McAfee Web Gateway

Overview

Nevelex Labs provides a McAfee Web Gateway plugin to expose list management capabilities within the McAfee Web Gateway.

Functionality

The plugin provides the following functionality:

Add entries to a list
Remove entries from a list
Send broadcast block/unblock domain events to any plugin configured to listen for the broadcast

Instance Configuration Parameters

Property

Description

Instance Name

Name for the McAfee Web Gateway instance.

Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.

Use TLS

Requires TLS communication between the plugin instance and the McAfee Web Gateway REST API. If enabled, the port number is typically 4712. If disabled, the port number is typically 4711.

Server

IP or host name of the McAfee Web Gateway.

Server Port

The port number for connecting to the McAfee Web Gateway. Without TLS, the port is typically 4711. With TLS enabled, the port it typically 4712.

Username

The McAfee Web Gateway username with REST API role capabilities enabled.

Password

The password for the McAfee Web Gateway username.

Broadcast Settings

Listen for Domain Block broadcast events

Listen for Domain Block broadcast events. This means the domain and, for Wildcard Expression lists, domain variants are added to the list. The domain variants are:

domain.tld
domain.tld/*
*.domain.tld
*.domain.tld/*

Listen for Domain Unblock broadcast events

Listen for Domain Unblock broadcast events. This means the domain and, for Wildcard Expression lists, domain variants are removed from a list. The domain variants are:

domain.tld
domain.tld/*
*.domain.tld
*.domain.tld/*

Domain Broadcast Block List

Block list which is the target for broadcast domain block/unblock events. If the list doesn’t exist and the Domain Broadcast Block List Type is String, the plugin will create it under Lists->Custom Lists->String. If the list doesn’t exist and Domain Broadcast Block List Type is Wildcard Expression, the plugin will create it under Lists->Custom Lists->Wildcard Expression.

Domain Broadcast Block List Type

If the Domain Broadcast Block List needs to be created, this is the type of the list. If not selected, String is assumed. String should be selected when the intent is define a rule set using a URL.SmartList. Wildcard Expression ensures a number of variations of the domain are added with wildcards.

Listen for URL Block broadcast events

Listen for URL Block broadcast events. This means the URL is added to the list.

Listen for URL Unblock broadcast events

Listen for URL Unblock broadcast events. This means the URL is removed from the list.

URL Broadcast Block List

Block list which is the target for broadcast URL block/unblock events. If the list doesn’t exist and the URL Broadcast Block List Type is String, the plugin will create it under Lists->Custom Lists->String. If the list doesn’t exist and URL Broadcast Block List Type is Wildcard Expression, the plugin will create it under Lists->Custom Lists->Wildcard Expression.

URL Broadcast Block List Type

If the URL Broadcast Block List needs to be created, this is the type of the list. If not selected, String is assumed. String should be selected when the intent is define a rule set using a URL.SmartList.

Listen for IP Block broadcast events

Listen for IP Block broadcast events. This means the IP address is added to the list.

Listen for IP Unblock broadcast events

Listen for IP Unblock broadcast events. This means the IP address is removed from the list.

IP Broadcast Block List

Block list to use for broadcast IP block/unblock events. If the list doesn’t exist, the plugin will create it under Lists->Custom Lists->IP.

Comment Template for Broadcast Events

A comment template using mustache format notation for defining the comment set for broadcast events. Only {{ sfMwgListEntry }} is available for substitution within this template.

Flow Nodes

Node to manage lists within McAfee Web Gateway.

Property

Description

Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Action

The following actions are supported:

Block (Add to List) Within
Unblock (Remove from List) Within
Block (Add to List) Domain
Block (Add to List) URL
Block (Add to List) IP
Unblock (Remove from List) Domain
Unblock (Remove from List) URL
Unblock (Remove from List) IP

Domain / URL / IP List

The McAfee Web Gateway list to add or removed items from. If the list does not exist, it will be created as an IP, String, or Wildcard Express custom list. This field is editable, so any value may be entered into it. This field is seeded with a default set of list names.

URL / Domain List Type

URL / Domain List Type defines the type of list to create if the designated domain or URL list does not exist. Select a String list type when the intent is to define a rule set using a URL.SmartMatch rule. If Wildcard Expression list type is selected, domains are transformed into the following four entries:

domain.tld
domain.tld/*
*.domain.tld
*.domain.tld/*

Block / Unblock Within

The location within the incoming message to search for list elements. Defaults to msg.payload.ioc.

Domain / IP Address / URL

The location within the incoming message to search for list element. Defaults to msg.payload.ioc.domain, msg.payload.ioc.ip, or msg.payload.ioc.url depending on the selected Action.

Behavior

When the Action is Block (Add to List) Within or Unblock (Remove from List) Within, the following behavior is defined for URLs and domains based on the selection.

URL: Only URLs are processed while domains are ignored
Domain: Only domains are processed while URLs are ignored
URL And Domain: Both URLs and domains are processed

Convert to Domain

When looking at URLs, this setting enables converts a URL to a domain.tld format prior to adding it to a list.

Learn More

Link: Setting up McAfee Web Gateway

Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

Contact Us

EULA