log level of
four or less are included in the SSO access log. SSO requests
having a log level higher than four are also included in the
SSO trace log, which is more detailed.
The log levels are:
• Off (0) — Logging is turned off.
• Error (1, 2) — Only error messages are logged.
• Info (3, 4) — Error and info messages are logged to the SSO
access log file.
• Full (5, 6) — All messages are logged to the SSO trace log file.

service Specifies the name of the cloud service in the SSO request.

outward Specifies whether Web Gateway performs the web server role
or the web server is external to Web Gateway. This attribute
has one of the following values:
• FALSE — Web Gateway is the destination of the SSO request
and creates the SSO response. In this case, Web Gateway
performs the role of a web server. For example, Web
Gateway performs the web server role when the user
accesses the launchpad.
• TRUE — The SSO request is directed to an external web
server, which creates the SSO response. In this case, Web
Gateway does not perform the role of a web server.

SSO Access Log rule set


If the Access Log rule set's criteria are met, the rule in this rule set writes a log entry to the SSO access log file. Each SSO log entry
corresponds to one SSO request. To meet the criteria, the SSO component making the request must be the proxy and the log
level in the request must be less than or equal to four.

Nested library rule set – Access Log

Criteria – JSON.AsString (JSON.GetByName (SSO.LogAttributes, "origin")) matches SSO.Proxy* AND JSON.AsNumber (JSON.GetByName
(SSO.LogAttributes, "level")) less than or equals 4

Cycles – Requests (and IM), Responses, Embedded Objects

This rule set contains the following rule.

Write sso_access.log

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.logLine = DateTime.ToWebReporterString


+ " ""
+ Authentication.UserName
+ "" "

+ String.ReplaceIfEquals (IP.ToString (Client.IP), "", "-")
+""
+ String.ReplaceIfEquals (Number.ToString (Response.StatusCode), "", "-")
+ " ""
+ Request.Header.FirstLine
+ "" "
+ """
+ JSON.AsString (JSON.GetByName (SSO.LogAttributes, "action"))
+ "" ""
+ JSON.AsString (JSON.GetByName (SSO.LogAttributes, "service"))
+ "" ""
+ JSON.AsString (JSON.GetByName (SSO.LogAttributes, "message"))
+ """
FileSystemLogging.WriteLogEntry (User-Defined.logLine)<SSO Access Log>

This rule creates the SSO access log entry, then writes the entry to the SSO access log file. The rule creates the log entry by
retrieving the following information in string format and concatenating the strings:
• Date and time stamp in Web Reporter format
• User name
• Client IP address (if it exists)
• Status code in the response (if it exists)
• First line of the SSO request header
• Type of SSO request (action)
• Name of the cloud service in the SSO request (service)
• Description of the SSO request (message)
Note: To open and configure the file system log settings, click <SSO Access Log>.

SSO Trace Log rule set


The rules in the Trace Log rule set build an SSO trace log entry and write it to the SSO trace log file. The trace log is more detailed
than the access log and is intended for debugging the SSO feature.
Note: The Trace Log rule set is disabled by default. When you enable trace logging, we recommend that you set the log level to Full.
To locate the log level setting, select Policy → Settings → Engines → Single Sign On → Default → Advanced Settings.

Nested library rule set – Trace Log

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

This rule set contains the following rules.

Web reporter timestamp

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.logLine = DateTime.ToWebReporterString

This rule sets the SSO trace log entry equal to the date and time stamp in Web Reporter format.



Add all sso attributes

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.logLine = User-Defined.logLine


+ " '"
+ JSON.ToString (SSO.LogAttributes)
+ "'"

This rule adds the SSO log attributes in string format to the existing SSO trace log entry.

Add firstline for outward requests

Rule element Definition

Criteria JSON.AsBool (JSON.GetByName (SSO.LogAttributes, "outward")) equals true

Action Continue

Events Set User-Defined.logLine = User-Defined.logLine


+ " '"
+ Request.Header.FirstLine
+ "'"

If the SSO request is handled by an external web server, this rule adds the first line of the request header to the SSO trace log
entry.

Add firstline

Rule element Definition

Criteria Always

Action Continue

Events Set User-Defined.logLine = User-Defined.logLine


+ " '"
+ Request.Header.FirstLine
+ "'"

This rule is disabled by default. When enabled, it adds the first line of the SSO request header to the SSO trace log entry for
external and internal requests.

Write sso_trace.log

Rule element Definition

Criteria Always

Action Continue

Events FileSystemLogging.WriteLogEntry (User-Defined.logLine)<SSO Trace Log>



This rule writes the SSO trace log entry to the SSO trace log file. To open and configure the file system log settings, click <SSO Trace
Log>.

SSO Stop Logging rule set


The SSO Stop Logging rule set stops the logging cycle after internal SSO requests are logged to the SSO access log and before they
can be logged to the general access log.

Nested library rule set – Stop Logging

Criteria – Always

Cycles – Requests (and IM), Responses, Embedded Objects

This rule set contains one rule.

Avoid additional logging of internal SSO requests

Rule element Definition

Criteria JSON.AsBool (JSON.GetByName (SSO.LogAttributes, "outward")) equals false

Action Stop Cycle

Events None

If the SSO request is handled by Web Gateway internally, this rule stops the current cycle of the SSO Log rule set. This action
prevents internal SSO requests from being logged to the general access log.
Note: For this rule to be effective, you must add the SSO Log rule set to the Log Handler tree above the Default logging rule set.
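The Python below is an added example, not the guide's or the product's own code. It covers the SSO Log, Access Log and Stop Logging rule sets described above: `sso_log_targets` decides, from the SSO.LogAttributes values, which logs an SSO request reaches (and whether it goes on to the general access log), and `build_access_log_line` and `parse_access_log_line` construct and read back the line format that the Write sso_access.log rule concatenates. `SAMPLE_ATTRS` and `SAMPLE_TIMESTAMP` are constructed; the bracketed timestamp layout is an assumption about the Web Reporter format.

```python
import re
from typing import Optional


def sso_log_targets(attrs: dict, trace_log_enabled: bool = False) -> dict:
    """attrs is the SSO.LogAttributes JSON object as a dict."""
    origin = str(attrs.get("origin", ""))
    level = int(attrs.get("level", 0))
    # SSO Log rule set criteria: origin matches SSO.*
    if not origin.startswith("SSO."):
        return {"sso_access": False, "sso_trace": False, "general_access": True}
    # Access Log: only proxy-checked values (SSO.Proxy*) with level <= 4
    sso_access = origin.startswith("SSO.Proxy") and level <= 4
    # Trace Log: criteria Always, but the rule set is disabled by default
    sso_trace = trace_log_enabled
    # Stop Logging: outward == false stops the cycle before the Default logging rule set
    general_access = bool(attrs.get("outward", False))
    return {"sso_access": sso_access, "sso_trace": sso_trace, "general_access": general_access}


def _or_dash(value) -> str:
    """String.ReplaceIfEquals(x, "", "-"): an empty value is written as '-'."""
    text = "" if value is None else str(value)
    return text if text != "" else "-"


def build_access_log_line(timestamp: str, user: str, client_ip, status,
                          first_line: str, attrs: dict) -> str:
    """Same field order as the Write sso_access.log event: timestamp, "user",
    client IP, status code, "request first line", "action" "service" "message"."""
    return (f'{timestamp} "{user}" {_or_dash(client_ip)} {_or_dash(status)} '
            f'"{first_line}" "{attrs["action"]}" "{attrs["service"]}" "{attrs["message"]}"')


ACCESS_LINE_RE = re.compile(
    r'^(?P<timestamp>\[[^\]]+\]) "(?P<user>[^"]*)" (?P<client_ip>\S+) (?P<status>\S+) '
    r'"(?P<first_line>[^"]*)" "(?P<action>[^"]*)" "(?P<service>[^"]*)" "(?P<message>[^"]*)"$')


def parse_access_log_line(line: str) -> Optional[dict]:
    """Read one sso_access.log line back into fields; None if it does not match."""
    match = ACCESS_LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["client_ip"] = None if record["client_ip"] == "-" else record["client_ip"]
    record["status"] = None if record["status"] == "-" else int(record["status"])
    return record


# Constructed SSO.LogAttributes for an internal SAML login request.
SAMPLE_ATTRS = {"origin": "SSO.Proxy", "level": 3, "action": "StartSAMLLogin",
                "config": "Default", "service": "ExampleCloudApp",
                "message": "SAML login started", "outward": False}
SAMPLE_TIMESTAMP = "[02/Jan/2020:10:15:30 +0000]"   # constructed; format assumed


if __name__ == "__main__":
    print(sso_log_targets(SAMPLE_ATTRS))
    line = build_access_log_line(SAMPLE_TIMESTAMP, "alice", "10.0.0.5", 302,
                                 "GET /launchpad HTTP/1.1", SAMPLE_ATTRS)
    print(line)
    print(parse_access_log_line(line))
```

The rule concatenates the action, service and message values between plain quotation marks without escaping, so a quotation mark inside one of those values would not parse with the strict pattern above; a log pipeline that consumes sso_access.log should anchor on the fixed leading fields (timestamp, user, IP, status) and treat the tail tolerantly.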

Time Quota rule set


The Time Quota rule set is a library rule set for imposing time quotas on web usage.

Library rule set – Time Quota

Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other communication, which
does not use the CONNECT command at the beginning.
The following rule sets are nested in this rule set:
• Time Quota With URL Configuration
• Time Quota With IP Configuration
This rule set is not enabled initially.
• Time Quota With Authenticated User Configuration
This rule set is not enabled initially.

Time Quota With URL Configuration


This nested rule set handles time quotas related to URL categories.

Nested library rule set – Time Quota With URL Configuration

Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Time Quota


Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls into a category on the
blocking list for time quotas related to URL categories.
The rule set contains the following rules:

Redirecting after starting new time session

Quota.Time.IsActivationRequest equals true –> Redirect<Redirection After Time Session Activation>

The rule redirects a request to let a user again access a web object after session time has been exceeded and the user has
chosen to continue with a new session.

The action settings specify a message to the requesting user.

Check if time session has been exceeded

Quota.Time.SessionExceeded<URL Category Configuration> equals true –> Block<ActionTimeSessionBlocked>

The rule uses the Quota.Time.SessionExceeded property to check whether the configured session time has been exceeded for
a user. If it has, the user’s request for web access is blocked.

The URL Category Configuration settings, which are specified with the property, are the settings of the module that handles
time quotas.

The action settings specify a message to the requesting user.

Check if time quota has been exceeded

Quota.Time.Exceeded<URL Category Configuration> equals true –> Block<ActionTimeQuotaBlocked>

The rule uses the Quota.Time.Exceeded property to check whether the configured time quota has been exceeded for a user.
If it has, the user’s request for web access is blocked.

The URL Category Configuration settings, which are specified with the property, are the settings of the module that handles
time quotas.

The action settings specify a message to the requesting user.

Time Quota With IP Configuration


This nested rule set handles time quotas related to IP addresses.

Nested library rule set – Time Quota With IP Configuration

Criteria – Client.IP is in list IP Blocklist for Time Quota

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request from a client with an IP address that is on the
blocking list for time quotas related to IP addresses.



The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for the module settings that
appear in the rule criteria, which are IP Configuration.

Time Quota With Authenticated User Configuration


This nested rule set handles time quotas related to user names.

Nested library rule set – Time Quota With Authenticated User Configuration

Criteria – Authenticated.RawUserName is in list User Blocklist for Time Quota

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a request is sent by a user whose user name is on the blocking list for
time quotas related to user names.
The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for the module settings that
appear in the rule criteria, which are Authenticated User Configuration.
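The three Time Quota rules above fire in a fixed order: an activation request is redirected first, then an exceeded session blocks, then an exceeded quota blocks. The Python below is an added, simplified model of that order, not the guide's or the product's code; how the appliance actually measures session and quota time is not described on this page, so the accounting in `TimeQuota` (a session is opened by the first request, closed at activation, and charged to the quota capped at the session length) is an assumption. The `key` argument stands for whichever list entry the request matched (URL category, client IP or user name) in the three nested rule sets.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class QuotaState:
    session_start: Optional[float] = None   # start of the current session, in seconds
    consumed: float = 0.0                    # seconds charged to the quota by closed sessions


class TimeQuota:
    """Simplified stand-in for the module that handles time quotas (assumption)."""

    def __init__(self, session_seconds: float, quota_seconds: float):
        self.session_seconds = session_seconds
        self.quota_seconds = quota_seconds
        self.states: Dict[str, QuotaState] = {}

    def _close_session(self, state: QuotaState, now: float) -> None:
        if state.session_start is not None:
            state.consumed += min(now - state.session_start, self.session_seconds)
        state.session_start = None

    def evaluate(self, key: str, now: float, is_activation_request: bool = False) -> str:
        """Return the action of the first rule whose criteria match."""
        state = self.states.setdefault(key, QuotaState())
        # Rule 1: Redirecting after starting new time session
        if is_activation_request:                    # Quota.Time.IsActivationRequest
            self._close_session(state, now)
            state.session_start = now
            return "Redirect <Redirection After Time Session Activation>"
        if state.session_start is None:
            state.session_start = now                # first request opens a session
        elapsed = now - state.session_start
        # Rule 2: Check if time session has been exceeded (Quota.Time.SessionExceeded)
        if elapsed > self.session_seconds:
            return "Block <ActionTimeSessionBlocked>"
        # Rule 3: Check if time quota has been exceeded (Quota.Time.Exceeded)
        if state.consumed + elapsed > self.quota_seconds:
            return "Block <ActionTimeQuotaBlocked>"
        return "Continue"


if __name__ == "__main__":
    # Constructed walk-through: 10-minute sessions against a 25-minute quota.
    quota = TimeQuota(session_seconds=600, quota_seconds=1500)
    for now, activation in [(0, False), (700, False), (700, True), (1350, False),
                            (1350, True), (1700, False)]:
        print(now, quota.evaluate("alice", now, activation))
```

The walk-through shows why the session rule precedes the quota rule: a user whose session has run out is blocked and offered a new session, and only when the sum of closed sessions plus the running one passes the quota does the quota block take over, after which a new session no longer helps.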

URL Filtering rule set


The URL Filtering rule set is the default rule set for URL filtering.
When working with this rule set, you can use different views:
• Key elements view — Allows you to configure key elements of the rules in this rule set.
Key elements are those parts of the rules that you will most likely want to work with when configuring your policy for a
particular field of web security. You can also enable or disable some rules in this view.
• Complete rules view — Allows you to view all rules in the rule set and to configure all their elements, including the key
elements.
You can also enable or disable, move, copy, or delete any of the existing rules, as well as create new rules in this view.

General rule
The URL Filtering rule set includes a general rule and two nested rule sets for performing different kinds of URL filtering.
The general rule is by default processed before the work flow continues with the nested rule sets.

Name

Set policy-filtered flag

Criteria Action Event

Always –> Continue Set User-Defined.alreadyFiltered = false

The rule uses an event to set a user-defined property for indicating whether the URL filtering rules were already processed for a
given request to false.
The property serves as a flag, which is checked at the beginning of each of the two nested rule sets. When the first nested rule
set is processed, a rule in this rule set sets the flag to true.
When processing of the first rule set is completed or the rule set was not processed because its criteria was not matched, the
value of the flag is checked in the criteria of the second rule set.
If the value of the flag is true, the second rule set is not processed, as URL filtering has already been performed under the rules
of the first rule set. Otherwise, the second rule set is processed.

Nested rule sets


The following nested rule sets are by default included in the URL Filtering rule set:
• Special URL Filtering Group rule set — Allows you to specify particular users, user groups, and ranges of IP addresses that URL
filtering is performed for.



• Default rule set — Lets you perform URL filtering for all users, user groups, and IP addresses.
The key elements view and the complete rules view are both available for each of these nested rule sets.

Key elements of the Special URL Filtering Group rule set


The key elements of the Special URL Filtering Group rule set for URL filtering deal with important parts of this process.

Special URL Filtering


Key elements for performing URL filtering according to users, user groups, and IP address ranges.

Special URL Filtering

Option Definition

User groups to include Clicking Edit opens a window where you can edit a string list of
user groups that URL filtering is to be performed for.

Users to include Clicking Edit opens a window where you can edit a string list of
users that URL filtering is to be performed for.

IP ranges to include Clicking Edit opens a window where you can edit a list of IP
address ranges that URL filtering is to be performed for.

Basic Filtering
Key elements for performing basic URL filtering.

Basic Filtering

Option Definition

URL whitelist Clicking Edit opens a window to let you edit the URL whitelist
that is used by a rule.
You can add, modify, and remove entries on the list.

URL blocklist Clicking Edit opens a window to let you edit the URL blocklist
that is used by a rule.
You can add, modify, and remove entries on the list.

URL category blocklist Clicking Edit opens a window to let you edit the URL category
blocklist that is used by a rule.
You can add, modify, and remove entries on the list.

SafeSearch
Key elements for integrating SafeSearch in the URL filtering process.

SafeSearch

Option Definition

Enable SafeSearch When selected, a rule is enabled that controls the SafeSearch
part of the URL filtering process.

SafeSearch settings Clicking Edit opens a window to let you edit the settings for the
SafeSearch Enforcer module (or engine).
This module handles the integration of the SafeSearch
Enforcer, which is an additional web security product, in the
URL filtering process on Web Gateway.



GTI reputation
Key element for evaluating reputation scores retrieved from the Global Threat Intelligence service within the URL filtering
process.

GTI reputation

Option Definition

Block URLs with a High Risk reputation When selected, a rule is enabled that blocks URLs with a
reputation score that lets them appear to be a high or
medium risk to web security.
The reputation score of a URL is established by the Global
Threat Intelligence service, which is provided by McAfee. It is
retrieved from this service by the URL Filter module.

Uncategorized URLs
Key element for handling URLs that could not be categorized during the URL filtering process.

Uncategorized URLs

Option Definition

Uncategorized URLs Selecting Block enables a rule that blocks requests for access
to web objects with URLs that could not be categorized during
the URL filtering process.
Selecting Allow means that no action is executed by this rule.
URL filtering continues with processing the next rule.

Complete rules of the Special URL Filtering Group rule set


When working with the complete rules of the Special URL Filtering Group rule set for URL filtering, all rules and rule elements of this
rule set can be viewed and configured.

Nested default rule set – Special URL Filtering Group

Criteria – User-Defined.alreadyFiltered = false

Cycles – Requests (and IM)

The rule set contains the following rules.

Allow URLs that match in URL WhiteList

URL matches in list URLWhiteList –> Stop Rule Set

The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, processing of the rule set
stops and the blocking rules that follow the whitelisting rule are not processed.

You can use this rule to exempt URLs from filtering to make sure they are available to the users of your network and do not
get blocked by any of the following blocking rules. Whitelisting also increases performance because it avoids the effort of
retrieving information about the respective URLs.

Block URLs that match in URL BlockList

URL matches in list URL BlockList –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>



The rule uses the URL property to check whether a given URL is on the specified blocking list. If it is, processing of all rules
stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way.

The action settings specify a message to the requesting user.

The rule also uses an event to count blocking due to URL filtering. The event parameters specify the counter that is
incremented and the size of the increment. The event settings specify the settings of the Statistics module, which executes
the counting.

Enable SafeSearchEnforcer

Always –> Continue — Enable SafeSearchEnforcer<Default>

The rule enables the SafeSearchEnforcer, which is an additional module for filtering access to web sites with adult content.

The enabling is done by executing an event. The settings of the module are specified with the event.

Processing continues with the next rule.

Allow uncategorized URLs

List.OfCategory.IsEmpty(URL.Categories<Default>) equals true –> Stop Rule Set

The rule uses the List.OfCategory.IsEmpty property, which has the URL.Categories property as a parameter, to check whether
the list of categories for categorizing a URL is empty. This would mean that the URL is uncategorized, as it could not be
assigned to any of the existing categories. Specifying the URL.Categories property as a parameter ensures that it is a
particular list of categories that is checked. It is the list that is the value of this property.

To provide a list of categories as the value for the URL.Categories property, the URL Filter module is called, which retrieves
this list from the Global Threat Intelligence system. The module runs with the specified Default settings.

If a URL is uncategorized, processing of the rule set stops and the blocking rules that follow this rule are not processed. The
request for the URL is forwarded to the appropriate web server and, unless access to the URL is blocked in the response or
embedded object cycle, the user is allowed to access the web object that was requested by submitting the URL.

Block URLs whose category is in URL Category BlockList

URL.Categories<Default> at least one in list Category BlockList –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>

The rule uses the URL.Categories property to check whether one of the categories a given URL belongs to is on the specified
blocking list. The URL Filter module, which is called to retrieve information on these categories, runs with the Default
settings, as specified with the property.

If one of the URL’s categories is on the list, processing of all rules stops and the request for access to the URL is not passed
on to the appropriate web server. Access to it is blocked this way.

The URLBlocked action settings specify that the user who requested this access is notified of the blocking.

The rule also uses an event to count blocking due to URL filtering in the same way as the blocking rule for individual URLs in
this rule set.


Block URLs with bad reputation

URL.IsHighRisk<Default> equals true –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>

The rule uses the URL.IsHighRisk property to find out whether a URL has a reputation that lets access to it appear as a high
risk. If the value for this property is true, processing of all rules stops and the request for access to the URL is not passed on
to the appropriate web server. Access to it is blocked this way.

The reputation score is retrieved by the URL Filter module, which runs with the settings specified after the property.

The URLBlocked action settings specify that the user who requested this access is notified of the blocking.

The rule also uses an event to count blocking due to URL filtering in the same way as the blocking rule for individual URLs in
this rule set.

Key elements of the Default rule set for URL filtering


The key elements of the Default rule set for URL filtering deal with important parts of this process.

Basic Filtering
Key elements for performing basic URL filtering.

Basic Filtering

| Option | Definition |
|---|---|
| URL whitelist | Clicking Edit opens a window to let you edit the URL whitelist that is used by a rule. You can add, modify, and remove entries on the list. |
| URL blocklist | Clicking Edit opens a window to let you edit the URL blocklist that is used by a rule. You can add, modify, and remove entries on the list. |
| URL category blocklist | Clicking Edit opens a window to let you edit the URL category blocklist that is used by a rule. You can add, modify, and remove entries on the list. |

SafeSearch
Key elements for integrating SafeSearch in the URL filtering process.

SafeSearch

| Option | Definition |
|---|---|
| Enable SafeSearch | When selected, a rule is enabled that controls the SafeSearch part of the URL filtering process. |
| SafeSearch settings | Clicking Edit opens a window to let you edit the settings for the SafeSearch Enforcer module (or engine). This module handles the integration of the SafeSearch Enforcer, which is an additional web security product, in the URL filtering process on Web Gateway. |

GTI reputation
Key element for evaluating reputation scores retrieved from the Global Threat Intelligence service within the URL filtering
process.


GTI reputation

| Option | Definition |
|---|---|
| Block URLs with a High Risk reputation | When selected, a rule is enabled that blocks URLs with a reputation score that lets them appear to be a high or medium risk to web security. The reputation score of a URL is established by the Global Threat Intelligence service, which is provided by McAfee. It is retrieved from this service by the URL Filter module. |

Uncategorized URLs
Key element for handling URLs that could not be categorized during the URL filtering process.

Uncategorized URLs

| Option | Definition |
|---|---|
| Uncategorized URLs | Selecting Block enables a rule that blocks requests for access to web objects with URLs that could not be categorized during the URL filtering process. Selecting Allow means that no action is executed by this rule. URL filtering continues with processing the next rule. |

Complete rules of the Default rule set for URL filtering


When working with the complete rules of the Default rule set for URL filtering, all rules and rule elements of this rule set can be
viewed and configured.

Nested default rule set – Default

Criteria – User-Defined.alreadyFiltered = false

Cycles – Requests (and IM)

The rule set contains the following rules.

Allow URLs that match in URL WhiteList

URL matches in list URLWhiteList –> Stop Rule Set

The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is, processing of the rule set
stops and the blocking rules that follow the whitelisting rule are not processed.

You can use this rule to exempt URLs from filtering to make sure they are available to the users of your network and do not
get blocked by any of the following blocking rules. Whitelisting also increases performance because it avoids the effort of
retrieving information about the respective URLs.

Block URLs that match in URL BlockList

URL matches in list URL BlockList –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>

The rule uses the URL property to check whether a given URL is on the specified blocking list. If it is, processing of all rules
stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way.


The action settings specify a message to the requesting user.

The rule also uses an event to count blocking due to URL filtering (the counter is BlockedByURLFilter). The event parameters specify the
counter that is incremented and the size of the increment. The event settings specify the settings of the Statistics module,
which executes the counting.

Enable SafeSearchEnforcer

Always –> Continue — Enable SafeSearchEnforcer<Default>

The rule enables the SafeSearchEnforcer, which is an additional module for filtering access to web sites with adult content.

The enabling is done by executing an event. The settings of the module are specified with the event.

Processing continues with the next rule.

Allow uncategorized URLs

List.OfCategory.IsEmpty(URL.Categories<Default>) equals true –> Stop Rule Set

The rule uses the List.OfCategory.IsEmpty property, which has the URL.Categories property as a parameter, to check whether
the list of categories for categorizing a URL is empty. This would mean that the URL is uncategorized, as it could not be
assigned to any of the existing categories. Specifying the URL.Categories property as a parameter ensures that it is a
particular list of categories that is checked. It is the list that is the value of this property.

To provide a list of categories as the value for the URL.Categories property, the URL Filter module is called, which retrieves
this list from the Global Threat Intelligence system. The module runs with the specified Default settings.

If a URL is uncategorized, processing of the rule set stops and the blocking rules that follow this rule are not processed. The
request for the URL is forwarded to the appropriate web server and, unless access to the URL is blocked in the response or
embedded object cycle, the user is allowed to access the web object that was requested by submitting the URL.

Block URLs whose category is in URL Category BlockList

URL.Categories<Default> at least one in list Category BlockList –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>

The rule uses the URL.Categories property to check whether one of the categories a given URL belongs to is on the specified
blocking list. The URL Filter module, which is called to retrieve information on these categories, runs with the Default
settings, as specified with the property.

If one of the URL’s categories is on the list, processing of all rules stops and the request for access to the URL is not passed
on to the appropriate web server. Access to it is blocked this way.

The URLBlocked action settings specify that the user who requested this access is notified of the blocking.

The rule also uses an event to count blocking due to URL filtering in the same way as the blocking rule for individual URLs in
this rule set.

Block URLs with bad reputation


URL.IsHighRisk<Default> equals true –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>

The rule uses the URL.IsHighRisk property to find out whether a URL has a reputation that lets access to it appear as a high
risk. If the value for this property is true, processing of all rules stops and the request for access to the URL is not passed on
to the appropriate web server. Access to it is blocked this way.

The reputation score is retrieved by the URL Filter module, which runs with the settings specified after the property.

The URLBlocked action settings specify that the user who requested this access is notified of the blocking.

The rule also uses an event to count blocking due to URL filtering in the same way as the blocking rule for individual URLs in
this rule set.
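As an added illustration (not Web Gateway code and not from this guide), the following Python model runs the rule order of the Default URL filtering rule set described above together with the action semantics from the List of actions; it assumes constructed list contents, hostnames and GTI results in place of the URL Filter module, and models the Uncategorized URLs key element as a parameter. It makes the ordering visible: a whitelisted URL skips every later check, and under the Allow default an uncategorized URL stops the rule set before its reputation is examined.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlsplit

# Constructed stand-ins for the three lists edited under "Basic Filtering".
URL_WHITELIST = {"intranet.example.test"}
URL_BLOCKLIST = {"bad.example.test"}
URL_CATEGORY_BLOCKLIST = {"Gambling", "Malicious Sites"}

# Constructed stand-in for the URL Filter module's GTI lookup: host -> (categories,
# high-risk flag). An empty category set is an uncategorized URL; note that such a
# URL can still carry a high-risk reputation.
GTI_LOOKUP = {
    "news.example.test": ({"News/Media"}, False),
    "casino.example.test": ({"Gambling"}, False),
    "bad.example.test": ({"Malicious Sites"}, True),
    "risky.example.test": ({"Business"}, True),
    "unknown.example.test": (set(), True),
}


@dataclass
class Request:
    url: str
    safesearch_enabled: bool = False
    counters: dict = field(default_factory=dict)

    @property
    def host(self) -> str:              # the URL property, reduced to its host part
        return urlsplit(self.url).hostname or ""

    def categories(self) -> set:        # URL.Categories<Default>
        return GTI_LOOKUP.get(self.host, (set(), False))[0]

    def is_high_risk(self) -> bool:     # URL.IsHighRisk<Default>
        return GTI_LOOKUP.get(self.host, (set(), False))[1]


def count_blocked(req: Request) -> None:
    """Statistics.Counter.Increment("BlockedByURLFilter", 1) event."""
    req.counters["BlockedByURLFilter"] = req.counters.get("BlockedByURLFilter", 0) + 1


def enable_safesearch(req: Request) -> None:
    """Enable SafeSearchEnforcer event."""
    req.safesearch_enabled = True


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str                         # "Stop Rule Set", "Block" or "Continue"
    events: list = field(default_factory=list)


def default_url_filtering(uncategorized: str = "Allow") -> list:
    """The rules in the order the guide lists them. `uncategorized` models the
    "Uncategorized URLs" key element: "Allow" (the default) or "Block"."""
    if uncategorized == "Block":
        uncategorized_rule = Rule("Block uncategorized URLs",
                                  lambda r: not r.categories(), "Block", [count_blocked])
    else:
        uncategorized_rule = Rule("Allow uncategorized URLs",
                                  lambda r: not r.categories(), "Stop Rule Set")
    return [
        Rule("Allow URLs that match in URL WhiteList",
             lambda r: r.host in URL_WHITELIST, "Stop Rule Set"),
        Rule("Block URLs that match in URL BlockList",
             lambda r: r.host in URL_BLOCKLIST, "Block", [count_blocked]),
        Rule("Enable SafeSearchEnforcer", lambda r: True, "Continue", [enable_safesearch]),
        uncategorized_rule,
        Rule("Block URLs whose category is in URL Category BlockList",
             lambda r: bool(r.categories() & URL_CATEGORY_BLOCKLIST), "Block", [count_blocked]),
        Rule("Block URLs with bad reputation", lambda r: r.is_high_risk(), "Block", [count_blocked]),
    ]


def process_rule_set(rules: list, req: Request) -> tuple:
    """Action semantics from the List of actions: Block stops all processing, Stop Rule
    Set skips the remaining rules of this set, Continue goes on to the next rule.
    Returns (outcome, name of the rule that decided)."""
    for rule in rules:
        if not rule.criteria(req):
            continue
        for event in rule.events:       # events fire whenever the rule applies
            event(req)
        if rule.action == "Block":
            return "blocked", rule.name
        if rule.action == "Stop Rule Set":
            return "passed", rule.name
    return "passed", None               # end of rule set: request goes to the web server


def filter_url(url: str, uncategorized: str = "Allow") -> tuple:
    """Returns (outcome, deciding rule, BlockedByURLFilter count, SafeSearch enabled)."""
    req = Request(url)
    outcome, rule = process_rule_set(default_url_filtering(uncategorized), req)
    return outcome, rule, req.counters.get("BlockedByURLFilter", 0), req.safesearch_enabled


if __name__ == "__main__":
    for host in ("intranet", "bad", "unknown", "casino", "risky", "news"):
        print(host, filter_url(f"http://{host}.example.test/"))
```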

Volume Quota rule set


The Volume Quota rule set is a library rule set for imposing volume quotas on web usage.

Library rule set – Volume Quota

Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other communication that does
not use the CONNECT command at the beginning.

The following rule sets are nested in this rule set:

• Volume Quota With URL Configuration
• Volume Quota With IP Configuration
This nested rule set is not enabled initially.
• Volume Quota With Authenticated User Configuration
This nested rule set is not enabled initially.
• Volume Quota With Media Type Configuration
This nested rule set is not enabled initially.

Volume Quota With URL Configuration


This nested rule set handles volume quotas related to URL categories.


Nested library rule set – Volume Quota With URL Configuration

Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Volume Quota

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls into a category on the
blocking list for volume quotas related to URL categories.
The rule set contains the following rules:

Redirecting after starting new time session

Quota.Volume.IsActivationRequest<URL Category Configuration> equals true –> Redirect<Redirection After Volume Session Activation>

The rule redirects a request to let a user again access a web object after the session volume has been exceeded and the user has
chosen to continue with a new session.

The URL Category Configuration settings, which are specified with the property, are the settings of the module that handles
volume quotas.

The action settings specify a message to the requesting user.

Check if volume session has been exceeded

Quota.Volume.SessionExceeded<URL Category Configuration> equals true –> Block<ActionVolumeSessionBlocked>

The rule uses the Quota.Volume.SessionExceeded property to check whether the configured session volume has been exceeded
for a user. If it has, the user’s request for web access is blocked.

The URL Category Configuration settings, which are specified with the property, are the settings of the module that handles
volume quotas.

The action settings specify a message to the requesting user.

Check if volume quota has been exceeded

Quota.Volume.Exceeded<URL Category Configuration> equals true –> Block<ActionVolumeSessionBlocked>

The rule uses the Quota.Volume.Exceeded property to check whether the configured volume quota has been exceeded for a
user. If it has, the user’s request for web access is blocked.

The URL Category Configuration settings, which are specified with the property, are the settings of the module that handles
volume quotas.

The action settings specify a message to the requesting user.

Volume Quota With IP Configuration


This nested rule set handles volume quotas related to IP addresses.


Nested library rule set – Volume Quota With IP Configuration

Criteria – Client.IP is in list IP Blocklist for Volume Quota

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a user sends a request from a client with an IP address that is on the
blocking list for volume quotas related to IP addresses.
The rules in this rule set are the same as in the Volume Quota With URL Configuration rule set, except for the module settings
that appear in the rule criteria, which are IP Configuration.

Volume Quota With Authenticated User Configuration


This nested rule set handles volume quotas related to user names.

Nested library rule set – Volume Quota With Authenticated User Configuration

Criteria – Authenticated.RawUserName is in list User Blocklist for Volume Quota

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a request is sent by a user whose user name is on the blocking list for
volume quotas related to user names.
The rules in this rule set are the same as in the Volume Quota With URL Configuration rule set, except for the module settings
that appear in the rule criteria, which are Authenticated User Configuration.

Volume Quota With Media Type Configuration


This nested rule set handles volume quotas related to media types.

Nested library rule set – Volume Quota With Media Type Configuration

Criteria – MediaType.FromFileExtension at least one in list Media Type Blocklist for Volume Quota

Cycle – Requests (and IM)

The rule set criteria specifies that the rule set applies when a request is sent to access a web object belonging to a media type
that is on the blocking list for volume quotas related to media types.
The rules in this rule set are the same as in the Volume Quota With URL Configuration rule set, except for the module settings
that appear in the rule criteria, which are Media Type Configuration.

Web Cache rule set


The Web Cache rule set is a library rule set for web caching.

Library rule set – Web Cache

Criteria – Always

Cycles – Requests (and IM), Responses

The following rule sets are nested in this rule set:


• Read from Cache
• Write to Cache

Read from Cache


This nested rule set enables the reading of web objects from the cache and forbids it for URLs that are on a bypassing list.


Nested library rule set – Read from Cache

Criteria – Always

Cycles – Requests (and IM)

The rule set contains the following rules.

Skip caching URLs that are in Web Cache URL Bypass List

URL matches in list Web Cache URL Bypass List –> Stop Rule Set

The rule uses the URL property to check whether a requested URL is on the specified bypass list.

If it is, processing of the rule set stops. The rule that enables reading from the cache is then not processed.

Processing continues with the next rule set.

Enable Web Cache

Always –> Continue — Enable Web Cache

The rule is always processed unless it is skipped because the bypassing rule placed before it in the rule set applies. It
enables the web cache, so objects stored in it can be read.

Processing continues with the next rule set.

Write to Cache
This nested rule set enables the writing of web objects to the cache and forbids it for large objects, as well as for URLs and media
types on particular bypassing lists.

Nested library rule set – Write to Cache

Criteria – Always

Cycles – Responses

The rule set contains the following rules.

Skip caching URLs that are in Web Cache URL Bypass List

URL matches in list Web Cache URL Bypass List –> Stop Rule Set

The rule uses the URL property to check whether a requested URL is on the specified bypass list.

If it is, processing of the rule set stops. The rule that enables writing to the cache is then not processed.

Processing continues with the next rule set.

Skip caching objects that are larger than x bytes

StringToNumber(Header.Response.Get("Content-Length")) greater than 8388608 –> Stop Rule Set


The rule uses the StringToNumber property, which takes the Header.Response.Get property as a parameter, to find out the size in
bytes of a given web object.

The web object is the one that is sent in response to a request to Web Gateway. Its size in bytes is submitted in the Content-
Length part of the header that is sent with the body of the object.

This part is configured as a parameter of the Header.Response.Get property, which lets the object size be retrieved as value of
this property. The StringToNumber property is used to convert the header part that contains the size in string format into a
numerical value.

If the number of bytes found in this way exceeds the number that is configured as the value of the operand, processing of
the rule set stops. The rule that enables writing to the cache is then not processed.

Processing continues with the next rule set.

The rule is not enabled by default.

Skip caching media types that are in Web Cache Media Type Bypass List

URL matches in list Web Cache Media Type Bypass List –> Stop Rule Set

The rule uses the URL property to check whether a requested URL is on the specified bypass list.

If it is, processing of the rule set stops. The rule that enables writing to the cache is then not processed.

Processing continues with the next rule set.

Enable Web Cache

Always –> Continue — Enable Web Cache

The rule is always processed unless it is skipped because one of the bypassing rules placed before it in the rule set applies. It
enables the web cache, so objects can be written to it.

Processing continues with the next rule set.


Configuration lists
Lists of items for configuring Web Gateway provide an overview and guidance on how to use them. Some items, such as IP
addresses and ports, are used for configuring the appliance system that a web security policy is run on, others, such as
properties and actions, are used for configuring this policy.

System configuration
The following list is important for system configuration:
• List of open ports — Several network ports must be open on the firewall if one exists in a configuration to enable
communication between Web Gateway and update servers or databases outside the local network.

Policy configuration
The following lists are important for policy configuration:
• List of actions — Actions are configured in web security rules to protect your network against threats arising from the web.
• List of block reason IDs — Block reason IDs are configured in block messages to identify the reasons why user requests for
web access were blocked.
• List of error IDs — Error IDs are configured in the criteria of web security rules to identify errors when measures are taken for
handling them.
• List of events — Events are configured in web security rules to let activities happen in addition to the execution of rule actions.
• List of incident IDs — Incident IDs are configured in the criteria of web security rules to identify incidents when measures are
taken for handling them.
• List of operators — Operators are configured in the criteria of web security rules to create meaningful connections between
properties and their values on one side and operands on the other.
• List of properties — Properties are configured in the criteria of web security rules and evaluated in rule processing to
determine whether criteria matches and rules apply.
• List of statistics counters — Statistics counters are configured in the events of web security rules to record the execution of
rule actions.

List of open ports


Several network ports must be open on a firewall if one exists to enable communication between Web Gateway and update
servers and databases outside the local network.
Web Gateway accesses these servers and databases to retrieve information in real time.
The following table lists the ports that are usually open by default. Some ports are, however, configurable. Also, not all inbound
ports might be open by default, depending on your configuration.
Different directions of web traffic are indicated in the table as:
• Inbound — Connection is initiated by a remote system.
• Outbound — Connection is initiated by a local system.
• Bidirectional — Connection can be initiated from both directions.

List of open ports

| Direction | Port | Transport protocol | Application protocol | Destination | Use | Note |
|---|---|---|---|---|---|---|
| Inbound | 22 | TCP | SSH | Local | Admin secure shell | |
| Inbound | 161 | TCP/UDP | SNMP | Local | SNMP | |
| Inbound | 1080 | TCP | SOCKS | Local | SOCKS proxy | |
| Inbound | 1344 | TCP | ICAP | Local | ICAP | |
| Inbound | 2000-20000 | TCP | FTP | Local | Passive FTP data connection | From FTP client to Web Gateway |
| Inbound | 2121 | TCP | FTP | Local | FTP control port | |
| Inbound | 4005 | TCP | IFP | Local | IFP | |
| Inbound | 4711 | TCP | HTTP | Local | Admin interface | Also REST if enabled |
| Inbound | 4712 | TCP | HTTPS | Local | Admin interface | Also REST if enabled |
| Inbound | 4713 | TCP | HTTP | Local | File server | |
| Inbound | 4714 | TCP | HTTPS | Local | File server | |
| Inbound | 5050 | TCP | Yahoo | Local | Yahoo proxy | |
| Inbound | 5190 | TCP | ICQ | Local | ICQ proxy | |
| Inbound | 5222 | TCP | XMPP | Local | XMPP (Jabber) proxy | |
| Inbound | 9090 | TCP | HTTP | Local | HTTP(S) proxy | |
| Inbound | 9393 | TCP | HTTPS | Local | Intel Active System Console | |
| Inbound | 16000-17000 | UDP | | Local | SOCKS-UDP relay | |
| Inbound | 20001-40000 | TCP | FTP | Local | Active FTP data connection | From FTP server to Web Gateway |
| Bidirectional | 520 | UDP | RIP | Your RIP routers | IP routing | |
| Bidirectional | 12346 | TCP | Proprietary | Your Web Gateway appliances | Web Gateway cluster communication | |
| Bidirectional | | IP protocol 47 | GRE | Your Web Gateway appliances and WCCP routers | WCCP and traffic tunneling between Web Gateway cluster nodes | |
| Bidirectional | | IP protocol 89 | OSPF | Your OSPF routers | IP routing | |
| Bidirectional | | IP protocol 112 | VRRP | Your Web Gateway appliances | VIP failover | |
| Bidirectional | | IP protocol 253 | Proprietary | Your Web Gateway appliances | Network-driver cluster communication | |
| Outbound | 21 | TCP | FTP | Arbitrary FTP servers | File transfer protocol | Active and passive |
| Outbound | 25 | TCP | SMTP | Your email server | Email notifications | |
| Outbound | 53 | TCP/UDP | DNS | Your DNS server | Domain name system | |
| Outbound | 80 | TCP | HTTP | appliance1.webwasher.com, appliance2.webwasher.com | System update | |
| Outbound | 80, 443 | TCP | HTTP(S) | Arbitrary HTTP(S) servers | User HTTP(S) traffic | Other ports depending on configuration |
| Outbound | 80, 443 | TCP | HTTP(S) | Update servers (tau.mcafee.com, tau-europe.mcafee.com, tau-usa.mcafee.com, tau-usa1.mcafee.com, tau-usa2.mcafee.com, tau-asia.mcafee.com, mwg-update.mcafee.com), CRL download servers, OCSP requests, telemetry | Centralized Updater | |
| Outbound | 80, 443 | TCP | HTTP(S) | Your customer-maintained subscribed lists servers | Subscribed Lists Manager | |
| Outbound | 80, 443 | TCP | HTTP(S) | Your scheduled-job servers (upload, download) | Scheduled Job Manager | |
| Outbound | 123 | TCP/UDP | NTP | Your NTP servers, ntp.webwasher.com | Time synchronization | |
| Outbound | 162 | TCP/UDP | SNMP | Your SNMP trap sink | SNMP traps | |
| Outbound | 389 | TCP | LDAP | Your directory servers | Directory service and Active Directory | |
| Outbound | 443 | TCP | HTTPS | tunnel.web.trustedsource.org (default, can be configured) | GTI cloud lookups (reputation, categories, geolocation, file reputation) | |
| Outbound | 443 | TCP | HTTPS | tunnel.web.trustedsource.org (default, can be configured) | GTI telemetry (Malicious URL feedback) | |
| Outbound | 514 | TCP/UDP | Syslog | Your syslog servers | Syslog | |
| Outbound | 636 | TCP | LDAP | Your directory servers | Secure directory and Active Directory | |
| Outbound | 1344 | TCP | ICAP | Your ICAP servers | ICAP | |
| Outbound | 2020 (Source) | TCP | FTP | Local | Active FTP data connection | From Web Gateway to FTP client |
| Outbound | 8883 | TCP | DXL | Connection to the DXL broker | Communication between Web Gateway and DXL broker installed on ePO | |
| Outbound | 9111 | TCP | HTTP | | Pushing logs from Web Gateway to CSR | |
| Outbound | 9112 | TCP | HTTPS | | Pushing logs from Web Gateway to CSR | |
| Outbound | 9121 | | FTP | | Pushing logs from Web Gateway to CSR | |
| Outbound | Your proxy ports | TCP | HTTP | Your parent proxies | HTTP proxy | For user traffic and various internal connections (AV update), configured individually |
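As an added check (not part of this guide or of the product), the following Python snippet compares a listener snapshot taken on the appliance with the inbound and bidirectional rows of the table above; the expected port sets are taken from the table, while the ss-style output is a constructed sample. Listeners inside the on-demand FTP and SOCKS-UDP ranges are reported separately, because a persistent listener there is not what the table describes.

```python
# Inbound and bidirectional listeners from the table above (the page's values).
EXPECTED_PORTS = {
    ("tcp", 22), ("tcp", 161), ("udp", 161), ("tcp", 1080), ("tcp", 1344), ("tcp", 2121),
    ("tcp", 4005), ("tcp", 4711), ("tcp", 4712), ("tcp", 4713), ("tcp", 4714),
    ("tcp", 5050), ("tcp", 5190), ("tcp", 5222), ("tcp", 9090), ("tcp", 9393),
    ("udp", 520), ("tcp", 12346),
}
# Ranges the table lists for FTP data and the SOCKS-UDP relay. They are bound on demand,
# so a persistent listener inside them deserves a second look rather than a pass.
DYNAMIC_RANGES = [("tcp", 2000, 20000), ("udp", 16000, 17000), ("tcp", 20001, 40000)]
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample in the column layout of `ss -lntu` (header line removed).
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:4711     0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:9090     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432   0.0.0.0:*
tcp   LISTEN 0      4096   [::]:4712        [::]:*
udp   UNCONN 0      0      0.0.0.0:161      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1812     0.0.0.0:*
"""


def parse_ss(text: str):
    """Yields (proto, local address, port) from ss-style lines; skips anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")   # local address:port column
        if port.isdigit():
            yield fields[0], addr, int(port)


def in_dynamic_range(proto: str, port: int) -> bool:
    return any(p == proto and lo <= port <= hi for p, lo, hi in DYNAMIC_RANGES)


def audit_listeners(text: str) -> dict:
    """Sorts non-loopback listeners into: documented, inside a dynamic range, unexpected."""
    result = {"documented": [], "dynamic_range": [], "unexpected": []}
    for proto, addr, port in parse_ss(text):
        if addr in LOOPBACK:
            continue                      # not reachable from the network
        if (proto, port) in EXPECTED_PORTS:
            result["documented"].append((proto, addr, port))
        elif in_dynamic_range(proto, port):
            result["dynamic_range"].append((proto, addr, port))
        else:
            result["unexpected"].append((proto, addr, port))
    return {kind: sorted(entries) for kind, entries in result.items()}


if __name__ == "__main__":
    for kind, entries in audit_listeners(SAMPLE_SS).items():
        print(kind, entries)
```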

List of actions
The following table provides a list of the actions you can use in rules.

List of actions

| Action | Description |
|---|---|
| Authenticate | Stops processing the rules in the current cycle. Sends an authentication request to the client of the user who requested access to a web object. Continues processing with the next cycle. |
| Block | Blocks access to a requested web object. Stops processing rules. Continues when the next request is received on the appliance. |
| Continue | Continues processing with the next rule. |
| Redirect | Redirects a client that requested access to a web object to another object. |
| Remove | Removes a requested web object. Stops processing the rules in the current cycle. Continues processing with the next cycle. |
| Stop Cycle | Stops processing the rules in the current cycle. Does not block access to a requested web object. Continues processing with the next cycle. |
| Stop Rule Set | Stops processing the rules of the current rule set. Continues processing with the next rule set. |

List of block reason IDs


The following table provides a list of block reason IDs with descriptions of their meanings.
You can configure block reason IDs in user message templates to provide a value that identifies a block reason in a log entry.

List of block reason IDs

| Block reason ID | Description |
|---|---|
| 0 | Allowed |
| 1 | Internal error |
| 2 | Default message template being used for an action |
| 3 | Internal URL filter error |
| 10 | Blocked due to an entry in the URL filter database |
| 14 | Blocked according to URL filtering by expression |
| 15 | Blocked by the Real-Time Classifier |
| 20 | Blocked due to lack of content type |
| 22 | Blocked due to the media type |
| 30 | Blocked due to a multi-part archive having been found |
| 35 | Blocked due to an archive not handled by the Archive Handler |
| 80 | Blocked due to a virus having been found |
| 81 | Blocked due to unauthorized access |
| 82 | Blocked due to a bad request |
| 85 | Blocked due to an internal anti-malware error |
| 92 | Blocked due to expiration of a certificate |
| 93 | Blocked due to a revoked certificate |
| 94 | Blocked due to a forbidden certificate authority (CA) |
| 95 | Blocked due to an unknown certificate authority (CA) |
| 97 | Blocked due to a self-signed certificate |
| 98 | Blocked due to a common name mismatch |
| 102 | Blocked due to an unspecified certificate incident |
| 103 | Blocked due to CONNECT not allowed |
| 104 | Blocked due to the reverse proxy destination not being allowed |
| 140 | Blocked due to an internal DLP filter error |
| 150 | Blocked due to an internal Application Control filter error |
| 151 | Blocked due to a request belonging to an application that is not allowed |
| 160 | Blocked due to missing policy for Web Hybrid |
| 161 | Blocked due to web access not being allowed by Web Hybrid |
| 162 | Blocked due to URL filtering by Web Hybrid |
| 200 | Blocked due to the coaching session of a user having been exceeded |
| 201 | Blocked due to the time quota session of a user having been exceeded |
| 202 | Blocked due to the time quota for a user having been exceeded |
| 203 | Blocked due to the volume quota session of a user having been exceeded |
| 204 | Blocked due to the volume quota for a user having been exceeded |
| 205 | Blocked due to the authorized override session of a user having been exceeded |
| 206 | Blocked due to the blocking session of a user being active |
| 300 | Blocked due to a quota redirect |
| 301 | Blocked due to an authentication redirect |
| 400 | Blocked due to an authorized override redirect |

List of error IDs


The following table provides a list of the error IDs you can use in rules.
The error IDs are grouped in numerical ranges as follows.


10000–10049 Incorrect usage of properties or events

10050–10099 Errors of the rule processing module

10100–10199 General errors

11000–11999 License Manager errors

12000–12999 Errors related to the appliance system

13000–13999 Persistent Database (PDStore) errors

14000–14999 Virus and malware filtering errors

15000–15999 URL filtering errors

16000–16999 ICAP client errors

20000–21000 Proxy module errors

25000–25999 External lists errors

26000–26999 Data loss prevention (DLP) errors

32000–32999 Cloud storage encryption errors

34000–34999 Single sign-on errors

35000–35999 DXL errors

List of error IDs

| Error ID | Name | Description |
|---|---|---|
| 10000 | WrongPropParams | $onPosition$: Wrong parameters or types for property $propName$. |
| 10001 | UnknownProperty | $onPosition$: Error in rule '$ruleName$': Property dispatcher does not know property $propName$. |
| 10002 | NoPropParam | $onPosition$: No parameter for property $propName$ given. |
| 10003 | WrongThirdPropParam | $onPosition$: Wrong type of third parameter for property $propName$. |
| 10004 | InvalidPropertyParameter | $onPosition$: Parameters for property $propName$ are invalid, reason: $reason$. |
| 10005 | InvalidPropertyParameter2 | Parameters are invalid. Reason: $reason$. |
| 10005 | UnknownProperty2 | $onPosition$: Unknown property $propName$. |
| 10007 | UnknownFunc | $onPosition$: Unknown function $funcName$. Details: $reason$. |
| 10050 | WrongOperator | $onPosition$: Error in rule '$ruleName$': wrong operator '$operator$' used on left hand side type $typeLeft$ and right hand side type $typeRight$. |
| 10051 | WrongOperatorNoNames | $onPosition$: $action$ failed. Type of $property$ is $typeName$, but it has to be $formatType$. |
| 10052 | FormatError | $onPosition$: User-defined property '$propName$' could not be found. Reason: it was not yet set (not initialized). |
| 10053 | UserDefinedPropertyNotFound | $onPosition$: User-defined property '$propName$' could not be found. Reason: it was not yet set (not initialized). |
| 10054 | PropertyNotFound | $onPosition$: Property '$propName$' could not be found. Reason: it was not yet set (not initialized). |
| 10055 | NeedMoreDataOnLastCall | On computing property '$propName$' the filter returned 'NeedMoreData' though there is no more data. |
| 10056 | WrongPropState | $onPosition$: State of Property $propName$ is $propState$. |
| 10057 | ZombieRuleElemIsExecuted | $rule$ (name: '$name$', id: '$id$') could not be executed because it is a zombie. Reason: '$reason$'. |
| 10058 | SetPropertyFailed | $onPosition$: Error in Rule '$ruleName$': Event could not be evaluated. Reason: $reason$. |
| 10059 | EventError | $onPosition$: Error while $operation$ the $objName$. Reason: $reason$. |
| 10100 | ErrorDuringOperation | $onPosition$: Error while $operation$ the $objName$. Reason: $reason$. |
| 10101 | InitializeFailed | $onPosition$: Could not initialize/create $objName$. Reason: $reason$. |
| 11000 | NoLicense | The requested functionality '$func$' is not covered by your license. |
| 12000 | CannotOpenPipe | Cannot open pipe. |
| 12001 | CannotOpenFile | Cannot open file '$name$' in mode '$mode$' with errno '$errno$'. |
| 13000 | NoUser | No user available. |
| 14000 | AVError | Error in AntivirusFilter: $reason$. |
| 14001 | AVScanFailedFull | Cannot call McAfee Gateway Anti-Malware engine. All connections in use. |
| 14002 | AVError | Internal error in Anti-Malware filter. Note: As the IDs of error messages are used in the rules for error handling, you need to adapt these rules on your appliance to account for the new error messages and IDs (14003, 14004, 14005) that were introduced with McAfee Web Gateway version 7.3. The library rule set for error handling has been adapted to fit in with the new messages and IDs. |
| 14003 | AVError | Timeout occurred while filtering. Note: See also the note on error message 14002. |
| 14004 | AVError | Cannot filter because a special update is performed. Note: See also the note on error message 14002. |
| 14005 | AVError | Scanning failed. Note: See also the note on error message 14002. |
| 14010 | ATDError | Communication failed. Communication to a server that Advanced Threat Defense runs on failed. |

This can be due to several reasons, including network problems
(the server is offline, a request timed out), to an issue with the
HTTP protocol, or ton an unexpected or malformed server reply.

14011 ATDError Timeout occurred while filtering.


Advanced Threat Defense took longer to scan a web object than is
allowed according to the configured time.
The time allowed by default is 10 minutes.

14012 ATDError File cannot be scanned.


Advanced Threat Defense was not able to scan a web object.
In the scanning report that is returned by Advanced Threat
Defense, the value for Severity is set to N/A.

14013 ATDError Background scan not started in time.


Advanced Threat Defense was not started in time for scanning a
web object.
This error occurs if the Antimalware.MATD.InitBackgroundScan
property is not evaluated before the configured timeout has
elapsed.
The most likely reason for this evaluation failure error is that the
MATD - Handle Offline Scan rule set has been deleted or is
disabled or has not been placed in a proper position within the
rule sets tree.

14014 ATDError Invalid parameters in internal request for background scan.


An internal request for passing on a web object to Advanced
Threat Defense contained invalid parameters.
This error occurs if the Antimalware.MATD.IsBackgroundScan
property is evaluated and invalid parameters are detected in the
internal request.
The most likely reason for these invalid parameters to appear is
that someone tried to simulate an internal request.

14015 ATDError Already in background scan.


The scanning process was already started for a web object that
had been passed on to Advanced Threat Defense when another
request for scanning the same object was submitted.
This error occurs if the Antimalware.MATD.InitBackgroundScan
property is evaluated in the course of processing a scanning
request and another request regarding the same object is
received at the same time.

McAfee Web Gateway 8.0.x Interface Reference Guide 205


15000 TSDatabaseExpired
    Global Threat Intelligence system database expired error: Database is expired. '$desc$'.

15001 TSInvalidURL
    The URL '$url$' is invalid. In function $func$.

15002 TSBinaryNotProperlyLoaded
    Binary could not be loaded from '$path$'. In function $func$.

15003 TSCommon
    Global Threat Intelligence system error (code: $errorCode$). In function $func$.

15004 TSBinaryDoesNotExist
    Global Threat Intelligence system library is not yet available. In function $func$.

15005 TSDatabaseNotProperlyLoaded
    Database was not properly loaded. In function $func$.

15006 TSNoMem
    Global Threat Intelligence system is out of memory. In function $func$.

15007 TSInsufficientSpace
    Insufficient space in buffer for Global Threat Intelligence system. In function $func$.

15008 TSNetLookup
    Global Threat Intelligence system net error (code: TS_NET_ERROR). In function $func$.

15009 TSCommonNetLookup
    Global Threat Intelligence system net error (code: $errorCode$). In function $func$.

15010 TSPipe
    Cannot open Global Threat Intelligence system pipe. In function $func$.

16000 NoICAPServerAvailable
    No ICAP server available from list: $list$.

16001 NoRespModPropInReqMod
    Property $propName$ cannot be calculated in request cycle.

16002 ICAPBadResponse
    ICAP client filter error: ICAP server sent bad response.

16003 ICAPMaxConnectionLimit
    ICAP client filter error: Maximum number of connections reached.

16004 ICAPCannotConnectToServer
    ICAP client filter error: Cannot connect to ICAP server.

16005 ICAPCommunicationFailure
    ICAP client filter error: Failure in communication with ICAP server.

16006 ICAPSCertVerifyFailure
    SSL certificate verification failure with ICAP server: $server IP$

20000 CheckLongRunningConnection
    A timeout occurred on a long-running connection.

20001 CheckSizeOfConnection
    The maximum amount of data that can be sent on a long-running connection has been exceeded.

25000 Unknown error happened
    An uncategorized error was encountered by the External Lists module.

25001 Error during data fetch
    An uncategorized error was encountered by the External Lists module during the data fetch.

25002 Error during data conversion
    An error occurred while external list data was converted.

25003 Too much data
    The configured limit for the number of list entries that can be retrieved from an external source has been exceeded.


25004 Timeout during data fetch
    The configured timeout for retrieving external list data has expired.

25005 Data access denied
    The rights required for accessing a source of external list data have not been granted to the appliance.

25006 No such resource
    A source of external list data, for example, a file or web server, could not be found.

26001 DLP engine not loaded
    The DLP engine could not be loaded.

27001 AppRisk database not available
    The AppRisk database is not available for filtering web traffic.

32002 Empty password is not allowed
    An empty password was submitted, for example, when passwords were retrieved from an external data source.

32003 Invalid configuration for filter
    The settings of the module for encryption and decryption are invalid. This error occurs very rarely. It could be caused by a general issue with policy configuration on Web Gateway.

32004 Encryption failed: Unknown content type
    Data could not be encrypted because it was of an unknown type. This could be caused by an invalid description for a cloud storage service.

32005 Encryption failed: Parsing of message body failed
    The data sent in the body of an upload request is in multipart/form-data format. Parsing this type of data, which is required for encryption, is not supported on Web Gateway.

32006 Encryption failed: Fetching of file name failed
    The name of a file containing data that should be encrypted could not be fetched.

32007 Encryption failed: Cipher NNNN is not supported
    The cipher that is provided for encrypting data is invalid. This is very unlikely to happen, as the administrator selects the encryption cipher from a pre-configured list.

32008 Encryption failed: Generation of salt failed
    The process of salt generation, which is required for encrypting data, could not be performed successfully. This is usually caused by an internal OpenSSL error.

32009 Encryption failed: Fetching of key failed
    The key that is required for encrypting data could not be fetched.

32010 Encryption failed: Initialization of encryption failed
    The encryption process could not be initialized.

32011 Encryption failed: Data encryption failed
    An error occurred during the encryption process.

32012 Encryption failed: Finalization of decryption failed
    The encryption process could not be completed.

32013 Encryption failed: Generic error
    Other encryption-related error.

32014 Decryption failed: Unknown content type
    Data could not be decrypted because it was of an unknown type. This could be caused by an invalid description for a cloud storage service.


32015 Decryption failed: Multi-part message body is not supported
    A cloud storage service sent data in the body of its response to a download request that is in multipart/form-data format. Decrypting this type of data is not supported on Web Gateway.

32016 Decryption failed: Cipher NNNN is not supported
    The cipher that is provided for decrypting data is invalid. This is very unlikely to happen, as the administrator selects the decryption cipher from a pre-configured list.

32017 Decryption failed: Fetching of key failed
    The key that is required for decrypting data could not be fetched.

32018 Decryption failed: Initialization of decryption failed
    The decryption process could not be initialized.

32019 Decryption failed: Data decryption failed
    An error occurred during the decryption process.

32020 Decryption failed: Finalization of decryption failed
    The decryption process could not be completed.

32021 Decryption failed: Generic error
    Other decryption-related error.

34000 Generic SSO filter error
    An error happened during the single sign-on process. Reason: 'General error...'

34001 Generic SSO filter error
    A user tried to get single sign-on access using a non-existing cloud connector. Reason: 'No such connector'

34003 Generic SSO filter error
    No cloud connector was configured for the single sign-on process. Reason: 'There is no connector catalog'

34004 SSO service mismatch error
    The value for a token did not match the value that was stored in a cloud connector: Service mismatch. Token ID: '$tokenid$', Service ID: '$serviceid$'

34005 SSO service not enabled
    A cloud application was not available for a user: Realm: '$realm$', user: '$userid$', service ID: '$serviceid$'.

34006 SSO non-inline mode error
    A cloud application was not available in the non-proxy (non-inline) mode of the single sign-on process: Service ID: '$serviceid$'

34050 Credential store generic error
    See the error log for details.

34051 Credential store generic error
    This request is not allowed for the current user.

34052 Credential store generic error
    The credential store request could not be created.

34060 Credential store server HTTP error
    The credential store server responded to a request with an HTTP error. See the error log for details.

34070 Credential store server error
    The credential store server responded with an error. See the error log for details. The log includes the error code returned by the credential store server.

34080 Credential store connection error
    A credential store request failed because of a connection error. See the error log for details.

34090 Credential store request error
    An internal error occurred while a credential store request was performed. See the error log for details.


35000 DXLNotAvailable
    No DXL messages can currently be sent.

37002 Generic application filtering error
    A generic error occurred in application filtering. See the error log for details.

List of events
The following table provides a list of the events you can use in rules.

Name Description Parameters

Authentication.AddMethod
    Adds an authentication method.
    Parameters:
    1. String: Name of an authentication method
    2. String: Value for an authentication method
    3. Boolean: If true, an existing method is overwritten.

Authentication.ClearCache
    Clears the cache.

Authentication.ClearMethodList
    Clears the authentication methods list.

Authentication.ClearNTLMCache
    Clears the NTLM cache.

Authentication.GenerateICEResponse
    Generates a token that is sent in response to McAfee Cloud Identity Manager to enable seamless authentication.

Authentication.SendOTP
    Sends a one-time password to an authenticated user.

Bandwidth.FromClient
    Limits the speed of data transfer from a client to the appliance.
    Parameter: String: Name of bandwidth class

Bandwidth.FromServer
    Limits the speed of data transfer from a web server to the appliance.
    Parameter: String: Name of bandwidth class

Bandwidth.ToClient
    Limits the speed of data transfer from the appliance to a client.
    Parameter: String: Name of bandwidth class

Bandwidth.ToServer
    Limits the speed of data transfer from the appliance to a web server.
    Parameter: String: Name of bandwidth class

BlockingSession.Activate
    Activates a blocking session.

Body.Insert
    Inserts a string into the body of the request or response that is currently processed.
    Parameters:
    1. Number: Byte position where insertion begins
    2. String: Pattern, either
       a. a string embedded in double quotes ("...", can also contain hex values preceded by \), or
       b. a sequence of hex values

Body.Remove
    Removes a number of bytes from the body of the request or response that is currently processed.
    Parameters:
    1. Number: Byte position where the removal begins
    2. Number: Number of bytes to remove

Body.Replace
    Replaces a portion of the body of the request or response that is currently processed with a string.
    Parameters:
    1. Number: Byte position where replacement begins
    2. String: Pattern, either
       a. a string embedded in double quotes ("...", can also contain hex values preceded by \), or
       b. a sequence of hex values

Body.ToFile
    Writes the body of the request or response that is currently processed to the specified file.
    The file is stored in the directory /opt/mwg/log/debug/BodyFilterDumps.
    The body is written to the file only after it has been completely loaded, even if the Body.ToFile event occurred when only one or more chunks of the body had been loaded.
    To prevent the stored files from filling up the hard disk of an appliance, enable their auto-deletion on the user interface under Configuration → <appliance> → Log File Manager → Advanced.
    Parameter: String: Name of the file that the body is written to
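The pattern syntax and byte-offset semantics shared by Body.Insert, Body.Remove and Body.Replace, modeled as an added example. This is not Web Gateway code: the function names, the escape handling inside a quoted pattern (backslash plus two hex digits gives one raw byte; backslash before a quote or backslash gives that character) and the treatment of Body.Replace as an overwrite of exactly as many bytes as the pattern supplies are assumptions made here, since the guide only states that a quoted pattern may contain hex values preceded by a backslash or may be a bare hex sequence.

```python
"""Added example (not McAfee Web Gateway code): a small model of the
Body.Insert, Body.Remove and Body.Replace events.

Assumptions not confirmed by the reference guide:
- inside a double-quoted pattern, a backslash followed by two hex digits
  denotes one raw byte, and a backslash followed by '"' or '\\' denotes
  that literal character;
- a bare (unquoted) pattern is a run of hex digit pairs, optionally
  separated by spaces or colons;
- Body.Replace overwrites as many bytes as the pattern yields.
"""
import re
from typing import Tuple

_HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_pattern(pattern: str) -> bytes:
    """Turn a Body.* pattern argument into the raw bytes it denotes."""
    text = pattern.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        inner = text[1:-1]
        out = bytearray()
        i = 0
        while i < len(inner):
            ch = inner[i]
            if ch == "\\":
                nxt = inner[i + 1:i + 3]
                if _HEX_PAIR.match(nxt):          # \0d -> byte 0x0d
                    out.append(int(nxt, 16))
                    i += 3
                    continue
                if i + 1 < len(inner) and inner[i + 1] in '"\\':
                    out.append(ord(inner[i + 1]))  # escaped quote/backslash
                    i += 2
                    continue
                raise ValueError(f"bad escape at offset {i} in {pattern!r}")
            out.extend(ch.encode("utf-8"))
            i += 1
        return bytes(out)
    # Bare hex sequence such as "0d0a", "0d 0a" or "0d:0a".
    digits = re.sub(r"[\s:]", "", text)
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError(f"not a hex sequence: {pattern!r}")
    return bytes.fromhex(digits)


def _check_pos(body: bytes, pos: int) -> None:
    """Offsets are byte positions into the loaded body; past-the-end is an error."""
    if pos < 0 or pos > len(body):
        raise IndexError(f"position {pos} outside body of {len(body)} bytes")


def body_insert(body: bytes, pos: int, pattern: str) -> bytes:
    """Body.Insert: insert the pattern bytes at byte offset pos."""
    _check_pos(body, pos)
    return body[:pos] + parse_pattern(pattern) + body[pos:]


def body_remove(body: bytes, pos: int, count: int) -> bytes:
    """Body.Remove: drop count bytes starting at byte offset pos."""
    _check_pos(body, pos)
    if count < 0 or pos + count > len(body):
        raise IndexError("removal range runs past end of body")
    return body[:pos] + body[pos + count:]


def body_replace(body: bytes, pos: int, pattern: str) -> bytes:
    """Body.Replace: overwrite bytes at pos with the pattern bytes (assumed length)."""
    _check_pos(body, pos)
    new = parse_pattern(pattern)
    return body[:pos] + new + body[pos + len(new):]


# Constructed sample body for the example, not captured traffic.
SAMPLE_BODY = b"<html><body>Hello</body></html>"


def demo() -> Tuple[bytes, bytes, bytes]:
    """Apply one event of each kind at offset 12 (the 'H' of 'Hello')."""
    inserted = body_insert(SAMPLE_BODY, 12, '"<!-- scanned -->\\0d\\0a"')
    removed = body_remove(SAMPLE_BODY, 12, 5)
    replaced = body_replace(SAMPLE_BODY, 12, "48 45 4c 4c 4f")
    return inserted, removed, replaced


if __name__ == "__main__":
    for label, value in zip(("insert", "remove", "replace"), demo()):
        print(f"{label:8s} {value!r}")
```

Positions are byte offsets into the body as loaded, not character offsets, so for multibyte charsets the bytes you insert must match the body's encoding; the model rejects an offset beyond the end instead of silently appending.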

CloudEncryption.Encrypt
    Performs the encryption of cloud storage data using the encryption algorithm configured in the settings and the password specified as a parameter of the event.
    This event can be triggered several times with different settings and passwords, so encryption is also performed several times.

CloudEncryption.Decrypt
    Performs the decryption of data using the decryption algorithm specified in the settings and the password specified as a parameter of the event.
    This event can be triggered several times with different settings and passwords, so decryption is also performed several times.
    The order of calls to this event should be the reverse of the calls to the encryption event.

Connection.Mark
    Sets a connection mark.
    Parameter: Number: Number of a connection

Discard.RuleEngine.Trace
    Deletes a rule trace that has been generated by rule tracing on Web Gateway.
    The event can be used in a suitable rule to discard traces that are filtered according to particular rule criteria. For example, if a trace has been generated for a request that required less than ten seconds processing time, this trace can be considered not worthwhile storing and therefore be discarded. The Timer.TimeInTransaction property can be used in a rule like this to filter rule traces.
    The rule might be placed in a nested rule set of the Log Handler rule set that takes final position in this nesting rule set.
    Using the event in this way allows you to store rule traces with a focus on traces that are considered relevant.

DSCP.Mark.Request
    Sets a field in the IP header. This field is the DSCP field. Setting this header is also known as flagging.
    The header can be evaluated by network devices supporting DSCP (Differentiated Services Code Point) for directing data packets sent from Web Gateway to a requested web server. Load balancing can, for example, be performed this way.
    The header can only be set for requests that are sent over an HTTP or HTTPS connection.
    Setting the header also works for tunneled SSL connections. It can be set here immediately after the CONNECT part of the process has completed.
    The value that the header is set to can be a number ranging from 0 to 63.
    Note: When using this header in configuring Web Gateway and connected network devices, be sure not to impact existing routes or connections.
    When multiple requests are sent to a web server over the same connection, a header value that is set at any point within the processing cycle, for example, after the CONNECT or CERTVERIFY part of this cycle, will be used for directing the data packets of all following requests. So, when using the header, for example, in a rule for handling streaming media, setting the header inappropriately might lead to directing data packets in a way that throttles the connection.
    Parameter: Number: Value of the header field

DSCP.Mark.Response
    Sets a field in the IP header. This field is the DSCP field. Setting this header is also known as flagging.
    The header can be evaluated by network devices supporting DSCP (Differentiated Services Code Point) for directing data packets sent back in response from Web Gateway to a client. Load balancing can, for example, be performed this way.
    The header can only be set for responses that are sent over an HTTP or HTTPS connection.
    Setting the header also works for tunneled SSL connections. It can be set here immediately after the CONNECT part of the processing cycle has completed.
    The value that the header is set to can be a number ranging from 0 to 63.
    Note: When using this header in configuring Web Gateway and connected network devices, be sure not to impact existing routes or connections.
    When multiple responses are sent back to a client over the same connection, a header value that is set at any point within the processing cycle will be used for directing the data packets of all following responses. The same connection is, for example, used when persistent client connections have been configured.
    Also ACP packets requiring a longer processing time, or buffered data packets from previously used connections that still exist in the TCP buffer, might use a header value even if it has been set at a later point in the processing cycle.
    Parameter: Number: Value of the header field
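What the 0 to 63 value given to DSCP.Mark.Request and DSCP.Mark.Response becomes on the wire, as an added example that is not Web Gateway code: the six-bit DSCP occupies the upper bits of the IPv4 DS field (the byte right after the version/IHL byte, formerly the TOS byte) and the lower two bits carry ECN. The helper names and the constructed header below are this example's own, not anything the appliance exposes.

```python
"""Added example, not McAfee Web Gateway code: how the DSCP value (0..63)
set by DSCP.Mark.Request / DSCP.Mark.Response is encoded in an IPv4 header,
and how to read it back from a captured header when checking that a
downstream device sees the mark you configured.
"""
import ipaddress
import struct

# Well-known codepoints, for reference (RFC 2474, RFC 2597, RFC 3246).
DSCP_NAMES = {0: "CS0 (default)", 10: "AF11", 18: "AF21", 26: "AF31",
              34: "AF41", 46: "EF"}


def is_valid_dscp(dscp: int) -> bool:
    """The appliance accepts 0..63; anything else does not fit in six bits."""
    return 0 <= dscp <= 63


def ds_field_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Return the DS byte for a DSCP value: DSCP in bits 7..2, ECN in bits 1..0."""
    if not is_valid_dscp(dscp):
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    if not 0 <= ecn <= 3:
        raise ValueError(f"ECN must be 0..3, got {ecn}")
    return (dscp << 2) | ecn


def dscp_from_ipv4_header(header: bytes) -> int:
    """Read the DSCP value out of the first 20 bytes of an IPv4 header."""
    if len(header) < 20:
        raise ValueError("need at least 20 header bytes")
    version_ihl, ds = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ds >> 2


def build_ipv4_header(dscp: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (protocol TCP, checksum left 0).

    Constructed for this example, not a packet captured from an appliance.
    """
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                        # version 4, IHL 5 (20 bytes)
        ds_field_from_dscp(dscp),    # DS field: DSCP << 2 | ECN
        20 + payload_len,            # total length
        0, 0,                        # identification, flags/fragment offset
        64, 6, 0,                    # TTL, protocol (6 = TCP), checksum unset
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def describe(dscp: int) -> str:
    """Human-readable form, e.g. 'DSCP 46 (EF) -> DS byte 0xb8'."""
    name = DSCP_NAMES.get(dscp, "unnamed")
    return f"DSCP {dscp} ({name}) -> DS byte 0x{ds_field_from_dscp(dscp):02x}"


if __name__ == "__main__":
    hdr = build_ipv4_header(46, "10.0.0.1", "203.0.113.10")
    print(describe(46))
    print("read back from header:", dscp_from_ipv4_header(hdr))
```

When verifying a mark in a capture, compare the DS byte, not the whole TOS value: a router that rewrites ECN leaves the DSCP bits intact, and a DS byte of 0xb8 is DSCP 46 (EF) with ECN 0.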

DXL.Event
    Sends a DXL message with information about a web security topic to the subscribers.
    Parameters:
    1. String: Topic to send information about
    2. String: Information to send about topic

Email.Send
    Sends an email.
    Parameters:
    1. String: Recipient
    2. String: Subject
    3. String: Body

Enable Cache
    Enables the web cache.
    Using this event, web objects from traffic going on under HTTP or HTTPS can be cached. An event setting can be configured to enable caching for either of the two protocols. Default is HTTP. HTTP2 is not supported.
    Rules that use this event must specify the protocol that caching is configured for in their criteria.
    To increase the hit rate, the isssl and X-Forwarded-Proto request headers are ignored. The Accept-Encoding header is also ignored if the requested content can be extracted on Web Gateway.
    The default cache key is the URL for a web object with the protocol name added. An additional cache key can be configured using the Cache.AdditionalKey property in a rule.
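The cache-key behaviour described for Enable Cache, as an added example that is not part of the reference guide or of the appliance's implementation: the key layout, the header normalisation, the function names and the `extractable` flag are assumptions made here to show which request differences do and do not produce separate cache entries.

```python
"""Added example (not McAfee Web Gateway code): a model of the cache key
described for the Enable Cache event. The default key is the URL with the
protocol name added; isssl and X-Forwarded-Proto never influence it,
Accept-Encoding is ignored when the content can be extracted, and
Cache.AdditionalKey extends the key. Key layout and names are assumed.
"""
from typing import Dict, Optional

# Request headers that, per the reference guide, never reach the cache key.
_IGNORED_HEADERS = {"isssl", "x-forwarded-proto"}


def cache_key(protocol: str, url: str, headers: Dict[str, str],
              extractable: bool, additional_key: Optional[str] = None) -> str:
    """Return the key under which this request's response would be cached.

    protocol: "http" or "https", the protocol caching was enabled for.
    extractable: True when the appliance can decode the content itself, in
    which case Accept-Encoding is ignored as well.
    """
    proto = protocol.lower()
    if proto not in ("http", "https"):
        raise ValueError("caching is only supported for HTTP and HTTPS")
    parts = [proto, url]
    norm = {k.lower(): v for k, v in headers.items()
            if k.lower() not in _IGNORED_HEADERS}
    # Assumption: when the content cannot be extracted, Accept-Encoding is
    # part of the key so a gzip body is not served to a client that sent
    # no Accept-Encoding.
    if not extractable and "accept-encoding" in norm:
        encodings = sorted(t.strip() for t in norm["accept-encoding"].split(","))
        parts.append("ae=" + ",".join(encodings))
    if additional_key:
        parts.append("add=" + additional_key)
    return "|".join(parts)


def same_cache_entry(a: dict, b: dict) -> bool:
    """True when two requests (dicts of cache_key keyword arguments) share one entry."""
    return cache_key(**a) == cache_key(**b)


# Constructed requests for the example, not captured traffic.
REQ_PLAIN = {"protocol": "http", "url": "http://example.com/app.js",
             "headers": {"Accept-Encoding": "gzip"}, "extractable": True}
REQ_FORWARDED = {"protocol": "http", "url": "http://example.com/app.js",
                 "headers": {"Accept-Encoding": "gzip",
                             "X-Forwarded-Proto": "https", "isssl": "1"},
                 "extractable": True}
REQ_PER_USER = dict(REQ_PLAIN, additional_key="user=alice")

if __name__ == "__main__":
    print("plain vs forwarded share an entry:", same_cache_entry(REQ_PLAIN, REQ_FORWARDED))
    print("plain vs per-user share an entry:", same_cache_entry(REQ_PLAIN, REQ_PER_USER))
```

Because isssl and X-Forwarded-Proto never reach the key, a response cached for a request without them is served to a later request that carries them. If a rule varies content per client or per scheme on those headers, put the deciding value into Cache.AdditionalKey instead of relying on the header to separate the entries.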

Enable CompositeOpener
    Enables the composite opener.

Enable Data Trickling
    Enables data trickling.

Enable FTP Upload Progress Indication
    Enables the sending of responses to an FTP client, stating that processing of a file that has been sent for uploading to the web is still in progress.
    This is intended to prevent a timeout on the FTP client when processing on Web Gateway takes more time, for example, due to scanning the file that should be uploaded for infections by viruses and other malware.

Enable HTML Opener
    Enables the HTML opener.

Enable Media Stream Scanner
    Enables the Media Stream Scanner, which is provided by the McAfee Gateway Anti-Malware engine.

Enable Next Hop Proxy
    Enables use of next-hop proxies.

Enable Outbound Source IP Override
    Enables the replacement of different outbound source IP addresses by a single IP address.
    Parameter: List of string: List of IP addresses, in string format, for replacing other IP addresses

Enable Progress Page
    Enables display of a progress page.

Enable RuleEngine Tracing
    Enables tracing of the activities that are completed by the rule processing module (rule engine).

Enable SSL Client Context with CA
    Enables sending of client certificates issued by a certificate authority.

Enable SSL Client Context without CA
    Enables sending of client certificates not issued by a certificate authority.

Enable SSL Scanner
    Enables the module for SSL scanning.

Enable SafeSearchEnforcer
    Enables the SafeSearchEnforcer.

Enable Proxy Control
    Enables proxy control.

FileSystemLogging.WriteDebugEntry
    Writes a debugging entry.
    Parameters:
    1. String: Debugging entry
    2. Boolean: If true, entry is written to stdout.

FileSystemLogging.WriteLogEntry
    Writes an entry into a log.
    Parameter: String: Log entry

HTMLElement.InsertAttribute
    Inserts an attribute into an HTML element.
    Parameters:
    1. String: Attribute name
    2. String: Attribute value

HTMLElement.RemoveAttribute
    Removes an attribute from an HTML element.
    Parameter: String: Attribute name


HTMLElement.SetAttributeValue
    Sets an attribute to a value.
    Parameters:
    1. String: Attribute name
    2. String: Value to set attribute to

Header.Add
    Adds a header to a request or response.
    Parameters:
    1. String: Header name
    2. String: Header value

Header.AddMultiple
    Adds a header with a list of values to a request or response.
    Parameters:
    1. String: Header name
    2. List of string: List of header values

Header.Block.Add
    Adds a block header to a request or response.
    Parameters:
    1. String: Header name
    2. String: Header value

Header.Block.AddMultiple
    Adds a block header with a list of values to a request or response.
    Parameters:
    1. String: Header name
    2. List of string: List of header values

Header.Block.RemoveAll
    Removes all block headers with a given name from a request or response.
    Parameter: String: Header name

Header.ICAP.Response.Add
    Adds a header to an ICAP response.
    Parameters:
    1. String: Header name
    2. String: Header value

Header.ICAP.Response.AddMultiple
    Adds a header with a list of values to an ICAP response.
    Parameters:
    1. String: Header name
    2. List of string: List of header values

Header.ICAP.Response.RemoveAll
    Removes all headers with a given name from an ICAP response.
    Parameter: String: Header name

Header.RemoveAll
    Removes all headers with a given name from a request or response.
    Parameter: String: Header name

Header.Response.Add
    Adds a header to the page generated by a block action.

HTTP.GenerateResponse
    Generates a response to the request made in the request cycle.
    Parameter: String: Response body

HTTP.SetStatus
    Sets the HTTP status code at the end of the response cycle.
    Parameter: Number: HTTP status code

ICAP.AddRequestInformation
    Adds information to an ICAP request.
    Parameters:
    1. String: Name of the request
    2. String: Added information

MediaType.Header.FixContentType
    Replaces a media type header with an appropriate header when it is found after inspection of the media body that the original header does not match the body.

Notice
    Writes an entry with notice level into syslog.
    Parameter: String: Log entry

PDStorage.AddGlobalData.Bool
    Adds a global variable of type Boolean.
    Parameters:
    1. String: Variable key
    2. Boolean: Variable value

PDStorage.AddGlobalData.Category
    Adds a global variable of type Category.
    Parameters:
    1. String: Variable key
    2. Category: Variable value

PDStorage.AddGlobalData.Dimension
    Adds a global variable of type Dimension.
    Parameters:
    1. String: Variable key
    2. Dimension: Variable value

PDStorage.AddGlobalData.Hex
    Adds a global variable of type Hex.
    Parameters:
    1. String: Variable key
    2. Hex: Variable value

PDStorage.AddGlobalData.IP
    Adds a global variable of type IP.
    Parameters:
    1. String: Variable key
    2. IP: Variable value

PDStorage.AddGlobalData.IPRange
    Adds a global variable of type IPRange.
    Parameters:
    1. String: Variable key
    2. IPRange: Variable value

PDStorage.AddGlobalData.List.Category
    Adds a global variable of type List of Category.
    Parameters:
    1. String: Variable key
    2. List of Category: Variable value

PDStorage.AddGlobalData.List.Dimension
    Adds a global variable of type List of Dimension.
    Parameters:
    1. String: Variable key
    2. List of Dimension: Variable value

PDStorage.AddGlobalData.List.Hex
    Adds a global variable of type List of Hex.
    Parameters:
    1. String: Variable key
    2. List of Hex: Variable value

PDStorage.AddGlobalData.List.IP
    Adds a global variable of type List of IP.
    Parameters:
    1. String: Variable key
    2. List of IP: Variable value

PDStorage.AddGlobalData.List.IPRange
    Adds a global variable of type List of IPRange.
    Parameters:
    1. String: Variable key
    2. List of IPRange: Variable value


PDStorage.AddGlobalData.List.MediaType
    Adds a global variable of type List of MediaType.
    Parameters:
    1. String: Variable key
    2. List of MediaType: Variable value

PDStorage.AddGlobalData.List.Number
    Adds a global variable of type List of Number.
    Parameters:
    1. String: Variable key
    2. List of Number: Variable value

PDStorage.AddGlobalData.List.String
    Adds a global variable of type List of String.
    Parameters:
    1. String: Variable key
    2. List of String: Variable value

PDStorage.AddGlobalData.List.Wildcard
    Adds a global variable of type List of Wildcard Expression.
    Parameters:
    1. String: Variable key
    2. List of Wildcard Expression: Variable value

PDStorage.AddGlobalData.MediaType
    Adds a global variable of type MediaType.
    Parameters:
    1. String: Variable key
    2. MediaType: Variable value

PDStorage.AddGlobalData.Number
    Adds a global variable of type Number.
    Parameters:
    1. String: Variable key
    2. Number: Variable value

PDStorage.AddGlobalData.String
    Adds a global variable of type String.
    Parameters:
    1. String: Variable key
    2. String: Variable value

PDStorage.AddGlobalData.Wildcard
    Adds a global variable of type Wildcard Expression.
    Parameters:
    1. String: Variable key
    2. Wildcard Expression: Variable value

PDStorage.AddUserData.Bool
    Adds a user variable of type Boolean.
    Parameters:
    1. String: Variable key
    2. Boolean: Variable value

PDStorage.AddUserData.Category
    Adds a user variable of type Category.
    Parameters:
    1. String: Variable key
    2. Category: Variable value

PDStorage.AddUserData.Dimension
    Adds a user variable of type Dimension.
    Parameters:
    1. String: Variable key
    2. Dimension: Variable value

PDStorage.AddUserData.Hex
    Adds a user variable of type Hex.
    Parameters:
    1. String: Variable key
    2. Hex: Variable value


PDStorage.AddUserData.IP
    Adds a user variable of type IP.
    Parameters:
    1. String: Variable key
    2. IP: Variable value

PDStorage.AddUserData.IPRange
    Adds a user variable of type IPRange.
    Parameters:
    1. String: Variable key
    2. IPRange: Variable value

PDStorage.AddUserData.List.Category
    Adds a user variable of type List of Category.
    Parameters:
    1. String: Variable key
    2. List of Category: Variable value

PDStorage.AddUserData.List.Dimension
    Adds a user variable of type List of Dimension.
    Parameters:
    1. String: Variable key
    2. List of Dimension: Variable value

PDStorage.AddUserData.List.Hex
    Adds a user variable of type List of Hex.
    Parameters:
    1. String: Variable key
    2. List of Hex: Variable value

PDStorage.AddUserData.List.IP
    Adds a user variable of type List of IP.
    Parameters:
    1. String: Variable key
    2. List of IP: Variable value

PDStorage.AddUserData.List.IPRange
    Adds a user variable of type List of IPRange.
    Parameters:
    1. String: Variable key
    2. List of IPRange: Variable value

PDStorage.AddUserData.List.MediaType
    Adds a user variable of type List of MediaType.
    Parameters:
    1. String: Variable key
    2. List of MediaType: Variable value

PDStorage.AddUserData.List.Number
    Adds a user variable of type List of Number.
    Parameters:
    1. String: Variable key
    2. List of Number: Variable value

PDStorage.AddUserData.List.String
    Adds a user variable of type List of String.
    Parameters:
    1. String: Variable key
    2. List of String: Variable value

PDStorage.AddUserData.List.Wildcard
    Adds a user variable of type List of Wildcard Expression.
    Parameters:
    1. String: Variable key
    2. List of Wildcard Expression: Variable value

PDStorage.AddUserData.MediaType
    Adds a user variable of type MediaType.
    Parameters:
    1. String: Variable key
    2. MediaType: Variable value


PDStorage.AddUserData.Number
    Adds a user variable of type Number.
    Parameters:
    1. String: Variable key
    2. Number: Variable value

PDStorage.AddUserData.String
    Adds a user variable of type String.
    Parameters:
    1. String: Variable key
    2. String: Variable value

PDStorage.AddUserData.Wildcard
    Adds a user variable of type Wildcard Expression.
    Parameters:
    1. String: Variable key
    2. Wildcard Expression: Variable value

PDStorage.Cleanup
    Cleans up persistently stored data.

PDStorage.DeleteAllGlobalData
    Deletes all permanently stored global data.

PDStorage.DeleteAllUserData
    Deletes all permanently stored user data.

PDStorage.DeleteGlobalData
    Deletes all permanently stored global variables of a given type.
    Parameter: String: Variable key

PDStorage.DeleteUserData
    Deletes all permanently stored user variables of a given type.
    Parameter: String: Variable key

ProtocolDetector.ApplyFiltering
    Applies processing of web filtering rules on web traffic that has been found to follow a protocol that is supported on Web Gateway.

SNMP.Send.Trap.Application
    Sends an SNMP trap message with application information.

SNMP.Send.Trap.System
    Sends an SNMP trap message with system information.

SNMP.Send.Trap.User
    Sends an SNMP trap message with user information.
    Parameters:
    1. Number: User ID
    2. String: Message body

SNMP.Send.Trap.UserHost
    Sends an SNMP trap message with information on the host of a user.
    Parameters:
    1. Number: User ID
    2. String: Message body
    3. IP: IP address of the host

SSO.AddCredentials
    Creates new credentials for a user who attempts to log on in a single sign-on process to a cloud application.
    To authenticate a user, the credentials are evaluated by an authentication instance, which is also known as identity provider (IdP), for example, an LDAP or NTLM database.
    The new credentials are stored in the database of the identity provider.
    Parameters:
    1. String: Identity provider
    2. String: User name
    3. String: Cloud application
    4. JSON: Credentials in JSON format


SSO.AddServices
    Prepares the availability of cloud applications for a user who attempts to select one of them for logon in a single sign-on process.
    Note: A cloud application is also referred to as cloud service.
    Parameters:
    1. String: Identity provider
    2. String: User name
    3. List: List of cloud applications

SSO.DeleteCredentials
    Deletes credentials of a user who attempts to log on in a single sign-on process to a cloud application.
    To authenticate a user, the credentials are evaluated by an authentication instance, which is also known as identity provider (IdP), for example, an LDAP or NTLM database.
    The new credentials are stored in the database of the identity provider.
    Parameters:
    1. String: Identity provider
    2. String: User name
    3. String: Cloud application
    4. JSON: Credentials in JSON format

SSO.ProcessFormLogin
    Processes the data that was submitted for a user in a form on a logon page to perform logon to a cloud application in a single sign-on process.
    One of the following is executed for the logon form:
    • When a logon form is sent with a POST request to a cloud application, the password token that had been inserted into the logon form before is replaced by the real password of the user who requests single sign-on access.
    • When a logon form is requested for a user with a GET request that is sent from a browser, script code is inserted into the form to fill it out and forward it to the cloud application.
    This event is only executed when the proxy (inline) mode is configured for the single sign-on process.

SSO.UpdateCredentials
    Updates credentials of a user who attempts to log on in a single sign-on process to a cloud application.
    To authenticate a user, the credentials are evaluated by an authentication instance, which is also known as identity provider (IdP), for example, an LDAP or NTLM database.
    The new credentials are stored in the database of the identity provider.
    Parameters:
    1. String: Identity provider
    2. String: User name
    3. String: Cloud application
    4. JSON: Credentials in JSON format

Statistics.Counter.Increment
    Increments a counter.

Statistics.Counter.Reset
    Resets a counter.
    Parameter: String: Counter name

Stopwatch.Reset
    Sets an internal watch that measures processing time for rule sets to zero.
    Parameter: String: Rule set name

Stopwatch.Start
    Starts an internal watch that measures processing time for rule sets.
    Parameter: String: Rule set name

Stopwatch.Stop
    Stops an internal watch that measures processing time for rule sets.
    Parameter: String: Rule set name

Syslog
    Writes an entry into syslog.
    Parameters:
    1. Number: Log level
       ◦ 0 – Emergency
       ◦ 1 – Alert
       ◦ 2 – Critical
       ◦ 3 – Error
       ◦ 4 – Warning
       ◦ 5 – Notice
       ◦ 6 – Info
       ◦ 7 – Debugging
    2. String: Log entry

Throttle.Client Limits the speed (in Kbps) of data transfer from a Number: Speed limit
client to the appliance.

Throttle.Server Limits the speed (in Kbps) of data transfer from a web Number: Speed limit
server to the appliance.

TIE: Report File Reputation Sends a file reputation score to a TIE server. Number: File reputation score

List of incident IDs


The following table provides a list of the incident IDs you can use in rules.
The incident IDs are grouped in numerical ranges as follows.

1-199 Incidents related to the appliance system

200-299 Core subsystem incidents

300-399 Update module incidents

400-499 Virus and malware filtering incidents

500-599 Log File Manager incidents

600-699 sysconfd daemon incidents

700-799 Proxy module incidents

800-899 Virus and malware filtering incidents

900-999 Authentication incidents

1000-1099 URL filtering incidents

1100-1199 Quota management incidents

1200-1299 SSL certificate incidents

1300-1399 ICAP client incidents

1400-1499 Media type filtering incidents

1500-1599 Opener incidents

1600-1699 SSL certificate chain incidents

1700-1799 User interface incidents

1800-1849 External lists incidents

1850-1899 Application filtering incidents

1900-1999 Data Loss Prevention (DLP) incidents

2000-2099 Streaming media filtering incidents

2100-2199 Media type filtering incidents

2200-2299 Dynamic Content Classifier incidents

2300-2399 Single sign-on service incidents

2400-2499 Cloud storage encryption incidents

2500-2549 Credential store incidents

2550-2599 Single Sign On (SSO) incidents

2650-2699 Cloud Access Security Broker (CASB) catalog incidents

2800-2899 Update Server Certificate Authority (CA) incidents

3000-3200 Central Management incidents

3200-3399 Web Hybrid incidents

3400-3499 Web SaaS connector incidents

3500-3599 Protocol Detector incidents

List of incident IDs

Each entry gives the incident ID, its description, the origin (number and name), and the severity.

5  A rule that uses an incident property was executed.
   Origin: 1 System. Severity: 7.

20  RAID monitoring reported critical status or failure of one or more hard disks.
    Origin: 1 Health Monitor. Severity: 4 (or 3 for hard-disk failure).

21  S.M.A.R.T. health check reported an error on a hard disk (HDD).
    Origin: 1 Health Monitor. Severity: 4.

22  File system usage has exceeded a configured limit.
    Origin: 1 Health Monitor. Severity: 4.

23  Memory usage has exceeded a configured limit.
    Origin: 1 Health Monitor. Severity: 4.

24  System load has exceeded a configured limit.
    Origin: 1 Health Monitor. Severity: 4.

26  A check has been executed to detect a RAID BBU (battery backup unit) error. The checking interval is 30 minutes.
    Origin: 1 Health Monitor. Severity: 4.

200  The license expiration date has been checked.
     Origin: 2 Core. Severity: 6.

201  The appliance has successfully completed all FIPS 140-2 self-tests.
     Origin: 2 Core. Severity: 6.

211  The maximum number of entries in dashboard report x has been exceeded.
     Origin: 2 Statistics. Severity: 4.

250  An entry in a list is invalid and will be ignored.
     Origin: 2 Core. Severity: 3.

298  Update of product x succeeded.
     Origin: 2 Core. Severity: 6.

299  Update of product x failed.
     Origin: 2 Core. Severity: 3.

301  Download of update files was stopped because there is not enough disk space.
     Origin: 3 Updater. Severity: 3.

302  Download of product x failed on node y.
     Origin: 3 Updater. Severity: 3.

303  Update of product x failed on node y.
     Origin: 3 Updater. Severity: 3.

304  Status of product x on node y is up to date.
     Origin: 3 Updater. Severity: 3.

305  The update module could not connect to an update server.
     Origin: 3 Updater. Severity: 3.

321  Download of product x succeeded on node y.
     Origin: 3 Updater. Severity: 6.

322  Download of product x succeeded on node y.
     Origin: 3 Updater. Severity: 6.

323  Update of customer subscribed list x succeeded on node y.
     Origin: 3 Customer Subscribed List Manager. Severity: 6.

324  Update of customer subscribed list x failed on nodes y, z, ...
     Origin: 3 Customer Subscribed List Manager. Severity: 3.

325  Status of customer subscribed list x on node y is up to date.
     Origin: 3 Customer Subscribed List Manager. Severity: 6.

326  Download of customer subscribed list x failed on nodes y, z, ...
     Origin: 3 Customer Subscribed List Manager. Severity: 3.

327  Download of McAfee subscribed list x failed on nodes y, z, ...
     Origin: 3 Updater. Severity: 3.

328  Update of McAfee subscribed list x failed on nodes y, z, ...
     Origin: 3 Updater. Severity: 3.

329  Status of McAfee subscribed list x on nodes y, z, ... is up to date.
     Origin: 3 Updater. Severity: 6.

330  Update of McAfee subscribed list x succeeded on node y.
     Origin: 3 Updater. Severity: 6.

331  Processing scheduled job x succeeded.
     Origin: 3 Scheduled Job Manager. Severity: 6.

332  Processing scheduled job x failed.
     Origin: 3 Scheduled Job Manager. Severity: 3.

333  Update of updatable system lists failed on node y.
     Origin: 3 Central Updater. Severity: 3.

334  Update of updatable system lists succeeded on node y.
     Origin: 3 Central Updater. Severity: 6.

335  Status of updatable system lists on node y is up to date.
     Origin: 3 Central Updater. Severity: 6.

340-349  Migration failed for different reasons.
         Origin: 3 Migration. Severity: 6.

500  The Log File Manager experienced an unrecoverable internal error and will terminate.
     Origin: 5 Log File Manager. Severity: 2.

501  Log File Manager failed to push log files.
     Origin: 5 Log File Manager. Severity: 3.

600  A yum update contained packages that require a restart of the appliance to become effective.
     Origin: 6 mwg-update. Severity: 4.

601  A yum update was successfully completed.
     Origin: 6 mwg-update. Severity: 5.

602  A yum update failed.
     Origin: 6 mwg-update. Severity: 3.

620  A major distribution upgrade was successfully completed.
     Origin: 6 mwg-dist-upgrade. Severity: 5.

621  A major distribution upgrade is in progress. The appliance will restart automatically.
     Origin: 6 mwg-dist-upgrade. Severity: 4.

622  A major distribution upgrade failed. Check the upgrade log file.
     Origin: 6 mwg-dist-upgrade. Severity: 3.

666  A FIPS 140-2 self-test failed on node y. The node is running in non-FIPS mode.
     Origin: 1 FIPS. Severity: 0.

700  The number of concurrent connections has exceeded the configured overload limit. The appliance has entered overload status. Requests sent to the appliance are accepted with a delay.
     Origin: 2 Proxy. Severity: 2.

701  The appliance has been in overload status for more than 30 seconds. Requests sent to the appliance are accepted with a delay.
     Origin: 2 Proxy. Severity: 2.

702  The appliance has left overload status. Requests sent to the appliance are again accepted without delay.
     Origin: 2 Proxy. Severity: 4.

703  The number of concurrent connections has exceeded the configured high-load limit. The appliance has entered high-load status. Requests sent to the appliance are accepted with a delay.
     Origin: 2 Proxy. Severity: 4.

704  The appliance has been in high-load status for more than 30 seconds. Requests sent to the appliance are accepted with a delay.
     Origin: 2 Proxy. Severity: 4.

705  The number of concurrent connections has dropped below 85 % of the configured high-load limit. The appliance is still in high-load status. Requests sent to the appliance are accepted with a delay.
     Origin: 2 Proxy. Severity: 6.

710  A next-hop proxy server is down and will not be available for n seconds.
     Origin: 2 Proxy. Severity: 4.

711  The appliance could not connect to a next-hop proxy server.
     Origin: 2 Proxy. Severity: 4.

712  A next-hop proxy server has moved back from error status to normal operation.
     Origin: 2 Proxy. Severity: 6.

720  The listener on IP address x, port y could not be opened.
     Origin: 2 Proxy. Severity: 2.

730  A changed proxy mode configuration requires a restart of the appliance.
     Origin: 2 Proxy. Severity: 2.

740  The number of concurrent connections has exceeded the overload limit that is configured for an IFP proxy. Overload status has been entered. New requests are not processed.
     Origin: 2 Proxy. Severity: 2.

741  Overload status has lasted more than 30 seconds for an IFP proxy. New requests are not processed.
     Origin: 2 Proxy. Severity: 2.

742  Overload status has been left for an IFP proxy. Requests are again accepted without delay.
     Origin: 2 Proxy. Severity: 4.

743  The number of concurrent connections has exceeded the high-load limit that is configured for an IFP proxy. High-load status has been entered. New requests are not processed.
     Origin: 2 Proxy. Severity: 4.

744  High-load status has lasted more than 30 seconds for an IFP proxy. New requests are not processed.
     Origin: 2 Proxy. Severity: 4.

745  The number of concurrent connections has dropped below 85 % of the high-load limit that is configured for an IFP proxy. High-load status is still on. Requests are accepted with a delay.
     Origin: 2 Proxy. Severity: 6.

750  A key for the HSM Agent could not be loaded due to an error on the appliance side.
     Origin: 2 Proxy. Severity: 2.

751  A key for the HSM Agent could not be loaded due to an error on the agent side.
     Origin: 2 Proxy. Severity: 2.

752  The ID of a key for an HSM Agent could not be retrieved due to an error on the appliance side.
     Origin: 2 Proxy. Severity: 2.

753  The ID of a key for an HSM Agent could not be retrieved due to an error on the agent side.
     Origin: 2 Proxy. Severity: 2.

760  The WCCP listener could not be started.
     Origin: 2 Proxy. Severity: 2.

761  WCCP could not start the send and listener threads.
     Origin: 2 Proxy. Severity: 2.

762  WCCP could not resolve the router address <host>.
     Origin: 2 Proxy. Severity: 3.

763  WCCP could not join the multicast group <host>.
     Origin: 2 Proxy. Severity: 3.

764  An error occurred when reading from or writing to WCCP sockets.
     Origin: 2 Proxy. Severity: 3.

765  Authentication with the WCCP router <host> failed.
     Origin: 2 Proxy. Severity: 3.

766  WCCP message parsing failed and malformed packets were created.
     Origin: 2 Proxy. Severity: 3.

767  The WCCP service ID or group could not be found.
     Origin: 2 Proxy. Severity: 3.

768  A WCCP router for a service ID was added.
     Origin: 2 Proxy. Severity: 6.

769  A WCCP router for a service ID was removed.
     Origin: 2 Proxy. Severity: 6.

850  An update of the MGAM module for virus and malware filtering was successfully completed.
     Origin: 2 Anti-Malware Filter. Severity: 6.

851  An update of the MGAM module for virus and malware filtering failed.
     Origin: 2 Anti-Malware Filter. Severity: 3.

852  Download or verification of the update files for the MGAM module failed.
     Origin: 2 Anti-Malware Filter. Severity: 3.

853  The version of the MGAM module for virus and malware filtering is up to date.
     Origin: 2 Anti-Malware Filter. Severity: 6.

854  An update of the Avira module for virus and malware filtering was successfully completed.
     Origin: 2 Anti-Malware Filter. Severity: 6.

855  An update of the Avira module for virus and malware filtering failed.
     Origin: 2 Anti-Malware Filter. Severity: 3.

856  Download or verification of the update files for the Avira module failed.
     Origin: 2 Anti-Malware Filter. Severity: 3.

857  The version of the Avira module for virus and malware filtering is up to date.
     Origin: 2 Anti-Malware Filter. Severity: 6.

901  The appliance is connected to n servers for NTLM authentication in Windows domain x.
     Origin: 2 NTLM Authentication Filter. Severity: 6.

902  The appliance could not connect to n servers for NTLM authentication in Windows domain x.
     Origin: 2 NTLM Authentication Filter. Severity: 4.

903  The appliance could not contact Windows domain x for NTLM authentication.
     Origin: 2 NTLM Authentication Filter. Severity: 3.

910  The appliance is connected to the LDAP server with configuration ID n.
     Origin: 2 LDAP Authentication Filter. Severity: 6.

912  The appliance was disconnected from the LDAP server with configuration ID n.
     Origin: 2 LDAP Authentication Filter. Severity: 4.

913  The appliance could not connect to any LDAP server with configuration ID n.
     Origin: 2 LDAP Authentication Filter. Severity: 3.

920  A response has been received from RADIUS server x after attempting to start communication to retrieve information for authenticating users.
     Origin: 2 RADIUS Authentication Filter. Severity: 6.

921  A response has again been received from RADIUS server x after communication had been interrupted.
     Origin: 2 RADIUS Authentication Filter. Severity: 6.

923  An authentication request sent to RADIUS server x has led to a timeout.
     Origin: 2 RADIUS Authentication Filter. Severity: 3.

931  The appliance is connected to NTLM-Agent server x.
     Origin: 2 NTLM-Agent Authentication Filter. Severity: 6.

932  The appliance has been disconnected from NTLM-Agent server x.
     Origin: 2 NTLM-Agent Authentication Filter. Severity: 3.

933  The appliance could not connect to NTLM-Agent server x.
     Origin: 2 NTLM-Agent Authentication Filter. Severity: 3.

940  An update of a Certificate Revocation List was successfully completed.
     Origin: 2 Authentication Filter. Severity: 6.

941  An update of a Certificate Revocation List failed.
     Origin: 2 Authentication Filter. Severity: 4.

942  A download of a Certificate Revocation List failed.
     Origin: 2 Authentication Filter. Severity: 4.

943  The status of a Certificate Revocation List is up to date.
     Origin: 2 Authentication Filter. Severity: 6.

1050  An update of the URL Filter module was successfully completed.
      Origin: 2 URL Filter. Severity: 6.

1051  An update of the URL Filter module failed.
      Origin: 2 URL Filter. Severity: 3.

1052  Download or verification of update files for the URL Filter module failed.
      Origin: 2 URL Filter. Severity: 3.

1053  Status of the URL Filter module is up to date.
      Origin: 2 URL Filter. Severity: 6.

1650  An updated Certificate Revocation List was downloaded and loaded successfully.
      Origin: 2 Certificate Chain Filter. Severity: 6.

1651  An updated Certificate Revocation List was downloaded, but could not be loaded.
      Origin: 2 Certificate Chain Filter. Severity: 4.

1652  An updated Certificate Revocation List could not be downloaded.
      Origin: 2 Certificate Chain Filter. Severity: 3.

1653  Status of all Certificate Revocation Lists is up to date.
      Origin: 2 Certificate Chain Filter. Severity: 6.

1700  An admin user logged on successfully to the user interface.
      Origin: 7 User interface. Severity: 4.

1701  Logon of an admin user to the user interface failed.
      Origin: 7 User interface. Severity: 3.

1702  The IP address of the client that an end user sent a request from changed.
      Origin: 7 User interface. Severity: 4.

1703  An admin user logged off successfully from the user interface.
      Origin: 7 User interface. Severity: 6.

1704  A logoff from the user interface was forced upon an admin user after a restart of an appliance, a timeout, or a similar incident had occurred.
      Origin: 7 User interface. Severity: 6.

1710  An admin user saved changes successfully.
      Origin: 7 User interface. Severity: 6.

1711  An attempt by an admin user to save changes failed.
      Origin: 7 User interface. Severity: 3.

1800  The number of entries that can be retrieved from an external list has exceeded the configured limit.
      Origin: 2 External Lists Filter. Severity: 4.

1801  The amount of data of entries that can be retrieved from an external list has exceeded the configured limit.
      Origin: 2 External Lists Filter. Severity: 4.

1802  An error occurred when data was retrieved from an external list.
      Origin: 2 External Lists Filter. Severity: 4.

1803  An error occurred when data that had been retrieved from an external list was converted.
      Origin: 2 External Lists Filter. Severity: 4.

1804  A time-out occurred when data was retrieved from an external list.
      Origin: 2 External Lists Filter. Severity: 4.

1805  Permission to retrieve data from an external list was denied.
      Origin: 2 External Lists Filter. Severity: 4.

1806  A resource for retrieving external list data could not be found.
      Origin: 2 External Lists Filter. Severity: 4.

1850  An update of the database for application filtering was successfully completed.
      Origin: 2 Application Control. Severity: 6.

1851  An update of the database for application filtering failed.
      Origin: 2 Application Control. Severity: 3.

1852  A download of the database for application filtering failed.
      Origin: 2 Application Control. Severity: 3.

1853  Status of the database for application filtering is up to date.
      Origin: 2 Application Control. Severity: 6.

1854  Loading the database for application filtering failed.
      Origin: 2 Application Control. Severity: 3.

1855  Loading the database for application filtering was successfully completed.
      Origin: 2 Application Control. Severity: 6.

1950  An update of the Data Loss Prevention (DLP) module was successfully completed.
      Origin: 2 Data Loss Prevention. Severity: 6.

1951  An update of the Data Loss Prevention (DLP) module failed.
      Origin: 2 Data Loss Prevention. Severity: 3.

1952  Download or verification of the update files for the Data Loss Prevention (DLP) module failed.
      Origin: 2 Data Loss Prevention. Severity: 3.

1953  Status of the Data Loss Prevention (DLP) module is up to date.
      Origin: 2 Data Loss Prevention. Severity: 6.

2001  An error occurred with the Stream Detector module.
      Origin: 2 Stream Detector. Severity: 2.

2101  The database for media type filtering could not be loaded.
      Origin: 2 Media Type Filter. Severity: 2.

2200  An update of the Dynamic Content Classifier was successfully completed.
      Origin: 2 Dynamic Content Classifier. Severity: 6.

2201  An update of the Dynamic Content Classifier failed.
      Origin: 2 Dynamic Content Classifier. Severity: 3.

2202  A download or verification of the update files for the Dynamic Content Classifier failed.
      Origin: 2 Dynamic Content Classifier. Severity: 3.

2203  Status of the Dynamic Content Classifier is up to date.
      Origin: 2 Dynamic Content Classifier. Severity: 6.

2350  An update of the files for the single sign-on process was successfully completed.
      Origin: 3 Single Sign On Service. Severity: 6.

2351  An update of the files for the single sign-on process failed.
      Origin: 3 Single Sign On Service. Severity: 3.

2352  A download or verification of the updated files for the single sign-on process failed.
      Origin: 3 Single Sign On Service. Severity: 3.

2353  Status of the files for the single sign-on process is up to date.
      Origin: 3 Single Sign On Service.

2401  Failed to load services database.
      This incident is reported when the Cloud Storage Encryption module cannot load files with a description of supported cloud storage services.
      Origin: 3 Cloud Storage Encryption. Severity: 2.

2502  Credential store export incident
      Export of data from the credential store failed.

2503  Credential store import incident
      Import of data into the credential store failed.

2510  Credential store incident
      A credential store error occurred. See the message in the incident report and more details in the error log.

2550  SSO update success
      The SSO module was successfully updated.

2551  SSO update failure
      The SSO module could not be updated. See the error log for more details.

2552  SSO download failed
      Files could not be downloaded from the SSO server.

2553  SSO catalog up to date
      There is no new version of the SSO files on the update server.

2650  SSO catalog update success
      The SSO connector catalog was successfully updated.

2651  SSO catalog update failure
      The SSO connector catalog could not be updated. See the error log for more details.

2652  SSO catalog download failed
      SSO connector catalog files could not be downloaded from the update server.

2653  SSO catalog up to date
      There is no new version of the SSO connector catalog files on the update server.

2800  The Update Certificate Authorities (CAs) are up to date.
      Origin: 2 Update CA plugin. Severity: 6.

2801  A download of the Update Certificate Authorities (CAs) failed.
      Origin: 2 Update CA plugin. Severity: 3.

2802  The Update Certificate Authorities (CAs) were successfully updated.
      Origin: 2 Update CA plugin. Severity: 6.

2803  An update of the Update Certificate Authorities (CAs) failed.
      Origin: 2 Update CA plugin. Severity: 3.

3000  At least one node in a Central Management configuration is not in synchronized status (with regard to storage and configuration). The number of unsynchronized nodes changes.
      This incident is only recorded on the root node.
      Origin: 3 Central Management. Severity: 3.

3001  After incident 3000 occurred, all nodes in a Central Management configuration are again in synchronized status (with regard to storage and configuration).
      Origin: 3 Central Management. Severity: 6.

3005  At least one node in a Central Management configuration did not respond properly after shared data had been sent out. The number of nodes not properly responding changes.
      This incident is only recorded on the root node and only if the shared data was intended for all nodes.
      Origin: 3 Central Management. Severity: 3.

3006  After incident 3005 occurred, all nodes in a Central Management configuration responded properly again to the sending of shared data.
      Origin: 3 Central Management. Severity: 6.

3200  Sending lists to McAfee Web Gateway Cloud Service was successfully completed.
      Origin: 3 Web Hybrid. Severity: 6.

3201  Sending lists to McAfee Web Gateway Cloud Service failed.
      Origin: 3 Web Hybrid. Severity: 3.

3205  Lists were successfully downloaded from McAfee Web Gateway Cloud Service and stored.
      Origin: 3 Web Hybrid. Severity: 6.

3206  Lists could not be downloaded from McAfee Web Gateway Cloud Service and stored.
      Origin: 3 Web Hybrid. Severity: 3.

3210  Synchronization status could not be determined.
      Origin: 3 Web Hybrid. Severity: 3.

3211  An error occurred with the API for McAfee Web Gateway Cloud Service, for example, a mismatch of the API version.
      Origin: 3 Web Hybrid. Severity: 3.

3250  Status of synchronization with McAfee Web Gateway Cloud Service is OK.
      Origin: 3 Web Hybrid. Severity: 6.

3300  The list for Web Service Access is not available for an unknown reason.
      Origin: 2 Web Hybrid. Severity: 2.

3301  The list for Web Service Access does not exist.
      Origin: 2 Web Hybrid. Severity: 2.

3302  The settings for Web Service Access are not available for an unknown reason.
      Origin: 2 Web Hybrid. Severity: 2.

3303  The settings for Web Service Access do not exist.
      Origin: 2 Web Hybrid. Severity: 2.

3400  A policy could not be synchronized to McAfee Web Gateway Cloud Service.
      Origin: 8 SaaS Connector. Severity: 3.

3500  The Protocol Detector rule set could not be found and loaded.
      Origin: 2 Protocol Detector Filter. Severity: 2.

3501  The Protocol Detector rule set was broken or corrupt and could not be loaded.
      Origin: 2 Protocol Detector Filter. Severity: 2.



List of operators
The following table provides a list of the operators that you can use in rules.
The operators are listed in alphabetical order.
The part that precedes the operator in the criteria of a rule is referred to as the property and the part that follows it as the operand.
Note: Some properties are of the list type, which means they can have more than one value at the same time.

List of operators

Each entry gives the operator, its description, and an example.

all in list
    All values of the property must be entries in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: URL.Categories<Default> all in list Category Blocklist
    The criteria matches if, for example, the values of URL.Categories are Entertainment, Media Downloads, and Streaming Media, and all of them are entries in the list Category Blocklist.

at least one in list
    One of the values of the property must be an entry in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: URL.Categories<Default> at least one in list Category Blocklist
    The criteria matches if, for example, one of the values of URL.Categories is Nudity and this is also an entry in the list Category Blocklist.

contains
    The value of the operand must be a part of the value of the property.
    Note: This operator is for use with values of the string type only. The string for the operand is submitted by typing it in a suitable field of the user interface.
    Example: Authentication.UserGroups contains "Domain Users"
    The criteria matches if the string "Domain Users" can be found in the list of strings that are the values of Authentication.UserGroups.

does not contain
    The value of the operand must not be a part of the value of the property.
    Note: This operator is for use with values of the string type only. The string for the operand is submitted by typing it in a suitable field of the user interface.
    Example: Authentication.UserGroups does not contain "Domain Users"
    The criteria matches if the string "Domain Users" cannot be found in the list of strings that are the values of Authentication.UserGroups.

does not equal
    The value of the property must not be the same as the value of the operand.
    Example: Antimalware.Infected<Gateway Anti-Malware> does not equal false
    The criteria matches if the value of Antimalware.Infected is true.
    Or: Cycle.TopName does not equal "Response"
    The criteria matches, for example, if the value of Cycle.TopName is "Request".
    Note: Wildcards are not allowed as operands when this operator is used. Even a blank at the beginning or end of an operand will prevent this operator from working properly.

does not match
    The value of the property must not be:
    • the same as the value of the operand
    • or: covered by the wildcard (regular or glob expression) that is the value of the operand
    Example: URL.Host does not match *.mcafee.com
    The criteria matches if the value of URL.Host is, for example, www.cisco.com.

does not match in list
    The value of the property must not be:
    • the same as one of the entries in the list of the operand
    • or: covered by one of the wildcards (regular or glob expressions) in the list of the operand
    Example: URL.Host does not match in list URL.Whitelist
    The criteria matches, for example, if the value of URL.Host is www.mcafee.com, and this is not an entry in the list URL.Whitelist.
    The criteria also matches if the value of URL.Host is www.mcafee.com and no regular or glob expression that would cover this value is found in the list URL.Whitelist.

equals
    The value of the property must be the same as the value of the operand.
    Example: Antimalware.Infected<Gateway Anti-Malware> equals true
    The criteria matches if the value of Antimalware.Infected is true.
    Or: Cycle.TopName equals "Request"
    The criteria matches if the value of Cycle.TopName is "Request".
    Note: Wildcards are not allowed as operands when this operator is used. Even a blank at the beginning or end of an operand will prevent this operator from working properly.

greater than
    The value of the property must be above the value of the operand.
    Example: Body.Size greater than 20000000
    The criteria matches if the value of Body.Size is, for example, 20000001 bytes.

greater than or equals
    The value of the property must be above or the same as the value of the operand.
    Example: Body.Size greater than or equals 20000000
    The criteria matches if the value of Body.Size is, for example, 20000001 or 20000000 bytes.

is in list
    The value of the property must be an entry in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: Client.IP is in list Allowed Clients
    The criteria matches if, for example, the client IP address is 181.153.30.0 and this is an entry in the list Allowed Clients.

is in range list
    The value of the property must be within one of the ranges of values that are entries in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: Client.IP is in range list Anti-Malware Quarantine IPRange
    The criteria matches if, for example, the client IP address is 207.183.100.0 and this value can be found within one of the ranges of values in the list Anti-Malware Quarantine IPRange.

is not in list
    The value of the property must not be an entry in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: Client.IP is not in list Allowed Clients
    The criteria matches if, for example, the client IP address is 174.199.0.0 and this is not an entry in the list Allowed Clients.

is not in range list
    The value of the property must not be within one of the ranges of values that are entries in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: Client.IP is not in range list Anti-Malware Quarantine IPRange
    The criteria matches if, for example, the client IP address is 207.183.100.0 and this value is not found within any of the ranges of values in the list Anti-Malware Quarantine IPRange.

less than
    The value of the property must be below the value of the operand.
    Example: Body.Size less than 20000000
    The criteria matches if the value of Body.Size is, for example, 19999999 bytes.

less than or equals
    The value of the property must be below or the same as the value of the operand.
    Example: Body.Size less than or equals 20000000
    The criteria matches if the value of Body.Size is, for example, 19999999 or 20000000 bytes.

matches
    The value of the property must be:
    • the same as the value of the operand
    • or: covered by the wildcard (regular or glob expression) that is the value of the operand
    Example: URL.Host matches *.mcafee.com
    The criteria matches if the value of URL.Host is, for example, www.mcafee.com.

matches in list
    The value of the property must be:
    • the same as one of the entries in the list of the operand
    • or: covered by one of the wildcards (regular or glob expressions) in the list of the operand
    Example: URL.Host matches in list URL.Whitelist
    The criteria matches if the value of URL.Host is, for example, www.mcafee.com, and this is an entry in the list URL.Whitelist.
    The criteria also matches if the value of URL.Host is www.mcafee.com, and, for example, regex(www.mcafee.*) is an entry in the list URL.Whitelist.

none in list
    None of the values of the property must be entries in the list of the operand.
    Note: This operator is for use with values of the string type only.
    Example: URL.Categories<Default> none in list Category Blocklist
    The criteria matches if, for example, the values of URL.Categories are Entertainment, Media Downloads, and Streaming Media, and none of them can be found in the list Category Blocklist.
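The semantics above are easy to get wrong at the edges: equals does not accept wildcards, matches and matches in list do, and the range operators work on IP addresses. The following added example, written for this page rather than taken from Web Gateway's rule engine, is a stand-alone Python model of every operator in the table, run against the values used in the examples above. Its assumptions about list syntax are its own: a plain entry is compared literally, an entry written regex(...) is a regular expression, an entry containing * or ? is a glob, an IP range entry is written "first-last" or in CIDR notation, and contains on a list-type property means the operand is a substring of at least one of its values.

```python
"""Model of the rule-criteria operators listed above (added example).

Stand-alone Python model written for this page, not Web Gateway's rule
engine. Assumed list-entry syntax: a plain string is matched literally,
regex(...) is a regular expression, and an entry containing * or ? is a
glob; IP range entries are written "first-last" or in CIDR notation.
"""
import fnmatch
import ipaddress
import re


def _wildcard_matches(value, entry):
    """Literal, regex(...) or glob entry against one string value."""
    if entry.startswith("regex(") and entry.endswith(")"):
        return re.fullmatch(entry[6:-1], value) is not None
    if any(c in entry for c in "*?["):
        return fnmatch.fnmatchcase(value, entry)
    return value == entry


def _in_range_list(value, ranges):
    """True if the IP address lies in any "first-last" or CIDR entry."""
    ip = ipaddress.ip_address(value)
    for entry in ranges:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if first <= ip <= last:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def _values(prop_value):
    """List-type properties carry several values; wrap a scalar in a list."""
    return list(prop_value) if isinstance(prop_value, (list, tuple, set)) else [prop_value]


def evaluate(prop_value, operator, operand):
    """Evaluate the criteria `<property> <operator> <operand>`; True on match."""
    if operator in ("equals", "does not equal"):
        # The table rules out wildcards here, so this is plain equality:
        # a stray blank in the operand makes the comparison fail.
        hit = prop_value == operand
        return hit if operator == "equals" else not hit
    if operator in ("contains", "does not contain"):
        hit = any(operand in v for v in _values(prop_value))
        return hit if operator == "contains" else not hit
    if operator in ("matches", "does not match"):
        hit = _wildcard_matches(prop_value, operand)
        return hit if operator == "matches" else not hit
    if operator in ("matches in list", "does not match in list"):
        hit = any(_wildcard_matches(prop_value, e) for e in operand)
        return hit if operator == "matches in list" else not hit
    if operator in ("is in list", "is not in list"):
        hit = prop_value in operand
        return hit if operator == "is in list" else not hit
    if operator in ("is in range list", "is not in range list"):
        hit = _in_range_list(prop_value, operand)
        return hit if operator == "is in range list" else not hit
    if operator == "all in list":
        return all(v in operand for v in _values(prop_value))
    if operator == "at least one in list":
        return any(v in operand for v in _values(prop_value))
    if operator == "none in list":
        return not any(v in operand for v in _values(prop_value))
    if operator == "greater than":
        return prop_value > operand
    if operator == "greater than or equals":
        return prop_value >= operand
    if operator == "less than":
        return prop_value < operand
    if operator == "less than or equals":
        return prop_value <= operand
    raise ValueError(f"unknown operator: {operator!r}")


if __name__ == "__main__":
    # Constructed sample lists; the names are the ones used in the table above.
    url_whitelist = ["www.mcafee.com", "regex(www.mcafee.*)"]
    quarantine_ranges = ["207.183.0.0-207.183.255.255"]
    print(evaluate("www.mcafee.com", "matches", "*.mcafee.com"))               # True
    print(evaluate("www.cisco.com", "does not match in list", url_whitelist))  # True
    print(evaluate("207.183.100.0", "is in range list", quarantine_ranges))    # True
    print(evaluate(["Sports"], "none in list", ["Nudity", "Entertainment"]))   # True
```

One caveat this model makes visible: all in list is vacuously true when a list-type property carries no values at all (an uncategorized URL, for instance), and none in list is then true as well. The table does not say how Web Gateway treats an empty value list, so test a blocking rule such as URL.Categories<Default> all in list Category Blocklist against an uncategorized URL before relying on it.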

List of properties
The following table provides a list of the properties you can use in rules.

Order of properties
The properties are listed in alphabetical order. However, the listing takes the parts of the property names into consideration.
Name parts begin with a capital letter; in many cases they are also separated by periods.
For example, Body.HasMimeHeaderParameter is listed before Body.Hash.
Note: There are no properties with names that begin with K, O, V, X, Y, or Z.



SaaS compatibility
Properties that are SaaS-compatible can be used when creating security rules for the web usage of on-premises users as well as of cloud users. Most properties are SaaS-compatible; some, however, are not, which means they can only be used in rules for on-premises users.
Note: More properties will be made available as SaaS-compatible items in future releases of Web Gateway.
If you use a property that is not SaaS-compatible in a rule that you create on Web Gateway, the user interface informs you that you cannot synchronize this rule for use in the cloud.
For a few properties, synchronization can be performed, but when the rules that contain them are executed for use in the cloud, only default values are retrieved for these properties.
These default values are usually meaningless with regard to web security purposes. For example, for the Proxy.Port property, 0 is retrieved as a value instead of a real port number when this property is processed within a rule for use in the cloud.
In the following list, a note is added to the description of a property if it is not SaaS-compatible. If a property can be synchronized together with the rule that contains it, but only a default value is retrieved, this is also indicated.

Properties in context
You can easily find out about the rules and rule sets that use a property.

1. On the user interface, click Search, and under Search for objects referring to, select Property and the property you are interested in.
The rules that use the property are shown. For example, for Antimalware.Infected, the rule Block if virus was found is shown.
2. Select a rule and click Show in context.
The rule and the property are shown within its rule set. For example, the rule for Antimalware.Infected is shown within the
Gateway Anti-Malware rule set.

Properties - A
The following table describes the properties that have names beginning with A.

Properties – A

Name Type Description Parameters

Action.Names List of String List with names of the actions that were performed when processing a request, including the response received upon the request

Antimalware.Avira.VersionString String Version of the Avira engine that was used to perform a scanning job

Antimalware.Infected Boolean If true, a web object has been found to be infected.

Antimalware.Proactive.Probability Number Probability that a web object is malware
The probability is a percentage, indicated by a number from 1 to 100.

Antimalware.MATD.GetReport Boolean If true, a scanning report exists already for a web object that is to be scanned by Advanced Threat Defense.
Note: This property is not SaaS-compatible.

Antimalware.MATD.Hash String Hash value used to identify a file that was received from a web server in response to a download request and scanned by Advanced Threat Defense.

Antimalware.MATD.InitBackgroundScan Boolean If true, data for the current transaction is recorded, including data that is related to a request for web access and the response from the web server.
The data is recorded in preparation of the scanning that is performed by Advanced Threat Defense when the web object that should be scanned has already been forwarded to the user who requested it.
An internal request is also sent to initiate the scanning.
If this request is not accepted before the timeout (in seconds) has elapsed that is configured as a parameter of the property, the attempt to let additional scanning be performed by Advanced Threat Defense has failed.
Note: This property is not SaaS-compatible.
Parameters: Number: Maximum number of seconds that can elapse before an internal request to initiate scanning is accepted

Antimalware.MATD.IsBackgroundScan Boolean If true, the data that was recorded in preparation of the additional scanning is used by Advanced Threat Defense to scan the web object specified by the data.
Note: This property is not SaaS-compatible.

Antimalware.MATD.Probability Number Severity grade indicating how malicious a web object is on a scale from 1 (low severity grade) to 5
The severity grade is found when an object is scanned by Advanced Threat Defense.

Antimalware.MATD.Report String Report for a web object that was scanned by Advanced Threat Defense
The report is provided in JSON data format.

Antimalware.MATD.Server String Server that Advanced Threat Defense was running on when scanning a web object
The server is identified by a URL, for example, http://matdserver300.

Antimalware.MATD.TaskID String Identifier for the task that was performed by Advanced Threat Defense when scanning a web object

Antimalware.MATD.VersionString String Version of Advanced Threat Defense that was used to perform a scanning job

Antimalware.MGAM.VersionString String Version of the McAfee Gateway Anti-Malware engine that was used to perform a scanning job

Antimalware.VersionString String Version information referring to all engines for virus and malware filtering that were used by Web Gateway to perform a scanning job

Antimalware.VirusNames List of String List with names of the viruses that a web object has been found to be infected with

AnyText.Language String Name of the language that a given text is written in
The languages are identified according to ISO-639-1.
Parameters: String: Text to find language name for

Application.IsHighRisk Boolean If true, access to an application is considered to be a high risk for web security.

Application.IsMediumRisk Boolean If true, access to an application is considered to be a medium risk for web security.

Application.IsMinimalRisk Boolean If true, access to an application is considered to be a minimal risk for web security.

Application.IsUnverified Boolean If true, it has not been verified that access to an application is a risk for web security.

Application.Name Applcontrol Name of an application

Application.Reputation Number Reputation score for an application

Application.ToString String Name of an application converted into a string
Parameters: Applcontrol: Application name to convert

Authentication.Authenticate Boolean If true, the authentication engine has been called to apply the configured method, for example, NTLM, to the credentials of a user and the user has been authenticated successfully.
Values have also been set for the Authentication.IsAuthenticated and Authentication.UserName properties.
If false, it was not possible to apply the configured authentication method successfully, for example, because no credentials or incorrect credentials were submitted.
Note: This property is not SaaS-compatible.

Authentication.CacheRemainingTime Number Time (in seconds) that remains until authentication credentials are cleared from the cache

Authentication.Failed Boolean If true, credentials were provided by a user, but authentication has failed.

Authentication.FailureReason.ID Number Number identifying the reason why authentication has failed for a user

Authentication.FailureReason.Message String Message text explaining the reason why authentication has failed for a user

Authentication.GetAzureUserGroups List of String List of user groups that the authentication process is applied to, which is retrieved from an Azure AD.
Note: This property is not SaaS-compatible.
Parameters: String: User name submitted by Web Gateway when connecting to an Azure AD server

Authentication.GetUserGroups List of String List of user groups that the authentication process is applied to
Note: This property is not SaaS-compatible.

Authentication.GetUserGroups.JSON JSON List of user groups that the authentication process is applied to, provided as a JSON object
Note: This property is not SaaS-compatible.

Authentication.ICEToken.Attributes List List of additional attributes that are retrieved from an ICE token

Authentication.ICEToken.Audiences List List of audiences that are retrieved from an ICE token

Authentication.ICEToken.Subject String Subject that is retrieved from an ICE token

Authentication.IsAuthenticated Boolean If true, a user has been successfully authenticated.

Authentication.IsLandingOnServer Boolean If true, cookie authentication has been applied for a user.

Authentication.IsServerRequest Boolean If true, authentication has been requested for a user under the Authentication Server method.

Authentication.Method String Method used for authenticating a user, for example, LDAP

Authentication.OTP.Context String Information required for verifying a one-time password user in encrypted format
The property is set to this value when the Authentication.SendOTP event is executed.
When the rules of the Authentication Server (Time/IP Based Session or Authorized Override with OTP) library rule sets are processed, the information is sent in the header of a response under the HTTP protocol.
Note: This property is not SaaS-compatible.

Authentication.RawCredentials String Credentials of a user in the format originally received on the appliance from a client or other instances of the network
Using this property for rule configuration will speed up processing because it saves the time used for converting user credentials to a human readable format, as it is done for the simple Authentication.UserName property.

Authentication.RawUserName String Name of a user in the format originally received on the appliance from a client or other instances of the network
Using this property for rule configuration will speed up processing because it saves the time used for converting the user name to a human readable format, as it is done for the simple Authentication.UserName property.

Authentication.Realm String Authentication realm, for example, a Windows domain

Authentication.SAML.Attributes List of String Stores a list of attribute name-value pairs extracted from the <saml2:Attribute> tag in the SAML response.
When there are multiple values for one attribute name, the values are separated by commas.
Note: This property is not SaaS-compatible.

Authentication.SAML.CreateAuthnRequest HTTP POST form Creates the SAML authentication request which is sent to the external Identity Provider and sets the Authentication.SAML.IDPSSOEndpoint property to the URL of the external Identity Provider.
Note: This property is not SaaS-compatible.

Authentication.SAML.Error String Describes the error that occurred when the authentication server failed to validate the SAML response.
Note: Error messages are provided by the OpenSAML library.

Authentication.SAML.IDPSSOEndpoint String Specifies the SSO URL of the external Identity Provider. If an error occurs, the user is redirected to this URL.
Note: This property is not SaaS-compatible.

Authentication.SAML.ParseAuthnResponse String Parses the SAML authentication response that is received from the external Identity Provider. If the response is valid, this property returns a list of attribute name-value pairs in the Authentication.SAML.Attributes property. If the response is invalid, this property returns an error in the property Authentication.SAML.Error.
Note: This property is not SaaS-compatible.

Authentication.SAML.RelayState String Stores the value of the ACS URL at the time that the authentication server creates the SAML authentication request. The authentication server sends the RelayState parameter to the external Identity Provider in the authentication request. The Identity Provider returns the parameter unchanged in the authentication response. The proxy can use the value stored in the RelayState to construct the ACS URL when the external Identity Provider does not support dynamic URLs.
Note: This property is not SaaS-compatible.

Authentication.SOCKSKerberosProtectionLevel Number Number representing the protection level that is used when the SOCKS Kerberos authentication method is configured

Authentication.Token String Stores the SAML assertion returned by the external Identity Provider.

Authentication.UserGroups List of String List of user groups that the authentication process is applied to

Authentication.UserName String Name of a user that the authentication process is applied to

Properties - B
The following table describes the properties that have names beginning with B.

Properties – B

Name Type Description Parameters

Block.ID Number ID of an action that blocked a request

Block.Reason String Name of the reason for an action that blocked a request

BlockingSession.IsBlocked Boolean If true, a blocking session has been activated for a user.
Note: This property is not SaaS-compatible.

BlockingSession.RemainingSession Number Remaining time of a blocking session (in minutes)
Note: This property is not SaaS-compatible.

BlockingSession.SessionLength Number Time length of a blocking session (in minutes)
Note: This property is not SaaS-compatible.

Body.ChangeHeaderMime Boolean If true, the header sent in MIME format with the body of a web object has been changed.

Body.ClassID String ID for a class of web objects

Body.Equals Boolean If true, the body of a web object matches the pattern specified by the property parameters.
Parameters:
1. Number: Position of byte where pattern begins
2. String: Pattern
a. String embedded in double quotes (“ ...”, can also contain hex values preceded by \)
or:
b. Sequence of hex values

Body.FileName String Name of a file that is embedded in the body of a web object, for example, an archived file

Body.FullFileName String Name of a file that is embedded in the body of a web object, including also the names of the embedding entities, such as documents or archives
Name parts are separated by the | (pipe) symbol, for example, test.zip|test.doc.

Body.HasMimeHeader Boolean If true, the body of an extracted multi-part object sent in MIME format has a specified header.
Parameters: String: Header name

Body.HasMimeHeaderParameter Boolean If true, the body of an extracted multi-part object sent in MIME format has a specified header parameter.
Parameters:
1. String: Header name
2. String: Header parameter name

Body.Hash String Hash value of the type specified by the property parameter for the body of a web object
Hash types can be md5, sha1, sha256, sha512, and others.
Parameters: String: Hash type

Body.HashSHA1 String Hash value of the SHA1 type for the body of a web object

Body.IsAboveSizeLimit Boolean If true, the body of a web object is above a size limit.

Body.IsCompleteWithTimeout Boolean If true, the body of a web object has been completely sent to the appliance before the time (in milliseconds) specified by the property parameter has elapsed.
Parameters: Number: Time allowed to send object completely

Body.IsCorruptedObject Boolean If true, an archive contained in the body of a web object is corrupted.

Body.IsEncryptedObject Boolean If true, an archive contained in the body of a web object is encrypted.

Body.IsMultiPartObject Boolean If true, an archive contained in the body of a web object is complex, including multiple parts.

Body.IsSupportedByOpener Boolean If true, an opener device is available on the appliance for the body of a web object that is composite, for example, the body of an archive.

Body.MimeHeaderParameterlValue String Value of a header parameter in the body of a web object sent in MIME format
Parameters:
1. String: Header name
2. String: Header parameter value

Body.MimeHeaderValue String Value of a header in the body of a web object sent in MIME format
Parameters: String: Header value

Body.Modified Boolean If true, an appliance module has modified the body of a web object.

Body.NestedArchiveLevel Number Current level of an archive part in an archive

Body.NotEquals Boolean If false, the body of a web object matches the pattern specified by the property parameters.
Parameters:
1. Number: Position of byte where pattern begins
2. String: Pattern
a. String embedded in double quotes (“ ...”, can also contain hex values preceded by \)
or:
b. Sequence of hex values

Body.NumberOfChildren Number Number of objects embedded in the body of a web object

Body.PositionOfPattern Number Position of the byte where the search for a pattern in the body of a web object begins
Returns -1 if the pattern is not found.
Parameters:
1. String: Pattern to search for
a. String embedded in double quotes (“ ...”, can also contain hex values preceded by \)
or:
b. Sequence of hex values
2. Number: Position of byte where search for pattern begins
3. Number: Search length (in bytes, 0 means search from offset to end of object)

Body.Size Number Size of the body of a web object (in bytes)

Body.Text String Text in the body of a web object

Body.ToNumber Number Part of the body of a web object converted into a number (maximum 8 bytes beginning at a specified position)
The big-endian or little-endian format can be used for the conversion.
Parameters:
1. Number: Position of byte where converted part begins
2. Number: Length of converted part (in bytes, maximum 8)
0 for the first parameter and the respective value of the Body.Size property for the second means the whole body is converted.
3. Boolean: If true, little-endian format is used for conversion, otherwise big-endian

Body.ToString String Part of the body of a web object converted into a string
Parameters:
1. Number: Position of byte where converted part begins
2. Number: Length of converted part (in bytes)
0 for the first parameter and the respective value of the Body.Size property for the second means the whole body is converted.

Body.UncompressedSize Number Size of the body of an archived web object (in bytes) after having been extracted from the archive

BooleanToString String Boolean value converted into a string
Parameters: Boolean: Boolean value to convert

BytesFromClient Number Number of bytes received in a request from a client

BytesFromServer Number Number of bytes received in a response from a web server

BytesToClient Number Number of bytes in a web server response that is forwarded to a client

BytesToServer Number Number of bytes in a client request that is forwarded to a web server
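
The byte-level Body properties in the table above (Body.Equals, Body.NotEquals, Body.PositionOfPattern and Body.ToNumber) are easiest to understand when run over a concrete body. The following is an added example written for this guide, not McAfee code and not the engine's implementation: a Python model of the four properties, applied to a constructed buffer laid out like the first bytes of a Windows executable. The two pattern syntaxes follow the table; the exact escape form (a backslash followed by two hex digits), the optional spaces in a bare hex sequence, and the name looks_like_pe for the combined check are assumptions.

```python
r"""Byte-level body checks modelled on Body.Equals, Body.NotEquals,
Body.PositionOfPattern and Body.ToNumber (added example, not McAfee code).

Assumptions not stated on the page: a hex value inside a quoted pattern is a
backslash followed by two hex digits ("\4D\5A"), and a bare hex sequence may be
written with or without spaces (4D 5A or 4D5A). The sample body below is
constructed for the example."""
import re

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def parse_pattern(pattern: str) -> bytes:
    r"""Turn a pattern parameter into the bytes it denotes.

    Form (a): a double-quoted string, optionally containing \xx hex escapes.
    Form (b): a sequence of hex values, for example "4D 5A" or "4d5a".
    """
    text = pattern.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        inner, out, i = text[1:-1], bytearray(), 0
        while i < len(inner):
            if inner[i] == "\\" and _HEX2.fullmatch(inner[i + 1:i + 3]):
                out.append(int(inner[i + 1:i + 3], 16))
                i += 3
            else:
                out.extend(inner[i].encode("latin-1"))
                i += 1
        return bytes(out)
    digits = re.sub(r"\s+", "", text)
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError(f"not a valid pattern: {pattern!r}")
    return bytes.fromhex(digits)


def body_equals(body: bytes, position: int, pattern: str) -> bool:
    """Body.Equals: true if the pattern occurs exactly at byte offset `position`."""
    needle = parse_pattern(pattern)
    return body[position:position + len(needle)] == needle


def body_not_equals(body: bytes, position: int, pattern: str) -> bool:
    """Body.NotEquals: false when the pattern matches at `position`."""
    return not body_equals(body, position, pattern)


def position_of_pattern(body: bytes, pattern: str, offset: int = 0, length: int = 0) -> int:
    """Body.PositionOfPattern: offset of the first occurrence of the pattern within the
    `length` bytes starting at `offset` (0 = up to the end of the object), or -1."""
    needle = parse_pattern(pattern)
    end = len(body) if length == 0 else min(len(body), offset + length)
    return body.find(needle, offset, end)


def body_to_number(body: bytes, position: int, length: int, little_endian: bool = False) -> int:
    """Body.ToNumber: read at most 8 bytes at `position` as an unsigned integer,
    big-endian by default, little-endian when the third parameter is true."""
    if not 0 < length <= 8:
        raise ValueError("Body.ToNumber converts between 1 and 8 bytes")
    chunk = body[position:position + length]
    return int.from_bytes(chunk, "little" if little_endian else "big")


# Constructed sample: the start of a Windows executable, where e_lfanew (a little-endian
# DWORD at offset 0x3C) points to the "PE\0\0" signature at offset 0x80.
SAMPLE_BODY = (
    b"MZ\x90\x00"
    + b"\x00" * (0x3C - 4)
    + (0x80).to_bytes(4, "little")
    + b"\x00" * (0x80 - 0x40)
    + b"PE\x00\x00"
)


def looks_like_pe(body: bytes) -> bool:
    """Combine the properties the way a rule would: check the DOS magic at offset 0,
    follow e_lfanew, and expect the PE signature there. Content-based checks like this
    catch executables that arrive with a misleading file name or MIME type."""
    if not body_equals(body, 0, '"MZ"'):
        return False
    pe_offset = body_to_number(body, 0x3C, 4, little_endian=True)
    return body_equals(body, pe_offset, "50 45 00 00")


if __name__ == "__main__":
    print("PE signature at", position_of_pattern(SAMPLE_BODY, "50 45 00 00"))
    print("looks like PE:", looks_like_pe(SAMPLE_BODY))
```

The search length in position_of_pattern is bounded the way the table describes it: with 0 the search runs to the end of the object, otherwise only the given number of bytes after the offset are examined, so a rule that restricts the search window to the first 64 bytes will not find a signature placed further in.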

Properties - C
The following table describes the properties that have names beginning with C.

Properties – C

Name Type Description Parameters

Cache.AdditionalKey String Key that can be used in addition to the default key for web caching

Cache.IsCacheable Boolean If true, an object sent in response from a web server can be stored in the web cache.

Cache.IsFresh Boolean If true, an object stored in the web cache has either been downloaded from the web or has been verified.

Cache.Status String Cache status for a web object
Values:
• TCP_HIT – A web object was requested by a user and found in the cache.
• TCP_MISS – A web object was requested by a user and not found in the cache.
• TCP_MISS_RELOAD – A web object was requested by a user, but was not taken from the cache because the user required it to be fetched directly from the web server in question by clicking the Refresh button. The object was then entered into the cache again.
• TCP_MISS_VERIFY – A web object was requested by a user and existed in the cache, but verification information from the web server in question showed it was outdated. An updated version of the object was received from the server and entered into the cache.

Category.ToShortString String URL category converted into a string that is the category abbreviation
Parameters: Category: Category to convert

Category.ToString String URL category converted into a string
Parameters: Category: Category to convert

Client.IM.Login String ID used by a client to log on to the appliance under an instant messaging protocol

Client.IM.ScreenName String Screen name of a client communicating with the appliance under an instant messaging protocol

Client.IP IP IP address of a client

Client.NumberOfConnections Number Number of connections from a client to the appliance that are open at the same time

CloudEncryption.IsEncryptionSupported Boolean If true, encryption can be performed for the data that is uploaded to a cloud storage service with the request that is currently processed.
The Cloud Storage Encryption module finds out whether this is true by evaluating service description files for cloud storage services and the settings that are configured on Web Gateway, for example, the Cloud Storage Encryption Support settings, which specify the supported cloud storage services.

CloudEncryption.IsDecryptionSupported Boolean If true, decryption can be performed for the data that is downloaded from a cloud storage service with the request that is currently processed.
For the method of finding out whether this is true, see the description of the CloudEncryption.IsEncryptionSupported property.

CloudEncryption.ServiceName String Name of the cloud storage service that data is uploaded to or downloaded from with the request that is currently processed.
The property is always filled with a value when requests are received on Web Gateway for uploading or downloading cloud storage data.
However, the property should not be used in rule criteria to trigger an encryption or decryption event upon a match of the criteria.
For this purpose, the CloudEncryption.IsEncryptionSupported and CloudEncryption.IsDecryptionSupported properties are provided.

CloudEncryption.CipherName String Name of the algorithm (cipher) used for encrypting or decrypting the cloud storage data that is uploaded or downloaded with the request that is currently processed.

Command.Categories List of String List of categories that a command belongs to, for example, to the FTP command category

Command.Name String Name of a command

Command.Parameter String Parameter of a command

Connection.Aborted Boolean If true, communication on a connection has finally failed and the connection is closed.

Connection.IP IP IP address used on a connection

Connection.IPSec Boolean If true, an IPsec VPN tunnel is enabled and configured between McAfee WGCS and an IPsec device on your network.
Note: You can use this property when writing policy rules for a hybrid deployment. For on-premise deployments, this property retains its default value of false.

Connection.IPSec.Device String Name that you assign to the location of the IPsec device on your network in the McAfee WGCS interface
Note: You can use this property when writing policy rules for a hybrid deployment. For on-premise deployments, this property retains its default value, an empty string.

Connection.OriginalDestinationIP IP IP address of the destination that a request was originally sent to over a given connection
The default value is 0.
Note: This property is not SaaS-compatible. A rule with this property can, however, be synchronized for use in the cloud, but only the default value is then retrieved for this property.

Connection.OriginalSourceIP IP IP address of the connection with your network having one of these values:
• IP address of a firewall or other device between your network and the cloud — The property has the same value as Connection.IP.
• IP address of the endpoint where the web request originated — The endpoint IP address is available when the deployment is hybrid and Client Proxy or IPsec site-to-site authentication is configured in McAfee WGCS.
Endpoint is the term used for the client or user computers in your organization that are managed with McAfee ePO or McAfee ePO Cloud.
Note: You can use this property to write policy rules that apply to particular endpoints in a hybrid deployment. For on-premise deployments, this property retains its default value.

Connection.Port Number Port number of the port that a request sent by a client over a given connection is received on

Connection.Protocol String Protocol used for communication on a connection, for example, HTTP

Connection.Protocol.IsIM Boolean If true, communication on a connection uses an instant messaging protocol.

Connection.Protocol.Parent String The embedding protocol for the protocols that are used in communication with the clients when Web Gateway runs as a proxy under the SOCKS protocol.
This protocol is the SOCKS protocol, while various protocols can be embedded, for example, HTTP or HTTPS.

Connection.RunTime Number Time (in seconds) that a connection has been running since it was opened until the current second

Connection.SSL.TransparentCNHandling Boolean If true, communication on a connection is SSL-secured and runs in transparent mode.

Connection.Socketmark Number Numerical value, which is the socket mark for the socket of a connected client

Connection.Variables.GetStringValue String Object in string format, which is stored on Web Gateway as long as a given connection to a client persists.
The stored string can, for example, be the value of another string-formatted property.
Parameters: String: Key to identify stored string

Connection.Variables.HasString Boolean If true, an object in string format is stored on Web Gateway as long as a given connection to a client persists.
The stored string can, for example, be the value of another string-formatted property.
Parameters: String: Key to identify stored string

Connection.VlanID Number VLAN ID of the network that a client uses to communicate with Web Gateway

Cycle.LastCall Boolean If true, processing of data is complete for a cycle.

Cycle.Name String Name of a processing cycle

Cycle.TopName String Name of a cycle (Requests or Responses) that is processed before a web object is processed in the Embedded Objects cycle

Properties - D
The following table describes the properties that have names beginning with D.

Properties – D

Name Type Description Parameters

DataTrickling.Enabled Boolean If true, data trickling is used for downloading web objects.

DateTime.Date.MonthDayNumber Number Number of day in month

DateTime.Date.MonthNumber Number Number of month

DateTime.Date.ToString String String representing current date (in the format specified by the property parameters)
Parameters: String including the following three parts:
1. %YYYY (for the year) or: %YY (last two digits) or: %Y (last two digits, but only one digit if the last two digits begin with 0, for example, 9 for 2009)
2. %MM (for the month number with 0 inserted before one-digit numbers) or: %M (0 is not inserted, for example, 3 for March and 12 for December)
3. %DD (for the day) or: %D
If no parameter is specified, the format is: %YYYY/%MM/%DD

DateTime.Date.WeekDayNumber Number Number of day in week (1 is Sunday)

DateTime.Date.Year Number Year (four digits)

DateTime.Date.YearTwoDigits Number Year (last two digits)

DateTime.GMTString.FromEpoch String String representing current time (in GMT format, converted from number of UNIX epoch seconds specified by the property parameter)
The property can be used with the DateTime.IsInRangeGMT property in a rule that checks whether a time range has expired, for example, the time range set for cookie expiration.
Parameters: Number: Current time in UNIX epoch seconds

DateTime.IsInRangeGMT Boolean If true, the current time is in the range specified by one string in GMT format for the beginning of the range and another for the end.
The strings can be provided using the DateTime.GMTString.FromEpoch property with different values.
When an irregular time value is specified in a parameter, it is corrected as follows.
An irregular value for a day, such as Feb 31, is corrected to the regular value that matches it.
For example:
Feb 31 00:00:00 GMT 2018
is corrected to:
Mar 3 00:00:00 GMT 2018
Irregular values for hours and minutes are rejected as invalid.
Irregular values for seconds are handled as follows.
• 61 is corrected to 1:01
• 62 to 69 are rejected as invalid.
• 70 and higher are corrected by deleting the last digit or digits, so that a regular value is created.
70 becomes 7 this way, 96 becomes 9, 100 becomes 10, and so on.
So, for example:
Jun 15 00:00:61 GMT 2018
is corrected to:
Jun 15 00:01:01 GMT 2018
And:
Jun 15 00:00:96 GMT 2018
is corrected to:
Jun 15 00:00:09 GMT 2018
Parameters:
1. String: Date and time in GMT format
2. String: Date and time in GMT format

DateTime.IsInRangeISO Boolean If true, the current time is in the range specified by one string in ISO format for the beginning of the range and another for the end.
The strings can be provided using the DateTime.ISOString.FromEpoch property with different values.
When an irregular time value is specified in a parameter, it is corrected as follows.
An irregular value for a day, such as Feb 31, is corrected to the regular value that matches it.
For example:
2018-02-31 00:00:00
is corrected to:
2018-03-03 00:00:00
Irregular values for hours and minutes are rejected as invalid.
Irregular values for seconds are handled as follows.
• 61 is corrected to 1:01
• 62 to 69 are rejected as invalid.
• 70 and higher are corrected by deleting the last digit or digits, so that regular values are created.
70 becomes 7 this way, 96 becomes 9, 100 becomes 10, and so on.
So, for example:
2018-06-15 00:00:61
is corrected to:
2018-06-15 00:01:01
And:
2018-06-15 00:00:96
is corrected to:
2018-06-15 00:00:09
Parameters:
1. String: Date and time in ISO format
2. String: Date and time in ISO format

DateTime.ISOString.FromEpoch String String representing current time (in ISO format, converted from number of UNIX epoch seconds specified by the property parameter)
The property can be used with the DateTime.IsInRangeISO property in a rule that checks whether a time range has expired, for example, the time range set for cookie expiration.
Parameters: Number: Current time in UNIX epoch seconds
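
The correction rules that DateTime.IsInRangeGMT and DateTime.IsInRangeISO apply to irregular values, and the range check they perform, are shown below as an added example written for this guide. It is not McAfee code and not the engine's implementation: a Python model that accepts the two string formats shown in the table ("Feb 31 00:00:00 GMT 2018" and "2018-02-31 00:00:00"), corrects day and second overflows as described, rejects irregular hours and minutes, and then evaluates whether a time lies within the range. The treatment of a seconds value of exactly 60 (rolled over like 61) and the function names are assumptions.

```python
r"""Irregular date-time handling modelled on DateTime.IsInRangeGMT and
DateTime.IsInRangeISO as the table above describes it, plus the range check
itself (added example, not McAfee code). Both string formats shown on the page
are accepted: "Feb 31 00:00:00 GMT 2018" and "2018-02-31 00:00:00".

Assumption not stated on the page: a seconds value of 60 is treated like 61,
i.e. it rolls over into the next minute."""
import re
from datetime import datetime, timedelta
from typing import Optional, Tuple

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

GMT_RE = re.compile(r"^([A-Za-z]{3}) (\d{1,2}) (\d{1,2}):(\d{1,2}):(\d+) GMT (\d{4})$")
ISO_RE = re.compile(r"^(\d{4})-(\d{1,2})-(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d+)$")


def _fields(value: str) -> Optional[Tuple[int, int, int, int, int, str, str]]:
    """Split either format into (year, month, day, hour, minute, seconds_text, format)."""
    m = GMT_RE.match(value.strip())
    if m:
        mon, day, hh, mm, ss, year = m.groups()
        if mon.capitalize() not in MONTHS:
            return None
        return int(year), MONTHS[mon.capitalize()], int(day), int(hh), int(mm), ss, "gmt"
    m = ISO_RE.match(value.strip())
    if m:
        year, mon, day, hh, mm, ss = m.groups()
        return int(year), int(mon), int(day), int(hh), int(mm), ss, "iso"
    return None


def _regular_seconds(ss: str) -> Optional[int]:
    """Apply the seconds rules from the page: 70 and above lose trailing digits
    (70 -> 7, 96 -> 9, 100 -> 10), 62..69 are rejected, 0..59 are regular, and
    60/61 are returned unchanged so the caller rolls them into the next minute."""
    sec = int(ss)
    while sec >= 70:
        sec //= 10
    if 62 <= sec <= 69:
        return None
    return sec


def normalize(value: str) -> Optional[str]:
    """Return the corrected date-time string in its own format, or None if rejected."""
    parsed = _fields(value)
    if parsed is None:
        return None
    year, month, day, hour, minute, ss, fmt = parsed
    if not 1 <= month <= 12 or day < 1 or hour > 23 or minute > 59:
        return None  # irregular hours and minutes are rejected, not corrected
    sec = _regular_seconds(ss)
    if sec is None:
        return None
    # Start at the first of the month and add the overflow, so Feb 31 becomes Mar 3
    # and 00:00:61 becomes 00:01:01.
    dt = datetime(year, month, 1) + timedelta(days=day - 1, hours=hour, minutes=minute, seconds=sec)
    if fmt == "gmt":
        return f"{dt:%b} {dt.day} {dt:%H:%M:%S} GMT {dt.year}"
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def _to_datetime(normalized: str) -> datetime:
    year, month, day, hour, minute, ss, _ = _fields(normalized)
    return datetime(year, month, day, hour, minute, int(ss))


def is_in_range(now: str, start: str, end: str) -> bool:
    """DateTime.IsInRangeGMT / DateTime.IsInRangeISO: true if `now` lies within
    [start, end] after correction. A rejected value makes the criterion false, which
    is the safe outcome for an expiry check (an unparseable expiry never extends access)."""
    corrected = [normalize(v) for v in (now, start, end)]
    if any(v is None for v in corrected):
        return False
    now_dt, start_dt, end_dt = (_to_datetime(v) for v in corrected)
    return start_dt <= now_dt <= end_dt


if __name__ == "__main__":
    for sample in ("Feb 31 00:00:00 GMT 2018", "2018-06-15 00:00:61", "2018-06-15 00:00:96"):
        print(sample, "->", normalize(sample))
```

When such a check guards something like cookie expiration, the point to keep in mind is that an overflowed day or second value does not make the bound invalid; it silently moves it later (Feb 31 becomes Mar 3), so range bounds written by hand should be regular values.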

DateTime.Time.Hour Number Hour (in 24-hours format, for example, 1 p. m. is 13)

DateTime.Time.Minute Number Minute in hour

DateTime.Time.Second Number Second in minute

DateTime.Time.ToString String String representing current time (in the format specified by the property parameters)
Parameters: String including the following three parts:
1. %h (for the hour) or: %hh (with 0 inserted before a one-digit hour)
2. %m (for the minute) or: %mm
3. %s (for the second) or: %ss
If no parameter is specified, the format is: %hh:%mm:%ss

DateTime.ToGMTString String String representing current date and time in Greenwich Mean Time format
For example, “Mon, 22 March 2012 11:45:36 GMT”

DateTime.ToISOString String String representing current date and time in ISO format
For example, "2012-03-22 11:45:12"

DateTime.ToNumber Number Current time in number of seconds since beginning of 1/1/1970 (UNIX epoch time)

DateTime.ToString String String representing current date and time (in the format specified by the property parameters)
Parameters: String including the parts of the DateTime.Date.ToString and DateTime.Time.ToString properties
If no parameter is specified, the format is: %YYYY/%MM/%DD %hh:%mm:%ss
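
The placeholder set that DateTime.Date.ToString, DateTime.Time.ToString and DateTime.ToString accept is small, but two details matter when writing a format parameter: %YYYY, %YY and %Y share a prefix and must be matched longest first, and %M (month) and %m (minute) differ only in case. The following is an added example written for this guide, not McAfee code and not the engine's implementation: a Python formatter for exactly the placeholders listed in the table, with the defaults from the table. That literal text between placeholders is copied through unchanged is an assumption, as are the function names.

```python
"""Formatter for the placeholder set that the table above lists for
DateTime.Date.ToString, DateTime.Time.ToString and DateTime.ToString
(added example, not McAfee code). Assumption not stated on the page: text
between placeholders is copied through unchanged."""
import re
from datetime import datetime

# Longest alternatives first, so %YYYY is not read as %YY followed by "YY";
# %M (month) and %m (minute) differ only in case, exactly as on the page.
_TOKEN_RE = re.compile(r"%(YYYY|YY|Y|MM|M|DD|D|hh|h|mm|m|ss|s)")

DEFAULT_DATE_FORMAT = "%YYYY/%MM/%DD"
DEFAULT_TIME_FORMAT = "%hh:%mm:%ss"
DEFAULT_DATETIME_FORMAT = DEFAULT_DATE_FORMAT + " " + DEFAULT_TIME_FORMAT


def _expand(token: str, t: datetime) -> str:
    """Value of one placeholder for time t."""
    two_digit_year = t.year % 100
    values = {
        "YYYY": f"{t.year:04d}",
        "YY": f"{two_digit_year:02d}",
        "Y": str(two_digit_year),   # 2009 -> "9": no zero inserted
        "MM": f"{t.month:02d}",
        "M": str(t.month),
        "DD": f"{t.day:02d}",
        "D": str(t.day),
        "hh": f"{t.hour:02d}",
        "h": str(t.hour),
        "mm": f"{t.minute:02d}",
        "m": str(t.minute),
        "ss": f"{t.second:02d}",
        "s": str(t.second),
    }
    return values[token]


def datetime_to_string(t: datetime, fmt: str = DEFAULT_DATETIME_FORMAT) -> str:
    """DateTime.ToString: expand every placeholder in fmt for time t."""
    return _TOKEN_RE.sub(lambda m: _expand(m.group(1), t), fmt)


def date_to_string(t: datetime, fmt: str = DEFAULT_DATE_FORMAT) -> str:
    """DateTime.Date.ToString: the same expansion with the date default."""
    return datetime_to_string(t, fmt)


def time_to_string(t: datetime, fmt: str = DEFAULT_TIME_FORMAT) -> str:
    """DateTime.Time.ToString: the same expansion with the time default."""
    return datetime_to_string(t, fmt)


if __name__ == "__main__":
    now = datetime(2009, 3, 5, 13, 7, 9)
    print(datetime_to_string(now), date_to_string(now, "%Y-%M-%D"), time_to_string(now, "%h:%m:%s"))
```

For log or report fields that are parsed later, the zero-padded forms (%YYYY, %MM, %DD, %hh, %mm, %ss) give fixed-width values; the unpadded forms produce strings of varying length, as the %Y example (9 for 2009) in the table shows.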

DateTime.ToWebReporterString String String representing current date and time in Web Reporter format
For example, “29/Oct/2012:14:28:15 +0000”

DecimalNumber.ToString String Decimal number converted to a string
The string is truncated according to a parameter. For example, 10.12345 is truncated to 10.12 if this parameter is 2.
Parameters:
1. Number: Decimal number to convert
2. Number: Number of places after the decimal point

Dimension.ToString String Dimension converted into a string
Parameters: Dimension: Dimension to convert

DLP.Classification.AnyText.Matched Boolean If true, a given text string is specified as sensitive or inappropriate content by one or more entries in classification lists.
Parameters: String: Text checked for being sensitive or inappropriate

DLP.Classification.AnyText.MatchedClassifications List of String List of entries in classification lists that specify a given text string as sensitive or inappropriate
The list is filled when DLP.Classification.AnyText.Matched has been set to true.
Parameters: String: Text checked for being sensitive or inappropriate

DLP.Classification.AnyText.MatchedTerms List of String List of terms including a given text string that is specified as sensitive or inappropriate by one or more entries in classification lists
The list is filled when DLP.Classification.AnyText.Matched has been set to true.
Parameters: String: Text checked for being sensitive or inappropriate

DLP.Classification.BodyText.Matched Boolean If true, the text of a request or response body includes content that is specified as sensitive or inappropriate by one or more entries in classification lists.

DLP.Classification.BodyText.MatchedClassifications List of String List of entries in classification lists that specify the sensitive or inappropriate content found in the body text of requests or responses
The list is filled when DLP.Classification.BodyText.Matched has been set to true.

DLP.Classification.BodyText.MatchedTerms List of String List of terms in request or response body text that are sensitive or inappropriate content according to one or more entries in classification lists.
The list is filled when DLP.Classification.BodyText.Matched has been set to true.

DLP.Dictionary.AnyText.Matched Boolean If true, a given text string is specified as sensitive or inappropriate content on a dictionary list.
Parameters: String: Text checked for being sensitive or inappropriate

DLP.Dictionary.AnyText.MatchedTerms List of String List of terms including a given text string that is specified as sensitive or inappropriate on a dictionary list
The list is filled when DLP.Dictionary.AnyText.Matched has been set to true.
Parameters: String: Text checked for being sensitive or inappropriate

DLP.Dictionary.BodyText.Matched Boolean If true, the text of a request or response body includes content that is specified as sensitive or inappropriate by an entry you made in a dictionary list.

DLP.Dictionary.BodyText.MatchedTerms List of String List of the terms in request or response body text
that are sensitive or inappropriate content according
to the entries you made in a dictionary list
The list is filled when DLP.Dictionary.BodyText.Matched
has been set to true.

DNS.Lookup List of IP List of IP addresses found in a DNS lookup for a host String: Host
name name

DNS.Lookup.Reverse List of String List of host names found in a reverse DNS lookup for IP: IP address
an IP address

DXL.Query String Information retrieved about a topic by sending a DXL


query to a service 1. String: Topic
that the

252 McAfee Web Gateway 8.0.x Interface Reference Guide


Name Type Description Parameters
query is
about
2. String:
Information
about the
topic that
the query
retrieves as
response
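The DLP.Classification.* and DLP.Dictionary.* rows above describe three related results: a Boolean Matched flag, and two lists (MatchedClassifications, MatchedTerms) that are only populated once Matched has become true. The following Python model, added here as an example and not taken from the appliance or its documentation, reproduces that contract on a constructed request body. The classification entries, the Luhn validator attached to the card-number entry (so that random 16-digit strings do not trigger a match) and the sample text are all assumptions made for the illustration; a classification list on the appliance is not necessarily a regular expression.

```python
"""Model of the DLP.Classification.* and DLP.Dictionary.* property semantics.
Added example: data structures, validator and sample text are constructed
for illustration and are not the appliance's own matching engine."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumed validator) applied to candidate card numbers so
    that arbitrary 16-digit strings do not raise a classification match."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ClassificationEntry:
    """One entry in a classification list: a name, a pattern and an optional
    validator applied to each candidate term."""
    name: str
    pattern: str
    validate: Optional[Callable[[str], bool]] = None


@dataclass
class DlpResult:
    """Mirrors the three properties: Matched, MatchedClassifications, MatchedTerms."""
    matched: bool = False
    matched_classifications: List[str] = field(default_factory=list)
    matched_terms: List[str] = field(default_factory=list)


def classify(text: str, entries: List[ClassificationEntry]) -> DlpResult:
    """Model of DLP.Classification.AnyText.* (or BodyText.*): the two lists are
    only filled once Matched has been set to true."""
    result = DlpResult()
    for entry in entries:
        for m in re.finditer(entry.pattern, text):
            term = m.group(0)
            if entry.validate and not entry.validate(re.sub(r"\D", "", term)):
                continue  # pattern hit, but validator rejected it: no match
            result.matched = True
            if entry.name not in result.matched_classifications:
                result.matched_classifications.append(entry.name)
            if term not in result.matched_terms:
                result.matched_terms.append(term)
    return result


def dictionary_match(text: str, dictionary: List[str]) -> DlpResult:
    """Model of DLP.Dictionary.AnyText.*: case-insensitive whole-word matches
    against the terms you entered in a dictionary list."""
    result = DlpResult()
    for word in dictionary:
        if re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE):
            result.matched = True
            result.matched_terms.append(word)
    return result


# Constructed sample request body and lists (not real data)
SAMPLE_BODY = (
    "Quarterly report (CONFIDENTIAL) attached. "
    "Corporate card 4111 1111 1111 1111 was used; "
    "order ref 1234 5678 9012 3456 is not a card."
)
CLASSIFICATIONS = [
    ClassificationEntry("PCI: payment card number",
                        r"\b(?:\d{4}[ -]?){3}\d{4}\b", luhn_ok),
    ClassificationEntry("Internal: document marking",
                        r"\b(?:CONFIDENTIAL|RESTRICTED)\b"),
]
DICTIONARY = ["confidential", "merger", "payroll"]

if __name__ == "__main__":
    r = classify(SAMPLE_BODY, CLASSIFICATIONS)
    print(r.matched, r.matched_classifications, r.matched_terms)
    print(dictionary_match(SAMPLE_BODY, DICTIONARY))
```

The second 16-digit group in the sample body is rejected by the validator and therefore appears in neither list, which is the behaviour a rule author relies on when deciding to block on DLP.Classification.BodyText.Matched rather than on a bare pattern hit.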

Properties - E
The following table describes the properties that have names beginning with E.

Properties – E

Name | Type | Description | Parameters
Error.ID | Number | ID of an error | (none)
Error.Message | String | Message text describing an error | (none)
ExtLists.Boolean | Boolean | Boolean value. Note: This property is not SaaS-compatible. | 1. String: Value holding the place of a term that identifies an external list source, for example, in a URL; 2. String: as above; 3. String: as above
ExtLists.Category | Category | URL category. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.CategoryList | List of Category | List of URL categories. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.Double | Double | Double value. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.DoubleList | List of Double | List of Double values. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.Integer | Integer | Integer. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.IntegerList | List of Integer | List of integers. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.IP | IP | IP address. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.IPList | List of IP | List of IP addresses. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.IPRange | IPRange | IP address range. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.IPRangeList | List of IPRange | List of IP address ranges. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.JSON | JSON | List of JSON elements. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.LastUsedListName | String | String representing the name of the settings for the External Lists module that were used last | (none)
ExtLists.MediaType | MediaType | Media type. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.MediaTypeList | List of MediaType | List of media types. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.String | String | String. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.StringList | List of String | List of strings. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.StringMap | List of String | List of strings representing map-type pairs of keys and values. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.Wildcard | Wildcard Expression | Wildcard (regular) expression. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean
ExtLists.WildcardList | List of Wildcard Expression | List of wildcard (regular) expressions. Note: This property is not SaaS-compatible. | as for ExtLists.Boolean

Properties - F
The following table describes the properties that have names beginning with F.

Properties – F

Name | Type | Description | Parameters
FileSystemLogging.MakeAnonymous | String | String made anonymous by encryption. The default value is an empty string. Note: This property is not SaaS-compatible. A rule with this property can, however, be synchronized for use in the cloud, but only the default value is then retrieved for this property. | String: String to encrypt

Properties - G
The following table describes the properties that have names beginning with G.

Properties – G

Name | Type | Description | Parameters
GTI.RequestSentToCloud | Boolean | If true, a lookup request for URL category information was sent to the Global Threat Intelligence server. | (none)

Properties - H
The following table describes the properties that have names beginning with H.

Properties – H

Name | Type | Description | Parameters
Header.Block.Exists | Boolean | If true, a specified block header exists. | String: Header name
Header.Block.Get | String | First value found for a specified block header | String: Header name
Header.Block.GetMultiple | List of String | List of values found for a specified block header | String: Header name
Header.Exists | Boolean | If true, a specified header is contained in the request or response that is processed on the appliance. Whether it is a request or a response that contains the header depends on the current processing cycle. | String: Header name
Header.Get | String | First value found for a specified header in the request or response that is processed on the appliance. Whether it is a request or a response that contains the header depends on the current processing cycle. | String: Header name
Header.GetMultiple | List of String | List of values found for a specified header in the request or response that is processed on the appliance. Whether it is a request or a response that contains the header depends on the current processing cycle. | String: Header name
Header.ICAP.Request.Exists | Boolean | If true, a specified header is contained in a request sent in ICAP communication. Note: This property is not SaaS-compatible. | String: Header name
Header.ICAP.Request.ExistsMatching | Boolean | If true, a specified header is contained in a request sent in ICAP communication and matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
Header.ICAP.Request.Get | String | First value found for a specified header in a request sent in ICAP communication. Note: This property is not SaaS-compatible. | String: Header name
Header.ICAP.Request.GetMatching | String | First value found for a specified header in a request sent in ICAP communication that also matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
Header.ICAP.Response.Exists | Boolean | If true, a specified header is contained in a response received in ICAP communication. Note: This property is not SaaS-compatible. | String: Header name
Header.ICAP.Response.ExistsMatching | Boolean | If true, a specified header is contained in a response received in ICAP communication and matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
Header.ICAP.Response.Get | String | First value found for a specified header in a response received in ICAP communication. Note: This property is not SaaS-compatible. | String: Header name
Header.ICAP.Response.GetMatching | String | First value found for a specified header in a response received in ICAP communication that also matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
Header.Request.Exists | Boolean | If true, a specified header is contained in a request. | String: Header name
Header.Request.Get | String | First value found for a specified header in a request | String: Header name
Header.Request.GetMultiple | List of String | List of values found for a specified header in a request | String: Header name
Header.Response.Exists | Boolean | If true, a specified header is contained in a response. | String: Header name
Header.Response.Get | String | First value found for a specified header in a response | String: Header name
Header.Response.GetMultiple | List of String | List of values found for a specified header in a response | String: Header name
Hex.ToString | String | Hex value converted into a string | Hex: Hex value to convert
HTML.Element.Attribute | String | String representing an attribute of an HTML element | (none)
HTML.Element.Dimension | Dimension | Dimension of an HTML element (width and height) | (none)
HTML.Element.HasAttribute | Boolean | If true, an HTML element has a specified attribute. | String: Attribute name
HTML.Element.Name | String | Name of an HTML element | (none)
HTML.Element.ScriptType | String | Script type of an HTML element, for example, JavaScript or Visual Basic Script | (none)
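The Header.* rows above draw a distinction that matters when writing rules: the Get variants return only the first value of a header, GetMultiple returns every value, and the ExistsMatching/GetMatching variants additionally filter on a wildcard expression. The Python model below, added here as an example that is not the appliance's own code, makes the difference visible on a constructed request that repeats a header. The minimal header parser and the use of shell-style globbing to stand in for the appliance's wildcard expression syntax are assumptions made for this illustration.

```python
"""Model of Header.Exists / Header.Get / Header.GetMultiple and the
*.ExistsMatching / *.GetMatching variants. Added example: the parser, the
glob-style wildcard and the sample request are assumptions, not the
appliance's implementation."""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]   # ordered (name, value) pairs; names may repeat


def parse_headers(raw: str) -> Headers:
    """Split a raw HTTP message head into (name, value) pairs, keeping order
    and duplicates, which is exactly what Get versus GetMultiple is about."""
    lines = raw.split("\r\n")
    headers: Headers = []
    for line in lines[1:]:            # lines[0] is the request line
        if not line:
            break                     # empty line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def header_exists(h: Headers, name: str) -> bool:
    """Header.Exists: header names are compared case-insensitively."""
    return any(n.lower() == name.lower() for n, _ in h)


def header_get(h: Headers, name: str) -> Optional[str]:
    """Header.Get: only the FIRST value of a repeated header."""
    for n, v in h:
        if n.lower() == name.lower():
            return v
    return None


def header_get_multiple(h: Headers, name: str) -> List[str]:
    """Header.GetMultiple: every value, in message order."""
    return [v for n, v in h if n.lower() == name.lower()]


def header_exists_matching(h: Headers, name: str, wildcard: str) -> bool:
    """*.ExistsMatching: header present and at least one value matches."""
    return any(fnmatchcase(v, wildcard) for v in header_get_multiple(h, name))


def header_get_matching(h: Headers, name: str, wildcard: str) -> Optional[str]:
    """*.GetMatching: first value that matches the expression, else None."""
    for v in header_get_multiple(h, name):
        if fnmatchcase(v, wildcard):
            return v
    return None


# Constructed sample: a request carrying a repeated header. A rule that only
# calls Header.Get sees a different value than one that inspects all values.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Forwarded-For: 10.0.0.5\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ignored": "body"}'
)

if __name__ == "__main__":
    h = parse_headers(SAMPLE_REQUEST)
    print(header_get(h, "X-Forwarded-For"))             # first value only
    print(header_get_multiple(h, "X-Forwarded-For"))    # both values
    print(header_exists_matching(h, "X-Forwarded-For", "10.*"))
```

A rule that allows a request because Header.Get("X-Forwarded-For") is an external address would pass this sample even though a second, internal value is present; a check over Header.GetMultiple or an ExistsMatching test against the internal range catches it.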

Properties - I
The following table describes the properties that have names beginning with I.

Properties – I

Name | Type | Description | Parameters
ICAP.Policy | String | Name of a policy included in an ICAP request for a URL | (none)
ICAP.ReqMod.ResponseHeader.Exists | Boolean | If true, a response sent from an ICAP server in REQMOD mode contains a specified header. Note: This property is not SaaS-compatible. | String: Header name
ICAP.ReqMod.ResponseHeader.ExistsMatching | Boolean | If true, a response sent from an ICAP server in REQMOD mode contains a specified header that matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
ICAP.ReqMod.ResponseHeader.Get | String | First value found for a specified header in a REQMOD response. Note: This property is not SaaS-compatible. | String: Header name
ICAP.ReqMod.ResponseHeader.GetMatching | String | First value found for a specified header in a REQMOD response that also matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
ICAP.ReqMod.ResponseHeader.GetMultiple | List of String | List of values found for a specified header in a REQMOD response. Note: This property is not SaaS-compatible. | String: Header name
ICAP.ReqMod.ResponseHeader.GetMultipleMatching | List of String | List of values found for a specified header in a REQMOD response that also match a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
ICAP.ReqMod.Satisfaction | Boolean | If true, an ICAP server has replaced a request with a response. The ICAP server does this after sending a message that a particular request is blocked. Note: This property is not SaaS-compatible. | (none)
ICAP.RespMod.EncapsulatedHTTPChanged | Boolean | If true, an ICAP server has changed the HTTP state for a response sent in RESPMOD mode. Note: This property is not SaaS-compatible. | (none)
ICAP.RespMod.ResponseHeader.Exists | Boolean | If true, a response sent from an ICAP server in RESPMOD mode contains a specified header. Note: This property is not SaaS-compatible. | String: Header name
ICAP.RespMod.ResponseHeader.ExistsMatching | Boolean | If true, a response sent from an ICAP server in RESPMOD mode contains a specified header that also matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
ICAP.RespMod.ResponseHeader.Get | String | First value found for a specified header in a RESPMOD response. Note: This property is not SaaS-compatible. | String: Header name
ICAP.RespMod.ResponseHeader.GetMatching | String | First value found in a RESPMOD response for a specified header that also matches a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
ICAP.RespMod.ResponseHeader.GetMultiple | List of String | List of values found for a specified header in a RESPMOD response. Note: This property is not SaaS-compatible. | String: Header name
ICAP.RespMod.ResponseHeader.GetMultipleMatching | List of String | List of values found in a RESPMOD response for a specified header that also match a given wildcard expression. Note: This property is not SaaS-compatible. | 1. String: Header name; 2. Wildcard expression
IM.Direction | String | Direction of a chat message sent or a file transferred under an instant messaging protocol and processed on the appliance. For a chat message sent from a client to the appliance, the direction could, for example, be specified as out; for a message sent from a server to the appliance, it could be specified as in. Note: This property is not SaaS-compatible. | (none)
IM.FileName | String | Name of a file transferred under an instant messaging protocol. Note: This property is not SaaS-compatible. | (none)
IM.FileSize | Number | Size of a file transferred under an instant messaging protocol (in bytes). Note: This property is not SaaS-compatible. | (none)
IM.MessageCanSendBack | Boolean | If true, a block message or other message can be sent from the appliance to a user of an instant messaging service. A block message is, for example, sent back to a user who submitted a chat message during a time interval that is not allowed for chatting. A message typically cannot be sent before the user has completed the procedure for logging on to the instant messaging service. Note: This property is not SaaS-compatible. | (none)
IM.Notification | String | Name of a template used for sending a notification from the appliance to a user of an instant messaging service, for example, a block message. Note: This property is not SaaS-compatible. | (none)
IM.Recipient | String | Name of a client that receives a chat message or file under an instant messaging protocol. This name can also be a group name (group ID) when a chat message is sent to a group of recipients. Note: This property is not SaaS-compatible. | (none)
IM.Sender | String | Name of a client that sends a chat message or file under an instant messaging protocol. Note: This property is not SaaS-compatible. | (none)
Incident.AffectedHost | IP | IP address of a host that is involved in an incident, for example, a web server that the appliance cannot connect to. Note: This property is not SaaS-compatible. | (none)
Incident.Description | String | Plain-text description of an incident. Note: This property is not SaaS-compatible. | (none)
Incident.ID | Number | ID of an incident. For a list of these IDs, refer to the List of incident IDs. Note: This property is not SaaS-compatible. | (none)
Incident.Origin | Number | Number specifying the appliance component that is the origin of an incident: 1 – Appliance system; 2 – Core subsystem; 3 – Coordinator subsystem; 4 – Anti-Malware process; 5 – Log File Manager; 6 – sysconf daemon; 7 – User interface; 8 – SaaS connector; 9 – Unidentified origin. The origin of an incident is further specified by the Incident.OriginName property. For the origin of an incident with a particular ID, refer to the List of incident IDs. Note: This property is not SaaS-compatible. | (none)
Incident.OriginName | String | Name of the appliance component that is the origin of an incident, for example, Core or Log File Manager. The name can be that of one of the main components listed under Incident.Origin, or the name of a subcomponent, which appears together with the Incident.Origin number for the related main component; for example, the value of Incident.OriginName could be 2 Proxy. For the origin name of an incident with a particular ID, refer to the List of incident IDs. Note: This property is not SaaS-compatible. | (none)
Incident.Severity | Number | Severity of an incident. Severity levels: 0 – Emergency; 1 – Alert; 2 – Critical; 3 – Error; 4 – Warning; 5 – Notice; 6 – Informational; 7 – Debug. These levels are the same as those used in syslog entries. For the severity level of an incident with a particular ID, refer to the List of incident IDs. Note: This property is not SaaS-compatible. | (none)
InTheCloud | Boolean | If true, the rule that is currently processed is executed in the cloud. | (none)
IP.ToString | String | IP address converted into a string | IP: IP address to convert
IPRange.ToString | String | Range of IP addresses converted into a string | IPRange: Range of IP addresses to convert

Properties - J
The following table describes the properties that have names beginning with J.

Properties – J

Name | Type | Description | Parameters
JSON.ArrayAppend | JSON | JSON array with the specified element appended | 1. JSON: Array; 2. JSON: Element to append
JSON.AsBool | Boolean | Value of the specified JSON element returned as a Boolean value. Note: The element value must be a Boolean value. | JSON: Element
JSON.AsNumber | Number | Value of the specified JSON element returned as a number. Note: The element value must be a number in Long, Double, or Hexadecimal format. | JSON: Element
JSON.AsString | String | Value of the specified JSON element returned as a string. Note: The element value must be a string. | JSON: Element
JSON.CreateArray | JSON | New empty JSON array | (none)
JSON.CreateObject | JSON | New empty JSON object | (none)
JSON.CreateNull | JSON | JSON element value null | (none)
JSON.FromBool | JSON | JSON element value created from a Boolean value | Boolean: Boolean value to create JSON element value from
JSON.FromNumber | JSON | JSON element value created from a number | Number: Number to create JSON element value from
JSON.FromNumberList | String | JSON element value created from a number list | List of Number: Number list to create JSON element value from
JSON.FromString | JSON | JSON element value created from a string | String: String to create JSON element value from
JSON.FromStringList | JSON | JSON element value created from a string list | List of String: String list to create JSON element value from
JSON.GetAt | JSON | JSON element value retrieved from the specified position in the specified array | 1. JSON: Array; 2. Number: Position of element
JSON.GetByName | JSON | JSON element identified by key retrieved from the specified object | 1. JSON: Object; 2. String: Element key
JSON.GetType | String | Type of the specified JSON element | JSON: Element
JSON.PutAt | JSON | JSON array with an element inserted at the specified position | 1. JSON: Array; 2. Number: Position of element; 3. JSON: Element
JSON.ReadFromString | JSON | JSON element created from the specified string | String: String to create element from
JSON.RemoveAt | JSON | JSON array with the element at the specified position removed | 1. JSON: Array; 2. Number: Position of element
JSON.RemoveByName | JSON | JSON object with the element identified by the specified key removed | 1. JSON: Object; 2. String: Element key
JSON.Size | Number | Number of elements in the specified JSON object or array | JSON: Object or array
JSON.StoreByName | JSON | JSON object with an element value stored under the specified key. If the object does not exist yet, it is created under the name that is specified for the object. | 1. JSON: Object; 2. String: Element key; 3. JSON: Element value
JSON.ToString | String | JSON element value converted into a string. Note: The element value can be a string or in any of the other data formats for element values. | JSON: Element value to convert

Properties - L
The following table describes the properties that have names beginning with L.

Properties – L

Name | Type | Description | Parameters
License.RemainingDays | Number | Remaining time until a license expires (in days) | (none)
List.LastMatches | String | String containing all elements that have been found to match when two lists are compared using an operator such as "at least one in list" or "all in list". Matches are only added as long as it has not yet been decided whether the relationship between the lists that the operator evaluates exists or not. For example, list A contains the elements 1, 2, 3, whereas list B contains 1, 2, 4, and both lists are compared using the "at least one in list" operator. To find out that list A actually contains at least one element of list B, the operator only needs to compare element 1 in both lists and detect that they match, so List.LastMatches then contains 1. Although 2 is also contained in both lists, it is not in List.LastMatches: the operator had already decided after evaluating 1 that at least one element of list A is also in list B, so 2 was never evaluated. If the property String.BelongsToDomains has true as its value, the string that is specified as its first parameter is set as the value of List.LastMatches, which then provides the string that matched in a list of domain names, being either the name of a domain or of a subdomain. The same applies to the property URL.Host.BelongsToDomains. | (none)
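The List.LastMatches row describes behaviour that is easy to misread: the property holds only the matches the operator had to evaluate before the outcome was decided, and for the BelongsToDomains checks it holds the tested string rather than the list entry. The Python model below, added here as an example rather than code from the appliance, reproduces both cases on the lists from the text. The evaluation order (walk the left list in order and stop as soon as the result is known) and the suffix rule used for domain membership are assumptions made to match the documented outcome.

```python
"""Model of how List.LastMatches is filled by the 'at least one in list' and
'all in list' operators and by String.BelongsToDomains. Added example: the
evaluation order and the domain-suffix rule are assumptions, not the
appliance's own implementation."""
from typing import List, Tuple


def at_least_one_in_list(a: List[str], b: List[str]) -> Tuple[bool, List[str]]:
    """Returns (result, LastMatches). Stops at the first common element, so a
    later common element is never recorded: for A = [1, 2, 3] and
    B = [1, 2, 4] LastMatches is [1], not [1, 2]."""
    last_matches: List[str] = []
    for element in a:
        if element in b:
            last_matches.append(element)
            return True, last_matches       # decided: no need to look further
    return False, last_matches


def all_in_list(a: List[str], b: List[str]) -> Tuple[bool, List[str]]:
    """Every element of A must be in B. Matches are recorded until the first
    miss decides the outcome as false."""
    last_matches: List[str] = []
    for element in a:
        if element not in b:
            return False, last_matches      # decided: stop here
        last_matches.append(element)
    return True, last_matches


def belongs_to_domains(host: str, domains: List[str]) -> Tuple[bool, List[str]]:
    """String.BelongsToDomains / URL.Host.BelongsToDomains: true when host is one
    of the listed domains or a subdomain of one. LastMatches is then set to the
    host string itself, not to the list entry that matched."""
    host = host.lower().rstrip(".")
    for domain in domains:
        d = domain.lower().rstrip(".")
        # Compare on a label boundary: a bare endswith(d) would let
        # "evilexample.com" pass for the entry "example.com".
        if host == d or host.endswith("." + d):
            return True, [host]
    return False, []


if __name__ == "__main__":
    print(at_least_one_in_list(["1", "2", "3"], ["1", "2", "4"]))
    print(all_in_list(["1", "3", "2"], ["1", "2", "4"]))
    print(belongs_to_domains("mail.example.com", ["example.com"]))
```

The label-boundary comparison in belongs_to_domains is the check a rule author should expect from a domain list: a subdomain of an allowed domain matches, a look-alike registered domain that merely ends in the same characters does not.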

List.OfCategory.Append | List of Category | List of URL categories that a category is appended to | 1. List of Category: List to append category to; 2. Category: Category to append
List.OfCategory.ByName | List of Category | List of URL categories specified by its name | String: List name
List.OfCategory.Erase | List of Category | List of URL categories with the specified category erased | 1. List of Category: List with category to erase; 2. Number: Position of category to erase
List.OfCategory.EraseElementRange | List of Category | List of URL categories with the specified range of categories erased | 1. List of Category: List with categories to erase; 2. Number: Position of first category to erase; 3. Number: Position of last category to erase
List.OfCategory.EraseList | List of Category | List of URL categories with the categories that are also on another list erased | 1. List of Category: List with categories to erase; 2. List of Category: List of categories to erase on first list
List.OfCategory.Find | Number | Position of a URL category on a list | 1. List of Category: List with category to find position for; 2. Category: Category to find position for
List.OfCategory.Get | Category | URL category specified by its position on a list | 1. List of Category: List containing category; 2. Number: Position of category on list
List.OfCategory.GetElementRange | List of Category | List of URL categories extracted from another list | 1. List of Category: List with categories to extract; 2. Number: Position of first category to extract; 3. Number: Position of last category to extract
List.OfCategory.Insert | List of Category | List of URL categories with the specified category inserted | 1. List of Category: List to insert category in; 2. Category: Category to insert
List.OfCategory.IsEmpty | Boolean | If true, the specified list is empty. | List of Category: List to check for being empty
List.OfCategory.Join | List of Category | List of URL categories created by joining two lists | 1. List of Category: First list to join; 2. List of Category: Second list to join
List.OfCategory.Reverse | List of Category | List of URL categories with its original order reversed | List of Category: List in original order
List.OfCategory.Size | Number | Number of URL categories on a list | List of Category: List to provide number of categories for
List.OfCategory.Sort | List of Category | List of URL categories sorted in alphabetical order | List of Category: List to sort
List.OfCategory.ToShortString | String | List of URL categories converted into a list of their abbreviated name forms | List of Category: List to convert
List.OfCategory.ToString | String | List of URL categories converted into a string | List of Category: List to convert
List.OfDimension.Append | List of Dimension | List of dimensions that a dimension is appended to | 1. List of Dimension: List to append dimension to; 2. Dimension: Dimension to append
List.OfDimension.ByName | List of Dimension | List of dimensions specified by its name | String: List name
List.OfDimension.Erase | List of Dimension | List of dimensions with the specified dimension erased | 1. List of Dimension: List with dimension to erase; 2. Number: Position of dimension to erase
List.OfDimension.EraseElementRange | List of Dimension | List of dimensions with the specified range of dimensions erased | 1. List of Dimension: List with dimension range to erase; 2. Number: Position of first dimension to erase; 3. Number: Position of last dimension to erase
List.OfDimension.EraseList | List of Dimension | List of dimensions with the dimensions that are also on another list erased | 1. List of Dimension: List with dimensions to erase; 2. List of Dimension: List of dimensions to erase on first list
List.OfDimension.Find | Number | Position of a dimension on a list | 1. List of Dimension: List with dimension to find position for; 2. Dimension: Dimension to find position for
List.OfDimension.Get | Dimension | Dimension specified by its position on a list | 1. List of Dimension: List containing dimension; 2. Number: Position of dimension on list
List.OfDimension.GetElementRange | List of Dimension | List of dimensions extracted from another list | 1. List of Dimension: List with dimensions to extract; 2. Number: Position of first dimension to extract; 3. Number: Position of last dimension to extract; 4. Dimension: Dimension to insert
List.OfDimension.Insert | List of Dimension | List of dimensions with the specified dimension inserted | 1. List of Dimension: List to insert dimension in; 2. Dimension: Dimension to insert
List.OfDimension.IsEmpty | Boolean | If true, the specified list is empty. | List of Dimension: List to check for being empty
List.OfDimension.Join | List of Dimension | List of dimensions created by joining two lists | 1. List of Dimension: First list to join; 2. List of Dimension: Second list to join
List.OfDimension.Reverse | List of Dimension | List of dimensions with its original order reversed | List of Dimension: List in original order
List.OfDimension.Size | Number | Number of dimensions on a list | List of Dimension: List to provide number of dimensions for
List.OfDimension.Sort | List of Dimension | List of dimensions sorted in alphabetical order | List of Dimension: List to sort
List.OfDimension.ToString | String | List of dimensions converted into a string | List of Dimension: List to convert
List.OfHex.Append | List of Hex | List of hex values that a hex value is appended to | 1. List of Hex: List to append hex value to; 2. Hex: Hex value to append
List.OfHex.ByName | List of Hex | List of hex values specified by its name | String: List name
List.OfHex.Erase | List of Hex | List of hex values with the specified value erased | 1. List of Hex: List with hex value to erase; 2. Number: Position of hex value to erase
List.OfHex.EraseElementRange | List of Hex | List of hex values with the specified range of values erased | 1. List of Hex: List with hex values to erase; 2. Number: Position of first hex value to erase; 3. Number: Position of last hex value to erase
List.OfHex.EraseList | List of Hex | List of hex values with the values that are also on another list erased | 1. List of Hex: List with hex values to erase; 2. List of Hex: List of hex values to erase on first list
List.OfHex.Find | Number | Position of a hex value on a list | 1. List of Hex: List with hex value to find position for; 2. Hex: Hex value to find position for
List.OfHex.Get | Hex | Hex value specified by its position on a list | 1. List of Hex: List containing hex value; 2. Number: Position of hex value on list
List.OfHex.GetElementRange | List of Hex | List of hex values extracted from another list | 1. List of Hex: List with hex values to extract; 2. Number: Position of first hex value to extract; 3. Number: Position of last hex value to extract
List.OfHex.Insert | List of Hex | List of hex values with the specified value inserted | 1. List of Hex: List to insert hex value in; 2. Hex: Hex value to insert
List.OfHex.IsEmpty | Boolean | If true, the specified list is empty. | List of Hex: List to check for being empty
List.OfHex.Join | List of Hex | List of hex values created by joining two lists | 1. List of Hex: First list to join; 2. List of Hex: Second list to join
List.OfHex.Reverse | List of Hex | List of hex values with its original order reversed | List of Hex: List in original order
List.OfHex.Size | Number | Number of hex values on a list | List of Hex: List to provide number of hex values for
List.OfHex.Sort | List of Hex | List of sorted hex values | List of Hex: List to sort
List.OfHex.ToString | String | List of hex values converted into a string | List of Hex: List to convert
List.OfIP.Append | List of IP | List of IP addresses that an IP address is appended to | 1. List of IP: List to append IP address to; 2. IP: IP address to append
List.OfIP.ByName | List of IP | List of IP addresses specified by its name | String: List name
List.OfIP.Erase | List of IP | List of IP addresses with the specified address erased | 1. List of IP: List with IP address to erase; 2. Number: Position of IP address to erase
List.OfIP.EraseElementRange | List of IP | List of IP addresses with the specified range of addresses erased | 1. List of IP: List with IP addresses to erase; 2. Number: Position of first IP address to erase; 3. Number: Position of last IP address to erase
List.OfIP.EraseList | List of IP | List of IP addresses with the addresses that are also on another list erased | 1. List of IP: List with IP addresses to erase; 2. List of IP: List of IP addresses to erase on first list
List.OfIP.Find | Number | Position of an IP address on a list | 1. List of IP: List with IP address to find position for; 2. IP: IP address to find position for
List.OfIP.Get | IP | IP address specified by its position on a list | 1. List of IP: List containing IP address; 2. Number: Position of IP address on list
List.OfIP.GetElementRange | List of IP | List of IP addresses extracted from another list | 1. List of IP: List with IP addresses to extract; 2. Number: Position of first IP address to extract; 3. Number: Position of last IP address to extract
List.OfIP.Insert | List of IP | List of IP addresses with the specified address inserted | 1. List of IP: List to insert IP address in; 2. IP: IP address to insert
List.OfIP.IsEmpty | Boolean | If true, the specified list is empty. | List of IP: List to check for being empty
List.OfIP.Join | List of IP | List of IP addresses created by joining two lists | 1. List of IP: First list to join; 2. List of IP: Second list to join
List.OfIP.Reverse | List of IP | List of IP addresses with its original order reversed | List of IP: List in original order
List.OfIP.Size | Number | Number of IP addresses on a list | List of IP: List to provide number of IP addresses for
List.OfIP.Sort | List of IP | List of sorted IP addresses | List of IP: List to sort
List.OfIP.ToString | String | List of IP addresses converted into a string | List of IP: List to convert
List.OfIPRange.Append | List of IPRange | List of IP address ranges that an IP address range is appended to | 1. List of IPRange: List to append IP address range to; 2. IPRange: IP address range to append
List.OfIPRange.ByName | List of IPRange | List of IP address ranges specified by its name | String: List name
List.OfIPRange.Erase | List of IPRange | List of IP address ranges with the specified range erased | 1. List of IPRange: List with IP address range to erase; 2. Number: Position of IP address range to erase
List.OfIPRange.EraseElementRange | List of IPRange | List of IP address ranges with the specified ranges erased |
1. List of
IPRange: List
with IP
address
ranges to
erase
2. Number:
Position of
first IP
address
range to
erase
3. Number:
Position of

274 McAfee Web Gateway 8.0.x Interface Reference Guide


Name Type Description Parameters
last IP
address
range to
erase

List.OfIPRange.EraseList List of IPRange List of IP address ranges with ranges that are also on
other list erased 1. List of
IPRange: List
with IP
address
ranges to
erase
2. List of
IPRange: List
of IP
address
ranges to
erase on
first list

List.OfIPRange.Find Number Position of an IP address range on a list


1. List of
IPRange: List
with IP
address
range to find
position for
2. IPRange: IP
address
range to find
position for

List.OfIPRange.Get IPRange IP address range specified by its position on a list


1. List of
IPRange: List
containing
IP address
range
2. Number:
Position of
IP address
range on list

List.OfIPRange.GetElementRange List of IPRange List of IP address ranges extracted from other list
1. List of
IPRange: List
with IP
address
ranges to
extract

McAfee Web Gateway 8.0.x Interface Reference Guide 275


Name Type Description Parameters
2. Number:
Position of
first IP
address
range to
extract
3. Number:
Position of
last IP
address
range to
extract

List.OfIPRange.Insert List of IPRange List of IP address ranges with specified range inserted
1. List of
IPRange: List
to insert IP
address
range in
2. IPRange: IP
address
range to
insert

List.OfIPRange.IsEmpty Boolean If true, the specified list is empty. List of IPRange:


List to check
for being
empty

List.OfIPRange.Join List of IPRange List of IP address ranges created by joining two lists
1. List of
IPRange:
First list to
join
2. List of
IPRange:
Second list
to join

List.OfIPRange.Reverse List of IPRange List of IP address rangess that has its original order List of IPRange:
reverted List in original
order

List.OfIPRange.Size Number Number of IP address ranges on a list List of IPRange:


List to provide
number of IP
address ranges
for

List.OfIPRange.Sort List of IPRange List of sorted IP address ranges List of IPRange:


List to sort

276 McAfee Web Gateway 8.0.x Interface Reference Guide


Name Type Description Parameters

List.OfIPRange.ToString String List of IP address ranges converted into a string List of IPRange:
List to convert

List.OfMediaType.Append | List of MediaType | List of media types that a media type is appended to | 1. List of MediaType: List to append media type to; 2. MediaType: Media type to append
List.OfMediaType.ByName | List of MediaType | List of media types specified by its name | String: List name
List.OfMediaType.Erase | List of MediaType | List of media types with specified type erased | 1. List of MediaType: List with media type to erase; 2. Number: Position of media type to erase
List.OfMediaType.EraseElementRange | List of MediaType | List of media types with specified range of types erased | 1. List of MediaType: List with media types to erase; 2. Number: Position of first media type to erase; 3. Number: Position of last media type to erase
List.OfMediaType.EraseList | List of MediaType | List of media types with types that are also on other list erased | 1. List of MediaType: List with media types to erase; 2. List of MediaType: List of media types to erase on first list
List.OfMediaType.Find | Number | Position of a media type on a list | 1. List of MediaType: List with media type to find position for; 2. MediaType: Media type to find position for
List.OfMediaType.Get | MediaType | Media type specified by its position on a list | 1. List of MediaType: List containing media type; 2. Number: Position of media type on list
List.OfMediaType.GetElems | List of MediaType | List of media types extracted from other list | 1. List of MediaType: List with media types to extract; 2. Number: Position of first media type to extract; 3. Number: Position of last media type to extract
List.OfMediaType.Insert | List of MediaType | List of media types with specified type inserted | 1. List of MediaType: List to insert media type in; 2. MediaType: Media type to insert
List.OfMediaType.IsEmpty | Boolean | If true, the specified list is empty. | List of MediaType: List to check for being empty
List.OfMediaType.Join | List of MediaType | List of media types created by joining two lists | 1. List of MediaType: First list to join; 2. List of MediaType: Second list to join
List.OfMediaType.Reverse | List of MediaType | List of media types with its original order reversed | List of MediaType: List in original order
List.OfMediaType.Size | Number | Number of media types on a list | List of MediaType: List to provide number of media types for
List.OfMediaType.Sort | List of MediaType | List of media types sorted in alphabetical order | List of MediaType: List to sort
List.OfMediaType.ToString | String | List of media types converted into a string | List of MediaType: List to convert
List.OfNumber.Append | List of Number | List of numbers that a number is appended to | 1. List of Number: List to append number to; 2. Number: Number to append
List.OfNumber.ByName | List of Number | List of numbers specified by its name | String: List name
List.OfNumber.Erase | List of Number | List of numbers with specified number erased | 1. List of Number: List with number to erase; 2. Number: Position of number to erase
List.OfNumber.EraseElementRange | List of Number | List of numbers with specified range of numbers erased | 1. List of Number: List with numbers to erase; 2. Number: Position of first number to erase; 3. Number: Position of last number to erase
List.OfNumber.EraseList | List of Number | List of numbers with numbers that are also on other list erased | 1. List of Number: List with numbers to erase; 2. List of Number: List of numbers to erase on first list
List.OfNumber.Find | Number | Position of a number on a list | 1. List of Number: List with number to find position for; 2. Number: Number to find position for
List.OfNumber.Get | Number | Number specified by its position on a list | 1. List of Number: List containing number; 2. Number: Position of number on list
List.OfNumber.GetElementRange | List of Number | List of numbers extracted from other list | 1. List of Number: List with numbers to extract; 2. Number: Position of first number to extract; 3. Number: Position of last number to extract
List.OfNumber.Insert | List of Number | List of numbers with specified number inserted | 1. List of Number: List to insert number in; 2. Number: Number to insert
List.OfNumber.IsEmpty | Boolean | If true, the specified list is empty. | List of Number: List to check for being empty
List.OfNumber.Join | List of Number | List of numbers created by joining two lists | 1. List of Number: First list to join; 2. List of Number: Second list to join
List.OfNumber.Reverse | List of Number | List of numbers with its original order reversed | List of Number: List in original order
List.OfNumber.Size | Number | Number of numbers on a list | List of Number: List to provide number of numbers for
List.OfNumber.Sort | List of Number | List of sorted numbers | List of Number: List to sort
List.OfNumber.ToString | String | List of numbers converted into a string | List of Number: List to convert

List.OfSSOConnectors.Append | List of SSOConnector | List of cloud connectors with specified cloud connector appended | 1. List of SSOConnector: List to append cloud connector to; 2. SSOConnector: Cloud connector to append
List.OfSSOConnectors.ByName | List of SSOConnector | List of cloud connectors specified by its name | String: List name
List.OfSSOConnectors.Erase | List of SSOConnector | List of cloud connectors with specified connector erased | 1. List of SSOConnector: List with cloud connector to erase; 2. Number: Position of cloud connector to erase
List.OfSSOConnectors.EraseElementRange | List of SSOConnector | List of cloud connectors with specified range of connectors erased | 1. List of SSOConnector: List with range of cloud connectors to erase; 2. Number: Position of first cloud connector to erase; 3. Number: Position of last cloud connector to erase
List.OfSSOConnectors.EraseList | List of SSOConnector | List of cloud connectors with connectors that are also on other list erased | 1. List of SSOConnector: List with cloud connectors to erase; 2. List of SSOConnector: List of cloud connectors to erase on first list
List.OfSSOConnectors.Exists | Boolean | If true, the list of cloud connectors with the specified name exists. | String: List name
List.OfSSOConnectors.Find | Number | Position of cloud connector in a list | 1. List of SSOConnector: List containing cloud connector; 2. SSOConnector: Cloud connector to find position for
List.OfSSOConnectors.Get | SSOConnector | Cloud connector specified by its position on a list | 1. List of SSOConnector: List containing cloud connector; 2. Number: Position of cloud connector on list
List.OfSSOConnectors.GetElementRange | List of SSOConnector | List of cloud connectors extracted from other list | 1. List of SSOConnector: List with cloud connectors to extract; 2. Number: Position of first cloud connector to extract; 3. Number: Position of last cloud connector to extract
List.OfSSOConnectors.Insert | List of SSOConnector | List of cloud connectors with specified connector inserted | 1. List of SSOConnector: List to insert cloud connector in; 2. SSOConnector: Cloud connector to insert; 3. Number: Position to insert cloud connector in
List.OfSSOConnectors.IsEmpty | Boolean | If true, the specified list is empty. | List of SSOConnector: List to check for being empty
List.OfSSOConnectors.Join | List of SSOConnector | List of single sign-on connectors created by joining two lists | 1. List of SSOConnector: First list to join; 2. List of SSOConnector: Second list to join
List.OfSSOConnectors.Reverse | List of SSOConnector | List of cloud connectors with its original order reversed | List of SSOConnector: List in original order
List.OfSSOConnectors.Set | List of SSOConnector | List of cloud connectors with specified connector set | 1. List of SSOConnector: List to set cloud connector on; 2. SSOConnector: Cloud connector to set; 3. Number: Position to set cloud connector on
List.OfSSOConnectors.Size | Number | Number of cloud connectors on a list | List of SSOConnector: List to provide number of cloud connectors for
List.OfSSOConnectors.Sort | List of SSOConnector | List of cloud connectors sorted in alphabetical order of names | List of SSOConnector: List to sort
List.OfSSOConnectors.ToString | String | List of cloud connectors converted into a string | List of SSOConnector: List to convert
List.OfString.Append | List of String | List of strings that a string is appended to | 1. List of String: List to append string to; 2. String: String to append
List.OfString.ByName | List of String | List of strings specified by its name | String: List name
List.OfString.Erase | List of String | List of strings with specified string erased | 1. List of String: List with string to erase; 2. Number: Position of string to erase
List.OfString.EraseElementRange | List of String | List of strings with specified range of strings erased | 1. List of String: List with strings to erase; 2. Number: Position of first string to erase; 3. Number: Position of last string to erase
List.OfString.EraseList | List of String | List of strings with strings that are also on other list erased | 1. List of String: List with strings to erase; 2. List of String: List of strings to erase on first list
List.OfString.Find | Number | Position of a string on a list | 1. List of String: List with string to find position for; 2. String: String to find position for
List.OfString.Get | String | String specified by its position on a list | 1. List of String: List containing string; 2. Number: Position of string on list
List.OfString.GetElementRange | List of String | List of strings extracted from other list | 1. List of String: List with strings to extract; 2. Number: Position of first string to extract; 3. Number: Position of last string to extract
List.OfString.Insert | List of String | List of strings with specified string inserted | 1. List of String: List to insert string in; 2. String: String to insert
List.OfString.IsEmpty | Boolean | If true, the specified list is empty. | List of String: List to check for being empty
List.OfString.Join | List of String | List of strings created by joining two lists | 1. List of String: First list to join; 2. List of String: Second list to join
List.OfString.JSON.AsStringList | List of String | List of strings created from the element values of a JSON array. If a value is null, an empty string is created. | JSON: Array
List.OfStringMapInList | List of String | String specified by a parameter and contained in a list, with an index for the position this string has in another list. If the specified string is not contained in the first list or does not exist as a position in the second list, the string is empty. | 1. List of String: First list containing string; 2. List of String: Second list containing string; 3. String: String contained in first and second list, or empty string
List.OfString.Reverse | List of String | List of strings with its original order reversed | List of String: List in original order
List.OfString.Size | Number | Number of strings on a specified list | List of String: List to provide number of strings for
List.OfString.Sort | List of String | List of strings sorted in alphabetical order | List of String: List to sort
List.OfString.ToString | String | List of strings converted into a string | List of String: List to convert

List.OfWildcard.Append | List of Wildcard Expression | List of wildcard expressions that an expression is appended to | 1. List of Wildcard Expression: List to append wildcard expression to; 2. Wildcard Expression: Wildcard expression to append
List.OfWildcard.ByName | List of Wildcard Expression | List of wildcard expressions specified by its name | String: List name
List.OfWildcard.Erase | List of Wildcard Expression | List of wildcard expressions with specified expression erased | 1. List of Wildcard Expression: List with wildcard expression to erase; 2. Number: Position of wildcard expression to erase
List.OfWildcard.EraseElementRange | List of Wildcard Expression | List of wildcard expressions with specified range of expressions erased | 1. List of Wildcard Expression: List with wildcard expressions to erase; 2. Number: Position of first wildcard expression to erase; 3. Number: Position of last wildcard expression to erase
List.OfWildcard.EraseList | List of Wildcard Expression | List of wildcard expressions with expressions that are also on other list erased | 1. List of Wildcard Expression: List with wildcard expressions to erase; 2. List of Wildcard Expression: List of wildcard expressions to erase on first list
List.OfWildcard.Find | Number | Position of a wildcard expression on a list | 1. List of Wildcard Expression: List with wildcard expression to find position for; 2. Wildcard Expression: Wildcard expression to find position for
List.OfWildcard.Get | Wildcard Expression | Wildcard expression specified by its position on a list | 1. List of Wildcard Expression: List containing wildcard expression; 2. Number: Position of wildcard expression on list
List.OfWildcard.GetElementRange | List of Wildcard Expression | List of wildcard expressions extracted from other list | 1. List of Wildcard Expression: List with wildcard expressions to extract; 2. Number: Position of first wildcard expression to extract; 3. Number: Position of last wildcard expression to extract
List.OfWildcard.Insert | List of Wildcard Expression | List of wildcard expressions with specified expression inserted | 1. List of Wildcard Expression: List to insert wildcard expression in; 2. Wildcard Expression: Wildcard expression to insert
List.OfWildcard.IsEmpty | Boolean | If true, the specified list is empty. | List of Wildcard Expression: List to check for being empty
List.OfWildcard.Join | List of Wildcard Expression | List of wildcard expressions created by joining two lists | 1. List of Wildcard Expression: First list to join; 2. List of Wildcard Expression: Second list to join
List.OfWildcard.Reverse | List of Wildcard Expression | List of wildcard expressions with its original order reversed | List of Wildcard Expression: List in original order
List.OfWildcard.Size | Number | Number of wildcard expressions on a list | List of Wildcard Expression: List to provide number of wildcard expressions for
List.OfWildcard.Sort | List of Wildcard Expression | List of sorted wildcard expressions | List of Wildcard Expression: List to sort
List.OfWildcard.ToString | String | List of wildcard expressions converted into a string | List of Wildcard Expression: List to convert
Location.Name | String | Name of a location or other source that requests for web access are sent from. Names of locations where users reside, or names of users or user groups, are usually set as values of this property. As no value is provided for this property by default, you must set its value using a rule to work with it. For example, if you know that a particular range of IP addresses has been allotted to an office of your organization, you can create this rule: Client.IP is in range 10.140.226.173-10.140.226.183 —> Continue — Set Location.Name = "Downtown Office". Once the property has been set to a value, you can use it, for example, in logging or blocking rules. Web Gateway and McAfee WGCS share this property, which is named Location in the McAfee WGCS interface. For cloud-only deployments, Location retains its default value, an empty string. For hybrid deployments, Location has the same value as Location.Name. | (none)

Properties - M
The following table describes the properties that have names beginning with M.

Properties – M

Name | Type | Description | Parameters
Map.ByName | List of MapType | Already existing Map Type list that has the specified name | String: List name
Map.CreateStringMap | List of MapType | Newly created Map Type list. The list is still empty. | (none)
Map.DeleteKey | List of MapType | Map Type list, in which the specified key and the related value are deleted | 1. List of MapType: Map Type list; 2. String: Key
Map.GetKeys | List of MapType | List of keys that are contained in the specified Map Type list | List of MapType: Map Type list
Map.GetStringValue | String | String that is the value for the specified key in the specified Map Type list | 1. List of MapType: Map Type list; 2. String: Key
Map.HasKey | Boolean | If true, the specified key exists in the specified Map Type list | 1. List of MapType: Map Type list; 2. String: Key
Map.SetStringValue | List of MapType | Map Type list, in which the specified value is set for the specified key | 1. List of MapType: Map Type list; 2. String: Key; 3. String: Value
Map.Size | Number | Number of key-value pairs in the specified Map Type list | List of MapType: Map Type list
Map.ToString | String | Map Type list converted into a string | List of MapType: Map Type list
Math.Abs | Number | Absolute value of specified number | Number: Number that absolute value is provided for
Math.Modulo | Number | Integer that is the remainder after dividing integer a by integer b when only an integer is accepted as the resulting quotient. For example, if a = 14 and b = 3, the value of Math.Modulo is 2: the integer result of dividing 14 by 3 is 4 and, since 3 x 4 = 12, this leaves 2 as the remainder. | 1. Number: Value for a; 2. Number: Value for b
Math.Random | Number | Random number between specified minimum and maximum values (including these values) | 1. Number: Minimum value; 2. Number: Maximum value
MediaStreamProbability | Number | Probability that the streaming media in question matches the found media type (in percent) | (none)
MediaType.EnsuredTypes | List of MediaType | List of media types that are ensured for the respective media with a probability of more than 50% | (none)
MediaType.FromFileExtension | List of MediaType | List of media types that are found using the file name extension of the media | (none)
MediaType.FromHeader | List of MediaType | List of media types that are found using the content-type header sent with the media | (none)
MediaType.HasOpener | Boolean | If true, an opener module is available on the appliance for media of a given type. | (none)
MediaType.IsArchive | Boolean | If true, the media that is being processed is an archive. | (none)
MediaType.IsAudio | Boolean | If true, the media that is being processed is of the audio type. | (none)
MediaType.IsCompositeObject | Boolean | If true, the media that is being processed is a composite object. | (none)
MediaType.IsDatabase | Boolean | If true, the media that is being processed is a database. | (none)
MediaType.IsDocument | Boolean | If true, the media that is being processed is a document. | (none)
MediaType.IsExecutable | Boolean | If true, the media that is being processed is an executable file. | (none)
MediaType.IsImage | Boolean | If true, the media that is being processed is an image. | (none)
MediaType.IsText | Boolean | If true, the media that is being processed is of the text type. | (none)
MediaType.IsVideo | Boolean | If true, the media that is being processed is of the video type. | (none)
MediaType.MagicBytesMismatch | Boolean | If true, the media type specified in the header sent with the media does not match the type that was found on the appliance by examining the magic bytes actually contained in the media. | (none)
MediaType.NotEnsuredTypes | List of MediaType | List of media types that are found for the respective media with a probability of less than 50% | (none)
MediaType.ToString | String | Media type converted into a string | MediaType: Media type to convert
Message.Language | String | Name of language for messages sent to users in short form, for example, en, de, ja | (none)
Message.TemplateName | String | Name of a template for messages sent to users | (none)

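As an added illustration that is not Web Gateway code, the following Python models how MediaType.FromHeader, MediaType.FromFileExtension, MediaType.IsExecutable and MediaType.MagicBytesMismatch relate: the type a response declares is compared with the type its magic bytes indicate, which is what lets a rule on MagicBytesMismatch catch an executable delivered under an image content type and file name. The signature table, extension map, executable-type set and sample responses are constructed for this example and are far smaller than the appliance's own.

```python
"""Added example modelling Web Gateway's media-type properties in Python.
This is not the appliance's code: the signature table, the extension map,
the executable-type set and the sample responses are constructed here."""
from dataclasses import dataclass

# Constructed magic-byte signature table: (offset, magic bytes, media type).
# The appliance's table is far larger; this covers a few common formats.
MAGIC_SIGNATURES = [
    (0, b"%PDF-", "application/pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"GIF8", "image/gif"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"\x7fELF", "application/x-executable"),
    (0, b"MZ", "application/x-dosexec"),
]

# Constructed file-extension map (stands in for MediaType.FromFileExtension).
EXTENSION_TYPES = {
    "pdf": "application/pdf", "png": "image/png", "jpg": "image/jpeg",
    "jpeg": "image/jpeg", "gif": "image/gif", "zip": "application/zip",
    "exe": "application/x-dosexec", "txt": "text/plain",
}

# Constructed set of types for which MediaType.IsExecutable would be true.
EXECUTABLE_TYPES = {"application/x-executable", "application/x-dosexec"}


def media_type_from_header(headers: dict) -> str:
    """MediaType.FromHeader: declared type from Content-Type, parameters stripped."""
    value = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return value.split(";", 1)[0].strip().lower()


def media_type_from_extension(url: str) -> str:
    """MediaType.FromFileExtension: type guessed from the URL path's extension."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return EXTENSION_TYPES.get(name.rsplit(".", 1)[-1].lower(), "")


def media_type_from_magic(body: bytes) -> str:
    """Type found by examining the magic bytes actually contained in the body."""
    for offset, magic, media_type in MAGIC_SIGNATURES:
        if body[offset:offset + len(magic)] == magic:
            return media_type
    return ""


@dataclass
class MediaTypeProperties:
    from_header: str
    from_extension: str
    from_magic: str
    magic_bytes_mismatch: bool
    is_executable: bool


def classify(url: str, headers: dict, body: bytes) -> MediaTypeProperties:
    """Compute the modelled properties for one response.

    Assumption of this model: MagicBytesMismatch is reported only when both
    the header and the magic bytes yield a known type, so an unknown
    signature is not a mismatch. IsExecutable follows the magic bytes,
    never the header or the extension, which a server controls."""
    from_header = media_type_from_header(headers)
    from_magic = media_type_from_magic(body)
    mismatch = bool(from_header and from_magic and from_header != from_magic)
    return MediaTypeProperties(
        from_header=from_header,
        from_extension=media_type_from_extension(url),
        from_magic=from_magic,
        magic_bytes_mismatch=mismatch,
        is_executable=from_magic in EXECUTABLE_TYPES,
    )


# Constructed sample responses: a genuine PNG, and a PE executable that the
# server labels as a PNG so that header- and extension-based checks pass.
SAMPLE_RESPONSES = {
    "genuine_png": (
        "http://files.example/logo.png",
        {"Content-Type": "image/png"},
        b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
    ),
    "disguised_exe": (
        "http://files.example/logo.png?dl=1",
        {"Content-Type": "image/png; charset=binary"},
        b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    ),
}


def check_samples() -> dict:
    """Classify every constructed sample; a blocking rule on
    MediaType.MagicBytesMismatch would stop the second one although both
    its Content-Type header and its file extension say PNG."""
    return {name: classify(*args) for name, args in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, props in check_samples().items():
        print(name, props)
```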
Properties - N
The following table describes the properties that have names beginning with N.

Properties – N

Name | Type | Description | Parameters
NextHopProxy.StickinessAttribute | String | Part of a request that qualifies it for being handled in next-hop proxy stickiness mode. Note: This property is not SaaS-compatible. | (none)
Number.ToDecimalNumber | Number | Integer converted into decimal format. For example, 10 is converted to 10.0. | Number: Integer to convert
Number.ToString | String | Number converted into a string | Number: Number to convert
Number.ToVolumeString | String | Number of bytes that a volume amounts to converted into a string | Number: Number of bytes to convert
NumberOfClientConnections | Number | Number of connections to clients that are open on an appliance at the same time. Note: This property is not SaaS-compatible. | (none)

Properties - P
The following table describes the properties that have names beginning with P.

Properties – P

Name Type Description Parameters

PDStorage.GetAllData List of String List containing all permanently stored data in string
format
Note: This property is not SaaS-compatible.

PDStorage.GetAllGlobalData List of String List containing all permanently stored global data in
string format
Note: This property is not SaaS-compatible.

PDStorage.GetAllUserData List of String List containing all permanently stored user data in
string format
Note: This property is not SaaS-compatible.

PDStorage.GetGlobalData.Bool Boolean Global variable of type Boolean String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.Category Category Global variable of type Category String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.DimensionDimension Global variable of type Dimension String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.Hex Hex Global variable of type Hex String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.IP IP Global variable of type IP String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.IPRange IPRange Global variable of type IPRange String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.Category
List of Category Global variable of type List of Category String: Variable
Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.Dimension
List of Global variable of type List of Dimension String: Variable
Dimension Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.Hex List of Hex Global variable of type List of Hex String: Variable
Note: This property is not SaaS-compatible. key

McAfee Web Gateway 8.0.x Interface Reference Guide 295


Name Type Description Parameters

PDStorage.GetGlobalData.List.IP List of IP Global variable of type List of IP String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.IPRange
List of IPRange Global variable of type List of IPRange String: Variable
Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.MediaType
List of Global variable of type List of MediaType String: Variable
MediaType Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.Number
List of Number Global variable of type List of Number String: Variable
Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.String List of String Global variable of type List of String String: Variable
Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.List.WildcardExpression
List of Wildcard Global variable of type List of WildcardExpression String: Variable
Expression Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.MediaTypeMediaType Global variable of type MediaType String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.Number Number Global variable of type Number String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.String String Global variable of type String String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetGlobalData.WildcardExpression
Wildcard Global variable of type WildcardExpression String: Variable
Expression Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.Bool Boolean User variable of type Boolean String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.Category Category User variable of type Category String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.Dimension Dimension User variable of type Dimension String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.Hex Hex User variable of type Hex String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.IP IP User variable of type IP String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.IPRange IPRange User variable of type IPRange String: Variable


Note: This property is not SaaS-compatible. key

PDStorage.GetUserData.List.CategoryList of Category User variable of type List of Category String: Variable


Note: This property is not SaaS-compatible. key

296 McAfee Web Gateway 8.0.x Interface Reference Guide


PDStorage.GetUserData.List.Dimension (Type: List of Dimension; Parameters: String: Variable key): User variable of type List of Dimension. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.Hex (Type: List of Hex; Parameters: String: Variable key): User variable of type List of Hex. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.IP (Type: List of IP; Parameters: String: Variable key): User variable of type List of IP. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.IPRange (Type: List of IPRange; Parameters: String: Variable key): User variable of type List of IPRange. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.MediaType (Type: List of MediaType; Parameters: String: Variable key): User variable of type List of MediaType. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.Number (Type: List of Number; Parameters: String: Variable key): User variable of type List of Number. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.String (Type: List of String; Parameters: String: Variable key): User variable of type List of String. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.List.WildcardExpression (Type: List of Wildcard Expression; Parameters: String: Variable key): User variable of type List of WildcardExpression. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.MediaType (Type: MediaType; Parameters: String: Variable key): User variable of type MediaType. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.Number (Type: Number; Parameters: String: Variable key): User variable of type Number. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.String (Type: String; Parameters: String: Variable key): User variable of type String. Note: This property is not SaaS-compatible.

PDStorage.GetUserData.WildcardExpression (Type: Wildcard Expression; Parameters: String: Variable key): User variable of type WildcardExpression. Note: This property is not SaaS-compatible.

PDStorage.HasGlobalData (Type: Boolean; Parameters: String: Variable key): If true, permanently stored global data is available under the given key. Note: This property is not SaaS-compatible.

PDStorage.HasGlobalDataWait (Type: Boolean; Parameters: 1. String: Variable key; 2. Number: Timeout (in seconds)): If true, a request is kept waiting until the requested global variable exists in the storage or the specified timeout has elapsed; the value of the property is then set to false. The value is true by default. Note: This property is not SaaS-compatible.

PDStorage.HasUserData (Type: Boolean; Parameters: String: Variable key): If true, permanently stored user data is available under the given key. Note: This property is not SaaS-compatible.

ProgressPage.Enabled (Type: Boolean): If true, download progress is indicated to the user by a progress page.

ProgressPage.Sent (Type: Boolean): If true, a progress page is displayed when a requested web object is downloaded.

ProtocolDetector.DetectedProtocol (Type: String): Name of the protocol that has been detected as being used for traffic on a connection between Web Gateway and a client.

ProtocolDetector.ProtocolFilterable (Type: Boolean): If true, filtering is supported for the protocol that has been detected as being used for web traffic.

Protocol.FailureDescription (Type: String): Description of a connection error under the current protocol.

Proxy.EndUserURL (Type: String): URL for display to a user.

Proxy.IP (Type: IP): IP address of Web Gateway. The default value is 0. Note: This property is not SaaS-compatible. A rule with this property can, however, be synchronized for use in the cloud, but only the default value is then retrieved for this property.

Proxy.Outbound.IP (Type: IP): Source IP address that Web Gateway uses when connecting to web servers or next-hop proxies. Note: Do not confuse this property with the Proxy.OutboundIP property, which has no dot before IP.

Proxy.Outbound.IPList (Type: List of IP): List of source IP addresses from which Web Gateway selects an address when connecting to web servers or next-hop proxies. Note: This property is not SaaS-compatible.

Proxy.Outbound.Port (Type: Number): Number of the source port that Web Gateway uses when connecting to web servers or next-hop proxies.

Proxy.OutboundIP (Type: IP; Parameters: Number: Position of the source IP address in the list): Source IP address that replaces the multiple source IP addresses Web Gateway might use when connecting to web servers or next-hop proxies. The address is selected from a list, using the number parameter to identify its position in the list. Note: This property is not SaaS-compatible. Do not confuse it with the Proxy.Outbound.IP property, which has a dot before IP.

Proxy.Port (Type: Number): Number of a port used by Web Gateway. The default value is 0. Note: This property is not SaaS-compatible. A rule with this property can, however, be synchronized for use in the cloud, but only the default value is then retrieved for this property.
Properties - Q
The following table describes the properties that have names beginning with Q.

Properties – Q

Quota.AuthorizedOverride.GetLogin (Type: String): User name submitted for performing an authorized override. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.IsActivationRequest (Type: Boolean): If true, an authorized user has chosen to continue with an authorized override session after the session time has been exceeded. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.IsActivationRequest.Strict (Type: Boolean): If true, an authorized user has chosen to continue with an authorized override session and the request for continuing the session applies to the current settings. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.JS.ActivateSession (Type: String): JavaScript code calling the function that is executed when an authorized user chooses to start a new session by clicking the appropriate button in the authorized override template. The code is provided when the template is created and displayed to the user. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.LastAuthorizedPerson (Type: String): User name of the last person who performed an authorized override to provide additional session time for a user. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.RemainingSession (Type: Number): Remaining time (in seconds) for an authorized override session. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.SessionExceeded (Type: Boolean): If true, the time allowed for an authorized override session has been exceeded. Note: This property is not SaaS-compatible.

Quota.AuthorizedOverride.SessionLength (Type: Number): Time length (in seconds) for an authorized override session. Note: This property is not SaaS-compatible.

Quota.Coaching.IsActivationRequest (Type: Boolean): If true, a user has chosen to continue with a new coaching session after the session time has been exceeded. Note: This property is not SaaS-compatible.

Quota.Coaching.IsActivationRequest.Strict (Type: Boolean): If true, a user has chosen to continue with a coaching session and the request for continuing the session applies to the current settings. Note: This property is not SaaS-compatible.

Quota.Coaching.JS.ActivateSession (Type: String): JavaScript code calling the function that is executed when a user chooses to start a new session by clicking the appropriate button in the coaching session template. The code is provided when the template is created and displayed to the user. Note: This property is not SaaS-compatible.

Quota.Coaching.RemainingSession (Type: Number): Remaining time (in seconds) for a coaching session. Note: This property is not SaaS-compatible.

Quota.Coaching.SessionExceeded (Type: Boolean): If true, the time allowed for a coaching session has been exceeded. Note: This property is not SaaS-compatible.

Quota.Coaching.SessionLength (Type: Number): Time length (in seconds) for a coaching session. Note: This property is not SaaS-compatible.

Quota.Time.Exceeded (Type: Boolean): If true, the time quota has been exceeded. Note: This property is not SaaS-compatible.

Quota.Time.IsActivationRequest (Type: Boolean): If true, a user has chosen to continue with a new time session after the session time has been exceeded. Note: This property is not SaaS-compatible.

Quota.Time.IsActivationRequest.Strict (Type: Boolean): If true, a user has chosen to continue with a new time session and the request for continuing the session applies to the current settings. Note: This property is not SaaS-compatible.

Quota.Time.JS.ActivateSession (Type: String): JavaScript code calling the function that is executed when a user chooses to start a new session by clicking the appropriate button in the time session template. The code is provided when the template is created and displayed to the user. Note: This property is not SaaS-compatible.

Quota.Time.RemainingDay (Type: Number): Time (in seconds) remaining from the configured time quota for the current day. Note: This property is not SaaS-compatible.

Quota.Time.RemainingDay.ReducedAtActivation (Type: Number): Time (in seconds) remaining from the configured time quota for the current day when a user has just started a session. Note: This property is not SaaS-compatible.

Quota.Time.RemainingDay.ReducedAtDeactivation (Type: Number): Time (in seconds) remaining from the configured time quota for the current day when a user has just closed a session. Note: This property is not SaaS-compatible.

Quota.Time.RemainingMonth (Type: Number): Time (in seconds) remaining from the configured time quota for the current month. Note: This property is not SaaS-compatible.

Quota.Time.RemainingMonth.ReducedAtActivation (Type: Number): Time (in seconds) remaining from the configured time quota for the current month when a user has just started a session. Note: This property is not SaaS-compatible.

Quota.Time.RemainingMonth.ReducedAtDeactivation (Type: Number): Time (in seconds) remaining from the configured time quota for the current month when a user has just closed a session. Note: This property is not SaaS-compatible.

Quota.Time.RemainingSession (Type: Number): Remaining time (in seconds) for a time session. Note: This property is not SaaS-compatible.

Quota.Time.RemainingWeek (Type: Number): Time (in seconds) remaining from the configured time quota for the current week. Note: This property is not SaaS-compatible.

Quota.Time.RemainingWeek.ReducedAtActivation (Type: Number): Time (in seconds) remaining from the configured time quota for the current week when a user has just started a session. Note: This property is not SaaS-compatible.

Quota.Time.RemainingWeek.ReducedAtDeactivation (Type: Number): Time (in seconds) remaining from the configured time quota for the current week when a user has just closed a session. Note: This property is not SaaS-compatible.

Quota.Time.SessionExceeded (Type: Boolean): If true, the time allowed for a time session has been exceeded. Note: This property is not SaaS-compatible.

Quota.Time.SessionLength (Type: Number): Time length (in seconds) for a time session. Note: This property is not SaaS-compatible.

Quota.Time.SizePerDay (Type: Number): Time (in seconds) allowed per day under the configured quota. Note: This property is not SaaS-compatible.

Quota.Time.SizePerMonth (Type: Number): Time (in seconds) allowed per month under the configured quota. Note: This property is not SaaS-compatible.

Quota.Time.SizePerWeek (Type: Number): Time (in seconds) allowed per week under the configured quota. Note: This property is not SaaS-compatible.

Quota.Volume.Exceeded (Type: Boolean): If true, the volume quota has been exceeded. Note: This property is not SaaS-compatible.

Quota.Volume.IsActivationRequest (Type: Boolean): If true, a user has chosen to continue with a new volume session after the session time has been exceeded. Note: This property is not SaaS-compatible.

Quota.Volume.IsActivationRequest.Strict (Type: Boolean): If true, a user has chosen to continue a session when the configured volume has been exceeded and the request for continuing the session applies to the current settings. Note: This property is not SaaS-compatible.

Quota.Volume.JS.ActivateSession (Type: String): JavaScript code calling the function that is executed when a user chooses to start a new session by clicking the appropriate button in the volume session template. The code is provided when the template is created and displayed to the user. Note: This property is not SaaS-compatible.

Quota.Volume.RemainingDay (Type: Number): Volume (in bytes) remaining from the configured volume quota for the current day. Note: This property is not SaaS-compatible.

Quota.Volume.RemainingMonth (Type: Number): Volume (in bytes) remaining from the configured volume quota for the current month. Note: This property is not SaaS-compatible.

Quota.Volume.RemainingSession (Type: Number): Remaining time (in seconds) for a volume session. Note: This property is not SaaS-compatible.

Quota.Volume.RemainingWeek (Type: Number): Volume (in bytes) remaining from the configured volume quota for the current week. Note: This property is not SaaS-compatible.

Quota.Volume.SessionExceeded (Type: Boolean): If true, the time allowed for a volume session has been exceeded. Note: This property is not SaaS-compatible.

Quota.Volume.SessionLength (Type: Number): Time length (in seconds) for a volume session. Note: This property is not SaaS-compatible.

Quota.Volume.SizePerDay (Type: Number): Volume (in bytes) allowed per day under the configured quota. Note: This property is not SaaS-compatible.

Quota.Volume.SizePerMonth (Type: Number): Volume (in bytes) allowed per month under the configured quota. Note: This property is not SaaS-compatible.

Quota.Volume.SizePerWeek (Type: Number): Volume (in bytes) allowed per week under the configured quota. Note: This property is not SaaS-compatible.

Properties - R
The following table describes the properties that have names beginning with R.

Properties – R

Redirect.URL (Type: String): URL that a user is redirected to by an authentication or quota rule.

Reporting.URL.Categories (Type: List of Category): List of all URL categories used on the appliance.

Reporting.URL.Reputation (Type: List of Number): List of all reputation score values used on the appliance.

Request.Header.FirstLine (Type: String): First line of the header sent with a request.

Request.POSTForm.Get (Type: String): Retrieves the URL-encoded data in the POST form sent by the external Identity Provider.

Request.ProtocolAndVersion (Type: String): Protocol and protocol version used when a request is sent.

Response.ProtocolandVersion (Type: String): Protocol and protocol version used when a response is sent.

Response.Redirect.URL (Type: String): URL that a user is redirected to when a response is sent.

Response.StatusCode (Type: String): Status code of a response.

Rules.CurrentRuleID (Type: String): ID of the rule that is currently processed.

Rules.CurrentRuleName (Type: String): Name of the rule that is currently processed.

Rules.CurrentRuleSetName (Type: String): Name of the rule set that is currently processed.

Rules.EvaluatedRules (Type: List of String): List of all rules that have been processed.

Rules.EvaluatedRules.Names (Type: List of String): List with the names of all rules that have been processed.

Rules.FiredRules (Type: List of String): List of all rules that have applied.

Rules.FiredRules.Names (Type: List of String): List with the names of all rules that have applied.


Properties - S
The following table describes the properties that have names beginning with S.

Properties – S

SecureReverseProxy.EmbeddedHost (Type: String): Host name of a URL in an HTTP request that is embedded in an HTTPS request. Note: This property is not SaaS-compatible.

SecureReverseProxy.EmbeddedProtocol (Type: String): Protocol of a URL in an HTTP request that is embedded in an HTTPS request. Note: This property is not SaaS-compatible.

SecureReverseProxy.EmbeddedURL (Type: String; Parameters: String: Host name of the URL): URL in an HTTP request that is embedded in an HTTPS request. This is the URL for the host specified by the value of the SecureReverseProxy.EmbeddedHost property. Note: This property is not SaaS-compatible.

SecureReverseProxy.GetDomain (Type: String): Domain specified in the settings for the SecureReverseProxy module. Note: This property is not SaaS-compatible.

SecureReverseProxy.IsValidReverseProxyRequest (Type: Boolean): If true, the URL submitted in a request has the format required in a SecureReverseProxy configuration. Note: This property is not SaaS-compatible.

SecureReverseProxy.URLToEmbed (Type: String): URL submitted in an HTTP request that is embedded in an HTTPS request. Note: This property is not SaaS-compatible.

SecureToken.CreateToken (Type: String; Parameters: String: String to encrypt): Encrypted string that serves as a token for securing an IP address. An AES-128 algorithm is used to create the token. Depending on the value of a parameter in the settings of the SecureReverseProxy module, the string includes a time stamp.

SecureToken.IsValid (Type: Boolean; Parameters: 1. String: Token to be checked; 2. Number: Time (in seconds) to elapse until the token expires): If true, the specified token is valid and has not expired. Depending on the value of a parameter in the settings of the SecureReverseProxy module, the token string includes no time stamp; expiration of the token is then not checked, so a token created without a time stamp never expires and a captured token stays usable indefinitely.

SecureToken.GetString (Type: String; Parameters: 1. String: Token to be checked; 2. Number: Time (in seconds) to elapse until the token expires): String serving as a token for securing an IP address. If the token is invalid or has expired, the string is empty.

Server.DownloadBandwidth (Type: Number): Bandwidth (in bytes per second) consumed for downloads from web servers.

Server.UploadBandwidth (Type: Number): Bandwidth (in bytes per second) consumed for uploads to web servers.

SNMP.Trap.Additional (Type: String): Additional message sent with a trap under the SNMP protocol.

SOCKS.Version (Type: String): Version of the SOCKS protocol that is used when a client requests access to a web object under this protocol.

SSL.Certificate.CN.ToWildcard (Type: Wildcard Expression; Parameters: String: Common name to convert): Common name in an SSL certificate converted into a wildcard expression.

SSL.Client.Certificate.Serial (Type: String): Serial number of a client certificate.

SSL.ClientContext.IsApplied (Type: Boolean): If true, parameters for setting the client context in SSL-secured communication have been configured.

SSL.Server.Certificate.AlternativeCNs (Type: List of Wildcard Expression): List of alternative common names for a web server as used in SSL certificates.

SSL.Server.Certificate.CN (Type: String): Common name of a web server provided in a certificate for SSL-secured communication.

SSL.Server.Certificate.CN.HasWildcards (Type: Boolean): If true, the common name for a web server in an SSL certificate includes wildcards.

SSL.Server.Certificate.DaysExpired (Type: Number): Number of days for which an SSL certificate for a web server has been expired.

SSL.Server.Certificate.HostAndCertificate (Type: HostAndCertificate): Host name and certificate for connecting to a web server in SSL-secured communication.

SSL.Server.Certificate.OnlyCertificate (Type: HostAndCertificate): Certificate for connecting to a web server in SSL-secured communication.

SSL.Server.Certificate.SelfSigned (Type: Boolean): If true, an SSL certificate for a web server is self-signed.

SSL.Server.Certificate.SHA1Digest (Type: String): SHA-1 digest of an SSL certificate for a web server.

SSL.Server.Certificate.SignatureMethod (Type: String): Text describing the method used for signing the certificate.

SSL.Server.CertificateChain.AllRevocationStatusesKnown (Type: Boolean): If true, it is known for all SSL certificates in a certificate chain for a web server whether they are revoked or not.

SSL.Server.CertificateChain.ContainsExpiredCA (Type: Boolean): If true, an SSL certificate in a certificate chain for a web server has expired.

SSL.Server.CertificateChain.ContainsRevoked (Type: Boolean): If true, an SSL certificate in a certificate chain for a web server has been revoked.

SSL.Server.CertificateChain.FirstKnownCAIsTrusted (Type: Boolean): If true, the first certificate authority found in a certificate chain for a web server is trusted.

SSL.Server.CertificateChain.FoundKnownCA (Type: Boolean): If true, a known certificate authority has been found in a certificate chain for a web server.

SSL.Server.CertificateChain.IsComplete (Type: Boolean): If true, the chain of SSL certificates for a web server is complete.

SSL.Server.CertificateChain.Issuer.CNs (Type: List of String): List of the common names of the issuers that issued the SSL certificates in a certificate chain for a web server. The list is sorted in bottom-up order and ends with the common name of the issuer of the certificate for the self-signed root certificate authority (CA).

SSL.Server.CertificateChain.Length (Type: Number): Number of SSL certificates in a certificate chain for a web server.

SSL.Server.CertificateChain.PathLengthExceeded (Type: Boolean): If true, the chain of SSL certificates for a web server exceeds the allowed length.

SSL.Server.CertificateChain.SignatureMethods (Type: List of String): List of texts describing the methods used for signing the certificates in the chain.

SSL.Server.Cipher.KeyExchangeBits (Type: Number): Normalized strength (in bits) of the weakest link involved in a key exchange performed in SSL-secured communication.

SSL.Server.Handshake.CertificateIsRequested (Type: Boolean): If true, a handshake is requested for setting up a connection to a web server in SSL-secured communication.

SSO.Action (Type: String): Returns the name of an internal action performed in response to an SSO request. Note: This property is not SaaS-compatible.

SSO.Config (Type: String): Returns the name of the settings used by an internal action performed in response to an SSO request. Note: This property is not SaaS-compatible.

SSO.Debug (Type: String): Returns an SSO debug message. Note: This property is not SaaS-compatible.

SSO.GetConnectorInfo (Type: Variable; Parameters: String: Service ID): Returns information about the SSO connector to the service the user is requesting. This information is stored as a JSON object in a local variable named sso-conn-info. Note: This property is not SaaS-compatible.

SSO.GetData (Type: JSON object): Returns additional information needed for SAML single sign-on. Note: This property is not SaaS-compatible.

SSO.GetDatFile (Type: String; Parameters: String: Name of the SSO DAT file): Retrieves the specified DAT file from the update server and returns the contents of the file in a string. The Single Sign On module uses the collection of SSO DAT files to create the launchpad. Note: This property is not SaaS-compatible.

SSO.GetIceTokenLoginAction (Type: String; Parameters: 1. String: Service ID; 2. Variable: sso-user-data): Returns the user information needed to complete single sign-on to the requested service or application. Note: This property is not SaaS-compatible.

SSO.GetPostLoginAction (Type: String; Parameters: 1. String: Identity Provider; 2. String: User name; 3. String: Service ID; 4. String: User account): Returns the information needed to complete single sign-on to the requested HTTP service or application. Note: This property is not SaaS-compatible.

SSO.GetSAMLLoginAction (Type: String; Parameters: 1. String: Service ID; 2. Variable: sso-user-data): Returns the user information needed to complete single sign-on to the requested SAML service or application. Note: This property is not SaaS-compatible.

SSO.GetServices (Type: JSON object; Parameters: Variable: "conditions"): Returns all information about the current user added by the SSO Select Services rule set. This information is returned in JSON format and includes the names of the cloud services the user is allowed to access and all account information. Note: This property is not SaaS-compatible.

SSO.GetTools (Type: String): Returns a string of JavaScript tools. Note: This property is not SaaS-compatible.

SSO.IsManagementRequest (Type: Boolean): Returns true if the current request is an SSO request and one or both of the following conditions are met:
• Web Gateway has received an SSO request.
• The SSO.Action property is processed with valid settings.
Note: This property is not SaaS-compatible.

SSO.LogProperties (Type: JSON object): Stores information about each SSO request that is used to generate the SSO access and SSO trace logs. Note: This property is not SaaS-compatible.

SSO.ManagementHost (Type: String): Returns the host name of the SSO service specified in the configuration. Typically, this value is the name of the server hosting the SSO service provided by Web Gateway. Note: This property is not SaaS-compatible.

SSO.OTPRequired (Type: Boolean): Returns true if the SSO action requires OTP authentication. Note: This property is not SaaS-compatible.

SSO.ProcessTask (Type: Boolean; Parameters: passed in URLs): Processes common SSO tasks, such as credential management, using the Single Sign On settings. If the SSO tasks are processed successfully, this property returns true. Note: This property is not SaaS-compatible.

SSO.UserHasAccessToService (Type: Boolean): Returns true if the user is allowed to access the cloud service or manage the account. Note: This property is not SaaS-compatible.

SSOConnector.ToString (Type: String; Parameters: String: Name of cloud connector): Converts the name of a cloud connector to the Service ID that identifies the corresponding cloud service or application.


Statistics.Counter.Get (Type: Number; Parameters: String: Name of counter): Number of occurrences of an activity or situation recorded on a counter. Note: This property is not SaaS-compatible.

Statistics.Counter.GetCurrent (Type: Number; Parameters: String: Name of counter): Number of occurrences of an activity or situation recorded on a counter (fully completed) during the last minute. Note: This property is not SaaS-compatible.

Stopwatch.GetMicroSeconds (Type: Number; Parameters: String: Name of rule set): Time measured for rule set processing, in microseconds.

Stopwatch.GetMilliSeconds (Type: Number; Parameters: String: Name of rule set): Time measured for rule set processing, in milliseconds.

StreamDetector.IsMediaStream (Type: Boolean): If true, a requested web object is streaming media. This is the basic property used in streaming media filtering.

StreamDetector.MatchedRule (Type: String): Name of a streaming media filtering rule that has matched. This property is given a value if the StreamDetector.IsMediaStream property is set to true.

StreamDetector.Probability (Type: Number): Probability that a web object is streaming media. Values range from 1 to 100. This property is given a value if the StreamDetector.IsMediaStream property is set to true.

String.BackwardFind (Type: Number; Parameters: 1. String: String containing the substring; 2. String: Substring; 3. Number: Position where the backward search for the substring begins): Position where a substring begins that is found in a string by a backward search. Returns -1 if the substring is not found.

String.Base64DecodeAsBinary (Type: String; Parameters: String: String in encoded format): String containing the binary data that results from decoding a base64-encoded string.

String.Base64DecodeAsText (Type: String; Parameters: String: String in encoded format): Text string that results from decoding a base64-encoded string.

String.Base64Encode (Type: String; Parameters: String: String to encode): String that results from encoding a string with base64.

String.BelongsToDomains (Type: Boolean; Parameters: 1. String: String to be found in the list; 2. List of String: List of domain names): If true, the specified string is found in a list of domain names. The value of the property is true if the string matches a list entry, which means it is a domain name. The value is also true if the string is a character or sequence of characters followed by a dot and a substring that matches a list entry (*.<list entry>), which means it is the name of a subdomain of a domain in the list. A string that merely ends with a list entry without the separating dot does not match. In both cases the matching string is set as the value of the List.LastMatches property.

String.Concat (Type: String; Parameters: 1. String: First string to concatenate; 2. String: Second string to concatenate): Concatenation of the two specified strings.

String.CRLF (Type: String): Carriage-return line-feed.

String.Find (Type: Number; Parameters: 1. String: String containing the substring; 2. String: Substring; 3. Number: Position where the forward search for the substring begins): Position where a substring begins that is found in a string by a forward search. Returns -1 if the substring is not found.

String.FindFirstOf (Type: Number; Parameters: 1. String: String containing the substring; 2. String: Substring; 3. Number: Position where the search for the substring begins): Position of the first character of a substring found in a string. Returns -1 if the substring is not found.

String.FindLastOf (Type: Number; Parameters: 1. String: String containing the substring; 2. String: Substring; 3. Number: Position where the search for the substring begins): Position of the last character of a substring found in a string. Returns -1 if the substring is not found.

String.GetWordCount (Type: Number; Parameters: String: String to get the number of words for): Number of words in a string.

String.Hash (Type: String; Parameters: 1. String: String to find the hash value for; 2. String: Hash type): Hash value of the given type for the given string.

String.IsEmpty (Type: Boolean; Parameters: String: String checked for being empty): If true, the specified string is empty.

String.Length (Type: Number; Parameters: String: String to count characters for): Number of characters in a string.

String.LF (Type: String): Line-feed.

String.MakeAnonymous (Type: String; Parameters: String: String to anonymize): String that has been made anonymous and requires one or two passwords for reverting the anonymization. The string to be anonymized is specified as a parameter of the property. The passwords are set within the Anonymization settings, which are provided as settings of the property. You can use the property in a rule to anonymize sensitive data, for example, the user name that is retrieved as the value of the Authentication.UserName property. An event in this rule sets the authentication property to the value of String.MakeAnonymous, which takes the authentication property as its parameter, so its value is the anonymized user name. After the set event has been executed, the anonymized user name is also the value of Authentication.UserName, and the sensitive information is protected this way. For the rule to work, a rule with the authentication property must have been processed before; otherwise the string to be anonymized would not be known.

String.MatchWildcard (Type: List of String; Parameters: 1. String: String with matching terms; 2. Wildcard Expression: Wildcard expression to match; 3. Number: Position where the search begins): List of terms in a string that match a wildcard expression.

String.Replace (Type: String; Parameters: 1. String: String containing the substring to replace; 2. Number: Position where the replacement begins; 3. Number: Number of characters to replace; 4. String: Replacing string): String having a substring replaced by a string as specified.

String.ReplaceAll (Type: String; Parameters: 1. String: String containing the substring to replace; 2. String: Replacing substring; 3. String: Substring to replace): String having each occurrence of a substring replaced by a string as specified.

String.ReplaceAllMatches (Type: String; Parameters: 1. String: String containing the substring to replace; 2. Wildcard Expression: Wildcard expression to match; 3. String: Replacing substring): String having each occurrence of a substring that matches a wildcard expression replaced by a string as specified.

String.ReplaceFirst (Type: String; Parameters: 1. String: String containing the substring to replace; 2. String: Substring to replace; 3. String: Replacing string): String having the first occurrence of a substring replaced by a string as specified.

String.ReplaceFirstMatch (Type: String; Parameters: 1. String: String containing the substring to replace; 2. Wildcard Expression: Wildcard expression to match; 3. String: Replacing substring): String having the first occurrence of a substring that matches a wildcard expression replaced by a string as specified.

String.ReplaceIfEquals (Type: String; Parameters: 1. String: String containing the substring to replace; 2. String: Substring to replace; 3. String: Replacing string): String having every occurrence of a substring replaced by a string as specified.

String.SubString (Type: String; Parameters: 1. String: String containing the substring; 2. Number: Position where the substring begins; 3. Number: Number of characters in the substring; if no number is specified, the substring extends to the end of the original string): Substring contained in a string, specified by start position and length.

String.SubStringBetween (Type: String; Parameters: 1. String: String containing the substrings; 2. String: Substring ending immediately before the wanted substring; 3. String: Substring beginning immediately after the wanted substring): Substring of a string extending between two other substrings of this string. The search begins by looking for the first of the other substrings. If it is found, the search continues by looking for the second substring. If the first substring is not found, the search has no result. If the second substring is not found, the wanted substring extends from the end of the first substring to the end of the main string.

String.ToCategory Category String converted into a category String: String to


convert

String.ToDimension Dimension String converted into a dimension String: String to


convert

McAfee Web Gateway 8.0.x Interface Reference Guide 313


Name Type Description Parameters

String.ToHex Hex String converted into a hex value String: String to


convert

String.ToIP IP String converted into an IP address String: String to


convert

String.ToIPRange PRange String converted into a range of IP addresses String: String to


convert

String.ToMediaType MediaType String converted into a media type String: String to


convert

String.ToNumber Number String converted into a number String: String to


convert

String.ToSSOConnector String Converts the Service ID that identifies a cloud service String: Service ID
or application to the name of the corresponding
cloud connector.

String.ToStringList List of String String converted into a string list


The string list is a list of the elements in the string to 1. String: String to
convert. For example, the string to convert can be a convert
text and the string list a list of the words in this text. 2. String: Delimiter
The delimiter is a substring that separates elements 3. String: Substring
in the string to convert. For example, in a normal text, beginning
the delimiter is the whitespace. The substring can be immediately after
a single character, such as the whitespace, or multiple the wanted
characters. To specify the whitespace, hit the space substring
bar.
A trim character is a character that appears at the
beginning or end of an element in the string to
convert, but not in the string list. A trim character can,
for example, be a comma, a period, or a single
quotation mark. It can also be an “invisible” character,
such as a tab stop or a line feed.
To specify trim characters, type them in the input field
that is provided on the user interface without
separating them from each other.
Use the following combinations to type invisible
characters:
\t – tab stop
\r – carriage return
\n – line feed
\b – backspace
\\ – backslash
If you specify a character as a delimiter, it is also
deleted from the resulting string list, so you need not
specify it as a trim character.

String.ToWildcard Wildcard String converted into a wildcard expression String: String to


Expression convert

String.URLDecode String Standard format of a URL that was specified in String: URL in
encoded format encoded format

314 McAfee Web Gateway 8.0.x Interface Reference Guide


Name Type Description Parameters

String.URLEncode String Encoded format of a URL String: URL to


encode

System.HostName String Host name of an appliance

System.UUID String UUID (Universal Unique Identifier) of an appliance
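
The following is an added example, not code from the product: a reference model in Python of the semantics that the String.SubStringBetween and String.ToStringList entries above describe, so that the edge cases (first substring absent, second substring absent, delimiter and trim characters, the \t, \n style escapes) can be tried on sample input. The function names, the sample cookie header and the treatment of empty elements are assumptions of this example.

```python
# Added example, not Web Gateway code: a reference model of the semantics the
# String.SubStringBetween and String.ToStringList entries above describe.

# The combinations the trim-character field accepts for invisible characters.
_TRIM_ESCAPES = {"t": "\t", "r": "\r", "n": "\n", "b": "\b", "\\": "\\"}


def decode_trim_characters(field: str) -> str:
    """Turn the text typed into the trim-character field into real characters.

    \\t, \\r, \\n, \\b and \\\\ are decoded; any other character is taken literally.
    """
    out = []
    i = 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field) and field[i + 1] in _TRIM_ESCAPES:
            out.append(_TRIM_ESCAPES[field[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def substring_between(text: str, before: str, after: str):
    """String.SubStringBetween: the part of text after the first occurrence of
    `before` and up to the next occurrence of `after`.

    Returns None (no result) when `before` is absent; when `after` is absent the
    result extends to the end of text, as the table describes.
    """
    start = text.find(before)
    if start == -1:
        return None
    start += len(before)
    end = text.find(after, start)
    return text[start:] if end == -1 else text[start:end]


def to_string_list(text: str, delimiter: str, trim_characters: str = ""):
    """String.ToStringList: split text at the delimiter and strip the trim
    characters from both ends of every element.

    The delimiter itself never appears in the result, so it need not be listed
    among the trim characters.  Assumption of this example: elements that are
    empty after trimming (for example between two consecutive delimiters) are dropped.
    """
    if not delimiter:
        raise ValueError("a delimiter is required")
    trim = decode_trim_characters(trim_characters)
    elements = []
    for element in text.split(delimiter):
        if trim:
            element = element.strip(trim)
        if element:
            elements.append(element)
    return elements


if __name__ == "__main__":
    # Constructed sample input: a Set-Cookie style header and a short sentence.
    cookie = "session=abc123; Path=/; HttpOnly"
    print(substring_between(cookie, "session=", ";"))           # abc123
    print(to_string_list("The quick brown fox.", " ", "."))     # ['The', 'quick', 'brown', 'fox']
    print(to_string_list(" alpha , beta ,\tgamma\n", ",", " \\t\\n"))  # ['alpha', 'beta', 'gamma']
```

The third call shows why the trim field needs the escape combinations: the tab and line feed around the last element are only stripped because "\t" and "\n" were typed into the trim characters, whereas the comma delimiter disappears on its own.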

Properties - T
The following table describes the properties that have names beginning with T.

TIE.Filereputation (Number): File reputation score that has been retrieved from a TIE server
  Note: This property is not SaaS-compatible.

Timer.FirstReceivedFirstSentClient (Number): Processing time consumed between receiving the first byte from a client on the appliance and sending the first byte to this client within a transaction
  Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections.

Timer.FirstSentFirstReceivedServer (Number): Processing time consumed between sending the first byte from the appliance to a web server and receiving the first byte from this server within a transaction
  Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections.

Timer.HandleConnectToServer (Number): Processing time consumed for connecting to a web server within a transaction

Timer.LastReceivedLastSentClient (Number): Processing time consumed between receiving the last byte from a client on the appliance and sending the last byte to this client within a transaction
  Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections.

Timer.LastSentLastReceivedServer (Number): Processing time consumed between sending the last byte from the appliance to a web server and receiving the last byte from this server within a transaction
  Using this property is only supported when HTTP or HTTPS connections are involved, but not for FTP connections.

Timer.ResolveHostNameViaDNS (Number): Processing time consumed for looking up a host name on a DNS server within a transaction
  Only lookups on external servers are considered. Cache lookups are disregarded.

Timer.TimeInExternals (Number): Time (in milliseconds) consumed when processing a request in waiting for responses from components other than the rule engine that are involved in the process, for example, domain controllers or anti-malware scanning engines.
  This time is the time that has already been consumed in waiting when the property is evaluated. Waiting periods in all relevant processing cycles are considered when calculating this time.

Timer.TimeInRuleEngine (Number): Time (in milliseconds) consumed by the rule engine for processing a request, including activities in all relevant processing cycles, at the time when the property is evaluated.
  Processing a request through all relevant processing cycles is also referred to as a transaction.
  When the property is evaluated within a rule for log handling, its value is the time that was used by the rule engine for the complete transaction.

Timer.TimeInTransaction (Number): Time (in milliseconds) consumed for processing a request, including activities in all relevant processing cycles, at the time when the property is evaluated.
  Time used for rule engine activities and waiting times are summed up in this property value.
  Processing a request through all relevant processing cycles is also referred to as a transaction.
  When the property is evaluated within a rule for log handling, its value is the time that was used for the complete transaction.

Tunnel.Enabled (Boolean): If true, an HTTP or HTTPS tunnel is enabled

Properties - U
The following table describes the properties that have names beginning with U.

URL (String): URL of a web object

URL.Categories (List of Category): List of URL categories that a URL belongs to

URL.CategoriesForURL (List of Category): List of URL categories that a specified URL belongs to
  Parameters: String: URL in string format

URL.CategorySetVersion (Number): Version number of the category set that is used for URL filtering

URL.CloudLookupLedToResult (Boolean): If true, the rating for a URL was retrieved by a cloud lookup that was performed using the Global Threat Intelligence service.

URL.DestinationIP (IP): IP address for a URL as found in a DNS lookup

URL.DiscardedHost (String): Name of a host that was discarded when conflicting host names occurred in a request sent in HTTP(S) or SSL communication.
  A conflict of this kind is also known as domain fronting. It is resolved by the proxy on Web Gateway, which prefers one of the conflicting host names over the other, depending on what is configured.
  By querying the value of this property in the criteria of a rule or by logging it, you can detect a host name conflict. If no conflict arises, the value of the property is an empty string.
  Conflicting host names might occur in the following scenarios:
  • Under HTTP(S): The first-line part of the communication does not match the Host header that is sent with a request.
    This conflict does not arise under HTTP/2, where no first-line part is sent in any single stream.
  • Under SSL: The host name sent in a CONNECT request does not match the host information read from a client hello.

URL.Domain (String): Name of the domain that access was requested to

URL.DomainSuffix (String): Suffix appended to the name of the domain that access was requested to

URL.FileExtension (String): Extension of the file name for a requested file

URL.FileName (String): Name of a file that can be accessed through a URL

URL.ForwardDNSLedToResult (Boolean): If true, the rating for a URL was retrieved by performing a forward DNS lookup.

URL.Geolocation (String): ISO 3166 code for the country where the host that a URL belongs to is located
  If a value is to be assigned to this property, the following option of the settings for the URL Filter module must be enabled: Only use online GTI web reputation and categorization services.

URL.Geolocation (String): Name of the country where the host that a given URL belongs to is located
  The URL is the URL that was sent with the request that is currently processed. The country is identified according to ISO 3166.
  Note: The name can only be found if the following option of the settings for URL filtering is selected: Disable local GTI database

URL.GeolocationForURL (String): Name of the country where the host that a given URL belongs to is located
  The URL is specified as a parameter of the property. The country is identified according to ISO 3166.
  Note: The name can only be found if the following option of the settings for URL filtering is selected: Disable local GTI database
  Parameters: String: URL that the country name is to be found for

URL.GetParameter (String): Parameter of a URL in string format
  Parameters: String: Parameter name

URL.HasParameter (Boolean): If true, a specified parameter belongs to the parameters of a URL.
  Parameters: String: Parameter name

URL.Host (String): Host that a URL belongs to

URL.Host.BelongsToDomains (Boolean): If true, the host that access was requested to by submitting a particular URL belongs to one of the domains in a list.
  The name of a host that was found to belong to one of the domains is set as the value of the List.LastMatches property.
  You can use the URL.Host.BelongsToDomains property to match anything to the domain name in a URL or anything to the left of a dot of a domain name (*.domain.com). Terms including the domain name (*domain.com) are not counted as matches.
  Example: Domain List is the string list specified as the property parameter. It contains the following entries (dots preceding a domain name in a URL are omitted):
    twitter.com
    mcafee.com
    dell.com
    k12.ga.us
    xxx
  Then the criteria:
    URL.Host.BelongsToDomains("Domain List") equals true
  matches for the following URLs:
    http://twitter.com
    http://www.twitter.com
    http://my.mcafee.com
    http://my.support.dell.com
    http://www.dekalb.k12.ga.us
    any.site.xxx
  but not for:
    http://malicioustwitter.com
    http://www.mymcafee.com
    http://www.treasury.ga.us
  Using this property avoids the effort of creating more complicated solutions to accomplish the same, for example:
  • Using two entries in a list of wildcard expressions, such as: twitter.com and *.twitter.com
    (Note that the glob entry *twitter.com, without the dot, also matches hosts such as malicioustwitter.com, which this property does not count as a match.)
  • Using a single, complex entry in a list of wildcard expressions, such as: regex((.*\.|.?)twitter\.com)
  If these entries were contained in the list Other Domain List, the following criteria would match for the twitter.com domain:
    URL.Host matches in list "Other Domain List"
  Parameters: List of String: List of domain names

URL.HostIsIP (Boolean): If true, the host part of the URL that is submitted for access is an IP address.

URL.IsHighRisk (Boolean): If true, the reputation score of a URL falls in the high risk range.

URL.IsMediumRisk (Boolean): If true, the reputation score of a URL falls in the medium risk range.

URL.IsMinimalRisk (Boolean): If true, the reputation score of a URL falls in the minimal risk range.

URL.IsUnverified (Boolean): If true, the reputation score of a URL falls in the unverified risk range.

URL.Parameters (List of String): List of URL parameters

URL.ParametersString (String): String containing the parameters of a URL
  If the URL has parameters, the string begins with the ? character.

URL.Path (String): Path name for a URL

URL.Port (Number): Number of a port for a URL

URL.Protocol (String): Protocol for a URL

URL.Raw (String): URL in the format originally received on the appliance from a client or other network components
  Using this property for rule configuration speeds up processing because it saves the time used for converting URL code to a human-readable format, as is done for the simple URL property.
  Because the raw URL is not decoded, a blocking list that is matched against URL.Raw can be evaded with differently encoded forms of the same URL; match lists against the decoded URL property where that matters.

URL.Reputation (Number): Reputation score for a given URL
  The URL is the URL sent with the request that is currently processed.

URL.ReputationForURL (Number): Reputation score for a given URL
  The URL is specified as a parameter of the property.
  Parameters: String: URL that the reputation score is to be found for

URL.ReputationString (String): Reputation score for a given URL in string format
  The URL is the URL sent with the request that is currently processed.

URL.ReputationStringForURL (String): Reputation score for a given URL in string format
  The URL is specified as a parameter of the property.
  Parameters: String: URL that the reputation score is to be found for

URL.ReverseDNSLedToResult (Boolean): If true, the rating for a URL was retrieved by performing a reverse DNS lookup.

URL.SmartMatch (Boolean): If true, a URL matches one or more of the URL parts that are specified in string format in any of the entries in the list of URL parts that is given as the parameter of this property
  Note: Use of a very long string list here can impact performance.
  An entry in this string list must specify at least the domain or the path part of a URL as a substring. It can specify both.
  The domain part also matches if a URL only contains a subdomain of the specified domain.
  For the path part, it is sufficient if the beginning of the path in a URL matches it.
  Additionally, a list entry can specify the protocol and port of a URL.
  The value of the property is true if a URL matches the domain or the path part (or both) in an entry of the string list and also matches the protocol part (if specified) and the port part (if specified).
  If a port is specified in an entry of the string list, but not in the URL, there is no match.
  For example, with the following URL:
    http://www.mycompany.com/samplepath/xyz
  the list entries below produce matches or not as follows:
    mycompany.com (match)
    http://mycompany.com (match)
    https://mycompany.com (no match)
    http://www.mycompany.com/ (match)
    host.mycompany.com (no match)
    http://www.mycompany.com:8080/ (no match)
    http://www.mycompany.com/samplepath/ (match)
    /samplepath/ (match)
    mycompany.com/samplepath/ (match)
    com (match)
  As the last entry shows, a bare top-level domain matches every host under it, so check list entries for unintended breadth.
  You can use this property to search for matches in a complex URL whitelist or blocklist, for example, in a list that contains both entries for URL hosts and for complete URLs.
  Parameters: List of String: List with parts of URLs in string format

URLFilter.DatabaseVersion (Number): Version number of the URL filter database on an appliance

URLFilter.EngineVersion (String): String identifying the version of the URL filtering module (engine)

User-Defined.cacheMessage (String): Message text providing information on web cache usage

User-Defined.eventMessage (String): Message text providing information on an event

User-Defined.loadMessage (String): Message text providing information on CPU overload

User-Defined.logLine (String): Entry written into a log file

User-Defined.monitorLogMessage (String): Entry written into a log file

User-Defined.notificationMessage (String): Text of a notification message

User-Defined.requestLoadMessage (String): Message text providing information on request overload

User-Defined.requestsPerSecond (Number): Number of requests processed on an appliance per second
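
The following is an added example, not code from the product: the host-name conflict that the URL.DiscardedHost entry above describes, detected in Python on a raw HTTP/1.x request. The HTTP(S) case compares the absolute-form first line with the Host header; the SSL case compares the CONNECT target with the server name from the client hello, which this example takes as a string (parsing the client hello itself is out of scope). The sample requests, the example.com style host names and the "prefer" switch standing in for the proxy's configured preference are constructed for this example.

```python
# Added example, not Web Gateway code: detecting the host-name conflict that
# URL.DiscardedHost reports, on an HTTP/1.x request or on a CONNECT request paired
# with the server name taken from the TLS client hello.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(authority: str, default_port: int):
    """Split 'host[:port]' into a normalised (host, port) pair.

    Assumption of this example: bracketed IPv6 literals are not handled.
    """
    host, _, port = authority.strip().partition(":")
    return host.lower().rstrip("."), int(port) if port else default_port


def parse_request(raw: bytes):
    """Return (method, request-target, headers) from the head of an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first copy wins
    return method, target, headers


def resolve_host(raw: bytes, prefer: str = "first-line", client_hello_sni: str = ""):
    """Return (host_used, discarded_host).

    discarded_host is '' when both sources agree, mirroring URL.DiscardedHost.
    prefer is 'first-line' or 'host-header' and stands in for the proxy setting
    that decides which of two conflicting names wins.
    """
    method, target, headers = parse_request(raw)
    if method == "CONNECT":
        # SSL scenario: authority-form target against the client hello server name.
        first_line = _host_port(target, 443)
        other = _host_port(client_hello_sni, first_line[1]) if client_hello_sni else None
    elif "://" in target:
        # HTTP(S) scenario: absolute-form first line against the Host header.
        parts = urlsplit(target)
        first_line = _host_port(parts.netloc, DEFAULT_PORTS.get(parts.scheme.lower(), 80))
        other = _host_port(headers["host"], first_line[1]) if "host" in headers else None
    else:
        # Origin-form target: only the Host header names the host, so no conflict is possible.
        return _host_port(headers.get("host", ""), 80)[0], ""
    if other is None or other == first_line:
        return first_line[0], ""
    winner, loser = (first_line, other) if prefer == "first-line" else (other, first_line)
    return winner[0], loser[0]


if __name__ == "__main__":
    # Constructed sample request: the first line and the Host header disagree.
    fronted = (b"GET http://cdn.example.com/index.html HTTP/1.1\r\n"
               b"Host: fronted.example.net\r\n\r\n")
    print(resolve_host(fronted))                       # ('cdn.example.com', 'fronted.example.net')
    # Constructed sample CONNECT: the tunnel target and the client hello disagree.
    tunnel = b"CONNECT cdn.example.com:443 HTTP/1.1\r\nHost: cdn.example.com:443\r\n\r\n"
    print(resolve_host(tunnel, client_hello_sni="hidden.example.org"))  # ('cdn.example.com', 'hidden.example.org')
```

A non-empty second element is exactly the condition a rule would test with URL.DiscardedHost; logging it alongside the host that was used gives the evidence needed to tell a misconfigured client from a deliberate fronting attempt.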

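The following is an added example, not code from the product: the matching rules that the URL.Host.BelongsToDomains and URL.SmartMatch entries above describe, written out in Python so that the match and no-match outcomes listed for Domain List and for http://www.mycompany.com/samplepath/xyz can be checked directly. The function names are this example's own; the behaviour for a URL that has no path at all (for example against the entry http://www.mycompany.com/) is not specified on the page and is an assumption here (no match).

```python
# Added example, not Web Gateway code: the domain-list matching of
# URL.Host.BelongsToDomains and the URL-part matching of URL.SmartMatch.
from urllib.parse import urlsplit


def host_in_domain(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it (*.domain), but not
    when domain is merely a suffix of the name (*domain)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def host_belongs_to_domains(host: str, domains) -> bool:
    """URL.Host.BelongsToDomains over a list of domain names."""
    return any(host_in_domain(host, d) for d in domains)


def parse_smart_entry(entry: str):
    """Split a SmartMatch list entry into (scheme, host, port, path).

    Absent parts are None (scheme, port) or '' (host, path).  An entry must
    carry at least a domain or a path, as the table requires.
    """
    scheme, rest = entry.split("://", 1) if "://" in entry else (None, entry)
    if rest.startswith("/"):
        host_port, path = "", rest
    else:
        host_port, slash, tail = rest.partition("/")
        path = slash + tail  # '' when the entry has no path part
    host, _, port = host_port.partition(":")
    if not host and not path:
        raise ValueError("entry must specify a domain or a path: %r" % entry)
    return (scheme.lower() if scheme else None, host.lower(),
            int(port) if port else None, path)


def smart_match_entry(url: str, entry: str) -> bool:
    """One SmartMatch comparison: the domain matches the host or a subdomain of
    it, the path matches as a prefix, and protocol and port must agree when the
    entry specifies them.  A port in the entry but not in the URL is no match."""
    u = urlsplit(url)
    scheme, host, port, path = parse_smart_entry(entry)
    if scheme is not None and scheme != u.scheme.lower():
        return False
    if port is not None and u.port != port:
        return False
    if host and not host_in_domain(u.hostname or "", host):
        return False
    if path and not u.path.startswith(path):
        return False
    return True


def smart_match(url: str, entries) -> bool:
    """URL.SmartMatch: True when any entry of the list matches the URL."""
    return any(smart_match_entry(url, e) for e in entries)


if __name__ == "__main__":
    # The list entries and URL from the table above.
    url = "http://www.mycompany.com/samplepath/xyz"
    for entry in ["mycompany.com", "https://mycompany.com", "host.mycompany.com",
                  "http://www.mycompany.com:8080/", "/samplepath/", "com"]:
        print("%-32s %s" % (entry, "match" if smart_match_entry(url, entry) else "no match"))
    print(host_belongs_to_domains("www.twitter.com", ["twitter.com"]))        # True
    print(host_belongs_to_domains("malicioustwitter.com", ["twitter.com"]))   # False
```

Running the block reproduces the table: the https entry fails on protocol, host.mycompany.com fails because www.mycompany.com is not below it, the :8080 entry fails because the URL carries no explicit port, and the bare "com" entry matches, which is the breadth the table's last line warns about.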
Properties - W
The following table describes the properties that have names beginning with W.

Wildcard.ToString (String): Wildcard expression converted into a string
  Parameters: Wildcard Expression: Wildcard expression to convert

List of statistics counters

The following table provides a list of the statistics counters that you can use in rules.
You can implement each of these counters by configuring it as a parameter of a particular rule event. Some of them are already implemented in rules of the default rule set system.

AMLoad: Percentage of CPU resources that is currently used by anti-malware filtering
AMUsed: Number of bytes in the virtual memory that are currently used by anti-malware filtering
AMUsedPhys: Number of bytes in the physical memory that are currently used by anti-malware filtering
AMJobQueueLength: Number of jobs that applications running on Web Gateway have placed in the anti-malware job queue
ApplHighRisk: Number of applications that are considered a high risk
ApplMediumRisk: Number of applications that are considered a medium risk
ApplMinimalRisk: Number of applications that are considered a minimal risk
ApplUnverified: Number of applications that no risk level could be verified for
ApplicationMemoryUsage: Percentage of memory that is currently in use
AuthNTLMCacheRequests: Number of NTLM authentication requests that were granted based on user information in the cache
AuthUserCacheRequests: Number of authentication requests that were granted based on user information in the cache
BlockedByAntiMalware: Number of requests blocked by anti-malware filtering
BlockedByApplControl: Number of requests blocked by application filtering
BlockedByDLPMatch: Number of requests blocked by the DLP process
BlockedByMediaFilter: Number of requests blocked by media type filtering
BlockedByURLFilter: Number of requests blocked by URL filtering
Categories: Number of URLs that were processed in each of the categories used in URL filtering
CertNameMismatch: Number of mismatches that occurred in certificate verification
CertNameWildCardMatch: Number of matches that occurred in certificate verification when wildcards had been submitted
CertExpired: Number of expired certificates
CertRevoked: Number of revoked certificates
CertSelfSigned: Number of self-signed certificates
CertUnresolvable: Number of certificates that could not be resolved
ClientCount: Number of clients that are currently communicating with Web Gateway
CloudEnc.DecryptionBytesAll: Number of bytes for all web objects that cloud decryption was applied to
CloudEnc.DecryptionErrorsAll: Number of bytes for all web objects that had cloud decryption resulting in an error
CloudEnc.DecryptionHitsAll: Number of bytes for all web objects that cloud decryption was successfully applied to
CloudEnc.EncryptionBytesAll: Number of bytes for all web objects that cloud encryption was applied to
CloudEnc.EncryptionErrorsAll: Number of bytes for all web objects that had cloud encryption resulting in an error
CloudEnc.EncryptionHitsAll: Number of bytes for all web objects that cloud encryption was successfully applied to
CloseWaits: Number of sockets that are in the CLOSE_WAIT state
ConnectedSockets: Number of sockets that are connected to Web Gateway
ConnectionsBlocked: Number of blocked connections
ConnectionsLegitimate: Number of legitimate connections
CoreLoad: Percentage of CPU resources that is currently used by the core process
CoreUsed: Number of bytes in the virtual memory that are currently used by the core process
CoreUsedPhys: Number of bytes in the physical memory that are currently used by the core process
CoreThreads: Number of threads that are currently processing in the core process
CoordLoad: Percentage of CPU resources that is currently used by the Coordinator subsystem
CoordUsed: Number of bytes in the virtual memory that are currently used by the Coordinator subsystem
CoordUsedPhys: Number of bytes in the physical memory that are currently used by the Coordinator subsystem
CPULoad: Percentage of CPU resources that are currently in use
CPUIdle: Percentage of CPU resources that are currently not in use
CPUUser: Percentage of CPU resources that are currently used by user-related functions
CPUSystem: Percentage of CPU resources that are currently used by system functions
DLPMatches: Number of matches that were achieved in DLP filtering
FilesystemUsage: Percentage of the opt system partition that is currently in use
FtpBytesFromServer: Number of bytes for all web objects that were received from a web server under FTP
FtpBytesToServer: Number of bytes for all web objects sent to a web server under FTP
FtpRequests: Number of requests received under FTP
FtpTraffic: Number of bytes for all web objects sent and received under FTP
GTICloudTimedOut: Number of timeouts that occurred on the Global Threat Intelligence server when cloud lookups were performed in URL filtering
GTIFileRepCloudLookupDone: Number of cloud lookups that were performed by Global Threat Intelligence to retrieve file reputations
GTIRequestSentToCloud: Number of requests that were sent to Global Threat Intelligence to retrieve URL category information (not file reputations)
HarddiskUsage: Percentage of hard-disk space that is currently available
HttpBytesFromClient: Number of bytes for all web objects that were received from a client under HTTP
HttpBytesFromServer: Number of bytes for all web objects that were received from a web server under HTTP
HttpBytesToClient: Number of bytes for all web objects that were sent to a client under HTTP
HttpBytesToServer: Number of bytes for all web objects that were sent to a web server under HTTP
HttpRequests: Number of requests received under HTTP
HttpTraffic: Number of bytes for all web objects sent and received under HTTP
HttpsBytesFromClient: Number of bytes for all web objects that were received from a client under HTTPS
HttpsBytesFromServer: Number of bytes for all web objects that were received from a web server under HTTPS
HttpsBytesToClient: Number of bytes for all web objects sent to a client under HTTPS
HttpsBytesToServer: Number of bytes for all web objects sent to a web server under HTTPS
HttpsRequests: Number of requests received under HTTPS
HttpsTraffic: Number of bytes for all web objects sent and received under HTTPS
ICAPReqmodRequests: Number of requests received in the Reqmod mode of ICAP
ICAPReqmodTraffic: Number of bytes for all web objects sent and received in the Reqmod mode of ICAP
ICAPRespmodRequests: Number of requests received in the Respmod mode of ICAP
ICAPRespmodTraffic: Number of bytes for all web objects sent and received in the Respmod mode of ICAP
IfpRequests: Number of requests received under IFP
KerberosRequests: Number of requests for authentication using the Kerberos method
LDAPRequests: Number of requests for authentication using the LDAP method
LoadPerCPU: Load on a Web Gateway appliance divided by the number of CPU cores (rounded integer)
MalwareDetected: Number of malicious objects found by anti-malware filtering
MATDInfected: Number of viruses found by Advanced Threat Defense
MATDRequests: Number of requests sent to Advanced Threat Defense
MATDScanTime: Number of seconds used by the Advanced Threat Defense process
MemoryUsage: Percentage of memory that is currently in use
MemUsed: Number of bytes in the memory that are currently in use system-wide
MemFree: Number of bytes in the memory that are currently not in use system-wide
MT.Archives: Number of archives that are processed
MT.Audio: Number of audio files that are processed
MT.Database: Number of database files that are processed
MT.Document: Number of documents that are processed
MT.Executable: Number of executable files that are processed
MT.Image: Number of images that are processed
MT.Stream: Number of data streams that are processed
MT.Text: Number of text files that are processed
MT.Video: Number of video files that are processed
NetworkBytesReceived: Number of bytes received in network communication
NetworkBytesSent: Number of bytes sent in network communication
NTLMAgentRequests: Number of requests for authentication using an agent system to apply the NTLM method
NTLMAgentRequestProcTime: Average time (in milliseconds) for processing an NTLM Agent request
NTLMRequests: Number of requests for authentication using the NTLM method
NTLMRequestsProcTime: Average time (in milliseconds) for processing an NTLM request
OTPSendProcTime: Average time (in milliseconds) for processing an OTP request
OTPSendRequests: Number of requests received submitting a One-Time Password (OTP)
OTPVerifyProcTim: Average time (in milliseconds) for OTP verification
OTPVerifyRequests: Number of requests received in OTP verification
RADIUSRequests: Number of requests for authentication using the RADIUS method
RADIUSRequestsProcTime: Average time (in milliseconds) for processing a RADIUS request
RepHighRisk: Number of URLs with a reputation that is considered a high risk
RepMediumRisk: Number of URLs with a reputation that is considered a medium risk
RepMinimalRisk: Number of URLs with a reputation that is considered a minimal risk
RepUnverified: Number of URLs with a reputation that could not be verified
ReputationMalicious: Number of URLs with a reputation of being malicious
ReputationNeutral: Number of URLs with a reputation that is considered neutral regarding its risk level
ReputationTrusted: Number of URLs with a reputation that is trusted
ReputationUnverified: Number of URLs with a reputation that could not be verified
SOCKSRequests: Number of requests received under SOCKS
SOCKSTraffic: Number of bytes for all web objects sent and received under SOCKS
SOCKSv4Requests: Number of requests received under SOCKS version 4
SOCKSv4Traffic: Number of bytes for all web objects sent and received under SOCKS version 4
SOCKSv5Requests: Number of requests received under SOCKS version 5
SOCKSv5Traffic: Number of bytes for all web objects sent and received under SOCKS version 5
SSO.AllLogins: Number of logons performed using cloud single sign-on
SSO.IncorrectTokens: Number of invalid tokens submitted when logon was performed using cloud single sign-on
StatDBSize: Number of bytes stored in the statistics database
SwapUsed: Number of bytes in the swap space that are currently in use
SwapFree: Number of bytes in the swap space that are currently not in use
TimeConsumedByGTIFileRepCloudLookup: Average time (in milliseconds) spent for a cloud lookup performed by Global Threat Intelligence to retrieve a file reputation
TimeConsumedByGTIURLCloudLookup: Average time (in milliseconds) spent for a cloud lookup performed by Global Threat Intelligence to retrieve category information for a particular URL
WebCacheDiskUsage: Percentage of disk space that is currently used by the web cache
WebCacheHits: Number of objects that were requested and found in the web cache
WebCacheMisses: Number of objects that were requested and not found in the web cache
WebCacheObjectsCount: Number of objects in the web cache

Wildcard expressions
When completing configuration activities on an appliance, you can use wildcard expressions for several purposes, for example, to
match URLs on blocking lists and whitelists.
There are two types of wildcard expressions you can use:
• Glob expressions — Using these is the default.
More information about this type of expressions is, for example, provided on the following Linux man page:
glob(7)
• Regular expressions (Regex) — If you want to use these, you need to type the term regex first and then include the regular
expression in parentheses, for example:
regex(a*b)
The regular expressions that are used on the McAfee Web Gateway appliance follow the Perl Regular Expression syntax.
Information on this syntax is, for example, provided on the following Linux man page:
perlre(1)

List of special glob characters

The following table provides a list of important special characters you can use to create glob-type wildcard expressions.

?  Matches any single character (if not between square brackets).
   For example, ?est matches:
   best
   rest
   test
   and others

*  Matches any string, including the empty string (if not between square brackets).
   For example, b* matches:
   b
   best
   binary
   and others

[...]  Matches any of the single characters included in the square brackets.
   ? and * are normal characters between square brackets.
   For example, [a5?] matches:
   a
   5
   ?
   Note: A literal ! must not be the first character between the brackets, because in that position it negates the set (see the next entry).

!  When it is the first character between square brackets, matches any single character except those that follow it.
   For example, [!ab] matches:
   c
   S
   %
   but not:
   a
   b

-  Is used to denote a range of characters between square brackets.
   For example, [a-f A-F 0-5] matches:
   d
   F
   3
   and others
   Note that the spaces inside the brackets are themselves members of the set, so this expression also matches a space character; write [a-fA-F0-5] if that is not intended.

/  Is not matched by ? or * and cannot be included in [...] or be part of a range.
   This means, for example, that
   http://linux.die.net/*
   does not match the following pathname:
   http://linux.die.net/man/7/glob
   The pathname is, however, matched by:
   http://linux.die.net/*/*/*

\  If preceding ?, *, or [, these are normal characters.
   For example, [mn\*\[] matches:
   m
   n
   *
   [

.  A . (dot) at the beginning of a file name must be matched explicitly.
   For example, the command:
   rm *
   will not remove the file .profile.
   However, the following command will:
   rm .*

List of special regex characters


The following table provides a list of important special characters you can use to create regex-type wildcard expressions.

List of special regex characters

Character Description

. Matches any single character.


For example, regex(.est) matches:
best
rest
test
and others

* Matches the preceding character zero or more times


For example, regex(a*b) matches:
b
ab
aaaaab
and others

+ Matches the preceding character once or more times.


For example, regex(c+d) matches:
cd
ccccd

McAfee Web Gateway 8.0.x Interface Reference Guide 329


Character Description
and others

? Matches the preceding character zero times or once.


For example, regex(m?n) matches:
n
mn

^ Matches the beginning of a line

$ Matches the end of a line

{...} Are used to match a character as many times as specified.


Options:
• a{n} — Matches a character n times
For example, regex(a{3}) matches:
aaa
• a{n,} — Matches a character n and more times
For example, regex(p{4,}) matches:
pppp
ppppp
and others
• a{n,m} — Matches between n and m times, including the limiting values
For example, regex(q{1,3}) matches:
q
qq
qqq

| Separates expressions that match alternatively.


For example, regex(abc|klm) matches:
abc
klm

(...) Delimits an alternative expression combined with another expression.


For example, regex(bi(n|rd)) matches:
bin
bird

[...] Matches any of the single characters included in the square brackets.
For example, regex([bc3]) matches:
b
c
3

- Is used to denote a range of characters in a bracketed expression.


For example, regex([c-f C-F 3-5]) matches:
d
F
4
and others

^ At the start of a bracketed expression, negates the set: matches any single character except those listed after the ^.
For example, regex([^a-d]) matches:
e
7
&
and others, but not
a
b
c
d

\ If preceding a special character, turns it into a normal character.


For example, regex(mn\+) matches:
mn+
If preceding some normal characters, matches a particular class of characters.
For information on these classes, refer to the perlre man page or other documentation. The following
are examples of frequently used character classes.
regex(\d) matches numerical characters (digits), such as:
3
4
7
and others
regex(\w) matches word characters, that is, letters, digits, and the underscore, such as:
a
F
s
_
and others
regex(\D) matches all characters that are not digits, such as:
c
T
%
and others
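The following is an added example, not code from the McAfee Web Gateway product or from this guide. It is a Python model of the two matching syntaxes described in the tables above: the wildcard-type rules for ?, *, [...], \ and the leading dot, and list entries written in the regex(...) style. Its purpose is to let you check what a list entry matches offline before deploying it. Two points are assumptions rather than statements of the guide: that a regex(...) entry is searched unanchored (so ^ and $ are needed to pin it, as the table's ^ and $ rows imply), and that the Web Gateway matcher itself behaves exactly as the tables describe. All sample patterns and texts are constructed for the demonstration.

```python
import re

# Added example: a Python model of the wildcard-type and regex-type list entries
# described in the tables above. It is not McAfee's code; Web Gateway's own
# matcher is not published here, so use this to reason about entries offline,
# not as the product's exact behaviour.


def _bracket_body(body: str) -> str:
    """Translate the inside of a [...] set, keeping '-' as a range operator."""
    out = []
    k = 0
    while k < len(body):
        ch = body[k]
        if ch == "\\" and k + 1 < len(body):      # \* \[ etc. inside the set
            out.append(re.escape(body[k + 1]))
            k += 1
        elif ch == "-":                           # keep ranges such as a-f
            out.append("-")
        else:                                     # ^ and ! are literal here: the
            out.append(re.escape(ch))             # wildcard table lists no negated set
        k += 1
    return "".join(out)


def glob_to_regex(pattern: str) -> str:
    """Translate a wildcard-type expression into an equivalent Python regex.

    Rules taken from the wildcard table:
      ?     exactly one character, never '/'
      *     zero or more characters, never '/'
      [...] one character from the set; '/' may not appear in the set
      \\x   the character x taken literally (so \\? \\* \\[ are not wildcards)
      .     a leading dot in a path component must be matched explicitly
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        component_start = i == 0 or pattern[i - 1] == "/"
        if c in "*?[" and component_start:
            out.append(r"(?!\.)")          # a wildcard may not swallow a leading dot
        if c == "*":
            out.append(r"[^/]*")
        elif c == "?":
            out.append(r"[^/]")
        elif c == "\\" and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))
            i += 1
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j <= i + 1:                 # unterminated or empty set: a literal '['
                out.append(r"\[")
            else:
                body = pattern[i + 1:j]
                if "/" in body:
                    raise ValueError("'/' cannot be part of a [...] set: " + pattern)
                out.append("[" + _bracket_body(body) + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def wildcard_match(pattern: str, text: str) -> bool:
    """True if the whole of text is matched by the wildcard-type pattern."""
    return re.fullmatch(glob_to_regex(pattern), text) is not None


_REGEX_ENTRY = re.compile(r"^regex\((.*)\)$", re.DOTALL)


def match_entry(entry: str, text: str) -> bool:
    """Match a list entry written either as regex(...) or as a wildcard expression.

    Assumption (not stated in the guide): a regex(...) entry is searched
    unanchored, so ^ and $ are needed to pin it to the start or end of the text.
    """
    m = _REGEX_ENTRY.match(entry)
    if m:
        return re.search(m.group(1), text) is not None
    return wildcard_match(entry, text)


if __name__ == "__main__":
    # Constructed sample checks mirroring rows of the two tables above.
    checks = [
        ("http://linux.die.net/*", "http://linux.die.net/man/7/glob"),
        ("http://linux.die.net/*/*/*", "http://linux.die.net/man/7/glob"),
        ("*", ".profile"),
        (".*", ".profile"),
        ("regex(www.example.com)", "wwwXexampleYcom"),
        (r"regex(www\.example\.com)", "wwwXexampleYcom"),
    ]
    for entry, text in checks:
        print(f"{entry!r:45} {text!r:45} {match_entry(entry, text)}")
```

Run the module and compare the printed results with what you expect a list entry to cover. The model is deliberately strict in the two places that most often surprise administrators: a bare * in a URL entry does not cross a /, so a single trailing * covers only one path component, and an unescaped dot in a regex(...) host name matches any character, not only a dot.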

Rule sets change log
This reference guide for McAfee® Web Gateway (Web Gateway) provides a log that records changes to existing rule sets and
additions of new rule sets, listed by product version.
Product versions include major versions with three-part version numbers, for example, 7.7.0, and maintenance versions with four-part
version numbers, for example, 7.7.0.1. The log begins with version 7.6.2.

Log updates
The log is updated with every release of a major version of Web Gateway.
• Rule set changes and additions in major versions are announced in the release notes for those versions and included in the
log.
• Rule set changes and additions in maintenance versions are recorded in the release notes for those versions. They are included
in the log when it is updated at the next release of a major version.
For example, the update for version 7.7.1 includes changes and additions for version 7.7.1, as well as for versions 7.7.0.1, 7.7.0.2,
and so on.
Note: Changes and additions before version 7.6.2 are recorded in the release notes, but do not appear in the log.

Log entries
Log entries are listed by product version.
In the entries, rule sets are marked as default or library rule sets and as changed or new. Product versions are marked according
to whether they were originally provided as main or controlled releases.
Note: Rule set changes are only included in your version of Web Gateway if you installed this version as a new installation (clean
install) or imported the respective rule set from the rule set library. An upgraded installation keeps its existing rule sets.

7.6.2 – Controlled release


These rule sets are new or have been changed in this version.

Gateway Anti-Malware with TIE (Library rule set) – New


This rule set provides rules for use in addition to the rules in the Gateway Anti-Malware default rule set.
These rules integrate the anti-malware filtering performed by the filtering functions of Web Gateway with information retrieved
from a TIE server. The TIE server is in turn notified of critical filtering results found on Web Gateway.
Note: The integrated filtering is only applied to files of the Executables media type.
Three rules query the TIE server for file reputation and execute different actions depending on whether the reputation of a file is
in the trusted range, unknown, or in the malicious range. The rule that handles malicious reputation blocks access to the file.
Four rules at the end of the rule set handle filtering based on the results of the Gateway Anti-Malware engine. Three of them also
notify the TIE server according to the level of probability that a file is malicious. The fourth rule handles filtering without notifying
the TIE server.

SSL Scanner (Default rule set) – Changed


The Verify Signature Algorithms embedded rule set has been added to this rule set with two rules that were moved from another
embedded rule set.
One of these rules is also named Verify Signature Algorithms. This rule was moved because in its old position, it caused an
inappropriate skipping of a following embedded rule set. Block Unsafe Algorithms was moved because it is related to the former rule.

7.6.2.6 - Main release


The following rule sets are new in this version.

Cloud Threat Detection (Library rule set) – New


This rule set forwards suspicious web objects to Cloud Threat Detection for additional anti-malware scanning after they have already
been scanned according to the rules in the Gateway Anti-Malware default rule set.

A web object is passed on to the requesting client only after the scanning process is completed, and only if the scanning result
allows it.
Note: To use this rule set, you must have subscribed to the Cloud Threat Detection service. You must also import an activation key to
Web Gateway.

Cloud Threat Detection - Handle Offline Scan (Library rule set) – New
This rule set mainly performs the same tasks as the Cloud Threat Detection rule set.
It behaves differently, however, in that a web object is passed on to the requesting client immediately, without waiting until
anti-malware scanning by Cloud Threat Detection has completed.
You can add rules to make use of the scanning result. For example, you can send a notification to the administrator if a web
object that has been passed on was found to be infected by a virus.

7.6.2.7 - Main release


This rule set has been changed in this version.

Bypass Microsoft (Office 365) Services (Library rule set) – Changed


This rule set is available in the Common Rules section of the rule set library.
In the Bypass Microsoft Office 365 Pro Plus rule of this rule set, the rule criteria were modified by replacing the URL property with URL.Host.
This enables proper use of the list referenced in the criteria by default, as the entries in this list are intended to match URL.Host
rather than the former property.

7.7.0 - Controlled release


This rule set has been changed in this version.

Web Cache (Default rule set) – Changed


This rule set contains the Write to Cache embedded rule set with a rule that skips caching for objects larger than 8 MB.
After the initial setup of Web Gateway, this rule is now disabled.

7.7.0.3 - Controlled release


The following rule sets are new in this version.

Cloud Threat Detection (Library rule set) – New


This rule set forwards suspicious web objects to Cloud Threat Detection for additional anti-malware scanning after they have already
been scanned according to the rules in the Gateway Anti-Malware default rule set.
A web object is passed on to the requesting client only after the scanning process is completed, and only if the scanning result
allows it.
Note: To use this rule set, you must have subscribed to the Cloud Threat Detection service. You must also import an activation key to
Web Gateway.

Cloud Threat Detection - Handle Offline Scan (Library rule set) – New
This rule set mainly performs the same tasks as the Cloud Threat Detection rule set.
It behaves differently, however, in that a web object is passed on to the requesting client immediately, without waiting until
anti-malware scanning by Cloud Threat Detection has completed.
You can add rules to make use of the scanning result. For example, you can send a notification to the administrator if a web
object that has been passed on was found to be infected by a virus.

7.7.1 - Controlled release


These rule sets have been changed in this version.

HTML Filtering (Library rule set) – Changed


This rule set contains the Link Filter rule set, which is embedded under HTML Filtering → Advertising.
A rule has been added to this rule set that removes an HTML element of the audio or video type if this element type has been entered
on the filtering list that the rule uses.

Bypass Microsoft (Office 365) Services (Library rule set) – Changed
This rule set is available in the Common Rules section of the rule set library.
In the Bypass Microsoft Office 365 Pro Plus rule of this rule set, the rule criteria were modified by replacing the URL property with URL.Host.
This enables proper use of the list referenced in the criteria by default, as the entries in this list are intended to match URL.Host
rather than the former property.

7.7.2 - Controlled release


This rule set has been changed in this version.

SSL Scanner (Default rule set) – Changed


This rule set contains the Verify Signature Algorithms rule set, which is embedded in the Certificate Verification rule set.
In this embedded rule set, a rule blocks requests sent over SSL connections if the certificate used to secure the connection has
been signed with an unsafe signature algorithm.
The rule is now enabled by default.

7.8.1 - Controlled release


This rule set has been changed (renamed) in this version.

HTTPS Scanning (Default rule set) - Changed


This rule set has been renamed from SSL Scanner to its present name.
The rule set is available as a top-level rule set in the default system of rule sets after the initial setup of Web Gateway. It is not
enabled by default. Several nested rule sets are included in this rule set.

COPYRIGHT
Copyright © 2020 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.
