Secure Web Gateway Management Console Reference Guide
Release 10.0 • Manual Version 1.01 M86 SECURITY SETUP AND CONFIGURATION GUIDE
© 2010 M86 Security All rights reserved. 828 W. Taft Ave., Orange, CA 92865, USA
Version 1.01, published November 2010 for SWG software release 10.0
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent from M86 Security.
Every effort has been made to ensure the accuracy of this document. However, M86 Security makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. M86 Security shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. Due to future enhancements and modifications of this product, the information described in this documentation is subject to change without notice.
Trademarks
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.
CONTENTS

INTRODUCTION TO THE SECURE WEB GATEWAY MANAGEMENT CONSOLE ...... 1
WORKING WITH THE MANAGEMENT CONSOLE ...... 3
Management Console ...... 3
Main Menu ...... 4
Using the Management Console ...... 6
Management Wizard ...... 10
User Groups Wizard ...... 11
Log Entry Wizard ...... 28
DASHBOARD ...... 33
Dashboard Console ...... 33
Functionality ...... 34
Device Gauges ...... 35
Performance Graphs ...... 38
Messages (SNMP) ...... 40
Device Utilization Graphs ...... 41
USERS ...... 47
Users ...... 47
Users/User Groups ...... 47
User Group Details Screen ...... 49
Blocked and Revoked Cloud Users ...... 52
Unknown Users ...... 55
Independent Users ...... 57
Creating a New User Group ...... 60
Adding a User to a User Group ...... 63
Moving Users ...... 64
The Importance of User/User Group Identifiers ...... 66
Cloud User Certificate Management ...... 67
LDAP ...... 70
General ...... 72
Advanced Settings ...... 76
Example for Adding an LDAP Directory ...... 80
Import Groups ...... 83
Populating the LDAP Groups with Users ...... 85
Settings and Defaults ...... 87
Scheduled Settings ...... 88
Unassigned LDAP Groups ...... 89
Assigning Policies ...... 91
Moving LDAP Groups ...... 92
Active Directory ...... 95
Authentication Server ...... 95
ADMINISTRATION ...... 99
Administrators ...... 100
Default Permissions ...... 102
Administrator Group Details ...... 106
Administrator Details ...... 107
Creating a new Administrators Group ...... 109
Adding an Administrator to an Administrators Group ...... 111
Permissions ...... 112
System Settings ...... 116
M86 Devices ...... 118
Available Device Tree Options ...... 120
Device IP ...... 122
Network Roles ...... 130
Log Server ...... 131
Scanning Server ...... 142
Integrated SSL Scanning ...... 160
Default Values ...... 200
Policy Server ...... 203
Scanning Options ...... 213
Mail Server ...... 217
Scanning Engines ...... 219
Administrative Settings ...... 226
Digital Certificates ...... 228
License ...... 234
Debug Logs ...... 236
GUI Log Level ...... 237
Cloud ...... 239
Cloud Configuration ...... 240
Certificate Management Mode ...... 240
Configuration ...... 241
Email Template ...... 264
Rollback ...... 266
Rollback Settings ...... 268
Backup Now ...... 270
Restore (Rollback) ...... 271
Reports Settings ...... 272
Database Settings ...... 273
Database Restore ...... 276
Export/Import ...... 277
Export ...... 277
Import ...... 279
Updates ...... 308
Updates Management ...... 310
Updates Configuration ...... 317
Alerts ...... 320
Alert Settings ...... 320
SNMP ...... 325
Security ...... 330
System Information ...... 332
General ...... 333
Licensed Modules ...... 334
Installed Components ...... 334
Change Password ...... 335
POLICIES ...... 337
Working with Policies ...... 337
Security Policies - Simplified ...... 339
URL Lists ...... 342
File Extensions ...... 343
True Content Type ...... 345
URL Categorization ...... 346
Assigned User Groups ...... 348
Add/Edit User Group ...... 349
Security Policies - Advanced ...... 351
Security Policies Tree ...... 353
Available Policies Tree Options ...... 356
Security Policy Details ...... 359
Security Rule Details ...... 361
Condition Details for Security Policy Rules ...... 365
Example for Creating a Security Rule ...... 413
Master Security Policy ...... 416
Assigning a Master Policy ...... 418
Default Master Policy ...... 420
Master Policy Log Events ...... 421
HTTPS Policies ...... 423
HTTPS Policies Tree ...... 425
HTTPS Policy Details ...... 426
HTTPS Rule Details ...... 428
Condition Details for HTTPS Policy Rules ...... 431
Certificate Validation Errors ...... 433
Location ...... 434
URL Filtering (IBM/Websense) ...... 435
URL Lists ...... 436
Example for Creating an HTTPS Rule ...... 438
Logging Policies ...... 440
Logging Policies Tree ...... 442
Logging Policy Details ...... 446
Logging Rule Details ...... 447
Conditions for Logging Policy Rules ...... 449
Example for Creating a Logging Rule ...... 453
Identification Policies ...... 456
Identification Policies Tree ...... 457
Identification Policy Details ...... 459
Identification Rule Details ...... 460
Identification Policy Rules Condition Details ...... 463
Device Logging Policies ...... 471
Identification Logging Policies Tree ...... 472
Identification Logging Policy Details ...... 473
Identification Logging Rule Details ...... 474
Identification Logging Policy Rule Conditions ...... 475
Upstream Proxy ...... 490
Default Policy Settings ...... 492
Condition Settings ...... 495
Available Condition Settings Tree Options ...... 497
Condition Settings: Active Content List ...... 500
Condition Settings: Archives ...... 505
Condition Settings: Binary Behavior ...... 506
Condition Settings: Content Size ...... 521
Condition Settings: Data Leakage Prevention ...... 524
Condition Settings: Destination Port Range ...... 529
Condition Settings: File Extensions ...... 532
Condition Settings: Header Fields ...... 534
Condition Settings: HTTPS Certificate Validation ...... 537
Condition Settings: IP Range ...... 544
Condition Settings: Pre Authenticated Headers ...... 546
Condition Settings: Script Behavior ...... 548
Condition Settings: Time Frame ...... 560
Condition Settings: Upstream Proxy ...... 562
Condition Settings: URL Lists ...... 564
Condition Settings: Vulnerability Anti.dote ...... 571
Caching Policy ...... 607
Caching Policy Details ...... 609
Caching Policy Rule Details ...... 610
Caching Policy Rule Condition Details ...... 612
End User Messages ...... 614
Block/Warn Messages ...... 616
Block/Warn Message Details ...... 617
Creating a Block/Warn Message ...... 621
Message Template ...... 623
LOGS AND REPORTS ...... 625
View Web Logs ...... 626
Add to URL List ...... 628
Web Logs Profile Settings ...... 629
Transaction Entry Details ...... 635
View System Logs ...... 646
System Logs Profile Settings ...... 647
View Audit Logs ...... 651
Audit Logs Profile Settings ...... 653
Log Profiles ...... 658
Web Log Profiles ...... 658
System Log Profiles ...... 658
Audit Log Profiles ...... 658
Reporting Tool ...... 658
Reports ...... 659
Reports Categories ...... 664
Exported Reports Location ...... 676
HELP ...... 679
Help Menu ...... 679
Online Help ...... 679
Manuals ...... 680
External Links ...... 680
About ...... 681
REPORTS ...... 683
END USER MESSAGES ...... 689
Chapter 1: Introduction to the Secure Web Gateway Management Console
NOTES: This Management Console Reference Guide is based on Software Version 10.0.

The Secure Web Gateway Management Console provides administrators with a tool for managing the entire Secure Web Gateway deployment from the Policy Server. This capability is provided via a Web based, user-friendly interface accessible with Microsoft Internet Explorer 7.0 and higher or Firefox 3.0 and higher.

The Secure Web Gateway Management Console provides administrators with the following functionality:
• Security Management – Administrators can define Security Policies, the rules they are based on, and the lists and behavior profiles that are the basis for the rules.
• User Management – Administrators can define User Groups and Users, and associate Security, HTTPS, Authentication and Logging Policies with these users and groups. Importing user data from external repositories is also managed from the Management Console.
• Monitoring – The Management Console enables monitoring of the transactions in the system based on the data stored by the Log Server. Various filtering and sorting capabilities enable, for example, help desk operators to check the Web traffic and the results of the Security Policy.
• Reporting – The Management Console enables deep analysis of the transactions in the system based on the data stored by the Report Server. The Management Console provides built-in reports.
• Configuration Management – The Management Console provides the interface for updating parameters related to the actual deployment of the system.
• Update Management – The administrator can automatically or manually install both Software versions and Security updates for the Secure Web Gateway system.
NOTES: For information on setting up your system, please refer to the Setup and Configuration Guide.
Chapter 2: Working with the Management Console
Management Console
The Management Console allows you to configure, update and maintain the day-to-day running of your organization’s security needs.
NOTES: Before accessing the Management Console, make sure to add the Policy Server IP to the Proxy Server Exceptions in your Internet settings. This will ensure optimum performance.

To access the Management Console:
1. In your Internet browser, enter a URL containing the IP address assigned to your Policy Server (https://policyserverIP).
2. If you are using Internet Explorer 7 or 8, then the first time you log in, this screen will appear. Click Continue to this website.
Figure 2-1: Website's Security Certificate
3. The SWG Management Console appears on your screen with the Login dialog box.
Main Menu

The Main Menu of the Management Console appears as follows:

Figure 2-2: Main Menu

The Main Menu drop-down options comprise the functionality of the SWG Appliance as follows:
• Users: Provides options for the system administrator to import users, arrange them into groups, and assign Security and other Policies to them.
• Policies: Provides simplified and advanced configuration options for Policies. Security Policies comprise the main rules of Internet behavior for the end-users in your organization; they form the definition of secure behavior and address the constraints imposed on Internet traffic. HTTPS Policies also focus on securing Internet content on HTTPS sites. Logging Policies determine which actions are recorded for analysis, and Authentication Policies concentrate on identifying the end-users.
• Logs and Reports: The Web Logs screen provides monitoring of the blocked or suspicious content that was not allowed through. Logs are also available for system monitoring and for administrator monitoring.
• Administration: Provides the main bulk of the administrative, monitoring and configuration options for the SWG devices and other scanning abilities. You can also perform system backups and restores from here, set High Availability, set alerts for system administrators and retrieve Security and Maintenance Updates.
• Help: Provides links, manuals and other resources for M86 Secure Web Gateway.
• Logout: Provides the user with the option to log out of the M86 Secure Web Gateway console.

The Management icons found within the console are explained below.

Menu Bar Icons:
• Activates the Management Wizards.
• Directs you to the Web Logs screen for monitoring transactions.
• Directs you to the M86 Devices screen for device configurations.
• Directs you to the Dashboard - the one-stop System Monitoring component of the Management Console allowing you to keep tabs on all the Devices in real time.
• “Commit Changes”. After editing and saving any changes, click Commit Changes. An additional dialog screen will pop up for you to add a Note. This Note will be displayed in the Audit Log view.
• Click this icon to collapse and expand the left tree pane.
• Click this icon to refresh the current screen.

Icons in Edit Screen:
• Click this icon to add rows.
• Click this icon to add or delete specific rows.
See also: Using the Management Console, Management Wizard

Using the Management Console

In addition to using the Menu bar and the icons there are several other important navigational aspects to the Management Console.

See also: Management Console, Management Wizard, Understanding the Screens, General Navigational Points

Understanding the Screens
Whenever there are several elements to be displayed within a category, the screen is divided into two: a tree in the left pane and an editing screen in the right.

Left Pane Tree: Either click the options on the left side of the tree or right-click the folders in the tree to display further options. Depending on the folder your cursor is in, different options will be available.
Right Screen Editing: You must click the Edit button to enable this screen for editing.
Figure 2-3: Understanding the Screens: Part One
Figure 2-4: Understanding the Screen: Part Two

See also: Management Console, General Navigational Points

General Navigational Points
The following points are relevant for the Management Console:
• Whenever any of the options are grayed out - such as the Edit button or a right-click option - it means the administrator does not have Update permissions for this object.
• Right-hand screens can contain a single pane or several tabs, each containing information.
• Fields appear in yellow when they are either missing data or contain invalid data. In addition, when working on a multi-tab screen, if there are mistakes in one tab, it will appear with an exclamation mark beside it.
• Left tree panes contain a sidebar in which icons are available for performing actions that are relevant to the current node. Depending on the Update permissions of the user, these icons will either be enabled or disabled (grayed out).
Figure 2-5: Understanding the Screen: Part Three

See also: Management Console, Understanding the Screens

Management Wizard
Management Wizards have been introduced to simplify the use of the Management Console. The Wizards provide the Administrator with quick access to the most frequently used features. The use of one-click wizards eases the management of customer transactions, and configuration of user groups and security policies. The various wizard screens contain buttons on the bottom right of the screen which can be used to navigate through the wizard or to create new entities. You can choose to click to drill through to obtain further details concerning a selected entity.
To access the Management Wizards, click the Management Wizards icon in the top left corner of the screen. This will take you to the Management Wizards screen. You have two options:
• User Groups Wizard
• Log Entry Wizard
Click either icon to proceed.
See also: Management Console, Using the Management Console, User Groups Wizard, Log Entry Wizard
User Groups Wizard

The User Groups wizard enables you to:
• Create a new User Group.
• View and add new users to existing User Groups.
• View and edit User Group Details. The administrator can define the policies to be used for a specific user group (Security, Logging and HTTPS policies).
• View and edit individual user details. The administrator can define the policies to be used for a specific user (Security, Logging and HTTPS policies).
Figure 2-6: User Groups Main Screen
NOTES: Only self-defined groups can be edited. You cannot delete the Unknown Users group nor the Independent Users Group. You also cannot edit the Independent Users group details.
See also: Management Wizard, Log Entry Wizard, Create a New User Group, User Group Details, Users, Policy Management, Managing Policy Rules

Create a New User Group
To generate a new user group on-the-fly, use the Management Wizard’s User Groups option.
To create a new user group:
1. In the Management Wizard main screen click User Groups.
2. Click New. The User Group Details screen appears.
3. Enter appropriate text in all required fields. For further information see User Group Details Screen.
4. Click OK.
NOTES: It is possible to view and edit the policy details and rules at this point, or later.
See: User Groups Wizard, User Group Details, Users, Policy Management, Managing Policy Rules

User Group Details
In the User Group Details screen you can view or edit the user group details. For further information on the contents of the fields see User Group Details Screen.
Figure 2-7: User Groups Details Screen

From the User Groups Details screen, you can:
• Click the Users icon to navigate to the users associated with this User Group. For further information see: Users.
• Click the Policies icon to manage the User Group’s policies. You can perform the following actions concerning the Security, Logging and HTTPS policies:
  - View and edit a Policy
  - Add a new Policy
  - View and edit the Policy rules
  For further information see: Policy Management.
See also: User Groups Wizard, Create a New User Group, Users, Policy Management, Managing Policy Rules

Users
The User Group’s Users screen displays the Users that are associated with the User Group.
Figure 2-8: Users

From this screen you can choose to:
• Create a New User
• View the User Details and edit them.
• Delete a User

See also: User Groups Wizard, Create a New User Group, User Group Details, Policy Management, Managing Policy Rules, Create a New User, View the User Details, Delete a User
Create a New User
To generate a new user on-the-fly, use the Management Wizard’s User Groups option.
To create a new user:
1. In the Management Wizard main screen click User Groups.
2. In the User Groups screen, click the icon next to the group that you want the user to be associated with.
3. Click Group Users. The User Group’s list of users screen appears.

NOTES: You can also access a User Group’s list of users by navigating to the User Group Details screen (see User Group Details) and clicking the Users icon.

4. Click New. The User Details screen appears.
5. Enter the appropriate text in the required fields. For further information see User Details Screen.
6. Click OK.

NOTE: It is possible to view and edit the policy details and rules at this point, or later. For further information see: Policy Management and Managing Policy Rules.
See: User Groups Wizard, Users, View the User Details, Delete a User
View the User Details
The User Details screen displays the User Details including the Security, Logging and HTTPS policies that are assigned to the User Group to which the user belongs. To view or edit a user’s details, use the Management Wizard’s User Groups option.
To view the User Details screen:
1. In the Management Wizard main screen click User Groups.
2. In the User Groups screen, click the icon next to the group that the user is associated with.
3. Click Group Users. The User Group’s list of users screen appears.

NOTES: You can also access a User Group’s list of users by navigating to the User Group Details screen (see User Group Details) and clicking the Users icon.

4. Click the icon next to the user.
5. Click User Details.
Figure 2-9: User Details Screen

For further information about the fields and options see: User Details Screen.

From each policy listed in the User Details screen, you can choose to:
• View and edit Policy Details. For further information see: Policy Details.
• View and edit Policy Rules. For further information see: Rule Details.

See: User Groups Wizard, Users, Create a New User, Delete a User
Delete a User
To delete a user, use the Management Wizard’s User Groups option.
To delete a user:
1. In the Management Wizard main screen click User Groups.
2. In the User Groups screen, click the icon next to the group that the user is associated with.
3. Click Group Users. The User Group’s list of users screen appears.

NOTE: You can also access a User Group’s list of users by navigating to the User Group Details screen (see User Group Details) and clicking the Users icon.

4. Click the icon next to the user.
5. Click Delete User. A warning screen appears asking you to confirm that you want to delete this user.
6. Click OK.

See: User Groups Wizard, Users, Create a New User, View the User Details

Policy Management
Once you have navigated to the User Group Details screen, either when defining a new group, or when you want to update a user group’s policies, you can manage the group’s policies and rules. You can perform the following actions concerning the Security, Logging and HTTPS policies:
• View a Policy
• Add a new policy
• View and edit the Policy rules
Figure 2-10: Managing Policies

See also: User Groups Wizard, Create a New User Group, User Group Details, Users, Managing Policy Rules, Policy Details, Create a New Policy, Viewing Policy Rules

Policy Details
The Policy Details screen displays the policy name, description and provides a list of User Groups that use this policy. The editing buttons (Edit, Save, Cancel) are disabled when you access the screen from the User Groups Details screen. For further details see: Security Policy Details.
To view a policy:
1. In the Management Wizard main screen click User Groups.
2. In the User Groups screen, click the icon next to the group that you want the policy to be associated with.
3. Click Group Details.
4. Select which policy you want to view: Security, Logging or HTTPS, and click the icon next to this policy.
5. Click Policy Details.
Figure 2-11: Policy Details Screen
From the Policy Details screen you can click the Policy Rules icon to navigate to the Managing Policy Rules screen, or click the return icon to go back to the User Group Details screen. For full information on all the policies, see also: Security Policies - Advanced.

See also: Policy Management, User Groups Wizard, Create a New Policy, Viewing Policy Rules
Create a New Policy
To generate a new policy on-the-fly, use the Management Wizard’s User Groups option.
To create a new policy:
1. In the Management Wizard main screen click User Groups.
2. In the User Groups screen, click the icon next to the group that you want the policy to be associated with.
3. Click Group Details.
4. Select which policy you want to add: Security, Logging or HTTPS, and click the icon next to this policy.
5. Click Add New Policy.

Figure 2-12: Add New Policy

6. Fill in the fields in the Policy Details screen. For further information see: Security Policy Details.

See also: User Groups Wizard, Policy Management, Policy Details, Viewing Policy Rules
Viewing Policy Rules
The Rules screen displays the list of rules associated with the specific policy. For further details see: Security Policy Details.
To view the policy rules:
1. In the Management Wizard main screen click User Groups.
2. In the User Groups screen, click the icon next to the group that you want the policy to be associated with.
3. Click Group Details.
4. Select which policy you want to view: Security, Logging or HTTPS, and click the icon next to this policy.
5. Click Policy Rules.
Figure 2-13: Policy Rules

For further information on managing policy rules through the Management Wizard see Managing Policy Rules.

See also: User Groups Wizard, Policy Management, Policy Details, Create a New Policy

Managing Policy Rules
The Rules screen can be accessed in two ways:
• From the User Group Details screen, click the Policies icon and select Policy Rules.
• From the Policy Details screen, click the Policy Rules icon.

The Rules screen displays the rules that make up the specific policy. You can choose one of the following options:
• Create a new rule
• View and edit Rule Details
• View and edit Rule Conditions
• Delete a Rule
• Move and position a Rule
Figure 2-14: Rule Management Options
NOTE: Changes cannot be made to predefined Finjan Policies.

See: User Groups Wizard, Create a New User Group, User Group Details, Users, Policy Management, Create a New Rule, Rule Details, Rule Conditions, Condition Details
Create a New Rule
To generate a new rule on-the-fly, use the Management Wizard’s User Groups option to navigate to the User Group Details screen. You can only add rules to customer (non-M86 Security) policies.
To create a new rule:
1. In the User Group Details screen click Policy Rules.
2. In the Rules screen, click the Add New Rule icon.
3. Fill in the fields in the Rule Details screen. For further information see Security Rule Details.
4. Click OK to add the new rule.
Figure 2-15: Add New Rule

See: Managing Policy Rules, Rule Details, Rule Conditions, Condition Details
Rule Details
The Rule Details screen provides the definitions for specific rules. You can only edit rules that are customer (non-M86 Security) rules. For further information on the fields in this screen see Security Rule Details.
Figure 2-16: Rule Details Screen

From this screen you can:
• Edit the Rule details.
• Click the return icon to return to the Rules screen.
• Click the Conditions icon to navigate to the Conditions’ Details screen.

See: Managing Policy Rules, Create a New Rule, Rule Conditions, Condition Details
Rule Conditions
The Rule Conditions screen provides you with a list of the conditions that define a Rule.
Figure 2-17: Rule Conditions’ List Screen

For each condition, you can choose to:
• View and edit the Condition Details
• Delete the Condition

See: Managing Policy Rules, Create a New Rule, Rule Details, Condition Details
Condition Details
The Condition Details screen supplies the conditions that apply to the selected rule. You can only edit conditions that are attached to customer (non-M86 Security) rules.
Figure 2-18: Condition Details Screen

For further information on the fields in this screen see Condition Details for Security Policy Rules.

See: Managing Policy Rules, Create a New Rule, Rule Details, Rule Conditions
Log Entry Wizard

The Log Entry Wizard enables administrators to easily track down specific transactions. This simplifies handling of customer queries by following blocked transactions and reassessing them accordingly. The Log Entry Wizard also provides all web log information and user group information, in a detailed and simplified manner. Therefore, administrators can easily perform different tasks in connection with these logs.
When a customer query is made, the user has to tell the administrator when the blocked transaction occurred and what its transaction ID was. The transaction ID is always provided in end-user messages, so that it can be reported to the administrator and a request can be made to check the logs.
Figure 2-19: Log Entry Wizard Main Screen

See also: User Groups Wizard, Finding a Log Entry, Adding to a URL List, Transaction Details

Finding a Log Entry

To use the Log Entry Wizard:
1. In the Management Wizard main screen click Log Entry.
2. Select the time period for the Log entries, based on the information provided by the user.
3. Enter the transaction ID.
4. Click Next. The Transaction Details screen appears.
Figure 2-20: Transaction Details Screen

The Transaction Entries sidebar includes both the Request and Response log details. For further information see Transaction Entry: Request and Response Phases. To return to the main Transaction Details screen click Details (on the sidebar).

Once you have the transaction details, you can:
• Add the URL to a White or Black URL list. For further information see Adding to a URL List.
• Click on one of the tabs and view/edit the Transaction Details. For further details see Transaction Details.

For additional information concerning Transaction Details see also: Web Logs Profile Settings.

See: User Groups Wizard, Log Entry Wizard, Adding to a URL List, Transaction Details

Adding to a URL List
The Log Entry wizard makes it easier to add a specific URL to an appropriate URL List. Use the Log Entry wizard to reach the Transaction Details screen. The administrator can then decide to add the specific URL to a Black or White list of his choice. In the Add to URL list screen the administrator can select from a range of pre-defined lists and/or edit the URL itself to fit the specific requirements.
To add a URL to a list:
1. Use the Management Wizard to reach the Transaction > Request Details screen.
2. On the Transactions tab, click the URL. The Add to URL list screen appears.

Figure 2-21: Add to URL List Screen

3. Select a list and/or edit the URL.
4. Click OK. Otherwise, click Cancel.

See also: User Groups Wizard, Log Entry Wizard, Finding a Log Entry, Transaction Details

Transaction Details
The Log Entry wizard provides the administrator with the means of updating transaction details on-the-fly. Use the Log Entry wizard to reach the Transaction Details screen. The Transaction Details screen contains several tabs that provide additional options that can be used to modify the settings as required. The Transaction Details screen contains the following tabs:
• Details: Transaction
• Details: User: Enables editing the group and the User details, for example, assigning the user to a different policy.
• Details: Policy Enforcement: Allows the administrator to modify the Policy, Rules and Conditions which triggered the log transaction.
• Details: Content: Enables viewing and modifying of the conditions and category details.
• Details: Scanning Server
For further information see Transaction Entry Details.

See also:
User Groups Wizard
Log Entry Wizard
Finding a Log Entry
Adding to a URL List
Chapter 3: Dashboard

The SWG Dashboard presents crucial information, in real-time, on the status of the M86 Secure Web Gateway and the M86 Devices within it. Its purpose is to keep System Administrators fully informed at all times.

Click the Dashboard icon in the Management Console toolbar to access the Dashboard.

Dashboard Console

The main screen of the Dashboard provides monitoring information on M86 Devices and is divided into the following categories:
• Functionality
• Device Gauges
• Performance Graphs
• Device Utilization Graphs
• Messages (SNMP)

In the initial Dashboard screen, an Available Updates icon appears in the top left corner. When there are Security or other updates for your system, this icon is lit. Such updates are installed through the Management Console, by navigating to Administration > Updates > Updates Management. For more information on updates, refer to the Updates section of this document.

Figure 3-1: Lit Updates Available icon
Functionality

All Dashboard graphs incorporate the following functionality:

Function Description
Period Selection: Select a range of time from which to draw information. The dropdown menu includes daily, weekly, monthly, and yearly options.
Flexible Timeframe Selection: Allows for more detailed analysis of a specific time period, using a time bar or an interactive zoom (mark the timeframe range on the graph by dragging over the area with the left mouse button).
Usability: Rolling over the top level of the graph offers basic information at a glance. Tooltips are available on top of the graph for specific point information.

IMPORTANT: Selecting a specific period enacts the same change for all graphs.
• Period Selection: There are two ways in which Period selection is effected: through the dropdown menu, or through the graph slider on each graph.

Figure 3-2: Period Selection drop down

• Granular Reports: Shows a detailed breakdown of the system resource utilization and its different components.
Device Gauges
• Threat Level
• RPS

Threat Level Gauge

This gauge shows the risk factor to which your organization is exposed. This risk calculation is based on the number of blocked transactions compared to the general traffic. Clicking on the Security Risk link opens up a graph showing the risk factors involved.

Figure 3-3: Threat Level Gauge

RPS Gauge

Shows the total requests per second. Requests per Second (RPS) is defined as any new request sent through the Secure Web Gateway server. Therefore, each object on a web page generates a request. For example, if a user loads a web page with 10 objects (images, applets, etc.) on it, the user will have generated 11 requests: the browser will have issued one request for the web page and individual requests for each of the 10 objects.

Figure 3-4: RPS Gauge

See also:
Threat Level
Dashboard Console
Messages (SNMP)
Device Utilization Graphs
Threat Level

Clicking the link in the Threat Level gauge displays a graph showing the total threat level after calculating all the following factors:
• Anti-Virus
• Behavior Analysis
• URL Lists
• URL Categorization
• Blocked DLP
• Blocked in Total

Figure 3-5: Dashboard: Threat Level

The graph shows the risk level in terms of transactions passing through the organization.
• Average: the average number of blocked transactions for that particular category over a period of 24 hours.
• Current: the number of blocked transactions for that particular category at this moment in time.
• Maximum: the largest number of blocked transactions at a particular time relative to the time period chosen. For example, per day, the maximum over 24 hours.
Performance Graphs

Using the drop-down list, select the relevant device to see its performance status, measured in requests per second.
• Average: Average requests per second over a 24 hour interval.
• Maximum: Maximum requests per second at a specific time slot relative to the time period chosen.

Figure 3-6: Dashboard: Device Performance

See also:
Dashboard Console
Device Status

For each Device (Policy Server, Scanning Server, All in One), the following information is given:

Field Description
Device Type: Defines the type of Device, such as Scanning Server or All in One.
IP: IP Address of the Device.
Time: Date and time that the last Status update was received.
RPS: Requests per Second, as shown on the Performance graph.
Device Utilization: Clicking on the More Information link shows various graphs with utilization information on this Device.
Messages (SNMP)

SNMP Messages appear for errors or critical circumstances. The Message section includes a dropdown menu that offers three viewing selections:
• Show All: Show all messages in the window, whether read or unread.
• Noticed: Show only messages that have been read.
• Unnoticed: Show only messages not yet read.

The Message window also includes a Notation capability, as well as the following informational fields:

Message Field Description
Read: Enable this checkbox to denote that you have read this message.
Note: Click the icon to add a note for yourself about the message.
Severity: Critical, Major, Minor, Warning, Normal or Unknown, as defined by the SNMP message.
Time: Date and time the message was generated.
Source: Device IP address.
Message Text: Message text. The last 30 updated messages are displayed.
Device Utilization Graphs

This screen is accessed by clicking the green More Information button. For each device, a number of graphs display relevant information to the system administrator, allowing real-time viewing of any overload on any particular device. Each graph shows both the Average (over a 24 hour period) and the Maximum at any one given time period. Data can be accessed as far back as 12 months, or as recent as the same day per hour, by moving the slider across the Period selection option (bottom right of the graph). HTTP and HTTPS connections are constantly monitored. Information in this graph enables the administrator to see the overall load on the system.

NOTES: The protocol limits of M86 scanning servers are 16384 open connections for HTTP/ICAP and 4096 connections for HTTPS. Too many open connections can indicate a growing environment which may require additional scanning servers.

The following graphs are available:

Graph Name Description
CPU Utilization: Measures the percentage of CPU being used over time.
Memory Usage: Measures the memory in bytes being used.
Disk Space Usage: Measures the percentage of each disk partition used (var, tmp, opt, cache).
HTTP and HTTPS Connection Count: Constantly monitors open connections.
Figure 3-7: Memory Usage

The Memory Usage graph includes the following information:
• Used Real: The amount of memory that has been reserved for processes.
• Buffers: The total amount of real or virtual memory currently allocated for use as memory buffers.
• Cached: The total amount of real or virtual memory currently allocated for use as cached memory.
• Unused Real: The total amount of real/physical memory currently unused or available.
• Used Swap: The amount of swap memory used.

Figure 3-8: CPU Utilization

The CPU Utilization graph includes the following information:
• cpuIdle: The percentage of processor time spent idle.
• cpuSystem: The percentage of CPU time spent processing system-level code.
• cpuUser: The percentage of CPU time spent processing user-level code.

NOTES: For more information regarding SNMP MIB data collection, please refer to http://net-snmp.sourceforge.net/docs/mibs/ucdavis.html.

Figure 3-9: Dashboard: Device Utilization
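The Memory Usage and CPU Utilization fields above are the UCD-SNMP-MIB (net-snmp "ucdavis") memory and systemStats objects. The following is an added example, not M86 code, of reading those objects from snmpwalk output and mapping them to the graph fields, so that the same figures can be checked or alerted on outside the Dashboard. The object names and OIDs are the standard UCD-SNMP-MIB ones; the walk output is constructed rather than captured from a scanning server, and the "Used Real" formula (total minus available, buffers and cache) is an assumption about how the graph derives that field.

```python
"""Added example, not M86 code: map UCD-SNMP-MIB objects from snmpwalk
output to the Dashboard's Memory Usage and CPU Utilization fields."""
import re

# UCD-SNMP-MIB scalars (enterprise 2021) that the two graphs draw on.
OID_NAMES = {
    ".1.3.6.1.4.1.2021.4.3.0": "memTotalSwap",
    ".1.3.6.1.4.1.2021.4.4.0": "memAvailSwap",
    ".1.3.6.1.4.1.2021.4.5.0": "memTotalReal",
    ".1.3.6.1.4.1.2021.4.6.0": "memAvailReal",
    ".1.3.6.1.4.1.2021.4.14.0": "memBuffer",
    ".1.3.6.1.4.1.2021.4.15.0": "memCached",
    ".1.3.6.1.4.1.2021.11.9.0": "ssCpuUser",
    ".1.3.6.1.4.1.2021.11.10.0": "ssCpuSystem",
    ".1.3.6.1.4.1.2021.11.11.0": "ssCpuIdle",
}

# Constructed snmpwalk output: symbolic lines as printed with the MIB loaded,
# plus one numeric-OID line as printed without it.
SAMPLE_WALK = """\
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 4194300 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 4100000 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 8167092 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 1200000 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 300000 kB
.1.3.6.1.4.1.2021.4.15.0 = INTEGER: 2500000
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 37
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 8
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 55
"""

LINE_RE = re.compile(r"^(?:UCD-SNMP-MIB::(\w+)\.0|(\.[\d.]+)) = INTEGER: (-?\d+)")


def parse_walk(text):
    """Return {objectName: int} for every recognised line of snmpwalk output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group(1) or OID_NAMES.get(m.group(2))
        if name:
            values[name] = int(m.group(3))
    return values


KB = 1024   # UCD memory objects are reported in kB; the graph shows bytes


def memory_usage(values):
    """The five Memory Usage fields, in bytes.
    Assumed: Used Real = total - available - buffers - cached."""
    total, avail = values["memTotalReal"], values["memAvailReal"]
    buffers, cached = values["memBuffer"], values["memCached"]
    return {
        "Used Real": (total - avail - buffers - cached) * KB,
        "Buffers": buffers * KB,
        "Cached": cached * KB,
        "Unused Real": avail * KB,
        "Used Swap": (values["memTotalSwap"] - values["memAvailSwap"]) * KB,
    }


def cpu_utilization(values):
    """The three CPU Utilization percentages; they should sum to about 100."""
    return {"cpuUser": values["ssCpuUser"],
            "cpuSystem": values["ssCpuSystem"],
            "cpuIdle": values["ssCpuIdle"]}


if __name__ == "__main__":
    v = parse_walk(SAMPLE_WALK)
    print(memory_usage(v))
    print(cpu_utilization(v))
```

Feeding real output from `snmpwalk -v2c -c <community> <device> .1.3.6.1.4.1.2021` into parse_walk() gives the same dictionary; the numeric-OID form is handled so the MIB file does not need to be installed on the polling host.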
If the Device is not working or is experiencing any other error, the appropriate error message is displayed here. The Message includes the following information:

Message Field Description
Read: Select to denote that you have read this message.
Note: Click the icon to add a personal note about the particular message.
Severity: Normal or Critical, as defined by the SNMP message.
Date/Time: Date and time the message was generated.
Source: Device IP address.
Message: Message text.

See also:
Threat Level
Dashboard Console
Messages (SNMP)
Chapter 4: Users
Users
The Users menu contains all the actions that can be carried out for end-users browsing through the Secure Web Gateway. The Management Console supports both individual Users and groups of Users. The Users menu contains the following options:
• Users/User Groups
• Cloud User Certificate Management
• Authentication Directories: LDAP and Active Directory

Figure 4-1: Users Menu

See also:
Users/User Groups
Cloud User Certificate Management
LDAP
Active Directory
Users/User Groups
In the User Groups menu option, you can create or delete a User or User group, assign a policy to a User or User group, add a user to an existing User group, or move a User from one group to another.

The User Groups tree on the left pane allows arranging Users into User Groups and assigning them specific Security and Logging Policies. Users can also be uniquely identified in a number of ways.

Figure 4-2: User/User Groups

See also:
Users
Cloud User Certificate Management
LDAP
Active Directory
User Group Details Screen
Blocked and Revoked Cloud Users
Unknown Users
Independent Users
Creating a New User Group
Adding a User to a User Group
Moving Users
The Importance of User/User Group Identifiers
User Group Details Screen

When creating a new User Group or editing its Details, the User Group Details screen appears.

Figure 4-3: User Group Details Screen

The following table provides information on the fields displayed in the User Group Details screen:

Field Name Description
User Group Name: Defines the User Group Name.
Security Policy: Assigns a Security policy to the User Group. If you do not specifically define a Security Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values. NOTE: The Full Bypass Policy (which bypasses all scanning) can be set here. This Policy does not appear in the Security Policies Simplified or Advanced Configuration. Because traffic under this Policy is not scanned at all, restrict it to groups whose IP Ranges are tightly scoped.
Logging Policy: Assigns a Logging policy to the User group. If you do not specifically define a Logging Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values.
HTTPS Policy: Assigns an HTTPS Policy to the User Group. If you do not specifically define an HTTPS Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values.
IP Ranges: This table defines the required IP addresses (From IP and To IP fields). For a detailed explanation on IP Ranges, please refer to The Importance of User/User Group Identifiers.
Issue Vital Cloud Certificates: Enabling this checkbox causes the policy server to automatically issue an end user certificate to new members belonging to this group.
See also:
Users/User Groups
Blocked and Revoked Cloud Users
Unknown Users
Independent Users
Creating a New User Group
Adding a User to a User Group
Moving Users
The Importance of User/User Group Identifiers
User Details Screen

When creating a new User or editing its Details, the User Details screen appears.

Figure 4-4: User Details Screen

The following table provides information on the fields displayed in the User Details screen:

Field Name Description
User Name: Provide a descriptive User Name. Use the Identifiers section to identify the user to the system.
Email: Displays the email address assigned to the user. Used primarily to send certificates to cloud users.
Security Policy: Displays the Security policy assigned to the User Group to which the user belongs.
HTTPS Policy: Displays the HTTPS policy assigned to the User Group to which the user belongs.
Logging Policy: Displays the Logging policy assigned to the User/User group.
Identifiers: The Identifiers section is used to uniquely identify the user to the system. Choose an Identifier Type, either IP or User Name. If you have chosen IP, add the required IP address in the Value field. If you have chosen User Name, add the appropriate domain_name\user_name in the Value field. For a detailed explanation on Identifiers, please refer to The Importance of User/User Group Identifiers.
See also:
User Group Details Screen
Independent Users
The Importance of User/User Group Identifiers
Blocked and Revoked Cloud Users

Blocked Cloud Users are users browsing through the Secure Web Gateway whose certificates are suspected of being compromised and are therefore deemed no longer valid. The current user certificate must be verified.

Figure 4-5: Blocked Cloud Users Screen

The following table provides information on the fields displayed in the Blocked Cloud Users Details screen:

Field Name Description
Group Name: Displays the group's name. The field cannot be edited by the user.
Security Policy: Displays the Security policy assigned to Blocked Cloud Users.
Logging Policy: Displays the Logging policy assigned to Blocked Cloud Users.
HTTPS Policy: Displays the HTTPS policy assigned to Blocked Cloud Users.
IP Ranges: If a specific IP address is not identified in the system, SWG searches for a match in the defined IP ranges. IP ranges should not overlap. If the IP matches more than one range, it is not possible to predict which user/policy will be enforced.

Revoked Cloud Users are users browsing through the Secure Web Gateway whose certificates are known to have been compromised and are therefore deemed no longer valid. The current user certificate is revoked and a new certificate must be issued.

Figure 4-6: Revoked Cloud Users Screen

The following table provides information on the fields displayed in the Revoked Cloud Users Details screen:

Field Name Description
Group Name: Displays the group's name. The field cannot be edited by the user.
Security Policy: Displays the Security policy assigned to Revoked Cloud Users.
Logging Policy: Displays the Logging policy assigned to Revoked Cloud Users.
HTTPS Policy: Displays the HTTPS policy assigned to Revoked Cloud Users.
IP Ranges: If a specific IP address is not identified in the system, SWG searches for a match in the defined IP ranges. IP ranges should not overlap. If the IP matches more than one range, it is not possible to predict which user/policy will be enforced.
See also:
Users/User Groups
User Group Details Screen
Unknown Users
Independent Users
Creating a New User Group
Adding a User to a User Group
Moving Users
The Importance of User/User Group Identifiers
Unknown Users

Unknown users are users that are browsing through the Secure Web Gateway but have not been identified.

Figure 4-7: Unknown Users

The following table provides information on the fields displayed in the Unknown Users Details screen:

Field Name Description
Group Name: Displays the group's name. The field cannot be edited by the user.
Security Policy: Displays the Security policy assigned to the Unknown Users group.
HTTPS Policy: Displays the HTTPS policy assigned to the Unknown Users group.
Logging Policy: Displays the Logging policy assigned to the Unknown Users group.
New Users: Selecting this option means that unknown users are automatically added to the Unknown Users group. You cannot manually add users to this group. The default setting is disabled, which means that unknown users remain unknown. This is useful in large organizations, so that hundreds of new users do not inundate the system, and conversely useful in smaller organizations, allowing manual control over the addition of new users.
Once there is a list of Unknown Users in this group browsing through the system, you have the option to move these Users into predefined User Groups by using the right-click tree menu option Move Users.

See also:
Users/User Groups
User Group Details Screen
Blocked and Revoked Cloud Users
Independent Users
Creating a New User Group
Adding a User to a User Group
Moving Users
The Importance of User/User Group Identifiers
Independent Users

You can create independent users (i.e. users that do not belong to a User Group) and assign them their own policies.

To create a new User:
1. Right-click on the Independent Users folder and select Add User. The User Details screen is displayed on the right hand pane.
2. Enter a User Name for the user, for example, Debra. The name supplied in this field is a descriptive name; it does not have to be the real user name. The real user name or IP is supplied in the Identifiers section.
3. Assign Policies as required. For example, for the Security Policy, assign the M86 Security Basic Security Policy. For the Logging Policy select Log All Protective Actions, and for the HTTPS policy assign the M86 Security HTTPS Policy.

NOTES: You can double check this via Policies > Security > Default Basic Security Policy, which shows the Users that the Policy is assigned to.

4. The Identifiers section is used to uniquely identify the user to the system. Click the add icon to add a row.
5. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, add the required IP address in the Value field. If you have chosen User Name, add the appropriate domain_name\user_name in the Value field.

Figure 4-8: Example for Creating a New User

6. An Identifier row can be deleted by clicking the icon next to the relevant row and selecting Delete.
7. Click Save to apply the changes.

See also:
Users/User Groups
User Group Details Screen
Blocked and Revoked Cloud Users
Unknown Users
Creating a New User Group
Adding a User to a User Group
Moving Users
The Importance of User/User Group Identifiers
Creating a New User Group

To create a new User Group:
1. Right-click on the User Groups main node and select Add Group from the drop-down menu. The User Group Details screen is displayed on the right hand pane.
2. Enter a Group Name for the new group, for example, Special Division.

Figure 4-9: Example for Creating New User Group

3. Assign Policies as required. For example, for the Security Policy, assign the M86 Security Basic Security Policy. For the HTTPS policy, assign the M86 Security HTTPS Policy, and for the Logging Policy select Log All Protective Actions.

NOTES: All Policies have default values set via Policies > Default Policy Settings. The default values for each of the Policies (Security, HTTPS and Logging) are automatically assigned to users in the system if no other policy has been assigned to them.

4. In the IP Ranges section, click the add icon to add a new row.
5. Add the required IP addresses in the From IP and To IP fields. For a detailed explanation on IP Ranges, please refer to The Importance of User/User Group Identifiers.
6. An IP Range can be deleted by clicking the icon next to the relevant row and selecting Delete.
7. Click Save to apply the changes.

See also:
Users/User Groups
User Group Details Screen
Blocked and Revoked Cloud Users
Unknown Users
Independent Users
Adding a User to a User Group
Moving Users
The Importance of User/User Group Identifiers
Adding a User to a User Group

To add a new user to a User Group:
1. Right-click on the required User Group and select Add User. The New User pane is displayed.

Figure 4-10: New User Pane

2. Enter a new user name.
3. The Identifiers section is used to uniquely identify the user to the system. Click the icon and select Add.
4. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, add the required IP address in the Value field. If you have chosen User Name, add the appropriate domain_name\user_name in the Value field.
5. Click Save to apply the changes.

See also:
Users/User Groups
User Group Details Screen
Blocked and Revoked Cloud Users
Unknown Users
Independent Users
Creating a New User Group
Moving Users
The Importance of User/User Group Identifiers
Moving Users

To move a user from one Group to another:
1. Right-click on the main folder of the source User Group you wish to move users from, and select Move Users from the drop-down menu. The Move Users screen is displayed on the right hand pane.
2. The Users in the selected group are listed in this screen. If the number of Users in the group exceeds the limit displayed per page (i.e. there is a large list of names spanning several pages), use the Previous and Next buttons to move between consecutive pages. Otherwise, enter a name in the Find All section to go to that particular selection. This filter may be cleared using the Clear button.
3. Select the destination User Group that you want to move your users To from the drop-down list.

Figure 4-11: Move Users from one Group to another

4. When you have finished moving the Users from the source User Group to the destination User Group, click OK to apply the changes.

See also:
Users/User Groups
User Group Details Screen
Blocked and Revoked Cloud Users
Unknown Users
Independent Users
Creating a New User Group
Adding a User to a User Group
The Importance of User/User Group Identifiers
The Importance of User/User Group Identifiers

A Security Policy is enforced only when it is assigned to a User or User Group. When the M86 SWG Appliance scans traffic, the first step is to identify the User and ascertain whether a security policy has been assigned. It is therefore important to enter the maximum number of available user identifiers.

When working with a supported LDAP directory you do not need to enter identifiers for each individual user. You can import LDAP groups relevant to the security policy from the LDAP server, or you may prefer to create special groups for use with SWG.

In order for user credentials to be available for matching with user identifiers, user authentication is required. Authentication is done by way of Identification policies. Please refer to the User Identification and Authentication Feature Description for more information.

As soon as the Secure Web Gateway identifies a user by confirming a matching identifier, the assigned policy is enforced. The identification parameters are checked from the more specific to the less specific, until a match is found, in the following order:
• User Name: The first transaction parameter that the system looks for is the user name. If a user name is found and can be matched to an assigned policy, the policy is enforced and the remaining identifiers are no longer relevant.
• IP Address: If a user name is not found, the system takes the IP address and looks for a user with this address. If a match is found, the policy is enforced.
• IP Range: If a specific IP address is not identified in the system, SWG searches for a match in the defined IP ranges. IP ranges should not overlap. If the IP matches more than one range, it is not possible to predict which user/policy will be enforced.
• LDAP Group: If user identifiers show that the user is included in an LDAP group, the group policy is assigned to the transaction. If a user belongs to more than one group, the policy for the group highest on the list is assigned.

See also:
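The matching order above decides which policy a transaction gets, and it has two consequences worth checking in a configuration: a User Name identifier wins over any IP or IP Range rule for the same client, and overlapping IP Ranges make the result arbitrary. The following is an added example, not M86 code, that implements the documented order and reports overlapping ranges so they can be fixed before they cause an unpredictable policy choice. All user names, addresses, group names and policy names are constructed; the label used for the default policy fallback is an assumption.

```python
"""Added example, not M86 code: the identifier matching order (User Name,
IP Address, IP Range, LDAP Group) and a check for overlapping IP Ranges."""
import ipaddress

DEFAULT_POLICY = "Policies > Default Policy Settings"   # assumed label for the fallback


class UserEntry:
    """An Independent User or group member with its identifiers."""
    def __init__(self, name, policy, user_names=(), ips=()):
        self.name, self.policy = name, policy
        self.user_names = {u.lower() for u in user_names}      # domain\user values
        self.ips = {ipaddress.ip_address(ip) for ip in ips}     # single-IP identifiers


class GroupEntry:
    """A User Group identified by (From IP, To IP) ranges."""
    def __init__(self, name, policy, ip_ranges=()):
        self.name, self.policy = name, policy
        self.ip_ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                          for lo, hi in ip_ranges]


def find_overlaps(groups):
    """Return (group, group) pairs whose IP ranges overlap. Overlap makes the
    enforced policy unpredictable, so treat any hit as a configuration error."""
    spans = sorted((lo, hi, g.name) for g in groups for lo, hi in g.ip_ranges)
    overlaps, max_hi, max_name = [], None, None
    for lo, hi, name in spans:
        if max_hi is not None and lo <= max_hi and name != max_name:
            overlaps.append((max_name, name))
        if max_hi is None or hi > max_hi:
            max_hi, max_name = hi, name
    return overlaps


def resolve_policy(tx, users, groups, ldap_groups, ldap_membership):
    """tx: {'user': 'DOMAIN\\name' or absent, 'ip': dotted address}.
    ldap_groups: [(group_name, policy)] in console order, highest first.
    ldap_membership: {'domain\\name': {group_name, ...}}.
    Returns (matched_by, policy)."""
    user = (tx.get("user") or "").lower()
    addr = ipaddress.ip_address(tx["ip"]) if tx.get("ip") else None
    # 1. User Name identifier: wins even if an IP rule would say otherwise.
    if user:
        for u in users:
            if user in u.user_names:
                return "user_name", u.policy
    if addr is not None:
        # 2. Single IP identifier.
        for u in users:
            if addr in u.ips:
                return "ip_address", u.policy
        # 3. IP Range: first matching range in configuration order. With
        #    overlapping ranges this pick is arbitrary, hence find_overlaps().
        for g in groups:
            if any(lo <= addr <= hi for lo, hi in g.ip_ranges):
                return "ip_range", g.policy
    # 4. LDAP Group: the group highest on the list wins.
    if user:
        member_of = ldap_membership.get(user, set())
        for group_name, policy in ldap_groups:
            if group_name in member_of:
                return "ldap_group", policy
    return "default", DEFAULT_POLICY


# Constructed configuration.
USERS = [UserEntry("Debra", "M86 Security Basic Security Policy",
                   user_names=["CORP\\debra"], ips=["10.0.1.25"])]
GROUPS = [GroupEntry("Special Division", "Special Division Policy",
                     [("10.0.1.0", "10.0.1.255")]),
          GroupEntry("Guests", "Guest Policy", [("10.0.1.200", "10.0.2.50")])]
LDAP_GROUPS = [("Staff", "Staff Policy"), ("Finance", "Finance Policy")]
LDAP_MEMBERSHIP = {"corp\\alice": {"Finance", "Staff"}}


def demo():
    """Resolve a few constructed transactions; returns the list of results."""
    txs = [{"user": "CORP\\debra", "ip": "10.0.1.77"},   # name beats IP range
           {"ip": "10.0.1.25"},                           # single-IP identifier
           {"ip": "10.0.1.77"},                           # only an IP range matches
           {"user": "CORP\\alice", "ip": "10.0.5.9"},     # falls through to LDAP
           {"ip": "192.168.9.9"}]                         # nothing matches
    return [resolve_policy(tx, USERS, GROUPS, LDAP_GROUPS, LDAP_MEMBERSHIP)
            for tx in txs]


if __name__ == "__main__":
    print("overlapping ranges:", find_overlaps(GROUPS))
    for result in demo():
        print(result)
```

In the constructed data the Guests range starts inside the Special Division range, so find_overlaps() reports the pair; a client at 10.0.1.250 is then matched by whichever range the gateway happens to test first. Fixing the range boundaries, not the order, is the remedy the text calls for.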
Users/User Groups
User Group Details Screen
Blocked and Revoked Cloud Users
Unknown Users
Independent Users
Creating a New User Group
Adding a User to a User Group
Moving Users
Cloud User Certificate Management

The Cloud User Certificate Management section is used for identifying Secure Web Service users. It is a filtering system used to locate users and perform certificate operations on them, based on the following user information. This screen includes the following fields:

Field Name Description
Domain: Filter users within a specific domain.
Name: Filter for individual Users from within a particular domain by username.
Email: Email address of a particular User.
Certificate Expiration: Expiry date of an issued valid certificate.
Status: Filter by the status of the certificate: All, Blocked, Expired, Pending, Revoked, Non-issued or Valid.
Filter button: Click this button to run the filter.
Clear button: Click this button to clear all filters.
Download button: Click this button to download certificates for an entire User Group en masse.
Previous or Next: Click the Previous or Next buttons to view all filtered records.

Once the filter has been run and the required list of users has been obtained, right-clicking on a particular user in the Domain field provides the following menu options:
• Issue new certificate: Issue a new certificate for the user.
• Block certificate: Block an issued certificate until the certificate is confirmed not to have been compromised.
• Revoke certificate: If a certificate has been deemed compromised, revoke the issued certificate entirely.
• Allow certificate: Re-allow a certificate for a particular user after the certificate was blocked.
• Export certificate: Export a certificate to an external file on a per User basis.
• Send provisioning email: Re-send previously issued certificate information in the event that the initial certificate was lost.
To filter a Cloud user certificate:
1. Navigate in the Management Console to Users > Cloud Users Certificate Management.
2. In the Domain field, select the required domain from the drop-down menu. This menu includes any domains imported from LDAP and Active Directory.
3. In the Status field, select the required certificate status option from the drop-down menu, for example, All or Valid.
4. Click the Filter button.

Figure 4-12: Cloud User Certificate Management

5. Once the results are shown in the window, right-click a user for the certificate procedure menu options.

NOTES: The right-click menu options depend on the certificate status. Only menu options that are applicable to the particular status are active in the drop-down.

6. Select the certificate option for the user, for example, Issue new certificate. Certificate management is complete.

See also:
Users
Users/User Groups
LDAP
Active Directory
LDAP

This section allows for importing large numbers of LDAP Groups into the Management Console and assigning them specific Security, HTTPS and Logging Policies, as well as authenticating users against the LDAP server. LDAP Groups can be imported or deleted. The definition of users and groups is based on a retrieval mechanism that is attached to a remote directory (LDAP directory) such as Microsoft Active Directory, IBM Tivoli, Custom Directory and Sun One Directory. Right-click on one of the directory types to add a directory.

When there is a demand for increased security, the import process should be encrypted using the Secure Socket Layer (SSL) protocol. SSL achieves a higher level of security through the use of cryptography, digital signatures, and certificates. With a plain (non-SSL) connection, the directory User and Password configured on the General tab are sent to the directory server unencrypted.

Figure 4-13: LDAP Directories Screen

In general, the LDAP procedural steps are as follows:
• Define a Directory
• Import Groups
• Import Users

For further information on:
Defining a Directory, see General, Advanced Settings and Example for Adding an LDAP Directory.
Import Groups, see Import Groups.
Import Users, see Populating the LDAP Groups with Users.
See also:
Users
Users/User Groups
Cloud User Certificate Management
Active Directory
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
General

Depending on the type of directory you would like to add, right-click on one of the directory types to add a new directory.

Figure 4-14: New LDAP Directory General Tab

The following table provides information on the LDAP Directory fields displayed in the General tab:

Field Name Description
Name: Supply a unique, descriptive directory name. Two LDAP directories cannot share a name.
Address: This enables the configuration of multiple directory servers. Each server is identified by an IP address or hostname, for example, 10.194.20.15. If the LDAP server does not listen on the default LDAP port, you can specify the port by adding :port_number after the IP address or hostname, for example 10.194.20.15:636. Multiple addresses should be separated by commas.
Base DN: The base Distinguished Name of the directory, normally built from the DNS domain components (e.g. dc=Finjan, dc=com).
Realm / Domain: The directory's identifier in the authentication process between the browser and the scanning server (e.g. M86 Security). This value is detected automatically when working with Microsoft Active Directory.
User: Authorized User DN for connecting to the directory. When using Microsoft Active Directory, enter the username only instead of its DN.
Password: Password for connecting to your organization's directory.
Connect Over SSL: Enable to import the LDAP groups over SSL. Disabled by default.
Ignore Certificate Validation: This option is available only when Connect over SSL is enabled. When enabled, the Policy Server does not perform certificate validation before starting the SSL session. When disabled, the Policy Server validates the certificate on each connection; if the certificate is invalid, the user import fails and an event (such as a log, trap, or email) is created. Leave this option disabled wherever possible: without certificate validation the SSL session does not prove that the Policy Server is talking to the genuine directory server, so the directory credentials could be captured and the imported group memberships supplied by an impostor.
Check Configuration Settings: If checked, the connection with the server is checked when you press Save. If the connection fails, the parameters are not saved.
See also:
LDAP
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
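The General tab settings above, together with the attribute and filter defaults listed under Advanced Settings, define the query the Policy Server runs to find a user after proxy authentication: the User Identifier Attribute is compared with the supplied username, inside the User Object Filter, and group membership is then read from the memberOf attribute or, failing that, from the group's member attribute. The following is an added example, not M86 code, of that query construction; its point is that the username arrives from the client and must be escaped (RFC 4515) before it is placed in the filter, otherwise a crafted name can add its own filter terms. The sAMAccountName/uid/cn defaults and filters are the ones the Advanced Settings table gives for Microsoft AD and SunOne; the default ports, the "member" and "uniqueMember" attribute names, the stripping of the REALM\ prefix, and the directory records are assumptions or constructed data.

```python
"""Added example, not M86 code: build the user lookup and group resolution
implied by the LDAP General and Advanced Settings tabs, with RFC 4515
escaping of the username supplied by proxy authentication."""

DEFAULT_PORT = {False: 389, True: 636}      # assumed: plain LDAP / LDAP over SSL

# Defaults as listed in the Advanced Settings table; member attribute names assumed.
AD = {
    "user_id_attr": "sAMAccountName",
    "user_filter": "(&(objectclass=person)(objectclass=user)(!(objectclass=computer)))",
    "group_id_attr": "sAMAccountName",
    "group_filter": "(objectclass=group)",
    "member_of_attr": "memberOf",
    "member_attr": "member",                 # assumed
}
SUNONE = {
    "user_id_attr": "uid",
    "user_filter": "(&(objectclass=person)(objectclass=organizationalPerson))",
    "group_id_attr": "cn",
    "group_filter": "(objectclass=groupofuniquenames)",
    "member_of_attr": None,                  # memberOf is not supported for SunOne
    "member_attr": "uniqueMember",           # assumed
}


def parse_address(field, over_ssl=False):
    """'host[:port], host[:port]' as typed into the Address field -> [(host, port)].
    IPv4 and hostnames only (an unbracketed IPv6 literal would be misread)."""
    hosts = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if sep and port.isdigit():
            hosts.append((host, int(port)))
        else:
            hosts.append((item, DEFAULT_PORT[over_ssl]))
    return hosts


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot inject its own filter terms."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(cfg, proxy_username):
    """The lookup behind 'User Identifier Attribute is compared to the username
    provided by the proxy authentication'. Assumes a REALM\\ prefix is stripped."""
    _, _, user = proxy_username.rpartition("\\")
    return "(&(%s=%s)%s)" % (cfg["user_id_attr"],
                             escape_filter_value(user), cfg["user_filter"])


def groups_of(user_dn, entries, cfg):
    """Group DNs for a user. memberOf on the user entry has priority; otherwise
    the groups' member attribute is scanned, as the Advanced Settings describe."""
    user = entries[user_dn]
    attr = cfg["member_of_attr"]
    if attr and user.get(attr):
        return sorted(user[attr])
    return sorted(dn for dn, e in entries.items()
                  if user_dn in e.get(cfg["member_attr"], []))


# Constructed directory contents (DN -> attributes).
AD_ENTRIES = {
    "CN=jdoe,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"]},
    "CN=Finance,OU=Groups,DC=corp,DC=example": {
        "objectclass": ["group"],
        "member": ["CN=jdoe,OU=Users,DC=corp,DC=example"]},
}
SUNONE_ENTRIES = {
    "uid=jdoe,ou=People,dc=corp,dc=example": {"uid": ["jdoe"]},
    "cn=Finance,ou=Groups,dc=corp,dc=example": {
        "uniqueMember": ["uid=jdoe,ou=People,dc=corp,dc=example"]},
}

if __name__ == "__main__":
    print(parse_address("10.194.20.15:636, ldap2.corp.example", over_ssl=True))
    print(user_search_filter(AD, "CORP\\jdoe"))
    print(user_search_filter(AD, "CORP\\jdoe)(objectclass=*"))   # injection attempt, neutralised
    print(groups_of("CN=jdoe,OU=Users,DC=corp,DC=example", AD_ENTRIES, AD))
    print(groups_of("uid=jdoe,ou=People,dc=corp,dc=example", SUNONE_ENTRIES, SUNONE))
```

The same escaping applies to any value that is interpolated into a User Object Filter or Group Object Filter edited on the Advanced Settings tab; the filters themselves are trusted administrator input, the username is not.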
Import Keytab

The General tab in the LDAP directory screen offers a Kerberos Authentication option. Performing Kerberos Authentication requires a keytab file, and the following requirements must be met:
• A DNS server must be present, and all directory servers must be resolvable from the M86 SWG Appliance.
• The clocks on the Policy Server and the directory machine must be synchronized.

To import the keytab file:
1. Right-click the LDAP directory in the left tree pane and select Import Keytab, which displays the Kerberos Keytab Upload screen. The Kerberos Authentication checkbox remains greyed-out until the keytab file has been imported to the directory that it supports.
2. After importing the keytab, return to the LDAP Directory screen and enable the Kerberos Authentication checkbox.

The keytab holds the service principal's long-term keys, so handle the file as a secret and remove any local copies once the upload is complete.

See also:
General
Advanced Settings
Example for Adding an LDAP Directory
Advanced Settings The Advanced Settings tab provides User and Group attribute and filter settings.
76 M86 SECURITY, USERS USERS
Figure 4-15: Advanced Settings Tab The following table provides information on the LDAP Directory fields displayed in the Advanced Settings tab:
Field Name Description
User Identifier Attribute: This parameter defines the attribute that indicates a user's unique identifier. The value of this attribute is compared to the username provided by the proxy authentication. Default values are as follows: Microsoft AD - sAMAccountName; IBM Tivoli - eraliases; SunOne - uid. If this field is left empty, users/groups are identified according to their DN.
User Object Filter: This parameter defines the filter, in LDAP syntax, that is used to identify user objects. Default values are as follows: Microsoft AD - (&(objectclass=person)(objectclass=user)(!objectclass=computer)); IBM Tivoli - (&(objectclass=person)(objectclass=organizationalPerson)); SunOne - (&(objectclass=person)(objectclass=organizationalPerson)).
Group Identifier Attribute: This parameter defines the attribute that indicates a group's unique identifier. The value of this attribute is used by the Management Console to display group names and to assign policies. Default values are as follows: Microsoft AD - sAMAccountName; IBM Tivoli - ou; SunOne - cn. If this field is left empty, users/groups are identified according to their DN.
Group Object Filter: This parameter defines the filter, in LDAP syntax, that is used to identify group objects. Default values are as follows: Microsoft AD - (objectclass=group); IBM Tivoli - (&(objectclass=organizationalunit)(objectclass=erOrgUnitItem)); SunOne - (objectclass=groupofuniquenames).
Connection Timeout: This parameter sets the maximum number of seconds to wait for an unanswered LDAP query (the default is 120 seconds for all directory types).
memberOf Attribute: This parameter specifies which attribute holds the list of groups in which the user is a member. This attribute may remain empty, in which case the Member Attribute is used to establish hierarchy. Default values are as follows: Microsoft AD - memberOf; IBM Tivoli - erparent; SunOne - not supported. Note: memberOf Attribute and Member Attribute cannot both be empty. If both attributes have values, the memberOf Attribute has priority.
Member Attribute: This parameter specifies which attribute holds the list of members of a selected group. This attribute may remain empty, in which case the memberOf Attribute is used to establish hierarchy. Default value is as follows: SunOne - uniqueMember.
Set Default: Returns all the parameters above to their default values.
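As an added example (not part of this guide and not SWG code), the following Python script applies the Advanced Settings semantics above to a set of constructed directory entries: it evaluates the default filters, identifies objects by the identifier attribute (falling back to the DN when it is empty), enforces the rule that memberOf Attribute and Member Attribute cannot both be empty, and gives memberOf priority. The filter evaluator, the entry layout and all names are assumptions of the example.

```python
"""Added example (not SWG code): resolve LDAP users and their groups the way the
Advanced Settings table above describes. SAMPLE_ENTRIES are constructed records
shaped like a Microsoft AD export; entry attribute names are stored lowercase."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AdvancedSettings:
    # The Advanced Settings fields; the defaults here are the Microsoft AD ones.
    user_identifier_attr: str = "sAMAccountName"
    user_filter: str = "(&(objectclass=person)(objectclass=user)(!objectclass=computer))"
    group_identifier_attr: str = "sAMAccountName"
    group_filter: str = "(objectclass=group)"
    member_of_attr: Optional[str] = "memberOf"
    member_attr: Optional[str] = None

    def validate(self) -> None:
        # Documented constraint: the two hierarchy attributes cannot both be empty.
        if not self.member_of_attr and not self.member_attr:
            raise ValueError("memberOf Attribute and Member Attribute cannot both be empty")


def _attr(entry: dict, name: str) -> List[str]:
    """Values of an attribute; LDAP attribute names are case-insensitive."""
    return entry["attrs"].get(name.lower(), [])


def _compare(entry: dict, s: str):
    """Evaluate 'attr=value' up to the next ')'; return (matched, remainder)."""
    end = s.index(")")
    attr, _, value = s[:end].partition("=")
    return value.lower() in [v.lower() for v in _attr(entry, attr)], s[end:]


def _parse(entry: dict, s: str):
    """Evaluator for the filter subset used in the table: &, |, ! and equality."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    op, rest = s[1], s[2:]
    if op in "&|":
        results = []
        while rest.startswith("("):
            r, rest = _parse(entry, rest)
            results.append(r)
        result = all(results) if op == "&" else any(results)
    elif op == "!":
        if rest.startswith("("):      # RFC 4515 form: (!(attr=value))
            r, rest = _parse(entry, rest)
        else:                         # shorthand used by the AD default: (!attr=value)
            r, rest = _compare(entry, rest)
        result = not r
    else:
        result, rest = _compare(entry, s[1:])
    if not rest.startswith(")"):
        raise ValueError("unbalanced parentheses in filter")
    return result, rest[1:]


def match_filter(entry: dict, ldap_filter: str) -> bool:
    result, rest = _parse(entry, ldap_filter.strip())
    if rest:
        raise ValueError(f"trailing text after filter: {rest!r}")
    return result


def _identifier(entry: dict, attr_name: Optional[str]) -> str:
    # Empty identifier attribute: fall back to the DN, as the table states.
    values = _attr(entry, attr_name) if attr_name else []
    return values[0] if values else entry["dn"]


def resolve_import(entries: List[dict], settings: AdvancedSettings) -> Dict[str, List[str]]:
    """Map each imported user identifier to the identifiers of its groups."""
    settings.validate()
    users = [e for e in entries if match_filter(e, settings.user_filter)]
    groups = {e["dn"]: e for e in entries if match_filter(e, settings.group_filter)}
    membership: Dict[str, List[str]] = {}
    for user in users:
        if settings.member_of_attr:   # memberOf has priority when both are set
            group_dns = _attr(user, settings.member_of_attr)
        else:                         # otherwise walk each group's member list
            group_dns = [dn for dn, g in groups.items()
                         if user["dn"] in _attr(g, settings.member_attr)]
        membership[_identifier(user, settings.user_identifier_attr)] = [
            _identifier(groups[dn], settings.group_identifier_attr)
            for dn in group_dns if dn in groups]   # DNs failing the group filter are dropped
    return membership


def _entry(dn: str, classes: List[str], sam: str, **extra) -> dict:
    return {"dn": dn, "attrs": {"objectclass": classes, "samaccountname": [sam], **extra}}


ALICE = "CN=Alice,OU=Staff,DC=example,DC=com"
WS01 = "CN=WS01,OU=Workstations,DC=example,DC=com"
FINANCE = "CN=Finance,OU=Groups,DC=example,DC=com"
STAFF = "CN=Staff,OU=Groups,DC=example,DC=com"
SAMPLE_ENTRIES = [   # constructed sample data, not from any real directory
    _entry(ALICE, ["top", "person", "organizationalPerson", "user"], "alice", memberof=[FINANCE, STAFF]),
    _entry(WS01, ["top", "person", "organizationalPerson", "user", "computer"], "WS01$", memberof=[STAFF]),
    _entry(FINANCE, ["top", "group"], "Finance", member=[ALICE]),
    _entry(STAFF, ["top", "group"], "Staff", member=[ALICE, WS01]),
]
```

With the AD defaults the computer account WS01 is excluded by the user filter, so only alice is imported, with groups Finance and Staff.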
See also:
LDAP
General
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
Example for Adding an LDAP Directory
To add an LDAP Directory:
1. As an example, to add a Microsoft Active Directory, right-click the Microsoft AD server in the LDAP Directory tree in the left pane and select Add Directory. The right pane is enabled for you to enter the Directory settings.
2. In the General tab, enter your company Base DN (for example, dc=finjan, dc=com) and the IP Address for the new directory. To add a row for IP Address, click to add a new row.
NOTES: The Realm/Domain is not required when the server is Microsoft Active Directory. An example for a different directory is FINJAN.
3. Enter the user name (for example, cn=administrator) and password for logging in to your organization's directory.
NOTES: LDAP passwords cannot include the < , > or space characters. Do not use non-English characters when using the Kerberos authentication method.
NOTES: For Microsoft Active Directory, the user name should be the user's account name (that is, the name that appears in email addresses before the @company.com).
4. Select the connection mode. For increased security, select Connect over SSL. (Optional) When Connect over SSL is enabled, you can select Ignore Certificate Validation.
5. Select the authentication mode. Select Use Kerberos Authentication. The Import button is enabled.
NOTES: You can use either SSL authentication or Kerberos authentication, or disable both and rely on simple authentication.
Figure 4-16: Example for Adding LDAP Directory
6. Click the Import button to display the Kerberos Authentication Upload screen.
7. Browse to the location of the Kerberos Keytab file and then click Import to activate the changes. In order for Kerberos authentication to work, the following requirements must be met:
• A DNS server must be present, and all directory servers must be resolved via the M86 SWG Appliance.
• The times on the Policy Server and the directory machine must be synchronized.
8. Configure the advanced settings in the Advanced Settings tab, as follows:
NOTES: When you first select one of the server types, the default recommended values for the advanced LDAP parameters are used.
Figure 4-17: Example for Adding LDAP Directory Advanced Settings
• In the User Identifier Attribute field, enter sAMAccountName.
• For User Object Filter, enter (&(objectclass=person)(objectclass=user)(!objectclass=computer)).
• For Group Identifier Attribute, enter sAMAccountName.
• For Group Object Filter, enter (objectclass=group).
• In the memberOf Attribute field, enter memberOf.
• Enter the Connection Timeout (120 seconds is the default).
• To verify that the IP address you entered can be reached, enable the Check connection box to run an automatic connection check.
9. Click Save. The Microsoft AD server appears in the LDAP Servers tree. You can also check the logs for verification.
NOTES: Right-click the Active Directory LDAP server in the tree in the left pane and select Check Connection from the drop-down menu to check the IP address (that is, a successful connection to the server). An error message is displayed if there was a problem connecting to the server(s).
See also:
LDAP
General
Advanced Settings
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
Import Groups
After defining the required Directory, the next step is to retrieve LDAP groups from the Directory to the Management Console, and choose those groups you want to import and define within the Secure Web Gateway.
To import LDAP Groups:
1. Right-click a defined LDAP directory and select Add Groups from the drop-down menu. The LDAP Groups screen is displayed in the right-hand pane. If this is the first time you are adding groups, this screen is empty. If this is a repeat procedure, the system displays the User Groups previously imported.
NOTES: If you have more than one LDAP directory with the same properties, you can use one LDAP directory to import the users and another LDAP directory to authenticate the users. In this case, right-click the LDAP directory used to import the users and select the option Set Importable.
Figure 4-18: Example for Importing LDAP Groups
2. Use the Retrieve LDAP Groups option to retrieve the list of User Groups from the directory and display them on the screen.
3. Select the User Groups for import into the Management Console and click OK. The User Groups are displayed in the tree in the left pane.
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
Populating the LDAP Groups with Users
To import LDAP users into an LDAP Group:
1. Right-click the top node of the Directories tree.
Figure 4-19: Import LDAP Users
2. Select Import LDAP Users. The import begins immediately, and a message appears at the bottom left of the screen asking you to check the system logs to confirm completion.
3. Navigate to Logs and Reports > View System Logs to confirm that the immediate import was carried out.
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
Settings and Defaults
The tabs displayed refer to scheduling the import of LDAP Users and the policies assigned to groups which have not been defined within the system.
Figure 4-20: Settings and Defaults
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
Scheduled Settings
In this screen you can configure the LDAP Import Schedule. This determines whether or not to import LDAP users, defining the frequency and time at which the import process takes place. Click Edit to edit the LDAP Import Schedule screen.
Figure 4-21: LDAP Import Schedule Screen
To configure the Import Schedule:
1. In the LDAP Import Schedule, you can select an import to run either daily at a preconfigured time or every x number of hours. Alternatively, you can select No Scheduled Import. After making any changes, click Save and then click .
2. Another option in this bar is to perform an immediate import. This is done by right-clicking the top-level folder Directories and selecting Import LDAP Users. Navigate to Logs and Reports > View System Logs to confirm that the immediate import was carried out.
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Unassigned LDAP Groups
Assigning Policies
Moving LDAP Groups
Unassigned LDAP Groups
Unassigned LDAP groups are groups which have not been defined within the system. To edit the LDAP Group screen, click Edit in the right-hand pane.
Figure 4-22: Unassigned LDAP Group Screen
The following table provides information on the fields displayed in the LDAP Group screen:
Field Name Description
Group Name: Defines the LDAP Group Name.
Security Policy: Assigns a Security policy to the LDAP group. If you do not specifically define a Security Policy here, the Policy defined in the Policies > Default Policy Settings section is used. This option is displayed as Use Default Values. NOTE: The Full Bypass Policy (which does not appear in the Security Policies list) can be set here.
Logging Policy: Assigns a Logging policy to the unassigned LDAP groups. If you do not specifically define a Logging Policy here, the Policy defined in the Policies > Default Policy Settings section is used. This option is displayed as Use Default Values.
HTTPS Policy: Assigns an HTTPS policy to the unassigned LDAP groups. If you do not specifically define an HTTPS Policy here, the Policy defined in the Policies > Default Policy Settings section is used. This option is displayed as Use Default Values.
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Assigning Policies
Moving LDAP Groups
Assigning Policies
User groups can be imported from various LDAP directories.
To assign policies to an LDAP Group:
1. Click the imported user group to display the LDAP Group Policy screen in the right-hand pane.
Figure 4-23: LDAP Group Policies
2. To edit the LDAP Group screen, click Edit.
3. Assign a Security policy to the LDAP group from the drop-down menu.
4. Assign a Logging policy to the LDAP group from the drop-down menu.
5. Assign an HTTPS policy to the LDAP group from the drop-down menu.
NOTES: If you do not specifically define a policy here, the policy defined in the Policies > Default Policy Settings section will be used. This option is displayed as Use Default Values.
6. Click Save to apply changes. Otherwise, click Cancel.
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Moving LDAP Groups
Moving LDAP Groups
If an LDAP user is included in more than one group, the policy implemented will automatically be that of the first group appearing in the list. Group priority is listed from top to bottom.
To move an LDAP Group (that is, to change the order of the imported groups):
1. Right-click on the LDAP group which you want to move.
Figure 4-24: LDAP Groups Before Move
2. Select Move Group to from the drop-down menu.
Figure 4-25: LDAP Group Menu
3. Right-click the LDAP group before which you want this group to be positioned.
4. Select Above this Group from the drop-down menu. The following shows the new position of the selected LDAP Group.
Figure 4-26: LDAP Groups After Move
See also:
LDAP
General
Advanced Settings
Example for Adding an LDAP Directory
Import Groups
Populating the LDAP Groups with Users
Settings and Defaults
Scheduled Settings
Unassigned LDAP Groups
Assigning Policies
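As an added example (not the product's code), the Python model below combines the rules of the Unassigned LDAP Groups, Assigning Policies and Moving LDAP Groups sections above: the first group in the ordered list that contains the user wins, Use Default Values falls back to Policies > Default Policy Settings, and a user whose groups were never imported falls under the Unassigned LDAP Groups settings. All group and policy names are constructed.

```python
"""Added example (not SWG code): which policies an LDAP user receives, following the
Unassigned LDAP Groups, Assigning Policies and Moving LDAP Groups rules above.
All group and policy names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

USE_DEFAULT = None                    # the "Use Default Values" choice in the console
POLICY_TYPES = ("security", "logging", "https")


@dataclass
class GroupPolicies:
    security: Optional[str] = USE_DEFAULT
    logging: Optional[str] = USE_DEFAULT
    https: Optional[str] = USE_DEFAULT


@dataclass
class LdapPolicyConfig:
    default_policies: Dict[str, str]            # Policies > Default Policy Settings
    ordered_groups: List[str]                   # imported groups, top to bottom
    group_policies: Dict[str, GroupPolicies]    # LDAP Group Policy screen, per group
    unassigned: GroupPolicies                   # Unassigned LDAP Groups screen

    def effective_group(self, user_groups: List[str]) -> Optional[str]:
        """First imported group, in list order, that the user belongs to."""
        for group in self.ordered_groups:
            if group in user_groups:
                return group
        return None      # none of the user's groups were imported

    def resolve(self, user_groups: List[str]) -> Dict[str, str]:
        """Effective security, logging and HTTPS policy for a user."""
        group = self.effective_group(user_groups)
        chosen = self.group_policies[group] if group else self.unassigned
        # Use Default Values for a policy type means the Default Policy Settings entry.
        return {ptype: getattr(chosen, ptype) or self.default_policies[ptype]
                for ptype in POLICY_TYPES}

    def move_above(self, group: str, target: str) -> None:
        """Move Group to ... > Above this Group: change the imported group order."""
        self.ordered_groups.remove(group)
        self.ordered_groups.insert(self.ordered_groups.index(target), group)


def sample_config() -> LdapPolicyConfig:
    """Constructed configuration: Staff is listed above Finance."""
    return LdapPolicyConfig(
        default_policies={"security": "Default Security", "logging": "Default Logging",
                          "https": "Default HTTPS"},
        ordered_groups=["Staff", "Finance"],
        group_policies={"Staff": GroupPolicies(security="Staff Security"),
                        "Finance": GroupPolicies(security="Finance Security",
                                                 https="Finance HTTPS")},
        unassigned=GroupPolicies(security="Restricted Security"),
    )
```

A user in both Staff and Finance gets the Staff security policy until Finance is moved above Staff, after which the Finance security and HTTPS policies apply.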
Active Directory
The Authentication Server is used to store username and password information that identify the users logging on. The Authentication Server validates this information and specifies whether or not user access is granted. For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. M86 Secure Web Gateway supports authentication against Microsoft Active Directory authentication servers using the SMB Protocol. Multiple domains with a trust between them can be supported at the same time by defining a global list of authentication realms. Each realm is identified by the NetBIOS domain name and a list of redundant domain controllers given by IP or DNS name.
See also:
Users
Users/User Groups
Cloud User Certificate Management
LDAP
Authentication Server
Authentication Server
In this screen, you can Add or Delete Authentication Servers and Edit the server user information. This screen shows a list of the Authentication Servers including the Realm/Domain, address and status (active or not).
NOTES: Up to 10 Authentication Servers can be defined, serving many trusted domains. The authenticate action will not perform real authentication unless there is at least one Authentication Server defined.
Figure 4-27: Authentication Servers
The following table provides information on the Authentication Server fields:
Field Name Description
Realm/NETBIOS Name: This refers to the Authentication Server's name in the authentication process between the browser and the Scanning Server / Authentication Device. When using Active Directory, you should specify the domain NetBIOS name.
Domain Controller: This is the hostname. (It should be written without periods.)
Trusted Domains: These are domains that are trusted for authentication by the primary domain controller (specified in Realm/Domain).
Active: Select to activate the Authentication Server.
To add an Authentication Server:
1. Right-click the top-level heading and select Add Server.
2. Enter an appropriate Realm/NETBIOS name.
3. In the Domain Controller section, click to add a new row. Enter a new Domain name.
4. In the Trusted Domain section, click to add a new row. Enter a new Domain name.
5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete Row.
6. Click Save to apply changes. Next, click to commit them.
If you need to modify these fields in the future, select Edit and make your changes.
See also:
Active Directory
Chapter 5: Administration
The Administration menu contains various sub-sections which allow you to configure the system components and manage global settings.
Figure 5-1: Administration Menu
The Administration Menu contains the following options:
• Administrators - Allows a super administrator to create administrators and administrator groups and assign permissions for the various configuration options within the Management Console.
• System Settings - Allows you to configure the following: M86 Devices, Scanning Options, Scanning Engines, Digital Certificates and Administrative Settings.
• Cloud - Allows you to manage all aspects of M86 Secure Web Service Hybrid that pertain to Policy Server configuration and GUI management.
• Rollback - Used for rolling the system back to a previous stable state. This comprises the Backup and Restore functions.
• Reports Settings - Allows the Administrator to either backup or restore data from the Reports database.
• Export/Import - Allows you to export Policies, HTTPS Policies, Identification Policies and Identification Logging Policies - as well as their conditions - from one Policy Server and import them into another.
• Updates - Allows you to configure and upload the various updates for both security and software releases onto your Appliance.
• Alerts - Allows you to monitor the main modules and components of the system and notify you of system events, application events or update events (via Email or SNMP).
• System Information - Provides a simple way for the administrator to view the status of the system with respect to license and module information.
• Change Password - Allows an administrator to change his/her password.
See also:
Administrators
System Settings
Cloud
Rollback
Export/Import
Updates
Alerts
System Information
Change Password
Administrators
The Management Console can support multiple administrators working within the system. This function provides administrators with different permissions on classes (such as Policies or Logs) and on specific items (such as a specific security policy or URL list). This granularity addresses two issues relating to administrator management:
Roles: In a typical organization, different administrators have different roles; for example, one administrator can be responsible for security settings, another administrator is responsible for system settings, and a third administrator requires only a monthly view of the system. This functionality is achieved by providing the different administrators with different permissions on the functions, i.e. the security administrator will have full permissions on Policies and Condition Settings and read permission on Logs and Reports, the System administrator will have full permission on System functionality and no permission on all other functionality, etc.
Separate management: There are deployments where the system supports multiple departments or companies, each having its own administrators, and there is no data sharing. This scenario is addressed using administrator groups. An administrator group is associated with one or more user groups it manages and the actual data which is relevant for them, for example, a security policy. Within an administrator group, administrators can be defined, each with its own role, as previously explained. The data relevant to the user group, such as a specific security policy or URL white list, is managed by the relevant administrator group. Therefore, each administrator group is granted permissions to each of the data objects such as security policy, URL list, etc. As a consequence, all administrators within an administrator group share the same permissions on all data objects, even though they will have different roles. Administrators from different Groups can be granted permissions to see elements such as Policies, Logs etc. belonging to other Administrator Groups.
Super Administrators are not limited by the above constraints and can see all the Management Console options for all user groups.
NOTES: Only super administrators can create administrator groups and add administrators to administrator groups.
See also:
Administration
System Settings
Cloud
Rollback
Export/Import
Updates
Alerts
System Information
Change Password
Default Permissions
Administrator Group Details
Administrator Details
Creating a new Administrators Group
Adding an Administrator to an Administrators Group
Permissions
Default Permissions
This screen displays the baseline defaults for administrators in the Management Console. These defaults are preconfigured by M86 for easy permissions assignment and cannot be edited. The Default Permissions window contains two tabs:
• Permissions - Categories View
• Permissions - Grid View
Both tabs contain the following information:
Field Description Example
Class: Class is any entity within the Management Console. It can be a stand-alone entity or it can contain other objects within it. Example: Header Fields, Import/Export, Security Policies.
Sub-Class: Group with permissions for the objects. Finjan = default permissions; My = My administrator group or any administrator group I am responsible for; Other = Any administrator group outside of my jurisdiction. Example: N/A.
Object: Object within a class. Example: (Header Fields) Media Players.
Default Values: Default Permissions which are granted when no other permissions have been defined. Example: Update = can make changes, create new objects, etc.; View = can view classes/objects only; None = has no permissions to this object/class.
Access: Sets the Access permission. Example: Default = Use the default setting; Update = can make changes, create new objects, etc.; View = can view classes/objects only; None = has no permissions to this object/class.
Permissions - Categories View
Incorporating all the data found in the Grid view, the Permissions Categories View displays data intuitively, in line with the current SWG Management Console menu. When selecting a permission category, the Sub-Category drop-down menu provides the corresponding information. For example, when selecting the Condition Settings category, the corresponding conditions are viewable:
Figure 5-2: Default Permissions - Categories View
Permissions - Grid View
Figure 5-3: Default Permissions - Grid View
For information pertaining to the Permissions - Grid View tab, refer to Default Permissions.
See also:
Administrators
Administrator Group Details
Administrator Details
Creating a new Administrators Group
Adding an Administrator to an Administrators Group
Permissions
Administrator Group Details
Click Edit to change the values in this screen. Use Save after editing this screen.
Figure 5-4: Administrator Group Details
The Administrator Group Details screen contains the following information:
Field Description
Group Name: Name of the Administrators Group (e.g. Finance, Marketing).
Notes: Here you can write a description of the group.
Password expiration after x days: Select the required number of days after which the administrators in this group will be forced to replace the password.
Enforce secure password: If checked, the passwords must satisfy at least 3 of the following criteria: contains [A-Z]; contains [a-z]; contains [0-9]; contains one of the following [!@#$%^&*()].
Require password change on first login: If checked, a new administrator in this group will need to change the password on first login.
Permissions definition: Refer to Permissions for more information.
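As an added example, not code from the product, the checks below apply the Administrator Group Details settings above to an administrator account: the 3-of-4 secure password rule, the x-day expiration and the forced change on first login. The password-set date used for expiry and the exact-day comparison are assumptions of the example, and all names are constructed.

```python
"""Added example (not SWG code): the Administrator Group Details password settings
above applied to an administrator account. Names and dates are constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The four criteria in the table; Enforce secure password needs at least 3 of them.
CRITERIA = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*()]"),
}
MIN_CRITERIA = 3


def met_criteria(password: str) -> List[str]:
    """Names of the criteria a password satisfies, in table order."""
    return [name for name, rx in CRITERIA.items() if rx.search(password)]


def is_secure_password(password: str) -> bool:
    return len(met_criteria(password)) >= MIN_CRITERIA


@dataclass
class AdministratorGroup:
    name: str
    password_expiration_days: Optional[int] = None   # None: no expiration configured
    enforce_secure_password: bool = False
    require_change_on_first_login: bool = False


@dataclass
class Administrator:
    name: str
    group: AdministratorGroup
    password_set_on: date          # assumption: the console records when the password was set
    has_logged_in: bool = False


def accept_new_password(admin: Administrator, password: str) -> bool:
    """Apply the group's Enforce secure password setting to a proposed password."""
    return is_secure_password(password) or not admin.group.enforce_secure_password


def must_change_password(admin: Administrator, today: date) -> Optional[str]:
    """Why a login would force a password change ('first login', 'expired'), or None."""
    if admin.group.require_change_on_first_login and not admin.has_logged_in:
        return "first login"
    days = admin.group.password_expiration_days
    if days is not None and today >= admin.password_set_on + timedelta(days=days):
        return "expired"   # assumption: forced on the day the x-day period ends
    return None
```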
See also: Administrators
Default Permissions
Administrator Details
Creating a new Administrators Group
Adding an Administrator to an Administrators Group
Permissions
Administrator Details
Click Edit to change the values in this screen. Use Save after editing this screen.
Figure 5-5: Administrator Details
The administrator details screen contains the following information:
Field Description
Administrator Name: Name of the Administrator.
Notes: Here you can write a description of the group.
Email: Enter the administrator's email address.
Master Policy: The Master Security Policy provides an extra level of protection for policy administrators to assign to Users. For further information see Master Security Policy.
Permissions definition: Refer to Permissions for more information.
Password Change:
Old Password: Enter the current password (when there is one).
New Password: Enter the new password for the administrator.
Confirm Password: Re-enter the password to confirm it.
See also: Administrators
Default Permissions
Administrator Group Details
Creating a new Administrators Group
Adding an Administrator to an Administrators Group
Permissions
Creating a new Administrators Group
To create a new Administrators Group:
1. Right-click the Administrators main node (Default Permissions) and click Add Administrator Group (you can use the left toolbar to do the same action by clicking on the icon). The Administrator Group Details screen is displayed in the right-hand pane.
2. Enter a Group Name for the new group, for example, Special Division.
3. Enable the options of your choice. Refer to Administrator Group Details for information on the fields in this screen.
4. Edit the Permissions Definitions. For further details refer to Permissions.
5. Click Save to apply the changes.
NOTES: The Super Administrator group is a default administrator group and can contain one or more administrators. It has permissions on all objects within all classes.
See also:
Administrators
Default Permissions
Administrator Group Details
Administrator Details
Adding an Administrator to an Administrators Group
Permissions
Adding an Administrator to an Administrators Group
To add a new administrator to an Administrator Group:
1. Right-click the selected Administrator Group and select Add Administrator.
Figure 5-6: New Administrator Details Screen
2. Enter a new Administrator name.
3. The Identifiers section is used to uniquely identify the user to the system. Click and select Add.
4. In the Type drop-down list, choose between IP or User Name. If you have chosen IP, add the required IP address in the Value field. If you have chosen User Name, add the appropriate domain_name\user_name in the Value field.
5. Click Save to apply the changes.
See also:
Administrators
Default Permissions
Administrator Group Details
Administrator Details
Creating a new Administrators Group
Permissions
Permissions
The Permissions scheme is based on an inverted hierarchy. If at any level no permission (update, view, etc.) is specified, then the default is the setting one level up. If that is not specified, the next level is used, etc. The hierarchical level is both on an administrator level and on a data level. For administrators, permission given for each level can be overridden by the next level, with Administrator being the highest level: Default Permissions > Administrator Group > Administrator. For data, permission given for each level can be overridden by the next level, with Objects being the highest level: Class > Sub-class > Object.
The Permissions Definition grid is divided as follows:
Field Description Example
Class: Class is any entity within the product. It can be a stand-alone or it can contain other groups within it. Example: Header Fields, Import/Export, Security Policies.
Sub-Class: Group with permissions attached. Finjan = default permissions; My = My administrator group or any administrator group I am responsible for; Other = Any administrator group outside of my jurisdiction. Note that each individual administrator can have different permissions on the groups that his/her group is responsible for. Example: N/A.
Object: Object within a class. Example: (Header Fields) Media Players.
Default: Default Permissions as defined by a previous hierarchical level. Example: Inverted Hierarchy - each level can override the one above in this order: Administrator > Administrator Group > Default Permissions.
Access: Permissions to be granted. Example: Update = can make changes, create new objects, etc.; View = can view classes/objects only; None = has no permissions to this object/class; Default = whatever is written in the Default column to the left of this one will be the granted permission.
NOTES: Select Web Logs and, under Other, give the administrator groups View access to allow administrators to view Web Logs for Users belonging to other administrator groups.
The Super Administrator group, which is a default administrator group and can contain one or more administrators, has permissions on all objects within all classes.
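Added example, not the product's implementation: a resolver for the inverted hierarchy described above. The guide does not say how the two hierarchies interleave, so this example assumes the data hierarchy is walked first (Object, then Sub-class, then Class) and, at each data level, the administrator hierarchy (Administrator, then Administrator Group, then Default Permissions); treating a permission that is specified nowhere as None is also an assumption. All names are constructed.

```python
"""Added example (not SWG code): effective access under the inverted hierarchy
described above. Assumption: the data hierarchy (Object, Sub-class, Class) is walked
first and, at each data level, the administrator hierarchy (Administrator,
Administrator Group, Default Permissions); nothing set anywhere means None."""
from typing import Dict, Iterable, List, Optional, Tuple

GRANTS = ("Update", "View", "None")   # explicit values; "Default" or absence defers upward
Key = Tuple[str, Optional[str], Optional[str]]    # (class, sub-class, object)
Grid = Dict[Key, str]                             # one Permissions Definition grid


class PermissionResolver:
    def __init__(self, defaults: Grid, groups: Dict[str, Grid],
                 admins: Dict[str, Tuple[str, Grid]], super_admins: Iterable[str] = ()):
        self.defaults = defaults              # Default Permissions (preconfigured by M86)
        self.groups = groups                  # administrator group name -> its grid
        self.admins = admins                  # administrator name -> (group name, own grid)
        self.super_admins = set(super_admins)

    def _admin_levels(self, admin: str) -> List[Grid]:
        group, own = self.admins[admin]
        # Administrator overrides Administrator Group, which overrides Default Permissions.
        return [own, self.groups.get(group, {}), self.defaults]

    def effective_access(self, admin: str, cls: str, sub: Optional[str] = None,
                         obj: Optional[str] = None) -> str:
        if admin in self.super_admins:        # Super Administrators: all objects, all classes
            return "Update"
        # Object overrides Sub-class, which overrides Class (data hierarchy).
        for key in ((cls, sub, obj), (cls, sub, None), (cls, None, None)):
            for grid in self._admin_levels(admin):
                access = grid.get(key, "Default")
                if access in GRANTS:
                    return access
        return "None"   # assumption: nothing specified at any level grants nothing


def sample_resolver() -> PermissionResolver:
    """Constructed setup: bob narrows his group's Update on one policy down to View."""
    defaults = {("Security Policies", None, None): "View", ("Web Logs", None, None): "None"}
    finance_admins = {("Security Policies", "My", None): "Update",
                      ("Web Logs", "Other", None): "View"}   # the Web Logs note above
    bob = {("Security Policies", "My", "Finance Policy"): "View"}
    return PermissionResolver(defaults, {"Finance Admins": finance_admins},
                              {"bob": ("Finance Admins", bob), "carol": ("Finance Admins", {})},
                              super_admins=["root"])
```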
Figure 5-7: Default Permissions - Super Administrators
See also:
Administrators
Default Permissions
Administrator Group Details
Administrator Details
Creating a new Administrators Group
Adding an Administrator to an Administrators Group
System Settings
The System Settings menu allows you to configure the following:
• M86 Devices
• Scanning Options
• Mail Server
• Scanning Engines
• Administrative Settings
• Digital Certificates
• License
• Debug Logs
• GUI Log Level
Figure 5-8: System Settings
See also:
Administration
Administrators
Cloud
Rollback
Export/Import
Updates
Alerts
System Information
Change Password
M86 Devices
Available Device Tree Options
Device IP
Network Roles
Log Server
Scanning Server
Integrated SSL Scanning
Default Values
Policy Server
Scanning Options
Mail Server
Scanning Engines
Administrative Settings
Digital Certificates
License
Debug Logs
GUI Log Level
M86 Devices
In the Main Tool bar, navigate to Administration > System Settings > M86 Devices to display the Devices tree in the left pane. The Devices tree includes a list of device IPs defined in the system.
Figure 5-9: Devices Tree
Each device can be allocated one of the following device roles:
• Policy Server: An administration point for system configuration and security policy settings. The settings defined in the Policy Server are pushed to all Scanning Servers such that the system is always updated.
• Scanning Server: Scanning servers scan content and enforce the predefined policy for that content. The Secure Web Service (cloud) scanner performs the same actions, hosted in the cloud. See Cloud Configuration for more information.
• Log Server: A short-term centralized repository for transactional information. The transactional information is generated by the Scanning Servers and queued in Log Relays, after which it is aggregated to the centralized repository. By default, the Log Server is installed together with the Policy Server.
In addition, there is the Report Server, which generates and distributes reports based on transactional information. By default, the Report Server is installed together with the Policy Server and does not have any configurable settings. You can add devices to your system as well as configure existing ones.
NOTES: In order for each device to function in the device role you have assigned to it, you need to define initial system settings for each device. Please refer to the Setup and Configuration guide for more information.
See also:
System Settings
Available Device Tree Options
The Devices tree includes a list of device IPs defined in the system. The following right-click options are available in the Devices tree:
Action Description
Add Device: Available from the top-level folder only. Allows you to add a new Device to your deployment.
Add Device by Range: Available from the top-level folder only. Allows you to add a new Device (in a certain IP Range) to your deployment.
Delete Device: Available from a Device IP.
Set As Default: Available from a Module or Module elements. Sets the values defined here for the Module and/or its elements as the default values, which are displayed under the Scanning Server Default Values folder.
Apply Default Values: Available from a Module or Module elements. Applies the default values displayed under the Scanning Server Default Values folder to the module and/or elements here.
Flush Cache (Cache only): Enables flushing the cache. See Flushing the Cache for more information.
Import Root Certificate (HTTPS only): Enables importing a root certificate. Refer to Import Certificate for further details.
Generate Root Certificate (HTTPS only): Enables generating a root certificate. Refer to Generate a Certificate for further details.
Export Root Certificate (HTTPS only): Enables exporting a root certificate. Refer to Export Certificate for further details.
Reset all with Default Values: Available from Default Scanning Server Values only. Resets all Scanning Servers with the default values displayed here. Refer to Default Values for more information.
Reset
Device IP
Clicking on any Device IP address displays the Device IP screen. This screen displays the following fields:
Field Description
Device IP: Defines the IP address of the current device.
Type: Allows you to choose between the available types (e.g. Policy Server, All in One).
Description: Description of the device.
The following tabs are included:
• Status Tab: The Status tab provides status information on the device such as connection and activity status.
• Access List Tab: The Access List tab enables defining specific IPs or IP ranges controlling access to the Management Access List, the User Access List and access to SWG system ports.
• Configuration Scheduling Tab: The Configuration Scheduling tab allows administrators to configure changes on the Policy Server and to determine when they take effect.
Status
The Status tab provides status information on the device such as connection and activity status.
Figure 5-10: Device IP - Status
The following table provides information on the Device IP Status screen:
Field Description
Sync Status: Defines whether the Device is synchronized with the Policy Server.
Connection Status: Defines whether the device is connected to the Policy Server. Whenever the Connection Status is Not Active, the relevant Server is displayed in yellow.
Committing Status: Defines whether the device is in the Preparing to Commit status, the Committing Changes status, or is Stable.
Last Connection Time: Defines the last time this device was connected to the Policy Server. When connected, displays the current time.
Device Role: Displays the roles which belong to that Device.
Activity Status: Defines whether the device is Active or not.
Access List
The Access List tab enables defining specific IPs or IP ranges controlling access to the following:
• The Management Access List refers to the Management Console, SSH and SNMP for administrators. For example, in order to block access to the Management Console for other specific administrators, specify only the relevant IP addresses of authorized administrators. When enabled, this list must have at least one IP filled in so that access to the Management appliances is not totally blocked.
• The User Access List refers to end-users browsing through the appliance, and is based on the Scanning Server IPs. Using this option, you can allow only specific ranges of end-users to browse through SWG, and block other users.
• Access to SWG system ports refers to a list of device IPs that have access to the SWG system.
To enable and edit the Access List feature:
1. Click on the IP address of the device and select the Access List tab.
2. Click Edit in the right pane.
3. Select the Use Access List checkbox.
Figure 5-11: Access List
4. Once enabled, you must define AT LEAST one Management Access List (preferably containing the IP of the machine accessing the Management Console).
5. Click the icon and select Add Row from the drop-down menu. Define the ranges from the smallest IP number to the largest IP number.
6. Similarly, define ranges for any additional User Access Lists or SWG system ports.
7. To delete an entry, select it and click the icon in the same row. Select Delete Row from the drop-down menu to remove the list.
8. Click Save to apply changes. Next, click the commit icon to commit them.
Troubleshooting: Access List
If the Access List is enabled, then modifying the Device IP or the Appliance role, or adding an additional device to the topology, among other things, might cause a loss of connection with the modified device. Connection loss may also affect the connection with other devices in this cluster and with administrators. To avoid this, perform the following procedure on the device you want to change:
When changing roles or IPs, or adding additional devices to the tree:
1. Disable the Access List through the Limited Shell using the disable_al command.
2. Perform the change of role or IP, or the device addition.
3. Enable the Access List through the Limited Shell using the enable_al command.
In situations where the connection to the device is lost or the Access List has not been disabled, Administrators can connect to the device via the serial port console and disable the Access List.
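The following added example (not part of the guide or the product) models the three Access List ranges described above and adds the pre-commit check that the troubleshooting section implies: an enabled list must contain at least one Management entry, and that entry should cover the administrator's own workstation so that the commit does not lock administrators out. The list names, range representation and sample addresses are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Each list holds (From, To) address strings, defined from the smallest to the
# largest IP as the Add Row step requires (constructed representation).
RangeSpec = Tuple[str, str]


class AccessListConfigError(ValueError):
    """Raised when an Access List configuration would be rejected or would lock administrators out."""


def parse_ranges(ranges: Iterable[RangeSpec]) -> List[Tuple[int, int]]:
    """Convert (From, To) address strings to integer bounds, rejecting reversed ranges."""
    parsed = []
    for low, high in ranges:
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        if lo > hi:
            raise AccessListConfigError(f"range {low}-{high} must run from smallest to largest IP")
        parsed.append((lo, hi))
    return parsed


class DeviceAccessList:
    """Models the three lists on the Device IP > Access List tab."""

    def __init__(self, use_access_list: bool,
                 management: Iterable[RangeSpec] = (),
                 users: Iterable[RangeSpec] = (),
                 system_ports: Iterable[RangeSpec] = ()) -> None:
        self.enabled = use_access_list
        self.lists: Dict[str, List[Tuple[int, int]]] = {
            "management": parse_ranges(management),      # Management Console, SSH, SNMP
            "users": parse_ranges(users),                # end-users browsing via the Scanning Server
            "system_ports": parse_ranges(system_ports),  # device IPs that may reach SWG system ports
        }

    def is_allowed(self, list_name: str, ip: str) -> bool:
        """True if ip is permitted by the named list; everything is allowed while the feature is off."""
        if not self.enabled:
            return True
        addr = int(ipaddress.ip_address(ip))
        return any(lo <= addr <= hi for lo, hi in self.lists[list_name])

    def check_before_enabling(self, admin_ip: str) -> None:
        """Pre-commit check: an enabled Access List needs at least one Management entry,
        and that entry should cover the workstation the administrator is using right now."""
        if not self.enabled:
            return
        if not self.lists["management"]:
            raise AccessListConfigError("Management Access List is empty; enabling it blocks all administrator access")
        if not self.is_allowed("management", admin_ip):
            raise AccessListConfigError(f"administrator address {admin_ip} is outside the Management Access List")


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real deployment.
    acl = DeviceAccessList(True, management=[("10.0.0.10", "10.0.0.20")],
                           users=[("192.168.1.0", "192.168.1.255")])
    acl.check_before_enabling("10.0.0.12")
    print("end-user 192.168.1.77 allowed:", acl.is_allowed("users", "192.168.1.77"))
```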
Advanced
The Device IP Advanced tab allows administrators to enable the Reverse DNS lookup option, to determine the domain name that is associated with a given IP address (using DNS). In doing so, the administrator may prevent users from bypassing URL filtering security measures. Enabling this checkbox runs the reverse lookup prior to writing log entries, which results in log entries listing the URL name rather than the IP address. Click Edit and check the Enable Reverse DNS box. Click Save to commit the changes.
Configuration Scheduling
The Configuration Scheduling tab allows administrators to configure changes on the Policy Server and to determine when they take effect. If Configuration Scheduling is enabled, configuration changes that are made will not be committed to the device immediately. Changes must wait until the designated time specified in Configuration Scheduling and will only be committed during the timeframe entered in the Update Window field. (For example, changes could take effect at 12:00 p.m. within a window of 2 minutes.) When setting configuration times, click Edit in the Configuration Scheduling tab. Schedule updates at a specific hour, and specify in the Update Window the number of minutes in which the changes can be committed.
Figure 5-12: Configuration Scheduling
Network Roles
Expand the device IP in the Devices tree to display all the network roles for the specific device. The following network roles are available:
• Log Server
• Scanning Server
• Policy Server
Log Server
The Log Server creates log entries to be sent to the Policy Server for viewing via the Management Console. The Log Server contains the following module:
• Log Properties
Figure 5-13: Log Server
Log Properties
The Log Properties screen displays the log server for the specified device. This screen contains the following tabs:
• Collect Logs From
• Syslog Target
• Syslog Fields
• Log Archiving
The Log Properties window displays all the available devices that generate logs. The window contains the following editable tabs:
Field Name Description
Collect Logs From: Relay Device IPs are displayed in order to gather log information from the log relays of these devices.
Syslog Targets: Sends information to one or two UNIX Syslog facilities which log data.
Syslog Fields: Contains configuration options for scanner syslog messages.
Log Archiving: Sends Log information to an external archive location and schedules when the archives should be sent.
Collect Logs From
The Log Relay Device section is reserved for situations where there are several devices in your configuration. In this case, the Relay Device IPs are displayed in order to gather log information from the log relays of these devices. The Log Relay device collects the logs every few seconds by default. However, you can define specific time periods for specific scanning servers during which to collect the log information. This may be useful if you have a distributed system in which scanning devices are located in different time zones or are reachable via slow communication lines.
When users browse using the scanning servers, each scanning server locally collects its own logging information, according to the defined logging policy. Periodically, the scanners push the log data to the Policy Server so that it can present the information in the Log Viewer. This process uses significant bandwidth during the data transfer and may affect performance in distributed environments in which the bandwidth is limited. To utilize the available bandwidth more efficiently, the Log Properties screen provides a Scheduling mechanism, which allows the administrator to define when the log is transferred from the scanning servers to the Policy Server.
NOTES: Scheduling only applies to Message Logs from Scanning Servers, based on the defined Logging Policy. In other words, the other types of logs are still retrieved every few seconds.
To configure Log Scheduling:
1. In the Management Console, navigate to Administration > System Settings > M86 Devices > Device IP.
2. Click and expand the Log Server node and then click Log Properties.
3. Click Edit in the Log Properties window.
4. The Active checkbox indicates whether the device is active or not.
5. The Secured checkbox should be enabled to ensure that messages are sent encrypted for maximum security.
6. In the Log Relay Device field, click to expand Scheduling.
Figure 5-14: Collect Logs From
Configure time frames for each scanning server from which logs should be received.
NOTES: On remote devices only, the Collect Logs From tab can be expanded to show the Scheduling field. Click the icons to specify scheduled times.
7. Click Save. Otherwise, click Cancel.
8. Click the commit icon to commit changes.
Syslog Target
The Syslog tab includes Syslog Configuration options.
Figure 5-15: Syslog
The following table provides information on the Syslog Targets Configuration fields:
Field Name Description
Facility Name
Facility Mode: Select one facility mode from the drop-down list which is operational for all message types. The facility option enables you to differentiate between M86 logs and other platforms' logs on the remote Syslog server.
Primary Syslog IP: Defines the target address and enables/disables sending information to the Primary Syslog Server.
Secondary Syslog IP: Defines the target address and enables/disables sending information to the Secondary Syslog Server.
Send System Log Messages: If checked, System Log messages are sent to Syslog.
Send Scanner Messages: If checked, information from each Log Rule in the dedicated Logging Policy which has Sent to Syslog checked is sent to Syslog.
Send Audit Messages: If checked, Audit messages (all changes made or actions taken from the Management Console) are sent to Syslog.
Syslog Fields
The Syslog Fields tab contains configuration options for scanner syslog messages. This tab allows you to select the transaction field names required for scanner messages, such as Client IP or User ID. The Syslog Fields tab contains:
NOTES: The Syslog Fields tab is relevant only when the Message Type selected in the Syslog Targets tab is ‘scanner’.
Title Description
Select/Deselect All: Enable this checkbox to select or deselect the transaction fields required for the scanning syslog messages.
Name: Name of the field of the scanner syslog transaction.
Prefix: The prefix of the syslog transaction item when listed in the final syslog message.
Encode: Formats data to represent characters which cannot be typed in the current context, or which would have an interpretation other than intended.
To configure Syslog Fields:
1. In the Management Console, navigate to Administration > System Settings > M86 Devices.
2. Click and expand the Log Server node and then click Log Properties.
3. Click Edit in the Log Properties window and click the Syslog Fields tab.
4. Enable or disable the checkbox to select or deselect all transaction item names.
5. Check the transaction Names required, and check any fields that require the output to be Encoded.
6. Click Save to commit configurations.
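As an added illustration of the Syslog Targets and Syslog Fields settings above (example code, not the product's implementation), the block below builds a scanner message from selected fields with their Prefix and Encode settings, wraps it in a BSD-syslog line whose PRI value carries the chosen facility, and sends it only to the enabled Primary/Secondary targets. The message layout, the use of percent-encoding for "Encode", the informational severity and the sample transaction are assumptions.

```python
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 3164 facility codes; Facility Mode is assumed to select one of the "local" facilities.
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
SEVERITY_INFO = 6  # scanner transaction records are sent as informational (assumption)


@dataclass
class SyslogField:
    """One row of the Syslog Fields grid."""
    name: str            # transaction field name, e.g. "Client IP"
    prefix: str          # text placed before the value in the final message
    encode: bool         # "Encode" column: percent-encode the value (assumed scheme)
    selected: bool = True


def format_scanner_message(transaction: Dict[str, str], fields: List[SyslogField]) -> str:
    """Build the body of a scanner message from the selected fields, in grid order."""
    parts = []
    for field in fields:
        if not field.selected or field.name not in transaction:
            continue
        value = transaction[field.name]
        if field.encode:
            # safe="" so that ':' '/' and spaces in URLs or user names cannot be
            # mistaken for message delimiters by the collector's parser
            value = urllib.parse.quote(value, safe="")
        parts.append(f"{field.prefix}{value}")
    return " ".join(parts)


def build_syslog_packet(facility: str, timestamp: str, hostname: str, body: str,
                        tag: str = "SWG") -> str:
    """Wrap the body in a BSD-syslog (RFC 3164) line. PRI = facility * 8 + severity, so
    the chosen facility is what lets the remote server separate M86 logs from other logs."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_INFO
    return f"<{pri}>{timestamp} {hostname} {tag}: {body}"


def dispatch(packet: str, targets: Dict[str, Tuple[str, bool]]) -> List[Tuple[str, str]]:
    """Return (target IP, packet) for each Primary/Secondary Syslog IP whose checkbox is enabled."""
    return [(ip, packet) for ip, enabled in targets.values() if enabled]


if __name__ == "__main__":
    # Constructed sample transaction and grid settings.
    tx = {"Client IP": "10.1.2.3", "User ID": "alice smith", "URL": "http://example.com/a b"}
    grid = [SyslogField("Client IP", "cip=", False), SyslogField("URL", "url=", True)]
    body = format_scanner_message(tx, grid)
    packet = build_syslog_packet("local0", "Jan  1 00:00:00", "swg-scanner1", body)
    print(dispatch(packet, {"primary": ("10.0.0.50", True), "secondary": ("10.0.0.51", False)}))
```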
Figure 5-16: Syslog Fields Configuration
Log Archiving
The Log Archiving tab includes Log Archiving Location and Log Archiving Scheduling. This tab allows you to send Log information to an external archive location and to schedule when the archives should be sent. Please refer to the How to Use Log Archiving feature description for further information.
Figure 5-17: Log Archiving
Log Archiving Location - The Log Archiving feature enables sending large amounts of information to an external archive location. There are two formats: Basic and Extended. The information is displayed with comma separated values and sent in a Gzip file format. This information can then be imported into an external database for viewing or running reports. The Basic file contains most of the current Log fields available, displayed in the following way:
Figure 5-18: Log Archiving
In order to send the log archives to an external storage location, you must select the Connection Method to be used for connecting to the required location. In addition, you must create the required Logging Policy with the Send to Archive option ticked and have this assigned to the User Group. The following connection methods are available in the Connection method drop-down list and are explained in the table below:
Connection Method Description
None: An external archive is not used. (This is the default option.)
FTP: Connects via regular File Transfer Protocol methods.
FTP Passive: Connects via File Transfer Protocol in passive mode, for use when there is a firewall located between the Policy Server and the remote FTP site.
Samba: Uses the Server Message Block (SMB) communication protocol.
SFTP: Uses the Secure File Transfer Protocol.
Your selected Connection Method determines the values used to define your Archive Location, User to connect with and Password fields.
Selected Description
None: No information can be entered.
FTP: The Archive Location must include the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.
FTP Passive: The Archive Location must include the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.
Samba: The Archive Location must include the server IP address and directory for your selected location, in the following format: //address/dir, for example, //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Archive Location, in the following format: workgroup/user, for example, marketing/nicole. The Password should be the password used by the above user.
SFTP: The Archive Location must include the server IP address for your selected location, for example, 10.194.5.104/. The User to connect with is the user name used when connecting to the Archive Location. The Password should be the password used by the above user.
When you click the Test button, an attempt is made to send a test file to the archive location. If the attempt fails, a message pops up. If the operation is successful, the message Archiving Operation Succeeded is displayed in the bar on the bottom left of the screen. When everything is configured correctly, click Save to activate your changes.
Log Archive Scheduling - you can choose to send the data to the archive location either at a fixed time every day or every number of hours as required.
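The per-method formats of the Archive Location and User fields in the table above can be checked before clicking Test. The parser below is an added example, not code from the guide or the product; it enforces exactly the formats the table documents, flags which methods protect the archive and credentials in transit, and leaves the password alone. The sample values are the guide's own examples, and treating the host strictly as an IP address is an assumption taken from the table wording.

```python
import ipaddress
import re
from typing import Dict


class ArchiveConfigError(ValueError):
    """Raised when Archive Location / User do not follow the format for the Connection Method."""


def parse_archive_location(method: str, location: str, user: str) -> Dict[str, object]:
    """Split the free-text fields into host, directory, workgroup and user, enforcing the
    per-method format the manual documents. The password is deliberately not handled here."""
    result: Dict[str, object] = {
        "method": method, "host": None, "directory": None, "workgroup": None, "user": None,
        # only SFTP protects the archive contents and the credentials in transit
        "encrypted": method == "SFTP",
    }
    if method == "None":
        if location or user:
            raise ArchiveConfigError("no archive information can be entered when the method is None")
        return result
    if method == "Samba":
        m = re.fullmatch(r"//([^/]+)/(.+)", location)  # //address/dir
        if not m:
            raise ArchiveConfigError("Samba location must be //address/dir")
        host, directory = m.groups()
        wm = re.fullmatch(r"([^/]+)/([^/]+)", user)  # workgroup/user
        if not wm:
            raise ArchiveConfigError("Samba user must be workgroup/user")
        result["workgroup"], result["user"] = wm.groups()
    elif method in ("FTP", "FTP Passive", "SFTP"):
        m = re.fullmatch(r"([^/]+)/(.*)", location)  # address/dir, or just address/ for SFTP
        if not m:
            raise ArchiveConfigError(f"{method} location must be address/dir (or address/)")
        host, directory = m.groups()
        if not user:
            raise ArchiveConfigError(f"{method} requires a user to connect with")
        result["user"] = user
    else:
        raise ArchiveConfigError(f"unknown connection method {method!r}")
    try:
        ipaddress.ip_address(host)  # the manual specifies an IP address, not a host name
    except ValueError as exc:
        raise ArchiveConfigError(f"archive host {host!r} is not an IP address") from exc
    result["host"], result["directory"] = host, directory
    return result


if __name__ == "__main__":
    # The guide's own example values.
    print(parse_archive_location("Samba", "//192.168.1.10/archive", "marketing/nicole"))
    print(parse_archive_location("SFTP", "10.194.5.104/", "sarah"))  # "sarah" is a constructed user
```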
NOTES: In addition to the SWG Internal Reporting Tool, M86 Security offers comprehensive support for integration with the Security Reporter. The Security Reporter (SR) is an advanced external reporter that offers organizational, security, and productivity reports. The SR option allows for sending log archives to both the Security Reporter and to an external storage location for archival purposes.
Scanning Server
The Scanning Server is responsible for analyzing and checking all content passing through the system in accordance with the Security Rules. The Scanning Server contains the following modules:
• General
• HTTP
• Authentication
• ICAP
• FTP
• WCCP
• Cache
• HTTPS
General
The Scanning Server General screen displays the general definitions for the specified device. This screen contains options to configure Downloads, Timeout and Transparent Proxy Mode. To edit the Scanning Server General screen, click Edit in the right pane.
Downloads
The Downloads tab allows you to configure the maximum scannable size for files downloaded or uploaded via the proxy (in megabytes).
Figure 5-19: Scanning Server - Downloads
Timeout
The SWG system acts as a Proxy device which handles connections coming from the client to the server. Client Side Timeout is defined as the time between consecutive requests within the client-proxy connection. Server Side Timeout is defined as the time between consecutive content pieces received from the server. It is highly recommended not to modify these timeout options.
Figure 5-20: Scanning Server - Timeout
Transparent Proxy Mode
The SWG Appliance can work as a transparent proxy. If enabled, FTP, HTTPS, and HTTP requests are intercepted by the appliance transparently and passed on to the server (Web or FTP). When multiple scanning servers are used, a layer 4 load balancer appliance, or a WCCP enabled router or switch, should redirect the Web and FTP traffic to the scanning servers using transparency. Transparency in SWG works at the IP layer. Traffic must be routed to the SWG appliance in order for it to be scanned. For example, the SWG scanning server could be specified as the default gateway for client machines.
• Select Enable Transparent Proxy Mode to enable FTP, HTTPS, and HTTP requests to be intercepted. Once you select this checkbox, you can configure the FTP, HTTPS, and HTTP ports. Only traffic destined for the ports defined in the HTTP and HTTPS Ports and FTP Ports fields is scanned. Traffic on other ports is passed through. To scan FTP transparently, select the Enable FTP for device checkbox located in Administration > System Settings > M86 Devices > Scanning Server > FTP.
Figure 5-21: Transparent Proxy Mode
NOTES: If traffic exists on the network using non-standard port numbers, it is possible to add additional port numbers for scanning. For example, if there is HTTP traffic on Port 81, it is treated as HTTP and scanned by SWG.
To add/delete HTTP Ports and FTP Ports:
1. Click Edit in the right pane.
2. Select Enable Transparent Proxy mode.
3. In the HTTP/FTP/HTTPS Ports section, click the icon to add a new row.
4. Enter the Port Range values in the From and To fields.
5. Repeat as many times as necessary. To delete entries, click the icon on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Next, click the commit icon to commit them.
Device Policies
The Device Policies tab allows central management of all device related policies. In this screen, the administrator selects the policies to be associated with this particular device IP. Policy Options include:
Field Name Description
Identification Policy: Identification Policies define whether and how the end-user will be identified or authenticated by the system. Proper identification allows the system to enforce the proper Security Policy for the end-user. M86 provides several predefined Identification Policies:
• Source IP Only: identifies the user by source IP
• Read Headers: identifies the user by HTTP header
• Get User Credentials: requests the user to send credentials
• Authentication: performs real user authentication against a password server
Device Logging Policy: A Device Logging Policy is a set of rules dealing with the logging of transaction data for this specific Device IP. The only action resulting from a logging rule is to log the transaction. The Logging Policy can implement logging at different levels, depending on your requirements. Logging Rules decide both what is logged (blocked, allowed, all) and where the information is sent (logs, archives, reports etc.). As with Security rules, any action taken will be according to the rule of highest priority that matches the terms of the Rule.
Upstream Proxy Policy: The Upstream Proxy Policy screen allows administrators to configure upstream proxy settings for traffic scanned by the SWG system. The screen incorporates one default proxy (Direct). The Upstream Proxy Policies are built as follows:
• Policies are compiled from rules
• Rules are based on Conditions
A Policy may be assigned to one user or user group that passes through a specific device. The right-click menu option in the Upstream Proxy Policies tree allows you to Add a Policy. Once a new policy is created, you can add rules, or delete / duplicate the policy.
Caching Policy: The global caching policy affects all users who are browsing using the SWG system. By default, when the system license includes caching, caching is enabled and SWG caches all cacheable HTTP content.
To select policies for this Device IP, click Edit in the
HTTP
The Scanning Server HTTP screen displays the HTTP settings for the specified device. To edit the Scanning Server HTTP screen, click Edit. This screen includes the option to Enable HTTP for Device. When HTTP is enabled, you can disable HTTPS (and vice versa), thus closing the unused ports and tightening up security.
HTTP Service
The HTTP Service tab contains HTTP Service settings.
Figure 5-22: HTTP Service
The following table provides information on the HTTP Service:
Field Name Description
Listening IP: Defines the IP address for HTTP listening. If this field is left empty, then HTTP listens on all interface cards configured in the system.
Listening Port: Defines the listening port (the default port is 8080).
URL Rewriting: Rewrites the URL destination location. See URL Rewriting.
Advanced
The Advanced tab contains HTTP Advanced settings.
Figure 5-23: HTTP Advanced
The following table provides information on the HTTP Advanced Setting fields:
Field Name Description
Maximum HTTP Transactions Backlog: Defines the maximum number of queued pending connections waiting to be accepted.
Always try FTP Passive Mode Connection to Server: Check this option in order to enable passive FTP mode when connecting to an FTP server. This is the default mode. If you uncheck it, FTP works only in Active Mode.
Enable Connection-Based Authentication Protocols through Proxy: If an HTTP proxy is used between the client and server, it must take care not to share authenticated connections between different authenticated clients to the same server. If this is shared, then the server can easily lose track of security context associations. A proxy that correctly preserves client to server authentication integrity will supply the "Proxy-support: Session-Based-Authentication" HTTP header to the client in HTTP responses from the proxy. The client must not utilize the SPNEGO HTTP authentication mechanism through a proxy unless the proxy supplies this header with the "401 Unauthorized" response from the server. So when this option is turned on, the proxy injects the above header to tell the client it is allowed to authenticate with the web server. This header can only be injected if there are no other proxies between client and server.
Prevent Content Caching by all Downstream Nodes: Enables/disables incoming content from being cached locally. This is disabled by default.
Block Tunneled Protocols (HTTPS): Blocks tunneling through the proxy (CONNECT requests). When enabling HTTPS, both HTTPS scanning and HTTP tunneling on port 443 are enabled on this device. To disable HTTP tunneling, select the Block Tunneled Protocols (HTTPS) checkbox.
Enable Trickling: During download of a large file, enables small chunks of data to be sent periodically to the user in order to prevent timeouts. (Default: enabled)
Client Wait Time (in seconds): Defines the amount of time, in seconds, between trickling portions from the Proxy to the Client. The default value for this is 5 (do not change this default).
Client Side - Version - Persistent: Enables/disables a persistent connection (using HTTP 1.0/1.1) from the end-user.
Server Side - Version - Persistent: Enables/disables a persistent connection (using HTTP 1.0/1.1) to the web server.
Upstream Proxy
The following table provides information on the HTTP Upstream Proxy fields:
Field Name Description
Client IP Header: Header information for user identifiers supplied by an upstream proxy.
User Name Header: Specifies the User Name in the Header Field.
Protocol - IP Address - Port - Active: For each protocol (HTTP, HTTPS, FTP) click Active and add the required IP address. To use the same proxy for all protocols, select Use for all protocols.
Headers
The Headers tab allows you to manipulate Request or Response Headers in the HTTP transaction.
Figure 5-24: HTTP Headers
The following table provides information on the fields.
Action drop-down list option Description
Add Header: Adds the header to the HTTP Request.
Remove Header: Removes the header from the HTTP Request.
Copy Value to New Header: Creates a new header with the information from the Value/Source Header contained within.
To add a Header:
1. Click Edit in the right pane.
2. In the HTTP Request Headers section, click the icon to add a new row.
3. In the HTTP Response Headers section, click the icon to add a new row.
4. Enter the required Header Name, corresponding Value / Source Header, and Action in both sections.
5. Repeat as many times as necessary. To delete entries, click the icon on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Click the commit icon to commit them.
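The three grid actions above, applied in row order to one header set, as an added example that is not the product's code. It assumes that header names are matched case-insensitively (as HTTP requires) and that a Copy Value to New Header row whose Source Header is absent is simply skipped; the sample request headers and rule names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HeaderRule:
    """One row of the HTTP Request Headers or HTTP Response Headers grid."""
    name: str             # Header Name
    value_or_source: str  # Value for Add Header, Source Header for Copy Value to New Header
    action: str           # "Add Header", "Remove Header" or "Copy Value to New Header"


def apply_header_rules(headers: Dict[str, str], rules: List[HeaderRule]) -> Dict[str, str]:
    """Apply the grid top to bottom and return the rewritten header set.
    Header names are matched case-insensitively (RFC 7230); the input dict is not modified."""
    out = dict(headers)
    index = {k.lower(): k for k in out}  # lower-cased name -> name as actually present

    def remove(name: str) -> None:
        key = index.pop(name.lower(), None)
        if key is not None:
            del out[key]

    def put(name: str, value: str) -> None:
        remove(name)  # replace any existing spelling of the same header
        out[name] = value
        index[name.lower()] = name

    for rule in rules:
        if rule.action == "Add Header":
            put(rule.name, rule.value_or_source)
        elif rule.action == "Remove Header":
            remove(rule.name)
        elif rule.action == "Copy Value to New Header":
            src = index.get(rule.value_or_source.lower())
            if src is not None:  # nothing to copy if the source header is absent
                put(rule.name, out[src])
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return out


if __name__ == "__main__":
    # Constructed sample request and grid rows (hypothetical header names).
    request = {"Host": "intranet.example", "User-Agent": "Mozilla/5.0", "proxy-connection": "keep-alive"}
    grid = [HeaderRule("X-Scanned-By", "SWG", "Add Header"),
            HeaderRule("Proxy-Connection", "", "Remove Header"),
            HeaderRule("X-Original-Host", "Host", "Copy Value to New Header")]
    print(apply_header_rules(request, grid))
```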
Allowed Server Ports
The Allowed Server Ports screen allows you to configure ports that the proxy is allowed to connect to for each protocol listed - HTTP, HTTPS, FTP over HTTP.
NOTES: These ports are not relevant if you are working in the Transparent Proxy Mode.
Figure 5-25: Allowed Server Ports in URI
To add/delete a specific port:
1. Click Edit in the right pane.
2. Select Enable HTTP for Device.
3. In the Enable HTTP for Device section, click the icon to add a new row to Specific Ports for HTTP, Specific Ports for HTTPS, and Specific Ports for FTP over HTTP respectively.
4. Enter the required ports in the From and To range.
5. Repeat as many times as necessary. To delete entries, click the icon on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Next, click the commit icon to commit them.
HTTP Service
Advanced
156 M86 SECURITY, ADMINISTRATION ADMINISTRATION
Upstream Proxy
Headers
URL Rewriting
The URL Rewriting feature allows the proxy to direct URLs (or IP addresses) to a specified alternate location. This may help avoid expending unnecessary internet traffic resources when browsing, and/or forward users to localized resources (for example, *.google.com to *.google.co.il). The URL Rewriting tab is comprised of the following:
Field Name | Description
Enable URL Rewriting | Checkbox to enable the feature that effectively 'redirects' users to an alternate location
Number | Defines the order of the application
Enable | Enable the application of this particular rule
Source | The intended URL or IP address, such as: ^http://(.*\.yahoo\.*)/(search.*)
Destination | The location to which the URL has been redirected. Can be a URL or IP address, such as: http://\1/\2&vm=r
Case Sensitive | Checkbox to indicate whether the rule is case sensitive
Mode (Server) | The browser is unaware that a redirect is occurring. Each request is redirected by the proxy.
Mode (Client) | The browser is instructed to go to an alternate location, and the client is aware of the change.
NOTES: The GUI provides a clear example of the Source and Destination criteria. It is found directly under the Enable URL Rewriting checkbox.
To enable URL Rewriting:
1. Navigate in the Management Console to Administration > M86 Devices > Scanning Server > HTTP.
2. Click the URL Rewriting tab. Click Edit.
3. Check the Enable URL Rewriting checkbox. Editing options in this grid are only available when this checkbox is enabled.
4. Click to add a record. In subsequent rules, clicking allows you to add or delete records at the end of this list.
5. Type the Source and Destination URLs, for example: ^http://(.*\.yahoo\..*)/(search.*) and http://\1/\2&vm=r
6. Click the Case Sensitive checkbox when there are two alternate locations where one is lower case and one is upper case.
7. Select the Mode with which to rewrite, either Server mode or Client mode. An administrator determines mode according to
8. Check the Enable field to ensure that this rule is applied.
9. The # field pertains to the priority given to this specific application. To change the priority of a specific record, click the icon. For example:
• CNN.com/*
• cnn.com/news
• cnn.com/news/canada
The right-click menu on this icon offers the following:
• Add record
• Delete record
• Increase priority
• Decrease priority
Figure 5-26: URL Rewrite right-click menu
10. Click Save.
Figure 5-27: URL Rewriting Screen
WARNING: If Caching is disabled, URL Rewriting will not work.
The URL Rewrite feature works only if Caching is enabled. The Caching module performs the rewrite, and as such, if caching is disabled, the rewrite will not work. However, the outcome of the URL Rewrite policy takes precedence over the caching function.
To run the Test function:
1. If in Edit mode, click Save in the tab and navigate to Cache within the same left tree pane (M86 Devices > Scanning Server > Cache).
2. Click Edit. Check the Enable Caching checkbox.
3. Click Save, and return to the previous HTTP screen > URL Rewriting tab.
4. In the first text field, enter the Source URL. For example,
5. Click Test. The Destination URL (the location of the redirected URL) appears in the secondary text field.
NOTES: If the Test returns no data, it means that no rules apply. It is not necessary to be in Edit mode to run the URL Rewrite test.
6. Click Save and Exit.
See also: HTTP, Cache, M86 Devices
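The rewriting behaviour described above (rules tried in # order, the Enable flags, Case Sensitive, Server versus Client mode, and the Test button) can be modelled in a few dozen lines. The following Python is an added example, not part of this guide or of SWG itself; the rule set, the cnn.com and sinkhole.invalid rules and the function names are constructed for illustration, while the yahoo and google patterns follow the guide's own examples. It generalizes the single yahoo example to a complete ordered rule table with priority changes.

```python
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RewriteRule:
    """One row of the URL Rewriting grid: #, Source, Destination, Enable, Case Sensitive, Mode."""
    number: int              # the "#" column; lower numbers are tried first
    source: str              # regular expression matched against the request URL
    destination: str         # replacement text; \1, \2 ... refer to capture groups in source
    enabled: bool = True
    case_sensitive: bool = True
    mode: str = "server"     # "server": proxy fetches the new URL itself; "client": browser is redirected


# Constructed rule set. Rules 1 and 4 use the guide's own examples (yahoo search, *.google.com to
# *.google.co.il); the cnn.com rules stand in for the guide's priority example; rule 5 would match
# everything and is deliberately disabled.
RULES = [
    RewriteRule(1, r"^http://(.*\.yahoo\..*)/(search.*)", r"http://\1/\2&vm=r"),
    RewriteRule(2, r"^http://cnn\.com/news/canada(.*)", r"http://edition.cnn.com/news/canada\1",
                case_sensitive=False, mode="client"),
    RewriteRule(3, r"^http://cnn\.com/news(.*)", r"http://www.cnn.com/news\1",
                case_sensitive=False, mode="client"),
    RewriteRule(4, r"^http://(.*\.)?google\.com/(.*)", r"http://\1google.co.il/\2"),
    RewriteRule(5, r"^http://(.*)", r"http://sinkhole.invalid/\1", enabled=False),
]


def rewrite(url, rules, feature_enabled=True):
    """(destination, mode) from the first enabled rule, in # order, whose Source matches;
    (url, None) when no rule applies or the Enable URL Rewriting checkbox is off."""
    if not feature_enabled:
        return url, None
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.enabled:
            continue
        pattern = re.compile(rule.source, 0 if rule.case_sensitive else re.IGNORECASE)
        m = pattern.search(url)
        if m:
            return m.expand(rule.destination), rule.mode
    return url, None


def run_test_button(url, rules):
    """What the tab's Test button shows: the destination URL, or None when no rule applies."""
    destination, mode = rewrite(url, rules)
    return destination if mode else None


def handle_request(url, rules):
    """Server mode: the proxy fetches the rewritten URL and the browser never learns of it.
    Client mode: the proxy answers with a redirect and the browser follows it."""
    destination, mode = rewrite(url, rules)
    if mode == "server":
        return {"action": "fetch", "url": destination}
    if mode == "client":
        return {"action": "redirect", "status": 302, "location": destination}
    return {"action": "pass", "url": url}


def change_priority(rules, number, new_number):
    """Move rule `number` to position `new_number` (the grid's Increase/Decrease priority)
    and renumber the rest; returns a new list and leaves the input untouched."""
    ordered = sorted(rules, key=lambda r: r.number)
    moving = next(r for r in ordered if r.number == number)
    ordered.remove(moving)
    ordered.insert(new_number - 1, moving)
    return [replace(r, number=i) for i, r in enumerate(ordered, start=1)]
```

Keep the most specific pattern at the lowest number: as change_priority shows, moving the generic cnn.com/news rule ahead of cnn.com/news/canada makes the generic rule win for Canada URLs, which is exactly the ordering problem the # column and the priority menu exist to control.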
Integrated SSL Scanning
When HTTPS scanning is enabled, the SWG Scanning Server serves as an intermediary, providing SSL authentication by not only encrypting the data but also by determining whether the original HTTPS server and the end-user have the expected authentications. The Scanning Server performs this task by acting both as an HTTPS server replying to the end-user requests, and as an HTTPS client requesting the content from the original HTTPS server on behalf of the end-user. When the end-user requests the server's certificate from the Scanning Server, the Scanning Server retrieves the certificate from the original Web server. The Scanning Server then validates the certificate and, according to the security policy, sends it to the user or blocks it. This transaction includes two sessions, one between the client and the Scanning Server, and another between the Scanning Server and the original Web server.
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Default Values, Policy Server, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, License, Debug Logs, GUI Log Level, HTTPS, Certificate Management, ICAP, Authentication, FTP, WCCP, Cache
HTTPS
The Scanning Server HTTPS screen displays the HTTPS configuration for the specified device. HTTPS Scanning is a license-based feature (i.e., fields are active only if the user has the license) which enables decrypting HTTPS traffic and inspecting it for malicious code. It then re-encrypts the communication and sends it through to the end-user, ensuring clean content. Administrators can also set Bypass, Inspect Content and User Approval policies for encrypted traffic in order to ensure greater control over the content passing through the system. This screen includes the option to Enable HTTPS for Device. When HTTPS is enabled, you can disable HTTP (and vice versa), thus closing the unused ports and tightening up security.
NOTES: When enabling HTTPS, both HTTPS scanning and HTTP tunneling on port 443 are enabled on this device. To disable HTTP Tunneling, select the Block Tunneled Protocols checkbox in the HTTP Service section of the HTTP screen.
This screen contains the following tabs:
• HTTPS Service
• Advanced
• Allowed Server Ports
You can import a root certificate by right-clicking on the HTTPS node. Refer to Import Certificate for more details. To edit the Scanning Server HTTPS screen, click Edit on the right pane.
See also: Integrated SSL Scanning, Certificate Management, ICAP, Authentication, FTP, WCCP, Cache, HTTPS Service, Advanced, Allowed Server Ports
HTTPS Service
The HTTPS Service tab allows you to configure the HTTPS Service settings.
Figure 5-28: HTTPS Service
This table provides information on the HTTPS Service fields.
Field Name | Description
Listening IP | Defines the interface on which HTTPS traffic will be received.
Listening Port | Defines the port that will be listening for incoming HTTPS requests.
See also: HTTPS, Advanced, Allowed Server Ports
Advanced
The HTTPS Advanced tab allows you to configure the protocol settings.
Figure 5-29: HTTPS Advanced
The following table provides information on the fields.
Field Name | Description
Allow SSLv2 | Enables support for the SSLv2 protocol. This option is disabled by default. This protocol is non-secure and should not be used unless there are compatibility problems.
Allow SSLv3 | Enables support for the SSLv3 protocol. This option is enabled by default.
Allow TLSv1 | Enables support for the TLSv1 protocol. This option is enabled by default.
Use Diffie-Hellman | Enables the use of Diffie-Hellman as the key exchange mechanism between the client and the proxy. This is enabled by default.
Allow weak Ciphersuites | Allows the choice of weak (non-secure) cipher suites while performing an SSL handshake between SWG and the HTTPS server. This option is disabled by default.
Allow Certificate Wildcards | Allows support for Certificate Wildcards. The Certificate Wildcard works in conjunction with an existing Certificate Validation rule. This means that wildcard support is relevant only if there is a policy with a Certificate Validation rule.
Enable Session Caching | Enables session caching of HTTPS traffic.
Enable Certificate Caching | Enables caching of HTTPS traffic certificates.
SSL Handshake Timeout | Defines the amount of time (in seconds) after which the SSL Handshake is timed out if not responsive.
Max HTTPS Transactions Backlog | Defines the maximum number of outstanding connection requests to be served by the system. After this number is reached, the system is timed out. The default value is 36.
HTTPS Timeout | Defines (in seconds) the amount of time after which an idle connection is timed out.
NOTE: If the Allow SSLv2 protocol is selected, a message appears stating that this protocol is less secure than the SSLv3/TLSv1 protocols and may compromise your encrypted data. To confirm the selection you must click OK.
See also: HTTPS, HTTPS Service, Allowed Server Ports
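The protocol and cipher options of the Advanced tab map onto TLS settings an engineer can check directly. The following Python is an added example, not part of this guide or of SWG: it expands an OpenSSL cipher string the way a "weak cipher suites disabled" state would, names the suites a reviewer would reject, audits a settings dictionary keyed by the grid's row names, and builds the Python-side equivalent of a hardened listener. The WEAK_MARKERS list, the HARDENED_CIPHERS string and the audit wording are this example's assumptions; SSLv2 and SSLv3 cannot be switched on at all in a current OpenSSL build, so the context below uses TLS 1.2 as its floor (TLS 1.0 and 1.1 are deprecated by RFC 8996).

```python
import ssl

# Cipher families the "Allow weak Ciphersuites" option would admit: export-grade, RC4,
# DES/3DES, MD5-MAC and NULL-encryption suites. The marker list is this example's choice.
WEAK_MARKERS = ("EXP", "RC4", "DES", "MD5", "NULL")

# OpenSSL cipher string for the "weak cipher suites disabled" state: HIGH-strength suites only,
# no anonymous key exchange, no NULL encryption, no MD5 MAC, no RC4, no triple-DES.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def negotiable_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suites this build would actually offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()          # list of dicts with 'name', 'protocol', 'strength_bits', ...


def weak_suites(suites):
    """Names of suites a reviewer would reject: under 128-bit strength or a weak family marker."""
    return [s["name"] for s in suites
            if s["strength_bits"] < 128 or any(m in s["name"] for m in WEAK_MARKERS)]


def audit_https_advanced(settings):
    """Flag risky values of the Advanced tab; keys are the grid's row names, values booleans."""
    findings = []
    if settings.get("Allow SSLv2"):
        findings.append("Allow SSLv2: the guide itself calls SSLv2 non-secure; keep it disabled")
    if settings.get("Allow SSLv3"):
        findings.append("Allow SSLv3: enabled by default, but SSLv3 is broken (POODLE, RFC 7568); "
                        "disable it unless a specific legacy server needs it")
    if settings.get("Allow weak Ciphersuites"):
        findings.append("Allow weak Ciphersuites: export/RC4/DES/MD5 suites become negotiable on the "
                        "SWG-to-server leg, so an inspected connection can be weaker than a direct one")
    return findings


def server_context(allow_weak_ciphersuites=False):
    """Python-side equivalent of the client-facing HTTPS listener under these settings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSLv2/SSLv3 are not available at all here
    ctx.set_ciphers("ALL" if allow_weak_ciphersuites else HARDENED_CIPHERS)
    return ctx
```

Running weak_suites over negotiable_ciphers(HARDENED_CIPHERS) returns an empty list on a stock OpenSSL build, which is the property to verify after changing the cipher configuration of any TLS-intercepting device: not which names are on the list, but that no suite below 128 bits and no suite of a broken family survives.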
Allowed Server Ports
The HTTPS Allowed Server Ports tab allows you to configure the ports allowed for each protocol. For example, the end-user sends the request to the proxy on port 8443, the port on which M86 is "listening" for HTTPS, while the original server listens on port 444.
Figure 5-30: Allowed Server Ports
NOTES: These ports are not relevant if you are working in the Transparent Proxy Mode.
To add/delete a specific port:
1. Click Edit on the right pane.
2. Select Enable HTTPS for Device.
3. In the Enable HTTPS for Device section, click to add a new row.
4. Enter the required port in the From and To range.
5. Repeat as many times as necessary. To delete entries, click on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Next, click to commit them.
See also: HTTPS, HTTPS Service, Advanced
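For both the HTTP and the HTTPS Allowed Server Ports grids (and the FTP one later in this chapter), the check the proxy performs is the same: derive the origin port from the request, then accept it only if it falls inside a configured From/To range for that protocol, unless the device runs in Transparent Proxy Mode, where the ranges are not applied. The following Python is an added example, not part of this guide or of SWG; the AllowedServerPorts class, the lab_policy ranges and the hostnames are constructed, with port 444 taken from the guide's own example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
PROTOCOL_FOR_SCHEME = {"http": "HTTP", "https": "HTTPS", "ftp": "FTP over HTTP"}


def valid_range(port_from, port_to):
    """A From/To row is valid when both ends are TCP ports and From does not exceed To."""
    return 1 <= port_from <= port_to <= 65535


class AllowedServerPorts:
    """Per-protocol From/To ranges, as in the Allowed Server Ports grids (hypothetical class)."""

    def __init__(self, transparent_proxy_mode=False):
        self.ranges = {}                           # protocol -> [(from, to), ...]
        self.transparent = transparent_proxy_mode  # the guide: ports are not relevant in this mode

    def add_range(self, protocol, port_from, port_to):
        if not valid_range(port_from, port_to):
            raise ValueError(f"invalid port range {port_from}-{port_to}")
        self.ranges.setdefault(protocol, []).append((port_from, port_to))

    def allows(self, protocol, port):
        if self.transparent:
            return True
        return any(lo <= port <= hi for lo, hi in self.ranges.get(protocol, []))


def target_of(method, target):
    """(protocol, host, port) the proxy would connect to: CONNECT host:port for an HTTPS
    tunnel, otherwise the absolute URL of an HTTP or FTP-over-HTTP request."""
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return "HTTPS", host, int(port)
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme not in PROTOCOL_FOR_SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    return PROTOCOL_FOR_SCHEME[scheme], parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def decide(policy, method, target):
    """("allow" | "block", protocol, host, port) for one request line."""
    protocol, host, port = target_of(method, target)
    verdict = "allow" if policy.allows(protocol, port) else "block"
    return verdict, protocol, host, port


def lab_policy():
    """Constructed ranges; 444 is the non-standard origin port from the guide's example."""
    policy = AllowedServerPorts()
    policy.add_range("HTTP", 80, 80)
    policy.add_range("HTTP", 8080, 8090)
    policy.add_range("HTTPS", 443, 444)
    policy.add_range("FTP over HTTP", 21, 21)
    return policy
```

The listener port (8443 in the guide's example) is not itself a server port: it is where clients reach the proxy, so a CONNECT to an origin on 8443 is still blocked unless that range is listed. Keeping the HTTPS ranges tight is what stops the CONNECT method from becoming a generic TCP relay to arbitrary ports.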
Certificate Management
During the installation and setup of SWG, a private key is created by the system, followed by the creation of a self-signed certificate. By default, SWG signs the on-the-fly certificates using the self-generated private key, and the end-user sees the self-signed certificate.
NOTES: The HTTPS certificate guarantees the security of the content. The task of verifying the certificate can be broken down into two parts: validating each certificate and ensuring that the chain leads back to a trusted authority. A list of trusted Certificate Authorities is maintained by the system and used for SSL Certificate validation.
The following options are available:
• Import Certificate
• Generate a Certificate
• Export Certificate
See also: Integrated SSL Scanning, HTTPS, ICAP, Authentication, FTP, WCCP, Cache, Import Certificate, Generate a Certificate, Export Certificate
Import Certificate
The SWG system allows you to import a new certificate. Two types of certificates are supported:
• Root CA: This option allows system administrators to import the certificate into the system together with the private key.
• CSR: This option allows you to import a certificate signed by the CA after a CSR was generated by SWG.
This root certificate is uploaded and displayed to users browsing HTTPS sites, and this is done globally for all scanning servers.
To import a certificate:
1. Right-click on HTTPS and select Import Certificate from the drop-down menu.
2. Select the Certificate Type.
3. In the Certificate field, enter a certificate in PEM or DER format.
NOTES: Skip steps 4 and 5 and go to step 6 if you selected CSR as the Certificate Type.
4. In the Private Key field, enter the private key in PEM or DER format (Browse to select).
5. In the Private Key Password field, enter the password.
6. Click OK. If the root certificate has been imported successfully, a message is displayed at the bottom of the screen.
Figure 5-31: Import Certificate
See also: Certificate Management, Import Certificate, Generate a Certificate, Export Certificate
Generate a Certificate
Large organizations, which employ their own CA that is already trusted by end-users, can generate a Certificate Signing Request (CSR). After the generation of the CSR, the system administrator can export the request (which is signed by SWG’s private key) and send it to the Certificate Authority. The CA will then generate a certificate, which will be imported into SWG. This procedure makes the process of exporting the certificate to end-users unnecessary.
To generate a certificate:
1. Right-click on HTTPS and select Generate Certificate from the drop-down menu.
2. Select the Type.
3. Select the Country Name.
4. In the State or Province field, enter the State or Province.
5. In the Locality or City field, enter the locality or the name of the city.
6. In the Organization field, enter the name of the organization generating the certificate.
7. In the Organization Unit field, enter the name of the relevant unit in the organization that is generating the certificate.
8. In the Common Name field, enter the Fully Qualified Domain Name (FQDN) for which you are requesting the SSL certificate. For example, www.M86.com.
9. Click OK. If the root certificate has been generated successfully, a message is displayed at the bottom of the screen.
Figure 5-32: Allowed Server Ports
See also: Certificate Management, Import Certificate, Export Certificate
Export Certificate
System administrators can export the SSL certificate from the system to install it later on end-user machines as a trusted CA. Installing SWG certificates on end-user machines prevents security validation error messages from being shown to end-users.
To export a certificate:
1. Right-click on HTTPS and select Export Certificate from the drop-down menu. The File Download - Security Warning screen appears.
2. Click Save.
Figure 5-33: Certificate Export
See also: Certificate Management, Import Certificate, Generate a Certificate
ICAP
This section covers the ICAP server settings required to enable communication between a third-party ICAP client and the respective M86 ICAP server service/device. These settings must be configured before the ICAP client services, in order to enable automatic ICAP client setup (BlueCoat: Sense Settings function). Detailed information can be found in the Setup and Configuration Guide.
The Scanning Server ICAP screen displays the ICAP configuration for the specified device. This screen contains the following:
• ICAP Service
• ICAP Clients
• Options
• Advanced
• Headers
This screen includes the option to Enable ICAP for Device. When ICAP is enabled, you can disable HTTP (and vice versa), thus closing the unused ports and tightening up security.
NOTES: If there is no direct Internet access, then in order to perform prefetching of Java classes for Applet scanning, ALL Scanning Servers must have the next proxy configured. If you are using ICAP, ensure that the SWG Appliance Scanning Server appears on the Access List.
To edit the Scanning Server ICAP screen, click Edit on the right pane.
See also: Integrated SSL Scanning, HTTPS, Certificate Management, Authentication, FTP, WCCP, Cache, ICAP Service, ICAP Clients, Options, Advanced, Headers
ICAP Service
The ICAP Service tab displays various ICAP Service settings.
Figure 5-34: ICAP
The following table provides information on the fields:
Field Name | Description
Listening IP | Defines the listening IP for the ICAP protocol handler.
Listening Port | Defines the binding port. (Default is 1344)
See also: ICAP, ICAP Clients, Options, Advanced, Headers
ICAP Clients
Figure 5-35: ICAP Clients
The following table provides information on the fields:
Field Name | Description
Type | Defines the ICAP client.
Source IP | Defines the IP address of the ICAP client.
Weight | Defines the percentage of resources for this client. (Note: this field does not support a zero value.)
To add/delete a new ICAP client:
1. Click Edit on the right pane.
2. Select Enable ICAP for Device.
3. Click to add a new row.
4. Choose the Type from the drop-down list.
5. Enter the Source IP address of the new client and add the weight. Note that the weight is a percentage. If there is only one ICAP client, enter 100 in the weight field.
6. Repeat as many times as necessary. To delete entries, click on the same row as the entry and select Delete Row.
7. Click Save to apply changes. Next, click to commit them.
The following resources are applicable:
• For request mode: icap://servername:port/Finjan_REQMOD (for example: icap://192.168.120.150:1344/Finjan_REQMOD)
• For response mode: icap://servername:port/Finjan_RESPMOD (for example: icap://192.168.120.150:1344/Finjan_RESPMOD)
For more information please refer to the Setup and Configuration Guide.
See also: ICAP, ICAP Service, Options, Advanced, Headers
Options
The Options tab controls the response to a special Options request that an ICAP client periodically sends to an ICAP server.
Figure 5-36: ICAP Options
The following table provides information on the fields:
Field Name | Description | Default
Preview Size (Bytes) | Defines the requested preview size in bytes of the content to be scanned. | 4096
Options Time to Live (Seconds) | Defines the time in seconds that the Options response is valid. After this time period the ICAP client is expected to send the OPTIONS request again. | 3600
X-Client-IP | The ICAP client is expected to send the client IP address in each ICAP request. | N/A
X-Server-IP | The ICAP client is expected to send the web server IP address in each ICAP request. | N/A
X-Authenticated-User | The ICAP client is expected to send the authenticated user credentials in each ICAP request. | N/A
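The exchange behind the Options tab, as an added example that is not part of this guide or of SWG's ICAP implementation: the client's OPTIONS request, a server answer built from the tab's defaults (Preview 4096, Options-TTL 3600), the client caching that answer until the TTL elapses, and a RESPMOD request that carries the three X-* headers and honours the preview size as RFC 3507 describes. The service URI and port are the guide's own; the ISTag, the IP addresses, the user name and the X-Include header (the mechanism some ICAP clients' Sense Settings use to learn which X-* headers to send) are this example's assumptions.

```python
SERVICE_URI = "icap://192.168.120.150:1344/Finjan_RESPMOD"   # response-mode resource from the ICAP Clients section


def parse_icap(raw):
    """Split an ICAP message into (start line, headers keyed by lower-case name, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def icap_host(service_uri):
    """host:port part of an icap:// URI, used for the Host header."""
    return service_uri.split("//", 1)[1].split("/", 1)[0]


def build_options_request(service_uri):
    """The periodic OPTIONS request an ICAP client sends for a service."""
    return (f"OPTIONS {service_uri} ICAP/1.0\r\n"
            f"Host: {icap_host(service_uri)}\r\n"
            "User-Agent: lab-icap-client/1.0\r\n\r\n").encode()


def build_options_response(preview=4096, options_ttl=3600):
    """Server side: the Options tab values plus the headers RFC 3507 requires in an OPTIONS
    response. The ISTag is a constructed value; X-Include is an assumed convention."""
    return ("ICAP/1.0 200 OK\r\n"
            "Methods: RESPMOD\r\n"
            'ISTag: "lab-istag-0001"\r\n'
            f"Options-TTL: {options_ttl}\r\n"
            f"Preview: {preview}\r\n"
            "Allow: 204\r\n"
            "X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode()


class ServiceOptions:
    """Client-side view of the OPTIONS answer, re-requested once Options-TTL has elapsed."""

    def __init__(self, response, now):
        _, h, _ = parse_icap(response)
        self.preview = int(h.get("preview", 0))        # 0: the server offered no preview
        self.ttl = int(h.get("options-ttl", 0))
        self.istag = h.get("istag")
        self.include = [x.strip() for x in h.get("x-include", "").split(",") if x.strip()]
        self.expires = now + self.ttl

    def valid(self, now):
        return now < self.expires


def chunk(data):
    """One HTTP chunk (hex length, CRLF, data, CRLF); nothing for empty data."""
    return f"{len(data):x}\r\n".encode() + data + b"\r\n" if data else b""


def build_respmod_request(service_uri, options, http_res_hdr, body, client_ip, server_ip, user):
    """RESPMOD carrying the three X-* headers from the Options tab. With a preview negotiated the
    client first sends at most options.preview body bytes: "0; ieof" tells the server the preview
    already held the whole body, a plain "0" chunk means the rest follows after 100 Continue."""
    if options.preview > 0:
        preview_len = min(len(body), options.preview)
        preview_header = f"Preview: {preview_len}\r\n"
        payload = chunk(body[:preview_len])
        payload += b"0; ieof\r\n\r\n" if preview_len == len(body) else b"0\r\n\r\n"
    else:
        preview_header = ""
        payload = chunk(body) + b"0\r\n\r\n"
    head = (f"RESPMOD {service_uri} ICAP/1.0\r\n"
            f"Host: {icap_host(service_uri)}\r\n"
            f"X-Client-IP: {client_ip}\r\n"
            f"X-Server-IP: {server_ip}\r\n"
            f"X-Authenticated-User: {user}\r\n"
            f"{preview_header}"
            f"Encapsulated: res-hdr=0, res-body={len(http_res_hdr)}\r\n\r\n").encode()
    return head + http_res_hdr + payload
```

The Preview Size on the tab is a promise the server makes about how much of each object it needs before it can usually decide; a client that ignores it and streams whole objects still works, but loses the 204 fast path. X-Authenticated-User is what ties the ICAP transaction to the user policy, so the ICAP client must be trusted to set it truthfully, which is why the guide's Access List restricts which clients may talk to the service.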
See also: ICAP, ICAP Service, ICAP Clients, Advanced, Headers
Advanced
The Advanced tab allows you to define various connections.
Figure 5-37: Advanced
The following table provides information on the fields:
Field Name | Description | Default
Maximum TCP/IP Connections Backlog | Defines the maximum TCP/IP connections backlog. | 256
Enable Trickling | By enabling trickling, you allow small chunks of data to be sent periodically to the user in order to prevent timeouts. Trickling refers only to the Status Page and is only available from NetApp. | N/A
See also: ICAP, ICAP Service, ICAP Clients, Options, Headers
Headers
The Headers tab allows you to manipulate Request or Response Headers in the HTTP transaction. Use the Edit buttons followed by Save/Cancel to make settings changes.
Figure 5-38: Headers
The following table describes the actions available in more detail:
Action | Description
Add Header | Adds the header to the HTTP Request.
Remove Header | Removes the header from the HTTP Request.
Copy Value to New Header | Creates a new header with the information from the Value/Source Header contained within.
To add a Header:
1. Click Edit on the right pane.
2. Select Enable ICAP for Device.
3. In the ICAP Request/Response Headers sections, click to add a new row.
4. Enter the required Header Name, corresponding Value/Source Header, and Action.
5. Repeat as many times as necessary. To delete entries, click on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Next, click to commit them.
See also: ICAP, ICAP Service, ICAP Clients, Options, Advanced
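Both the HTTP Headers tab earlier in this chapter and this ICAP Headers tab apply the same three actions, in grid order, to a header block. The following Python is an added example, not part of this guide or of SWG; the sample header blocks, the rule rows and the header names are constructed, and only the three Action strings are the guide's.

```python
# Constructed sample traffic: a request header block as the proxy sees it, and the response
# header block from the origin (start lines omitted; the grids act on headers only).
REQUEST_HEADERS = (b"Host: www.example.com\r\n"
                   b"User-Agent: lab-browser/1.0\r\n"
                   b"X-Debug-Token: 1234\r\n"
                   b"Accept: */*\r\n\r\n")
RESPONSE_HEADERS = (b"Server: lab-httpd/2.4\r\n"
                    b"Content-Type: text/html\r\n\r\n")

# Grid rows as (Header Name, Value/Source Header, Action). The Action strings are the guide's
# drop-down options; header names and values are constructed for this example.
REQUEST_RULES = [
    ("X-Debug-Token", "", "Remove Header"),                    # internal header must not leave the network
    ("X-Original-Host", "Host", "Copy Value to New Header"),   # Value/Source Header names the source
    ("X-Scanned-By", "swg-lab", "Add Header"),
]
RESPONSE_RULES = [
    ("Server", "", "Remove Header"),                           # do not advertise the origin's software
    ("X-Content-Type-Options", "nosniff", "Add Header"),
]


def parse_headers(raw):
    """Parse a CRLF-separated header block (bytes) into an ordered list of (name, value)."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def serialize_headers(headers):
    """Wire form of a header list, terminated by the empty line."""
    return "".join(f"{n}: {v}\r\n" for n, v in headers).encode("latin-1") + b"\r\n"


def apply_header_rules(headers, rules):
    """Apply the grid rows in order; header names compare case-insensitively. Remove Header
    drops every header of that name; Copy Value to New Header creates nothing when the
    source header is absent; an unknown action is a configuration error."""
    result = list(headers)
    for name, value_or_source, action in rules:
        if action == "Add Header":
            result.append((name, value_or_source))
        elif action == "Remove Header":
            result = [(n, v) for n, v in result if n.lower() != name.lower()]
        elif action == "Copy Value to New Header":
            values = [v for n, v in result if n.lower() == value_or_source.lower()]
            if values:
                result.append((name, values[0]))
        else:
            raise ValueError(f"unknown action: {action!r}")
    return result
```

Rules run top to bottom, so a Copy Value to New Header row placed after a Remove Header row for the same source copies nothing; order the grid accordingly.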
Authentication
The Scanning Server Authentication screen displays the Authentication configuration for the specified device. This screen contains the following tabs:
• Configuration
• Advanced
• Domain
To edit the Scanning Server Authentication screen, click Edit on the right pane.
See also: Integrated SSL Scanning, HTTPS, Certificate Management, ICAP, FTP, WCCP, Cache, Configuration, Advanced, Domain
Configuration
The Configuration tab enables configuration of the required authentication settings. The Authentication Retention Methods section allows authenticated user credentials to be cached so as to reduce the number of authentication sessions.
Figure 5-39: Authentication Configuration
The following table provides information on the fields:
Field Name | Description
Identification Policy | Identification Policies define whether and how the end-user will be identified or authenticated by the system. Proper identification allows the system to enforce the proper Security Policy for the end-user. M86 provides several predefined Identification Policies: Source IP Only (identifies the user by source IP); Read Headers (identifies the user by HTTP header); Get User Credentials (requests the user to send credentials); Authentication (performs real user authentication against a password server).
Identification Logging Policy | Identification Logging Policies log the transactions carried out by the Identification Policies. M86 provides predefined Device Logging Policies.
Authentication Retention Methods
No Retention | If selected, the authentication data is not kept and authentication is requested for each call (i.e. there is repeated authentication and no caching of requests).
IP caching | If selected, each request from a cached IP uses the same authentication data. The authentication data is kept for the specified timeout (1-600 seconds range).
Cookie | If selected, the browser's cookie mechanism is used for identifying different HTTP requests. In general the Cookie is sent unencrypted inside the HTTP protocol. If required, it is possible to tighten the security by encrypting the cookie. To do this, select the Use Encryption checkbox. If selected, an encryption key is auto-generated and used by all scanning servers. Select the Persistent checkbox to store the cookie until the defined Timeout expires.
NOTES: By default, the Authentication Retention Method is set to Cookie when the system is installed from a CD. If Transparent Proxy Mode is selected, the Cookie retention method is the only valid and possible configuration.
To set up a device to perform user authentication:
1. Click Edit on the right pane.
2. Select the Identification Policy that the device should enforce from the drop-down list.
3. Select the Identification Logging Policy that the device should enforce from the drop-down list.
4. Click Save to apply changes. Next, click to commit them.
See also: Authentication, Advanced, Domain
Advanced
The Advanced tab enables advanced configuration of the required authentication settings.
Figure 5-40: Authentication Advanced
The following table provides information on the fields:
Field Name | Description
Enable Challenge Token Reuse (NTLM Settings)
Enable Challenge Token reuse | A client authenticating with a proxy is provided with a Challenge Token, which is a random token that must be generated each time the NTLM protocol is performed. Select this option to enable the NTLM Settings. Enabling the NTLM Settings option decreases the system security level.
Random Challenge Token reuse number | To save authentication time and proxy resources, the same token can be reused several times before a new random token is generated. This section defines the number of times a Challenge Token can be reused (large values weaken the security level).
Challenge Token Lifetime (in seconds) | Challenge Token lifetime cannot exceed the configured limit.
Active Directory Connection to Authentication Servers
Connection Timeout | This is the timeout in seconds for connecting to an Authentication Server.
Try Reconnect After | When the server is not accessible it is marked as dead and can be checked again for revival according to the defined time (in seconds).
Transparent Authentication
Virtual Redirection Hostname | The end user is redirected to the host using a configured port. Once redirection to the host takes place, SWG 'knows' to authenticate the user. It is mandatory that the host name be resolvable (configured in the local DNS). It is recommended to use only the host name and not a FQDN in order to prevent a user and password popup window.
Virtual Redirection Port | Configured port used to redirect the host.
Replace Domain With | When user identification is in use and the user does not send a real domain name but rather a computer name, the identification will fail, since the user will not match any users imported from the LDAP Directory. When the Replace Domain With field is configured, SWG searches for the user by first looking up the credentials sent by the user in the imported users list; if no match is found, SWG replaces the value of the domain sent by the user with the value configured in this field and searches for the user again.
Forward Upstream Proxy Authentication | Enabling this option allows for a non-standard situation where an upstream proxy can authenticate users through SWG. This means that SWG will not perform authentication but will forward proxy authentication from the downstream client. In this case, all SWG authentication mechanisms must be disabled.
To set the NTLM Settings:
1. Click Edit on the right pane.
2. Select Enable Challenge Token Reuse.
3. Define the number of times a Challenge Token can be reused (large values weaken the security level).
4. Define a lifetime in seconds for the Challenge Token.
5. Click Apply to save the changes. Next, click to commit them.
See also: Authentication, Configuration, Domain
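The IP caching retention method on the Configuration tab and the NTLM challenge token reuse settings on this tab are both trade-offs of re-authentication cost against exposure: a cached identity is trusted for every request from that IP until the timeout, and a reused challenge lets several handshakes share one random value. The following Python is an added example, not part of this guide or of SWG; the class names, the reuse counting, the reuse_exposure metric and the sample values are this example's assumptions, while the 8-byte challenge is NTLM's server challenge size and 1-600 seconds is the timeout range the guide gives.

```python
import os

VALID_TIMEOUTS = range(1, 601)   # IP caching timeout range the guide allows (1-600 seconds)


class IPAuthCache:
    """IP caching retention: after one successful authentication, every request from that
    source IP reuses the cached identity until the timeout expires and is then re-challenged."""

    def __init__(self, timeout):
        if timeout not in VALID_TIMEOUTS:
            raise ValueError("timeout must be 1-600 seconds")
        self.timeout = timeout
        self._entries = {}   # ip -> (user, expires_at)

    def remember(self, ip, user, now):
        self._entries[ip] = (user, now + self.timeout)

    def lookup(self, ip, now):
        """The cached user for ip, or None (and eviction) once the entry has timed out."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._entries[ip]
            return None
        return user


class ChallengeTokens:
    """NTLM challenge issuance. Reuse disabled: every handshake gets a fresh random 8-byte
    challenge, as NTLM expects. Reuse enabled: the same challenge is handed out again up to
    max_reuse more times or until lifetime seconds have passed, whichever comes first."""

    def __init__(self, reuse_enabled=False, max_reuse=0, lifetime=30):
        self.reuse_enabled = reuse_enabled
        self.max_reuse = max_reuse
        self.lifetime = lifetime
        self._token = None
        self._issued_at = 0
        self._uses = 0

    def challenge(self, now):
        exhausted = (self._token is None or not self.reuse_enabled
                     or self._uses > self.max_reuse
                     or now - self._issued_at >= self.lifetime)
        if exhausted:
            self._token = os.urandom(8)   # NTLM server challenge: 8 random bytes
            self._issued_at = now
            self._uses = 0
        self._uses += 1
        return self._token


def reuse_exposure(tokens, handshakes, now=0):
    """How many handshakes share the most-reused challenge, one handshake per second.
    1 means every response was computed against its own challenge; larger values are the
    'weaker security level' the guide warns about, because observed responses to a shared
    challenge stay valid for as long as that challenge is handed out."""
    counts = {}
    for i in range(handshakes):
        t = tokens.challenge(now + i)
        counts[t] = counts.get(t, 0) + 1
    return max(counts.values())
```

When tuning these settings, measure the real saving first: the cost being avoided is one round trip to the authentication server per handshake, and a short lifetime caps the exposure window far more effectively than a small reuse number does on a busy proxy.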
Domain
The following table provides information on the fields:
Field Name | Description
Use all Active Authentication Servers | This enables the user to disable all the Authentication Servers at once. When unchecked, the Scanner will cease to send authentication requests to the Authentication Servers.
Default Domain | Enter the Default Domain used when SWG tries to get user credentials. This section appears for backwards compatibility.
Figure 5-41: Authentication Domain
See also: Authentication, Configuration, Advanced
FTP
The Scanning Server FTP screen displays the FTP definition for the specified device. The FTP area allows you to configure your organization's FTP settings. The FTP screen contains the following tabs:
• FTP Service
• Upstream Proxy
• Allowed Server Ports
To edit the Scanning Server FTP screen, click Edit on the right pane. Select Enable FTP for Device to enable using the FTP protocol in conjunction with the SWG appliance.
See also: Integrated SSL Scanning, HTTPS, Certificate Management, ICAP, Authentication, WCCP, Cache, FTP Service, Upstream Proxy, Allowed Server Ports
FTP Service
The following table describes the FTP Service fields:
Field Name | Description
Listening IP | Defines the IP address used by the FTP proxy. If this field is left empty and the machine has multiple IP addresses, the FTP proxy listens on all IP addresses (interfaces).
Listening Port | Defines the ports used by the FTP proxy.
Figure 5-42: Scanning Server FTP Service Screen
See also: FTP, Upstream Proxy, Allowed Server Ports
Upstream Proxy
The following table explains the Upstream Proxy fields:
Field Name | Description
Enable Next Proxy | If SWG is in a proxy chain, check the Enable Next Proxy box. This refers to an upstream proxy.
Next Proxy IP Address | Defines the IP address used by the next proxy.
Next Proxy Port | Defines the port used by the next proxy.
Figure 5-43: Scanning Server FTP Upstream Proxy
See also: FTP, FTP Service, Allowed Server Ports
Allowed Server Ports
The Allowed Server Ports tab is used to define the ports used by the FTP Protocol.
Figure 5-44: Scanning Server Allowed Server Ports Screen
NOTES: These ports are not relevant if you are working in the Transparent Proxy Mode.
To add/delete a specific port:
1. Click Edit on the right pane.
2. Select Enable FTP for Device.
3. Click to add a new row.
4. Enter the required ports in the From and To range.
5. Repeat as many times as necessary. To delete entries, click on the same row as the entry and select Delete Row.
6. Click Save to apply changes. Next, click to commit them.
See also: FTP, FTP Service, Upstream Proxy
WCCP
The Web Cache Communication Protocol (WCCP) is a protocol which enables WCCP-enabled routers (and switches) to redirect traffic to other WCCP-enabled servers, without the need for users to configure their browsers or any other proxy settings. When you send a request, this request is sent to the original server and the WCCP router (or switch) redirects the request to the Scanning Server, which then inspects the request. The Scanning Server then generates a new request and sends it to the original server. The reply is sent back to the end-user after it has been scanned by the Scanning Server.
The WCCP protocol limits the number of ports per service to 8. If more than 8 ports are configured, a warning will be issued, and an arbitrary 8-port subset of these ports will be serviced by WCCP.
NOTES: Transparent proxy must be enabled for WCCP to work.
Figure 5-45: Scanning Server WCCP Screen
To edit the WCCP screen, click Edit on the right pane. Select Enable WCCP V2 to enable using the WCCP Version 2 protocol in conjunction with the SWG appliance.
The following table describes the WCCP Configuration fields:
Field Name | Description
Forwarding Method | This is used to determine the communication protocol between the WCCP-enabled router and the Scanning Server, namely Layer2 or GRE (Generic Routing Encapsulation). When the Scanning Server is connected to a switch, the return method must be Layer2. For a router, the return method must be GRE. If Layer2 is selected, the Scanning Servers and the WCCP-enabled router must be on the same network.
Assignment Method | Hash or Mask Assignment. When Hash is in use, the WCCP-enabled router performs a hash function on the IP address. The routers hold a hash table, which maps the result of the hash function to one of the Scanning Servers. Mask Assignment, if supported by the WCCP-enabled router, performs a bitwise logical AND operation between each mask value and the content of the packet. The WCCP-enabled router compares a list of values for each mask.
Password | This is an optional authentication password.
Routers | This defines the IP address of the router. Click and select Add Row to add an IP address for cases where there is more than one router.
Service IDs | Router service number describing a well-known service: HTTP, HTTPS and FTP.
See also: Integrated SSL Scanning, HTTPS, Certificate Management, ICAP, Authentication, FTP, Cache
Cache
Using an HTTP caching element in the system ensures that content delivery to end-users is accelerated. When content is delivered from a local cache after download, there is no need to reload identical content for each user's subsequent request, therefore reducing the end-user’s response time. Furthermore, it also reduces the bandwidth used to download multiple copies of the same object. Freeing bandwidth allows the applications of your organization to run more efficiently.
For further information on: | See:
To set Secured Caching on a global basis | Setting the Caching Policy
Configuring caching policies | Caching Policy
To flush the cache | Flushing the Cache
NOTES: Due to privacy issues, HTTPS content is not cached. This avoids situations where the secured content of one user is displayed to another user.
See also: Integrated SSL Scanning, HTTPS, Certificate Management, ICAP, Authentication, FTP, WCCP, Setting the Caching Policy, Flushing the Cache
Setting the Caching Policy
The Caching policy is a global policy that applies to all users who browse using the system. By default, when caching is enabled, all content is cached. You can manually define which caching policy will be implemented. For further information regarding cache policies and their configuration, please refer to Caching Policy. Although multiple Caching Policies can be configured, only a single policy can be activated at any one time, and this policy will be global to all users who are browsing using SWG. If there is a need to allow (or disallow) certain users to access particular Websites or to download certain file types, it will be enforced by the Security Policies.
To set Secured Caching on a global basis, navigate in the Management Console to Administration > System Settings > M86 Devices. In the M86 Devices pane, open Device Default Values on the Devices tree. Open Device Settings and click Cache. The following parameters can be configured by the system administrator in the Cache screen, once caching is enabled:
Enable caching: Check to enable a global caching policy.
Caching Policy: The global caching policy affects all users who are browsing using the SWG system. By default, when the system license includes caching, caching is enabled and SWG caches all cacheable HTTP content.
Maximum Object Size: HTTP caching is performed for HTTP objects, such as images, scripts, static HTML pages, and so on. The system administrator can set the maximum size of a single object that SWG caches.
To configure the cache:
1. In the Cache screen, click Edit.
2. Enable the Enable Caching checkbox. When checked, the rule is enabled. When unchecked, the rule is disabled.
NOTES: In order to enable caching, the system license must include the caching module.
3. Select the desired policy from the options available in the Caching Policy drop-down menu. This list is based on the caching policies set by the administrator. Please refer to Caching Policy Details for more information. The M86 Recommended Caching Policy serves as the default policy.
4. Insert an appropriate value in the Maximum Object Size box. This indicates the maximum size of a single object.
5. Click Save to apply changes. Next, click to commit them.
Figure 5-46: Secured Caching Configuration
See also: Cache, Flushing the Cache
Flushing the Cache
Cache Flushing allows system administrators to delete all content from the cache. This operation should not be part of the day-to-day maintenance, as this operation terminates all existing connections. Flushing the cache can be done:
• Via the Limited Shell using the following command: flush_webcache. For further details see: “limited shell”.
• Via the Management Console.
• By right-clicking Cache and selecting Flush Cache from the menu.
To flush the cache:
1. Navigate in the Management Console to Administration > System Settings > M86 Devices. In the M86 Devices pane, open Device Default Values on the Devices tree. Open Device Settings and right-click Cache.
2. Click Flush Cache. A warning message appears: Flushing the cache will terminate all existing connections.
Figure 5-47: Cache Flush Warning Message
3. Click OK to continue.
See also: Cache, Setting the Caching Policy
For more information on WCCP, please refer to the WCCP Technical Brief.
Default Values
These contain default settings for Device Modules and other settings.
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Policy Server, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, License, Debug Logs, GUI Log Level, Device General Settings, Access List, Device Settings
Device General Settings
The following settings are for Access List.
See also: Default Values, Access List, Device Settings
Access List
The Access List default settings are listed here. You can choose to apply the default settings displayed here to all the Access Lists.
See also: Default Values, Device General Settings, Device Settings
Device Settings
The Default Scanning Server Values node contains the device modules supported by SWG with their default settings. These screens look exactly the same as the screens displayed for each device in the Devices tree.
NOTES: When creating a new device under Administration > System Settings > Devices, the default settings shown here are automatically applied to the new device. The unique settings for the device can then be edited as required in the Devices tree.
You can choose to reset the values for a specific device or all modules to the default values shown under Default Values as follows:
To reset all Devices and their modules with default values:
1. Right-click on the Default Scanning Server Values main folder and select Reset all with default values.
2. Click OK on the confirmation message that appears. The devices, together with all their modules, are now reset with the default values listed here as the Default Values.
To reset specific Device modules with default values:
1. Right-click on the Scanning Server module, for example, HTTP, and select Reset all HTTP Devices with Default Values.
2. Click OK on the confirmation message that appears. The specific module is now reset with the default values listed in the Device Default Values for the Scanning Server.
See also: Default Values, Device General Settings, Access List
Policy Server
The Policy Server includes the following modules:
• VSOS Updates
• High Availability
• RADIUS Authentication
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, License, Debug Logs, GUI Log Level, VSOS Updates, High Availability, RADIUS Authentication
VSOS Updates
You can choose to update selected scanning servers with the latest Operating System update instead of sending the update to all the scanning servers at the same time. The option to update selected scanning servers ensures greater stability of the system and allows you greater control over the individual scanning servers in your configuration. Having the means to select specific scanning servers is also useful when updating a Policy Server with a new VSOS in a High Availability configuration. In this scenario, some scanning servers can be left untouched, so that if the Update fails, the Policy Server will still be able to control the selected Scanning Servers. All scanning servers will continue to function normally and logs will be retrieved from all of them; however they will not receive security updates or configuration changes.
NOTES: Policy Servers are only able to configure and send security updates to Scanning Servers that have the same VSOS. Any Scanning Server whose VSOS update differs from that of the Active Policy Server will have its corresponding icon displayed in yellow.
Figure 5-48: VSOS Updates
To edit the VSOS Updates screen, click Edit.
• Select Update selected Scanning Servers and check the Scanning Servers in your configuration that should be updated. Alternatively, choose Select All to update all the Scanning Servers.
NOTES: Scanning Server VSOS Updates does not apply to Maintenance or Hot Fix releases.
See also: Policy Server, High Availability, RADIUS Authentication
High Availability
SWG supports both an Active Policy Server and a Standby Policy Server for cases of malfunction. Having a standby Policy Server means that there is no single point of failure, which in turn protects against both hardware and software failures. You can switch from the Active Policy Server to the Standby Policy Server, guaranteeing continuous operation of the system. Before using this feature, another appliance needs to be configured as a Policy Server with the same VSOS as the Active Policy Server. Both appliances must be configured as Policy Servers, and not as an All in One.
The High Availability screen contains the following tabs:
• Configuration
• Synchronization
Figure 5-49: High Availability
To edit the High Availability screen, click Edit on the right pane. Select Enable High Availability Policy Server to enable the High Availability Policy Server feature.
See also: Policy Server, VSOS Updates, RADIUS Authentication, Configuration, Synchronization
Configuration
In this tab you can define the Standby Policy Server IP which will be switched over to if required. You can only switch over once there has been an initial synchronization which is reflected in the Last Switch Time field. Both active and standby Policy Servers have to have the same VSOS update installed. If this is not the case, an error message will appear on the screen.
NOTES: If, for any reason, the Active Policy Server fails, it is possible to change the Standby Policy Server to become an Active Policy Server through the Limited Shell. This procedure is detailed in the Setup and Configuration Guide. The VSOS Update checkbox is used to ensure that the latest Version Software is sent automatically from the active Policy Server to the Standby Policy Server after an update.
To define the Standby Policy Server and switch Policy Servers:
1. Click Edit on the right pane.
2. Enable the High Availability Policy Server and define the Standby Policy Server IP.
3. Click Save.
4. Right-click the High Availability node in the tree on the left pane and select Switch Now from the drop-down menu.
5. You will be automatically redirected to the other Policy Server, which is now working in Active mode.
See also: High Availability, Synchronization
Synchronization
Select the Scheduled Synchronization checkbox to synchronize the configuration changes with the Standby Policy Server at a predefined time. That is, any change to Policy Server settings which involve pressing Save and Commit Changes. This also includes Security updates. Select scheduled synchronization to run either daily (hh:mm) or hourly and enter the required values.
Figure 5-50: High Availability - Synchronization
You can also choose to manually synchronize information between the Policy Servers at any time. This information includes the latest VSOS (Software Version) if it has been selected in the VSOS Update field in the High Availability Configuration tab. The Last Synchronization Time refers to the last time any synchronization was made, whether automatic or manual.
NOTES: Please refer to the High Availability Policy Server Feature Description for a detailed explanation of this feature.
To manually synchronize Policy Servers:
1. Right-click the High Availability node in the tree on the left pane and select Synchronize Now from the drop-down menu.
2. Click OK to confirm, or Cancel.
See also: High Availability, Configuration
RADIUS Authentication
The M86 Secure Gateway system allows multiple administrators to manage the system at once. In addition to manually adding administrators to the system, you can also connect to a RADIUS server, which authenticates using an external Users database. Connecting to the RADIUS server simplifies the process of granting access to new administrators, by using already-defined users instead of defining new M86 administrators.
NOTES: To prevent your browser from freezing (specifically in IE6), it is recommended to reduce the number of seconds set in the Retry Interval field on your RADIUS server.
In this screen, you can configure the Authentication Method and edit the server user information, including the time frame for retrying authentication. The RADIUS Authentication screen includes the following fields:
Authentication Method: Means by which a user's identity is verified, such as username and password.
Primary Authentication Host: Primary server name or IP address.
Secondary Authentication Host: Secondary server name or IP address.
Port: Defines the communication port between client and server.
Shared Secret: A password that defines a shared string between client and server.
Retry Limit: Maximum number of attempts to authenticate.
Retry Interval: Defines the interval, in seconds, between attempts.
To connect to the RADIUS server:
1. In the Management Console, navigate to Administration > System Settings > M86 Devices.
2. Expand the Policy Server node and click RADIUS Authentication.
3. In the RADIUS Authentication window, click Edit.
4. Enable the Active checkbox.
Figure 5-51: Configure RADIUS Authentication
5. According to your RADIUS server configuration, select the Authentication Method from the drop-down menu.
6. In the Primary and Secondary Authentication Host fields, enter the host name, which is the server name or IP.
7. In the Port field, enter the RADIUS authentication port. This is the port on which the servers will communicate.
8. In the Shared Secret field, enter a password to define a shared string to authenticate the client and the server.
NOTES: Fields highlighted in yellow are mandatory and cannot be left empty.
9. Select a number from the Retry Limit drop-down menu. For example, a retry limit of 6 attempts.
10. Select a number from the Retry Interval drop-down menu to define the interval, in seconds, between each attempt.
11. Select an option from the Database Password Encoding drop-down menu. (The option chosen here defines the encoding method used for both the RADIUS server and the M86 device.)
12. Select the action to take in the event that the RADIUS server does not respond by clicking the appropriate radio button. For example, Block Administrator Access.
13. Click Save. Otherwise, click Cancel.
NOTES: To ensure that the process runs efficiently, it is highly recommended to use NTP synchronization. For more information refer to Limited Shell in the Setup and Configuration Guide.
See also: Policy Server, VSOS Updates, High Availability, Permissions
Permissions
Administrators are manually defined and assigned to specific groups using the management console. When the administrator logs in, credentials are validated by RADIUS. The administrator will receive the permissions associated with their assigned group. New, undefined administrators will receive the policy assigned to the RADIUS Default Group. After their first login, an existing administrator can move the new administrator to another group. The new administrator will then inherit the policy that is assigned to the other group. If the user is authenticated but the RADIUS server has no parameter containing the administration group ID, the user will automatically be assigned to a limited permission group, the RADIUS Default Group.
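The login flow described above (primary and secondary host, Retry Limit and Retry Interval, the action when no server responds, and the fall-back to the RADIUS Default Group when the reply carries no group parameter), as an added Python example; it is not code from the guide or from the SWG product. The RADIUS wire exchange is replaced by an injected transport callable so the logic runs offline, and the attribute name M86-Admin-Group, the host names and the group names are constructed assumptions of the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

RADIUS_DEFAULT_GROUP = "RADIUS Default Group"
# The guide says the group ID arrives as a RADIUS parameter but does not name it;
# this attribute name is an assumption of the example.
GROUP_ATTRIBUTE = "M86-Admin-Group"


@dataclass
class RadiusSettings:
    """The fields of the RADIUS Authentication screen (constructed values)."""
    primary_host: str
    secondary_host: Optional[str] = None
    port: int = 1812
    shared_secret: str = "constructed-shared-secret"
    retry_limit: int = 3        # Retry Limit
    retry_interval: int = 2     # Retry Interval, in seconds
    # Action when no RADIUS server responds; the guide's example is Block Administrator Access.
    no_response_action: str = "Block Administrator Access"


@dataclass
class AdminGroups:
    """Permission groups defined in the Management Console (the default group
    must be present) plus the manual moves an existing administrator makes
    after a new administrator's first login."""
    groups: Dict[str, Dict[str, str]]
    moved_to: Dict[str, str] = field(default_factory=dict)

    def move(self, admin: str, group: str) -> None:
        if group not in self.groups:
            raise KeyError(f"unknown group {group!r}")
        self.moved_to[admin] = group


# A transport sends one Access-Request and returns the parsed reply, or None when
# the server did not respond. RADIUS framing itself is out of scope here.
RadiusReply = Optional[Dict[str, object]]
Transport = Callable[[str, int, str, str, str], RadiusReply]


def resolve_group(admin: str, reply: Dict[str, object], directory: AdminGroups) -> str:
    """A manual move wins; otherwise the group ID sent by RADIUS; otherwise
    (no parameter, or a group the console does not know) the limited default group."""
    if admin in directory.moved_to:
        return directory.moved_to[admin]
    attrs = reply.get("attributes") or {}
    group = attrs.get(GROUP_ATTRIBUTE) if isinstance(attrs, dict) else None
    if isinstance(group, str) and group in directory.groups:
        return group
    return RADIUS_DEFAULT_GROUP


def authenticate_admin(settings: RadiusSettings, directory: AdminGroups, admin: str,
                       password: str, transport: Transport,
                       sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Try the primary host, then the secondary, for up to Retry Limit rounds
    spaced Retry Interval seconds apart. A definite reject ends the login at once;
    only silence from every host in every round triggers the no-response action."""
    hosts = [h for h in (settings.primary_host, settings.secondary_host) if h]
    for attempt in range(1, settings.retry_limit + 1):
        for host in hosts:
            reply = transport(host, settings.port, settings.shared_secret, admin, password)
            if reply is None:
                continue                                   # no response: try the next host
            if not reply.get("accept"):
                return {"allowed": False, "reason": f"rejected by {host}"}
            group = resolve_group(admin, reply, directory)
            return {"allowed": True, "group": group,
                    "permissions": directory.groups[group], "server": host}
        if attempt < settings.retry_limit:
            sleep(settings.retry_interval)
    return {"allowed": False, "reason": f"no RADIUS response; {settings.no_response_action}"}


if __name__ == "__main__":
    groups = AdminGroups(groups={RADIUS_DEFAULT_GROUP: {"policies": "view"},
                                 "Security Admins": {"policies": "edit"}})
    cfg = RadiusSettings("radius1.example.test", "radius2.example.test", retry_limit=2)
    # Constructed transport: primary silent, secondary accepts without a group parameter.
    sim = lambda host, port, secret, user, pw: None if host.startswith("radius1") else {"accept": True}
    print(authenticate_admin(cfg, groups, "newadmin", "pw", sim, sleep=lambda s: None))
```

The order in resolve_group is what makes the note below matter: an administrator whose RADIUS reply lacks the group parameter lands in the default group on every login, so that group's permissions are the floor every authenticated-but-unmapped account gets.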
NOTES: The RADIUS Default Group should be set to View Only on all fields in the GUI.
See also: RADIUS Authentication, Administrators
Dashboard
This Dashboard window allows you to enable or disable a Dashboard view of this particular Device IP.
1. Click Edit to activate the window. Enable or disable the Dashboard checkbox.
2. Click Save to commit the change. Click on the toolbar to confirm the results.
See also: Dashboard Console
Scanning Options
In the Main Tool bar, select Administration > System Settings > Scanning Options. This screen is used to enable the HTML Repair feature, caching of the results of scanned files, and a Status page. To edit the Scanning Options screen, click Edit on the right pane.
HTML Repair: Select the Automatic removal of suspicious code checkbox on the Scanning Options screen to enable the HTML Repair feature. By selecting this option, malicious scripts on an HTML page are automatically detected and repaired, and the HTML page is sent on to the end-user in a transparent manner. Logging rules in the M86 logging policy Log All Protective Actions enable you to display this information in the Web Log View.
NOTES: The HTML Repair feature is enabled by default.
Security Caching: Select the Enable caching checkbox to enable caching of the results of scanned files. This improves system performance by reducing scanning time. The system is configured such that the most CPU- and time-consuming Scanning engines will make use of this feature accordingly.
Enable Status Page: When files are being downloaded from the Internet, a status page can be displayed to the end-user in the browser window. This provides important information while the end-user waits for the download to finish, as the file must be scanned by SWG before it reaches the browser. The status page can be configured and activated accordingly. The Status Page is disabled when working with HTTPS.
This section includes the following tabs:
• General Settings
• Activate
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, License, Debug Logs, GUI Log Level, General Settings, Activate
General Settings
By selecting Enable Status Page, you can configure the options listed in the following table:
Size Threshold for Immediate Activation (KB): Configures the download file size threshold that activates the status page.
Immediate Activation for Downloads taking more than (in seconds): Configures the number of seconds into a download after which the status page is activated.
Progress Bar Update Interval (in seconds): Determines the frequency at which the progress bar shown in the status page is updated during the download.
Completed Download Lifetime (in seconds): Configures the amount of time that the downloaded content remains on the SWG proxy before it is removed.
Downstream Proxy Compatibility: When checked, enables working with ISA Server.
See also: Scanning Options, Activate
Activate
When files are being downloaded from the Internet, a status page can be displayed to the end-user in the browser window.
To edit options in Status Page:
1. To edit the Activate tab on the Status Page, click Edit.
2. Select Enable Status Page.
3. In the On User Agents/Activate When/Unless sections, click to add new rows.
4. Enter the appropriate User Agent and Values.
5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete Row.
6. Click Save to apply changes. Next, click to commit them.
You can choose to activate or deactivate the Status Page based on the following:
• User Agent: The User Agent is an HTTP header field by which the browser is identified to the Server. Most browsers, including Internet Explorer, specify Mozilla as part of the User-Agent field. Rows can be added or deleted using the Add Row and Delete Row options.
• Content Type: Content type can be an extension type or a Mime type. Specific extensions and Mime types can be added or deleted in the same way. The Extensions displayed are provided as default Extensions. For example, you can choose not to activate the Status Page if the file is a PDF file (i.e. its value is defined as pdf). Mime Type is an example of an HTTP header field. For example, an HTML page can be sent with Content Type: text/html. The substrings that are displayed in the screen are given as default content types.
See also: Scanning Options, General Settings
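The activation rules from the General Settings and Activate tabs, brought together in an added Python example that is not part of the guide or of the SWG product. The settings values, URLs and User-Agent strings are constructed; two points the guide leaves open are taken as assumptions here: an "Unless" match is checked before "Activate When" (an empty "Activate When" list meaning every content type qualifies), and either the size threshold or the elapsed-time limit is enough to activate the page.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class StatusPageSettings:
    """Mirrors the General Settings and Activate tabs; the values are constructed."""
    enabled: bool = True
    size_threshold_kb: int = 1024          # Size Threshold for Immediate Activation (KB)
    activate_after_seconds: int = 5        # Immediate Activation for Downloads taking more than
    user_agents: List[str] = field(default_factory=lambda: ["Mozilla"])  # On User Agents
    activate_when: List[str] = field(default_factory=list)              # Activate When (content types)
    unless: List[str] = field(default_factory=lambda: ["pdf"])          # Unless (content types)


def content_matches(url: str, content_type: str, patterns: List[str]) -> bool:
    """A pattern is either a file extension, matched against the URL path, or a
    substring of the Content-Type header (e.g. 'text/html'). Both forms are
    tried for every pattern, since the screen accepts either kind in one list."""
    path = url.split("?", 1)[0].lower()
    ctype = content_type.lower()
    for pattern in patterns:
        p = pattern.lower().lstrip(".")
        if path.endswith("." + p) or p in ctype:
            return True
    return False


def should_show_status_page(settings: StatusPageSettings, scheme: str, user_agent: str,
                            url: str, content_type: str, size_kb: int,
                            elapsed_seconds: float) -> bool:
    """Decide whether the proxy shows the status page for one download."""
    if not settings.enabled:
        return False
    if scheme.lower() == "https":
        return False            # the guide: the Status Page is disabled when working with HTTPS
    ua = user_agent.lower()
    if not any(agent.lower() in ua for agent in settings.user_agents):
        return False            # browser not listed under On User Agents
    if content_matches(url, content_type, settings.unless):
        return False            # a configured exception, e.g. pdf
    if settings.activate_when and not content_matches(url, content_type, settings.activate_when):
        return False
    # Immediate activation: the object is large, or the download is already slow.
    return size_kb >= settings.size_threshold_kb or elapsed_seconds > settings.activate_after_seconds


if __name__ == "__main__":
    cfg = StatusPageSettings()
    print(should_show_status_page(cfg, "http", "Mozilla/5.0 (Windows NT 6.1)",
                                  "http://downloads.example.test/big.zip", "application/zip", 5000, 0))
```

Because a pattern is also tried as a Content-Type substring, a short extension such as "zip" will also match "application/x-gzip"; keep the patterns as specific as the defaults shown on the screen.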
Mail Server
The Email Settings screen refers to the Simple Mail Transfer Protocol (SMTP) Server information, which controls the sending of emails for the following: system events, application events, software updates. To edit the Email Settings screen, click Edit on the right hand pane.
Figure 5-52: SMTP Server Settings
The table below provides an explanation of the fields:
Enable Sending Email: Enables emails to be sent.
Hostname/IP: The host name or IP address of the SMTP Server you are using (e.g., mail.M86.com).
Port: Defines the port that the SMTP Server uses; this is usually Port 25.
User Name: User name for SMTP Authentication (e.g. VS_NG; optional, depending on your SMTP requirements).
Password: Password for SMTP Authentication (optional, depending on your SMTP requirements).
Originating Domain: The email alerts originate from this pre-defined user and domain name, using the machine name in the email alias name (e.g. CustomerDomain.com).
Test Recipient: A test email address to validate that the messages are being received. For example, [email protected]
Click on Test to send a sample email alert to the test recipient email address.
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Scanning Engines, Administrative Settings, Digital Certificates, License, Debug Logs, GUI Log Level
Scanning Engines
In the Main Tool bar, select Administration > System Settings > Scanning Engines. The Scanning Engines screen displays an Engines tree on the left pane, which includes third-party engines that work together with the SWG system. Third-party engines can be used only if you have obtained the appropriate license.
Figure 5-53: Scanning Engines
Scanning Engines include the following:
• Anti-Spyware
• Anti-Virus (Kaspersky)
• URL Filtering (M86)
• Anti-Virus (McAfee)
• Anti-Virus (Sophos)
• URL Filtering (IBM)
• URL Filtering (Websense)
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Mail Server, Administrative Settings, Digital Certificates, License, Debug Logs, GUI Log Level, Anti-Spyware, Anti-Virus (Kaspersky), Anti-Virus (McAfee), Anti-Virus (Sophos), URL Filtering (IBM), URL Filtering (Websense)
Anti-Spyware
Select the Anti-Spyware M86-proprietary engine to display the following information on the right pane:
• Spyware Home Black List: refers to a black list of URLs known to accommodate Spyware
• Known Spyware: refers to a list of spyware with known Class IDs (CLSID)
• Spyware Profiles: refers to spyware that is picked up by the Active Content List CP
These lists are continuously updated by M86’s MCRC. The information in these lists cannot be configured or deleted. The Anti-Spyware profile appears as a built-in behavior profile in the Script Behavior Profiles in the Rule Conditions.
Figure 5-54: Anti-Spyware
See also: Scanning Engines, Anti-Virus (Kaspersky), Anti-Virus (McAfee), Anti-Virus (Sophos), URL Filtering (IBM), URL Filtering (Websense)
Anti-Virus (Kaspersky)
Kaspersky includes pre-configured profiles generated by the software manufacturer. Version numbers and signature/DAT file numbers are displayed. You can set the amount of time, in seconds, after which the Anti-Virus engine will stop scanning a large file. The maximum time allowed is 300 seconds. This option reduces the possibility of system time-outs.
NOTES: This time limit refers to one single item, so in cases where there are containers containing many items, this time limit will be extended.
See also: Scanning Engines, Anti-Spyware, Anti-Virus (McAfee), Anti-Virus (Sophos), URL Filtering (IBM), URL Filtering (Websense)
Anti-Virus (McAfee)
The McAfee engine includes pre-configured profiles generated by the software manufacturer. Version numbers and signature/DAT file numbers are displayed. You can set the amount of time, in seconds, after which the Anti-Virus engine will stop scanning a large file. The maximum time allowed is 300 seconds. This option reduces the possibility of system time-outs.
NOTES: This time limit refers to one single item, so in cases where there are containers containing many items, this time limit will be extended.
For the McAfee Anti-Virus engine alone, SWG offers the following capabilities:
• Enable Macro Scanning: Ability to scan macros in Office documents.
• Enable Heuristics: Ability to use generic methods to scan for potentially unknown threats.
NOTES: These 3rd party anti-virus engines can be used only if you have obtained the appropriate license.
See also: Scanning Engines, Anti-Spyware, Anti-Virus (Kaspersky), Anti-Virus (Sophos), URL Filtering (IBM), URL Filtering (Websense)
Anti-Virus (Sophos)
The Sophos engine contains pre-configured profiles generated by the software manufacturer. Version numbers and signature/DAT file numbers are displayed. You can set the amount of time, in seconds, after which the Anti-Virus engine will stop scanning a large file. The maximum time allowed is 300 seconds. This option reduces the possibility of system time-outs.
NOTES: This time limit refers to one single item, so in cases where there are containers containing many items, this time limit will be extended.
See also: Scanning Engines, Anti-Spyware, Anti-Virus (Kaspersky), Anti-Virus (McAfee), URL Filtering (IBM), URL Filtering (Websense)
URL Filtering (M86)
URL Filtering blocks or allows content based on analysis of its content, rather than its source. To this end, a proprietary M86 List Categorization engine is deployed as the primary URL Categories Filter in the Secure Web Gateway.
NOTES: Every SWG deployment has only a single URL Categorization Engine License. The appropriate license is selected upon initial acquisition of the primary SWG license and is dependent on the number of Users. The M86 URL Categories Filter identifies embedded URLs, as opposed to some third party URL filters which cannot.
See also: Scanning Engines, Anti-Spyware, Anti-Virus (Kaspersky), Anti-Virus (McAfee), Anti-Virus (Sophos), URL Filtering (IBM)
URL Filtering (IBM)
For IBM Proventia Web Filter, there are pre-configured profiles generated by the software manufacturer. Version numbers and signature/DAT file numbers are displayed.
NOTES: Third-party URL Filtering engines can be used only if you have obtained the appropriate license.
See also: Scanning Engines, Anti-Spyware, Anti-Virus (Kaspersky), Anti-Virus (McAfee), Anti-Virus (Sophos), URL Filtering (Websense)
URL Filtering (Websense)
For Websense, there are preconfigured profiles generated by the software manufacturers. Version numbers and signature/DAT file numbers are displayed.
NOTES: Third-party URL Filtering engines can be used only if you have obtained the appropriate license.
See also: Scanning Engines, Anti-Spyware, Anti-Virus (Kaspersky), Anti-Virus (McAfee), Anti-Virus (Sophos), URL Filtering (IBM)
Administrative Settings
In the Main Tool bar, select Administration > System Settings > Administrative Settings. The Administrative Settings screen is comprised of the following:
Console Timeout: Allows the administrator to configure the amount of idle time, in minutes, after which the current session times out. This is useful for security purposes, as it stops someone unauthorized from using the Management Console. The administrator must log in to the Management Console again if the session times out.
Commit Changes: Enabling this checkbox forces a note to be sent to the audit log every time a configuration change has been committed. Once this checkbox is enabled, upon clicking commit change, filling in the Note box becomes obligatory. (Commit changes are performed by clicking in the Management Console toolbar.)
Customer Feedback Information: By enabling this checkbox, the customer agrees to provide data to the M86 Security Malicious Code Research Center (MCRC) for review. The primary data sent to MCRC is comprised mainly of blocked transactions and browse habits. Gathering this information helps M86 Security uncover new or unknown malicious dangers that can, in turn, be prevented in future versions of the SWG product to keep the customer protected. Data is best sent when the load on your company’s system is at its minimum. As such, the Customer Feedback fields are configurable as follows:
• Run daily at a specified hour
• Run Weekly on a particular day, at a specified hour
To edit the setting, click Edit, make changes and then click Save.
Figure 5-55: Administrative Settings Options
NOTES: This checkbox is also available in the License agreement screen. For more information on the M86 licensing agreement, please refer to End User Licensing Agreement.
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Mail Server, Scanning Engines, Digital Certificates, License, Debug Logs, GUI Log Level
Digital Certificates
Digital Signature-based technology helps with the risk factor when downloading ActiveX controls and other executables over the Internet. It identifies the publisher of signed software and verifies that the code hasn't been tampered with, before you download software to your computer. Digital certificates use a cryptographic technology called public-key cryptography to sign software publications and to verify the integrity of the certificate itself. In the Main Tool bar, navigate to Administration > System Settings > Digital Certificates. The digital certificates comprise authorized and certified active content, thus adding another layer of security for your organization.
Figure 5-56: Digital Certificates
See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, License, Debug Logs, GUI Log Level, Importing Certificates Into Customer Certificate Lists, Certificate Details Screen
Importing Certificates Into Customer Certificate Lists
To import certificates into the customer certificate lists:
1. Right-click on the Digital Certificate in the left pane and select Import Component from the drop-down menu. The Import Digital Certificate screen is displayed on the right pane.
Figure 5-57: Import Digital Certificate
2. Browse to the required file location and then Import the file, making sure that the file has the correct PEM extension. The imported certificate appears in the Digital Certificate list.
Figure 5-58: Digital Certificate Imported
See also: Digital Certificates, Certificate Details Screen
Certificate Details Screen
Use the Edit and then Save/Cancel buttons to make changes in this screen, such as deleting certificates. The screen contains the following information:

• Certificate Name: Name of the Digital Certificate list.
• Issued By: Name of the Certificate Authority that issued the certificate.
• Issued To: Name of the organization to which the certificate was issued. (For root certification authorities and self-signed certificates, Issued By and Issued To are the same.)
• Expiration: Expiration date of the certificate.
• Friendly Name: Name under which the certificate is presented externally.

The following lists are available:

• Customer CAs for Cloud: Contains the certificates used specifically for the Cloud. The Policy Server must hold every link of the CA chain issued from a trusted authority. All files must be in PEM format before they are imported. PEM is a Base-64 encoded X.509 certificate text file format.
• Customer Certificate Revocation List: Contains certificates that have been revoked. This is an external list. To update it, subscribe to the Certificate Revocation List and import the pre-defined files you receive into the Policy Server. All files must be in PEM format before they are imported.
• Customer Trusted Publishers (code signing only) and Customer Untrusted Publishers: These two lists contain certificates of trusted and untrusted publishers respectively. These files are received from an external source and must be in PEM format with a PEM extension before being imported. A file may contain several certificates, but M86 displays only the first one in the file.
• Customer Trusted Root CA: Root Certificate Authorities (CAs) are "self-signing" certificates, that is, certificates issued on their own authority.
• Finjan Certificate Revocation List: This list is non-editable. It contains certificates that have been revoked.
• M86 Security Trusted and Untrusted Publishers: These two lists are non-editable and contain M86 predefined lists of trusted and untrusted publishers respectively. They are regularly updated via M86 Security Updates.
• M86 Security Trusted Root CA: This list is also non-editable. Root Certificate Authorities (CAs) are "self-signing" certificates, that is, certificates issued on their own authority.
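As an added example (not code from M86 or this guide), the Node.js script below splits a PEM bundle into its individual certificate blocks and checks that each block decodes to well-formed DER. Because the console displays only the first certificate of a multi-certificate file, and because the Import CA and Import CSR-based CA procedures later in this chapter require the BEGIN/END lines to be copied exactly, dashes included, a check like this lets you split a bundle into one certificate per import and catch a damaged copy before the Policy Server does. The sample bundle is constructed: its blocks are tiny hand-made DER values standing in for real certificates, so the script runs offline.

```javascript
// Added example, not code from M86 or this guide: split a PEM bundle into
// individual certificate blocks and sanity-check each one before importing
// it into a customer certificate list.
'use strict';

// Decode one base64 PEM body to DER and verify it is a well-formed outer
// SEQUENCE whose declared length matches the bytes actually present. This
// catches truncated or mangled copies without needing a full X.509 parser.
function checkDer(base64Body) {
  const der = Buffer.from(base64Body.replace(/\s+/g, ''), 'base64');
  if (der.length < 2 || der[0] !== 0x30) {
    return { ok: false, reason: 'not a DER SEQUENCE' };
  }
  let len = der[1];
  let headerLen = 2;
  if (len & 0x80) {                 // long-form length: 0x8n, then n bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) {
      return { ok: false, reason: 'bad length octets' };
    }
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
    headerLen = 2 + n;
  }
  if (headerLen + len !== der.length) {
    return { ok: false, reason: `declared ${len} bytes, found ${der.length - headerLen}` };
  }
  return { ok: true, derLength: der.length };
}

// Find every complete PEM block. The body may only contain base64 text, so a
// block whose END line is damaged cannot swallow the blocks that follow it;
// it simply fails to match and is reported as an unmatched BEGIN.
function splitPemBundle(text) {
  const block = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+\/=\r\n]*?)\r?\n-----END \1-----/g;
  const blocks = [];
  let m;
  while ((m = block.exec(text)) !== null) {
    blocks.push({ index: blocks.length, label: m[1], pem: m[0], ...checkDer(m[2]) });
  }
  const begins = (text.match(/-----BEGIN /g) || []).length;
  return { blocks, unmatchedBegins: begins - blocks.length };
}

// PEM text of the blocks that pass the check, one string per certificate,
// ready to be saved as separate files for separate imports.
function importable(text) {
  return splitPemBundle(text).blocks.filter((b) => b.ok).map((b) => b.pem + '\n');
}

// Constructed sample bundle: tiny hand-made DER values stand in for real
// certificates so the script runs offline.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'MAMCAQE=',                   // SEQUENCE { INTEGER 1 }: well formed
  '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----',
  'MAUCAQE=',                   // declares 5 content bytes, carries 3
  '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----',
  'MAMCAQE=',
  '-----END CERTIFICATE----',   // one dash short: the block is unusable
  '-----BEGIN CERTIFICATE-----',
  'MAQEAmhp',                   // SEQUENCE { OCTET STRING "hi" }: well formed
  '-----END CERTIFICATE-----',
  '',
].join('\n');

const report = splitPemBundle(SAMPLE_BUNDLE);
report.blocks.forEach((b) => console.log(
  `#${b.index} ${b.label}: ${b.ok ? `ok, ${b.derLength} DER bytes` : 'BAD, ' + b.reason}` +
  (b.index === 0 ? ' (the only one the console would display)' : '')));
console.log(`unmatched BEGIN lines: ${report.unmatchedBegins}`);
```

Run it with `node` against a real bundle by replacing SAMPLE_BUNDLE with the file contents; write each string returned by importable() to its own .pem file and import those one at a time if every certificate in the bundle needs to appear in the list.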
Figure 5-59: Example of Digital Certificate Screen

See also: Digital Certificates, Importing Certificates Into Customer Certificate Lists, CA Management

Digital Certificates Used In

The Used In right-click option lets the administrator determine, for every digital certificate list, in which rules and policies it is used.

To access the Used In data:

Navigate in the Management Console to Administration > Digital Certificates and select the specific certificate component. For example:
1. Administration > Digital Certificates > M86 Certificate Revocation List.
2. Right-click the component, or click the icon in the furthest left pane, and select Used In.
3. The Used In screen appears.
4. Rules may contain numerous components and policies may contain various rules. To view the policies in which this item is used and the rules belonging to the policy, click a specific record and select either Navigate to Policy page or Navigate to Rule page.
5. The selected screen opens for viewing. Return to the Used In screen by navigating through Administration > Digital Certificates to the specific component.
License

Every customer has a license from M86, which is either an evaluation license or a permanent license. A single license key can be used for multiple Policy Servers. It can also be re-used when the administrator needs to reinstall the system.

Evaluation License: When entering the Management Console for the first time, an installation Wizard runs and the administrator must enter a license key. An evaluation key entitles you to a 30 day evaluation period with full SWG functionality. Once the 30 day evaluation period has passed, SWG starts forwarding Internet content without scanning it, and the Management Console is disabled until the administrator enters a permanent license key.

NOTES: The Policy Server updates M86 Headquarters on the status of the License. This information is confidential and is kept at the M86 Financial offices. Ten days before the evaluation license expires, an informative message is displayed.

Permanent License: A permanent license is generated by M86 and sent to the customer. Its expiration date is based on the service agreement with the customer. Starting three months before the expiration date, the administrator receives notifications that the license needs to be renewed. Once the license has expired, there is a thirty day grace period during which traffic is still scanned but administrators have very limited access to the Management Console. After the grace period, SWG no longer functions as required.

To enter your new License Key:
1. Enter the license key provided by M86 and click Continue.
2. Read through the license agreement and check the I accept checkbox.
3. Click OK to finish.

See also: System Settings
M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, Debug Logs, GUI Log Level

Debug Logs

These options are reserved for M86 Support personnel only.

See also: System Settings, M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, License, GUI Log Level
GUI Log Level

The GUI Log Level function is used to send support information to M86 and is primarily reserved for M86 Support personnel. GUI Log Level is composed of two tabs: Basic and Advanced. The Basic tab in the Log Level screen sets the system to one of the following levels of debugging, from most to least verbose:
• Trace
• Debug
• Info
• Warn
• Error
• Fatal

NOTES: The level of debugging should not be modified without consulting M86 Support personnel, as it may affect product performance. The recommended debug level is Error; only the Error level is intended for the production environment.
Figure 5-60: Management Console Debug Level

Advanced

Whereas the Basic tab controls the general level of log messages, the Advanced tab allows more detailed control by setting the level of the individual loggers. The Advanced tab includes:
• Root - all the other loggers
• Hibernate general - all Hibernate loggers
• SQL - all SQL queries
• JDBC Parameters - database connection parameters
• HBM DDL - DDL info
• Hibernate Entity - contents of objects containing database data
• Hibernate Cache - contents of the first and second level Hibernate cache
• Database Transaction - transactions held with the database
• JDBC - logging level of the JDBC database driver
• AST - translation of Java commands into native SQL
• JAAS - authentication and authorization information

Verbose levels on the SQL, JDBC and Hibernate loggers write database activity into the log, so treat the resulting debug logs as sensitive and return the levels to Error once Support has what it needs.

See also: System Settings
M86 Devices, Available Device Tree Options, Device IP, Network Roles, Log Server, Scanning Server, Integrated SSL Scanning, Default Values, Policy Server, Scanning Options, Mail Server, Scanning Engines, Administrative Settings, Digital Certificates, License, Debug Logs

Cloud

M86 Secure Web Service Hybrid (SWSH) is a cloud-based computing solution. It extends enforcement of the corporate web security policy to all users, regardless of location, and provides a hybrid model alongside the existing LAN web security. When using SWSH, all web traffic initiated by the remote worker's computer is redirected to an M86 scanner securely hosted in the cloud. SWSH scans the traffic according to the user's policy profile and, if allowed, forwards it to the Internet.
Cloud Configuration

To configure M86 Secure Web Service Hybrid computing, navigate in the Management Console to Administration > Cloud. The three SWG Cloud options are:
• Certificate Management Mode
• Configuration
• Email Template

Figure 5-61: Cloud Management

Certificate Management Mode

The initial section in the Cloud Configuration menu determines the certificate management mode in which the administrator will be working. Mode options include:

• Internal Certification: Allows organizations that do not have a pre-existing certificate authority to use the SWG Policy Server for certification.
• Enterprise PKI: Allows organizations to use a pre-existing certificate authority that is already part of the company's certification program.

IMPORTANT: When switching from the original cloud mode to PKI mode, and vice versa, previous CA definitions are not saved.

Figure 5-62: Cloud Mode Selection

Click Edit, enable the relevant checkbox, and click Save.
Configuration

The number and types of tabs available for cloud configuration depend on the mode selected in the Certificate Management Mode section.

NOTES: Fields that are yellow and tabs that carry a "Warning" symbol (!) are mandatory.

The following table outlines the basic differences between the two cloud configuration modes:

• Internal Certification, required tabs: Provisioning, Agent Configuration, Proxies, Bypass, CA Management
• Enterprise PKI Mode, required tabs: Provisioning, Agent Configuration, Proxies, Bypass, CA Management, CRL Handling

To configure M86 Secure Web Service Hybrid computing, navigate in the Management Console to Administration > Cloud > Configuration.

NOTES: In Internal Certification mode only, you must configure users and email settings before starting with the Provisioning.

See also: Administration
Administrators, System Settings, Rollback, Export/Import, Updates, Alerts, System Information, Change Password, Cloud Configuration, Email Template, Mail Server, LDAP, M86 Devices, Cloud, Provisioning, Agent Configuration, Proxies, Bypass, CA Management

Provisioning
A remote client can be provisioned by a provisioning email. Configure the Policy Server to automatically send a provisioning email to the target cloud users with a link to the agent installation and with the target user certificate. This option is suitable for the integration phase or for a small rollout of up to a few hundred users.

NOTE: You can also choose to use the Policy Server to automatically or manually send the target user an email with the client agent installation instructions and/or the target user certificate.

The Provisioning tab is activated by clicking Edit and comprises the following fields:

• Agent Installer URL (Internal Certification only): Address, as chosen by the administrator, where the Agent Installation Package is saved.
• Automatically send an email with provision instructions to new cloud members (Internal Certification only): Sends an email to new cloud users with provisioning instructions.
• Send an email update upon configuration changes (Internal Certification only): Sends an email to existing cloud users once changes have been committed.
• Mobile User Private Key Password (Internal Certification only): The password with which the certificate is eventually installed by the end user. This field is mandatory.
• Confirm Private Key Password (Internal Certification only): Confirmation of the mobile user private key password.
• Download PAC File (Internal Certification and Enterprise PKI): Click the Download PAC File button and follow the Download Wizard instructions to save the created file. The Proxy Automatic Configuration (PAC) file contains the updated Scanner URLs.
• Download Agent Installer (Internal Certification and Enterprise PKI): Click the Download Agent Installer button only after all information is configured in the Policy Server. The Agent Installer contains the PAC file. Follow the Download Wizard instructions to save the created file.

To configure provisioning parameters:

1. Navigate in the Management Console to Administration > Cloud > Configuration > Provisioning tab.
2. Click Edit to activate the screen for editing.
3. Enter the Agent Installer URL. This URL is the address, as chosen by the administrator, where the Agent Installation Package is saved.
4. Enabling the Automatically send an email with provision instructions to new cloud members checkbox ensures that provisioning emails are sent to users: each time a new user receives a cloud certificate, an email is sent. Enable this checkbox if required.
5. Enabling the Send an email update upon configuration changes checkbox sends an email to existing users whenever something has changed in the configuration. Enable this checkbox if required.

NOTES: Emails are only sent after configuration changes that affect the client/user are committed.

6. Enter the Mobile User Private Key Password (the password with which the certificate is eventually installed by the end user). This one password protects the private key of every mobile user's certificate, so deliver it to users through a channel separate from the provisioning email that carries the certificate.
7. Re-type the password to confirm.

Before downloading PAC files and the Agent Installer package, the mandatory fields in the Proxies and CA Management tabs must first be configured. Warning icons and/or yellow text denote which fields are mandatory.

IMPORTANT: The Download buttons in the Provisioning screen are disabled until all relevant information has been entered and committed successfully.
Download PAC files

The PAC file defines how browsers automatically choose the appropriate proxy server for retrieving a given URL. PAC files contain a "FindProxyForURL(url, host)" function that returns a string with one or more access method specifications. These specifications cause the browser to use a particular proxy server or to connect directly. PAC files can be created within the Management Console, or a customer may adapt the M86 PAC file template as their own. Customers using a proprietary PAC file must ensure that the local host proxy within the PAC file belongs to M86.

IMPORTANT: The Download buttons in the Provisioning screen are disabled until all relevant information has been entered and committed successfully.

To download the PAC file:
1. Navigate in the Management Console to Administration > Cloud Configuration > Provisioning tab.
2. Click Edit to activate the screen.
3. Click the Download PAC File button and save the created file.
4. The M86 created PAC file is eventually included in the Agent Installation Package. A proprietary customer PAC file is not; it is the customer's responsibility to distribute such a PAC file to its remote workers.

NOTES: Emails are only sent after configuration, after a new certificate is issued, and after changes have been committed.
Agent Installation

Agents are installed on remote worker laptop computers, or in situations in which the LAN desktop, whether at headquarters or a branch office, is not a domain member and the user is not authenticated with the domain. An Agent can also be installed in a branch office scenario as an alternative network solution to route the traffic to the cloud scanners. The SWSH Agent serves two main purposes:
• Routing: Routing the traffic to the nearest scanner, whether a cloud or an on-premise scanner.
• Authentication: Establishing mutual certificate authentication between the logged-on user and the target cloud scanner.

The following steps are required to create the SWSH Agent installation package:
• Proxies and CA Management configuration
• Agent setting configuration
• Client provisioning

To download the Agent Installer:
1. Navigate in the Management Console to Administration > Cloud > Configuration > Provisioning tab.
2. Whenever configuration changes are made and committed, the Agent Installer package must be re-uploaded to the location that the Agent Installer URL points to.
3. Click the Download Agent Installer button only after all information is configured in the Policy Server and changes are committed. Follow the Download Wizard instructions to save the created file. Upload this file to the URL specified in the Agent Installer URL field.

IMPORTANT: The Agent can be installed on Windows XP SP3, Vista SP1, and Win7.

4. For organizations using only the PAC file (without the Agent Installer), click the Download PAC File button and follow the Download Wizard instructions to save the created file.
5. Click Save to commit changes.

Figure 5-63: Remote Client Provisioning

See also: Cloud Configuration
Agent Configuration, Proxies, Bypass, CA Management

Agent Configuration
The Agent Enforcement tab includes two checkboxes, both of which are enabled by default:
• Prevent user from disabling agent: Enabling this checkbox ensures that the user cannot disable the agent in the browser, so browsing is possible only through an M86 agent.
• Enforce PAC file usage via the Secure Web Service Agent: Enabling this checkbox ensures that the PAC file in use is the M86 PAC file. Administrators should leave this box unchecked if a proprietary PAC file is used.

In Enterprise PKI mode, the Certificate Identification field is included in this tab:
• The Certificate Identification box includes the Extended Key Usage (EKU) field. The EKU is an Object ID that allows the agent to identify the certificate with which it should connect to the cloud scanners. The administrator defines this EKU and must use it in the certificate template from which all cloud user certificates are created.

Figure 5-64: Agent Enforcement Tab in Enterprise PKI Mode

NOTES: In Internet Explorer, changes to the "Enforce PAC file usage via the Secure Web Service Agent" setting take effect immediately. For Firefox users, if this option is enabled, any changes implemented after the initial installation require Firefox to be restarted before they take effect.

See also: Cloud Configuration, Provisioning, Proxies, Bypass, CA Management

Proxies
The Proxies tab includes the following fields:

Cloud proxy:
• Cloud Proxy HTTP Port: The HTTP port on which the cloud scanner listens.
• Cloud Proxy HTTPS Port: The HTTPS port on which the cloud scanner listens.

Local proxy (corporate proxies):
• Corporate Hostname: Corporate address (for example, www.M86security.com).
• Internal Hostname IP: IP of the corporate hostname.
• Resolve IP: Verification that the corporate hostname and Internal Hostname IP correspond.

• Cloud Proxy: The Cloud proxy box defines the Cloud scanners or Load Balancers used for browsing. The Cloud Proxy grid includes the following fields: Comments, Address, and the Local Agent HTTP and Local Agent HTTPS Port to browse via SWSH.

NOTES: The local proxy can be left empty in a situation where the administrator determines for users which proxy to use.

• Local Proxy: Add the local proxy. The PAC file includes an instruction to use the local proxy if the corporate hostname is resolvable, since that indicates you are within the local network. If the corporate hostname is not resolvable, the nearest (regional) Cloud proxy available is used. The Local Proxy grid includes the following fields: IP Address, Proxy HTTP Port and Proxy HTTPS Port to browse via SWSH.

NOTES: Note the differences between the Local Ports and the Listening Ports.

• Corporate Hostname: The administrator must ensure that the corporate hostname resolves to the Internal Hostname IP inside the corporate network. When the user is outside the corporate network, the corporate hostname should resolve to a different IP (or not resolve at all).
• Internal Hostname IP (resolve): The address corresponding to the Corporate Hostname, for example the IP address for m86security.com.
• Resolve IP: This button looks up the IP address of the corporate hostname and displays the result in the Internal Hostname IP field.

Figure 5-65: Proxies Tab

The following are the ports to which the agent connects when attempting to access the Cloud scanners/Load Balancers:
• Proxy Port: This port is used for tunneling the HTTP transactions performed by the browser.
• Proxy HTTPS Port: This port is used for tunneling the HTTPS transactions performed by the browser.
• Address: The hostname or IP of the Cloud scanner/Load Balancer. The Local Agent ports, by contrast, are the ports on which the browser connects to the agent running on the end user's computer.

See also: Cloud Configuration, Provisioning, Agent Configuration, Bypass, CA Management

Bypass
The Bypass tab includes the following fields:
• Non-Routable Networks: This table lists all networks or domains (IPs) that the SWSH agent bypasses when browsing via the Cloud proxy or the local proxy.
• Trusted URLs: Choose URLs that you want the Cloud proxy to bypass. This lets the organization bypass certain URLs that the administrator deems safe (for example, Microsoft Update, Mozilla).
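As an added example, and not the PAC file the Policy Server generates, the script below shows what the Download PAC files section describes in terms of the Proxies and Bypass tab settings: a FindProxyForURL(url, host) function that sends traffic to the local proxy when the Corporate Hostname resolves to the Internal Hostname IP, to the cloud scanner (on the HTTP or HTTPS port, according to the scheme) otherwise, and directly for Non-Routable Networks and Trusted URLs. Every hostname, address and port in it is an assumption made for this example; the TEST_DNS table and the shims in the pac object exist only so the file can be exercised offline under Node, and are skipped in a browser, whose PAC engine supplies the real built-ins.

```javascript
// Added example, not the PAC file the Policy Server generates: a Proxy
// Auto-Configuration script that applies the Proxies and Bypass tab settings
// described above. Every hostname, address and port below is an assumption
// made for this example.
var CORPORATE_HOSTNAME   = 'proxy.corp.example';                  // Proxies tab: Corporate Hostname
var INTERNAL_HOSTNAME_IP = '10.20.30.40';                         // Proxies tab: Internal Hostname IP
var LOCAL_PROXY          = 'PROXY 10.20.30.40:8080';              // Proxies tab: Local proxy
var CLOUD_PROXY_HTTP     = 'PROXY scanner-eu.cloud.example:8080'; // Cloud Proxy HTTP Port
var CLOUD_PROXY_HTTPS    = 'PROXY scanner-eu.cloud.example:8443'; // Cloud Proxy HTTPS Port

// Bypass tab, Non-Routable Networks: destinations reached directly.
var NON_ROUTABLE = [
  ['10.0.0.0', '255.0.0.0'],
  ['172.16.0.0', '255.240.0.0'],
  ['192.168.0.0', '255.255.0.0'],
  ['127.0.0.0', '255.0.0.0']
];
// Bypass tab, Trusted URLs: hosts the administrator deems safe (shell-style patterns).
var TRUSTED_HOSTS = ['*.update.microsoft.com', 'download.mozilla.org'];

// Answers for the offline DNS shim; a browser's PAC engine resolves for real.
var TEST_DNS = {
  'proxy.corp.example': '10.20.30.40',
  'intranet.corp.example': '10.20.31.7',
  'www.example.com': '93.184.216.34'
};

// A browser's PAC engine provides isPlainHostName, shExpMatch, dnsResolve and
// isInNet. The shims below are used only where those built-ins are absent
// (for example under Node), never in a browser.
var pac = {
  isPlainHostName: typeof isPlainHostName === 'function' ? isPlainHostName
    : function (host) { return host.indexOf('.') === -1; },
  shExpMatch: typeof shExpMatch === 'function' ? shExpMatch
    : function (str, pattern) {
        var re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
        return new RegExp('^' + re + '$').test(str);
      },
  dnsResolve: typeof dnsResolve === 'function' ? dnsResolve
    : function (host) {
        return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : (TEST_DNS[host] || null);
      },
  isInNet: typeof isInNet === 'function' ? isInNet
    : function (ip, net, mask) {
        if (!ip) return false;
        var a = ip.split('.'), n = net.split('.'), m = mask.split('.');
        for (var i = 0; i < 4; i++) {
          if ((a[i] & m[i]) !== (n[i] & m[i])) return false;
        }
        return true;
      }
};

function FindProxyForURL(url, host) {
  // Unqualified names and loopback never leave the machine.
  if (pac.isPlainHostName(host) || host === 'localhost') return 'DIRECT';

  // Bypass tab, Trusted URLs: matched hosts are not sent through any proxy.
  for (var i = 0; i < TRUSTED_HOSTS.length; i++) {
    if (pac.shExpMatch(host, TRUSTED_HOSTS[i])) return 'DIRECT';
  }

  // Bypass tab, Non-Routable Networks: private and loopback destinations go direct.
  var ip = pac.dnsResolve(host);
  for (var j = 0; j < NON_ROUTABLE.length; j++) {
    if (ip && pac.isInNet(ip, NON_ROUTABLE[j][0], NON_ROUTABLE[j][1])) return 'DIRECT';
  }

  // Proxies tab: inside the corporate network the Corporate Hostname resolves
  // to the Internal Hostname IP (split-horizon DNS), so use the local proxy.
  if (pac.dnsResolve(CORPORATE_HOSTNAME) === INTERNAL_HOSTNAME_IP) return LOCAL_PROXY;

  // Anywhere else, use the cloud scanner on the port matching the scheme.
  // Deliberately no "; DIRECT" fallback: an unreachable scanner must fail
  // closed rather than turn into an unscanned connection.
  return url.substring(0, 6) === 'https:' ? CLOUD_PROXY_HTTPS : CLOUD_PROXY_HTTP;
}

// Offline demo; skipped inside a PAC sandbox, which has no console object.
if (typeof console !== 'undefined') {
  console.log(FindProxyForURL('https://www.example.com/', 'www.example.com'));
}
```

Two design points are worth keeping when adapting a proprietary PAC file of your own: the return value for scanned traffic names only the proxy, because appending "; DIRECT" would let a browser silently bypass scanning whenever the scanner is unreachable, and the non-routable check resolves each destination, which costs a lookup per request and can be limited to IP-literal hosts if that matters.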
Figure 5-66: Bypass Tab

See also: Cloud Configuration, Provisioning, Agent Configuration, Proxies, CA Management, URL Lists

CA Management
The Certification component of the SWG incorporates two modes for client certificate management: Internal mode and Enterprise PKI mode. In Internal mode, the Policy Server requires a certificate authority to create server and end-user client certificates, with the ability to sign both. In Enterprise PKI mode, the organization's CA is responsible for creating and signing all end-user certificates. The Policy Server does, however, require the organization's Certificate Authority to sign the server certificate and to provide its CA certificate for verification.

Figure 5-67: Enterprise PKI Mode Certificate Management Screen

Figure 5-68: Internal Mode Certificate Management Screen

The CA Management tab includes 8 different fields, of which only the Common Name field is mandatory. The remaining field information is left to the discretion of the administrator. The tab includes the following:
• Common Name: Generally refers to the global company name but may also reference a smaller group.
• Country Name: Generally refers to the company headquarters, or the country in which the physical server sits.
• State or Province: Company details.
• City or Locality: Company details.
• Organization: Company details.
• Organization Unit: A unit within the company, for example a specific department such as IT or Finance.
• Email: Email of the system administrator.
• Expiration Date: Expiration date of the certificate issued.
• Issuer: Either a self-signed authority or an external Certificate Authority.
The CA Generation options include the following:

CA Generation Options in Internal Mode: Generate a certificate authority to sign SWG and mobile workers' certificates.
• Generate Self-signed CA: The system administrator serves as the authority and self-signs the certificate. The administrator considers this sufficiently secure.
• Import CA: The system administrator imports a certificate, together with its private key, obtained from an external Certificate Authority.
• Import CSR-based CA: A private and public key pair is created and saved directly on the system; the certificate is then obtained in two steps:
  • Generate CSR: Prior to importing a CSR-based CA, generate a Certificate Signing Request and have it signed by an external Certificate Authority.
  • Import CSR-based CA: Import the certificate signed by the CA after the CSR was generated by SWG.

Whichever option is used in Internal mode, the CA private key that signs every mobile worker's certificate is held by the Policy Server, so restrict access to the Policy Server accordingly.

CA Certificate Import in Enterprise PKI Mode:
• Import Enterprise CA Certificate: Import the CA certificate from the enterprise PKI.

Server Certificate Generation options:
• Import CSR based Server Certificate: Import a server certificate signed by the CA after a CSR was generated by the SWG.
• Generate CSR: Prior to importing a CSR-based server certificate, generate a Certificate Signing Request and have it signed by the enterprise Certificate Authority.
• Import Server Certificate: Import a digital certificate for the cloud scanning server.

Figure 5-69: CA Certificate Import in Enterprise PKI Mode

Figure 5-70: CA Generation Options in Internal Mode

See also: Cloud Configuration, Provisioning, Agent Configuration, Proxies, Bypass, Generate Self-Signed CA, Import CA, Import CSR-based CA
Generate Self-Signed CA

Use a self-signed certificate authority to sign SWG and mobile workers' certificates.

To generate a self-signed CA:
1. Navigate in the Management Console to Administration > Cloud > Cloud Configuration > CA Management tab.
2. Click Edit and then click the Generate Self-Signed CA button.
3. In the Cloud Configuration screen, fill in the Common Name field (for example, M86 Security). All other fields in this screen are optional. Click OK.
4. The certificate information is stored internally in the database. The original Cloud Configuration screen shows the certificate details.
5. Click Save and then commit the changes to complete certificate generation.

See also: CA Management, Import CA, Import CSR-based CA

Import CA
The Import CA option allows system administrators to import a CA certificate into the system together with its private key.

To import a CA certificate and its private key:
1. Navigate in the Management Console to Administration > Cloud > Cloud Configuration > CA Management tab.
2. Click Edit. Click the Import CA button.
3. In the Cloud Configuration screen that follows, paste the certificate, the private key, and the private key password. (This certificate information is obtained from an external certificate authority prior to this configuration.)

NOTES: Certificate information must be copied precisely, including the beginning and ending lines with their spaces and dashes. It must be in base64 (.pem) format.

4. Click Save and then commit the changes to complete the import.

Figure 5-71: Import Root CA

See also: CA Management, Generate Self-Signed CA, Import CSR-based CA
Import CSR-based CA

The CSR-based CA option allows you to import a certificate signed by the Enterprise CA after a CSR (Certificate Signing Request) has been generated by the Secure Web Gateway.

To import a CSR-based CA:
1. Navigate in the Management Console to Administration > Cloud > Cloud Configuration > CA Management tab.
2. Click Edit. Click the Generate CSR link within the description.
3. In the next Cloud Configuration screen, enter the Common Name (for example, M86 Security). All other fields in this screen are optional.
4. Click OK. The Generate CSR Based CA window is displayed.

Figure 5-72: Generate CSR Based CA

5. Copy the contents of the Generated Request pane to the clipboard, or click Copy to Clipboard. Click OK.

NOTES: The Copy to Clipboard button exists only for users of Internet Explorer. Firefox users do not have this option.

6. Paste and send this certificate request to an external CA for signing.
7. Return to the original Cloud Configuration screen. Click the Import CSR-based CA button.
8. Paste the externally signed certificate into the certificate field. Click OK.
9. If the CA that signed the CSR is not trusted by the system, the following pop-up message appears: "The certificate of the CA that signed the CSR must be imported to the Trusted Cloud CAs list in the Digital Certificates screen".

NOTES: Certificate information must be copied precisely, including the beginning and ending lines with their spaces and dashes. It must be in base64 (.pem) format.

10. Click Save and then commit the changes to complete certificate generation.

See also: CA Management, Generate Self-Signed CA, Import CA

CRL Handling
In Enterprise PKI mode, the CRL Handling tab will be present in the Configuration screen options. The Certificate Revocation List (CRL) is a list of all revoked certificates. The list specifies each revoked certificate, the entity
262 M86 SECURITY, ADMINISTRATION ADMINISTRATION
that issued it, the date of certificate issue, the reason for revocation, and a proposed date for the next release of the CRL. When a user tries to access a server, the server allows or denies access based on specific CRL entries. The CRL Handling screen is comprised of the following:
Title Description
Enterprise CA CRL The HTTP or HTTPS location of the CRL. location LDAP is not an option in this field. (For example, http://ntydc2.ila.sun85.local/certenroll/nty-ca.crl)
Click this button to test that the location of the address entered in the Enterprise CA CRL location field is accessible.
Scheduling
Run daily at Set to retrieve and use CRL at a specific hour per day
Run every Set to retrieve and use CRL at specific hourly intervals
No Scheduling The default selection. CRL must be retrieved manually as there is no set schedule
Retrieve the CRL on-demand. (The Retrieve now button is only active when not in Edit mode)
 To configure CRL Handling
1. Navigate in the Management Console to Administration Æ Cloud Æ Configuration Æ CRL Handling tab. 2. Click Edit to activate the screen. 3. Enter the Enterprise CA CRL location address. 4. Click the Test Location button to verify that the location is accessible.
M86 SECURITY, ADMINISTRATION 263 ADMINISTRATION
5. Click Save
NOTES: The Retrieve Now button is not active in Edit mode.
6. In the Scheduling box, enter the required information to schedule CRL retrieval. As No Scheduling is the default selection, retaining this option means the system has no schedule for which to retrieve the information and it must be recovered manually. 7. Click Save. If there is no retrieval schedule, click the Retrieve Now button.
NOTES: To Save and commit changes, all mandatory fields in other cloud configuration tabs must be filled. You will be automatically directed to these tabs to complete information before a Save is possible. Email Template The Secure Web Gateway provides an email template to automatically provision Cloud users via email.The provisioning email templates are used if the administrator wants to edit the mail before sending. Otherwise, the default provisioning email will be used.
 To setup the provisioning email:
1. Navigate in the Management Console to Administration Æ Cloud Æ Email Template. 2. Click Edit. Select from the Provisioning Email Template dropdown menu the template you want to use.
264 M86 SECURITY, ADMINISTRATION ADMINISTRATION
3. The menu consists of the following templates:
Certificate Management Description
Select Email Type Select email type with editing capabilities.
Standard Template Email is sent with the certificate attached.
Standard Template for Email is sent to inform user that a certificate was Re-installation issued anew. Follow email instructions.
Template with Agent Email arrives with both a certificate and link to the Agent installation.
Template with Agent Email arrives with both a certificate and link to for Re-installation the Agent installation after certificate has been re-issued or a new Agent added.
4. The template is activated for modification.
Figure 5-73: Email Template

You can modify the contents of the From, Subject and Message fields (or accept the default settings). Add Placeholder lists are provided for the From and Message fields.
You can click HTML View to view the message contents in HTML.
5. Click Save and then click the Commit Changes icon to commit the changes.
See also: Cloud
Cloud Configuration
Issue Certificates per User

Issue Certificates per User
See the Users chapter for instructions on the Issue Vital Cloud Certificate for Group Member checkbox in the User Group Details Screen and Creating a New User Group sections. This task defines the users or user groups that will browse via M86 Secure Web Service Hybrid. Enabling this checkbox allows users or user groups to receive provisioning and update emails, certificates and installation instructions.
See also: Email Template
CA Management
User Group Details Screen
Creating a New User Group
Cloud User Certificate Management
Rollback
The Rollback feature is used for rolling the system back to a previous stable state. The Backup consists of all data that an administrator can customize in the Management Console (including Policies, settings etc). Information that is not included in the backup includes the Log Server database, Report Server database and Updates.
This capability is useful for the following reasons:
• Before applying major configuration and settings changes, the administrator can back up the current settings.
• The administrator may choose to have periodic backups of the system to guard against unforeseen catastrophes.
• In rare cases a failed update may cause the system to function incorrectly; a backup allows the last known good configuration to be restored.
• In rare cases of system hardware failure, for example when the hard disk of the Policy Server has stopped working, the configuration can be restored from the external backup location.
NOTES: You must disable the High Availability Policy Server feature before performing Rollback. See the section on High Availability.

The Rollback feature consists of three parts:
• Rollback Settings
• Backup Now
• Restore (Rollback)
Figure 5-74: Rollback Settings
See also: Administration
Administrators
System Settings
Cloud
Export/Import
Updates
Alerts
System Information
Change Password
Rollback Settings
Backup Now
Restore (Rollback)
Rollback Settings
During the Backup process the Policy Server settings are saved to an external network location. Exporting the data to an external location enables a smooth restore process in the case of hardware failure. To perform a backup, the Rollback settings must be filled in as detailed below:
Connection Method | Description
None | Does not perform the backup operation. If this option is selected, scheduled backup is disabled.
FTP | Connects via File Transfer Protocol in the common active mode of operation (the FTP server opens the data connection back to the Policy Server).
FTP Passive | Connects via File Transfer Protocol in passive mode, in which the Policy Server opens both the control and data connections outbound; this is useful if a firewall is located between the Policy Server and the remote FTP site.
Samba | Uses the Server Message Block (SMB) communication protocol, which enables connection to Windows shared folders.
SFTP | Uses the SSH File Transfer Protocol; the transfer, including the credentials, is encrypted.
Your selected Connection Method determines the content used to define your Backup Location, User to connect with and Password fields.

Selected | Result
None | No information can be entered.
FTP | The Backup Location is the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Backup Location. The Password should be the password used by the above user.
FTP Passive | The Backup Location is the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Backup Location. The Password should be the password used by the above user.
Samba | The Backup Location must include the server IP address and directory for your selected location, in the following format: //address/dir, for example, //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Backup Location, in the following format: workgroup/user, for example, marketing/nicole. The Password should be the password used by the above user.
SFTP | The Backup Location is the server IP address/dir for your selected location, for example, 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Backup Location. The Password should be the password used by the above user.
NOTES: The fields in this screen are enabled only after a connection method has been selected. You can choose to perform backups at specific times every recurring number of days by selecting Enable Scheduling and defining the times. The Check connection checkbox, when selected, verifies the Backup Location on Save. FTP and FTP Passive send the connection password and the backup contents in clear text; of the methods listed, only SFTP encrypts the transfer, so prefer it wherever the backup host supports it, and give the backup account write access to the backup directory only.
See also: Rollback
Backup Now
Restore (Rollback)
Backup Now
Once you have defined the appropriate settings, you can perform a manual backup by selecting Administration > Rollback > Backup Now. You can add a description to the Backup in this screen, for example, Backup for May 2008. Then click Backup. The Backup file details will appear in the Restore screen.
See also: Rollback
Rollback Settings
Restore (Rollback)
Restore (Rollback)
During the Restore process the settings are read from the backup and written back onto the disk. The Restore screen displays the scheduled or manual Backups with the following information:

Column Heading | Description
Date | Date the backup was performed
Type | Manual: Backups created manually. Scheduled: Backups scheduled for specific times. Automatic: Backups created automatically prior to a VSOS update.
Version | VSOS version in use when the backup was created
Description | Description of the backup file
The Restore process consists of the following steps:

To restore settings:
1. To edit the Restore screen, click Edit on the right pane.
2. Make sure you have selected a Connection Method and that at least one backup has been collected.
3. Click the icon adjacent to the required backup and select Restore from the drop-down menu. A confirmation message is displayed.
4. Click Save to apply the changes. Next, click the Commit Changes icon to commit them.
See also: Rollback
Rollback Settings
Backup Now
Reports Settings
The Reports Settings option allows the Administrator to either back up or restore data from the Reports database. Partitioning of the Reports database is done on a weekly basis and, as such, provides all reports data from the previous week.

The Database Settings screen includes an option that allows the administrator, by clicking the Backup Now button, to request a one-time backup. This action runs a backup of all data in the Reports database, beyond the one-week partition. The Backup Now action does not change previously configured settings; the Database Settings and the location and Connection Method information remain unaffected.

The Database Restore screen allows the administrator to select a specific date for which to retrieve report data. The screen provides a listing of available database backup files from which the administrator can choose. The Database Restore action does not change previously configured settings; the Database Settings and the location and Connection Method information remain unaffected.
Figure 5-75: Reports Settings Options

Database Settings
To define the appropriate Reports Settings and perform a manual backup, navigate to Administration > Reports Settings > Database Settings. The Database Settings screen includes the following:
Field | Description
Connection:
Connection Method | None, FTP, FTP Passive, Samba
Backup Location | The server IP address/dir for your selected location, for example, 10.194.5.104/Sari_FTP_Passive.
User to Connect With | The user name used when connecting to the Backup Location.
Password | The password of the above user.
Check Connection checkbox | When selected, verifies the Backup Location on Save.
Backup:
Enable Automatic Backup | When selected, ensures that data is backed up regularly without the need for manual intervention.
Backup Now button | Backs up data from the Reports database on demand, without waiting for the next partitioning.

Connection Method | Description
None | Does not perform the backup operation. If this option is selected, scheduled backup is disabled.
FTP | Connects via File Transfer Protocol in the common active mode of operation.
FTP Passive | Connects via File Transfer Protocol in passive mode; this is useful if a firewall is located between the Policy Server and the remote FTP site.
Samba | Uses the Server Message Block (SMB) communication protocol, which enables connection to Windows shared folders.

Note that, unlike Rollback Settings, the Reports database backup offers no SFTP method. FTP and FTP Passive send the credentials and the exported report data in clear text, so place the backup host on a network segment you control and restrict the backup account to that directory.
IMPORTANT: Click Save in the Database Settings screen, and the Commit Changes icon on the console, to activate the Backup Now button. It remains inactive until the Save is complete.

To configure Database Settings:
1. Navigate in the Management Console to Administration > Reports Settings > Database Settings.
2. Click Edit to edit the Database Settings screen.
3. Select the relevant Connection Method (for example, FTP, FTP Passive, Samba, or None). Enter data in the Backup Location, User to Connect With, and Password fields, all of which are mandatory.
4. Enable the Check Connection box to verify the Backup Location.
5. Check the Enable Automatic Backup checkbox. The Backup grid provides the option to back up all data from the Reports database; this gives the administrator a one-time opportunity to retrieve data that precedes the most recent weekly partition.
6. Click Save to apply the changes. Next, click the Commit Changes icon to commit them.
7. Once it is active, click the Backup Now button. The Reports data is sent to the location specified in the previous fields.
Figure 5-76: Database Backup
Database Restore
To configure Database Restore:
1. Navigate in the Management Console to Administration > Reports Settings > Database Restore.
2. Ensure that a Connection Method is selected in the Database Settings screen and that backup data has been collected.
3. Highlight the record in the Available database backup files section, right-click or left-click it, and click Restore.
4. The following message appears: "Clicking restore will overwrite any pre-existing partition. Are you sure you want to restore this partition?" Click OK or Cancel.

Figure 5-77: Database Restore

5. The selected Reports data is restored to the system. Check the System log to verify that the operation was successful.
Export/Import
The Export/Import menu allows you to export Security Policies, HTTPS Policies, Identification Policies and Identification Logging Policies from one Policy Server and import them into another. This feature provides added flexibility by allowing you to choose whether to overwrite existing Policies and Conditions or to save them on the destination Policy Server under a different name on the Management Console. See also: Administration
Administrators
System Settings
Cloud
Rollback
Updates
Alerts
System Information
Change Password
Export
Import
Export
The first step is to export the Policies from a source Policy Server. The settings are exported in an encrypted file and saved to a location of your choice (such as the local disk or a network drive). This only refers to Policies, Rules and Conditions that the administrator has created; M86 default Policies, Rules and Conditions will not be affected.
NOTES: This feature is dependent on the role defined for the administrator. In other words, items for which the administrator does not have write permissions are not exported.

To export Policies, Rules and Conditions:
1. From the source Management Console, navigate to Administration > Export/Import > Export. The File Download message appears.
Figure 5-78: Saving File Dialog Box
2. Click Save and choose the location in which to save this file.
See also: Export/Import
Import
Import
This screen shows the imported Policy Databases in the destination Policy Server. You can choose to import selected items, overwrite selected items or save imported items under different names to avoid potential conflicts.
NOTES: After importing any policy, check it again to ensure that it reflects the newly licensed engine.

To import the Policies, Rules and Conditions:
1. In the destination Management Console, navigate to Administration > Export/Import > Import.
2. Right-click the top level Database Files heading and select Import Policies from the menu, or click the corresponding icon in the left tree pane.
3. In the Import Policy screen, click Browse and select the file to be imported.
4. Click Import. The folders for import appear in the Import Policies tree in the left hand pane.
Figure 5-79: Import - Interim Stage
NOTES: The settings have not yet been imported into the destination Policy Server. This is an interim stage that allows you to resolve potential conflicts.
See also: Export/Import
Export
Database Files Tree
Importing Policies and Condition Component Settings
Export/Import Troubleshooting

Database Files Tree
Once you have imported the back-up file, the following folders appear in the left hand pane in the Database Files tree:
• Policies
• Rules
• Conditions
The Policies appear together with the rules and conditions they are comprised of, with their details displayed on the right, and each item is displayed with an icon identifying its type:

Folders: Imported File; Root Folder
Policies: Caching Policy; HTTPS Policy; Identification Logging Policy; Identification Policy; Security Policy; X-Ray Policy
Rules: Allow Access; Block Access; Block Outgoing Data; Bypass Rule; Identification Rule; Logging Rule
Conditions: Anti.dote Profile; Anti-Virus; Behavior Profile Binary; Behavior Profile Script; Certificate Validation Profile; Coaching; Condition Setting; Content List; Data Leakage Prevention; Direction; File Extension; Internet Messaging; Content Size; True Content Type; URL List
Left-click the required object to view information about each Policy, Rule and Condition and assess whether or not to import it.
See also: Import
Importing Policies and Condition Component Settings
Export/Import Troubleshooting
Security Policy Details - Import
Security Rule Details - Import
Security Condition Details - Import
HTTPS Policy Details - Import
HTTPS Rule Details - Import
HTTPS Condition Details - Import
Logging Policy Details - Import
Logging Rule Details - Import
Logging Condition Details - Import
Identification Policy Details - Import
Identification Rule Details - Import
Identification Condition Details - Import
Identification Logging Policy Details - Import
Identification Logging Rule Details - Import
Identification Logging Condition Details - Import
Caching Policy Details - Import
Caching Rule Details - Import
Caching Condition Details - Import
Condition Component Settings Details - Import
Security Policy Details - Import
Please refer to Security Policy Details for information on this screen. See also: Database Files Tree
Security Rule Details - Import
Please refer to Security Rule Details for information on this screen. See also: Database Files Tree
Security Condition Details - Import
Please refer to Condition Details for Security Policy Rules for information on this screen. See also: Database Files Tree
HTTPS Policy Details - Import
Please refer to HTTPS Policy Details for information on this screen. See also: Database Files Tree
HTTPS Rule Details - Import
Please refer to HTTPS Rule Details for information on this screen. See also: Database Files Tree
HTTPS Condition Details - Import
Please refer to Condition Details for HTTPS Policy Rules for information on this screen. See also: Database Files Tree
Logging Policy Details - Import
Please refer to Logging Policy Details for information on this screen. See also: Database Files Tree
Logging Rule Details - Import
Please refer to Logging Rule Details for information on this screen. See also: Database Files Tree
Logging Condition Details - Import
Please refer to Conditions for Logging Policy Rules for information on this screen. See also: Database Files Tree
Identification Policy Details - Import
Please refer to Identification Policies Tree for information on this screen. See also: Database Files Tree
Identification Rule Details - Import
Please refer to Identification Rule Details for information on this screen. See also: Database Files Tree
Identification Condition Details - Import
Please refer to Identification Policy Rules Condition Details for information on this screen. See also: Database Files Tree
Identification Logging Policy Details - Import
Please refer to Identification Logging Policy Details for information on this screen. See also: Database Files Tree
Identification Logging Rule Details - Import
Please refer to Identification Logging Rule Details for information on this screen. See also: Database Files Tree
Identification Logging Condition Details - Import
Please refer to Identification Logging Policy Rule Conditions for information on this screen. See also: Database Files Tree
Caching Policy Details - Import
Please refer to Caching Policy Details for information on this screen. See also: Database Files Tree
Caching Rule Details - Import
Please refer to Caching Policy Rule Details for information on this screen. See also: Database Files Tree
Caching Condition Details - Import
Please refer to Caching Policy Rule Condition Details for information on this screen. See also: Database Files Tree
Condition Component Settings Details - Import
Please refer to Condition Settings for information on the Condition Settings screens. For a specific Condition Component you can refer to the desired section below:
• Condition Settings: Active Content List
• Condition Settings: Archives
• Condition Settings: Binary Behavior
• Condition Settings: Content Size
• Condition Settings: Data Leakage Prevention
• Condition Settings: Destination Port Range
• Condition Settings: File Extensions
• Condition Settings: Header Fields
• Condition Settings: HTTPS Certificate Validation
• Condition Settings: IP Range
• Condition Settings: Pre Authenticated Headers
• Condition Settings: Script Behavior
• Condition Settings: Time Frame
• Condition Settings: URL Lists
• Condition Settings: Vulnerability Anti.dote
See also: Database Files Tree
Importing Policies and Condition Component Settings
Policies and Conditions have different import options available, depending on administrator permissions and other object properties. When determining whether a Policy or Condition Component can be imported, the following criteria are used:
• Importing Policies:
  - For every Condition attached to a Policy Rule, one of the following holds: the Condition can itself be imported, or the Condition is already present in the target database.
  - The administrator performing the action has Update permissions for the policy type, and the appliance holds the appropriate license.
• Importing Condition Component settings:
  - The administrator performing the action has Update permissions for the object class, and the appliance holds the appropriate license.
The following table outlines the available actions, dependent on the administrator's class and object permissions as described in Default Permissions.
Allowed actions by permission:

  Class permission:       None/View                        | Update
  Object permission:      None/View      | Update          | None/View       | Update
  -------------------------------------------------------------------------------------
  Object exists in        Leave Original | Leave Original  | Leave Original  | Leave Original
  target database                        | Overwrite       | Rename          | Overwrite
                                         |                 |                 | Rename
  -------------------------------------------------------------------------------------
  Object does not exist   Cannot Be Imported               | Add As Is
  in target database                                       | Rename

To import a Policy:
• Expand the tree on the left pane, right-click the respective Policy and select Import. The Policy Import pane is displayed.
Figure 5-80: Import Policy
Policy Name: Name of the Policy.

Action: The available actions may vary depending on the Policy being imported. Select from the drop-down list:
• Rename: Rename the Policy so as not to overwrite an existing Policy with the same name.
• Add as is: Import the Policy to the Management Console as is.
• Leave Original: Leave the original Policy as is. This choice allows changes to one or more Policy Conditions while leaving the remaining Conditions unchanged.
• Overwrite: Import the Policy to the Policy Server, overwriting the Policy that exists with the same name.
New Name: If you have chosen Rename in the Action above, enter the new name for the Policy in this field.

Conditions: Conditions attached to this Policy can also be selected for the following actions (the available actions may vary depending on the Condition being imported):
• Rename: Rename the Condition so as not to overwrite an existing Condition with the same name. On Rename, enter the new name for the Condition in the New Component Name column.
• Add as is: Import the Condition to the Management Console as is.
• Leave Original: Leave the original Condition as is, while the Policy change affects the other Conditions attached to it.
• Overwrite: Import the Condition to the Policy Server, overwriting the Condition that exists with the same name.

To import a Condition Component setting:
• Expand the tree on the left pane, right-click the respective Condition and select Import. The Condition Component Import pane is displayed.
Figure 5-81: Condition Component
Figure 5-82: Import Condition Component
Name: Name of the Condition Component setting.

Action: Select from the drop-down list (the available actions may vary depending on the Condition Component being imported):
• Rename: Rename the Condition Component so as not to overwrite an existing Condition Component with the same name.
• Add as is: Import the Condition Component to the Management Console as is.
• Leave Original: Leave the original Condition Component as is.
• Overwrite: Import the Condition Component to the Policy Server, overwriting the Condition Component that exists with the same name.

New Name: If you have chosen Rename in the Action above, enter the new name for the Condition Component in this field.
Export/Import Troubleshooting
When importing a Condition from one Policy Server to another and one of the components in the Condition does not exist on the target Policy Server, an error message is displayed. There are two possible causes, each with its own remedy:
• A component has been added to one of the M86 predefined lists. In this case, make sure the latest Security Update version is installed on the target Policy Server and repeat the Import process.
• A component has been added to one of the Customer defined lists. In this case, save the list in the source Policy Server under a different name.
Updates
The Updates menu includes both Updates Management and Updates Configuration options, allowing you to configure and upload updates.
NOTES: In order to provide you with the correct update for your system, M86 Security automatically receives information on the software release currently in use whenever the appliance contacts the update site.
Figure 5-83: Updates
Updates Management
In the Main Tool bar, navigate to Administration > Updates > Updates Management to display the Updates Management options. This screen allows you to upload the various updates for both security and software releases onto your Appliance. This screen contains three tabs:
• Available Updates
• Installed Updates
• Update Key
Available Updates
The Available Updates tab displays all currently available updates and provides options for uploading local or remote updates to be installed.

To upload local updates:
1. Click Import Updates. An Import Local Update screen appears.
2. Either click Browse to navigate to the local location containing the required updates (provided to you by M86) and then click Import; or, if you have been provided with a URL, enter it in the URL field and then click Import.
3. Wait several minutes for the updates to be uploaded. A message displays telling you the upload is in progress.
4. Next, follow the procedure described in To install an available update.

To upload remote updates:
1. If you are working remotely, click Retrieve Updates.
2. Wait several minutes for the updates to be uploaded.

NOTES: A successful retrieval of an update is indicated by a tick in the Status column of the Available Updates tab.

The following information is displayed:
Figure 5-84: Available Updates Populated
Plus Sign: Click to expand. The Available Update will display the relevant Release Information. Click on the link to view the associated Release Notes (if applicable).

Drop-down menu icon: Left-click this icon to display the drop-down menu. Install Now installs the Available Update; Delete deletes the Available Update.

Status: This column indicates the retrieval status of the available update. A tick indicates that the available update has been retrieved successfully. An hourglass indicates that the available update is in the process of being installed/uploaded. A cross indicates that the install/upload has failed.

Type: This column indicates what type of update is available, for example, security update, software release update, maintenance update.

Release Date: This column indicates the date that this release became available for update (YYYY:MM:dd HH:mm:ss).

Description: This column provides a brief description of the available update.
3. Next, follow the procedure described in To install an available update.

To install an available update:
1. Click the drop-down menu icon next to the required update and select Install Now. The tick icon changes to an hourglass icon.
2. You will receive messages from the system updating you on the progress of the installation. If the icon turns into a cross, the installation has failed.
3. Once the update has been installed, it disappears from the Available Updates screen and is displayed on the Installed Updates screen.

To delete an available update:
1. Click the drop-down menu icon next to the update and select Delete.
2. The update is deleted.

NOTES: An update cannot be deleted once an installation has started.
Installed Updates
The Installed Updates tab displays the updates both automatically and manually installed.
Figure 5-85: Installed Updates Tab The following information is displayed:
Plus Sign: Click to expand. The Installed Update will display the relevant Release Information. Click on the link to view the associated Release Notes (if applicable).

Type: This column indicates the type of update, for example, security update, software release update, maintenance update.

Release Date: This column indicates the date that this release became available for update (YYYY:MM:dd HH:mm:ss).

Install Date: This column indicates the date that this release was installed (YY:MM:DD HH:MM:SS).

Description: This column provides a brief description of the installed update.
Update Key
The Update Key is primarily designed for customers who are using the appliance in an isolated network that is not connected to the Internet.
Figure 5-86: Update Key Tab

Using this key, you can download updates using an Offline Updates application.
NOTES: This feature requires a special license. For more information on Offline Updates, please contact your M86 representative and/or refer to the Offline Updates Technical Brief.

To generate the Update Key:
1. Click Generate Key. The key is generated and appears in the tab.
Figure 5-87: Update Key Generated

2. Select and copy the key to the clipboard, or click Copy to Clipboard.
NOTES: The Copy to Clipboard button exists only for users of Internet Explorer. Firefox users will not have this option.
Updates Configuration

The Updates Configuration screen allows you to define the location from which updates will be retrieved, as well as when the downloads should begin and the frequency at which they should take place. You can also configure which of the updates should be automatically installed.

To edit the Update Configuration screen: Click Edit. The Update Configuration pane is enabled.

Figure 5-88: Update Configuration

In the Update Configuration section, the following types of updates can be automatically installed:
• Security
• Critical OS update
• OS version update
The following information is displayed in this section:
URL: Define the location from which updates will be retrieved.

Automatic Install - Security: These updates include the following: Security updates released by MCRC, which contain updates and new rules relating to proprietary M86 engines such as the Vulnerability Anti.dote and the Behavior-Based Engine; third party software updates (Anti-Virus and URL Categorization engines); database updates for the data elements behind the system, including the third party security engine updates such as Anti-Virus signatures and URL categorization; and all Maintenance Updates.

Automatic Install - Critical OS Update: These updates include patches related to OS and other security issues.

Automatic Install - OS Version Update: These updates include Major and Minor Software Releases.
NOTES: By default, only the Security updates are automatically installed, because these do not interfere with system performance.

The Proxy Configuration section is used when the Internet connection is blocked for the SWG appliance and traffic is routed through a next proxy, so that you still receive Updates.
The following information is displayed in this section:

Proxy Server: The IP address of your organization's next proxy.

Port: The port of your organization's next proxy.

User Name: The User Name required to access that proxy.

Password: The Password required to access that proxy.
In the Scheduling section, you can change the schedule for downloading updates (for example, the Download Interval). The following information is displayed in this section:
Start Date: Defines the start date (YYYY:MM:dd).

Start Time: Defines the start time (HH:mm:ss).

Download Every ... days/hours/minutes: Defines the download frequency (dd:hh:mm).

Do not retrieve updates automatically: You can also choose not to retrieve the updates automatically. This refers to all types of updates: Security, VSOS version and third party. This option can be used in conjunction with the Offline Updates option or on its own.
Alerts
The Alerts menu allows you to monitor the main modules and components of the system. SWG will notify you of system events, application events, update events or security events. There are two channels of Alert communication (in addition to System Log messages): Email messages and SNMP notification.
Alert Settings

Settings can be set for Email messages and SNMP notification. For each of the event types (System, Application, Update and Security events), select the corresponding SNMP checkbox or email alert checkbox and specify the email addresses to which the alert will be sent. Rows of email addresses can be added or deleted as needed.
NOTES: The Email option is enabled only if the Enable Sending Email checkbox in the Administration > Alerts > Email screen is enabled. The SNMP option is enabled only if the Enable Trap Sending checkbox in the Administration > Alerts > SNMP screen is enabled.

To configure Alert Settings:
1. On the Management Console, navigate to Administration > Alerts > Alert Settings. The Alert Settings screen is displayed.
Figure 5-89: Alert Settings

2. In the Alert Settings screen, click Edit.
3. Check the required Alert (SNMP or Mail Server) and enter the relevant Email address.
4. Click Save. Otherwise, click Cancel.
The following table details the alerts available for each system event.
SNMP and Email Alerts

System Events
• Hard Drive Threshold
• System Load
• Memory Usage Threshold

Application Events
• Emergency Policy Selected
• Archive Upload Failed
• Backup Failed
• Log Handler Down
• Scanning Process is Unexpectedly Down
• License Expiry
• License Modification or Update
• Active / Standby Policy Server
• No Connection to Policy Server for Past Hour. Security Updates are Not Installed!
• Connection to Policy Server Restored
• Connection to Email Server Failed

Update Events
• OS Update Available
• Security Update Available
• Security Update Failed
• OS Update Failed
• Security Update Successfully Installed
• OS Update Successfully Installed
• Could Not Download the Update File
• Error in Validating Checksum
• Update Failed due to Internal Error
• Received Update with Unsupported Version
• Update Exceeded Maximum Installation Time
• Could not find the Update File
• The Update File was not Created Properly
• Update Installed Successfully
• OS Update Available
• Security Updates Available
• Update Added to Available Updates
• Update already Installed
• Update already Exists
• A Later Version of Update Exists
• Installing Update
• Update Dependence Problem
• All Scanners in the topology must have the same VSOS as Policy Server before you start Update Process
• Update Installer - Cannot install OS Update when Standby Policy Server VSOS is different from Active Policy Server Version

Security Events
• Anti-Virus triggered (settings configurable)
• Behavior Analysis (settings configurable)
• Blocked URL List (settings configurable)
• URL Filtering (settings configurable)
Below is an example of an email alert for a System Event:
Figure 5-90: Example of Email Alert

After making any changes in the Alerts screen, click Save to apply changes, else Cancel.
SNMP

The Simple Network Management Protocol (SNMP) is an application-layer Internet protocol designed to facilitate the exchange of management information between network devices. The SNMP Settings screen allows you to monitor the main modules and components of the system. SWG supports both SNMPv2c and SNMPv3:
• SNMPv2c revises SNMPv1 and improves the protocol operations (bulk retrieval and manager-to-manager communication). Its only access control is the community string, which is sent in clear text; it provides no authentication beyond that string and no confidentiality.
• SNMPv3 provides secure access to devices by a combination of authentication and encryption over the network (i.e., it includes authentication, privacy, and access control). Use SNMPv3 wherever the management station supports it.
The SNMP Settings screen is comprised of the following tabs:
• General
• SNMP Version
General
The General tab allows you to configure the SNMP protocol for MIB Monitoring/Trap sending, as well as the ports. This section also enables configuration of the Hostname/IP destination servers for receiving the SNMP traps.

To configure the SNMP settings:
1. To edit the SNMP Settings screen, click Edit. The General tab is enabled.

Figure 5-91: SNMP - Configure Settings

2. Check Enable MIB monitoring so that the SWG management system can be queried for MIB information, and define the corresponding Listening Port (SNMP queries are performed against the specified port number; port 161 is the default).
3. Check Enable Trap Sending to enable SWG to send traps, and define the corresponding Trap Port (port 162 is the default).
4. The Community field (enabled for SNMPv2c only) names the group that the devices and management stations running SNMP belong to. The default string is "public". Change it: with SNMPv2c the community string is the only credential protecting MIB queries, it travels in clear text, and "public" is the first value any network scanner tries. Treat it as a password and restrict which hosts can reach the listening port.
5. Three possible destination servers are provided; you can configure the traps to be sent to any or all of these servers. If the checkbox next to the IP is unchecked, the remote server will not receive the SNMP trap. The trap destination is usually defined by an IP address, but can be a host name if the device is set up to query a Domain Name System (DNS) server.
6. The Test button allows you to test that the traps are successfully sent to the SNMP servers. A test message is sent to the defined server with the SNMP name, IP and SWG Software Version.
7. Click Save to apply changes. Next, commit the changes.
SNMP Version
The SNMP Version tab is used to define which version of SNMP the system works with, SNMPv2c or SNMPv3. If you select SNMPv2c, you need to enter a community name.
Figure 5-92: SNMPv2 Version

SNMPv3 - SNMP MIB Monitoring: The Management Information Base (MIB) is a database of objects that can be monitored by the network management system (SNMP). This collection of information is organized hierarchically and comprises managed objects identified by object identifiers. (For more information on MIB, please refer to the How to use SNMP Monitoring feature description.)
Figure 5-93: SNMP MIB Monitoring The Monitoring parameters define the security protocol and encryption methods used to obtain information from the SNMP agent on the machine. The information retrieved is part of a MIB. The table below provides detailed explanation of the fields:
Security Name: SNMP user name. If the Security Name in the SNMP MIB Monitoring section is the same as in the SNMP Traps section, then the rest of the parameters must be the same as well.

Security Level: Messages can be sent unauthenticated, authenticated, or authenticated and encrypted (the SNMPv3 noAuthNoPriv, authNoPriv and authPriv levels).

Authentication Protocol: Either MD5 or SHA (HMAC message authentication codes keyed from the authentication key).

Authentication Key: Authentication is performed by using the user's authentication key to sign the message being sent.

Encryption Key: Privacy is provided by using the user's encryption key, which encrypts the data portion of the message being sent.
NOTES: The authentication / encryption options are enabled only when the corresponding Security Level is selected. The encryption mode or privacy protocol used is DES (encryption algorithm). DES has a 56-bit key and is no longer considered strong; since it is the only privacy option offered here, still select the authenticated-and-encrypted level, and keep SNMP traffic confined to the management network rather than relying on the cipher alone.

SNMPv3 - SNMP Traps: SNMP traps are deployed as a means of notifying the management station of specific events by way of an SNMP message. SNMPv3 mandates that trap messages are rejected unless the SNMPv3 user sending the trap already exists in the user database. The user database in an SNMPv3 application is referenced by a combination of the user's name (Security Name) and an identifier for the given SNMP application (engineID).
Figure 5-94: SNMP Traps
The table below provides an explanation of the fields:

Security Name: SNMP user name. If the Security Name in the SNMP MIB Monitoring section is the same as in the SNMP Traps section, then the rest of the parameters must be the same as well.

Security Level: Messages can be sent unauthenticated, authenticated, or authenticated and encrypted.

Authentication Protocol: Either MD5 or SHA (HMAC message authentication codes keyed from the authentication key).

Authentication Key: Authentication is performed by using the user's authentication key to sign the message being sent.

Encryption Key: Privacy is provided by using the user's encryption key, which encrypts the data portion of the message being sent.

EngineID: An identifier for the given SNMP application. The receiving station must know this value together with the Security Name before it will accept the trap.
NOTES: The encryption mode or privacy protocol used is DES (encryption algorithm).
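The note above says a trap receiver identifies the sender by Security Name together with engineID. The reason is the User-based Security Model key derivation of RFC 3414: the authentication and encryption keys actually used on the wire are derived from the password and then "localized" with the engineID, so the same user name and password produce a different key for every engine. The following is an added example, not SWG product code and not taken from this guide; it implements that derivation with the Python standard library, checks it against the RFC 3414 Appendix A test vectors (password "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02), and shows how the DES key and pre-IV are cut from the localized privacy key, which is what the Encryption Key field above feeds.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2 and section 8.1.1.1).

Added example, not SWG product code. It shows why a receiver keys its user
database on Security Name + engineID: the keys used on the wire are localized
with the engineID, so one password yields a different key per engine.
"""
import hashlib

ONE_MEGABYTE = 1048576

# Test vector inputs from RFC 3414 Appendix A (not SWG-specific values).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash the password repeated cyclically to exactly 1,048,576 bytes.

    algo is "md5" or "sha1", matching the MD5 / SHA choices offered by the
    Authentication Protocol field on the SNMP Version tab.
    """
    if not password:
        raise ValueError("empty password")
    repeats = ONE_MEGABYTE // len(password) + 1
    stream = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the per-engine key the agent uses."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def des_priv_material(priv_password: bytes, engine_id: bytes, algo: str):
    """Split the localized privacy key as RFC 3414 8.1.1.1 does for DES:
    the first 8 octets are the DES key, the next 8 the pre-IV. Only the
    first 16 octets are used, which matters for 20-byte SHA-derived keys."""
    kul = localize_key(priv_password, engine_id, algo)[:16]
    return kul[:8], kul[8:16]


def usm_user_keys(auth_password: bytes, priv_password: bytes,
                  engine_id: bytes, algo: str) -> dict:
    """Everything an authPriv user needs for one engineID, as hex strings."""
    des_key, pre_iv = des_priv_material(priv_password, engine_id, algo)
    return {
        "auth_key": localize_key(auth_password, engine_id, algo).hex(),
        "des_key": des_key.hex(),
        "des_pre_iv": pre_iv.hex(),
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "Ku  =", password_to_key(RFC_PASSWORD, algo).hex())
        print(algo, "Kul =", localize_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex())
    # Same user and password, different engineID: a different key on the wire,
    # which is why the receiver must be told the engineID as well as the name.
    other_engine = bytes.fromhex("000000000000000000000003")
    print("keys differ across engines:",
          localize_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1")
          != localize_key(RFC_PASSWORD, other_engine, "sha1"))
```

When the Security Name used for MIB Monitoring and for Traps is the same, the note in the table above requires the other parameters to match too; this code makes the reason concrete, since the receiver can only derive one localized key per (name, engineID) pair.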
Security

Administrators can choose to be alerted by SNMP or by Email when certain security thresholds have been reached. Alerts can be triggered for two main categories:
Incoming Events Notification, block events:
• Malicious Activities
• Viruses
• Scripts
• Binary Content

Outgoing Events Notification, block events:
• URL Categorization
• URL Lists
• Blocked Files according to file types

To enable Security Alerts:
1. On the Management Console, navigate to Administration > Alerts > Security.
2. In the Security Settings screen, click Edit.
3. Enable the Enable Security Alerts When checkbox.

Figure 5-95: Enable Security Alerts

4. Enable the Incoming events notification and select the percentage of block events within a specific number of minutes. When the share of block events within the specified timeframe exceeds the set percentage, an alert is sent. Once the percentage drops back below this number, a "clear" alert is sent.
5. Enable the Outgoing events notification and set the percentage and timeframe in the same way. An alert is sent when outgoing block events exceed the percentage within the timeframe, and a "clear" alert once they drop below it.
6. Click Save to apply changes. Next, commit the changes.
NOTES: An average percentage of blocked incoming events would be approximately 1%-5%. Above 7% of blocked data may indicate some kind of security breach. Baseline your own traffic before choosing the threshold: a value below the normal block rate produces a constant stream of alerts and clears.
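Steps 4 and 5 describe a rate over a time window with raise-then-clear behaviour. As an added example (not SWG code; the log format and the traffic in it are constructed for illustration and are not real SWG output), the following Python implements that logic so the effect of the threshold and window on a stream of allow/block decisions can be seen. It keeps one monitor per direction, as the Security screen configures incoming and outgoing separately, raises a single ALERT when blocked events exceed the percentage within the window, and a single CLEAR when the rate falls back to or below it.

```python
"""Block-rate alerting with a "clear" signal, modelled on the thresholds in
Administration > Alerts > Security.

Added example; not SWG product code. The log format and the traffic in
SAMPLE_LOG are constructed for illustration and are not real SWG output.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines; assumed format "<ISO timestamp> <direction> <ALLOW|BLOCK>".
# Ten clean incoming requests, three blocked ones, then quiet traffic six minutes later.
SAMPLE_LOG = (
    [f"2010-11-01T09:00:{s:02d} incoming ALLOW" for s in range(10)]
    + [f"2010-11-01T09:00:{s:02d} incoming BLOCK" for s in (10, 11, 12)]
    + ["2010-11-01T09:00:13 outgoing ALLOW",
       "2010-11-01T09:06:00 incoming ALLOW",
       "2010-11-01T09:06:01 incoming ALLOW"]
)


def parse_line(line):
    """Return (timestamp, direction, blocked) for one constructed log line."""
    ts, direction, action = line.split()
    return datetime.fromisoformat(ts), direction, action == "BLOCK"


class BlockRateMonitor:
    """Alert once when blocked events exceed threshold_pct of all events in
    the trailing window; clear once when the rate is back at or below it."""

    def __init__(self, threshold_pct, window_minutes):
        self.threshold = threshold_pct
        self.window = timedelta(minutes=window_minutes)
        self.events = deque()   # (timestamp, blocked) pairs inside the window
        self.alerting = False

    def rate(self):
        """Percentage of blocked events in the current window (0.0 if empty)."""
        if not self.events:
            return 0.0
        blocked = sum(1 for _, b in self.events if b)
        return 100.0 * blocked / len(self.events)

    def feed(self, ts, blocked):
        """Add one event, expire old ones, return "ALERT", "CLEAR" or None."""
        self.events.append((ts, blocked))
        cutoff = ts - self.window
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()
        pct = self.rate()
        if pct > self.threshold and not self.alerting:
            self.alerting = True
            return "ALERT"
        if pct <= self.threshold and self.alerting:
            self.alerting = False
            return "CLEAR"
        return None


def run(lines, threshold_pct=7.0, window_minutes=5):
    """Feed lines through one monitor per direction and return the signals
    raised as (timestamp, direction, signal, block_rate_percent)."""
    monitors = {}
    signals = []
    for line in lines:
        ts, direction, blocked = parse_line(line)
        mon = monitors.setdefault(
            direction, BlockRateMonitor(threshold_pct, window_minutes))
        signal = mon.feed(ts, blocked)
        if signal:
            signals.append((ts.isoformat(), direction, signal, round(mon.rate(), 1)))
    return signals


if __name__ == "__main__":
    for sig in run(SAMPLE_LOG):
        print(*sig)
```

With the 7% threshold from the note above, the first blocked request already pushes the five-minute incoming rate to about 9% and raises the alert; the same traffic with a 25% threshold raises nothing, which is the sense in which the threshold has to be set from a measured baseline rather than a guess.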
System Information
The System Information screen provides a simple way for the administrator to view the status of the system with respect to license and module information such as available modules, versions, license expiration date etc. The System Information screen comprises three tabs:
• General
• Licensed Modules
• Installed Components
General

The General tab includes the Appliance Serial Number (eth0 interface of the Policy Server), the number of licensed seats (system users) and the license expiration date.
Figure 5-96: System Information General Tab
Licensed Modules

The Licensed Modules tab includes M86 and third party engine licenses.
Figure 5-97: System Information Licensed Modules Tab
Installed Components

The Installed Components tab displays information per component and includes the Component name (for example, the VSOS, update, engine and data file) together with the corresponding Version, Release date and Install date.
Figure 5-98: System Information Installed Components Tab
Change Password
The Change Password screen allows the administrator to change passwords when necessary.
Figure 5-99: Change Password
Chapter 6: Policies
Working with Policies
The Policies menu contains the following options:
• Security Policies - Simplified: The Simplified Policy Management interface allows you to configure the Security Policies using a light editing system.
• Security Policies - Advanced: Security Policies contain rules which define how to handle content passing through the system. This option allows you to fine-tune the rules and conditions which make up these Policies.
• Master Security Policy: A Security Policy created by Super Administrators and assigned to General Administrators. This policy is in addition to the normal security policies defined.
• HTTPS Policies: HTTPS Policies contain rules which deal with access to HTTPS sites.
• Caching Policy: The caching policy defines the rules by which content is stored in the appliance for future use. By default, all HTTP traffic is cached.
• Logging Policies: Logging Policies define what transactions to log and to which locations the logged transactions are sent.
• Identification Policies: Identification Policies define which methods to use to either identify or authenticate the end-user browsing through the system.
• Device Logging Policies: Device Logging Policies define which device related transactions are logged and to which locations the logged transactions are sent.
• Upstream Proxy: The Upstream Proxy Policy defines which upstream proxy settings to use for traffic scanned by the SWG system.
• Default Policy Settings: Default Policy Settings define options relating to the Security, HTTPS and Logging Policies.
• Condition Settings: Condition Settings have configurable values and are used to tweak the Policies to match your organization's needs.
• End User Messages: You can customize the Block Page and Warn Page messages sent to end-users as chosen in the Security and HTTPS Rules.
Security Policies - Simplified
M86 has designed three Security Policies intended to meet your individual organization's unique security needs.
Figure 6-1: Simplified Security Policies

• M86 Security Basic Security Policy: In this policy, only the basic engines for client web security are activated. This policy provides a baseline policy that can be used when connecting two relatively secure environments to each other.
• M86 Security Medium Security Policy: This policy builds on top of the Basic Security Policy and adds more proactive, behavioral, real-time elements in order to provide better security when connecting to the Internet. The policy uses all the security engines and enforces the standard code analysis measures.
• M86 Security Strict Security Policy: This policy is used for higher sensitivity scenarios, where security cannot be compromised. It utilizes all the rules and standards for secure web behavior, while keeping HTML fixup enabled in order to still provide a usable browsing experience without blocking complete pages that may have violated some security standards.
There are two distinctly different ways of editing and configuring these Policies:
• Simplified Setup: Designed for busy customers, the Simplified Policy Management screen enables you to configure the level of protection your organization needs with the minimum of configuration effort. Simplified Policy Management setup allows you to assign Security Policies to specific User Groups.
• Advanced Setup: For more experienced system administrators, the Policies are comprised of both rules and conditions and can be duplicated and then heavily edited and tweaked from the main Policies tab. For more information on Security Policies - Advanced, please refer to the Security Policies In-Depth manual.
In the Simplified Policies management screen, each of the three Policies is composed of four "building blocks":
• URL Lists
• File Extensions
• True Content Type
• URL Categorization
IMPORTANT: Any changes you make to any of these four building blocks will not be overwritten by Security Updates.
Figure 6-2: Simplified Policy Management
URL Lists

For each of the three Security Policies (Basic, Medium or Strict), the administrator can edit three URL Lists. Note that these Lists can also be edited via Policies > Condition Settings > URL Lists, and changes made there therefore also change the Security Policy.
URL Bypass List (Basic/Medium/Strict): Any URLs that you add to this list will be exempt from scanning and as such should be highly trusted. Advanced Security Rule Name: Allow Trusted Sites (Policies > Security Policies).
URL White List (Basic/Medium/Strict): Any URLs that you add to this list will be allowed through but the containers will be scanned by Anti-Virus and M86 Security’s own security engines. Advanced Security Rule Name: Allow Access to White Listed Sites (Policies > Security Policies).
URL Black List (Basic/Medium/Strict): Any URLs that you add to this list will be blocked to end-users. Advanced Security Rule Name: Block Access to Blacklisted Sites (Policies > Security Policies) (Strict/Medium); Block Customer-Defined File Extensions (Policies > Security Policies) (Basic).
Figure 6-3: Black Listed URL
File Extensions
For each of the three Security Policies, the administrator can choose to edit three File Extensions Lists. Note that these Lists can also be edited via Policies > Condition Settings > File Extensions.
File Extensions White List (Basic/Medium/Strict): Any File Extensions that you add to this list will be allowed through but the containers will be scanned for viruses. Advanced Security Rule Name: Allow Customer-Defined File Extensions (Policies > Security Policies).
File Extensions Black List (Basic/Medium/Strict): Any File Extensions that you add to this list will be blocked from entering the organization. Advanced Security Rule Name: Block Blacklisted File Extensions (Policies > Security Policies) (Strict and Medium only); Block Customer-Defined File Extensions (Policies > Security Policies) (Basic).
Figure 6-4: White Listed File Extensions
True Content Type
For each of the three Security Policies, the administrator can choose to edit three True Content Type lists.
NOTES: These lists are based on existing True Content Type profiles and cannot be edited via Policies > Condition Settings.
True Content Type White List (Basic/Medium/Strict): Any True Content Type that you check in this list will be allowed through but will be scanned for viruses. Advanced Security Rule Name: Allow Customer-Defined True Content Type (Policies > Security Policies).
True Content Type Black List (Basic/Medium/Strict): Any True Content Type that you check in this list will be blocked from entering the organization. Advanced Security Rule Name: Block Customer-Defined True Content Type (Policies > Security Policies).
Figure 6-5: True Content Type Black List
URL Categorization
For each of the three Security Policies, the administrator can choose to block URL Categories.
NOTES: These lists are based on existing URL Filtering categories and cannot be edited via Policies > Condition Settings.
URL Category Black List - IBM / Websense (Basic/Medium/Strict): Any category that you check in this list will be blocked from entering the organization. This is in addition to the pre-selected categories in the URL Filtering condition. Security Rule Name: Customer-Defined URL Filtering (Policies > Security Policies).
Figure 6-6: URL Categorization (IBM)
Assigned User Groups
This screen displays the User Groups you have in the system and the Security Policy assigned to them.
Figure 6-7: Assigned User Groups
Clicking the add icon allows you to add new groups; clicking the edit icon next to each User Group allows you to edit the details.
Add/Edit User Group
The following table provides information on the fields displayed in the User Group Details screen:
Add icon: Clicking it allows you to add new groups.
Edit icon: Clicking it next to each User Group allows you to edit the details.
User Group Name: Defines the User Group Name.
Security Policy: Assigns a Security policy to the User Group. If you do not specifically define a Security Policy here, the Policy defined in Policies > Default Policy Settings will be used. This option is displayed as Use Default Values. NOTE: The Full Bypass Security Policy (which bypasses all scanning) can be set here. This policy does not appear in the Security Policies Simplified or Advanced Configuration.
IP Ranges: This field defines the required IP addresses (From IP and To IP fields). Use the add/delete icons to add or delete IP ranges.
Figure 6-8: Assigned User Groups Detail
Click OK after making your changes.
Security Policies - Advanced
In addition to editing the Security Policies via the Simplified Policy Management interface, you can also view or edit the Security Policies via the more advanced interface. In this context, a Security Policy is comprised of a set of rules that describe how to handle Web content passing through the system. It focuses on proactively blocking Active Content and Malicious Code while allowing non-dangerous content through. Active content characteristics are identified and classified as violations, so that you can create a behavior profile for each code type and incorporate it into your rules/policies. A typical Policy should use successive blocking rules that narrow down the possible content that passes via the M86 Secure Web Gateway Appliance.
Figure 6-9: Policies Menu Advanced Security
Security Policies in the Advanced setup are built as follows:
• Policies are compiled from rules.
• Rules are based on Conditions.
• A Policy must be assigned to at least one user or user group, in order for it to be active.
In order to create a new Policy, you must create a set of rules on which the policy is built. Examples of such rules in a Security Policy are Block Access to Spyware Sites or Allow White-listed Executables. A rule specifies a combination of conditions with a corresponding action (User Response Action for Security / HTTPS rules and Logging Action for Logging rules). Security Policy rules are numbered in descending order of priority, from highest priority at the top to lowest priority at the bottom. Any action taken will be according to the rule of highest priority that matches a given transaction. After a rule is enforced, rules of lower priority are no longer relevant and are not evaluated. This matters when considering which reasons are reported for blocking in the Logs and Reports (and optionally sent to an end-user). For example, if a transaction could be blocked either because of a specific virus or because of a suspicious file type, placing the Anti-Virus rule higher up will display the name of the virus in the Logs, which is more useful information than the suspicious file type. In addition, Allow rules, which basically state that if their conditions are matched then the rules after them will not be checked against the content, should be carefully positioned within the Policy. In other words, each Allow rule creates a trust level, and content it matches is not scanned by any blocking rules that come after it.
Security Policies Tree
The Security Policies tree holds all the current Security Policies within that definition, as well as the rules that make up these Policies and the conditions that make up the rules.
Figure 6-10: Security Policies Tree
The Security Policies tree provides easy navigation through each Policy and displays the rules and components of each Policy at a glance. M86 Security provides six preconfigured Security Policies:
• M86 Security Basic Security Policy: In this policy, only the basic engines for client web security are activated. This policy provides a baseline policy that can be used when connecting two relatively secure environments to each other.
• M86 Security Blocked Cloud Users Policy: Default Policy for Users that are temporarily blocked from using the cloud.
• M86 Security Emergency Policy: This was designed for emergency situations such as a massive Internet virus outbreak.
• M86 Security Medium Security Policy: This policy builds on top of the basic security policy and adds more proactive, behavioral, real-time elements in order to provide better security when connecting to the internet. The policy uses all the security engines, and enforces the standard measures or code analysis.
• M86 Security Revoked Cloud Users Policy: Default Policy for Users that are revoked from using the cloud.
• M86 Security Strict Security Policy: This policy is used for higher sensitivity scenarios, where security cannot be compromised. It utilizes all the rules and standards for secure web behavior, while keeping HTML fix-up enabled in order to still provide a usable browsing experience without blocking complete pages that may have violated some security standards.
• M86 Security X-Ray Policy: An X-Ray Policy ensures that transactions are evaluated against rules but there is no blocking action or content change. The results of the X-Ray Policy, and rules within, can be assessed in the Logs View. The purpose of an X-Ray Policy is to evaluate the effects of a “would-be” security policy on the system before implementing it.
• Full Bypass Policy: This Policy cannot be viewed in the Policies Tree; rather, the Full Bypass Policy is set via the Users menu. Please refer to Users/User Groups for more information on how to set this Policy. This policy contains one rule which disables the Status page as well as security scanning. It can be configured by the administrator for end-users who wish to surf through the M86 SWG Appliance without any scanning.
NOTES: Rules within the X-Ray Policy are not marked as X-Ray.
In addition, individual rules in a Security Policy can also be created in X-Ray mode. This means that the rule is logged but not activated, so that the transaction evaluation continues and the next rule that meets the conditions for this transaction is activated and logged. This is useful when adding a new rule to an existing policy, allowing you to assess the impact of the rule on the system before actually enforcing it. If, in a policy, both X-Ray and non-X-Ray rules were activated, only the last triggered rule will be reported. Policies, rules, and conditions can be added, duplicated, moved around (applies to rules only) or deleted by right-clicking on the relevant node. M86 Security's default Security Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies.
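The evaluation order described above, as a small runnable model: rules are checked top-down, the first matching non-X-Ray rule is enforced and reported, an Allow rule therefore shields the transaction from every Block rule below it, X-Ray rules (and an X-Ray Policy) only log, and a rule with the guide's Direction condition fires in one phase only. This is an added example, not M86 code; all rule names, condition helpers and sample transactions in it are constructed, and the "allow when no rule matches" default is an assumption of the model.

```python
"""Model of SWG-style Advanced Security Policy evaluation (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urlparse


@dataclass
class Transaction:
    url: str
    phase: str                    # "Outgoing" (request) or "Incoming" (response)
    virus_detected: bool = False  # what the Anti-Virus condition would report

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def filename(self) -> str:
        return urlparse(self.url).path.rsplit("/", 1)[-1]

    @property
    def extension(self) -> str:
        return self.filename.rsplit(".", 1)[-1].lower() if "." in self.filename else ""


Condition = Callable[[Transaction], bool]


@dataclass
class Rule:
    name: str
    action: str                     # "Block", "Coach" or "Allow"
    conditions: List[Condition]     # every condition must hold for the rule to match
    direction: Optional[str] = None  # None = checked in both phases
    x_ray: bool = False
    enabled: bool = True

    def matches(self, tx: Transaction) -> bool:
        if not self.enabled:
            return False
        if self.direction is not None and self.direction != tx.phase:
            return False
        return all(cond(tx) for cond in self.conditions)


@dataclass
class Decision:
    action: str                     # action enforced on the transaction
    rule: Optional[str]             # rule reported for it (None = no enforcing rule)
    log: List[str] = field(default_factory=list)  # every rule that triggered


def evaluate(policy: List[Rule], tx: Transaction, policy_x_ray: bool = False) -> Decision:
    """Walk the rules in priority order and return the enforced decision.
    With policy_x_ray=True the policy behaves like an X-Ray Policy: every
    match is logged and nothing is blocked or changed."""
    log: List[str] = []
    for rule in policy:
        if not rule.matches(tx):
            continue
        if rule.x_ray or policy_x_ray:
            log.append(f"{rule.name} [X-Ray: {rule.action} not taken]")
            continue                # evaluation continues with the next rule
        log.append(f"{rule.name} [{rule.action}]")
        return Decision(rule.action, rule.name, log)  # lower rules are not evaluated
    # Assumption of this model: a transaction no rule claims is allowed.
    return Decision("Allow", None, log)


# Constructed stand-ins for the URL Lists, Anti-Virus and File Extensions conditions.
def url_list(hosts) -> Condition:
    return lambda tx: tx.host in hosts


def virus_detected(tx: Transaction) -> bool:
    return tx.virus_detected


def file_extensions(exts) -> Condition:
    return lambda tx: tx.extension in exts


def double_extension(tx: Transaction) -> bool:
    return tx.filename.count(".") >= 2      # e.g. report.txt.exe


# Constructed policy: the Anti-Virus rule sits above the file-extension rule so a
# virus is reported under its own rule; the double-extension rule is on trial as X-Ray.
POLICY = [
    Rule("Allow Trusted Sites", "Allow", [url_list({"intranet.example.test"})]),
    Rule("Block Virus Detected", "Block", [virus_detected]),
    Rule("Block Double Extensions (trial)", "Block", [double_extension], x_ray=True),
    Rule("Block Blacklisted File Extensions", "Block",
         [file_extensions({"exe", "scr"})], direction="Outgoing"),
]

if __name__ == "__main__":
    tx = Transaction("http://downloads.example.test/report.txt.exe", "Outgoing")
    print(evaluate(POLICY, tx))
```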
NOTES: For full details on the Security Policies, please refer to the Security Policies In-Depth manual.
Available Policies Tree Options
The following right-click options for the Policies tree are available:
• Root Level
Figure 6-11: Root Level Menu Option
• Policy Level
Figure 6-12: Policy Level Menu Options
• Rule Level
Figure 6-13: Rule Level Menu Options
• Condition Level
Figure 6-14: Condition Level Menu Option
The following table describes each of the available Policies tree options.
Root Level Actions
Add Policy: Available from top level folder only. Allows you to create a new Policy.
Policy Level Actions
Add Rule: Available from Policy folder. Allows you to create a new Rule.
Delete Policy: Available from specific Policy. Allows you to remove a Policy. Note that deleting a Policy will delete all the Rules and Conditions belonging to it.
Duplicate Policy: Available from specific Policy. Allows you to clone a predefined Policy and customize it for your own needs.
Export to HTML: Available from specific Policy. Allows you to export to HTML format, which you can then save or print as required.
Export to XML: Available from specific Policy. Allows you to export to XML format, which you can then save or print as required.
Rule Level Actions
Add Condition: Available from Rule. Allows you to create a new Condition.
Insert New Rule: Available from any rule. Allows you to insert a new rule into your Policy above the rule you are currently standing on.
Delete Rule: Available from specific Rule. Allows you to remove a Rule from the Policy.
Move Rule To (Before this Rule / After this Rule): Available from specific Rule. Select Move Rule To and then move the cursor to the desired place. Select Before this Rule/After this Rule to move the rule to the required location.
Condition Level Actions
Delete Condition: Available from specific Condition. Allows you to remove a Condition from a Rule.
Security Policy Details
Click on any Security Policy to display the Policy Details screen in the right pane.
Figure 6-15: Security Policy Details Screen
For non-predefined Security Policies, click Edit on the right pane to edit the fields on this screen. The Policy Details screen displays the following information:
Policy Name: Name of the specific policy.
X-Ray: Defines whether the Policy is X-Ray or not. (X-Ray means the policy is logged but no action is taken.)
Description: Contains a description of the policy.
User Groups/Users using this policy: Security Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.
Security Rule Details
Click on a Security rule to display the Rule Details screen in the right pane.
Figure 6-16: Security Rule Details
For non-predefined Security Rules, click Edit on the right pane to edit the fields on this screen. When Allow is selected, the Advanced Action options become activated.
Figure 6-17: Advanced Action Options
The Rule Details screen contains the following information:
Rule Name: Defines the name of the Security rule.
X-Ray: If the X-Ray checkbox is ticked, the rule is evaluated in the Logs only. In other words, an X-Ray rule is activated and logged, but no block, warn or explicit allow action is taken.
Description: This provides a place for you to write a description of the rule.
Enable Rule: When checked, the rule is enabled. When unchecked, the rule is disabled.
Action: Block, Coach or Allow action, on positive evaluation of the rule, as described below.
Block: The web content is blocked.
Coach: The web content is temporarily blocked and the end-user receives a warning message that this site is not recommended and that his/her activities will be logged. The end-user can then decide whether to proceed or not.
Allow: The web content is allowed and the selected Advanced Action is taken as described below.
Advanced Action: When Allow is selected you can choose one of the following Advanced Action options:
• Allow transactions and scan containers: The content is allowed, but container files are opened and the contents are scanned. (This is the default option.)
• Allow content and do not scan containers: Allows content through including container files, such as zip or rar files, without scanning inside them. Content is allowed through on the request stage but may be stopped on the response stage.
• Bypass Scanning: Allows content through without any scanning at all on the request or response stage. This allows full streaming and is useful, for example, for sites which contain stock ticker streaming.
Do not display End-User Message: Withholds sending a block page to the end-user.
End-User Message: Defines which message is sent in the Page Block/Warn message. The end-user message list and associated text is managed via Block/Warn Messages. The end-user Message template can be modified via Message Template.
NOTES: The Coach action can be applied to URL Categories and URL Lists in an Outgoing direction only. In addition, only the following Conditions can be added: Time Frame, Header Fields, File Extension.
NOTES: The Allow-Advanced actions which allow container files through without scanning can be placed anywhere in your Security Policy.
NOTES: In certain circumstances, X-Ray block rules might block traffic. This happens when the web server replies with non-standard HTTP traffic. This is applicable only for X-Ray rules and not for X-Ray policies.
For more detailed information on each of the Security Rules, please refer to the Security Policies In-Depth guide.
Condition Details for Security Policy Rules
Click on a condition to open up the Condition details in the right pane.
Figure 6-18: Condition Details for Security Policy Rules
For non-predefined Security conditions, click Edit on the right pane to edit the fields on this screen. The Condition Details screen displays the following information:
Condition Name: Displays the name of the Condition. If you are defining a new condition, choose the required condition from the drop-down list.
Applies To: You can select which options are to be included or excluded. In other words, you can either choose to apply this rule to everything selected below or to apply this rule to everything EXCEPT for the items selected below.
Select/Deselect All: Choose to select/deselect all the items in the Condition.
The items display differently according to the Condition you have chosen.
The following Conditions are available for selection within the Security Policy rules:
• Active Content List
• Anti-Virus (McAfee/Sophos/Kaspersky)
• Archive Errors
• Behavior Profile (Binary)
• Behavior Profile (Script)
• Binary VAD
• Content Size
• Data Leakage Prevention
• Digital Signature
• Direction
• File Extensions
• Header Fields
• IM
• Location
• Parent Archive Type
• Protocol
• Spoofed Content
• Static Content List
• Time Frame
• True Content Type
• URL Filtering (IBM/Websense)
• URL Lists
• Rule Action
Active Content List
The Active Content List condition contains active content objects such as ActiveX Controls and Java Applets which have already been scanned by SWG and are located in the SWG Server Database or added by M86's MCRC (Malicious Code Research Center). Each newly scanned Applet, Control or Executable is automatically added to the Auto-generated list, which is the only list that cannot be used in a rule. Items from the Auto-generated list may be moved to other lists, such as Allowed, Blocked or customer-created lists, in order to create exception rules.
Figure 6-19: Active Content List Condition
This condition can be used to block or allow specific and known active content objects, without changing the Default Security Policy. Allowed and Blocked lists can be modified via Condition Settings: Active Content List.
The table below shows the default options in the Active Content List condition:
Allowed: List of trusted objects from the Auto-generated list which were identified as such by the administrator.
Auto-Generated: The list to which newly scanned objects are automatically added (described above); it cannot itself be used in a rule.
Blocked: List of suspicious objects from the Auto-generated list which were identified as such by the administrator.
Anti-Virus (McAfee/Sophos/Kaspersky)
This condition is used to identify known viruses by using traditional (signature-based) third party Anti-Virus scanners such as McAfee, Sophos or Kaspersky.
Figure 6-20: Anti-Virus Condition
The Anti-Virus engine appears in Administration > System Settings > Scanning Engines but cannot be configured by the administrator.
The table below shows the options in the Anti-Virus condition:
The AV Engine could not scan this file: Refers to files that the Anti-Virus engine could not scan.
Virus Detected: Refers to files that contain a virus as detected by the Anti-Virus engine.
Archive Errors
The Archive Errors condition identifies compressed archive files (such as ZIP) which contain various errors.
Figure 6-21: Archive Errors Condition
The archive depth, maximum entries in container and maximum extracted content size can be edited via Condition Settings: Archives.
The table below shows the options in the Archive Errors condition:
Archive Depth - exceeded: Nesting depth (such as archives within archives) exceeds the predefined limit.
File could not be extracted: The file could not be extracted from the container.
Invalid format: Contains an invalid format.
Maximum Entries in Container - exceeded: Number of files within the container exceeds the predefined limit.
Maximum Extracted Container Size - exceeded: The expanded file size exceeds the predefined limit.
Password protected: The Archive is password protected.
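An added example (not M86 code) of applying the Archive Errors checks listed above to a ZIP container with Python's standard zipfile module; the limit values stand in for Condition Settings: Archives and are constructed. Inflated bytes are counted against one budget shared across the whole nesting tree and inflation stops as soon as the budget is exceeded, so a small but highly compressed container is reported without ever being fully expanded.

```python
"""Checker reporting which Archive Errors options a ZIP would trigger (added example)."""
import io
import zipfile

# Constructed limits playing the role of Condition Settings: Archives.
LIMITS = {
    "max_depth": 2,                     # archives nested deeper than this are rejected
    "max_entries": 50,                  # "Maximum Entries in Container"
    "max_extracted_bytes": 5_000_000,   # "Maximum Extracted Container Size"
}

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature of a non-empty ZIP


def archive_errors(data: bytes, limits=LIMITS, _depth=1, _budget=None) -> set:
    """Return the set of Archive Errors option names triggered by `data`.
    `_depth` is the nesting level of this container (top level = 1) and
    `_budget` the inflated-byte counter shared by the whole tree."""
    budget = _budget if _budget is not None else {"extracted": 0}
    errors = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"Invalid format"}
    entries = zf.infolist()
    if len(entries) > limits["max_entries"]:
        errors.add("Maximum Entries in Container - exceeded")
    for zi in entries:
        if zi.flag_bits & 0x1:          # general-purpose bit 0 = encrypted entry
            errors.add("Password protected")
            continue
        chunks = []
        try:
            with zf.open(zi) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    budget["extracted"] += len(chunk)
                    if budget["extracted"] > limits["max_extracted_bytes"]:
                        errors.add("Maximum Extracted Container Size - exceeded")
                        return errors   # stop inflating instead of finishing a "zip bomb"
                    chunks.append(chunk)
        except (zipfile.BadZipFile, RuntimeError, EOFError, NotImplementedError):
            errors.add("File could not be extracted")
            continue
        content = b"".join(chunks)
        if content.startswith(ZIP_MAGIC):   # nested archive: recurse or reject on depth
            if _depth + 1 > limits["max_depth"]:
                errors.add("Archive Depth - exceeded")
            else:
                errors |= archive_errors(content, limits, _depth + 1, budget)
    return errors


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Three levels of nesting against a max_depth of 2.
    inner = make_zip({"deep.zip": make_zip({"note.txt": b"hi"})})
    print(archive_errors(make_zip({"outer.zip": inner})))
```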
Behavior Profile (Binary)
This condition is used to identify binary files which perform forbidden operations and violate the Behavior Profile policy. Behavior Profiles are lists of actions that might be considered malicious or suspicious when executed by ActiveX Controls, Java Applets, executable files or other relevant files. Each Behavior Profile contains a different subset of these forbidden actions. Administrators cannot modify or delete the default Profiles; however, they can duplicate Profiles which can then be customized.
Figure 6-22: Behavior Profile (Binary) Condition
The Binary Behavior profiles can be viewed, duplicated and edited via Condition Settings: Binary Behavior.
The table below shows the default options in the Behavior Profile (Binary) condition:
Default Profile – Binary Behavior: Refers to the default Binary Behavior Profile.
Full Profile – Binary Behavior: Refers to the full profile (this includes the higher sensitivity profile and any new behaviors).
Higher Sensitivity Binary Behavior Profile: Refers to the Higher Sensitivity Profile which has every single item selected within the profile.
Medium Sensitivity Binary Behavior Profile: Refers to the Medium Sensitivity Profile which has items selected within the profile.
Suspected Malware: Contains behavior profile patterns that are specific to malicious software. This is a pre-defined Profile which is supplied with the Anti-Spyware module and cannot be modified or viewed by the administrator.
Unscannable Active Content: Refers to Active Content that has not been scanned.
Behavior Profile (Script)
This condition is used to identify textual files which perform forbidden operations and violate the Behavior Profile policy. Behavior Profiles are lists of actions that could be considered malicious or suspicious when executed by Web pages, VB Script files, Java Script files or other relevant files. Each Behavior Profile contains a different subset of these forbidden actions. Administrators cannot modify or delete the default profiles; however, they can duplicate Profiles which can then be customized.
Figure 6-23: Behavior Profile (Script) Condition
The Script Behavior profiles can be viewed, duplicated and edited via Condition Settings: Script Behavior.
The table below shows the default options in the Behavior Profile (Script) condition:
Default Profile – Script Behavior: Refers to the default script behavior profile.
M86 Security Basic Anti.dote Profile: Refers to the Basic script Anti.dote behavior profile.
M86 Security Basic Behavior Profile: Refers to the Basic script behavior profile.
HTML Repair (only visible in the Logging Rule Editor): When checked, content that has been “repaired” by the HTML Repair feature will be displayed in the Log View.
Higher Sensitivity Script Behavior Profile: Refers to the Higher Sensitivity Script Behavior Profile which has every single rule selected within the profile.
Higher Sensitivity Vulnerability Anti.dote Profile: Refers to the Higher Sensitivity Vulnerability Anti.dote behavior profile which has every single rule selected within the profile.
Spyware Profile: Refers to the list of behavior profile patterns specific to Spyware objects. This cannot be viewed or modified by the administrator.
Unscannable Active Content: Refers to Active Content that has not been scanned.
Vulnerability Anti.dote Profile: Refers to the default Vulnerability Anti.dote behavior profile.
Binary VAD
The Binary Vulnerability Anti.dote (VAD) condition scans binary files looking for patterns of exploits containing suspected malware.
Figure 6-24: Binary VAD Condition
The Binary Exploits list is maintained and updated by MCRC and is not accessible by the administrator.
Content Size
This condition is used to assign rules to specific file sizes. Content size is relevant for performance and stability, not necessarily security.
Figure 6-25: Content Size Condition
The administrator can create new content sizes as required via Condition Settings: Content Size.
Data Leakage Prevention
This condition allows the administrator to monitor and prevent data leakage of confidential information.
Figure 6-26: Data Leakage Prevention Condition
The screen shows a list of pre-defined conditions from which to choose. The administrator can build new data leakage prevention conditions by using the Condition Builder/Editor via DLP Condition Editor and Builder.
Digital Signature
This condition allows the administrator to block (or allow) content where the digital signature is either missing or invalid. The missing or invalid Digital Signatures are maintained and updated by M86 and cannot be accessed by the administrator. Digital signatures provide an extra layer of security in determining the integrity of the content.
Figure 6-27: Digital Signature Condition

The table below shows the options in the Digital Signature condition:

Option | Description
Invalid Digital Signature | The digital signature is invalid. For example, it might be corrupted or it might have expired.
Missing Digital Signature | The binary object does not have a digital signature.
See also: Condition Details for Security Policy Rules
Direction
This condition allows the administrator to trigger a rule specifically on the request (Outgoing) or response (Incoming) phase of the transaction. For example, in HTTP, Outgoing is the request phase, and in ICAP, Outgoing is the REQMOD phase. If no Direction condition is applied, the rule is checked on both the request and the response phases.
Figure 6-28: Direction Condition

The table below shows the options in the Direction condition:

Option | Description
Incoming | Information coming from the Internet to the end-user.
Outgoing | Information sent from the end-user to the Internet.
See also: Condition Details for Security Policy Rules
File Extensions
This condition refers to the requested content type as declared by the file extension in the URL or file name. It also covers potentially malicious multiple extensions (for example, txt.exe), which are used to make an executable look like a harmless file. Because the extension is known from the request, this condition is normally enforced during the request phase; use the True Content Type condition to verify what the content actually is once the response arrives.
Figure 6-29: File Extensions Condition

The File Extensions condition can be modified via Condition Settings: File Extensions.

See also: Condition Details for Security Policy Rules
Header Fields
This condition is used to identify transactions based on request or response HTTP headers.
Figure 6-30: Header Fields Condition

The Header Fields condition can be modified via Condition Settings: Header Fields. The table below shows the options in the Header Fields condition:

Option | Description
Content-Disposition Executable | Identifies executables detected as spoofed executables through the Content-Disposition header (for example, an attachment file name with an executable extension).
Exclude by Headers | Provides a list to which customers can add headers that identify applications (such as IM).
Firefox 1.x and 2.x | Identifies specific browser versions of Firefox.
Media Players | Identifies Media Player header fields.
Netscape 7.x | Identifies Netscape version 7 browsers.
Older and Unsafe Browsers | Identifies a list of browsers based on older versions and those that are considered unsafe.
Partial Downloading | Refers to partial downloads of Internet content (HTTP Range requests). A file fetched in pieces is seen by the scanners one piece at a time, so this option is useful for rules that block such downloads.
SSL | Defines SSL header fields. Pinpointing specific SSL headers enables the administrator to build specific rules regarding SSL content.
Trojans | Identifies header fields suspected of being created by a Trojan Horse.
See also: Condition Details for Security Policy Rules
IM
This condition is used to identify the initialization of Instant Messenger sessions that are tunneled through port 80. You can use it to log or block new IM sessions, but it cannot track sessions that are already open, nor scan the content of transferred files or messages. The supported IM types are AOL, ICQ, MSN Messenger and Yahoo Messenger.
Figure 6-31: IM Condition

This list of supported IM types is predefined and non-editable.
See also: Condition Details for Security Policy Rules
Location
This condition allows the administrator to block (or allow) content based on the location of the scanning server that handles the transaction.
Figure 6-32: Location Condition

The table below shows the options in the Location condition:

Option | Description
Cloud | The scanning server is located in the Internet cloud.
Local | The scanning server is located in the enterprise.
See also: Condition Details for Security Policy Rules
Parent Archive Type
An archive file is considered a “parent” when it contains other files inside it, for example ZIP or CAB. This condition matches the files contained in an archive, according to the type of the archive that contains them; it does not match files outside of archives, nor the archive files themselves.
Figure 6-33: Parent Archive Type Condition

This list of supported archive types is predefined and non-editable. When using the Parent Archive Type condition, at its Rule level, you can set the Action to Allow and then choose one of the Advanced Action options:
• Allow transactions and scan containers: This is the default option. The content is allowed, but container files are opened and their contents are scanned. File scanning is controlled by Condition Settings: Archives, where Archive Depth configures the maximum depth level of nested archives.
• Allow content and do not scan containers: Allows content through, including container files such as zip or rar files, without scanning inside them. Content is allowed through at the request stage but may still be stopped at the response stage, for example if the File Extensions condition is used.
• Bypass Scanning: Allows content through without any scanning at all, on either the request or the response stage.
See Security Rule Details for more information about Rule level actions.

See also: Condition Details for Security Policy Rules
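As an added example (not the product's archive scanner), the following Python builds a constructed three-level nested ZIP in memory and walks it with an Archive Depth limit. It marks a nested archive whose contents would exceed the limit, and an archive that cannot be opened at all (the Archive Errors condition). It shows why the depth setting matters: an executable nested deeper than the limit is never seen, so a rule acting on a Windows executable inside a ZIP parent cannot fire on it. The depth convention (the outermost archive is depth 1) is an assumption made here.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"


def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; member order is preserved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_nested_zip() -> bytes:
    """Constructed sample: outer.zip -> inner.zip -> deeper.zip -> payload.exe (a fake MZ header)."""
    deeper = _make_zip({"payload.exe": MZ_MAGIC + b"\x00" * 62})
    inner = _make_zip({"deeper.zip": deeper, "notes.txt": b"nothing to see"})
    return _make_zip({"inner.zip": inner, "readme.txt": b"readme"})


def _walk(data: bytes, path: str, max_depth: int, depth: int, out: list) -> bool:
    """Append one entry per member; recurse into nested ZIPs. Returns False if data is not a ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with zf:
        for info in zf.infolist():
            member = zf.read(info.filename)
            entry = {"path": f"{path}/{info.filename}", "parent_archive": "ZIP", "depth": depth,
                     "executable": member.startswith(MZ_MAGIC), "error": None}
            out.append(entry)
            if member.startswith(ZIP_MAGIC):
                if depth >= max_depth:
                    # Archive Depth reached: this archive stays closed and its contents unscanned.
                    entry["error"] = "archive depth exceeded"
                elif not _walk(member, entry["path"], max_depth, depth + 1, out):
                    entry["error"] = "corrupt archive"      # Archive Errors condition
    return True


def walk_archive(data: bytes, path: str, max_depth: int) -> list:
    """List every member of a (nested) ZIP, opening nested archives up to max_depth levels (outermost = 1)."""
    out = []
    if not _walk(data, path, max_depth, 1, out):
        out.append({"path": path, "parent_archive": None, "depth": 0, "executable": False,
                    "error": "corrupt archive"})
    return out


def executables_in_archives(data: bytes, path: str, max_depth: int) -> list:
    """Paths of executables found inside archives: what a rule combining Parent Archive Type = ZIP
    with True Content Type = Windows Executable File would act on at this depth setting."""
    return [e["path"] for e in walk_archive(data, path, max_depth) if e["executable"]]


if __name__ == "__main__":
    sample = build_nested_zip()
    for e in walk_archive(sample, "outer.zip", max_depth=2):
        print(e)
    print("depth 2:", executables_in_archives(sample, "outer.zip", max_depth=2))
    print("depth 3:", executables_in_archives(sample, "outer.zip", max_depth=3))
```

With Archive Depth 2 the executable is invisible and the only signal is the "archive depth exceeded" entry; a policy that does not block on that error quietly lets the payload through.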
Protocol
The Protocol condition detects the protocol of a transaction so that rules can block or allow it, alone or in conjunction with other conditions.
Figure 6-34: Protocol Condition

This list of supported protocols is predefined and non-editable. The table below shows the options in the Protocol condition:

Option | Description
FTP over HTTP | Protocol between a web browser and an FTP endpoint/proxy.
HTTP | Protocol which usually uses port 80.
HTTP Tunneling | HTTP Tunneling forwards packet data in both directions, hence acting as a tunnel. It can also be used for delivering HTTPS traffic and for ICAP.
HTTPS | Protocol used between M86 Security’s SSL appliance and the M86 SWG appliance.
Native FTP | FTP protocol which usually uses port 21.
See also: Condition Details for Security Policy Rules
Spoofed Content
This condition identifies potentially malicious file content that uses deception to appear harmless, for example a file whose declared type (extension or MIME type) does not match its real structure. The list of potentially malicious files and their spoofed types is provided by MCRC. In addition to the spoofed content detected by the scanning engine, this condition can also be used to block unscannable content.
Figure 6-35: Spoofed Content Condition

The table below shows the options in the Spoofed Content condition:

Option | Description
Spoofed Content | Potentially malicious file content using deception to appear harmless.
Unscannable Data | Content that the scanning engines could not scan, and therefore could not verify.
See also: Condition Details for Security Policy Rules
Static Content List
This condition is used to identify known malicious objects based on their malicious behavior signatures.
Figure 6-36: Static Content List Condition

These content and object lists are invisible to the administrator and are constantly updated by M86 MCRC. The table below shows the options in the Static Content List condition:

Option | Description
Known Legitimate Content List | Content known to be safe.
Malicious Objects List | Malicious objects identified by their malicious behavior signatures.
See also: Condition Details for Security Policy Rules
Time Frame
This condition is used to apply rules only during certain hours of the day or week. Rules based on this condition reflect the needs of your organization and focus on productivity rather than security.
Figure 6-37: Time Frame Condition

These settings can be modified via Condition Settings: Time Frame. The table below shows the default options in the Time Frame condition:

Option | Description
Business Hours | Monday through Friday, 9:00am to 5:30pm
Lunch Break | Monday through Friday, 12:30pm to 1:00pm
Weekend | Friday 5:30pm to Sunday 11:59pm
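The following added example (not from the guide) shows how the three default Time Frames evaluate against a timestamp, including the two boundaries that are easy to get wrong: Friday 5:30pm belongs to Weekend and not to Business Hours, and Business Hours are five separate daily windows rather than one span from Monday morning to Friday evening (which would silently include the nights). The half-open window convention and the treatment of Sunday 11:59pm as the end of that day are assumptions made here.

```python
from datetime import datetime

MINUTES_PER_DAY = 24 * 60


def week_minute(dt: datetime) -> int:
    """Minutes since Monday 00:00 of the same week (datetime.weekday(): Monday == 0)."""
    return dt.weekday() * MINUTES_PER_DAY + dt.hour * 60 + dt.minute


def span(start_day: int, start_hh: int, start_mm: int, end_day: int, end_hh: int, end_mm: int) -> tuple:
    """A half-open [start, end) window in week-minutes; end_day 7 means Monday 00:00 of the next week."""
    return (start_day * MINUTES_PER_DAY + start_hh * 60 + start_mm,
            end_day * MINUTES_PER_DAY + end_hh * 60 + end_mm)


# The guide's default Time Frames. Windows are half-open, so Friday 17:30 belongs to
# Weekend and not to Business Hours; Sunday 11:59pm is taken as the end of Sunday.
TIME_FRAMES = {
    "Business Hours": [span(d, 9, 0, d, 17, 30) for d in range(5)],   # Mon..Fri 09:00-17:30, per day
    "Lunch Break": [span(d, 12, 30, d, 13, 0) for d in range(5)],     # Mon..Fri 12:30-13:00, per day
    "Weekend": [span(4, 17, 30, 7, 0, 0)],                            # Fri 17:30 .. Sun 23:59
}


def matching_frames(dt: datetime) -> list:
    """Names of all Time Frames containing dt (frames may overlap: Lunch Break lies inside Business Hours)."""
    m = week_minute(dt)
    return [name for name, windows in TIME_FRAMES.items() if any(s <= m < e for s, e in windows)]


def time_frame_condition(selected: set, dt: datetime, applies_to_selected: bool = True) -> bool:
    """Evaluate a Time Frame condition as the rule editor expresses it:
    applies_to_selected=True  -> 'Any of the items selected below'
    applies_to_selected=False -> 'everything EXCEPT the items selected below'
    """
    hit = bool(selected & set(matching_frames(dt)))
    return hit if applies_to_selected else not hit


if __name__ == "__main__":
    for when in (datetime(2010, 11, 17, 12, 45), datetime(2010, 11, 19, 17, 30), datetime(2010, 11, 22, 8, 0)):
        print(when.strftime("%a %H:%M"), matching_frames(when),
              "rule for Business Hours fires:", time_frame_condition({"Business Hours"}, when))
```

The timestamps are evaluated in whatever time zone the datetime carries; a scanning server in a different zone from its users (see the Location condition) will place the same request in a different frame unless the timestamps are normalized first.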
See also: Condition Details for Security Policy Rules
True Content Type
Unlike a declared content type, such as the file extension or the MIME type, the True Content Type detection scanner identifies file types from their actual structure and format (for example, their file header). This condition can therefore identify known file types even if they have a non-standard name or extension.
Figure 6-38: True Content Type Condition

The list of supported file types is predefined and non-editable.

See also: Condition Details for Security Policy Rules
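The following added example (illustrative, not M86's True Content Type scanner) ties together the File Extensions, Header Fields (Content-Disposition), True Content Type and Spoofed Content conditions described above: it reads the declared extension from the URL path or from a Content-Disposition file name, sniffs the true type from the leading bytes, flags double extensions that end in an executable, and reports spoofing when the declared and true types disagree. The signature table, the extension map and the file samples are a small constructed subset.

```python
import posixpath
import re
from urllib.parse import urlparse

# Magic-byte signatures (a small subset, constructed for this example).
MAGIC = [
    (b"MZ", "Windows Executable File"),
    (b"\x7fELF", "ELF Executable"),
    (b"PK\x03\x04", "ZIP Archive"),
    (b"%PDF-", "PDF Document"),
    (b"\x89PNG\r\n\x1a\n", "PNG Image"),
    (b"GIF87a", "GIF Image"),
    (b"GIF89a", "GIF Image"),
]

# What each declared extension claims to be (same subset).
EXT_TO_TYPE = {
    "exe": "Windows Executable File", "dll": "Windows Executable File", "scr": "Windows Executable File",
    "zip": "ZIP Archive", "pdf": "PDF Document", "png": "PNG Image", "gif": "GIF Image",
}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd"}


def declared_extensions(url: str, content_disposition: str = "") -> list:
    """All extensions of the declared file name, e.g. invoice.txt.exe -> ['txt', 'exe'].

    A Content-Disposition file name, if present, overrides the URL path: that is how a
    download from /get?id=7 can still be named setup.exe by the server.
    """
    name = posixpath.basename(urlparse(url).path)
    m = re.search(r'filename\s*=\s*"?([^";]+)', content_disposition, re.IGNORECASE)
    if m:
        name = posixpath.basename(m.group(1).strip().replace("\\", "/"))
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def true_content_type(data: bytes) -> str:
    """Type from the actual bytes, regardless of the name the content was given."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "Unknown"


def classify(url: str, data: bytes, content_disposition: str = "") -> dict:
    """Facts for the File Extensions, True Content Type and Spoofed Content conditions."""
    exts = declared_extensions(url, content_disposition)
    declared = EXT_TO_TYPE.get(exts[-1], "Unknown") if exts else "Unknown"
    true_type = true_content_type(data)
    return {
        "declared_extensions": exts,
        "declared_type": declared,
        "true_type": true_type,
        # File Extensions: a double extension ending in an executable, e.g. photo.jpg.exe
        "multiple_extension": len(exts) > 1 and exts[-1] in EXECUTABLE_EXTS,
        # Spoofed Content: the bytes contradict the declared type
        "spoofed": declared != "Unknown" and true_type != "Unknown" and declared != true_type,
    }


if __name__ == "__main__":
    # Constructed samples: an "image" that is really an executable, and a double extension via Content-Disposition.
    print(classify("http://example.test/img/photo.png", b"MZ\x90\x00" + b"\x00" * 60))
    print(classify("http://example.test/get?id=7", b"%PDF-1.4\n", 'attachment; filename="report.pdf.exe"'))
```

The request-phase checks (declared extensions) and the response-phase check (true type) are deliberately separate return fields, because the first is available before any bytes are downloaded and the second only afterwards, matching the Direction in which each condition is normally enforced.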
URL Filtering (IBM/Websense)
This condition can be used to apply rules based on the type or category of the requested site. For example, a condition used to block requests to “News” sites will prevent users from browsing to CNN.com.
Figure 6-39: URL Filtering Condition
The list of categories is maintained by the respective third-party provider. The categories themselves cannot be modified; however, the administrator can select or clear the necessary categories within the Rule Condition.

See also: Condition Details for Security Policy Rules
URL Lists
This condition refers to predefined and configurable lists of URL addresses.
Figure 6-40: URL Lists Condition

The administrator can use this condition to create blocking or coaching rules as required. These lists can be created and modified via Condition Settings: URL Lists.
NOTES: The M86 Security Recommended Black List cannot be viewed.

See also: Condition Details for Security Policy Rules
Example for Creating a Security Rule
To create a Security rule:
1. Right-click on an existing rule and select Add Rule from the drop-down menu. The Rule Details pane is displayed.

Figure 6-41: Add New Rule

2. Enter a new rule name in the Rule Name field. The name you select should describe as clearly as possible the purpose of the rule, for example, Block All Binary Executables.
3. Use the Description field to add a more comprehensive description of the rule.
4. Select the Enable Rule box in order to activate the new rule.
5. In the Action drop-down menu, select Block.
6. Select a message from the End-User Message drop-down list which will be displayed in the Page Block message sent to the end-user. For example, Binary VAD Violation.
7. Click Save.
8. In the Security Navigation tree on the left, right-click on the Block All Binary Executables rule and select Add Condition from the drop-down menu.
9. In the New Condition screen, select True Content Type from the Condition drop-down list.
10. Select Any of the items selected below.
11. In the options displayed, select Windows Executable File.

Figure 6-42: Creating a New Security Rule Condition

12. Click Save to apply changes. Next, commit the changes.

See also: Security Policies - Advanced
Master Security Policy
The Master Security Policy provides an extra level of protection by allowing Super Administrators to force general administrators to use a specific security policy in addition to the security policy that each administrator assigns to its users. Once the Super Administrator assigns a Master Policy to an administrator, all the users belonging to that administrator are also subject to this policy, in addition to the normal security policy defined for them. The Master Security Policy contains general blocking or allow rules selected by the Super Administrator. At the discretion of the Super Administrator, different Master Policies can be assigned to different administrator groups or individually to specific administrators.
Figure 6-43: Master Policy Setting
NOTES: The Master Policy and the Security Policy for a user can be the same policy. There is a chance, however, that a minimal amount of system degradation could occur.
NOTES: It is possible to configure the Master Policy in X-Ray mode. X-Ray means the policy is logged but no action is taken. For more information on X-Ray mode, refer to Security Policy Details.

See also: Policies
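Added example, not the appliance's policy engine: a small evaluator that models how the Security rule built in the procedure above, a Master Policy and X-Ray mode combine. Conditions carry the Applies To choice (any of the selected items, or everything except them), a rule fires only when all of its conditions match, the first matching rule in a policy wins, and an unmatched transaction is allowed. How the Master Policy result is combined with the user's own policy is not specified by this guide; the combination used here (a Block from either enforced policy wins, otherwise the user's policy decides) is an assumption, as are the policy, rule and list names other than the guide's Block All Binary Executables rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Condition:
    """One rule condition as the editor shows it: the condition name, the items ticked, and
    'Applies To' (True = any of the items selected below, False = everything EXCEPT them)."""
    name: str
    selected: set
    applies_to_selected: bool = True

    def matches(self, facts: Dict[str, Optional[str]]) -> bool:
        hit = facts.get(self.name) in self.selected
        return hit if self.applies_to_selected else not hit


@dataclass
class Rule:
    name: str
    action: str                       # "Block", "Allow" or "Coach"
    conditions: List[Condition] = field(default_factory=list)
    enabled: bool = True
    end_user_message: Optional[str] = None

    def matches(self, facts) -> bool:
        # A rule fires only when it is enabled and ALL of its conditions are met.
        return self.enabled and all(c.matches(facts) for c in self.conditions)


@dataclass
class Policy:
    name: str
    rules: List[Rule]                 # in priority order: the first matching rule wins
    x_ray: bool = False               # X-Ray: the match is logged but no action is taken


def first_match(policy: Policy, facts) -> Optional[Rule]:
    return next((r for r in policy.rules if r.matches(facts)), None)


def evaluate(facts, security_policy: Policy, master_policy: Optional[Policy] = None):
    """Apply the Master Policy (if assigned) together with the user's Security Policy.

    Assumption (not stated by the guide): a Block from either enforced policy wins; otherwise
    the user's own policy decides; with no match at all the default is Allow.
    Returns ((action, policy name, rule name), log), where log lists every match, including
    X-Ray ones, as (policy, rule, action, 'x-ray' | 'enforced').
    """
    log, enforced = [], []
    for policy in (master_policy, security_policy):
        if policy is None:
            continue
        rule = first_match(policy, facts)
        if rule is None:
            continue
        log.append((policy.name, rule.name, rule.action, "x-ray" if policy.x_ray else "enforced"))
        if not policy.x_ray:
            enforced.append((policy, rule))
    for policy, rule in enforced:
        if rule.action == "Block":
            return (rule.action, policy.name, rule.name), log
    for policy, rule in reversed(enforced):          # the user's policy before the master's
        return (rule.action, policy.name, rule.name), log
    return ("Allow", None, None), log


def build_security_policy() -> Policy:
    """The guide's worked rule, plus an 'except' condition for a hypothetical internal software list."""
    return Policy("Corporate Security Policy", [
        Rule("Block All Binary Executables", "Block", end_user_message="Binary VAD Violation",
             conditions=[
                 Condition("True Content Type", {"Windows Executable File"}),
                 Condition("URL Lists", {"Internal Software Repository"}, applies_to_selected=False),
             ]),
    ])


def build_master_policy(x_ray: bool = False) -> Policy:
    """A constructed Master Policy with one basic blocking rule (names are hypothetical)."""
    return Policy("Strict Master Policy", [
        Rule("Block Known Malicious Objects", "Block",
             conditions=[Condition("Static Content List", {"Malicious Objects List"})]),
    ], x_ray=x_ray)


if __name__ == "__main__":
    facts = {"True Content Type": "Windows Executable File", "URL Lists": "Partner Downloads",
             "Static Content List": None}
    print(evaluate(facts, build_security_policy(), build_master_policy()))
```

The log keeps X-Ray matches even though they change nothing, which is what makes X-Ray useful for trialling a Master Policy: the Master Policy Name and Master Rule Name columns described under Master Policy Log Events show what would have been blocked before the policy is enforced.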
Assigning a Master Policy

Assigning a Master Policy can be done while creating a new Administrators group or a new administrator, or it can be imposed on existing Administrator groups or individual administrators.
Example for assigning a Master Policy:
1. In the Management Console, navigate to Administration > Administrators.
2. Select the administrator to which you want to assign a Master Policy.
3. Click Edit.
4. From the Master Policy drop-down list, select the appropriate policy, for example, M86 Security Strict Security Policy.

Figure 6-44: Configure Master Policy

5. Click Save.
For further information on | see
Creating a new Administrators Group | Creating a new Administrators Group
Creating a new administrator | Adding an Administrator to an Administrators Group
Super administrators | Administrator Details
See also: Master Security Policy
Default Master Policy
The Master Policy can also be found under Policies > Default Policy Settings on the Management Console. Defining the Master Policy from this location automatically assigns it to every new Administrator created.
Defining a Default Master Policy:
1. On the Management Console, navigate to Policies > Default Policy Settings.
2. In the Default Policy Settings screen, click Edit.
3. If required, select the Enable Emergency Policy checkbox and select the appropriate Emergency Security and HTTPS policies.

Figure 6-45: Define Default Master Policy

4. In the Default Policy Values section, select the desired policy from the Master Policy drop-down list.
5. Click Save. Otherwise, click Cancel.

NOTES: Selecting the empty entry in the drop-down list ensures that no Master Policy will be assigned.

See also: Master Security Policy
Master Policy Log Events

Log events triggered by the Master Policy, as opposed to those triggered by the normal security policy, are indicated as such in the Transaction Details area of the Management Console Web Logs screen.
NOTE: In the case of customer license expiration or an emergency, the Master Policy in effect is the default Master Policy.
Figure 6-46: Master Policy Log Events

Master Policy Name and Master Rule Name must be selected in the General tab of the Web Logs Profile Settings pane to display their corresponding columns in the Transaction Details area.
Figure 6-47

See also: Master Security Policy
HTTPS Policies
HTTPS Policies provide the option to define which HTTPS sites are fully allowed (passed through without decryption), which are decrypted and inspected, which require user approval before inspection continues, and which are blocked. The blocking mechanism is based on White Lists, URL categorization, and checking whether server certificates have errors or comply with the validation criteria. HTTPS Policies are only displayed for customers who have the required license. HTTPS Policies can be assigned per User Group or per User.
Figure 6-48: HTTPS Policies Menu Selection

See also: Policies
HTTPS Policies Tree

The HTTPS Policies tree holds all the current HTTPS Policies within that definition, as well as the rules that make up these Policies and the conditions that make up the rules.
Figure 6-49: HTTPS Policies Tree

M86 provides two preconfigured default HTTPS policies:
• M86 Security Emergency HTTPS Policy: designed for emergency situations and contains two rules. It can be globally enabled via Default Policy Settings, and can also be enabled per User.
• M86 Security HTTPS Policy: contains just one rule, designed to block any site that presents a faulty certificate.
NOTES: For full details on the M86 Security HTTPS Policy and the M86 Security Emergency HTTPS Policy and their rules, please refer to the Security Policies In-Depth manual.
Policies, rules, and conditions can be added, duplicated or deleted by right-clicking on the relevant node. M86's default HTTPS Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies.

See also: HTTPS Policies
HTTPS Policy Details

Click on any HTTPS Policy to display the Policy Details screen in the right pane.
Figure 6-50: HTTPS Policy Details Screen

To edit the fields on this screen, click Edit in the right pane. The Policy Details screen contains the following information:

Field | Description
Policy Name | Name of the specific HTTPS policy.
Description | Contains a description of the policy.
User Groups | Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.
See also: HTTPS Policies
HTTPS Rule Details

Click on an HTTPS rule to display the Rule Details screen in the right pane.
Figure 6-51: HTTPS Rule Details Screen

To edit the fields on this screen, click Edit in the right pane. Note that you cannot edit predefined policies. The Rule Details screen contains the following information:
Field | Description
Rule Name | Defines the name of the HTTPS rule.
Description | A place to write a description of the rule.
Enable Rule | When checked, the rule is enabled. When cleared, the rule is disabled.
Action | One of:
• Block HTTPS: Blocks HTTPS sites.
• User approval: Sends an approval page to the end-user for each new HTTPS site that is accessed. This is used where user approval is required before traffic to the site is decrypted. If the end-user chooses not to approve the transaction, the connection is closed.
• Bypass: No HTTPS or Security scanning takes place.
• Inspect Content (default): HTTPS rule and Security rule scanning is carried out.
End-User Message | On the Block HTTPS or User Approval actions, this field defines which reason to use in the message sent to the end-user. The reason text and template can be edited via End User Messages.
Do not display End-User message | Withholds the page blocked message from the end-user.
Selecting Add Condition defines the conditions for inclusion within the rule. Please refer to Condition Details for HTTPS Policy Rules for further information.
NOTES: After content is scanned by the HTTPS rules, it is subjected to security scanning.

See also: HTTPS Policies
Condition Details for HTTPS Policy Rules

HTTPS Policy Rules contain one or more conditions. When you click on a Condition, the Condition details are displayed in the right pane.
Figure 6-52: Condition Details for HTTPS Policy Rules
The Condition Details screen contains the following information:

Field | Description
Condition Name | Displays the name of the Condition. If you are defining a new condition, choose the required condition from the drop-down list.
Applies To | Selects whether the listed items are included or excluded: the rule applies either to everything selected below, or to everything EXCEPT the items selected below.
Select/Deselect All | Selects or deselects all the items in the Condition.
The items will display differently according to the Condition you have chosen.
Predefined HTTPS Policies and their Rules/Conditions cannot be edited. Policies and their Rules/Conditions added by the administrator can be changed using the Edit > Save/Cancel options. Each HTTPS rule may include multiple conditions, all of which must be met in order for the rule to be applied. The following Conditions are available for selection within HTTPS rules:
• Certificate Validation Errors: refers to the various types of errors that can arise when checking the validity of certificates for secured content.
• Location: allows the administrator to block (or allow) content based on the location of the scanning server.
• URL Filtering (IBM/Websense): can be used for URL categorization of HTTPS sites.
• URL Lists: refers to predefined and configurable lists of URL addresses.

See also: HTTPS Policies
Certificate Validation Errors

This condition refers to the various types of errors that can arise when checking the validity of the certificates presented for secured content, such as a certificate that has expired, is not issued by a trusted authority, or is issued for a different host name.
Figure 6-53: Certificate Validation Errors Condition

The Certificate Validation errors can be viewed and customized via Condition Settings: HTTPS Certificate Validation.

See also: HTTPS Policies
Location

This condition allows the administrator to block (or allow) content based on the location of the scanning server.
Figure 6-54: Location Condition

The table below shows the options in the Location condition:

Option | Description
Cloud | The scanning server is located in the Internet cloud.
Local | The scanning server is located in the enterprise.
See also: HTTPS Policies
URL Filtering (IBM/Websense)

This condition can be used for URL categorization of HTTPS sites. For example, a rule that combines this condition with the Bypass action can ensure that content such as banking sites is not decrypted for scanning, safeguarding end users' privacy.
Figure 6-55: URL Filtering Condition
The list of categories is maintained by the respective third-party provider. The categories cannot be modified; however, the administrator can select or deselect the necessary categories from the Simplified Policy Management Interface, or within a Rule condition if it is not a predefined M86 Security Policy.

See also: HTTPS Policies
URL Lists

This condition refers to predefined and configurable lists of URL addresses.
Figure 6-56: URL Lists Condition

The administrator can create new lists in the Lists tab, which then appear as part of the condition. These lists can be viewed and modified via Condition Settings: URL Lists.

See also: HTTPS Policies
Example for Creating an HTTPS Rule
To create an HTTPS rule:
1. Right-click on an existing rule and select Insert New Rule from the drop-down menu. The New Rule pane is displayed.

Figure 6-57: Insert New HTTPS Rule

2. Enter a new rule name in the Rule Name field. The name you select should describe as clearly as possible the purpose of the rule, for example, Block Non-Validated Certificate.
3. Select the Enable Rule box in order to activate the new rule.
4. In the Action drop-down menu, select Block HTTPS.
5. Select a message from the End-User Message drop-down list which will be displayed in the Page Block message sent to the end-user. For example, Certificate Validation Mismatch.
6. Click Save.
7. In the Security Navigation tree on the left, right-click on the Block Non-Validated Certificate rule and select Add Condition from the drop-down menu.
8. In the New Condition screen, select Certificate Validation Errors from the Condition drop-down list.
9. Select Any of the items selected below.
10. Select Default Certificate Validation Profile.

Figure 6-58: Adding an HTTPS Rule Condition

11. Click Save to apply changes. Next, commit the changes.

See also: HTTPS Policies
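Added example (not the appliance's HTTPS engine): certificate checks of the kind a Certificate Validation profile performs, run on certificates in the dict form returned by Python's ssl.SSLSocket.getpeercert(), followed by a two-rule HTTPS policy in which the Block Non-Validated Certificate rule built above is evaluated before a Bypass rule for financial sites. The certificates, host names and category names are constructed, and Inspect Content as the outcome when no rule matches is an assumption made here.

```python
import ssl

# Constructed certificates in the dict form returned by ssl.SSLSocket.getpeercert()
# (host names and the CA name are made up for this example).
GOOD_CERT = {
    "subject": ((("commonName", "www.bank.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.bank.test"), ("DNS", "*.bank.test")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}
BAD_CERT = {   # self-signed and already expired
    "subject": ((("commonName", "www.evil.test"),),),
    "issuer": ((("commonName", "www.evil.test"),),),
    "subjectAltName": (("DNS", "www.evil.test"),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan 31 23:59:59 2010 GMT",
}
NOW = ssl.cert_time_to_seconds("Nov 15 12:00:00 2010 GMT")   # evaluation time for the samples

# Hypothetical category names; the real ones come from the URL filtering provider.
BYPASS_CATEGORIES = {"Financial Data and Services", "Health"}


def _dn(rdns) -> tuple:
    return tuple(sorted(attr for rdn in rdns for attr in rdn))


def _hostname_matches(cert: dict, hostname: str) -> bool:
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:   # only fall back to the CN when there is no SAN at all
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in names:
        if name.startswith("*."):
            # a wildcard covers exactly one label: *.bank.test matches login.bank.test, not a.b.bank.test
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def cert_errors(cert: dict, hostname: str, now: float) -> list:
    """The Certificate Validation Errors a validation profile would report for this server."""
    errors = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        errors.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        errors.append("not yet valid")
    if not _hostname_matches(cert, hostname):
        errors.append("hostname mismatch")
    if _dn(cert.get("issuer", ())) == _dn(cert.get("subject", ())):
        errors.append("self-signed")
    return errors


# HTTPS rules in priority order: (rule name, condition, action, end-user message).
HTTPS_RULES = [
    ("Block Non-Validated Certificate", lambda tx: bool(tx["cert_errors"]), "Block HTTPS", "Certificate Validation Mismatch"),
    ("Bypass Financial Sites", lambda tx: tx["url_category"] in BYPASS_CATEGORIES, "Bypass", None),
]


def https_decision(hostname: str, cert: dict, url_category: str, now: float = NOW) -> dict:
    """First matching HTTPS rule wins; with no match the traffic is decrypted and inspected."""
    tx = {"cert_errors": cert_errors(cert, hostname, now), "url_category": url_category}
    for name, cond, action, message in HTTPS_RULES:
        if cond(tx):
            return {"action": action, "rule": name, "message": message, "errors": tx["cert_errors"]}
    return {"action": "Inspect Content", "rule": None, "message": None, "errors": tx["cert_errors"]}


if __name__ == "__main__":
    print(https_decision("login.bank.test", GOOD_CERT, "Financial Data and Services"))
    print(https_decision("www.evil.test", BAD_CERT, "Financial Data and Services"))
```

The rule order is the point: if the Bypass rule came first, a financial site presenting a self-signed certificate (for example, because an attacker is intercepting the connection) would be passed through without decryption or any warning, so the certificate check must outrank the privacy exemption.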
Logging Policies
A Logging Policy is a set of rules dealing with the logging of transaction data. The only action resulting from a logging rule is to log the transaction. The Logging Policy can implement logging at different levels, depending on your requirements. Logging rules decide both what is logged (blocked, allowed, all) and where the information is sent (logs, archives, reports, etc.). As with Security rules, the action taken is that of the highest-priority rule whose conditions the transaction matches.
Figure 6-59: Logging Policies Menu Selection
NOTES: If a transaction is not matched specifically by any rule, it is allowed. That is, the M86 SWG default behavior is Allow.
See also: Policies
Security Policies - Simplified
Assigned User Groups
Security Policies - Advanced
Master Security Policy
HTTPS Policies
Identification Policies
Device Logging Policies
Default Policy Settings
Condition Settings
Caching Policy
End User Messages
Logging Policies Tree
Logging Policy Details
Logging Rule Details
Conditions for Logging Policy Rules
Example for Creating a Logging Rule
Logging Policies Tree
The Logging Policies tree holds all the current Logging Policies within that definition, as well as the rules that make up these Policies and the conditions that make up the rules.
Figure 6-60: Logging Policies Tree
This provides easy navigation through each Policy - displaying the components of that Policy at a glance.
Policies, rules, and conditions can be added or deleted by right-clicking on the relevant node. M86's default Logging Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies. M86 provides four default Logging Policies:
• Archive All Protective Actions (RUSafe mode only)
• Log All Protective Actions
• Log All Protective Actions and Web pages
• Logging everything except Image files
These M86 Logging Policies comprise the following rules:
Rule Name | Description | Target
Log All Coached Transactions | Logs all HTTP transactions that have been defined as coach in the Security Policy. | Send to log; Send to report
Log All Blocked Transactions | Logs all HTTP transactions that have been defined as block in the Security Policy. | Send to log; Send to report
Log all User Approval Transactions | Logs all HTTPS transactions that have been defined as User Approval in the HTTPS Policy. | Send to log; Send to report
Log all Block HTTPS Transactions | Logs all HTTPS transactions that have been defined as block in the HTTPS Policy. | Send to log; Send to report
Log all Web pages (relevant for Log All Protective Actions and Web pages policy only) | Logs all Web pages that have passed through the system (both HTTP and HTTPS). | Send to log
Log everything except Image files (relevant for Logging everything except Image files policy only) | Logs all content passing through the system except for Image files (both HTTP and HTTPS). | Send to log
You may, for example, want to log all blocked transactions together with all transactions where Web pages were viewed, in order to analyze URL categories accessed by your users. Another example is that you may want to log all HTTP Web pages only. In this case, you would duplicate the Log All Protective Actions policy and amend the rules by choosing to select everything except the HTTPS Protocol.
Figure 6-61: Log all Web Pages Except for HTTPS
NOTES: When defining the Logging Rule, the conditions selected must match those of the Security Policy rule in order for the relevant transactions to appear in the Log View.
See also: Logging Policies
Logging Policy Details
Logging Rule Details
Conditions for Logging Policy Rules
Example for Creating a Logging Rule
Logging Policy Details
Clicking on any Logging Policy displays the Policy Details on the right pane.
Figure 6-62: Logging Policy Details
The Policy Details screen contains the following information with the option to make changes using the Edit > Save/Cancel options.
Field | Description
Policy Name | Name of the specific policy.
Description | Contains a description of the policy.
User Groups/Users | Policies can be assigned to different User Groups and Users. This section displays which Users have this particular Policy assigned to them. For more information on assigning Policies to Users, please refer to Users/User Groups.
See also: Logging Policies
Logging Policies Tree
Logging Rule Details
Conditions for Logging Policy Rules
Example for Creating a Logging Rule
Available Policies Tree Options
Logging Rule Details
Clicking on any Logging rule displays the Rule Details screen in the right pane.
Figure 6-63: Logging Rule Details
The Logging Rule Details screen contains the following information with the option to make changes using the Edit > Save/Cancel options.
Field | Description
Rule Name | Defines the name of the Logging rule.
Description | Contains a description of the rule.
Enable Rule | When checked, the rule is enabled. When cleared, the rule is disabled.
Send To: |
Archive | Sends log information in files to an external remote location. This must be selected to ensure that there is relevant information to archive.
Log | Sends information to the M86 log database, which can be seen via the Log View.
Report | Sends information to the M86 reports database. This must be selected prior to running Reports to ensure that there is relevant information to display results.
Syslog | Sends information to one or two UNIX Syslog facilities which log data.
See also: Logging Policies
Logging Policies Tree
Logging Policy Details
Conditions for Logging Policy Rules
Example for Creating a Logging Rule
Conditions for Logging Policy Rules
Clicking on a condition opens up the Condition details in the right pane.
Figure 6-64: Logging Policy Rules Condition Details
The Condition Details screen displays the following information with the option to make changes using the Edit > Save/Cancel options.
Field | Description
Condition Name | Displays name of Condition. If you are defining a new condition, choose the required condition from the drop-down list.
Applies To | You can select which options are to be included or excluded. In other words, you can either choose to apply this rule to everything selected below or to apply this rule to everything EXCEPT for the items selected below.
Select/Deselect All | Choose to select/deselect all the items in the Condition.
The bottom of the screen will display differently according to the Condition you have chosen.
The following Conditions are available for selection within the Logging Policy rules:
• Active Content List
• Anti-Virus (McAfee/Sophos/Kaspersky)
• Archive Errors
• Behavior Profile (Binary)
• Behavior Profile (Script)
• Binary VAD
• Content Size
• Digital Signature
• Direction
• File Extensions
• Header Fields
• IM
• Location
• Parent Archive Type
• Protocol
• Spoofed Content
• Static Content List
• Time Frame
• True Content Type
• URL Filtering (IBM/Websense)
• URL Lists
• Rule Action
See also: Logging Policies
Logging Policies Tree
Logging Policy Details
Logging Rule Details
Example for Creating a Logging Rule
Rule Action
This condition allows you the option of logging transactions when a specific end-user action is carried out:
• Allow
• Block
• Block HTTPS
• Bypass
• Coach
• Inspect Content
• User Approval
Rule Action is for Logging Rules only.
Figure 6-65: Rule Action Condition
IMPORTANT: If you want to log all end-user actions, do not include the Rule Action condition in your Logging Policy Rule.
NOTES: If you want to log more than one end-user action (but not all of them), you must add a separate rule for each action you need to the Logging Policy.
See also: Conditions for Logging Policy Rules
Logging Policies Tree
Logging Policy Details
Logging Rule Details
Example for Creating a Logging Rule
Example for Creating a Logging Rule
NOTES: When defining a Logging Rule, the conditions selected must match those of the Security Policy rule in order for the relevant transactions to appear in the Log View.
To create a Logging Rule:
1. Create a new logging policy.
2. Right-click on this Policy and select Add Rule. The New Rule screen appears.
Figure 6-66: Adding a New Logging Policy Rule
3. Enter a name for the new Logging Rule, for example, Log All Transactions with Content Size Greater than 100 MB. Enter a brief description of the logging rule in the Description box.
4. Select the Enable Rule box in order to activate the new rule.
5. In the Send To area, click the required checkboxes and click Save.
6. Right-click on the rule you have created and select Add Condition. The New Condition pane is displayed.
7. In the Condition Name drop-down menu, select Content Size.
8. In the Applies To area, select Any of the items selected below.
9. Select Greater than 100 MB from the options below.
Figure 6-67: Creating a Logging Policy Rule Condition
10. Click Save to apply changes. Next, click to commit them.
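The logging behaviour described in this section can be modelled in a few lines: the highest-priority matching rule decides what is logged and where it is sent, a condition's Applies To is either "any of the items selected" or "everything EXCEPT the items selected", a rule without a Rule Action condition logs every end-user action while logging several (but not all) actions takes one rule per action, and the Content Size Greater than 100 MB rule built in the steps above. The following Python is an added example written for this guide, not M86 code or an SWG API. The names Condition, LoggingRule, transaction and evaluate, the Content Size bucket labels, the Protocol condition on the protective-action rules and the behaviour that a transaction matching no logging rule is simply not logged are assumptions made for the example.

```python
"""Model of how an SWG Logging Policy decides what is logged and where.

Added example, not M86 code. Assumptions (the guide documents the console,
not an API): rules are checked in priority order and the first matching rule
wins; a rule matches only when all of its conditions match; a condition's
"Applies To" is either "Any of the items selected below" (include) or
"everything EXCEPT the items selected below" (exclude); a transaction that
matches no logging rule is not logged, because the only action a logging
rule has is to log.
"""
from dataclasses import dataclass, field

MB = 1024 * 1024


def transaction(action: str, protocol: str, size_bytes: int) -> dict:
    """Attribute view of a transaction that the conditions inspect.
    The Content Size buckets are constructed for this example; the console
    offers size ranges as selectable items."""
    bucket = "Greater than 100 MB" if size_bytes > 100 * MB else "100 MB or less"
    return {"Rule Action": action, "Protocol": protocol, "Content Size": bucket}


@dataclass(frozen=True)
class Condition:
    name: str              # condition type, e.g. "Rule Action"
    selected: frozenset    # the items ticked in the console
    include: bool = True   # True: any of the selected; False: everything EXCEPT them

    def matches(self, tx: dict) -> bool:
        hit = tx[self.name] in self.selected
        return hit if self.include else not hit


@dataclass
class LoggingRule:
    name: str
    send_to: frozenset     # subset of {"Archive", "Log", "Report", "Syslog"}
    conditions: list = field(default_factory=list)
    enabled: bool = True

    def matches(self, tx: dict) -> bool:
        # A disabled rule never matches; an enabled one needs every condition.
        return self.enabled and all(c.matches(tx) for c in self.conditions)


def evaluate(policy: list, tx: dict):
    """Return (rule name, Send To targets) of the highest-priority matching
    rule, or (None, empty set) when nothing matches."""
    for rule in policy:                # list order is priority order
        if rule.matches(tx):
            return rule.name, rule.send_to
    return None, frozenset()


def action_rule(name, action, protocol, targets=("Log", "Report")):
    """One rule per end-user action, as the NOTES above require when you
    want to log several actions but not all of them."""
    return LoggingRule(name, frozenset(targets), [
        Condition("Rule Action", frozenset({action})),
        Condition("Protocol", frozenset({protocol})),
    ])


def custom_policy() -> list:
    """A policy modelled on the guide: the default protective-action rules,
    the 'Content Size Greater than 100 MB' rule from the worked example, and
    a 'log all Web pages except HTTPS' rule built with an EXCEPT condition."""
    return [
        action_rule("Log All Coached Transactions", "Coach", "HTTP"),
        action_rule("Log All Blocked Transactions", "Block", "HTTP"),
        action_rule("Log all User Approval Transactions", "User Approval", "HTTPS"),
        action_rule("Log all Block HTTPS Transactions", "Block HTTPS", "HTTPS"),
        LoggingRule("Log All Transactions with Content Size Greater than 100 MB",
                    frozenset({"Log"}),
                    [Condition("Content Size", frozenset({"Greater than 100 MB"}))]),
        # No Rule Action condition here, so every end-user action qualifies;
        # the Protocol condition is "everything EXCEPT HTTPS".
        LoggingRule("Log all Web pages except HTTPS", frozenset({"Log"}),
                    [Condition("Protocol", frozenset({"HTTPS"}), include=False)]),
    ]


if __name__ == "__main__":
    policy = custom_policy()
    for tx in (transaction("Block", "HTTP", 4 * MB),
               transaction("Block", "HTTP", 300 * MB),   # two rules match; priority decides
               transaction("Allow", "HTTP", 300 * MB),
               transaction("Allow", "HTTPS", 1 * MB),    # dropped by the EXCEPT condition
               transaction("Allow", "HTTP", 1 * MB)):
        print(tx, "->", evaluate(policy, tx))
```

The second sample transaction is the one to watch: it is both blocked and larger than 100 MB, so two rules match, and only the targets of the higher-priority rule apply. If the size rule's targets were meant to apply as well, it would have to be placed above the protective-action rules.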
See also: Logging Policies
Logging Policies Tree
Logging Policy Details
Logging Rule Details
Conditions for Logging Policy Rules
Identification Policies
Identification Policies carry out the classification of an end-user to determine whether the end-user should browse through the system or not. The Identification Policy also enables the system to enforce the proper Security Policy for the end-user. The rules are based on the type of Authentication or Identification that M86 SWG will use, combined with conditions on Header Fields, IP Ranges, Port Ranges and URLs.
NOTES: For full configuration details on the Authentication feature, please refer to the User Identification and Authentication Feature Description.
Figure 6-68: Identification Policies Menu Selection
See also: Policies
Security Policies - Simplified
Assigned User Groups
Security Policies - Advanced
Master Security Policy
HTTPS Policies
Logging Policies
Device Logging Policies
Default Policy Settings
Condition Settings
Caching Policy
End User Messages
Identification Policies Tree
Identification Policy Details
Identification Rule Details
Identification Policy Rules Condition Details
Identification Policies Tree
The Identification Policies tree holds all the current Identification Policies within that definition, as well as the rules that make up these policies and the conditions that make up the rules.
Figure 6-69: Identification Policies Tree
This provides easy navigation through each Policy - displaying the components of that Policy at a glance.
Policies, rules, and conditions can be added, duplicated or deleted by right-clicking on the relevant node. M86 Security's default Identification Policies cannot be modified or deleted; however, they can be duplicated to create new customizable policies. M86 Security provides several predefined Identification Policies:
• Authentication: This Policy contains the Identify and Authenticate Users rule, whose purpose is to authenticate end-users using an Authentication Device. The rule in this policy is disabled by default. To activate it, configure an Authentication Domain via the Authentication Directories.
• Default Cloud Scanners Read Headers Policy: This policy contains the following rules:
  - Identify Branch Office Users by Headers, whose purpose is to identify the users based on the HTTP headers that have been pre-authenticated.
  - Always Identify Users by Headers, whose purpose is to identify the end-users based on pre-defined Cloud Scanner HTTP headers.
• Get User Credentials: This policy contains the Get User Credentials to Identify Users rule, whose purpose is to obtain USERID information using the NTLM protocol and the default cluster of Authentication Devices IF the end-user is NOT in the defined IP Range and Header Field lists.
• Read Headers: This policy contains the Always Identify Users by Headers rule, whose purpose is to identify the users based on the HTTP headers that have been pre-authenticated.
• Source IP Only: This Policy contains the Always Identify Users by Source IP rule, whose purpose is to identify the user by Source IP. This is the default identification action.
NOTES: For full configuration details on the Authentication feature, please refer to the User Identification and Authentication Feature Description.
See also: Identification Policies
Identification Policy Details
Identification Rule Details
Identification Policy Rules Condition Details
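The Get User Credentials policy above is the one whose logic is easiest to get wrong, because its rule fires only for clients that are NOT in the IP Range list and NOT in the Header Fields list, and everyone else has to be identified some other way. The following Python is an added example written for this guide, not M86 code or an SWG API. It assumes rules are tried in order and the first rule whose conditions all hold supplies the action, that both conditions of the rule are set to "everything EXCEPT the items selected", and that a client no rule matches falls back to Identify by Source IP, which the guide names as the default identification action. The address ranges and User-Agent values are constructed sample Condition Settings, and the names Client, IdentificationRule, identify and get_user_credentials_policy are inventions of the example.

```python
"""How an Identification Policy selects the identification action for a
client, modelled on the predefined Get User Credentials policy.

Added example, not M86 code. Assumptions: rules are tried in order and the
first rule whose conditions all match supplies the action; the IP Range and
Header Fields conditions are set to "everything EXCEPT the items selected";
a client that no rule matches gets the default action, Identify by Source IP.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed Condition Settings: IP Range (hosts that should not be sent an
# NTLM challenge) and Header Fields (User-Agent values of non-browser apps).
EXCLUDED_IP_RANGES = [ipaddress.ip_network("10.20.0.0/24"),
                      ipaddress.ip_network("192.0.2.0/24")]
EXCLUDED_HEADERS = {("user-agent", "ExampleIM/1.0"),
                    ("user-agent", "ExampleMediaPlayer/9.0")}


@dataclass
class Client:
    source_ip: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def in_ip_range(client: Client) -> bool:
    """True when the client's source address is inside a listed range."""
    addr = ipaddress.ip_address(client.source_ip)
    return any(addr in net for net in EXCLUDED_IP_RANGES)


def has_app_header(client: Client) -> bool:
    """True when the request carries one of the listed application headers."""
    return any(client.header(name) == value for name, value in EXCLUDED_HEADERS)


@dataclass
class IdentificationRule:
    name: str
    action: str          # "Get User Credentials", "Identify by Source IP", ...
    conditions: list     # predicates on a Client; Applies To sense folded in
    enabled: bool = True


def identify(policy: list, client: Client):
    """Return (rule name, action) for the first enabled rule whose conditions
    all hold; otherwise (None, default action)."""
    for rule in policy:
        if rule.enabled and all(cond(client) for cond in rule.conditions):
            return rule.name, rule.action
    return None, "Identify by Source IP"


def get_user_credentials_policy() -> list:
    """The policy's single rule as the guide describes it: NTLM against the
    default cluster only for clients NOT in the IP Range and Header Fields
    lists."""
    return [
        IdentificationRule(
            "Get User Credentials to Identify Users", "Get User Credentials",
            [lambda c: not in_ip_range(c),      # IP Range: everything EXCEPT listed ranges
             lambda c: not has_app_header(c)],  # Header Fields: everything EXCEPT app headers
        ),
    ]


if __name__ == "__main__":
    policy = get_user_credentials_policy()
    for client in (Client("10.1.1.5", {"User-Agent": "Mozilla/5.0"}),
                   Client("10.20.0.7", {"User-Agent": "Mozilla/5.0"}),   # excluded range
                   Client("10.1.1.5", {"user-agent": "ExampleIM/1.0"})):  # excluded app
        print(client.source_ip, "->", identify(policy, client))
```

A browser from an ordinary workstation gets an NTLM challenge; a host in a listed range or an application sending a listed header is left to source-IP identification. Whatever you place in those two lists is therefore also what will never be prompted for credentials, which is why the lists deserve the same review as the policy itself.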
Identification Policy Details
Clicking on any Identification Policy displays the Policy Details screen in the right pane.
Figure 6-70: Identification Policy Details
The Policy Details screen contains the following information with the option to make changes using the Edit > Save/Cancel options:
Field | Description
Policy Name | Name of the specific policy.
Authenticated By | Device making the authentication.
Description | Contains a description of the policy.
See also: Identification Policies
Identification Policies Tree
Identification Rule Details
Identification Policy Rules Condition Details
Identification Rule Details
Clicking on an Identification rule displays the Rule Details screen in the right pane.
Figure 6-71: Identification Rule Details
The Identification Rule Details screen contains the following information with the option to make changes using the Edit > Save/Cancel options.
Field | Description
Rule Name | Defines the name of the Identification rule.
Description | Contains a description of the rule.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Action | One of the following. Depending on the action taken, the options listed after this table appear.
  • Authenticate: SWG communicates with the client to get USERID information and uses an external Authentication Server to validate this information. In order to do so, various parameters must be defined.
  • Get User Credentials: SWG gets User Identification via NTLM or another method.
  • Identify by Headers: Used when a downstream device (proxy) provides user information by forwarding device-specific HTTP headers within the request.
  • Identify by Source IP: Identifies the end-user by source IP. This is the default method of identification.
Authentication Protocols | Determines the type of protocol (Basic, NTLM or Both).
Authentication Domain | Depending on the selected Action this drop-down list is displayed, which includes the customer Authentication Domains as defined in the Authentication Directories: LDAP and/or Active Directory.
Pre Authenticated Headers | Depending on the selected Action this drop-down list is displayed, which includes all headers which have been pre-authenticated as defined in Condition Settings: Pre Authenticated Headers.
See also: Identification Policies
Identification Policies Tree
Identification Policy Details
Identification Policy Rules Condition Details
Identification Policy Rules Condition Details
Clicking on a condition opens up the Condition details in the right pane.
Figure 6-72: Identification Policy Rules Condition Details
The Condition Details screen contains various options.
Field | Description
Condition Name | This displays the condition name. When creating new conditions, choose the required condition from the drop-down list.
Applies To | You can select which options are to be included or excluded. Meaning, you can either choose to apply this rule to everything selected below or to apply this rule to everything EXCEPT for the items selected below.
Select/Deselect All | Choose to select/clear all the items in the condition.
The bottom pane displays different items according to the condition you have chosen.
The following conditions are available for selection within the Identification rules:
• Destination Port Range
• Header Fields
• IP Range
• Location
• URL Lists
See also: Identification Policies
Identification Policies Tree
Identification Policy Details
Identification Rule Details
Destination Port Range
Header Fields
IP Range
Location
URL Lists
Destination Port Range
This condition is used to distinguish a client application connecting to M86 SWG by the destination port that it targets.
Figure 6-73: Destination Port Range Condition
The default rule allows the administrator to exclude a list of Port ranges. Destination Port Range can be edited via Condition Settings: Destination Port Range.
See also: Identification Policy Rules Condition Details
Header Fields
IP Range
Location
URL Lists
Header Fields
This condition is used to identify a client application connecting to M86 SWG by the User Agent or any other HTTP header name and value.
Figure 6-74: Header Fields Condition
The Header Fields list can be modified via Condition Settings: Header Fields. The table below shows the options in the Header Fields condition:
Option | Description
Content-Disposition Executable | Defines malicious exes detected as spoofed executables.
Exclude by Headers | Provides a list for customers to add headers which identify applications (such as IM etc.). In the default rule provided, these identification headers are excluded from identification.
Firefox 1.x, 2.x | Defines specific browser versions of Firefox.
Media Players | Defines Media Players header fields.
Netscape 7.x | Defines browser version of Netscape version 7.
Older and Unsafe Browsers | Defines a list of browsers based on older versions and those that are considered unsafe.
Partial Downloading | Refers to partial downloads of Internet content.
SSL | Defines SSL header fields. Pinpointing specific SSL headers enables the administrator to build specific rules regarding SSL content.
Trojans | Defines header fields suspected of being created by a Trojan Horse.
See also: Identification Policy Rules Condition Details
Destination Port Range
IP Range
Location
URL Lists
IP Range
This condition is used by the administrator to define IP address ranges that end-users may be using in order to effectively identify or authenticate them. In the default rule provided, these IP ranges are excluded from identification methods.
Figure 6-75: IP Range Condition
This list can be edited via Condition Settings: IP Range.
See also: Identification Policy Rules Condition Details
Destination Port Range
Header Fields
Location
URL Lists
Location
This condition is used to distinguish a client application connection by the location of the scanning server.
Figure 6-76: Location Condition
The table below shows the options in the Location condition:
Option | Description
Cloud | The scanning server is located in the internet cloud.
Local | The scanning server is located in the enterprise.
See also: Identification Policy Rules Condition Details
Destination Port Range
Header Fields
IP Range
URL Lists
URL Lists
This condition refers to predefined and configurable lists of URLs.
Figure 6-77: URL Lists Condition
The administrator can create new lists to identify client connections to the SWG by the URL they target. These lists can be viewed and modified via Condition Settings: URL Lists.
See also: Identification Policy Rules Condition Details
Destination Port Range
Header Fields
IP Range
Location
Device Logging Policies
Device Logging Policies log the transactions carried out by the Identification and Upstream Proxy Policies.
Figure 6-78: Identification Logging Policies Menu Selection
See also: Policies
Security Policies - Simplified
Assigned User Groups
Security Policies - Advanced
Master Security Policy
HTTPS Policies
Logging Policies
Identification Policies
Default Policy Settings
Condition Settings
Caching Policy
End User Messages
Identification Logging Policies Tree
Identification Logging Policy Details
Identification Logging Rule Details
Identification Logging Policy Rule Conditions
Identification Logging Policies Tree
The Identification Logging Policies tree holds all the current Identification Logging Policies within that definition, as well as the rules that make up these Policies and the conditions that make up the rules. This provides easy navigation through each Policy - displaying the components of that Policy at a glance.
Figure 6-79: Identification Logging Policies Tree
Policies, rules, and conditions can be added or deleted by right-clicking on the relevant node. M86 Security's default Identification Logging Policy cannot be modified or deleted; however, it can be duplicated to create new customizable policies. M86 Security provides a predefined Identification Logging Policy:
• Identification Logging Policy: This Policy contains one rule designed to log all authentication attempts that failed.
See also: Device Logging Policies
Identification Logging Policy Details
Identification Logging Rule Details
Identification Logging Policy Rule Conditions
Identification Logging Policy Details
Clicking on any Identification Logging Policy displays the Policy Details on the right pane.
Figure 6-80: Identification Logging Policy Details
The Policy Details screen displays the following information:
Field | Description
Policy Name | Name of the specific policy.
Description | Contains a description of the policy.
See also: Device Logging Policies
Identification Logging Policies Tree
Identification Logging Rule Details
Identification Logging Policy Rule Conditions
Identification Logging Rule Details
Clicking on any Identification Logging rule displays the Rule Details on the right pane.
Figure 6-81: Identification Logging Rule Details
The Identification Logging Rule Details screen contains the following information.
Field | Description
Rule Name | Defines the name of the logging rule.
Description | This provides a place for you to write a description of the rule. M86 provides pre-defined rule descriptions.
Enable Rule | When checked, the rule is enabled. When unchecked, the rule is disabled.
Send To: |
Archive | Sends log information in files to an external remote location. This must be selected to ensure that there is relevant information to archive.
Log | Sends information to the M86 log database, which can be seen via the Log View.
Report | Sends information to the M86 reports database. This must be selected prior to running Reports to ensure that there is relevant information to display results.
Syslog | Sends information to one or two UNIX Syslog facilities which log data.
See also: Device Logging Policies
Identification Logging Policies Tree
Identification Logging Policy Details
Identification Logging Policy Rule Conditions
Identification Logging Policy Rule Conditions
Each rule may include multiple conditions, all of which must be met in order for the rule to be followed.
Figure 6-82: Identification Logging Policy Rule Condition Details
The following Conditions are available for selection within the Identification Logging Policy rules:
• Authentication Cluster
• Authentication Methods
• Authentication Protocols
• Authentication Status
• Authentication Domain
• Header Fields
• IP Range
• Location
• Destination Port Range
• Pre Authenticated Headers
• URL Lists
NOTES: When defining the Identification Logging Rule, the conditions selected must match those of the Identification Policy rule in order for the relevant transactions to appear in the Log View.
See also: Device Logging Policies
Identification Logging Policies Tree
Identification Logging Policy Details
Identification Logging Rule Details
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Authentication Cluster
This logging policy rule condition applies to the clusters as used in the parameters for Authenticate or Get User Credentials actions in Identification Rule Details.
Figure 6-83: Authentication Cluster Condition
See also: Identification Logging Policy Rule Conditions
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Authentication Domain
This logging policy rule condition applies to the Domains (identifying names for Authentication Server) as used in the parameters for Authenticate or Get User Credentials actions in Identification Rule Details.
Figure 6-84: Authentication Domain Condition
NOTES: Prior to using the Authentication Domain condition you must first define the Domains used at your site; see Authentication Server and Authentication for configuration instructions.
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Authentication Methods
This condition details the four authentication methods defined in the Action field in Identification Rule Details. This condition can be used to include or exclude the authentication methods for logging purposes.
Figure 6-85: Authentication Methods Condition
The table below shows the options in the Authentication Methods condition.
Option | Description
Authenticate | M86 SWG communicates with the client to get USERID information and uses an external Authentication Server to validate this information.
Get user credentials | M86 SWG gets user identification via NTLM or another such method.
Identify by headers | Identifies the end-user according to the Header (HTTP).
Identify by source IP | Identifies the end-user by source IP.
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Authentication Protocols
This condition logs the protocols used for authentication (Basic, NTLM or both).
Figure 6-86: Authentication Protocols Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Authentication Status
This condition logs the failed status of authentication attempts.
Figure 6-87: Authentication Status Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Header Fields
This logging rule condition covers the Header Fields as detailed in Header Fields.
Figure 6-88: Header Fields Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
IP Range
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
IP Range
This logging rule condition covers the IP ranges as detailed in IP Range.
Figure 6-89: IP Range Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
Location
Destination Port Range
Pre Authenticated Headers
URL Lists
Location
This condition is used to distinguish a client application based on the location of the scanning server.
Figure 6-90: Location Condition
The table below shows the options in the Location condition:
Option | Description
Cloud | The scanning server is located in the internet cloud.
Local | The scanning server is located in the enterprise.
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Destination Port Range
Pre Authenticated Headers
URL Lists
Destination Port Range
This logging rule condition covers the Destination Port ranges as detailed in Destination Port Range.
Figure 6-91: Destination Port Range Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Pre Authenticated Headers
URL Lists
Pre Authenticated Headers
This logging rule condition applies to the Pre Authenticated headers as used in the Identify by headers action in Identification Rule Details.
Figure 6-92: Pre Authenticated Headers Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
URL Lists
URL Lists
This logging rule condition covers the URL Lists as detailed in URL Lists.
Figure 6-93: URL Lists Condition
See also: Identification Logging Policy Rule Conditions
Authentication Cluster
Authentication Methods
Authentication Protocols
Authentication Status
Authentication Domain
Header Fields
IP Range
Location
Destination Port Range
Pre Authenticated Headers
Upstream Proxy
The Upstream Proxy Policy screen allows administrators to configure upstream proxy settings for traffic scanned by the SWG system. To allow for more thorough configurations, multiple Upstream Proxy policies can be defined, although the default Upstream Proxy is (Direct). This allows direct access to the internet in every situation. As such, the default component is non-editable.
Upstream Proxy Policies are built as follows:
• Policies are compiled from rules
• Rules are based on Conditions
• A Policy may be assigned to one user or user group that passes through a specific device
NOTES: Rules and Conditions must be configured prior to adding a policy, to ensure that the proper options are available per policy. Refer to the Condition Settings: Upstream Proxy for more information.
The right-click menu option in the Upstream Proxy Policies tree allows you to Add a Policy. Once a new policy is created, you can add rules, or delete / duplicate the policy:
Field Name | Description
Client IP Header | Header information for user identifiers supplied by an upstream proxy.
User Name Header | Specifies the User Name in the Header Field.
Protocol |
Protocol - IP Address - Port - Active | For each protocol (HTTP, HTTPS, FTP) click Active and add the required IP address. To use the same proxy for all protocols, select Use for all protocols.
To Add Upstream Proxy Policy:
1. Right click the Policies node in the left tree pane, or click and select Add Policy.
2. Define the Policy Name and give it a detailed description. Click Save.
3. Right click the
Figure 6-94: Upstream Proxy
Default Policy Settings
In the Default Policy Settings screen you can define options relating to the Security, HTTPS and Logging Policies.
Figure 6-95: Default Policy Settings Screen Enable Emergency Policy - Setting Emergency Policies here assigns them to all Users and overrides any other Security Policies individually set per User or per User Group. •From the Emergency Policy drop-down list, select the policy to be used as an emergency policy. •From the Emergency HTTPS Policy drop-down list, select the policy to be used as an emergency HTTPS policy. Default Policy Values - The default Security, Logging and HTTPS policies are set here and will automatically be assigned to users in the system if no other Policies have been assigned to them in the Users tab. They will also be assigned automatically to unknown users. •From the Master Policy drop down list, select one of the policies to be used as the Security policy by default. The empty option is the default value provided by the system.
• From the Security Policy drop-down list, select one of the policies to be used as the Security policy by default. The M86 Security Strict Security Policy is the default value provided by the system.
• From the Logging Policy drop-down list, select one of the policies to be used as the Logging policy by default. The Log All Protective Actions policy is the default value provided by the system.
• From the HTTPS Policy drop-down list, select one of the policies to be used as the HTTPS policy by default. The M86 Security HTTPS Policy is the default value provided by the system.
NOTES: The policies you define here will be the values referred to in User Groups and LDAP Groups.
See also: Policies, Security Policies - Simplified, Assigned User Groups, Security Policies - Advanced, Master Security Policy, HTTPS Policies, Logging Policies, Identification Policies, Device Logging Policies, Condition Settings, Caching Policy, End User Messages
Condition Settings
Many of the Policy Rule Conditions have configurable values and can be tweaked to fine-tune the Policies to match your organization’s needs. The following Condition Settings are available for editing:
• Condition Settings: Active Content List
• Condition Settings: Archives
• Condition Settings: Binary Behavior
• Condition Settings: Content Size
• Condition Settings: Data Leakage Prevention
• Condition Settings: Destination Port Range
• Condition Settings: File Extensions
• Condition Settings: Header Fields
• Condition Settings: HTTPS Certificate Validation
• Condition Settings: IP Range
• Condition Settings: Pre Authenticated Headers
• Condition Settings: Script Behavior
• Condition Settings: Time Frame
• Condition Settings: URL Lists
• Condition Settings: Vulnerability Anti.dote
See also: Policies, Security Policies - Simplified, Assigned User Groups, Security Policies - Advanced, Master Security Policy, HTTPS Policies, Logging Policies, Identification Policies, Device Logging Policies, Default Policy Settings, Caching Policy, End User Messages, Available Condition Settings Tree Options, and the Condition Settings topics listed above
Available Condition Settings Tree Options
The following right-click options are available for each of the Condition Settings:
Action Description
Add Component Available from top level folder only. Allows you to create a new Condition Component.
Delete Component Available from specific Component. Allows you to delete a Component.
Duplicate Component Only available from M86 Security pre-defined profiles. Allows you to duplicate a Component and then select required options.
For each Condition Setting, further right-click options are provided for additional functionality. (Access these options either through the right-click menu or the left tree pane icons.)
NOTES: Condition options are dependent upon the specific condition component.
They include:
Action Description
Delete List: Available from a specific URL List component. Deletes the list.
Import to List: Available from a specific component. Imports many URL addresses into a list. Please refer to Generating a New Item in a URL List.
Export to File: Available from a specific component. Exports the URL addresses within a list to a file, which can then be edited, printed, imported, etc.
Delete all Items: Available from a specific component. Deletes all the URL addresses in the list shown in the right pane.
Used In: Available for all components. Allows the administrator to see in which policies and rules this particular condition is used.
The Used In option allows the administrator, for every condition item, to determine in what rules and policies it is used.
To access the Used In data
Navigate in the Management Console to Policies > Condition Settings and select the specific condition component. For example:
1. Policies > Condition Settings > Data Leakage Prevention.
2. Right-click the component, or click the icon in the furthest left pane, and select Used In.
3. The Used In screen appears:
Figure 6-96: Condition Component - Used In
4. Rules may contain numerous components and policies may contain various rules. To view the policies in which this item is used, and the rules belonging to the policy, click a specific record and select either Navigate to Policy page or Navigate to Rule page.
5. The selected screen opens for viewing.
6. Return to the Used In screen by navigating through Policies > Condition Settings > to the specific component.
See also: Condition Settings, Condition Settings: Active Content List, Condition Settings: Archives, Condition Settings: Binary Behavior, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote
Condition Settings: Active Content List
The system identifies Java Applets, ActiveX controls and executable files when they enter the system, and creates a signature for each file. These signatures are stored in the system for caching purposes. A list of these items, the Auto-Generated list, is generated automatically. This list cannot be used in a rule, but items from it may be moved to the following two lists (or to any new list that you create with the Add List right-click menu option) in order to create exceptions as rule conditions:
• Allowed – move trusted items from the Auto-generated list to the Allowed list.
• Blocked – move questionable objects from the Auto-generated list to the Blocked list.
Click any piece of Active Content to display information about it.
Condition Settings Tree Options
For every condition component, an administrator can use the Used In option to determine in what rules and policies a specific condition is used. This function is found in either the right-click options list or the left tree pane icons. The procedure is the same as described under Available Condition Settings Tree Options: navigate to Policies > Condition Settings > Active Content List, right-click the component (or click the icon in the furthest left pane), select Used In, and in the Used In screen click a specific record and choose Navigate to Policy page or Navigate to Rule page.
Add List:
Creating a new Active Content List allows you to move items from other lists, including the Auto-Generated list, to the newly created one. The right pane therefore supplies only a Name field. After a new list has been added, refer to Moving Between Active Content Lists to populate it with items. For example:
1. Right-click the top-level Active Content List node in the left tree pane, or click the icon, and select Add List.
2. Give the new list a name such as “Custom List”. Click OK.
See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Archives, Condition Settings: Binary Behavior, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote, Moving Between Active Content Lists, Auto-Generated List Settings
Moving Between Active Content Lists
M86 Security has provided an Allowed and Blocked list for you to move Active Content items to.
To move an entry from one Active Content list to another:
1. Select a component from the Active Content tree, for example, the Auto-generated list.
2. Click Edit to enable changes.
Figure 6-97: Moving between Active Content Lists
3. Use the checkboxes to select all the entries you want to move.
4. In the To drop-down list, choose the list you want to move the entries to, for example, the Blocked list.
5. Click Save to apply the changes, then commit them.
NOTES: Moving these objects into other lists, or changing their status between Blocked and Allowed, affects your Security Policy if these lists are selected in rule conditions.
See also: Condition Settings: Active Content List, Auto-Generated List Settings
Auto-Generated List Settings
The Auto-Generated list is populated automatically with the Java Applets, ActiveX controls and executable files that enter the system. The following options are available for the Auto-Generated List.
Field Description
List Name: Displays the list name: Auto-generated.
Find All: Enter a search term in this field.
Plus Icon: Expands an entry to show more detail.
Search: Click Go after entering a search term in the Find All field to return the entries matching your search term.
Clear: Clears the search results and restores the full Auto-generated list.
Previous/Next: Moves through the pages of entries in the list.
Checkbox: Select one or more entries (or all entries) to move to another list.
To: Select the list to move the selected entries to. Click Save to move the entries.
Delete after x days: Defines the number of days after which Active Content in this list is deleted.
Maximum number of profiles: Defines the maximum number of entries left in the list after the daily cleanup (at midnight), after which the list fills up again.
See also: Condition Settings: Active Content List Moving Between Active Content Lists
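As an added illustration (not part of the original guide and not SWG code), the following models the behaviour described in the last two sections: objects are identified by a content signature, only entries that have been moved into a named list (Allowed, Blocked or a custom list) act as rule conditions, and the daily cleanup first expires Auto-generated entries older than Delete after x days and then trims the list to Maximum number of profiles. The SHA-256 signature, the sample objects and the dates are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed objects standing in for a Java applet, an ActiveX control and an
# executable passing through the gateway.
SAMPLES = {
    "applet": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
    "activex": b"MZ" + b"ocx" * 20,
    "exe": b"MZ" + b"exe" * 20,
}


def signature(data: bytes) -> str:
    """Content signature for an object. SHA-256 is an assumption; the guide
    does not say which digest the appliance uses."""
    return hashlib.sha256(data).hexdigest()


class ActiveContentLists:
    """The Auto-generated list plus the named lists (Allowed, Blocked and any
    custom list) that can be referenced from rule conditions."""

    def __init__(self):
        self.auto_generated = {}                 # signature -> (first_seen, kind)
        self.lists = {"Allowed": set(), "Blocked": set()}

    def observe(self, kind: str, data: bytes, seen_at: datetime) -> str:
        """Record a newly seen object. Anything already classified in a named
        list is left there; otherwise it lands in the Auto-generated list."""
        sig = signature(data)
        classified = any(sig in members for members in self.lists.values())
        if not classified and sig not in self.auto_generated:
            self.auto_generated[sig] = (seen_at, kind)
        return sig

    def move(self, sig: str, to_list: str) -> None:
        """Move an entry to a named list, creating a custom list on demand."""
        self.lists.setdefault(to_list, set())
        self.auto_generated.pop(sig, None)
        for members in self.lists.values():
            members.discard(sig)
        self.lists[to_list].add(sig)

    def verdict(self, data: bytes):
        """Name of the list an object's signature belongs to, or None. Only
        named lists act as conditions; the Auto-generated list never does."""
        sig = signature(data)
        for name, members in self.lists.items():
            if sig in members:
                return name
        return None

    def daily_cleanup(self, now: datetime, delete_after_days: int, max_entries: int) -> int:
        """Apply the Auto-generated list settings: expire entries older than
        'Delete after x days', then keep only the newest 'Maximum number of
        profiles'. Returns the number of entries left."""
        cutoff = now - timedelta(days=delete_after_days)
        fresh = [(sig, v) for sig, v in self.auto_generated.items() if v[0] >= cutoff]
        fresh.sort(key=lambda item: item[1][0], reverse=True)
        self.auto_generated = dict(fresh[:max_entries])
        return len(self.auto_generated)
```

The point the model makes explicit: a verdict is keyed on the object's content, not on the URL it came from, so a blocked control stays blocked wherever it is hosted, and an object that was never moved out of the Auto-generated list has no effect on policy at all.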
Condition Settings: Archives
An archive file is a file that contains other files: a bundle of files packaged together. Groups of files that belong together are archived because it is easier to move one bundled file from one place to another than to transfer many individual files one at a time. In the Archives tab you can configure the number of files bundled together, the number of archives nested within archives, and the size of the extracted content. Supported archives include Zip, GZip, RAR, CAB, BZ2 and TAR. The following table provides more information on the Archive Engine fields:
Field Name: Description (Default; Allowed Values)
Archive Depth: Configures the maximum depth level of nested archives. (Default: 5; Allowed: 1 - 64000)
Maximum Entries in Container: Configures the maximum number of entries allowed per archive. If the number of entries exceeds this amount, the container is not scanned or forwarded. (Default: 2000; Allowed: 1 - 4500000000)
Maximum Extracted Content Size: Determines the maximum size of the extracted content. (Default: 1073741820 bytes; Allowed: 1 - 4000000000 bytes)
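The three limits exist to stop decompression bombs: a container of a few kilobytes can expand to gigabytes, or hold thousands of archives nested inside each other, and a scanner that extracts without limits exhausts its own disk and memory. The added example below (illustrative Python, not the SWG archive engine) walks a zip archive recursively and enforces Archive Depth, Maximum Entries in Container and Maximum Extracted Content Size, using the table's defaults. It measures the extracted size on the bytes actually produced by decompression rather than on the container, which is the same point the Content Size note makes later about containers. The helper that builds nested zips produces constructed test data.

```python
import io
import zipfile


class ArchiveLimitExceeded(Exception):
    """Raised on the first limit breached; the container should then be
    neither scanned further nor forwarded."""


def inspect_zip(data: bytes, max_depth=5, max_entries=2000,
                max_extracted=1073741820, _depth=1, _running=None) -> int:
    """Walk a zip (and zips nested inside it) enforcing the three Archives
    limits, with the defaults from the table. Returns the total number of
    bytes produced by decompression across all nesting levels."""
    if _depth > max_depth:
        raise ArchiveLimitExceeded(f"archive depth {_depth} exceeds {max_depth}")
    running = _running if _running is not None else [0]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise ArchiveLimitExceeded(f"{len(infos)} entries exceeds {max_entries}")
        for info in infos:
            # The declared size lets us fail fast, but a hostile header can lie,
            # so the binding check is on the bytes actually produced below.
            if running[0] + info.file_size > max_extracted:
                raise ArchiveLimitExceeded("declared extracted size exceeds limit")
            content = bytearray()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(65536)
                    if not chunk:
                        break
                    running[0] += len(chunk)
                    if running[0] > max_extracted:
                        raise ArchiveLimitExceeded("extracted content exceeds limit")
                    content += chunk
            if content[:4] == b"PK\x03\x04":   # a nested archive: recurse one level deeper
                inspect_zip(bytes(content), max_depth, max_entries, max_extracted,
                            _depth + 1, running)
    return running[0]


def check_zip(data: bytes, **limits) -> str:
    """Return 'ok' or the reason the container is refused."""
    try:
        inspect_zip(data, **limits)
        return "ok"
    except ArchiveLimitExceeded as exc:
        return str(exc)
    except zipfile.BadZipFile:
        return "not a valid zip"


def make_zip(members: dict) -> bytes:
    """Constructed test data: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels: int, payload: bytes = b"x" * 1000) -> bytes:
    """Constructed test data: a zip wrapped inside a zip, `levels` deep."""
    data = make_zip({"payload.bin": payload})
    for level in range(levels - 1):
        data = make_zip({f"level{level}.zip": data})
    return data


if __name__ == "__main__":
    print(check_zip(nested_zip(3)))               # ok
    print(check_zip(nested_zip(3), max_depth=2))  # refused: archive depth 3 exceeds 2
```

The extracted-size counter is shared across nesting levels on purpose: a bomb that stays under the limit at every single level but multiplies across levels is still caught, which a per-archive check would miss.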
See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Active Content List, Condition Settings: Binary Behavior, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote
Condition Settings: Binary Behavior
M86's binary behavior engine checks security behaviors and profiles that are a subset of all available behaviors. The behaviors are examined by inspecting the binary's exposed mechanisms, which define the interfaces it requires from the system and which can be detected and filtered by the groups defined below. By translating the organizational security policy into the behaviors defined in a binary behavior profile, adequate protection and implementation of the security policy can be achieved. The behavior groups are created by security experts from M86's Malicious Code Research Center (MCRC) and fed into the Binary Behavior Profile, enabling the identification of malicious active content that defies the standard organizational security policy. M86 provides a Default Binary Behavior Profile, which displays the following tabs:
• Automatic Execution and Termination
• File Access
• Registry Access
• Network Access
• Minor Risk Operations
• Disclosure of Information
• Java Runtime
• Change Settings
• System Settings
• General
• Other Running Applications
Condition Settings Tree Options
The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used. The procedure is the same as described under Available Condition Settings Tree Options: navigate to Policies > Condition Settings > Binary Behavior, right-click the component (or click the icon in the furthest left pane), select Used In, and in the Used In screen click a specific record and choose Navigate to Policy page or Navigate to Rule page.
See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Active Content List, Condition Settings: Archives, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, System Settings, General, Other Running Applications
Automatic Execution and Termination
The following Automatic Execution options are considered unsafe when performed by ActiveX and Executables:
Automatic Execution Description
Create Process: Potential misuse of a function used to create system processes.
Dynamic Link Library Invocation Functions: Access to external DLL files in order to gain additional functionality by ActiveX.
Terminate Process: The binary file contains a reference to a process termination operation.
Unresolved Library Access: An attempt to access a library of functions that cannot be resolved directly.
The following Automatic Execution options are considered unsafe when performed by Java Applets:
Automatic Execution Description
Access Other Accessing applications outside the context of the Applications applet is considered a security violation. Applets are usually self-contained and do not need access to other applications.
Create Process Potential misuse of function, which is used to create system processes
Load Class Potential misuse of function which is used to load/ locate external Java program
Load Library Potential misuse of function which is used to load library (external library which contains program codes)
Remote Method Invocation: An attempt to call a method on a remote object accessible over the network (internal or external)
System Commands: The binary file contains a reference to system commands (execute, schedule processes, etc.)
Terminate Process: The binary file contains a reference to a process termination operation
See also: Condition Settings: Binary Behavior, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, System Settings, General, Other Running Applications
File Access
The following File Access options are considered unsafe when performed by ActiveX and Executables:
File Access Description
File Delete Potential misuse of local privileged functions for file/ directory remove
File Read Potential misuse of local privileged functions for file read, data read
File Write Potential misuse of local privileged functions which write data to a file (audio, text or binary types)
The following File Access options are considered unsafe when performed by Java Applets:
File Access Description
File Create Potential misuse of local privileged functions as File Create/File Copy
File Write Potential misuse of local privileged functions which write data to a file (audio, text or binary types)
File Delete Potential misuse of local privileged functions for file/ directory remove
File Read Potential misuse of local privileged functions for file read, data read
File Query Potential misuse of local privileged functions for file read, open file, querying files parameters, etc.
File Rename Potential misuse of local privileged functions for file rename
See also: Condition Settings: Binary Behavior Automatic Execution and Termination Registry Access Network Access Minor Risk Operations Disclosure of Information Java Runtime Change Settings System Settings General Other Running Applications
Registry Access
The following Registry Access options are considered unsafe when performed by Java Applets as well as by ActiveX and Executables:
Registry Access Description
Registry Delete Potential misuse of local privileged functions for deleting registry key/value
Registry Read Potential misuse of local privileged functions for reading registry key/value
Registry Write Potential misuse of local privileged functions for writing/changing registry key/ value
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, System Settings, General, Other Running Applications
Network Access
The following Network Access options are considered unsafe when performed by ActiveX and Executables:
Network Access Description
Bluetooth Networking: Potential misuse of local privileged functions such as sending an authentication request to a remote Bluetooth device or retrieving information on a remote Bluetooth device
DNS Functions Potential misuse of local privileged functions that use DNS Client API, such as DNS query, record compare, etc.
Network Connect Potential misuse of local privileged functions in order to connect to other network elements such as functions that use HTTP client API to send requests through HTTP protocol to other HTTP servers, etc.
Network Listen Potential misuse of local privileged functions calls in order to access network services (e.g. listen for incoming connection)
Network Receive Potential Misuse of local privileged functions calls in order to access network services (e.g. retrieving content/data from other resources such as retrieving file from FTP server)
Network Send Potential misuse of local privileged functions calls in order to access network services (e.g. send network commands)
The following Network Access options are considered unsafe when performed by Java Applets.
Network Access Description
Network Receive Suspected network behavior such as open socket, receiving data packets
Network Resolve Suspected network behavior such as communicating with DNS server, getting host information, etc.
Network Send Suspected network behavior such as open socket, sending data packets
Open Socket Suspected network behavior such as open socket for communication (for data packet transfer)
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, System Settings, General, Other Running Applications
Minor Risk Operations
The following Minor Risk Operations options are considered unsafe when performed by ActiveX and Executables:
Minor Risk Operations Description
Potentially Dangerous Memory Management Functions: Changing the way that an application uses the system memory may result in a crash or the disclosure of sensitive data.
Potentially Dangerous Process-Debugging Functions: Process debugging functions may be used to reveal information from the system and alter the execution logic of the debugged applications.
The following Minor Risk Operations options are considered unsafe when performed by Java Applets:
Minor Risk Operations Description
CORBA Connection An attempt to create or manage a CORBA connection (Common Object Request Broker Architecture). This may utilize functionality that is provided remotely by an external object.
Memory Write An attempt to write data to a mapped memory segment.
Database Access Functionality related to database access activity.
Print Access Indicated access to printing functionality within the application.
Exit Browser Terminates the browser session.
Use Reflection Provides functionality to query existing applications and objects by examining them and gathering functionality information.
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Disclosure of Information, Java Runtime, Change Settings, System Settings, General, Other Running Applications
Disclosure of Information
The following Disclosure of Information options are considered unsafe when performed by Java Applets:
Disclosure of Information Description
Access Clipboard Potential misuse of local privileged functions such as reading computer clipboard and revealing sensitive information
Access Cookies Potential misuse of local privileged functions such as reading Internet cookies which might allow remote user to access bank accounts/ web based email, etc.
Enumerate Printer Connections: Potential misuse of local privileged functions such as mapping or removing printer connections
Get User Information Potential misuse of local privileged functions such as getting specific user information (user name, system name, etc.)
Keystrokes Potential misuse of local privileged functions such as logging of keystrokes which might reveal user’s password
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Java Runtime, Change Settings, System Settings, General, Other Running Applications
Java Runtime
The following Java Runtime options are considered unsafe when performed by Java Applets, since by using them an attacker may remove security restrictions:
Java Runtime Description
Set Class Loader Potential misuse of function in order to locate, run Java program
Set Properties Potential misuse of function which might change the current working environment
Set Security Manager Potential misuse of function in order to set system’s security
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Change Settings, System Settings, General, Other Running Applications
Change Settings
The following Change Settings options are considered unsafe when performed by ActiveX and Executables:
Change Settings Description
Change Network Systems: Potential misuse of local privileged function calls in order to change network settings (e.g. using HTTP server API functions)
Change System Settings: Potential misuse of local privileged functions in order to change system settings (e.g. shell commands, network programming)
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, System Settings, General, Other Running Applications
System Settings
The following System Settings options are considered unsafe when performed by Java Applets:
System Settings Description
Change Printer Connections: Attempt to change printer connections, which may lead to disclosure of data
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, General, Other Running Applications
General
The following General options are considered unsafe when performed by ActiveX and Executables:
General Description
Database Access: Potential misuse of local privileged functions which allow accessing a database
Exit Windows: Potential misuse of local privileged functions which perform system shutdown, lock the workstation, etc.
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, System Settings, Other Running Applications
Other Running Applications
The following Other Running Applications options are considered unsafe when performed by ActiveX and Executables:
Other Running Applications Description
Code Injection into Running Process: Potential misuse of local privileged functions which allow, for example, creating a thread that runs in the virtual address space of another process
Sending Messages to other Applications: Potential misuse of local privileged functions which allow sending messages to a specific system process/procedure on the local machine, etc.
The Higher Sensitivity Binary Behavior Profile contains the same profile information. However, in that profile all the options are checked.
See also: Condition Settings: Binary Behavior, Automatic Execution and Termination, File Access, Registry Access, Network Access, Minor Risk Operations, Disclosure of Information, Java Runtime, Change Settings, System Settings, General
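The profiles above work from the interfaces a binary declares it needs rather than from running it. As an added illustration of that idea (not M86 code and not the MCRC behaviour definitions), the following parses only the constant pool of a Java class file, collects the methods it references, and maps them onto the Java Applet behaviour labels used in the tables above; a profile is then just the set of boxes that are checked. The API-to-behaviour mapping, the class file builder that produces the constructed sample input, and the choice of which boxes a profile checks are all assumptions made for the example.

```python
import struct

# Assumption (not from the guide): which Java APIs count as evidence of each
# behaviour. Keys are the Java Applet behaviour labels from the tables above.
BEHAVIOURS = {
    "Create Process": {("java/lang/Runtime", "exec")},
    "Load Library": {("java/lang/System", "loadLibrary"), ("java/lang/Runtime", "loadLibrary")},
    "Load Class": {("java/lang/Class", "forName"), ("java/lang/ClassLoader", "loadClass")},
    "Set Security Manager": {("java/lang/System", "setSecurityManager")},
    "Set Properties": {("java/lang/System", "setProperty"), ("java/lang/System", "setProperties")},
    "Open Socket": {("java/net/Socket", "<init>")},
    "Network Resolve": {("java/net/InetAddress", "getByName")},
    "Access Clipboard": {("java/awt/Toolkit", "getSystemClipboard")},
    "Use Reflection": {("java/lang/Class", "getDeclaredMethods"), ("java/lang/reflect/Method", "invoke")},
}

# Constant-pool tags (JVM specification, section 4.4) and the byte size of the
# fixed-width entries; Utf8 entries are variable length and handled separately.
UTF8, CLASS, METHODREF, NAME_AND_TYPE = 1, 7, 10, 12
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
               15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def referenced_methods(class_bytes: bytes) -> list:
    """Parse only the constant pool of a .class file and return the sorted
    (class, method) pairs it references through Methodref entries. This is the
    static view of the interfaces the applet requires from the runtime."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = [None] * count, 10, 1
    while i < count:
        tag = class_bytes[off]
        off += 1
        if tag == UTF8:
            (length,) = struct.unpack_from(">H", class_bytes, off)
            pool[i] = class_bytes[off + 2:off + 2 + length].decode("utf-8")
            off += 2 + length
        else:
            pool[i] = (tag, class_bytes[off:off + FIXED_SIZES[tag]])
            off += FIXED_SIZES[tag]
        i += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    refs = set()
    for entry in pool[1:]:
        if isinstance(entry, tuple) and entry[0] == METHODREF:
            class_idx, nat_idx = struct.unpack(">HH", entry[1])
            (name_idx,) = struct.unpack(">H", pool[class_idx][1])
            method_idx, _desc_idx = struct.unpack(">HH", pool[nat_idx][1])
            refs.add((pool[name_idx], pool[method_idx]))
    return sorted(refs)


def flagged_behaviours(class_bytes: bytes, enabled=None) -> list:
    """Behaviours triggered by the class, restricted to the `enabled` set (the
    checked boxes of a profile; None means every box checked, as in the
    Higher Sensitivity profile)."""
    refs = set(referenced_methods(class_bytes))
    return [name for name, apis in BEHAVIOURS.items()
            if apis & refs and (enabled is None or name in enabled)]


def build_class(calls: list) -> bytes:
    """Constructed sample input: a .class file whose constant pool references
    the given (class, method, descriptor) triples, followed by an empty class
    body. It is enough for the parser above, not a loadable class."""
    entries = []

    def add(encoded: bytes) -> int:
        entries.append(encoded)
        return len(entries)          # constant-pool indices are 1-based

    def utf8(text: str) -> int:
        raw = text.encode("utf-8")
        return add(struct.pack(">BH", UTF8, len(raw)) + raw)

    for cls, method, desc in calls:
        class_idx = add(struct.pack(">BH", CLASS, utf8(cls)))
        nat_idx = add(struct.pack(">BHH", NAME_AND_TYPE, utf8(method), utf8(desc)))
        add(struct.pack(">BHH", METHODREF, class_idx, nat_idx))
    this_class = add(struct.pack(">BH", CLASS, utf8("SampleApplet")))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, len(entries) + 1)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    body = struct.pack(">HHHHHHH", 0x0021, this_class, 0, 0, 0, 0, 0)
    return header + b"".join(entries) + body
```

The limitation is the same one any static behaviour profile has: code that reaches the API through reflection or a loaded library shows up only as Use Reflection or Load Library, which is precisely why those two appear as behaviours in their own right.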
Condition Settings: Content Size
Content size refers to the amount of content being scanned. These content size values can be selected as a Condition to be included in your Policy Rules, thereby preventing very large files from entering or leaving your organization. The predefined content sizes cannot be modified. However, new Content Size lists can be created.
NOTES: For containers, the content size refers to the size of the files once extracted from the container. So while the actual container might be smaller than the size you defined, it could still be blocked.
Condition Settings Tree Options
The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used. The procedure is the same as described under Available Condition Settings Tree Options: navigate to Policies > Condition Settings > Content Size, right-click the component (or click the icon in the furthest left pane), select Used In, and in the Used In screen click a specific record and choose Navigate to Policy page or Navigate to Rule page.
See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Active Content List, Condition Settings: Archives, Condition Settings: Binary Behavior, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote, Generating a Content Size
Generating a Content Size
To generate a Content Size:
1. Right-click the top-level heading Content Size and select Add Component.
2. Enter an appropriate Content Size name.
3. Enter the required Content Size.
4. Click Save to apply the changes, then commit them.
5. If you need to modify this component in the future, select Edit and make your changes.
See also: Condition Settings: Content Size
Condition Settings: Data Leakage Prevention
Data loss is of great concern to corporate security. M86 SWG specializes in scanning web content, and so provides the ability to monitor and prevent specific types of data leakage. The intention is to protect information such as customer records, financial information or intellectual property from leaving the company network. Data leakage prevention (DLP) capabilities should also assist companies in demonstrating regulatory compliance, such as HIPAA, CISP, etc.
NOTES: M86 provides Data Leakage prevention and monitoring capabilities for web protocols only. Email and other protocols are not handled unless specifically mentioned. For DLP, SWG can scan the HTTP, HTTPS and FTP protocols for the textual parts of documents. The document is split into multiple parts, such as:
• Document body
• Document metadata, for example Microsoft Word document properties such as Author and Comments
• Headers/Footers
NOTES: FTP will only be scanned for incoming content.
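The split into document parts matters because sensitive text often hides where the author never looks: the Author property, a Comments field or a footer. To show that concretely, the following added example (illustrative Python, not the SWG DLP engine) takes an Office Open XML (.docx) package, extracts the body, the header/footer parts and the core metadata as separate strings, and evaluates a Boolean DLP condition built from And, Or and Not over phrases and regular expressions, reporting which part produced the hit. The package builder produces constructed sample data, and the tuple-based condition syntax is an assumption for the example, not the syntax of the console's Condition Editor.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def extract_parts(docx: bytes) -> dict:
    """Split a .docx package into the parts a DLP scan inspects separately:
    body text, header/footer text and the core metadata properties
    (Author is dc:creator, Comments is dc:description in docProps/core.xml)."""
    parts = {"body": "", "headers_footers": "", "metadata": ""}
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue   # images and other binary parts carry no text
            text = " ".join(t.strip() for t in ET.fromstring(zf.read(name)).itertext() if t.strip())
            if name == "word/document.xml":
                parts["body"] = text
            elif name.startswith(("word/header", "word/footer")):
                parts["headers_footers"] = (parts["headers_footers"] + " " + text).strip()
            elif name == "docProps/core.xml":
                parts["metadata"] = text
    return parts


def evaluate(cond, parts: dict) -> bool:
    """Evaluate a Boolean DLP condition against the document parts.
    Leaves: ("text", phrase) is a case-insensitive substring match and
    ("regex", pattern) a regular-expression search; a leaf is satisfied by a
    hit in any part. Nodes: ("and", ...), ("or", ...), ("not", x)."""
    op = cond[0]
    if op == "and":
        return all(evaluate(c, parts) for c in cond[1:])
    if op == "or":
        return any(evaluate(c, parts) for c in cond[1:])
    if op == "not":
        return not evaluate(cond[1], parts)
    if op == "text":
        return any(cond[1].lower() in text.lower() for text in parts.values())
    if op == "regex":
        return any(re.search(cond[1], text) is not None for text in parts.values())
    raise ValueError(f"unknown operator {op!r}")


def matching_parts(cond, parts: dict) -> list:
    """Parts that satisfy the condition on their own, so an analyst can tell a
    hit in the visible body from one hidden in the Author or Comments field."""
    return [name for name, text in parts.items() if evaluate(cond, {name: text})]


def make_docx(body: str, header: str, author: str, comments: str) -> bytes:
    """Constructed sample: the minimum package layout that carries text in the
    three locations; sufficient for the scanner, not a complete Word file."""
    def para(text):
        return f"<w:p><w:r><w:t>{text}</w:t></w:r></w:p>"
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:creator>{author}</dc:creator><dc:description>{comments}</dc:description>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W}"><w:body>{para(body)}</w:body></w:document>')
        zf.writestr("word/header1.xml", f'<w:hdr xmlns:w="{W}">{para(header)}</w:hdr>')
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

A leaf matches if any part contains it, so an And condition can be satisfied by one term in the body and another in the metadata; matching_parts is what tells an analyst reviewing a hit that the card number was in the Comments property rather than in the text the user believed they were sending.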
The supported file types are:
• Microsoft Office
  • MS Word 2003 and 2007 (Binary), 2007 (XML)
  • MS Excel 2003 (Binary) and 2007 (XML)
  • RTF
• Adobe PDF
The DLP rule builder enables the administrator to create, on the fly, rules which are a textual representation of the type of information that is not allowed to leave the company's network.
Confidential Information:
The Confidential Information condition is a default condition supplied by the SWG that incorporates a multi-language built-in condition, used in a DLP rule in X-ray mode within a default policy. The Confidential Information condition is pre-set to identify potentially harmful data.
The condition is editable by selecting it and then clicking Edit. Click Save to commit changes.
 Creating a Data Leakage Prevention Condition: 1. Navigate to Policies > Condition Settings > Data Leakage Prevention. 2. To Create a new Filter Condition, right click the Data Leakage Prevention node and select Add filter condition (You can use the left toolbar to do the same action by clicking on the icon). 3. Enter the condition name In the Data Leakage Prevention Name field. 4. When creating a new condition, the screen opens in the Condition Editor mode. Click Condition Builder to switch to the Condition Builder mode. For further information see DLP Condition Editor and Builder.
NOTES: All rules which are built using the condition editor will be automatically accessible via the condition builder and vice versa 5. When the condition is complete, click Save.
6. Click on the management console (if enabled) to commit them. The new condition can be associated with any appropriate rule. See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Destination Port Range, File Extensions, Header Fields, HTTPS Certificate Validation, IP Range, Pre Authenticated Headers, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote, DLP Condition Editor and Builder
DLP Condition Editor and Builder
The Data Leakage Prevention (DLP) rule builder provided by M86 has two modes of operation: the Condition Builder and the Condition Editor. Both modes use Boolean operators such as And and Or to create filters.
• The Condition Editor lets you manually enter the text that you want the DLP filter to search for (in a text box). You can combine terms with the Boolean operators And, Or and Not, and group them with parentheses ( ) where necessary. Four wildcard signs stand for classes of ASCII symbols:
  • any single symbol
  • any single alphabetic symbol
  • any single digit (0-9)
  • any single alphanumeric symbol, including dash and underscore
NOTES: When copying text from another source, remove all formatting first by pasting the text into Notepad or a similar plain-text application, then re-copy it from there into the SWG screen.
 To Edit in Condition Editor mode: 1. Click a DLP condition listed in the left hand pane. 2. In view mode, click Edit.
Figure 6-98: The Condition Editor Screen 3. Update the rule to your satisfaction. 4. Click Save.
5. Click (if enabled) to commit them.
• The Condition Builder: The condition builder lets you create or view the same rules as the condition editor using a graphical interface.
 To Edit in Condition Builder mode: 1. Click a DLP condition listed in the left hand pane. 2. Click Condition Builder. 3. Click Edit.
Figure 6-99: The Condition Builder Update the rule to your satisfaction.
NOTES: To toggle between the two views, use the Condition Editor button when in the builder view and the Condition Builder button when in editor mode.
4. Click Save.
5. Click (if enabled) to commit them.
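The following Python example is added here to show how a Condition Editor expression of the shape described above (quoted terms combined with And, Or, Not and parentheses, with wildcards inside the terms) is evaluated against the scanned parts of a document. It is not SWG code and not part of this guide. Because the four wildcard glyphs did not survive in this copy of the page, the example uses its own placeholder tokens ?, @, # and %, an assumption marked in the code; the sample document, its metadata and the two conditions are constructed for the example.

```python
import re

# Placeholder wildcard tokens (assumption: the manual's own wildcard glyphs did not
# survive extraction of this page; these four stand in for the four classes it lists).
WILDCARDS = {
    "?": r".",              # any single symbol
    "@": r"[A-Za-z]",       # any single alphabetic symbol
    "#": r"[0-9]",          # any single digit
    "%": r"[A-Za-z0-9_-]",  # any alphanumeric symbol, dash or underscore
}

# Token grammar: quoted search terms, parentheses, and the keywords And / Or / Not.
TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|([()])|(And|Or|Not)\b)', re.IGNORECASE)


def term_to_regex(term):
    """Translate one quoted term into a case-insensitive regex, expanding wildcards."""
    return re.compile("".join(WILDCARDS.get(ch, re.escape(ch)) for ch in term), re.IGNORECASE)


def tokenize(expr):
    """Split a Condition Editor expression into (kind, value) tokens."""
    tokens, pos = [], 0
    while expr[pos:].strip():
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("bad syntax at offset %d: %r" % (pos, expr[pos:]))
        if m.group(1) is not None:
            tokens.append(("TERM", m.group(1)))
        elif m.group(2):
            tokens.append((m.group(2), None))
        else:
            tokens.append((m.group(3).capitalize(), None))
        pos = m.end()
    return tokens


class _Evaluator:
    """Recursive-descent evaluation with precedence Not > And > Or."""

    def __init__(self, tokens, text):
        self.toks, self.i, self.text = tokens, 0, text

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of condition")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self):            # Or level
        value = self.conj()
        while self.peek() == "Or":
            self.take()
            rhs = self.conj()  # always parsed, so every token is consumed and checked
            value = value or rhs
        return value

    def conj(self):            # And level
        value = self.neg()
        while self.peek() == "And":
            self.take()
            rhs = self.neg()
            value = value and rhs
        return value

    def neg(self):
        if self.peek() == "Not":
            self.take()
            return not self.neg()
        return self.atom()

    def atom(self):
        kind, val = self.take()
        if kind == "(":
            value = self.expr()
            if self.take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if kind == "TERM":
            return term_to_regex(val).search(self.text) is not None
        raise ValueError("unexpected token %r" % kind)


def scanned_text(doc):
    """SWG scans the document body and its metadata (Author, Comments, Headers/Footers);
    here the parts are joined into one text to search."""
    return "\n".join([doc.get("body", "")] + list(doc.get("metadata", {}).values()))


def evaluate(condition, doc):
    """True when the DLP condition matches the document."""
    ev = _Evaluator(tokenize(condition), scanned_text(doc))
    result = ev.expr()
    if ev.peek() is not None:
        raise ValueError("unexpected trailing token %r" % ev.peek())
    return result


# Constructed sample document (not real data): the sensitivity marker is only in the metadata.
SAMPLE_DOC = {
    "body": "Quarterly results are attached. Account no. ACME-2024-0091 is overdue.",
    "metadata": {"Author": "J. Doe", "Comments": "INTERNAL ONLY", "Header": "Acme Corp"},
}
CONFIDENTIAL = '("confidential" Or "internal only") And Not "press release"'
ACCOUNT_NUMBER = '"ACME-####-####"'   # customer account pattern using the digit wildcard

if __name__ == "__main__":
    for cond in (CONFIDENTIAL, ACCOUNT_NUMBER):
        print("%-55s -> %s" % (cond, evaluate(cond, SAMPLE_DOC)))
```

The metadata is searched as well as the body, which is why the constructed document matches CONFIDENTIAL on its Comments property alone; a condition that only inspected the body would miss it.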
See also: Condition Settings: Data Leakage Prevention, Condition Details for Security Policy Rules, Example for Creating a Security Rule
Condition Settings: Destination Port Range
The Destination Port Range contains one or more port ranges that may be used as a condition in an Identification Policy rule in order to block or allow the traffic. The range distinguishes client applications connecting through the SWG device by the destination port they target.
NOTES: Persistent connections enable a client to reach various targets over the same proxy connection. This means that the first request on a connection may target a different server port than the requests that follow it, so a port condition cannot be assumed to hold for the whole connection.
Condition Settings Tree Options
The Used In right-click option allows the administrator, for every condition item, to determine in which rules and policies it is used. The procedure is the same for every condition component in the tree.
 To access the Used In data
Navigate in the Management Console to Policies > Condition Settings and select the specific condition component. For example: 1. Policies > Condition Settings > Destination Port Range. 2. Right-click the component or click the icon in the furthest left pane and select Used In. 3. The Used In screen appears. 4. Rules may contain numerous components and policies may contain various rules. To view the policies in which this item is used and the rules assigned to each policy, click a specific record and select either Navigate to Policy page or Navigate to Rule page. 5. The selected screen opens for viewing. Return to the Used In screen by navigating through Policies > Condition Settings to the specific component. See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, File Extensions, Header Fields, HTTPS Certificate Validation, IP Range, Pre Authenticated Headers, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote, Generating an Item in the Destination Port Range
Generating an Item in the Destination Port Range
 To generate a new item in a Destination Port Range: 1. Right-click on the top-level heading Destination Port Range and select Add Component. 2. Enter an appropriate Destination Port Range name. 3. In the Destination Port Range section, click to add a new row. 4. Enter a Port number in the From/To range (for example, 443 to 450). 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Port Range.
6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this range in the future, select Edit and make your changes. See also: Condition Settings: Destination Port Range
Condition Settings: File Extensions
Each File Extension listed here is actually a list of file extensions grouped by topic. The File Extensions are presented as predefined lists for convenience and can be used as rule conditions in your security policy. You cannot add extensions to or delete extensions from the existing File Extensions lists provided by M86; however, you can create new File Extension lists.
See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, Destination Port Range, Header Fields, HTTPS Certificate Validation, IP Range, Pre Authenticated Headers, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote, Generating a New Item in File Extensions, Multiple File Extensions
Generating a New Item in File Extensions
 To generate a new item in File Extensions: 1. Right-click on the top-level heading and select Add Component. 2. Enter an appropriate File Extension name.
3. In the File Extensions section, click to add a new row. 4. Enter the relevant File Extension. 5. Repeat for as many times necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Extension.
6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this list in the future, select Edit and make your changes. See also: Condition Settings: File Extensions, Multiple File Extensions
Multiple File Extensions
The Multiple File Extensions list can be edited here. A file has multiple file extensions when more than one extension appears at the end of its name, for example file.txt.exe, where only the last extension determines how the Operating System runs the file and the earlier extension merely disguises it. See also: Condition Settings: File Extensions, Generating a New Item in File Extensions, Condition Settings Tree Options
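The following Python example is added to show how the two File Extensions conditions above behave on real-looking download names: matching a file against an extension list by its final extension, and detecting the multiple-extension pattern (file.txt.exe). It is not SWG code. The extension lists are constructed stand-ins for the predefined lists the product ships (their real contents are not on this page), and the disguised_executable check is a stricter variant a practitioner would add beside the generic condition; the sample URLs are constructed.

```python
from pathlib import PurePosixPath

# Constructed extension lists (assumption): stand-ins for the predefined lists the
# SWG ships; the real list contents are not reproduced on this page.
EXTENSION_LISTS = {
    "Executables": {"exe", "com", "scr", "pif", "bat", "cmd", "msi"},
    "Documents": {"doc", "docx", "xls", "xlsx", "rtf", "pdf", "txt"},
    "Images": {"jpg", "jpeg", "gif", "png"},
}


def extension_chain(name_or_url):
    """Return every dot-separated suffix of the file name, lowercased and stripped.

    'Report.txt.EXE' -> ['txt', 'exe']. Directory path, query string and fragment are
    dropped, and padding such as 'invoice.pdf      .exe' is normalised so whitespace
    cannot hide the final extension from the comparison.
    """
    name = PurePosixPath(name_or_url.split("?", 1)[0].split("#", 1)[0]).name
    parts = [p.strip().lower() for p in name.split(".")]
    return [p for p in parts[1:] if p]


def matches_list(name_or_url, list_name):
    """A File Extensions condition matches on the final extension, the one the OS acts on."""
    chain = extension_chain(name_or_url)
    return bool(chain) and chain[-1] in EXTENSION_LISTS[list_name]


def has_multiple_extensions(name_or_url):
    """The Multiple File Extensions condition: two or more extensions, e.g. file.txt.exe."""
    return len(extension_chain(name_or_url)) >= 2


def disguised_executable(name_or_url):
    """Stricter variant (added here, not an SWG condition): an executable final extension
    preceded by a document or image extension, the classic file.txt.exe disguise."""
    chain = extension_chain(name_or_url)
    benign = EXTENSION_LISTS["Documents"] | EXTENSION_LISTS["Images"]
    return len(chain) >= 2 and chain[-1] in EXTENSION_LISTS["Executables"] and chain[-2] in benign


# Constructed sample downloads (not real URLs).
SAMPLES = [
    "http://files.example.test/q3/report.docx",
    "http://files.example.test/dl/invoice.pdf      .exe?id=7",
    "http://files.example.test/pics/holiday.jpg.scr",
    "http://files.example.test/setup.exe",
    "http://files.example.test/README",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-58s chain=%-16s multi=%-5s disguised=%s" % (
            url, extension_chain(url), has_multiple_extensions(url), disguised_executable(url)))
```

Note that archive.tar.gz also has multiple extensions and would match the generic condition; that is why the stricter check keys on the final extension being executable before it blocks.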
Condition Settings: Header Fields
Headers are metadata, and this condition lets the customer build rules on specific header fields. For example, you can create a rule that blocks requests from specific user-agents. The headers can be either request or response headers. See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, Destination Port Range, File Extensions, HTTPS Certificate Validation, IP Range, Pre Authenticated Headers, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote, Generating an Item in the Header Field, Condition Settings Tree Options
Generating an Item in the Header Field
 To generate a new item in Header Field: 1. Right-click on the top-level heading and select Add Component. 2. Enter an appropriate Header Field name. 3. In the Header Fields section, click to add a new row. 4. Enter a Header Name, Condition, and Header Value as required.
NOTES: The Condition is either Equals or Regular Expression, and the Header Value is interpreted accordingly: a literal string to compare against, or a pattern to search for. For example, the pattern ".*?M86" matches the shortest run of characters up to and including the word M86. 5. Repeat as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Header.
6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this Component in the future, click Edit and make your changes.
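The following Python example is added to show how the rows of a Header Fields component (Header Name, Condition, Header Value) are evaluated against a request's headers, including the case-insensitive header lookup and the difference between Equals and Regular Expression. It is not SWG code. The component, its rows and the three sample requests are constructed, and whether a component matches on any row or on all rows is not stated on this page, so the "any row" rule used here is an assumption marked in the code.

```python
import re

# Constructed Header Fields component (assumption: the column names Header Name,
# Condition and Header Value follow the procedure above; the rows are ours).
BLOCK_LEGACY_CLIENTS = {
    "name": "Block legacy and scripted clients",
    "rows": [
        ("User-Agent", "Regular Expression", r"MSIE [1-6]\."),           # IE 6 and older
        ("User-Agent", "Regular Expression", r"^(curl|wget|python-urllib)/"),
        ("X-Scanner", "Equals", "M86"),
    ],
}


def _lookup(headers, name):
    """HTTP header names are case-insensitive; return the value or None."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def row_matches(headers, row):
    """Evaluate one Header Name / Condition / Header Value row against a header set."""
    name, condition, wanted = row
    actual = _lookup(headers, name)
    if actual is None:
        return False                       # an absent header never matches
    if condition == "Equals":
        return actual == wanted            # literal, case-sensitive comparison of the value
    if condition == "Regular Expression":
        return re.search(wanted, actual) is not None   # search semantics, as with ".*?M86"
    raise ValueError("unknown condition %r" % condition)


def matching_rows(headers, component):
    """Return the rows of the component that match these headers."""
    return [row for row in component["rows"] if row_matches(headers, row)]


def component_matches(headers, component):
    """Assumption: any one matching row is enough for the component to match, the natural
    reading of a list of alternative header values; use all() for the stricter policy."""
    return bool(matching_rows(headers, component))


def shortest_prefix(value, pattern=r".*?M86"):
    """The manual's example: a lazy ".*?" stops at the first occurrence of M86."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


# Constructed sample requests (not real traffic).
REQ_OLD_IE = {"Host": "www.example.test",
              "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
REQ_CURL = {"host": "www.example.test", "user-agent": "curl/7.19.7 (x86_64-redhat-linux-gnu)"}
REQ_FIREFOX = {"Host": "www.example.test",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"}

if __name__ == "__main__":
    for req in (REQ_OLD_IE, REQ_CURL, REQ_FIREFOX):
        ua = _lookup(req, "User-Agent")
        print("%-70s -> %s" % (ua, [r[2] for r in matching_rows(req, BLOCK_LEGACY_CLIENTS)]))
```

Anchor regular expressions (the ^ in the curl row) when the intent is a prefix; an unanchored pattern such as "curl/" would also match a browser that merely mentions curl in its User-Agent string.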
See also: Condition Settings: Header Fields
Condition Settings: HTTPS Certificate Validation
Certificate validation includes expiration checks, revocation checks and name matching. SWG ensures that corporate policies regarding certificates are enforced, while removing the decision from the user's hands, by automatically validating each certificate and making sure that the chain goes back to a trusted authority. Policies regarding certificates are enforced by checking individual certificate names, dates, the trusted authority chain and revocation lists. A list of trusted certificate authorities is supplied with the system and used for digital signature analysis and for SSL certificate validation. Digital certificate lists are updated via the M86 security updates. These lists include the required trusted certificate authorities as well as the Certificate Revocation Lists. Administrators cannot modify or delete the default profile; however, they can duplicate the Default HTTPS Profile and then customize the copy. M86 includes one predefined Default Certificate Validation Profile, which contains the following certificate error events:
• Invalid Certificate Structure
• Certificate Cannot be Trusted
• Certificate is Not Currently Valid
• Certificate Revoked
• Host Cannot be Trusted
• Bad Certificate Usage
See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, Destination Port Range, File Extensions, Header Fields, IP Range, Pre Authenticated Headers, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote
Error event groups: Invalid Certificate Structure, Certificate Cannot be Trusted, Certificate is Not Currently Valid, Certificate Revoked, Host Cannot be Trusted, Bad Certificate Usage
Invalid Certificate Structure
The following table describes the options:
• Cannot decode issuer public key: The public key in the certificate SubjectPublicKeyInfo could not be read.
• Certificate signature cannot be decrypted: The certificate signature could not be decrypted, that is, the actual signature value could not be determined (meaningful for RSA keys).
See also: Condition Settings: HTTPS Certificate Validation, Certificate Cannot be Trusted, Certificate is Not Currently Valid, Certificate Revoked, Host Cannot be Trusted, Bad Certificate Usage
Certificate Cannot be Trusted
The following table describes the options:
• Authority and issuer serial number mismatch: The current candidate issuer certificate was rejected because its issuer name and serial number were present and did not match the authority key identifier of the current certificate.
• Authority and subject key identifier mismatch: The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier of the current certificate.
• Certificate chain too long: The certificate chain length is greater than the supplied maximum depth.
• Certificate is self signed: The certificate is self signed and the same certificate cannot be found in the list of trusted certificates.
• Certificate not trusted: The root CA is not marked as trusted for the specified purpose.
• Certificate rejected: The root CA is marked to reject the specified purpose.
• Certificate signature failure: The signature of the certificate is invalid.
• Invalid CA certificate: Either the CA is not valid or it may not be used to sign the tested certificate for HTTPS communication.
• Issuer certificate could not be found: The issuer certificate of an untrusted certificate cannot be found.
• Key usage does not include certificate signing: The current candidate issuer certificate was rejected because it may not sign other certificates (keyUsage).
• Root certificate could not be found locally: The certificate chain could be built up using the untrusted certificates, but the root could not be found locally.
• Subject issuer mismatch: The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate.
• Unable to get local issuer certificate: The issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.
• Unable to verify the first certificate: Signatures could not be verified because the chain contains only one certificate and it is not self signed.
See also: Condition Settings: HTTPS Certificate Validation, Invalid Certificate Structure, Certificate is Not Currently Valid, Certificate Revoked, Host Cannot be Trusted, Bad Certificate Usage
Certificate is Not Currently Valid
The following table describes the options:
• Certificate is not yet valid: The notBefore date is after the current time.
• Certificate has expired: The notAfter date is before the current time.
• Format error in certificate notAfter field: The certificate notAfter field contains an invalid time.
• Format error in certificate notBefore field: The certificate notBefore field contains an invalid time.
See also: Condition Settings: HTTPS Certificate Validation, Invalid Certificate Structure, Certificate Cannot be Trusted, Certificate Revoked, Host Cannot be Trusted, Bad Certificate Usage
Certificate Revoked
The following table describes the options:
• Certificate revoked: The certificate has been revoked.
• CRL has expired: The CRL nextUpdate date is before the current time.
• CRL is not yet valid: The CRL lastUpdate date is after the current time.
• CRL signature failure: The signature of the CRL is invalid.
• Format error in CRL lastUpdate field: The CRL lastUpdate field contains an invalid time.
• Format error in CRL nextUpdate field: The CRL nextUpdate field contains an invalid time.
• Unable to decrypt CRL signature: The actual signature value could not be determined, rather than it not matching the expected value.
• Unable to get certificate CRL: The CRL for a certificate could not be found.
See also: Condition Settings: HTTPS Certificate Validation Invalid Certificate Structure Certificate Cannot be Trusted Certificate is Not Currently Valid Host Cannot be Trusted Bad Certificate Usage
Host Cannot be Trusted
The following table describes the options:
• Cannot verify hostname: The host name is unavailable and therefore cannot be verified against the certificate.
• Host name does not match certificate name: The requested host name does not match the name in the certificate.
See also: Condition Settings: HTTPS Certificate Validation, Invalid Certificate Structure, Certificate Cannot be Trusted, Certificate is Not Currently Valid, Certificate Revoked, Bad Certificate Usage
Bad Certificate Usage
The following table describes the options:
• Unsupported certificate purpose: The supplied certificate cannot be used for the specified purpose.
• Path length constraint exceeded: The basicConstraints pathLenConstraint has been exceeded.
See also: Condition Settings: HTTPS Certificate Validation, Invalid Certificate Structure, Certificate Cannot be Trusted, Certificate is Not Currently Valid, Certificate Revoked, Host Cannot be Trusted
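The following Python example is added to show how the error events in the tables above arise from a chain: validity dates, revocation, subject/issuer linkage, the self-signed and untrusted-root cases, pathLenConstraint, and host name matching against SAN entries with a wildcard. It is not SWG code and not part of this guide. Certificates are plain dictionaries constructed for the example, signature verification is deliberately left out (a real validator checks each signature against the issuer's public key, which is what produces the "Certificate signature failure" event), and the dates and names are chosen for the example.

```python
from datetime import datetime, timezone

# Constructed certificates (assumption): plain dicts standing in for parsed X.509 fields.
# Signature verification is not modelled; chain links are established by subject/issuer
# names, which a real validator backs with a signature check against the issuer's key.


def _utc(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def cert(subject, issuer, not_before, not_after, serial, ca=False, pathlen=None, san=()):
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": _utc(not_before), "not_after": _utc(not_after),
            "ca": ca, "pathlen": pathlen, "san": tuple(san)}


def hostname_matches(hostname, leaf):
    """Host name check: SAN dNSNames, or the subject CN only when no SAN is present;
    a wildcard is honoured only as the whole leftmost label and covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in leaf["san"] or (leaf["subject"],):
        labels = name.lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
        if labels == host:
            return True
    return False


def validate_chain(chain, trust_store, hostname, now, max_depth=5, revoked=frozenset()):
    """Return the set of SWG error events raised for a chain ordered leaf first.

    An empty set means the chain is acceptable. `revoked` stands in for the serials
    listed in the CRLs that the M86 security updates deliver.
    """
    errors = set()
    if not hostname_matches(hostname, chain[0]):
        errors.add("Host name does not match certificate name")
    if len(chain) > max_depth:
        errors.add("Certificate chain too long")
    for i, c in enumerate(chain):
        if c["not_before"] > now:
            errors.add("Certificate is not yet valid")
        if c["not_after"] < now:
            errors.add("Certificate has expired")
        if c["serial"] in revoked:
            errors.add("Certificate revoked")
        if i > 0:   # c claims to have issued chain[i-1]
            if c["subject"] != chain[i - 1]["issuer"]:
                errors.add("Subject issuer mismatch")
            if not c["ca"]:
                errors.add("Invalid CA certificate")
            # pathLenConstraint bounds the intermediate CAs below this one (indices 1..i-1)
            if c["pathlen"] is not None and i - 1 > c["pathlen"]:
                errors.add("Path length constraint exceeded")
    top = chain[-1]
    if top["subject"] == top["issuer"]:
        trusted = {(t["subject"], t["serial"]) for t in trust_store}
        if (top["subject"], top["serial"]) not in trusted:
            errors.add("Certificate is self signed")
    else:
        anchor = next((t for t in trust_store if t["subject"] == top["issuer"]), None)
        if anchor is None:
            errors.add("Unable to get local issuer certificate")
        elif anchor["pathlen"] is not None and len(chain) - 1 > anchor["pathlen"]:
            errors.add("Path length constraint exceeded")
    return errors


# Constructed PKI (not real certificates); NOW is the clock the checks run against.
ROOT = cert("Example Root CA", "Example Root CA", "2005-01-01", "2030-01-01", "01", ca=True)
INTER = cert("Example Issuing CA", "Example Root CA", "2009-01-01", "2019-01-01", "1001",
             ca=True, pathlen=0)
LEAF = cert("www.example.test", "Example Issuing CA", "2010-01-01", "2011-01-01", "7f3a",
            san=("www.example.test", "example.test"))
WILD = cert("*.example.test", "Example Issuing CA", "2010-01-01", "2011-01-01", "7f3b",
            san=("*.example.test",))
SELF_SIGNED = cert("intranet.example.test", "intranet.example.test",
                   "2010-06-01", "2012-06-01", "99")
TRUST_STORE = [ROOT]
NOW = _utc("2010-11-15")

if __name__ == "__main__":
    print(validate_chain([LEAF, INTER], TRUST_STORE, "www.example.test", NOW) or "valid")
    print(validate_chain([SELF_SIGNED], TRUST_STORE, "intranet.example.test", NOW))
```

The self-signed intranet certificate fails only because it is not in the trust store; adding it there (the duplicated-profile customisation described above) clears the event without weakening any other check.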
Condition Settings: IP Range The IP Range contains one or more IP ranges that end-users may be using in order to effectively identify or authenticate them. This can be used for inclusion as in the Identification Policy rule making. The range is used to distinguish the client machine connecting to the SWG device by its source IP. The default list named Exclude by IP was provided by M86 for the administrator to add/modify their own IP ranges as required.
See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, Destination Port Range, File Extensions, Header Fields, HTTPS Certificate Validation, Pre Authenticated Headers, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote, Generating a new Item in IP Range
Generating a new Item in IP Range
 To generate a new item in an IP Range: 1. Right-click on the top-level heading IP Range and select Add Component. 2. Enter an appropriate IP Range name. 3. In the IP Range section, click to add a new row. 4. Add in the appropriate addresses in the From IP Address and To IP Address fields. 5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the item and selecting Delete IP Range.
6. Click Save to apply changes. Next, click to commit them. 7. If you need to modify this range in the future, select Edit and make your changes. See also: Condition Settings: IP Range
Condition Settings: Pre Authenticated Headers
Pre Authenticated Headers define headers whose content is treated as already authenticated; that is, the SWG assumes the header data was authenticated by a downstream proxy agent before the request reached it. These are available for inclusion in Identification Policy rules. Because the SWG does not re-verify the values, such headers should be accepted only from the downstream proxy that sets them, not from arbitrary clients. See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, Destination Port Range, File Extensions, Header Fields, HTTPS Certificate Validation, IP Range, Script Behavior, Time Frame, URL Lists, Vulnerability Anti.dote, Generating a Pre Authenticated Header
Generating a Pre Authenticated Header
 To generate a Pre Authenticated Header: 1. Right-click on the top-level heading Pre Authenticated Header and select Add Component. 2. Enter an appropriate Pre Authenticated Header name. 3. Enter the name of the header that carries the client IP address, for example X-Client-IP. 4. Select the Domain/User source: either a Custom header, such as X-Authenticated-User, or a Basic Authenticated header from downstream proxy.
NOTES: When the Basic Authenticated header from downstream proxy checkbox is set, the proxy will use the basic authentication header per transaction and not per connection.
5. Click Save to apply changes. Next, click to commit them. 6. If you need to modify this component in the future, select Edit and make your changes. See also: Condition Settings: Pre Authenticated Headers
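The following Python example is added to show how the three identification components described in this chapter work together on one request: an IP Range naming the downstream proxies, the Exclude by IP range, a Destination Port Range, and a Pre Authenticated Headers component (X-Client-IP and X-Authenticated-User). It is not SWG code. The component names and address and port values are constructed, as is the sample traffic; honouring the pre-authenticated headers only when the TCP peer is a listed downstream proxy is the check a practitioner adds, since this page does not say that the SWG enforces it, and evaluating every request on a persistent connection separately follows the NOTE under Destination Port Range.

```python
import ipaddress

# Constructed condition components (assumption: names and address/port values are ours).
DOWNSTREAM_PROXIES = [("10.0.5.10", "10.0.5.12")]   # IP Range: proxies that pre-authenticate users
EXCLUDE_BY_IP = [("10.0.9.0", "10.0.9.255")]         # IP Range: the default "Exclude by IP" list
HTTPS_PORTS = [(443, 450)]                           # Destination Port Range, as in the manual's example
PRE_AUTH = {"client_ip_header": "X-Client-IP",       # Pre Authenticated Headers component
            "user_header": "X-Authenticated-User"}


def ip_in_range(ip, ranges):
    """From/To inclusive, as entered in the IP Range rows; IPv4 and IPv6 never overlap."""
    addr = ipaddress.ip_address(ip)
    for lo, hi in ranges:
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def port_in_range(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def identify(tx):
    """Identify the client behind one request; returns (client_ip, user, how).

    Pre-authenticated headers are honoured only when the TCP peer is a trusted downstream
    proxy. A client talking to the SWG directly can put any value it likes in X-Client-IP
    or X-Authenticated-User, so from such a peer the headers are ignored.
    """
    peer = tx["peer_ip"]
    headers = {k.lower(): v for k, v in tx["headers"].items()}
    if ip_in_range(peer, DOWNSTREAM_PROXIES):
        client_ip = headers.get(PRE_AUTH["client_ip_header"].lower(), peer)
        user = headers.get(PRE_AUTH["user_header"].lower())
        if user:
            return client_ip, user, "pre-authenticated header"
        return client_ip, None, "downstream proxy, no user header"
    return peer, None, "source ip"


def identification_decision(tx):
    """One Identification Policy evaluation: exclude listed IPs, otherwise identify or
    fall back to authentication."""
    client_ip, user, how = identify(tx)
    if ip_in_range(client_ip, EXCLUDE_BY_IP):
        return {"action": "exclude", "client_ip": client_ip, "user": None, "how": how}
    return {"action": "identified" if user else "authenticate",
            "client_ip": client_ip, "user": user, "how": how,
            "https_port": port_in_range(tx["dst_port"], HTTPS_PORTS)}


def evaluate_connection(requests):
    """Persistent connections: later requests may target other ports (manual NOTE),
    so every request on the connection is evaluated on its own."""
    return [identification_decision(tx) for tx in requests]


# Constructed sample traffic (not real).
VIA_PROXY = {"peer_ip": "10.0.5.11", "dst_port": 443,
             "headers": {"X-Client-IP": "192.168.1.20", "X-Authenticated-User": "CORP\\jdoe"}}
DIRECT_SPOOF = {"peer_ip": "192.168.1.30", "dst_port": 443,
                "headers": {"X-Client-IP": "10.0.9.5", "X-Authenticated-User": "CORP\\admin"}}
EXCLUDED_CLIENT = {"peer_ip": "10.0.5.10", "dst_port": 8443,
                   "headers": {"X-Client-IP": "10.0.9.5", "X-Authenticated-User": "CORP\\svc"}}

if __name__ == "__main__":
    for decision in evaluate_connection([VIA_PROXY, DIRECT_SPOOF, EXCLUDED_CLIENT]):
        print(decision)
```

In DIRECT_SPOOF the client tries to claim both an excluded address and an administrator identity through the headers; because its peer address is not a listed downstream proxy, it is identified by its real source IP and sent to authentication instead.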
Condition Settings: Script Behavior
M86's script behavior engine checks security behaviors and profiles that are a subset of all available behaviors. The groups that drive the Application-Level Behavior Based engine are not signature-based. Groups at various levels define language tokens, semantic patterns of Active Code, and forbidden combinations of operations, parameters and programming techniques. These Behavior groups are created by security experts from M86's Malicious Code Research Center (MCRC) and fed into the Behavior Profile scanning engines, enabling the identification of malicious active content. The system is preconfigured with default Behavior Profiles. These defaults are available for inclusion in your Rule Conditions. The Default Script Behavior displays the following tabs:
• File System Operations
• Windows Network Operations
• Registry Operations
• Operating System Operations
• Advanced
See also: Condition Settings
Available Condition Settings Tree Options: Active Content List, Archives, Binary Behavior, Content Size, Data Leakage Prevention, Destination Port Range, File Extensions, Header Fields, HTTPS Certificate Validation, IP Range, Pre Authenticated Headers, Time Frame, URL Lists, Vulnerability Anti.dote
File System Operations
The following File System operations are considered unsafe when performed by VB/Java scripts:
• File Copy: Attempt to copy a local file
• File Create: Attempt to create a local file
• File Delete: Attempt to delete a local file
• File Query: Attempt to detect whether a file exists under a specific path in the local file system
• File Read: Attempt to read a local file
• File Write: Attempt to write to a local file
See also: Condition Settings: Script Behavior, Windows Network Operations, Registry Operations, Operating System Operations, Advanced
Windows Network Operations
The following Windows Network operations are considered unsafe when performed by VB/Java scripts:
• Network Drive Delete: Attempt to remove a shared network drive from the computer system
• Network Drive Query: Attempt to detect whether a specific network drive exists
• Network Printer Operations: Attempt to manipulate network printers, for example by adding or removing a remote MS-DOS-based or Windows printer connection to the computer system, or by setting a different default printer
• Query Logged-On User: An attempt to query for the specific user domain name, user name, computer name, etc.
• Windows Log Operations: An attempt to manipulate a Windows log event
See also: Condition Settings: Script Behavior, File System Operations, Windows Network Operations, Operating System Operations, Advanced
Registry Operations
The following Registry operations are considered unsafe when performed by Java applets:
• Registry Read: Attempt to read a system registry key or value
• Registry Write: An attempt to create a new key within the system registry, add another value-name to an existing key (and assign it a value), or change the value of an existing value-name
• Registry Delete: An attempt to delete a key or one of its values from the system registry
See also: Condition Settings: Script Behavior, File System Operations, Windows Network Operations, Registry Operations, Advanced
Operating System Operations
The following Operating System operations are considered unsafe when performed by Java applets:
• Access Microsoft Outlook: An attempt to run Microsoft Outlook, which could result in accessing sensitive data (reading it and sending it out of the corporate network)
• Access Potentially Dangerous Applications: Attempt to execute an application on the local machine. These applications are legitimate ones that are used to bypass local machine security and perform non-legitimate acts such as accessing restricted data
• Create Process: An attempt to open a command shell and execute system processes
• Inter-Process Communication: An attempt to communicate between running processes by sending parameters, which may result in non-legitimate processes being run
• Environment Variables-Related Operations: Environment variables are strings that contain information about the environment of the system and the currently logged-on user. This group refers to any manipulation performed on those variables
See also: Condition Settings: Script Behavior File System Operations
M86 SECURITY, POLICIES 553 POLICIES
Windows Network Operations Registry Operations Advanced Advanced
The following Advanced operations are considered unsafe when performed by Java applets:
Advanced | Description
Access to Environment Variables | Web content that tries to access local environment variables may use the information for malicious or identity theft purposes
Bogus Script Function Usage to Crash Browser | Some non-legitimate script functions can cause the browser to stop working
Browser Status Bar Modification | The browser's status bar can be changed using specially crafted scripts.
Channel Adding to the Active Desktop | Remote scripts can be used to add active desktop channels
Clipboard Referencing | Remote scripts can be used to grab information stored in the user's clipboard
Code Obfuscation (Home-Encoding) | These are a set of different programmatic techniques used to obfuscate code. Usually the purpose of code obfuscation is to bypass signature based security products, and such techniques are considered potentially malicious
Code Obfuscation (Home-Encoding) (Complementary Rule) | These are a set of different programmatic techniques used to obfuscate code. Usually the purpose of code obfuscation is to bypass signature based security products, and such techniques are considered potentially malicious
Code Obfuscation (Home-Encoding) Type II | These are a set of different programmatic techniques used to obfuscate code. Usually the purpose of code obfuscation is to bypass signature based security products, and such techniques are considered potentially malicious
Code Obfuscation (Home-Encoding) Type III | These are a set of different programmatic techniques used to obfuscate code. Usually the purpose of code obfuscation is to bypass signature based security products, and such techniques are considered potentially malicious
Dangerous ActiveX Objects Remote Creation Protection, Remote File Read and Execution Protection | Some ActiveX Objects can be used to remotely read, write and execute files.
DHTML Properties Setting | Some uncommon DHTML attributes can be used to mask malicious actions.
Dynamic Addition of HTML Elements | Dynamically adding HTML elements can be used to mask malicious content.
Dynamic creation of HTML Element | Dynamic creation of HTML elements can be used to mask malicious actions.
Dynamic HTML Assignment | Dynamic assignment of HTML content can be used to mask malicious actions.
Dynamically setting a Mouse Event | Dynamically setting a mouse event can be used to mask malicious actions.
Endless Loop Denial of Service | Scripts using endless loops can take over the CPU.
Environment Variables Remote Access/Reference Protection | Referring to local environment variables can allow remote cross-zone scripting.
Faking a known Application Dialog | Displaying a fake version of a known local application dialog in the browser can be used for phishing and spoofing attacks.
Generic History Theft Protection | Scripts that try to access the browsing history can use the information to collect browsing habits for the purpose of marketing, as well as for refining attack vectors where the victim may visit a site whose profile matches his browsing habits
Generic Internet Explorer Remote Zone Bypass, Address Bar Spoofing and Status Bar Spoofing | Specially created URLs can be used for phishing and spoofing attacks.
Generic Local Resource Remote Reference | Links to local files can be used for remote cross-zone scripting.
Generic Shellcode Detection | Detects the use of shellcode. Shellcode should be blocked since it compromises the end user's computer.
Generic Shellcode Detection Type II | This is another type of shellcode detection technique.
Generic VB Script/Java Script Injection Attempts | Links containing script injections can be used for remote cross-zone scripting.
Help Protocols and Windows Help System Remote Code Execution | Help protocol handlers that are part of the help system provided by Microsoft Windows can be used for remote cross-zone scripting.
Help Protocols Usage | Help protocol handlers can be used for remote cross-zone scripting and buffer overflow attacks.
HTML Code Injection | HTML code injections can be used for masking malicious actions.
HTML Code Injection at a Specific Location | HTML code injections at a specific location in the data object model can be used for masking malicious actions.
HTML Elements hiding by ActiveX Objects | Special ActiveX Objects that hide HTML elements can be used in phishing and spoofing attacks.
HTML Elements Hiding by Setting the HTML Style | Special style attributes that hide HTML elements can be used for phishing and spoofing attacks.
IE Favorites Manager Remote File Overwriting Protection | The Internet Explorer Favorites Manager can be used to overwrite local files.
IE NavigateAndFind Zone Bypass Protection | The Internet Explorer NavigateAndFind function can be used for remote cross-zone scripting.
Import HTML Tag Usage | The HTML Import tag can be used to mask malicious actions.
Importing a Style Sheet into an Existing Style Sheet | Scripts that add external style sheets to an existing style sheet can be used to mask malicious actions.
Location.Assign Remote Code Execution Vulnerability | Setting the "Assign" property of a location object can be used for remote cross-zone scripting.
MHTML Protocol Remote File Creation, Cross-Domain Scripting and/or Remote Code Execution | When referring to MHT files, MHTML protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Mailto: Protocol Injection | The mailto protocol handler, when combined with specially crafted scripts, can be used for remote cross-zone scripting.
Media Protocols Usage | Some media protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Media/Search Bars Code Injection Protection | Directing pages to the Internet Explorer Media and Search bars can be used for remote cross-zone scripting.
Microsoft IE popup blocker bypass vulnerability | Scripts that try to open popup windows may try to bypass the built-in protection in recent versions of Internet Explorer.
Microsoft Office Protocols Usage | Microsoft Office protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Microsoft Windows Remote Permanent Code Execution/Script Injection into Desktop | Scripts that refer to a user's desktop can be used for remote cross-zone scripting.
Miscellaneous Protocols Usage | Some common protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Mozilla Firefox (About:) Protocol | Scripts attempting to use the about: protocol in Mozilla may try to alter system settings and make the security mechanisms built into the browser less effective.
Netscape/Mozilla Privilege Manager Protection | The Privilege Manager in Netscape/Mozilla can be used for remote cross-zone scripting.
News Protocols Usage | News protocol handlers (e.g. http) can be used for remote cross-zone scripting or buffer overflow attacks.
Obfuscated Text Content | Obfuscating text content can be used for masking malicious actions.
Opening Non-focused window from a link | This malicious behavior can be used for spoofing/phishing attacks.
P2P Protocols Usage | P2P protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Potentially exploitable protocol handlers | Detects and blocks the use of potentially exploitable protocol handlers.
Reference to Local Resources | Any remote access to a local file is a clear violation of the Internet Zones separation.
Remote Code Execution, Remote Data Theft, and all Drag and Drops Generic Protection | Certain Internet Explorer default style behaviors can be used for remote cross-zone scripting.
Reoccuring Function Invocation or Expression Evaluation | Expression evaluation and time elapsed function invocation functions can be used for masking malicious actions.
Resource Protocols Usage | Resource protocol handlers (e.g. using the "res" protocol handler) can be used for remote cross-zone scripting.
Script Source Attributed to an Icon | The link tag allows loading a custom image as the icon for a website, displayed in the location bar and in the tab title. Setting the href attribute of this tag to a javascript URL is potentially malicious and non-standard behavior.
Sensitive Data Compromise | Some Internet Explorer HTML Tags and style behaviors can be used to disclose sensitive private information.
Show Modeless Dialog Suspicious Usage of Function | A modeless dialog, when combined with specially crafted scripts, can be used for phishing and spoofing attacks.
Size Limitation of Tag Property Inside HTML Content | Setting a very long value in HTML tag attributes can be used for buffer overflow attacks.
Telnet Protocols Usage | Telnet protocol handlers can be used for remote cross-zone scripting or buffer overflow attacks.
Using Script Encoded Functions | Scripts that are encoded or may attempt to encode content are considered potentially malicious as this technique is used to bypass signature based security protocols.
Web Forms Auto Completion Text | Scripts that use auto-complete functions can disclose a user's private information.
Windows and Frames Showing in an Absolute Position | Setting the position of windows or frames can be used for phishing and spoofing attacks.

The Higher Sensitivity Profile contains the same Script Behavior Profile information. However, in this screen all the options are checked.

See also: Condition Settings: Script Behavior, File System Operations, Windows Network Operations, Registry Operations, Operating System Operations
Condition Settings: Time Frame

The existing M86 time frames given with the system can be modified to suit local times and customs. New Time Frames can also be added. This condition enables the administrator to modify organizational demands and needs according to varying times of the week, thereby increasing system efficiency and productivity. The Time Frame included as a Condition for Policy Rules can be configured here.

To generate a new item in a Time Frame:
1. Right-click on the top-level heading Time Frame and select Add Component.
2. Enter an appropriate Time Frame name.
3. In the Time Frames section, click to add a new row.
4. Enter a Name, From Day, From Time and To Day, To Time values as required.
5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete Time Frame.
6. Click Save to apply the changes. Next, click to commit them.
7. If you need to modify this list in the future, click Edit and make your changes.

Condition Settings Tree Options
The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.
To access the Used In data:

Navigate in the Management Console to Policies → Condition Settings and select the specific condition component. For example:
1. Policies → Condition Settings → Time Frame.
2. Right-click the component or click the icon in the furthest left pane and select Used In.
3. The Used In screen appears.
4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page.
5. The selected screen will open for viewing.
Return to the Used In screen by navigating through Policies → Condition Settings → to the specific Component.

See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Active Content List, Condition Settings: Archives, Condition Settings: Binary Behavior, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote
Condition Settings: Upstream Proxy
After traffic is scanned by the SWG system, it can be sent either to a router, based on routing table information, or to an upstream proxy, where the request is sent in proxy format. Before configuring any upstream policy, the upstream proxy must first be configured in the Condition Settings upstream screen. Right click the top Upstream Proxy node to Add Component, or click in the left tree pane.
NOTES: Direct is the default Upstream Proxy component and is therefore not editable. The Upstream Proxy window provides settings for upstream proxy configuration.
Figure 6-100: Upstream Proxy

The following table provides information on the HTTP Upstream fields:

Field Name | Description
Client IP Header | Header information for user identifiers supplied by an upstream proxy.
User Name Header | Specifies the User Name in the Header Field.
Protocol - Host - Port - Active | For each protocol (HTTP, HTTPS, FTP) click Active and add the required IP address. To use the same proxy for all protocols, select Use for all protocols.
The Enable caching per whole proxy definition checkbox allows caching to be activated globally, OR on a per upstream proxy basis.
WARNING: A valid caching-enabled SWG license is required for the Enable caching per whole proxy definition to work. If no valid license exists, enabling this checkbox becomes irrelevant.

See also: HTTP, HTTPS, Header Fields, Device IP

Condition Settings: URL Lists

The URL lists allow you to include specific URLs in a white list (allowed) or black list (blocked) to accelerate system performance. URL lists play a large part in Security Policy making. M86 predefined URL lists, such as M86 Security Recommended White List, cannot be modified. The following right-click options are available from the URL Lists tree:
Action | Description
Delete List | Available from specific URL list Component. Deletes the list.
Import to List | Available from specific Component. Allows importing many URL addresses into a list. Please refer to Generating a New Item in a URL List.
Export to File | Available from specific Component. Allows exporting the URL addresses within a list to a file which can then be edited, printed, imported etc.
Delete all Items | Available from specific Component. Deletes all the URL addresses in the list on the right screen.
Used In | Available for all Components. Allows the administrator to see in which policies and rules this particular condition was used.

NOTES: The Bypassed Context Scanning List can be edited here but is not included in Rule Conditions. You can edit this list to decide which embedded objects do NOT need to be scanned in their full context. This is automatically used as part of the scanning process.

Generating a New Item in a URL List
There are two different ways to add URLs to this new list. The first option involves importing pre-created text files or xml files containing URL addresses (without protocols).
To add XML or txt files containing URLs to the list:
1. First, write a text file of URLs, with each URL starting on a new line. OR write an XML file with each node representing a URL.
2. Next, save the file to a known location. Alternatively, export an existing list of URLs to a known location and edit the list.
3. Right-click on the list you want to import the files to on the right of the screen and select Import to List.
4. Click Browse and navigate to your saved file. Next, click Open on the Windows dialog box.
5. Click Import, located on the bottom of the screen. The contents of the file, that is, the URL addresses, appear in the pane.
6. Click Save to apply changes. Next, click to commit them.

The second option involves adding individual URLs (without protocols) to the list.

To add individual URLs to a given list:
1. Right-click on the top-level heading and select Add List.
2. Enter an appropriate URL List name.
NOTES: To include the entire domain, a slash (/) and an asterisk (*) must be added.
3. In the URL section, click to add a new row.
4. Enter an appropriate URL.
5. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete URL.
6. In the Regular Expressions tab, click Edit.
7. Click to Add a Regular Expression URL. Enter a brief description of this URL. For information on allowable syntax in this field, see Regular Expressions.
8. Right click in subsequent rows to add or delete Regular Expression URL records.
9. Click Save to apply changes. Next, click to commit them.
10. If you need to modify this list in the future, click Edit and make your changes.

See also: Condition Settings: URL Lists, Condition Settings: Vulnerability Anti.dote

To find a specific URL:
1. Right-click on the top-level heading and select Find URL.
2. In the Find URL field of the URL Lists screen, enter an appropriate URL. This field requires only a partial URL.
3. In the URL section, click to add a new row.
4. Enter an appropriate URL. Repeat for as many times as necessary. You can delete entries by clicking on the same row as the entry and selecting Delete URL.

Regular Expressions

The URL list also supports Regex (regular expressions, used to describe or match a set of strings according to certain syntax rules) for URL categorization. A regular expression may be defined for each category as well as for the URL List, and several regular expressions may be defined for each category. As with all regular expressions, the specific syntax rules vary depending on the library used. The following tables contain the supported regular expression syntax used in the M86 SWG URL lists:
Character representations:
Sequence Meaning
\a Alert (bell).
\b Backspace.
\e ESC character, x1B.
\n Newline.
\r Carriage return.
\f Form feed, x0C.
\v Horizontal tab, x09.
\t Vertical tab, x0B.
\octal Character specified by a three-digit octal code.
\xhex Character specified by a hexadecimal code.
\cchar Named control character.
"..." All characters taken as literals between double quotes, except escape sequences.
Character classes and class-like constructs:
Sequence Meaning
[...] A single character listed or contained within a listed range.
[^...] A single character not listed and not contained within a listed range.
. Any character.
\d Digit character ([0-9]).
\D Non-digit character ([^0-9]).
\s Whitespace character ([ \t\n\r\f\v]).
\S Non-whitespace character ([^ \t\n\r\f\v]).
\w Word character ([a-zA-Z0-9_]).
\W Non-word character ([^a-zA-Z0-9_]).
Alternation and Repetition:
Sequence Meaning
...|... Try subpatterns in alternation.
* Match 0 or more times (greedy).
+ Match 1 or more times (greedy).
? Match 0 or 1 times (greedy).
{n} Match exactly n times.
{n,} Match at least n times (greedy).
{n,m} Match at least n times but no more than m times (greedy).
*? Match 0 or more times (abstemious).
+? Match 1 or more times (abstemious).
?? Match 0 or 1 times (abstemious).
{n,}? Match at least n times (abstemious).
{n,m}? Match at least n times but no more than m times (abstemious).
{MACRO} Include the regex MACRO in the current regex.
Anchors:
Sequence Meaning
^ Start of string or after a new line.
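The URL list import formats and the whole-domain note above, together with the regular expression syntax in these tables, as an added example that is not part of this guide or of the SWG product: a small Python evaluator that loads constructed list files, expands {MACRO} references before compiling, and reports whether a request URL is white-listed, black-listed, or falls through to scanning. Assumed rather than stated by the guide: the XML import layout, the white-before-black rule order, that a bare host entry matches only its root path, and that the documented syntax is evaluated with Python's `re` module.

```python
"""Constructed example, not M86 code: load SWG-style URL list files and decide
whether a request URL is white-listed, black-listed, or neither.  Assumed (the
guide does not say): entries are host/path with the protocol stripped; host/*
covers every path of that exact host (the note above); a bare host matches only
its root path; regex entries follow the syntax tables above and run under
Python's re module; {MACRO} refers to a locally defined sub-pattern; the XML
import layout is <urls><url>host/path</url>...</urls>."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# {NAME} beginning with a letter is a macro reference; {n}, {n,} and {n,m}
# begin with a digit and are left alone as repetition counts.
_MACRO_REF = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_macros(pattern, macros, _depth=0):
    """Replace each {NAME} with its regex as a non-capturing group; recursion
    lets a macro use another macro, and the depth cap turns a cycle into an
    error instead of a hang."""
    if _depth > 10:
        raise ValueError("regex macros nest too deeply (cycle?)")

    def repl(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError("undefined regex macro {%s}" % name)
        return "(?:" + expand_macros(macros[name], macros, _depth + 1) + ")"
    return _MACRO_REF.sub(repl, pattern)


def normalize(url):
    """host/path[?query] with the protocol removed and the host lower-cased,
    the form in which list entries are written."""
    if "://" not in url:
        url = "http://" + url          # entries and bare hosts carry no protocol
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (parts.hostname or "").lower() + path


def load_text_list(text):
    """Text import format: one URL per line, blank lines skipped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def load_xml_list(xml_text):
    """XML import format (assumed layout): every <url> element is one entry.
    Files here are admin-authored; use a hardened parser for untrusted XML."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter("url") if e.text and e.text.strip()]


def plain_entry_matches(entry, url):
    """Exact entry, or whole-domain entry written as host/* (the note above)."""
    entry = normalize(entry)           # idempotent: raw or normalized input
    if entry.endswith("/*"):
        return url.startswith(entry[:-1])   # "host/" prefix: any path of host
    return url == entry


class UrlList:
    """A named list of plain entries plus regex entries."""

    def __init__(self, name, plain=(), regex=(), macros=None):
        self.name = name
        self.plain = [normalize(e) for e in plain]
        self.regex = [re.compile(expand_macros(p, macros or {}), re.IGNORECASE)
                      for p in regex]

    def match(self, url):
        """Return the matching entry (plain text or expanded regex), else None."""
        u = normalize(url)
        for entry in self.plain:
            if plain_entry_matches(entry, u):
                return entry
        for rx in self.regex:
            if rx.search(u):
                return rx.pattern
        return None


# Constructed sample import files and regex entries, not M86's predefined lists.
WHITE_TXT = "intranet.example.com/*\nwww.example.org/index.html\n"
BLACK_XML = "<urls><url>known-bad.example.net/*</url></urls>"
MACROS = {"IP": r"\d{1,3}(\.\d{1,3}){3}"}      # used as {IP} in BLACK_REGEX
BLACK_REGEX = [r"^{IP}/", r"\.(exe|scr)"]

WHITE = UrlList("White List", plain=load_text_list(WHITE_TXT))
BLACK = UrlList("Black List", plain=load_xml_list(BLACK_XML),
                regex=BLACK_REGEX, macros=MACROS)


def decide(url, white=WHITE, black=BLACK):
    """Assumed rule order: white list first (allow), then black list (block);
    anything else falls through to full content scanning."""
    hit = white.match(url)
    if hit is not None:
        return "allow", hit
    hit = black.match(url)
    if hit is not None:
        return "block", hit
    return "scan", None
```

Calling decide("http://10.1.2.3/loader") returns ("block", the expanded {IP} pattern), while a URL on neither list returns ("scan", None).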
See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Active Content List, Condition Settings: Archives, Condition Settings: Binary Behavior, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: Vulnerability Anti.dote, Generating a New Item in a URL List
Condition Settings Tree Options
The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.
To access the Used In data:

Navigate in the Management Console to Policies → Condition Settings and select the specific condition component. For example:
1. Policies → Condition Settings → URL Lists.
2. Right-click the component or click the icon in the furthest left pane and select Used In.
3. The Used In screen appears.
4. Rules may contain numerous components and policies may contain various rules. As such, to view the policies in which this item is used and the rules accorded to the policy, click on a specific record and select either Navigate to Policy page or Navigate to Rule page.
5. The selected screen will open for viewing.

Return to the Used In screen by navigating through Policies → Condition Settings → to the specific Component.
Condition Settings: Vulnerability Anti.dote

Vulnerability Anti.dote utilizes a multi-layered rule-based engine that can "understand" HTML, scripts and other programmatic components that make up HTTP-based content, at a level similar to compiler analysis. M86's MCRC experts create detailed rules that capture the essence of the various possible vulnerabilities in browser applications, the Windows operating system and services, and other applications that can be accessed by active content such as FTP, Windows Media Player, etc. Based on these behavioral rules, M86's scanning servers detect any attempt to exploit one or more vulnerabilities and block such content from entering your network. Vulnerability Anti.dote appears as several tabs of identifiable browser and operating system vulnerabilities proprietary to M86. This Vulnerability Anti.dote profile is not configurable, but is updated by MCRC Security Updates as new Windows vulnerabilities are discovered. It is also possible to create a customized Vulnerability Anti.dote profile, selecting the required vulnerabilities to be added to the profile. The Vulnerability Anti.dote profile contains the following list of vulnerabilities:
• Crashing Internet Clients
• Remote Script
• Remote ActiveX
• Cross-Site and Spoofing
• Buffer Overflows
• 3rd Parties

See also: Condition Settings, Available Condition Settings Tree Options, Condition Settings: Active Content List, Condition Settings: Archives, Condition Settings: Binary Behavior, Condition Settings: Content Size, Condition Settings: Data Leakage Prevention, Condition Settings: Destination Port Range, Condition Settings: File Extensions, Condition Settings: Header Fields, Condition Settings: HTTPS Certificate Validation, Condition Settings: IP Range, Condition Settings: Pre Authenticated Headers, Condition Settings: Script Behavior, Condition Settings: Time Frame, Condition Settings: URL Lists
Crashing Internet Clients, Remote Script, Remote ActiveX, Cross-Site and Spoofing, Buffer Overflows, 3rd Parties

Crashing Internet Clients

The following table describes the Denial of Service vulnerabilities:

Crashing Internet Clients | Description
BrowseDialog class Internet Explorer Denial of Service vulnerability | BrowseDialog ActiveX control is prone to a Denial of Service vulnerability. Could allow a remote attacker to cause Denial of Service
DirectAnimation.StructuredGraphics Control ActiveX denial of service vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference
FireFox object DoS | Mozilla Firefox is prone to a denial of service vulnerability
IE ActiveX bgColor Property Denial of Service vulnerability | Multiple ActiveX controls in Microsoft Windows operating systems allow an attacker to cause Denial of Service to Internet Explorer.
IE CLSID Denial of Service Vulnerability | Microsoft Internet Explorer allows remote attackers to cause a denial of service (crash) via an OBJECT tag that contains a crafted CLSID
IE DirectAnimation.DAUserData Denial of Service vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service using the DirectX component responsible for animations in a certain manner.
IE DXImageTransform.RevealTrans Denial of Service Vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference
IE HREF Save as Denial of Service vulnerability | A vulnerability in Microsoft Internet Explorer allows a remote user to create a link that will cause the target user's browser to crash when attempting to save the link
IE HtmlDlgSafeHelper Denial of Service Vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference
IE Listbox Object DoS vulnerability | A vulnerability in Microsoft Internet Explorer which could cause Denial of Service.
IE Malformed File URI Denial of Service Vulnerability | The affected browser will crash when a malformed 'file:' URI is processed.
IE Meta Tag Denial of Service vulnerability | Internet Explorer allows remote attackers to cause a denial of service (crash), which triggers a null dereference
IE MHTML Redirect Denial of Service Vulnerability | A Denial of Service occurs when Internet Explorer attempts to parse certain malformed HTML content.
IE MHTMLFile Denial of Service Vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference
IE Object.DXTFilter Denial of Service Vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a NULL pointer dereference
IE OVCtl NewDefaultItem Denial of Service Vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by an integer underflow and a NULL pointer dereference
IE Print Without Prompt Vulnerability | Uses the OLE object method ExecWB to bypass the page-print dialog box
IE Recursive JavaScript Event Denial of Service Vulnerability | Indirect recursive calling of an onError event which redefines an invalid source to an image tag
IE Style Tag Comment Memory Corruption Vulnerability | Microsoft Internet Explorer is vulnerable to a heap-based buffer overflow which can be exploited by a remote attacker to execute arbitrary code
IE TriEditDocument.TriEditDocument Denial of Service Vulnerability | Vulnerability in Microsoft Internet Explorer that may allow a denial of service.
IE Window Function Crash Vulnerability | Prevents IE crash when calling the window function, or with no user interaction when calling from an onload event.
IE7 DoS Vulnerability | Microsoft Internet Explorer 7 is prone to a denial-of-service vulnerability which allows attackers to consume excessive CPU resources
Microsoft ADODB.Connection ActiveX Denial of Service vulnerability | ADODB.Connection ActiveX object contains a vulnerability which may cause Remote Code Execution
Microsoft CEnroll stringToBinary DoS vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a memory access error
Microsoft IE OutlookExpress.AddressBook COM Object memory corruption vulnerability | Vulnerability in Microsoft Internet Explorer that may allow a denial of service due to a null-pointer dereference.
Microsoft Internet Explorer Malformed HTML Null Pointer Dereference Vulnerability (mshtml.dll) | Microsoft Internet Explorer version 6 crashes when executing 'for' scripts
Microsoft Office Outlook Recipient Control (ole32.dll) Denial of Service vulnerability | Microsoft Recipient ActiveX control in Windows XP SP2 allows remote attackers to cause a denial of service (Internet Explorer 7 hang) via crafted HTML
Microsoft OWC11 DataSourceControl DoS vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by an integer underflow and a NULL pointer dereference
Mozilla Firefox Range Object Denial of Service Vulnerability | A Denial of Service vulnerability can occur in Mozilla Firefox.
MS dxtmsft.dll DoS vulnerability | IE may crash when handling Multiple COM Objects.
MS RDS.DataControl heap overflow vulnerability | A Microsoft Internet Explorer crash (Denial of Service) can be caused by the Remote Data Service Object (RDS.DataControl).
MS Shell32.dll Dos vulnerability | Shell32.dll is vulnerable to a buffer overflow in the ShellExecute API function. A remote attacker can overflow a buffer and possibly cause a denial of service or execute code on the system
Multiple Vendor Graphics Driver Large JPEG Processing Vulnerability | Microsoft Windows is prone to a denial of service vulnerability which manifests when an image is resized using very large dimensions
Several COM Objects Initiation Internet Explorer Crash Vulnerability | Initiation of a non-ActiveX COM object can lead to an IE crash.
See also: Condition Settings: Vulnerability Anti.dote, Remote Script, Remote ActiveX, Cross-Site and Spoofing, Buffer Overflows, 3rd Parties

Remote Script
The following table describes the Remote Script options:
Remote Script | Description
Acer Notebook LunchApp.APlunch ActiveX Control Remote Code Execution vulnerability | A vulnerability in the LunchApp.APlunch ActiveX Control, which can lead to remote code execution.
Acrobat AcroPDF.dll ActiveX Control Remote Code Execution Vulnerabilities | Using a long argument string in the LoadFile method in an AcroPDF ActiveX control could allow an attacker full control over the victim's machine. These flaws are due to memory corruption errors in the AcroPDF ActiveX control (AcroPDF.dll)
ActiveX Control and COM objects Memory Corruption Vulnerability | Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code
Alipay Password Input ActiveX Control Vulnerability | Alipay ActiveX Control is vulnerable to a remote code-execution vulnerability.
AOL CDDBControlAOL.CDDBAOLControl ActiveX Remote Code Execution vulnerability | A vulnerability in AOL's ActiveX, which could allow Remote Code Execution
AOL ICQPhone.SipxPhoneManager ActiveX remote code execution vulnerability | A vulnerability found in ICQ, which could lead to Remote Code Execution
AOL YGPPicDownload.dll Heap Corruption Vulnerabilities | The AOL YGP (You've Got Pictures) Pic Download ActiveX control is vulnerable to a buffer overflow in the downloadFileDirectory property. A remote attacker could exploit this vulnerability to execute arbitrary code on a victim's system.
Attacker toolkit detection | Detects and blocks the Web Attacker toolkit, a bundled hacking utility which allows anyone to upload a client side browser exploit to a web server and create a malicious web page
Citrix ICAClient ActiveX Remote Code Execution vulnerability | A vulnerability has been discovered in Citrix Presentation Server Client which could allow Remote Code Execution.
Code Base Vulnerability | A vulnerability exists where the codebase of an ActiveX can be modified in a way that would allow an attacker to exploit the system, and may allow code execution.
COM Object Instantiation Memory Corruption Vulnerability - CVE-2007-0218 | Microsoft Internet Explorer uses certain COM objects as ActiveX controls, which allows remote attackers to execute arbitrary code.
COM Object Instantiation Memory Corruption Vulnerability, CVE-2006-3638 (MS06-042) | Microsoft Internet Explorer uses certain COM objects as ActiveX controls, which allows remote attackers to execute arbitrary code.
daxctle.ocx Heap Overflow Vulnerability | Microsoft Internet Explorer is vulnerable to a denial of service, caused by a heap overflow when the DirectAnimation.PathControl COM object is instantiated as an ActiveX control with an invalid Spline method
DirectAnimation ActiveX Controls Memory Corruption Vulnerability | Vulnerability in DirectAnimation ActiveX controls. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
IE %USERPROFILE% Folder Disclosure Vulnerability | Microsoft Internet Explorer is prone to an issue which could permit an attacker to load a known, existing file in a user's temporary directory
IE AutoScan Method Browser Security Policy Violation Vulnerability | A flaw has been reported in Microsoft Internet Explorer in the way the AutoScan method is implemented. This weakness may result in the violation of the browser security policy.
IE BackToFramedJPU Cross-Domain Policy Vulnerability: Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 are vulnerable to cross-site scripting.
IE Cached Objects Zone Bypass Vulnerability: Internet Explorer allows remote attackers to bypass the cross-domain security model, access information on the local system or in other domains, and execute code, via cached methods and objects.
IE Cascading Style Sheet File Disclosure Vulnerability: Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to read portions of files on other users' systems, caused by a vulnerability in Cascading Style Sheets (CSS).
IE Codebase Double Backslash Local Zone File Execution: A vulnerability in IE may permit HTML documents to gain unauthorized access to local resources by using specific syntax.
IE createObject vulnerability: This rule handles a vulnerability in some COM objects which could allow remote code execution.
IE Cross-Domain Event Leakage Vulnerability: Microsoft Internet Explorer is prone to an issue that may leak sensitive information across foreign domains.
IE Custom HTTP Error HTML Injection Vulnerability: A vulnerability in Internet Explorer which can be exploited by malicious people to execute arbitrary script code, due to an input validation error in the custom error pages generated by IE.
IE DHTML Object handling vulnerabilities: A race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer allows remote attackers to execute arbitrary code.
IE DHTML Script Function Memory Corruption Vulnerability: A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls.
IE Dialog Same Origin Policy Bypass Vulnerability: A cross-site scripting vulnerability in Internet Explorer allows remote attackers to execute scripts in the Local Computer zone.
IE Document Reference Zone Bypass Vulnerability: A vulnerability has been reported in Microsoft Internet Explorer that may allow remote attackers to execute script code in the context of other domains/security zones.
IE Double Backslash CHM File Execution Vulnerability: Microsoft Internet Explorer version 6.0 could allow a remote attacker to execute files on a vulnerable system.
IE DragDrop Method Local File Reading Vulnerability: The file upload control in Microsoft Internet Explorer allows remote attackers to automatically upload files from the local system via a web page containing a script that uploads the files.
IE Implicit Drag and Drop File Installation Vulnerability: Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on a victim's system, caused by a vulnerability in the dragDrop method.
IE ITS Protocol Zone Bypass Vulnerability: Microsoft Internet Explorer is prone to a vulnerability that may permit hostile content to be interpreted in the Local Zone, exploited via the ITS Protocol URI handler.
IE Java Script Local File Enumeration Vulnerability: JavaScript can be used to enumerate files on the local machine and reveal confidential information regarding the system.
IE Local Resource Reference Vulnerability: Local resources on the system (files and applications) can be referenced and used from within IE, which may lead to information disclosure and code execution.
IE Malicious Shortcut Self-Executing HTML Vulnerability: A vulnerability exists in Microsoft Internet Explorer which allows malicious web content to create a self-executing HTML file. When that file contains scripting that creates, modifies and saves a link (.lnk) file on the system, it leads to remote code execution.
IE MMS Protocol Handler Executable Command Line Injection Vulnerability: Prevents MMS Protocol Handler executable command line injection.
IE Script URL Cross-Domain Access Violation Vulnerability: Microsoft Internet Explorer allows a remote attacker to bypass the cross-domain security model, caused by a vulnerability when a specific programming function is used.
IE Self-Executing HTML File Vulnerability: Microsoft Internet Explorer contains a vulnerability that can allow script code within an HTML document to run an embedded executable file.
IE Shell.Application Object Script Execution Vulnerability: Microsoft Internet Explorer could allow a remote attacker to execute code on a victim's system. A remote attacker could create a malicious Web page that uses the Shell.Application ActiveX object, which would execute arbitrary code on the victim's system.
IE ShowHelp Arbitrary Command Execution Vulnerability: Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to bypass the cross-domain security model, caused by a vulnerability in the Windows showHelp() method.
IE Temporary Internet Files Folder Disclosure Vulnerability: An attacker can gain access to the path of the Temporary Internet Files folder on a remote machine. This can lead to exploitation of existing vulnerabilities to enable an attacker to execute any program.
IE Unauthorized Document Object Model Access Vulnerability: Microsoft Internet Explorer is prone to a vulnerability that may enable a frame or iframe to gain unauthorized access to the Document Object Model (DOM) of other frames/iframes in a different domain.
IE Unconfirmed Memory Corruption Vulnerability: Internet Explorer may be prone to a potential memory corruption vulnerability that could allow a remote attacker to cause a denial of service condition in the browser.
IE VML Vulnerability: A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows.
IE WebViewFolderIcon vulnerability: Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on the system.
IE window.open Media Bar Cross-Zone Scripting Vulnerability: Microsoft Internet Explorer may be prone to a cross-zone scripting vulnerability that could ultimately lead to execution of malicious script code and Active Content.
IE window.open Search Pane Cross-Zone Scripting Vulnerability: A vulnerability in Microsoft Internet Explorer could enable unauthorized access by malicious scripts and Active Content to document properties across different Security Zones and foreign domains.
IE WMIScriptUtils createObject vulnerability: This rule handles a vulnerability in WMIScriptUtils CreateObject. An attacker who successfully exploits this vulnerability could gain the same user rights as a local user and gain full control over the victim's machine.
IE XML Page Object Type Validation Vulnerability: Internet Explorer does not properly handle object types when rendering XML-based web sites. This may result in execution of malicious software.
IE5 with Office 2000 Remote Command Execution Vulnerability: Prevents Remote Code Execution for Microsoft Internet Explorer 5 users with Microsoft Office 2000 installed.
MHTML Forced File Execution Vulnerability: A vulnerability has been discovered in Microsoft Outlook Express when handling MHTML file and res URIs that could lead to an unexpected file being downloaded and executed.
MHTML Redirection Local File Parsing Vulnerability: A vulnerability in Microsoft Outlook Express may allow an attacker to parse local files on a system. The vulnerable component is also used by Microsoft Internet Explorer.
MHTML URL Handler File Rendering Vulnerability: Microsoft Outlook Express introduced a URL handler called MHTML (MIME Encapsulation of Aggregate HTML). This allows Internet Explorer to pass MHTML files to Outlook Express for rendering.
Microsoft Windows VML Buffer Overrun Vulnerability (MS07-004): A vulnerability in Vector Markup Language could allow Remote Code Execution.
Microsoft XMLHTTP.4.0 ActiveX remote code execution vulnerability: A vulnerability in the Microsoft XML Core Services XMLHTTP ActiveX control which could lead to Remote Code Execution.
MMC Redirect Cross-Site Scripting Vulnerability, CVE-2006-3643 (MS06-044): Microsoft Windows 2000 Management Console (MMC) is vulnerable to cross-site scripting, caused by improper restrictions on certain embedded resource files used by the Microsoft Management Console library.
Mozilla Browser Cache File Multiple Vulnerabilities: Mozilla Browser is prone to multiple vulnerabilities that could eventually allow code execution on the local computer.
Mozilla Browser Input Type HTML Tag Unauthorized Access Vulnerability: A remote attacker could create a malicious Web page containing JavaScript code which would cause a malicious file to be uploaded to a server once the Web page is visited.
Mozilla data: URI Remote Code Execution Vulnerability: Prevents security restriction bypass and Remote Code Execution.
Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability: Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability.
Mozilla Shared Function Objects Remote Code Execution Vulnerability: Prevents exploitation of a Remote Code Execution vulnerability in some of Mozilla's shared function objects.
MS ADODB Buffer overflow vulnerability: Microsoft's ADODB is vulnerable to a buffer overflow attack that can result in remote code execution.
MS CAPICOM.Certificates RCE Vulnerability: A remote code execution vulnerability exists in the Cryptographic API Component Object Model (CAPICOM) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
MS IE COM Object Instantiation Memory Corruption Vulnerability: Microsoft Internet Explorer uses certain COM objects from Imjpcksid.dll as ActiveX controls, which allows remote attackers to execute arbitrary code.
MS IE COM Object Instantiation Memory Corruption Vulnerability - CVE-2007-0219: A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution.
MS IE COM Object Instantiation Memory Corruption Vulnerability - CVE-2006-4697: Microsoft Internet Explorer uses certain COM objects from Imjpcksid.dll as ActiveX controls, which allows remote attackers to execute arbitrary code.
MS MDSAuth.DLL ActiveX Control Remote Code Execution Vulnerability: The Microsoft Windows Media Server ActiveX control is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows remote attackers to execute arbitrary code on an affected system.
MS Shell Object Vulnerability: The Shell object used from Microsoft Internet Explorer can be exploited to allow remote code execution.
Multiple IE Script Execution Vulnerabilities: Multiple issues in Microsoft Internet Explorer.
Multiple Vendor URI Protocol Handler Arbitrary File Creation/Modification Vulnerability: A vulnerability has been identified in multiple products from multiple vendors that may allow a remote attacker to create or modify arbitrary files.
Object tag vulnerability: Crafting an Object tag in a certain manner can allow an attacker to execute code from web pages viewed by Internet Explorer.
RDS Cross Zone Scripting Vulnerability: Blocks cross-zone scripting using the RDS ActiveX object.
Rediff Bol Downloader (ActiveX Control) Remote Code Execution vulnerability: This vulnerability allows remote code execution and may compromise affected computers.
Softwin BitDefender AvxScanOnlineCtrl COM Object Remote File Upload and Execution Vulnerability: The AVXSCANONLINE.AvxScanOnlineCtrl.1 ActiveX control in BitDefender Scan Online allows remote attackers to obtain sensitive information or download and execute arbitrary code.
Sun Java Runtime Environment Java Plug-in Java Script Security Restriction Bypass Vulnerability: The Java plug-in used to run applets from within a web page is vulnerable to an attack vector that would allow bypassing the built-in security mechanisms and result in code execution.
SupportSoft ActiveX Remote Code Execution Vulnerability: Some vulnerabilities have been reported in various SupportSoft ActiveX controls which can be exploited by malicious people to compromise a user's system.
VeriSign ConfigChk ActiveX Control Buffer Overflow Vulnerability: A vulnerability has been identified in the VeriSign ConfigChk ActiveX control which could be exploited by remote attackers to take complete control of an affected system.
Windows Media Player Plugin Buffer Overflow Vulnerability: A buffer overflow in the plug-in for Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.
Windows Media Player PNG Vulnerability: Microsoft Windows Media Player is prone to a remote code-execution vulnerability related to the handling of malicious PNG images.
Windows XP Explorer Self-Executing Folder Vulnerability: Microsoft Windows XP Explorer allows attackers to execute arbitrary code via HTML and script in a self-executing folder that references an executable file within the folder, which is automatically executed when a user accesses the folder.
Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability: Microsoft Windows XP is vulnerable to cross-site scripting, caused by a vulnerability in the helpctr.exe program.
Winzip remote code execution vulnerability: WinZip is prone to multiple remote code-execution vulnerabilities in an ActiveX control that is installed with the package.
See also: Condition Settings: Vulnerability Anti.dote; Crashing Internet Clients; Remote ActiveX; Cross-Site and Spoofing; Buffer Overflows; 3rd Parties
Remote ActiveX
The following table describes the options:
Remote ActiveX Description
DigWebX ActiveX Control Unspecified Vulnerability: Prevents initiation of old versions of the DigWebX ActiveX Control.
IE Cross Frame security vulnerability: Internet Explorer versions 5.5 and 6.0 are vulnerable to a Cross Frame Scripting attack, which may allow execution of arbitrary code.
IE NavigateAndFind Zone Bypass Protection: Internet Explorer allows remote attackers to bypass zone restrictions by using the NavigateAndFind method to load a file.
IE RDS ActiveX Vulnerability: Microsoft Data Access Components (MDAC) is a collection of components that provide the back-end technology which enables database access for Windows platforms.
IE Self-Executing HTML Arbitrary Code Execution Vulnerability: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine, allows remote attackers to execute arbitrary code in the Local Security context.
IE ShowHelp Arbitrary Command Execution Vulnerability: Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to bypass the cross-domain security model, caused by a vulnerability in the Windows showHelp() method.
Office Web Components Active Script Execution Vulnerability: A vulnerability in a Microsoft Office Web Components (OWC) Spreadsheet component makes it possible to execute arbitrary Active Script code, even when Active Scripting has been disabled by the client.
Office Web Components Clipboard Information Disclosure Vulnerability: A vulnerability in the OWC Spreadsheet component makes it possible to gain control of clipboard operations, even when the "Allow paste operations via script" security feature in IE is disabled.
Outlook Web Access HTML Attachment Script Execution Vulnerability: An interaction between Outlook Web Access (OWA) and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code.
Spyware object detected: This rule was created in order to avoid false positives on top sites.
Windows HTML Help Control Cross-Zone Scripting Vulnerability: The Windows Help Control is used to display Help information when using the PC. When this vulnerability is exploited from a web page, the permissions of the malicious script could be elevated to those of the Help object and bypass security mechanisms.
Windows Media Player Automatic File Download and Execution Vulnerability: A vulnerability in Windows Media Player which allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters.
Windows Media Player IE Zone Access Control Bypass Vulnerability: A method for evading the zone-based access control model used by Microsoft Internet Explorer which relies on a flaw in Windows Media Player that allows untrusted content to access the Local Zone.
See also: Condition Settings: Vulnerability Anti.dote; Crashing Internet Clients; Remote Script; Cross-Site and Spoofing; Buffer Overflows; 3rd Parties
Cross-Site and Spoofing
The following table describes the options:
Cross-Site and Spoofing Description
Bookmark URL-check Bypass Vulnerability: Prevents a security validation bypass vulnerability on URIs saved in favorites.
Cross Site Scripting in HTML Script Sections: Scripts in HTML attributes such as style can be used for malicious actions.
HTTP Request splitting protection: Protects the proxy from HTTP request splitting, which could be used to "smuggle" malicious sites by tricking the proxy into unintentionally associating a URL with another URL's page (content).
IE CDROM Ejection Vulnerability via WMP: Prevents a remote attacker from opening the CD-ROM tray using the WMPlayer ActiveX object.
IE DHTML Script Function Memory Corruption Vulnerability: A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls.
IE FTP Commands Injection Vulnerability: Prevents command injection using FTP protocol commands as part of a URL.
IE Java Script Desktop Spoofing Vulnerability: It is possible for a user to create a webpage containing JavaScript which will consume the entire screen of an unknowing Internet Explorer user.
IE Java Script Method Assignment Cross-Domain Scripting Vulnerability: Assigning methods from within a malicious script in a certain manner could allow privilege escalation of the script and execution of arbitrary code on the attacked machine.
IE mailto URI Handler Arbitrary File Attachment Vulnerability: Blocks an information disclosure vulnerability in Microsoft Outlook caused by injection of a command line argument.
IE Meta Data Foreign Domain Spoofing Vulnerability: Internet Explorer enables someone to use an SSL certificate on a website which belongs to someone else. This vulnerability can be used in phishing scams.
IE MSXML XML File Parsing Cross-Site Scripting Vulnerability: Cross-site scripting (XSS) in Internet Explorer allows remote attackers to insert arbitrary web script via an XML file that contains a parse error.
IE Popup.show Mouse Event Hijacking Vulnerability: A vulnerability exists in Microsoft Internet Explorer that may permit a malicious Web page to hijack mouse events. This could potentially be exploited to trick an unsuspecting user into performing unintended actions such as approving pop-up dialogs.
IE showModalDialog Cross-Site Scripting Vulnerability: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method.
IE Unauthorized Clipboard Contents Disclosure Vulnerability: Internet Explorer 4 allows remote attackers (malicious web site operators) to read the contents of the clipboard via the Internet WebBrowser ActiveX object.
IE window.createPopup Interface Spoofing Vulnerability (chromeless): Internet Explorer allows remote attackers to create chromeless windows using the JavaScript window.createPopup method, which could allow attackers to simulate a victim's display, conduct unauthorized activities or steal sensitive data.
IE Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability: Internet Explorer allows remote attackers to redirect drag and drop behaviors, as well as other mouse click actions, to other windows.
Internet Explorer and Mozilla Firefox Local File Disclosure Vulnerability: Internet Explorer and Mozilla Firefox are vulnerable to a JavaScript bug that could allow an attacker to trick users into giving up sensitive personal information (for version 8.4.x and above).
Internet Explorer CSS Cross-Domain Vulnerability: Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files.
Microsoft Agent Spoofing Vulnerability: Prevents loading of the Microsoft Agent ActiveX Control in order to avoid spoofing.
Mozilla FireFox about blank phishing vulnerability: Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.
Mozilla Firefox Java.net.Socket Information disclosure vulnerability: Blocks attempts to use the java.net.Socket API in a malicious manner.
Mozilla Firefox location.hostname Cross-Domain Vulnerability CVE-2007-0981: Mozilla Firefox is vulnerable to data theft. Remote attackers can steal cookies and other information by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.
Multiple Browser URI Display Obfuscation Vulnerability: A weakness has been reported in multiple browsers that may allow attackers to obfuscate the URI of a visited page.
Multiple Vendor Web Browser Java Script Modifier Keypress Event Subversion Vulnerability: In Internet Explorer and Opera, malicious JavaScript may subvert some keypress events, with consequences including the disclosure of arbitrary local files to a remote server.
Onunload Multiple Browser Entrapment Vulnerability: The vulnerability is caused by an error in multiple browsers' handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar.
Opera Web Browser IFrame OnLoad Address Bar URL Obfuscation Vulnerability: A condition in the Opera web browser causes Opera to fill in the address bar before the page has been loaded, which allows remote attackers to spoof the URL in the address bar.
Outblaze Webmail HTML Injection Vulnerability: Outblaze Webmail is reported prone to an HTML injection vulnerability because the application fails to properly sanitize user-supplied HTML email content.
See also: Condition Settings: Vulnerability Anti.dote; Crashing Internet Clients; Remote Script; Remote ActiveX; Buffer Overflows; 3rd Parties
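The "HTTP Request splitting protection" entry above says what the rule defends against but not what a proxy has to look for. The following is an added illustration written for this edition, not the SWG rule's own logic (which this guide does not publish): it percent-decodes a request target repeatedly, since attackers double-encode `%250d%250a` to get past a single decode, and then flags any CR or LF that survives, distinguishing an injected second request line (true request splitting) from an injected header field. The sample request targets are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Bound on decode passes: handles double-encoded %250d%250a without looping forever.
MAX_DECODE_PASSES = 3

# A second request line injected after a line break: classic request splitting.
REQUEST_LINE_RE = re.compile(
    r"[\r\n]+(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]"
)
# A header field injected after a line break, e.g. "\r\nSet-Cookie: ..." or "\r\nHost: ...".
HEADER_RE = re.compile(r"[\r\n]+[A-Za-z][A-Za-z0-9-]*:")


def decode_fully(target: str, max_passes: int = MAX_DECODE_PASSES) -> str:
    """Percent-decode until the string stops changing or the pass limit is hit."""
    for _ in range(max_passes):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request_target(target: str) -> dict:
    """Return {"blocked": bool, "reason": str | None, "decoded": str}.

    A well-formed request target never contains CR or LF (RFC 7230 gives them
    no place in a URI), so any occurrence after decoding is an attempt to end
    the request line early and smuggle further lines behind it.
    """
    decoded = decode_fully(target)
    if not re.search(r"[\r\n]", decoded):
        return {"blocked": False, "reason": None, "decoded": decoded}
    if REQUEST_LINE_RE.search(decoded):
        reason = "request splitting: second request line after CR/LF"
    elif HEADER_RE.search(decoded):
        reason = "header injection: header field after CR/LF"
    else:
        reason = "bare CR/LF in request target"
    return {"blocked": True, "reason": reason, "decoded": decoded}


# Constructed sample request targets (not captured traffic).
SAMPLE_TARGETS = [
    "/search?q=shoes+red",                      # benign
    "/redir?u=x%0d%0aSet-Cookie:%20sid=evil",   # header injection, single-encoded
    "/a?x=1%250d%250aGET%20/evil%20HTTP/1.1",   # split request, double-encoded
    "/a?x=1%0aunused",                          # CR/LF with nothing recognisable behind it
]


def scan_targets(targets=SAMPLE_TARGETS) -> list:
    """Classify each target; returns a list of (target, verdict) pairs."""
    return [(t, classify_request_target(t)) for t in targets]


if __name__ == "__main__":
    for target, verdict in scan_targets():
        state = "BLOCK" if verdict["blocked"] else "allow"
        print(f"{state:5}  {target!r:45} {verdict['reason'] or ''}")
```

The decision to block on any bare CR or LF, even when no recognisable header or request line follows, is deliberate: a proxy that tries to be clever about which injected lines are harmless is the one that ends up caching an attacker's response under a victim's URL, which is exactly the "associating a URL with another URL's page" outcome the entry describes.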
Buffer Overflows
The following table describes the options:
Buffer Overflows Description
IE Shell: IFrame Cross-Zone Scripting Vulnerability: The Windows Shell application allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename.
Internet Explorer Input-createTextRange Memory Corruption Vulnerability: This new rule blocks attempts to exploit the createTextRange() function vulnerability.
Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflow Vulnerability: Multiple buffer overflows in an ActiveX control (boisweb.dll) in Macrovision FLEXnet Connect could allow remote execution of malicious code.
Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow Vulnerability: An exploitable buffer overflow in Microsoft Windows DirectSpeechSynthesis and DirectSpeechRecognition which may allow remote code execution.
Mozilla InstallVersion-compareTo Remote Code Execution Vulnerability: A Remote Code Execution vulnerability exists in the way Mozilla compares installation versions. It is possible to control the EIP and therefore construct a Remote Code Execution.
MS Office DeleteRecordSourceIfUnused vulnerability: A buffer overflow in the Microsoft Office MSODataSourceControl ActiveX object allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
MS Office OUACTRL.OCX HelpPopup method Remote Buffer Overflow: A buffer overflow in the HelpPopup method of the Microsoft Office ActiveX control (OUACTRL.OCX) allows remote attackers to cause a denial of service through a specially crafted web page.
Office XP RTF Buffer Overflow Vulnerability: A buffer overflow in the Office XP RTF file format can allow Remote Code Execution.
Several COM Objects Memory Corruption Remote Code Execution Vulnerability: Prevents remote code execution through exploitation of memory corruption vulnerabilities in several COM objects.
See also: Condition Settings: Vulnerability Anti.dote; Crashing Internet Clients; Remote Script; Remote ActiveX; Cross-Site and Spoofing; 3rd Parties
3rd Parties
The following table describes the options:
3rd Parties Description
Acrobat reader XSS vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in the Adobe Acrobat Reader Plugin allow remote attackers to inject malicious JavaScript.
Akamai Download Manager ActiveX Stack Buffer Overflow Vulnerability: A stack-based buffer overflow vulnerability was detected in the Akamai Download Manager ActiveX Control. Successful exploitation allows execution of arbitrary code.
AOL SuperBuddy ActiveX Control Code Execution Vulnerability: A vulnerability in the America Online (AOL) SuperBuddy ActiveX control was detected which can be exploited to compromise a user's system.
Baofeng Storm ActiveX Remote Heap Overflow vulnerability: Multiple vulnerabilities in the Baofeng Storm application's ActiveX control may enable an attacker to execute arbitrary code on the attacked system.
BlueSkychat ActiveX Remote Heap Overflow vulnerability: A heap-based buffer overflow in the BlueSkychat ActiveX control allows remote attackers to execute arbitrary code.
CA caller dll RCE vulnerability: A vulnerability exists in eTrust Intrusion Detection that can allow a remote attacker to execute arbitrary code.
EnjoySAP ActiveX Controls Memory Corruption Vulnerabilities: A vulnerability has been discovered in the EnjoySAP ActiveX control which could allow remote attackers to execute arbitrary code.
Hewlett Packard hpqvwocx.dll Stack Overflow vulnerability: The Hewlett Packard 'hpqvwocx.dll' ActiveX control library is prone to a stack-based buffer-overflow vulnerability. Successfully exploiting this issue allows remote attackers to execute arbitrary code.
HP Digital Imaging ActiveX Arbitrary Data Write: A vulnerability has been discovered in the HP Digital Imaging ActiveX control which can be exploited by attackers to overwrite arbitrary files or compromise a user's system.
HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability: The HP Mercury Interactive Quality Center Spider Module ActiveX control contains a stack buffer overflow. Successful exploitation allows execution of arbitrary code when visiting a malicious website.
IBM Access Support (eGatherer) ActiveX Dangerous Methods Vulnerability: eEye Digital Security has discovered a security vulnerability in IBM's signed "eGatherer" ActiveX control.
IBM acpRunner ActiveX Dangerous Methods Vulnerability: The acpRunner ActiveX control allows remote attackers to execute arbitrary code via the (1) DownLoadURL, (2) SaveFilePath, and (3) Download ActiveX methods.
IBM and Lenovo Access Support acpRunner ActiveX: The IBM and Lenovo Access Support acpRunner ActiveX control could allow a remote attacker to execute arbitrary commands on the system.
IE Heartbeat ActiveX Control Unspecified Vulnerability: An unspecified vulnerability exists in the Microsoft Internet Explorer Heartbeat MSN gaming ActiveX control (heartbeat.ocx).
Image ActiveX unspecified Vulnerability: Prevents remote code execution using Image ActiveX.
jetAudio 7.x ActiveX DownloadFomMusicStore RCE vulnerability: A vulnerability in jetAudio can be exploited to overwrite files on the local system by using specially crafted code on a web page.
LinkedIn ActiveX RCE vulnerability: A critical vulnerability exists in the LinkedIn ActiveX control which can allow a remote attacker to execute arbitrary code.
McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability: Remote exploitation of a buffer overflow in an ActiveX control distributed with McAfee Security Center could allow execution of arbitrary code.
Microsoft DXMedia SDK 6 Remote Code Execution Vulnerability: A vulnerability was reported in an ActiveX control in Microsoft DirectX. A remote user can cause arbitrary code to be executed on the target user's system.
Microsoft Outlook Mailto: Parameter Quoting Zone Bypass Vulnerability: A vulnerability in Microsoft Outlook which causes insufficient filtering of parameters of mailto: URLs, allowing remote attackers to execute arbitrary programs.
Microsoft Visual FoxPro 6.0 FPOLE.OCX Remote Stack Overflow vulnerability: The Microsoft Visual FoxPro ActiveX control is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Microsoft Visual Studio 6.0 PDWizard RCE vulnerability: This vulnerability in Microsoft Visual Studio can be exploited to execute arbitrary commands on the user's computer.
Microsoft Visual Studio 6.0 VBTOVSI.DLL Arbitrary Data Write vulnerability: An absolute directory traversal vulnerability in a certain ActiveX control in the VB To VSI Support Library (VBTOVSI.DLL) in Microsoft Visual Studio 6.0 allows remote attackers to create or overwrite arbitrary files on the system.
MS Office RCE vulnerability: A remote code execution vulnerability exists in Microsoft Office.
NCTAudioEditor ActiveX DLL Arbitrary Data Write vulnerability: Multiple vulnerabilities have been identified in NCTAudioEditor and NCTAudioStudio which could be exploited by attackers to bypass security restrictions and manipulate arbitrary files.
NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow: A stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code.
Nessus ActiveX Remote Code Execution Vulnerability: A directory traversal vulnerability in a certain ActiveX control in Nessus Vulnerability Scanner 3.0.6 allows remote attackers to create or overwrite arbitrary files.
Norton Anti-Virus 2006 ActiveX Remote Code Execution: Multiple unspecified "input validation error" vulnerabilities in multiple ActiveX controls in Norton Antivirus, Internet Security, and System Works products for 2006 allow remote attackers to execute arbitrary code.
PPStream (PowerPlayer.dll) ActiveX Remote Overflow Exploit: A buffer overflow in PPStream allows remote attackers to execute arbitrary code via a long Logo parameter.
Real Player Denial of Service vulnerability: A vulnerability in RealPlayer may allow an attacker to perform a denial of service by using specially crafted web page content.
Sony Network Camera SNCP5 v1.0 ActiveX viewer Heap Overflow: A vulnerability has been discovered in the Sony Network Camera viewer ActiveX control which could allow remote code execution.
Sony/First4Internet CodeSupport ActiveX Remote Code Execution Vulnerability: The CodeSupport ActiveX control contains methods which allow remote code execution and remote denial of service.
Sony/SunnComm MediaMax AxWebRemoveCtrl ActiveX Remote Code Execution Vulnerability: This ActiveX control contains methods which allow remote code execution and remote denial of service.
Symantec COM Object Security ByPass Vulnerability (CVE-2006-3456): A vulnerability has been reported in various Symantec products, which can be exploited by malicious people to bypass certain security restrictions.
Symantec NavComUI ActiveX Control RCE Vulnerability: Two vulnerabilities in various Symantec products allow remote attackers to execute code and to compromise affected computers.
Symantec Norton Internet Security 2004 ISAlertDataCOM ActiveX control stack buffer overflow vulnerability: Buffer overflow in the ISAlertDataCOM ActiveX control for Norton Personal Firewall and Internet Security may allow remote code execution.
VMware multiple vulnerabilities: Some vulnerabilities have been reported in several VMware products, which can be exploited by malicious users to cause a DoS (Denial of Service) or bypass certain security restrictions.
Windows Media Player RCE Vulnerability: A remote code execution vulnerability exists in Windows Media Player that can be exploited by a web page containing specially crafted malicious code.
Xunlei Web Thunder ThunderServer.webThunder ActiveX multiple Vulnerabilities: Multiple vulnerabilities have been reported in the ThunderServer.webThunder ActiveX control shipped with Xunlei Web Thunder.
Yahoo Messenger ActiveX Control Buffer Overflows Vulnerability: A vulnerability was reported in Yahoo! Messenger where a remote user can create specially crafted HTML. When loaded by the target user, the HTML will trigger a buffer overflow and execute arbitrary code on the target system.
Yahoo Messenger AudioConf ActiveX Control Buffer Overflow: Yahoo! Messenger is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Yahoo.AudioConf ActiveX control.
Yahoo Messenger CYFT Object Arbitrary File Download vulnerability: This vulnerability in a certain ActiveX control in Yahoo! Messenger allows remote attackers to force the download of arbitrary files, and to create or overwrite arbitrary files.
Yahoo Widget dll Remote Code Execution Vulnerability: Stack-based buffer overflow in Yahoo! Widgets allows remote attackers to execute arbitrary code.
Yahoo! Messenger ywcupl.dll ActiveX Control Buffer Overflow: Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 could allow remote execution of malicious code.
Yahoo! Messenger ywcvwr.dll ActiveX Control Buffer Overflow: Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 could allow remote execution of malicious code.
See also:
Condition Settings: Vulnerability Anti.dote
Crashing Internet Clients
Remote Script
Remote ActiveX
Cross-Site and Spoofing
Buffer Overflows
Condition Settings Tree Options
The Used In right-click option allows the administrator, for every condition item, to determine in what rules and policies it is used.
To access the Used In data:
Navigate in the Management Console to Policies > Condition Settings and select the specific condition component. For example:
1. Policies > Condition Settings > Vulnerability Anti.dote.
2. Right-click the component, or click the icon in the left-most pane, and select Used In.
3. The Used In screen appears.
4. Rules may contain numerous components and policies may contain various rules. To view the policies in which this item is used and the rules belonging to each policy, click a specific record and select either Navigate to Policy page or Navigate to Rule page.
5. The selected screen opens for viewing. Return to the Used In screen by navigating through Policies > Condition Settings to the specific component.
Caching Policy
The SWG Appliance can be used as a caching device: content is stored in the appliance for future use, which speeds up response time. Caching policies consist of both an Action and a Condition and are configured by system administrators.
• Action: The administrator can set the Action to bypass caching according to specific URL or file extension lists, ensuring that specific non-cacheable URLs or file extensions are not cached. System administrators can also cache only specific sites or file extensions.
• Condition: Once an action is set, the administrator selects the criteria the rule will or will not match. The condition can be a specific URL list, multiple URL lists, or all lists excluding selected URL lists. Administrators can also select file extensions that M86 SWG caches or bypasses.
NOTES: M86 provides two predefined Caching Policies.
The Caching policy is a global policy that applies to all users who browse using the system. By default, when caching is enabled, all content is cached. The default policy also contains the Bypass Caching rule and has two conditions: • Bypass Cache based on URL list • Bypass Cache based on file extension lists
NOTES: The URL list and the file extension lists are empty when the policy is first installed. To bypass a specific type of traffic, edit these lists first. See Condition Settings: File Extensions and Condition Settings: URL Lists for more information.
For related information see:
Condition Settings: Active Content List
To enable Secured Caching on a global basis using a specific policy, see Cache.
See also:
Policies
Security Policies - Simplified
Assigned User Groups
Security Policies - Advanced
Master Security Policy
HTTPS Policies
Logging Policies
Identification Policies
Device Logging Policies
Default Policy Settings
Condition Settings
End User Messages
Caching Policy Details
Caching Policy Rule Details
Caching Policy Rule Condition Details
Caching Policy Details
Click on any Cache Policy to display the Details screen in the right pane.
Figure 6-101: Caching Policy Details Screen
The Caching Policy Details screen contains the following information, with the option to make changes using the Edit > Save/Cancel options:
Field Description
Policy Name: Name of the specific policy.
Description: Contains a description of the policy.
See also: Caching Policy
Caching Policy Rule Details
Caching Policy Rule Condition Details
Caching Policy Rule Details
For non-predefined rules, click Edit in the right pane to edit the fields on this screen.
Figure 6-102: Caching Policy Rule Details Screen
The Rule Details screen contains the following information:
Field Description
Rule Name: Defines the name of the Caching rule.
Description: A place for you to write a description of the rule.
Enable Rule: When checked, the rule is enabled. When unchecked, the rule is disabled.
Action (Cache): The web content is cached.
Action (Bypass Cache): The web content is not cached.
See also: Caching Policy
Caching Policy Details
Caching Policy Rule Condition Details
Caching Policy Rule Condition Details
To add a condition to a caching policy rule, right-click the rule in the Policies tree and click Add Condition. The Condition Details screen appears in the right pane. To edit an existing condition, click Edit in this pane.
Figure 6-103: Caching Policy Rule New Condition Details Screen
The Condition Details screen displays the following information:
Field Description
Condition Name: Displays the name of the Condition. If you are defining a new condition, choose the required condition from the drop-down list. The following options are available:
• File Extensions
• Location
• URL Lists
Applies To: You can select whether the items are to be included or excluded. In other words, you can either apply this rule to everything selected below, or apply this rule to everything EXCEPT the items selected below.
Select/Deselect All: Select or deselect all the items in the Condition.
The items will display differently according to the Condition you have chosen.
For further information on each condition type, see:
File Extensions: Condition Settings: File Extensions
Location: Location
URL Lists: Condition Settings: URL Lists
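The following Python example is added to this guide for illustration only; it is not part of the SWG product or its code. It models how a Caching Policy of the kind described above is evaluated: rules are tried in order, each with an Action (Cache or Bypass Cache) and conditions of type File Extensions or URL Lists whose Applies To setting either includes or excludes the selected items, and the policy default of Cache applies when no rule matches. It also shows a reverse lookup in the spirit of the Used In option. The AND semantics between conditions within one rule, host-suffix matching for URL lists, the list contents, the rule names and all function names are assumptions; the predefined policy's single Bypass Caching rule is split into two rules here for clarity.

```python
"""Model of SWG caching-policy evaluation. Added example, not M86 code.
Assumptions: conditions inside one rule are ANDed, URL lists hold host
names matched by suffix, and the list contents below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Condition types offered on the Condition Details screen.
FILE_EXTENSIONS = "File Extensions"
URL_LISTS = "URL Lists"

# Constructed URL lists standing in for the (initially empty) lists under
# Condition Settings: URL Lists.
URL_LIST_DB: Dict[str, List[str]] = {
    "Non-Cacheable Sites": ["intranet.example.test", "webmail.example.test"],
    "Streaming Sites": ["video.example.test"],
}


@dataclass
class Condition:
    name: str                         # FILE_EXTENSIONS or URL_LISTS
    items: List[str]                  # selected list names or extensions
    applies_to_selected: bool = True  # False = "everything EXCEPT the items selected"


@dataclass
class Rule:
    name: str
    action: str                       # "Cache" or "Bypass Cache"
    conditions: List[Condition] = field(default_factory=list)
    enabled: bool = True              # the Enable Rule checkbox


@dataclass
class CachingPolicy:
    name: str
    rules: List[Rule]
    default_action: str = "Cache"     # "when caching is enabled, all content is cached"


def url_in_list(url: str, list_name: str) -> bool:
    """True if the URL's host is (or is under) a host in the named list."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in URL_LIST_DB.get(list_name, []))


def url_extension(url: str) -> str:
    """Extension of the last path segment, lower-cased, or "" if there is none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def condition_matches(cond: Condition, url: str) -> bool:
    if cond.name == URL_LISTS:
        hit = any(url_in_list(url, name) for name in cond.items)
    elif cond.name == FILE_EXTENSIONS:
        hit = url_extension(url) in {e.lower().lstrip(".") for e in cond.items}
    else:
        raise ValueError(f"unsupported condition type {cond.name!r}")
    # Applies To: either the selected items, or everything EXCEPT them.
    return hit if cond.applies_to_selected else not hit


def evaluate(policy: CachingPolicy, url: str) -> str:
    """Return the action for a URL: the first enabled rule whose conditions all
    match wins (assumption); with no match, the policy default applies."""
    for rule in policy.rules:
        if rule.enabled and all(condition_matches(c, url) for c in rule.conditions):
            return rule.action
    return policy.default_action


def used_in(policy: CachingPolicy, condition_type: str, item: str) -> List[str]:
    """Names of rules referencing an item, like the console's Used In lookup."""
    return [r.name for r in policy.rules
            for c in r.conditions if c.name == condition_type and item in c.items]


# A policy shaped like the predefined one: bypass caching for listed URLs and
# for listed file extensions (two rules here for clarity; constructed content).
DEFAULT_POLICY = CachingPolicy("Default Caching Policy", rules=[
    Rule("Bypass Caching (URL list)", "Bypass Cache",
         [Condition(URL_LISTS, ["Non-Cacheable Sites"])]),
    Rule("Bypass Caching (file extension)", "Bypass Cache",
         [Condition(FILE_EXTENSIONS, ["exe", "msi"])]),
])

# "Cache only specific sites": bypass everything EXCEPT the selected list.
CACHE_ONLY_STREAMING = CachingPolicy("Cache streaming only", rules=[
    Rule("Bypass all but streaming", "Bypass Cache",
         [Condition(URL_LISTS, ["Streaming Sites"], applies_to_selected=False)]),
])

if __name__ == "__main__":
    for u in ("http://intranet.example.test/page.html",
              "http://www.example.test/setup.exe",
              "http://www.example.test/index.html"):
        print(u, "->", evaluate(DEFAULT_POLICY, u))
    print(used_in(DEFAULT_POLICY, URL_LISTS, "Non-Cacheable Sites"))
```

Note that a Bypass Caching rule whose URL list is empty never fires, so everything is cached; this is the behaviour the NOTES above warn about, and it is why the lists must be populated before the bypass rule has any effect.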
See also: Caching Policy
Caching Policy Details
Caching Policy Rule Details
End User Messages
This option covers the End-User Messages sent out to end-users as chosen in the Security and HTTPS Rules. It also covers the general End-User message template. See End User Messages (Appendix B of this document) for a list of the message texts sent when a URL is blocked (or coached).
Figure 6-104: End User Messages Menu
See also:
Policies
Security Policies - Simplified
Assigned User Groups
Security Policies - Advanced
Master Security Policy
HTTPS Policies
Logging Policies
Identification Policies
Device Logging Policies
Default Policy Settings
Condition Settings
Caching Policy
Block/Warn Messages
Block/Warn Message Details
Creating a Block/Warn Message
Message Template
Block/Warn Messages
The Block/Warn messages are sent to end-users when the URL they are surfing to has been blocked by SWG, or has been designated as a site requiring a user approval or coaching action (user approval and coaching messages are referred to collectively as Warn Messages). These messages are chosen for each Block/Coach/User Approval rule in the Security/HTTPS Policies as required. The messages include Place Holders which are replaced with real values when displayed to the end-user.
Figure 6-105: Block/Warn Messages
See also:
End User Messages
Block/Warn Message Details
Creating a Block/Warn Message
Message Template
Block/Warn Message Details
Each message is composed of a mixture of free text and placeholders, which can be moved around to create your own unique message. See End User Messages for a list of the message texts sent when a URL is blocked (or coached).
NOTES: When copying text from another source, remove all formatting by pasting the text into Notepad or a similar plain-text application first, and then re-copy it from the text application to the SWG screen.
Figure 6-106: Block/Warn Message Details
The following table provides information on the Place Holders:
Place Holder Description
Binary Behavior Profile Names: Description of the potentially dangerous binary content operation.
Binary Profile List: Active Content List name that appears in an M86 Security or customer-defined black list.
Binary VAD: Description of the binary exploit.
Client IP: Client IP address.
Container Type: Type of container holding the content of this transaction.
Container Violation: Container condition, such as password protection or deep nesting of archives.
Content Type Name: Name of the Content Type.
Digital Signature Violation: Type of violation of the digital signature.
Direction: Direction (Incoming or Outgoing) of the transaction.
Domain: End-user NTLM domain name.
File Extension: File extension of the content.
File Name: File name as extracted from the URL. Note that not all URLs contain file names, so this placeholder may appear blank.
File size: Size of the file (bytes). Currently the file size appears without the unit after it; add the word "bytes" to the message text to make it clear to the end-user.
Header Fields: Header Field names associated with the transaction.
HTTPS Certificate Validation Mismatch: Defined Certificate Validation errors.
HTTPS Policy Name: Name of the HTTPS Policy enforced on the transaction (as shown in Management Console > Policies).
IBM Category: Name of the URL category as defined by the URL categorization engine.
Identification Policy Name: Name of the Identification Policy enforced on the transaction (as shown in Management Console > Policies).
Instant Messaging: IM method.
Logging Policy Name: Name of the Logging Policy enforced on the transaction (as shown in Management Console > Policies).
McAfee/Sophos/Kaspersky Virus Name: Name of the virus as identified by one of the AV scanning engines.
Policy Name: Policy name currently set for the User or User Group initiating the transaction.
Script Behavior Profile Names: Description of the potentially dangerous script content operation.
Site domain: Domain name of the site that was blocked or coached.
Site URL: URL name.
Size Category: Content size.
Spoofing Type: Type of spoofed content.
Spyware Description: Description of the spyware as identified by the MCRC Spyware database.
Spyware name: Name of the spyware as identified by the MCRC Spyware database.
Static Content List: Content found in the Malicious Objects List.
Time Frame: Time Frame for the defined transaction.
Transaction ID: Unique transaction ID, which can be matched in the Management Console log view.
Transaction time: Time that the transaction was carried out.
URL List Name: URL List name that appears in an M86 Security or customer-defined list.
User Name: End-user NTLM name.
Websense Category: Name of the URL category as defined by the URL categorization engine.
The following Place Holders deal with formatting issues:
Bold End: Delineates the end of bold format for a word or phrase.
Bold Start: Delineates the start of bold format for a word or phrase.
New Line: Delineates a new line in the error message.
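The following Python example is added to this guide for illustration only; it is not part of the SWG product or its code. It renders a Block/Warn message of the kind described above from free text plus Place Holders, maps the three formatting placeholders to HTML and checks a template for placeholder names that are not in the table. The {{Name}} placeholder syntax, the HTML output and the sample transaction values are assumptions and constructed data. The one design point worth noting: the placeholder values (Site URL, File Name, User Name and so on) originate from the request being blocked, so the example HTML-escapes them before they are written into the page shown to the end-user; whether the product does this is not stated on this page.

```python
"""Rendering a Block/Warn message from free text plus Place Holders.
Added example, not M86 code. The {{Name}} syntax, HTML output and the
sample transaction values are assumptions / constructed data."""
import html
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"\{\{([^{}]+)\}\}")

# Formatting placeholders produce markup; everything else is a value.
FORMATTING = {"Bold Start": "<b>", "Bold End": "</b>", "New Line": "<br>"}

# Value placeholders, as listed in the Place Holder table.
KNOWN_VALUES = frozenset([
    "Binary Behavior Profile Names", "Binary Profile List", "Binary VAD",
    "Client IP", "Container Type", "Container Violation", "Content Type Name",
    "Digital Signature Violation", "Direction", "Domain", "File Extension",
    "File Name", "File size", "Header Fields",
    "HTTPS Certificate Validation Mismatch", "HTTPS Policy Name",
    "IBM Category", "Identification Policy Name", "Instant Messaging",
    "Logging Policy Name", "McAfee/Sophos/Kaspersky Virus Name", "Policy Name",
    "Script Behavior Profile Names", "Site domain", "Site URL", "Size Category",
    "Spoofing Type", "Spyware Description", "Spyware name",
    "Static Content List", "Time Frame", "Transaction ID", "Transaction time",
    "URL List Name", "User Name", "Websense Category",
])


def unknown_placeholders(template: str) -> List[str]:
    """Placeholder names in a template that are neither values nor formatting."""
    names = [m.group(1).strip() for m in PLACEHOLDER.finditer(template)]
    return [n for n in names if n not in KNOWN_VALUES and n not in FORMATTING]


def render(template: str, transaction: Dict[str, str]) -> str:
    """Substitute placeholders. The administrator's free text is passed through
    unchanged; transaction values come from the request that was blocked, so
    they are HTML-escaped before being placed in the page served to the user.
    A value placeholder with no value (e.g. File Name on a URL without a file
    name) renders as an empty string, as the table says it may appear blank."""
    def substitute(m):
        name = m.group(1).strip()
        if name in FORMATTING:
            return FORMATTING[name]
        return html.escape(transaction.get(name, ""), quote=True)
    return PLACEHOLDER.sub(substitute, template)


# A constructed Page Blocked message; "bytes" is written into the text because
# the File size value carries no unit.
BLOCK_TEMPLATE = (
    "{{Bold Start}}Page Blocked{{Bold End}}{{New Line}}"
    "Access to {{Site URL}} was blocked by the {{Policy Name}} policy.{{New Line}}"
    "File: {{File Name}} ({{File size}} bytes){{New Line}}"
    "Transaction ID: {{Transaction ID}}"
)

SAMPLE_TRANSACTION = {  # constructed values, including a hostile URL
    "Site URL": 'http://malware.example.test/dl.php?n="><script>alert(1)</script>',
    "Policy Name": "Default Security Policy",
    "File Name": "invoice.exe",
    "File size": "204800",
    "Transaction ID": "12345",
}

if __name__ == "__main__":
    print(unknown_placeholders(BLOCK_TEMPLATE))
    print(render(BLOCK_TEMPLATE, SAMPLE_TRANSACTION))
```

Run unknown_placeholders on a template before saving it; a misspelt placeholder would otherwise silently render as blank text.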
See also:
End User Messages
Block/Warn Messages
Creating a Block/Warn Message
Message Template
Creating a Block/Warn Message
To create a new Block/Warn message:
1. Right-click the top-level heading and select Add Message.
Figure 6-107: Add End User Message
2. Type in the Message Name.
3. In the Message section, enter the required message text. Use the Place Holders to provide the end-user with more information.
4. Click Save. The new message can now be selected from the Rule Details screen, in the End-User Message drop-down list.
5. If you need to modify this message in the future, click Edit and make your changes.
NOTES: For a full list of the pre-defined Block/Warn Messages that will appear in the Page Blocked/Coach/User Approval messages and their corresponding Security Rule (where applicable), please refer to Appendix B: Block/ Warn Messages. The end result of this message page is either a Coach/User Approval (Warning) message or a Page Blocked message sent to the end-user as in the following example.
Figure 6-108: Page Blocked Message to End-User
See also:
End User Messages
Block/Warn Messages
Block/Warn Message Details
Message Template
Message Template
In this screen, you can edit the template for the End-User Message.
To edit a Message page:
1. In the Select Action to Edit drop-down list, select either the Block Page or one of the Warning message pages.
2. Click Preview Window to see the actual message as displayed on the end-user's computer.
3. Select the Back button on the right-hand side of the screen to reveal the code for the Back button. Next, select Preview in pane to see how the Back button looks.
4. Select the Redirect button to reveal the code for the Redirect button. Next, select Preview in pane to see how the Redirect button looks.
5. Click Save to apply the changes, then commit them.
See also:
End User Messages
Block/Warn Messages
Block/Warn Message Details
Creating a Block/Warn Message
Chapter 7: Logs and Reports
The Log Server logs all transactions according to a defined logging policy. The Logs window incorporates a number of viewing and configuration options, all of which help you view the logging data in line with your requirements.
Figure 7-1: Logs and Reporting Tool
The log types are described in the following table:
Log Type Description
Web Logs: Displays all web-surfing transactions of users in your network, depending on your logging policy.
System Logs: View events that have taken place in the system, for example updates that have been installed, a module that is not responding, and so on.
Audit Logs: Displays all changes made or actions taken from the Management Console, including tracking the creation of and changes to policies, as well as system configuration.
See also: View Web Logs
View System Logs
View Audit Logs
Reporting Tool
View Web Logs
This window displays all Web surfing transactions of users assigned to you in your network. The super administrator sees a Web View with logs belonging to all other administrators in the M86 SWG. System administrators see those Logs belonging to User groups assigned to them or according to the specific permissions given. The logs show user transactions that have been blocked or allowed or coached, all depending on the Policy requirements that are assigned to them.
Figure 7-2: Web Logs View
NOTES: Blocked transactions can be allowed (and vice versa) by redefining the appropriate Security Policy. In addition, the current Logging Policy can also be redefined to change the data you see in the Web Logs view.
The View Web Logs screen provides the following settings:
• Profile: Choose the profile from the drop-down list. The Profile includes the columns for display in the Web Log view as well as filtering specifications for each log entry. These can be set via the Edit Profile tab at the bottom right of the screen.
• Admin Group: View the web logs of other administrator groups, depending on the permissions granted to you in Permissions. The drop-down list displays the logs belonging to the user groups of those administrators; these can be viewed only one at a time.
• Time Frame: View the Web transactions according to the Logs List. This drop-down list displays the available time frames of the transactions. Each date corresponds to the log information stored for that period of time.
• Date Range: View the Web transactions according to the Logs List. The date range provides the available transaction details from the dates and hours specified. Each date and hour corresponds to the log information stored for that period of time. The button directly under the date range applies to the timeframe fields and refreshes the information within the parameters provided.
• Find Transaction ID: Search for a transaction using its unique Transaction ID. The buttons next to this field apply to the Transaction ID filter only.
• Previous/Next: Use the Previous/Next buttons at the bottom of the page to navigate through larger listings of records.
• Log Cleanup: You can delete all the log entries in the table for a fresh start by clicking Log Cleanup. This only appears for Web Logs. Note: Log cleanup cannot be stopped once it is initiated, and the process is irreversible.
• Manage Profiles: Clicking this button opens the Web Log Profiles screen, in which you can create and/or manage current profile settings. To return to the View Web Logs page, navigate in the Console to Logs and Reports > View Web Logs.
• Edit Profile: Clicking this button opens the Web Log screen, in which Web logs are defined by determining which columns and filters are used and the number of entries to be displayed. The Default View has no specified filters, but filters can be defined in the appropriate tab. Refer to Web Logs Profile Settings for more information. Click the Back button to return to the View Web Logs page.
For each transaction, the following options are available by clicking the icon next to the entry:
Option Description
Details: Opens the Transaction Entry Details panes, which provide more information on the transaction.
Open in a new window: Opens a new window containing the Transaction Entry Details panes, which provide more information on the transaction.
Add to URL list: Adds the URL to the required URL list, thus allowing it to be blocked/allowed in the Security Policy.
See also: Logs and Reports
View System Logs
View Audit Logs
Reporting Tool
Add to URL List
Web Logs Profile Settings
Transaction Entry Details
Add to URL List You can add the URL from the Web log entry to a choice of URL Lists thereby allowing it to be blocked or allowed within the end- user’s Security Policy. See also:
View Web Logs
Web Logs Profile Settings
Transaction Entry Details
Web Logs Profile Settings The Profile options at the top of the Web Logs window allow you to choose the Profile that accurately reflects the columns you want displayed and the type of log entries within. M86 Security provides a predefined Profile Default View. See also: View Web Logs
Add to URL List
Transaction Entry Details
Creating a New Profile
Filtering the Web Logs View
Creating a New Profile
At the bottom of the View Web Logs window is the Manage Profile button. Clicking Manage Profile opens the Web Logs Profile tab, which allows you to create (or delete) a profile containing the columns and conditions you want for your Log Entries.
To create a new profile:
1. Click the Manage Profile button. The Profile window is displayed.
Figure 7-3: Web Logs: Profile Window
2. In the left tree pane, right-click Profiles, select Add Profile and type the required name in the adjoining field.
3. Make the option changes you want in the General tab or accept the default settings.
The General tab options for the Web Logs are described in the following table.
Field Name Description
Refresh every (seconds): Defines the refresh interval, in seconds, between updates of items displayed in the viewer.
Entries in table: Defines the number of items to display. Note: The maximum number of items in the Web Logs is 120.
Displayed Columns: The following columns can be selected for display in the Web Logs view. You can check or clear Select/Deselect all, selecting or clearing all of the options described below.
Action: Rule Action (Block, Allow, Coach, Block HTTPS, Bypass, Inspect or User Approval).
Active Content List Found: Active Content List that matched the content in this transaction.
Anti-Virus (Kaspersky): Virus detected by the Kaspersky Anti-Virus engine.
Anti-Virus (McAfee): Virus detected by the McAfee Anti-Virus engine.
Anti-Virus (Sophos): Virus detected by the Sophos Anti-Virus engine.
Authenticated User Domain: Domain as provided by NTLM or basic authentication.
Authenticated User Name: User Name as provided by NTLM or basic authentication.
Behavior Profile (Binary): Behavior profile of blocked Java applets and Windows ActiveX binary transactions.
Behavior Profile (Script): Behavior profile of blocked CSS, HTML, Java, VB and XML script transactions.
Block Reason: Reason chosen for the Rule that blocked the content, as displayed to the end user.
Cache Hits: Lists how many times the cache was used instead of the original site.
Client IP: Client IP address of the end user.
Coach Bypass: Displays Coach Bypass information.
Coach Page: Displays the Coach Page.
Extension: File extension (including multiple extensions) matching the content in this transaction.
File Name: Name of the file specified in the requested URL.
Header Field: Header Field that matched the content in this transaction.
HTTPS Policy Name: Name of the HTTPS policy used to process the transaction.
HTTPS Rule Name: Name of the HTTPS rule used to process the transaction.
Identification Policy Name: Name of the identification policy used to process the transaction.
Identification Rule Name: Name of the identification rule used to process the transaction.
Identification Status: Lists whether the user session was authenticated or not.
IM/P2P Protocol: Name of the IM/P2P protocol used by the end user.
Master Policy Name: Name of the master policy used to process the transaction.
Master Rule Name: Name of the master rule used to process the transaction.
Parent Archive Type: Parent Archive Type that matched the content in the transaction.
Protocol: Protocol that was used by the end-user.
Scanning Server IP: IP address of the Scanning Server that processed the end user's transaction.
Security Policy Name: Name of the Security Policy used to process the transaction.
Security Rule Name: Name of the Security rule used to process the transaction.
Site: Displays the main Internet domain address.
Transaction ID: Unique ID which identifies the specific transaction.
Transaction Time: Time and date that the transaction took place.
True Content Type: True Content Type that matches the blocked transaction.
URL: URL that the user browsed to.
URL Category (IBM): URL Category (IBM engine) that matched the content in this transaction.
URL Category (Websense): URL Category (Websense engine) that matched the content in this transaction.
User Name: Name of the user defined in the Users tab who requested the transaction.
X-Ray Mode: Defines whether or not the transaction was processed in X-Ray mode. If X-Ray mode is enabled, the log view shows what would have happened to the transaction had the rule/policy been active.
4. Click OK to save your Profile Settings and return to the Logs view, or click the Filter tab to further define the conditions for log retrieval and display; see Filtering the Web Logs View for instructions.
See also:
Web Logs Profile Settings
Filtering the Web Logs View
Filtering the Web Logs View
When using the Filter tab, you can fine-tune the range of data to view the logs.
NOTES: The filter displays different fields for the Web Logs, System Logs and Audit Logs views.
To define a filter for the Logs view:
1. Click the Filter tab. The Filter tab is displayed.
Figure 7-4: Filter Tab
2. Click the icon to add a new row.
3. From the Field drop-down list, select the required filter, for example Scanning Server IP.
4. From the Operator drop-down list that appears, select the relevant operator, for example Equals. For each log data type, different fields are displayed to enable the filter creation. Depending on the log data type, either an additional drop-down list or a blank field is displayed. Either select an entry from the drop-down list or enter a numerical value or text in the Value field to complete your initial filter selection.
A filter that combines AND with OR may need parentheses to make clear which sub-expression is evaluated first. Enter a left parenthesis "(" in the left parentheses box of the first row of the group and a right parenthesis ")" at the end of the following added row, after all log data types have been selected.
Figure 7-5: Define Filter for Web View
Continue by using the AND/OR buttons to add further conditions to your filter.
5. Click OK to save your Profile Settings and return to the View Web Logs screen.
See also:
Web Logs Profile Settings
Creating a New Profile
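The following Python example is added to this guide for illustration only; it is not part of the SWG product or its code. It evaluates a filter of the kind built on the Filter tab above (rows of Field / Operator / Value joined by AND/OR, with optional parentheses) against a handful of log entries, and shows concretely why the note on parentheses matters: the same three rows select different transactions with and without them. It also includes a lookup by Transaction ID, which the View Web Logs page offers independently of the profile filter. The operator names other than Equals, AND binding tighter than OR when no parentheses are given, the token encoding of the rows and the log entries themselves are assumptions and constructed data.

```python
"""Evaluating a Web Logs filter (Filter tab rows joined by AND/OR, optional
parentheses) against log entries. Added example, not M86 code. Assumptions:
operator names beyond "Equals", AND binding tighter than OR when no
parentheses are given, and the constructed log entries below."""
from typing import Dict, List, Optional, Sequence, Tuple, Union

LogEntry = Dict[str, str]
Row = Tuple[str, str, str]   # (Field, Operator, Value) as entered on one filter row
Token = Union[Row, str]      # a Row, or one of "(", ")", "AND", "OR"


def row_matches(row: Row, entry: LogEntry) -> bool:
    field, op, value = row
    actual = entry.get(field, "")
    if op == "Equals":
        return actual == value
    if op == "Not Equals":
        return actual != value
    if op == "Contains":
        return value.lower() in actual.lower()
    raise ValueError(f"unsupported operator {op!r}")


class _Evaluator:
    """Recursive descent over the token list:
    expr := term ("OR" term)*   term := factor ("AND" factor)*
    factor := "(" expr ")" | Row
    AND therefore binds tighter than OR; parentheses override that."""

    def __init__(self, tokens: Sequence[Token], entry: LogEntry) -> None:
        self.tokens, self.entry, self.pos = list(tokens), entry, 0

    def peek(self) -> Optional[Token]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> Optional[Token]:
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self) -> bool:
        result = self.term()
        while self.peek() == "OR":
            self.take()
            rhs = self.term()      # always parsed, so syntax errors surface
            result = result or rhs
        return result

    def term(self) -> bool:
        result = self.factor()
        while self.peek() == "AND":
            self.take()
            rhs = self.factor()
            result = result and rhs
        return result

    def factor(self) -> bool:
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in filter")
            return inner
        if isinstance(tok, tuple):
            return row_matches(tok, self.entry)
        raise ValueError(f"unexpected token {tok!r}")


def matches(tokens: Sequence[Token], entry: LogEntry) -> bool:
    ev = _Evaluator(tokens, entry)
    result = ev.expr()
    if ev.peek() is not None:
        raise ValueError(f"trailing token {ev.peek()!r}")
    return result


def apply_filter(tokens: Sequence[Token], entries: Sequence[LogEntry]) -> List[LogEntry]:
    return [e for e in entries if matches(tokens, e)]


def find_transaction(entries: Sequence[LogEntry], transaction_id: str) -> Optional[LogEntry]:
    """Lookup by the unique Transaction ID, independent of any profile filter."""
    return next((e for e in entries if e.get("Transaction ID") == transaction_id), None)


def _entry(tid, server, action, client, url, xray="No") -> LogEntry:
    return {"Transaction ID": tid, "Scanning Server IP": server, "Action": action,
            "Client IP": client, "URL": url, "X-Ray Mode": xray}


SAMPLE_LOGS: List[LogEntry] = [   # constructed entries, not real log data
    _entry("1001", "10.1.1.5", "Block", "10.0.0.7", "http://malware.example.test/dl.php"),
    _entry("1002", "10.1.1.5", "Allow", "10.0.0.8", "http://www.example.test/"),
    _entry("1003", "10.1.1.6", "Block", "10.0.0.9", "http://phish.example.test/login", "Yes"),
    _entry("1004", "10.1.1.6", "Coach", "10.0.0.7", "http://games.example.test/"),
]

# Scanning Server IP Equals 10.1.1.5 AND ( Action Equals Block OR Action Equals Coach )
WITH_PARENS: List[Token] = [
    ("Scanning Server IP", "Equals", "10.1.1.5"), "AND",
    "(", ("Action", "Equals", "Block"), "OR", ("Action", "Equals", "Coach"), ")",
]
# The same rows without the parentheses are read as (A AND B) OR C.
WITHOUT_PARENS: List[Token] = [t for t in WITH_PARENS if t not in ("(", ")")]


def transaction_ids(tokens: Sequence[Token]) -> List[str]:
    return [e["Transaction ID"] for e in apply_filter(tokens, SAMPLE_LOGS)]


if __name__ == "__main__":
    print("with parentheses:   ", transaction_ids(WITH_PARENS))
    print("without parentheses:", transaction_ids(WITHOUT_PARENS))
```

With the parentheses the filter returns only transaction 1001; without them it also returns 1004, a Coach action on a different scanning server, which is the ambiguity the parentheses box exists to remove.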
Transaction Entry Details
For each transaction entry in the Web Logs, there is an option to view transaction details by clicking the icon.
To view the transaction entry details:
1. From the Web Logs view, click the icon and choose Details (or Open in a new window). The Transaction Entry Details window is displayed.
Figure 7-6: Transaction Entry Details Window
This window contains the Details pane and the Request and Response phases of the Transaction Entry, where relevant.
2. Select the tab or phase to view its details, as described in the following sections:
Details: Transaction
Details: User
Details: Policy Enforcement
Details: Content
Details: Scanning Server
Transaction Entry: Request and Response Phases
3. Click Back to return to the Web Logs view.
See also:
View Web Logs
Add to URL List
Web Logs Profile Settings
Details: Transaction
Details: User
Details: Policy Enforcement
Details: Content
Details: Scanning Server
Transaction Entry: Request and Response Phases
Details: Transaction
Figure 7-7: Transaction Tab
The Transaction tab contains the following fields:
Field Description
Transaction ID: The unique ID identifies the specific transaction, is displayed in the End User Message, and is useful when following up a blocked transaction for the end user. It is advisable to have the Transaction ID displayed at all times. However, even if you have chosen not to display this column, you can still search for it in the Logs.
Transaction Time: Time and date that the transaction took place.
URL: URL that the user browsed to. Click the URL to add it to the required URL List.
Destination IP Address
Protocol: Protocol that was used by the end-user.
See also: Transaction Entry Details
Details: User
Details: Policy Enforcement
Details: Content
Details: Scanning Server
Transaction Entry: Request and Response Phases
Details: User
Figure 7-8: User Tab
The User tab contains the following fields:
Field Description
User Name: Name of the user defined in the Users tab who requested the transaction.
Client IP Address: IP address of the end-user.
Authenticated User Name: User Name as provided by NTLM or basic authentication.
Authenticated User Domain: Domain as provided by NTLM or basic authentication.
See also: Transaction Entry Details
Details: Transaction
Details: Policy Enforcement
Details: Content
Details: Scanning Server
Transaction Entry: Request and Response Phases
Details: Policy Enforcement
Figure 7-9: Policy Enforcement Tab
The Policy Enforcement tab contains the following fields:
Field Description
Action: Rule Action (Block, Allow, Coach, Block HTTPS, Bypass, Inspect or User Approval).
X-Ray Mode: Defines whether or not the transaction was processed in X-Ray mode. If X-Ray mode is enabled, the log view shows what would have happened to the transaction had the rule/policy been active.
Master Policy Name: Name of the master policy used to process the transaction.
Security Policy Name: Name of the Security Policy used to process the transaction.
HTTPS Policy Name: Name of the HTTPS Policy used to process the transaction.
Identification Policy Name: Name of the Identification Policy used to process the transaction.
Upstream Proxy Policy Name: Name of the Upstream Proxy Policy used to process the transaction.
Block Reason: Message sent to the end user explaining why the content was blocked.
Master Rule Name: Name of the master rule used to process the transaction.
Security Rule Name: Name of the Security rule used to process the transaction.
Security Rule Description: Text that appears in the Rule Description field.
HTTPS Rule Name: Name of the HTTPS rule used to process the transaction.
Identification Rule Name: Name of the Identification rule used to process the transaction.
Identification Status: Whether identification succeeded or failed.
Upstream Proxy Rule Name: Name of the Upstream Proxy rule used to process the transaction.
Upstream Proxy Status: Whether the connection to the Upstream Proxy succeeded or failed.
See also: Transaction Entry Details
Details: Transaction
Details: User
Details: Content
Details: Scanning Server
Transaction Entry: Request and Response Phases
Details: Content
Figure 7-10: Content Tab
The Content tab contains the following fields:
File Name: Name of the file specified in the requested URL.
Behavior Profile (Binary): Behavior profile (binary) that matched the content in the transaction.
True Content Type: True Content Type that matched the content in the transaction.
Behavior Profile (Script): Behavior profile (script) that matched the content in the transaction.
Parent Archive Type: Parent Archive Type that matched the content in the transaction.
Active Content List Found: Active Content List that matched the content in this transaction.
File Extension: File extension (including Multiple Extension) that matched the content in this transaction.
Header Field: Header Field that matched the content in this transaction.
URL Category: URL Category that matched the content in this transaction.
URL Category (Websense): URL Category, from the Websense categorization, that matched the content in this transaction.
URL Category (IBM): URL Category, from the IBM categorization, that matched the content in this transaction.
Advanced Binary Scanning
Anti-Virus (Sophos) Scan Result: Virus detected by the Sophos Anti-Virus engine.
Anti-Virus (McAfee) Scan Result: Virus detected by the McAfee Anti-Virus engine.
Anti-Virus (Kaspersky) Scan Result: Virus detected by the Kaspersky Anti-Virus engine.
Cache Hits: Number of times the cached copy was served instead of fetching the content from the original site.
See also: Transaction Entry Details
Details: Transaction
Details: User
Details: Policy Enforcement
Details: Scanning Server
Transaction Entry: Request and Response Phases
Details: Scanning Server
Figure 7-11: Scanning Server Tab
The Scanning Server tab contains the following fields:
Scanning Server IP: IP address of the Scanning Server that scanned this transaction.
Scanning Server Type: Type of Scanning Server (Cloud or otherwise) that scanned this transaction.
See also: Transaction Entry Details
Details: Transaction
Details: User
Details: Policy Enforcement
Details: Content
Transaction Entry: Request and Response Phases
Transaction Entry: Request and Response Phases
For each transaction, the content is scanned in the request phase, in the response phase, or in both, depending on the nature of the content and the nature of the rule that it triggered.
Figure 7-12: Request Phase
Figure 7-13: Response Phase
The information displayed in these panes depends on the nature of the transaction and is useful in determining why the transaction was blocked.
See also: Transaction Entry Details
Details: Transaction
Details: User
Details: Policy Enforcement
Details: Content
Details: Scanning Server
View System Logs
The System Logs view displays information relevant to the components of the M86 Secure Web Gateway Appliance.
Figure 7-14: System Logs View
The View System Logs screen provides the following settings:
• Profile: Choose the profile from the drop-down list. The Profile defines the columns displayed in the System Logs view as well as the filtering specifications for each log entry. These can be set via the Edit Profile tab at the bottom right of the screen.
• Find Log ID: Search for an entry using its unique item ID (Log ID) number. The buttons beside this field apply to the Find Log ID filter only.
• Manage Profiles: Clicking this button opens the System Log Profiles screen, in which you can create and/or manage profile settings. To return to the View System Logs page, navigate in the console to Logs and Reports → View System Logs.
• Edit Profile: Clicking this button opens the System Log screen, in which System logs are defined by choosing the columns and filters used and the number of entries to be displayed. The Default View has no filters, but filters can be defined in the appropriate tab. Refer to System Logs Profile Settings for more information. Click OK to return to the View System Logs page.
See also: Logs and Reports
View Web Logs
View Audit Logs
Reporting Tool
System Logs Profile Settings
System Logs Profile Settings
The Profile options at the bottom of the View System Logs window allow you to choose the Profile that accurately reflects the columns you want displayed and the type of log entries within. M86 Security provides a predefined Profile, Default View.
See also: View System Logs
Creating a New System Logs Profile
Filtering the System Logs View
Creating a New System Logs Profile
At the bottom of the View System Logs window is the Manage Profiles button. Clicking Manage Profiles opens the Profile tab, which allows you to create a profile containing the columns and conditions you want for your Log Entries.
To create a new System Logs profile:
1. In the System Logs Profile Settings, right-click Profiles and select Add Profile. The Profile window is displayed.
Figure 7-15: System Logs: Create New Profile
2. In the New Profile window, type the required name in the adjoining field.
3. Make the option changes you want in the General tab or accept the default settings. The General tab options for the System Logs are described in the following table.
Entries in table: Defines the number of items to display. Note: the maximum number of items in the System Logs view is 120.
Displayed Columns: The following columns can be selected for display in the System Logs view. Select/Deselect all checks or clears all of the options described below.
Device IP: IP address of the affected Device.
Log ID: Unique identifying number.
Message: Details of the action that occurred.
Module: The logical module to which the process (and message) relates.
Sender: The process that issued the System Log message.
Severity: Error (when something is wrong) or Normal.
Time: Time and date the activity took place.
4. Click Save. To further define the conditions for log retrieval and display, click the Filter tab; see Filtering the System Logs View for instructions. Click Save to keep your Profile Settings and return to the View System Logs page.
See also:
System Logs Profile Settings
Filtering the System Logs View
Filtering the System Logs View
Use the Filter tab to narrow the range of log entries displayed in the view.
NOTES: The filter displays different fields for the Web Logs, System Logs and Audit Logs views.
To define a filter for the System Logs view:
1. Click the Filter tab. The Filter tab is displayed.
Figure 7-16: Filter Tab
2. Click the add button to add a new row.
3. From the Field drop-down list, select the required filter, for example Time.
4. From the Operator drop-down list that appears, select the relevant operator, for example Equals. The fields offered depend on the log data type selected. Depending on that selection, either an additional drop-down list or a blank field is displayed: select an entry from the drop-down list, or enter a numerical value or text in the Value field, to complete the initial filter row. A filter that combines AND with OR is ambiguous about which sub-expression is evaluated first. Make the grouping explicit with parentheses: enter a left parenthesis "(" in the left parentheses box of the first row of the group, and a right parenthesis ")" in the right parentheses box of the last row of the group, after all log data types have been selected.
Figure 7-17: Define Filter for System View
Continue by using the AND/OR buttons to add further conditions to your filter.
5. Click OK to save your Profile Settings and return to the View System Logs screen.
See also: System Logs Profile Settings
Creating a New System Logs Profile
View Audit Logs
The Audit Logs view lets you track the changes all administrators have made in the M86 SWG Management Console. The Audit Log records every change made or action taken from the Management Console, including the creation of and changes to policies as well as system configuration.
Figure 7-18: Audit Logs View
The View Audit Logs screen provides the following settings:
• Profile: Choose the profile from the drop-down list. The Profile defines the columns displayed in the Audit Logs view as well as the filtering specifications for each log entry. These can be set via the Edit Profile tab at the bottom right of the screen.
• Find Log ID: Search for an entry using its unique item ID (Log ID) number. The buttons beside this field apply to the Find Log ID filter only.
• Manage Profiles: Clicking this button opens the Audit Log Profiles screen, in which you can create and/or manage profile settings. To return to the View Audit Logs page, navigate in the console to Logs and Reports → View Audit Logs.
• Edit Profile: Clicking this button opens the Audit Log screen, in which Audit logs are defined by choosing the columns and filters used and the number of entries to be displayed. The Default View has no filters, but filters can be defined in the appropriate tab. Refer to Audit Logs Profile Settings for more information. Click OK to return to the View Audit Logs page.
See also: Logs and Reports
View Web Logs
View System Logs
Reporting Tool
Audit Logs Profile Settings
Audit Logs Profile Settings
The Profile options at the top of the Audit Logs window allow you to choose the Profile that accurately reflects the columns you want displayed and the type of log entries within. M86 Security provides a predefined Profile, Default View.
See also: View Audit Logs
Creating a New Audit Logs Profile
Filtering the Audit Logs View
Creating a New Audit Logs Profile
At the bottom of the View Audit Logs window is the Manage Profiles button. Clicking Manage Profiles opens the Profile tab, which allows you to create a profile containing the columns and conditions you want for your Log Entries.
To create a new Audit Logs profile:
1. Click Settings. The Profile window is displayed.
Figure 7-19: Audit Logs: Create New Profile
2. Select New Profile and type the required name in the adjoining field.
3. Make the option changes you want in the General tab or accept the default settings. The General tab options for the Audit Logs are described in the following table.
Refresh every (seconds): Defines the refresh interval, in seconds, between updates of the items displayed in the viewer.
Entries in table: Defines the number of items to display. Note: the maximum number of items in the Audit Logs view is 120.
Displayed Columns: The following columns can be selected for display in the Audit Logs view. Select/Deselect all checks or clears all of the options described below.
Admin Name: Name of the administrator who made the change.
Client IP: IP address from which the administrator connected.
Device IP: IP address of the device that was changed.
Log ID: Unique identifying number.
Message: Details of the action that occurred.
Module: The logical module to which the process (and message) relates.
Notes: Notes describing the administrator.
Time: Time and date the action took place.
4. Click OK to save your Profile Settings and return to the Logs view, or click the Filter tab to further define the conditions for log retrieval and display; see Filtering the Audit Logs View for instructions.
See also: Audit Logs Profile Settings
Filtering the Audit Logs View
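The Audit Logs view records who changed what, from where and when, but that only helps if someone reviews it. The following added example (editor's code, not part of SWG) shows one way to triage an Audit Log after export: it assumes the view was exported as CSV with the column names listed in the table above, and the management subnet, change window, administrator list, Module names and sample rows are all constructed assumptions, not product defaults.

```python
"""Review an Audit Logs export for changes that deserve a second look.

Added example, not SWG code. It assumes the Audit Logs view was exported
as CSV with the column names listed in the Displayed Columns table; the
management subnet, the change window, the administrator list, the Module
names and the sample rows are assumptions constructed for the example.
"""
import csv
import io
import ipaddress
from datetime import datetime, time
from typing import Dict, List

ADMIN_NETWORK = ipaddress.ip_network("10.10.0.0/24")   # assumed management subnet
CHANGE_WINDOW = (time(8, 0), time(18, 0))               # assumed approved change hours
KNOWN_ADMINS = {"admin", "nicole"}                       # assumed named administrators
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"                        # assumed export time format

# Constructed sample export (not real SWG output).
SAMPLE_AUDIT_CSV = """\
Admin Name,Client IP,Device IP,Log ID,Message,Module,Time
admin,10.10.0.15,192.168.1.10,5001,Security policy 'Corporate' updated,Policies,2010-11-03 09:12:44
nicole,10.10.0.22,192.168.1.10,5002,User group 'Finance' created,Users,2010-11-03 14:05:01
admin,203.0.113.9,192.168.1.10,5003,HTTPS policy 'Default' changed,Policies,2010-11-03 10:40:12
admin,10.10.0.15,192.168.1.10,5004,Logging policy rule 'Send to Report' disabled,Policies,2010-11-03 23:58:30
svc_backup,10.10.0.40,192.168.1.10,5005,Administrator 'svc_backup' added,Administrators,2010-11-03 11:02:09
"""


def parse_audit_export(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per Audit Log row."""
    return list(csv.DictReader(io.StringIO(text)))


def review_entry(row: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) why this row should be reviewed."""
    findings: List[str] = []
    if ipaddress.ip_address(row["Client IP"]) not in ADMIN_NETWORK:
        findings.append("client outside admin network")
    when = datetime.strptime(row["Time"], TIME_FORMAT)
    if not CHANGE_WINDOW[0] <= when.time() <= CHANGE_WINDOW[1]:
        findings.append("outside change window")
    if row["Admin Name"] not in KNOWN_ADMINS:
        findings.append("unknown administrator")
    if row["Module"] == "Administrators":
        findings.append("administrator account change")
    message = row["Message"].lower()
    if "logging" in message and "disabled" in message:
        # Turning off logging/reporting hides whatever happens afterwards.
        findings.append("logging change")
    return findings


def review_audit_export(text: str) -> Dict[str, List[str]]:
    """Map Log ID to findings for every row that has at least one finding."""
    flagged: Dict[str, List[str]] = {}
    for row in parse_audit_export(text):
        findings = review_entry(row)
        if findings:
            flagged[row["Log ID"]] = findings
    return flagged


if __name__ == "__main__":
    for log_id, findings in review_audit_export(SAMPLE_AUDIT_CSV).items():
        print(log_id, "; ".join(findings))
```

On the sample rows this flags the policy change made from an address outside the management subnet, the late-night change that switched off a logging rule, and the creation of an administrator account by a name not on the list; the two routine daytime changes pass. The checks are deliberately simple so they can be adjusted to whatever the Audit Log export actually contains.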
Filtering the Audit Logs View
When using the Filter tab, you can fine-tune the range of data to view the logs.
NOTES: The filter displays different fields for the Web Logs, System Logs and Audit Logs views.
To define a filter for the Audit Logs view:
1. Click the Filter tab. The Filter tab is displayed.
Figure 7-20: Filter Tab
2. Click the add button to add a new row.
3. From the Field drop-down list, select the required filter, for example Log ID.
4. From the Operator drop-down list that appears, select the relevant operator, for example Equals. The fields offered depend on the log data type selected. Depending on that selection, either an additional drop-down list or a blank field is displayed: select an entry from the drop-down list, or enter a numerical value or text in the Value field, to complete the initial filter row. A filter that combines AND with OR is ambiguous about which sub-expression is evaluated first. Make the grouping explicit with parentheses: enter a left parenthesis "(" in the left parentheses box of the first row of the group, and a right parenthesis ")" in the right parentheses box of the last row of the group, after all log data types have been selected.
Figure 7-21: Define Filter for Audit View
Continue by using the AND/OR buttons to add further conditions to your filter.
5. Click OK to save your Profile Settings and return to the Logs view.
See also: Audit Logs Profile Settings
Creating a New Audit Logs Profile
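Both filter procedures above (Filtering the System Logs View and Filtering the Audit Logs View) warn that a filter mixing AND with OR is ambiguous until parentheses group it. The following added example (editor's code, not SWG internals) evaluates such row-based filters against constructed System Log entries and shows the same three rows producing different results with and without parentheses. It assumes that AND binds tighter than OR when no parentheses are given; the operator names and the sample entries are assumptions made for the example.

```python
"""Evaluate a row-based log filter (Field / Operator / Value rows joined by
AND / OR, optionally grouped with parentheses) against sample log entries.

Added example, not SWG code. The row layout mirrors the Filter tab; the
operator names, the precedence rule (AND before OR unless parentheses say
otherwise) and the sample entries are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Stand-ins for the Operator drop-down list (assumed names).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equals": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted in actual,
}


@dataclass(frozen=True)
class Row:
    """One filter row: optional "(" before it, Field/Operator/Value,
    optional ")" after it, and the AND/OR connector to the next row."""
    field: str
    op: str
    value: str
    open_paren: bool = False
    close_paren: bool = False
    connector: Optional[str] = None  # "AND", "OR", or None on the last row


def _tokens(rows: List[Row]) -> list:
    """Flatten the rows into the token stream the evaluator consumes."""
    out: list = []
    for row in rows:
        if row.open_paren:
            out.append("(")
        out.append(row)
        if row.close_paren:
            out.append(")")
        if row.connector:
            out.append(row.connector)
    return out


class _Evaluator:
    """Recursive descent over: or_expr := and_expr (OR and_expr)*,
    and_expr := atom (AND atom)*, atom := "(" or_expr ")" | row.
    Both sides of every AND/OR are evaluated (no short-circuit) so the
    token stream is always consumed and unbalanced parentheses are caught."""

    def __init__(self, tokens: list, entry: Dict[str, str]):
        self.tokens, self.pos, self.entry = tokens, 0, entry

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self) -> bool:
        result = self.and_expr()
        while self.peek() == "OR":
            self.take()
            rhs = self.and_expr()
            result = result or rhs
        return result

    def and_expr(self) -> bool:
        result = self.atom()
        while self.peek() == "AND":
            self.take()
            rhs = self.atom()
            result = result and rhs
        return result

    def atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in filter")
            return inner
        if isinstance(tok, Row):
            return OPERATORS[tok.op](str(self.entry.get(tok.field, "")), tok.value)
        raise ValueError(f"unexpected token {tok!r} in filter")


def matches(rows: List[Row], entry: Dict[str, str]) -> bool:
    """True if the log entry satisfies the filter rows."""
    ev = _Evaluator(_tokens(rows), entry)
    result = ev.or_expr()
    if ev.peek() is not None:
        raise ValueError("unbalanced parentheses in filter")
    return result


def matching_log_ids(rows: List[Row], entries: List[Dict[str, str]]) -> List[str]:
    return [e["Log ID"] for e in entries if matches(rows, e)]


# Constructed sample System Log entries (not real SWG output).
SAMPLE_ENTRIES = [
    {"Log ID": "1001", "Device IP": "10.0.0.5", "Module": "Scanner", "Severity": "Error"},
    {"Log ID": "1002", "Device IP": "10.0.0.5", "Module": "Scanner", "Severity": "Normal"},
    {"Log ID": "1003", "Device IP": "10.0.0.7", "Module": "Policy Server", "Severity": "Error"},
    {"Log ID": "1004", "Device IP": "10.0.0.7", "Module": "Scanner", "Severity": "Normal"},
]

# Severity Equals Error AND Module Equals Scanner OR Device IP Equals 10.0.0.7
FILTER_WITHOUT_PARENS = [
    Row("Severity", "Equals", "Error", connector="AND"),
    Row("Module", "Equals", "Scanner", connector="OR"),
    Row("Device IP", "Equals", "10.0.0.7"),
]
# Same rows, "(" on the Module row and ")" on the Device IP row.
FILTER_WITH_PARENS = [
    Row("Severity", "Equals", "Error", connector="AND"),
    Row("Module", "Equals", "Scanner", open_paren=True, connector="OR"),
    Row("Device IP", "Equals", "10.0.0.7", close_paren=True),
]

if __name__ == "__main__":
    print(matching_log_ids(FILTER_WITHOUT_PARENS, SAMPLE_ENTRIES))  # ['1001', '1003', '1004']
    print(matching_log_ids(FILTER_WITH_PARENS, SAMPLE_ENTRIES))     # ['1001', '1003']
```

Without parentheses the Device IP row stands on its own and pulls in every entry from 10.0.0.7 regardless of severity; with the parentheses the Device IP condition sits under the Severity check and the Normal entry from that device drops out. That is exactly the ambiguity the procedures above ask you to resolve with the parentheses boxes.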
Log Profiles:
Web Log Profiles
The Web Log Profiles screen is where profile management for Web Logs is administered. Note that each profile is administrator specific. Web Logs provide a listing of all Web surfing transactions sent through scanning servers connected to the Secure Web Gateway. Log Profiles allow you to create and modify the profiles used to configure your Web Log reports. The Web Log Profile Settings allow the administrator to choose the profile that best fits their needs for the columns to be displayed, the number of entries per table, and the type of log entries within.
System Log Profiles
Audit Log Profiles
Reporting Tool
The M86 Security Reporting Tool supplies reports integral to the M86 Secure Web Gateway Appliance. The reports enable enterprises to analyze the activity and performance of the SWG system based on data stored in the Reports database. The Reporting Tool includes:
• Reports: All M86 Security reports concerning system performance and activity.
• Exported Reports Location: Connection method and location to which all reports are exported.
Figure 7-22: Reporting Tool Menu
See also: Favorites
Logs and Reports
View Web Logs
View System Logs
View Audit Logs
Reports
Exported Reports Location
Reports
The Reports window provides predefined M86 SWG internal reports based on data from the specific scanning server selected, such as Cloud Scanning Server. The Reports are categorized according to the type of data they provide, for example Productivity, Compliance, Web Security and Anti-Virus. See Available Reports for a detailed list of all Reports. The Reporting Tool provides data only for those Users assigned to a specific administrator in the Permissions tab. Super Administrators are able to include all Users.
NOTES: Before generating any report, make sure that the Send to: Report checkbox is selected in Logging Policy → Rule: Logging Action, to ensure that report information is being generated.
Access the Reports window by navigating in the Management Console to Logs and Reports → Reporting Tool → Reports. The main screen appears:
Figure 7-23: Reports Window
The left tree pane includes management icons that expedite functionality, as well as a listing of all Report categories and the Reports contained within. The right-click options for each report include the following:
Figure 7-24: Reports Tree Pane Icon
View Report: Clicking the View Report option takes you to the Report Parameters screen, which shows all the default settings. Default parameters can be changed in the General tab, columns to display can be added or removed in the Columns tab, and filters can be set in the Filters tab.
Duplicate Report: Creates a copy of the same report with different filters. Give it a new name and you have two copies of the same report with different layouts or parameters.
Add New Schedule: Sets daily, weekly and monthly scheduled reports. Report targets (mail, import), column display and parameters are defined here. You may have several scheduled instances running for the same report, with different filters/parameters.
Restore Defaults: Restores the default settings in the default screen. This does not affect duplicate reports that have different parameters, only the original one.
History: Shows all scheduled instances of a report. History is only available for reports already completed. Click a particular scheduled report to get only its history.
Add to Favorites: Adds this particular report to the Favorites folder. The Favorites folder serves as a repository for a selected group of reports created per Policy Server. It is designed to enable the administrator to view, schedule, or delete frequently used reports without scrolling through all Report Categories, by placing a report shortcut in the Favorites folder.
Delete Reports: Deletes reports. The Delete Reports option exists only for duplicates made of original M86 Reports. Original M86 Security reports provided with the system cannot be deleted.
Remove From Favorites: Deletes a report shortcut from the Favorites folder.
Favorites
The Favorites folder serves as a repository for a selected group of reports created per Policy Server. It is designed to enable the administrator to view, schedule, or delete frequently used reports without scrolling through all Report Categories, by placing a report shortcut in the Favorites folder. The Favorites folder itself has no right-click menu options. All functionality pertaining to the Favorites folder is available within each Report folder, on each Report. They include:
Figure 7-25: Right click options for Reports Favorites
View Report: Clicking the View Report option takes you to the Report Parameters screen, which shows all the default settings. To add your own filters, click the View Report button. The report output opens in a window in the format specified in the View As drop-down list; you can choose between HTML, PDF, Excel and CSV.
Add New Schedule: Give the schedule a name (mandatory). You may have several schedules of the same report running, each with different filters. You are taken to the Scheduling screen, which has Report Schedule, Report Target, Columns and Filters (Report Parameters) tabs. At least one time frame must be selected.
Restore Defaults: Restores the default settings in the default screen. This does not affect duplicate reports that have different parameters, only the original one.
History: Shows all scheduled instances of a report. History is only available for reports already completed. Click a particular scheduled report to get only that history.
Remove From Favorites: Removes a specific report shortcut from the Favorites folder. Removing from Favorites does not affect the original report in any way.
To add a report to the Favorites folder:
1. Navigate in the Management Console to Logs and Reports → Reporting Tool → Reports.
2. Select the required report from the specific Report Category, for example Compliance → Blocked Web Sites.
3. From the right-click menu, choose Add to Favorites.
4. A shortcut to this report can now be found in the Favorites folder.
5. Clicking the report in the Favorites folder opens the report editing screen, which provides the same functionality used to configure original reports: Filters, Columns and General report information.
6. For more information on configuring reports, see Reports Categories.
Reports Categories
Anti-Virus: Generates reports detailing the top viruses blocked by the SWG.
Compliance: Generates reports detailing the organization's compliance with various regulatory requirements, based on reports such as potential disclosure of sensitive information, browsing to websites that could expose the company to legal liability, etc.
Instant Messaging and P2P: Generates reports detailing the use of Instant Messaging and P2P communication within the organization.
IT Operation: Generates reports providing an overview of network activity, which help detect infected machines, network characteristics and bottlenecks.
Productivity: Generates reports detailing employees' browsing habits, with targeted reports for special website categories such as legal liability, job search, etc.
Web Security: Generates reports detailing the security threats blocked by the various security engines of the SWG.
Reports available through the SWG system are separated into intuitive, organized categories. For a detailed listing of Reports, see also: Available Reports
The only right-click option on each category folder is Delete. The Delete Reports option exists only for duplicates made of original M86 Reports; original M86 Security reports provided with the system cannot be deleted. When you click a particular report within a category, for example Compliance → Data Leakage Prevention, the following tabs are displayed:
• General
• Columns
• Filters
Figure 7-26: Report tabs
The Report tabs screen is displayed whenever a Report is selected from the Reports tree. The following information should be defined in the tabs displayed.
Name: Predefined name of the Report.
Description: Predefined description of the Report.
Time Period: Select the time period. This is the period for which log information exists for the Report.
Transaction Time: Select a more precise time frame within the Time Period defined above.
User Name: Select any number of User Groups that you want to run Reports for.
Report Type: Select the type of report, such as pie chart or bar chart (where relevant).
Top Results Number: Select a number to show the top results in that Report (where relevant).
View As: The output format of the Report. In the drop-down list, you can choose between HTML, PDF, Excel and CSV.
Columns
The Columns tab contains the columns/fields you want to display in the final report. The column options available depend on the report selected. For example, in Blocked Web Sites the column options include Component Size, Security Rule Name, Site, Transaction Time and URL Category. In Infected Users Machines the column options include Authenticated User, Transaction Time,
Figure 7-27: Report Columns tab
Filters
The Filters tab
Figure 7-28: Report Filters tab
The following is an example of a report request screen.
Figure 7-29: View Reports
Click View Report to generate the Report. Below is an example of a report.
NOTES: All generated reports are sorted by the first column.
Figure 7-30: Report Example
The right-click menu on every report within the Reports tree includes viewing and scheduling options. These options are also available by clicking the left tree pane icons.
Figure 7-31: Reports Options
The right-click options are described in the following table.
Schedule Report: Set generation time, destination, and format.
View Report: Opens a window listing all of the completed scheduled reports.
Duplicate Report: General, Columns, and Filters tabs.
Add New Schedule: Opens the New Schedule pane, which enables you to schedule a report generation, where you want it to be sent and in what format. See the Report Schedule, Report Target, Columns, and Report Parameters
Restore Defaults
History
Add to Favorites
Delete Report
See also: Reporting Tool
Exported Reports Location
Schedule Report
Available Reports
Schedule Report
For any scheduled report the generation time, output destination, and format can all be set.
Figure 7-32: Schedule Report
See also: Reports
Available Reports
Report Schedule Tab
Report Target Tab
Report Format Tab
Report Schedule Tab
Select the Enable Scheduling checkbox at the top of the screen to activate scheduling of Reports.
Figure 7-33: Report Schedule Tab
You can schedule the report to run at any or all of the following times in the Report Schedule tab.
Daily at a specific time (hh:mm): The report covers all transactions of the previous day.
Weekly on a specific day of the week at a specific time (hh:mm): The report covers all transactions from the previous seven days.
Monthly at a specific time (hh:mm): Runs on the first day of every month at the specified time. The report covers all transactions from the previous month.
NOTES: A report time range may span several internal databases, due to size constraints. When this happens, several reports are created, each relating to a different time frame.
See also: Schedule Report
Report Target Tab
Report Format Tab
Report Target Tab
The Report Target tab allows you to send reports to one or more of the targets.
Figure 7-34: Report Target
Reports can be sent to one or more of the targets detailed in the following table.
Enable Available Reports: If selected, the report is stored on the appliance and appears in the Available Reports screen. Note that there is a space limit of 1 GB for locally saved reports; older reports are erased once this limit is reached.
Export Report: If selected, the report is exported to the network location defined in Exported Reports Location.
Email to: Reports can be sent to multiple email addresses. Click the icon to add and delete email addresses.
See also: Schedule Report
Report Schedule Tab
Report Format Tab
Report Format Tab
The options in this section will display differently depending on the options you have chosen in the Report Editor Wizard. The only constant option in this section is View As.
Figure 7-35: Report Format
Below are some of the most common options displayed.
User Name: Select any or all of the Users or User Groups that you want to run Reports for.
Run separately for each group: Runs a separate report for each group.
Top results number: The number of items to include in your Report.
Report Type: Select the report layout from the following styles:
• Tabular
• Tabular plus Bar chart
• Tabular plus Pie chart
• Pie chart
• Bar chart
View As: The output format of the Report. In the drop-down list, you can choose between HTML, PDF, Excel and CSV.
See also: Schedule Report
Report Schedule Tab
Report Target Tab
Available Reports
This pane displays all the Reports that you configured in the Schedule Reports screen provided you selected Enable Available Reports as described in Report Target Tab.
Figure 7-36: Available Reports
See also: Reports
Schedule Report
Report Target Tab
Exported Reports Location
This pane defines the method and location used to send the exported Scheduled Reports.
Figure 7-37: Exported Scheduled Reports Location
Individual reports can be scheduled in the Reports tab to run at various times. The following connection methods are available in the Connection method drop-down list and are explained in the table below:
None: No external Reports location is used. (This is the default option.)
FTP: Connects via regular (active-mode) File Transfer Protocol.
FTP Passive: Connects via File Transfer Protocol in passive mode. Use this when a firewall located between the Policy Server and the remote FTP site would block the inbound data connection that active-mode FTP requires.
Samba: Connects via the Server Message Block (SMB) protocol.
SFTP: Connects via SFTP (the SSH File Transfer Protocol), which encrypts both the credentials and the report contents in transit.
Your selected Connection method determines the content used to define your Report Location, User to connect with and Password fields.
If you selected None: No information can be entered.
If you selected FTP: The Report Location must include the server IP address/dir for your selected location, for example 10.194.5.104/Sarah_FTP. The User to connect with is the user name used when connecting to the Report Location. The Password is the password of that user.
If you selected FTP Passive: The Report Location must include the server IP address/dir for your selected location, for example 10.194.5.104/Sarah_FTP_Passive. The User to connect with is the user name used when connecting to the Report Location. The Password is the password of that user.
If you selected Samba: The Report Location must include the server IP address and directory for your selected location, in the format //address/dir, for example //192.168.1.10/archive. The User to connect with must include the workgroup name and the user name used when connecting to the Report Location, in the format workgroup/user, for example marketing/nicole. The Password is the password of that user.
If you selected SFTP: The Report Location must include the server IP address for your selected location, for example 10.194.5.104/. The User to connect with is the user name used when connecting to the Report Location. The Password is the password of that user.
Click the Test button to verify the connection.
See also: Reporting Tool, Reports
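The field formats in the table above are easy to get wrong, and a malformed entry only surfaces when the Test button or the scheduled upload fails. The following validator is an added example written for this guide, not M86's own code: it encodes the rules stated above (IP address/dir for FTP and FTP Passive, //address/dir plus workgroup/user for Samba, an IP address with an optional directory for SFTP, nothing for None) and returns the parsed parts. The function and class names, the `encrypted` and `passive` flags, and the sample settings are all assumptions made for the example; the observation that only SFTP protects the password and the report files in transit is a property of the protocols, not something the guide states.

```python
"""Validate SWG external report-location settings before saving them.

Added example for this guide (not M86's own code). It checks the four
fields of the Report Location screen against the formats the guide
describes for each connection method.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical constant mirroring the Connection method drop-down list.
CONNECTION_METHODS = ("None", "FTP", "FTP Passive", "Samba", "SFTP")


@dataclass
class ReportTarget:
    """Parsed connection settings for an external report location (example type)."""
    method: str
    host: str = ""
    directory: str = ""
    workgroup: str = ""
    user: str = ""
    # Only SFTP encrypts the credentials and the report files in transit;
    # FTP and SMB as configured here send the password in clear text.
    encrypted: bool = False
    # FTP Passive: the Policy Server opens the data connection itself, which
    # is what lets the transfer pass a firewall in front of the FTP site.
    passive: bool = False


def _require_ip(host: str) -> str:
    """The guide's examples use IP addresses; reject anything else."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"server must be an IP address, got {host!r}") from None
    return host


def parse_report_target(method: str, location: str, user: str, password: str) -> ReportTarget:
    """Validate the fields for the chosen method; raise ValueError naming the bad field."""
    if method not in CONNECTION_METHODS:
        raise ValueError(f"unknown connection method {method!r}")

    if method == "None":
        # No information can be entered when no external location is used.
        if location or user or password:
            raise ValueError("Report Location, user and password must be empty for method None")
        return ReportTarget(method)

    if not user or not password:
        raise ValueError("user and password are required")

    if method in ("FTP", "FTP Passive"):
        host, sep, directory = location.partition("/")
        if not sep or not directory:
            raise ValueError("FTP location must be 'address/dir'")
        return ReportTarget(method, _require_ip(host), directory, user=user,
                            passive=(method == "FTP Passive"))

    if method == "Samba":
        if not location.startswith("//"):
            raise ValueError("Samba location must be '//address/dir'")
        host, sep, directory = location[2:].partition("/")
        if not sep or not directory:
            raise ValueError("Samba location must include a share or directory")
        workgroup, sep, name = user.partition("/")
        if not sep or not workgroup or not name:
            raise ValueError("Samba user must be 'workgroup/user'")
        return ReportTarget(method, _require_ip(host), directory, workgroup, name)

    # SFTP: the location is the server address; a trailing '/dir' is optional.
    host, _, directory = location.partition("/")
    return ReportTarget(method, _require_ip(host), directory, user=user, encrypted=True)


def is_rejected(method: str, location: str, user: str, password: str) -> bool:
    """True when the settings fail validation (for negative checks)."""
    try:
        parse_report_target(method, location, user, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample settings mirroring the guide's examples; the last one
    # is deliberately malformed (no leading '//' and no workgroup).
    samples = [
        ("FTP", "10.194.5.104/Sarah_FTP", "sarah", "secret"),
        ("FTP Passive", "10.194.5.104/Sarah_FTP_Passive", "sarah", "secret"),
        ("Samba", "//192.168.1.10/archive", "marketing/nicole", "secret"),
        ("SFTP", "10.194.5.104/", "sarah", "secret"),
        ("Samba", "192.168.1.10/archive", "nicole", "secret"),
    ]
    for method, location, user, password in samples:
        try:
            t = parse_report_target(method, location, user, password)
            print(f"{method:12} ok   host={t.host} dir={t.directory!r} "
                  f"encrypted={t.encrypted} passive={t.passive}")
        except ValueError as exc:
            print(f"{method:12} FAIL {exc}")
```

Run it as a script to see each sample accepted or rejected with the reason; `parse_report_target` can also be called from a change-control script before the settings are entered in the console. Because FTP and Samba carry the password in clear text, the `encrypted` flag makes it easy to flag any non-SFTP target that points outside the management network.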
Chapter 8: Help
Help Menu
The Help menu contains the following options:
Figure 8-1: Help Menu
• Online Help
• Manuals
• External Links
• About
Online Help
The Online Help is composed of detailed information and procedures per screen, designed to help you navigate the Management Console and perform configuration and monitoring tasks. In addition to the Online Help found here, you can click the Help icon (or press F1) at the top of each screen to receive a context-sensitive help page showing just the information relevant to that screen.
See also: Help, Manuals, External Links, About
Manuals
Three core manuals are provided with the M86 Secure Web Gateway Management Console:
Management Console Reference Guide (this manual): This Reference Guide provides an expansive and thorough navigation through the M86 Secure Web Gateway Policy Server Management Console, with detailed examples and tutorials to aid administrators in their daily tasks.
Security Policies In-Depth: The M86 Security predefined Security Policies for HTTP and HTTPS are detailed in this manual. Rule demonstrations, courtesy of the Malicious Code Research Center (MCRC), provide the administrator with hands-on material with which to validate the Security Rules.
Setup and Configuration Guide (Limited Shell): This Guide provides detailed procedures on all aspects of setup and configuration for the M86 Secure Web Gateway System, and includes interoperability details with third-party clients.
See also: Help, Online Help, External Links, About
External Links
The following links are supported:
MCRC: Directs you to the MCRC subsite on M86Security.com. The Malicious Code Research Center (MCRC) is the leading research department at M86 Security, dedicated to the research and detection of security vulnerabilities in Internet and email applications as well as other popular applications. MCRC's goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses. MCRC researchers work with the world's leading software vendors to help patch their security holes, as well as contribute to the development of next generation defense tools for M86 Security's proactive secure content management solutions.
M86 web: Directs you to the M86 website.
M86 Security web: Directs you to the M86 Security website.
Access M86 Security Support: Directs you to the Support site on the M86 Security website, where you can choose among the many options, including opening a Case Form and looking through helpful articles in the Knowledgebase Portal.
See also: Help, Online Help, Manuals, About
About
Contains information about the M86 Secure Web Gateway product.
See also: Help, Online Help, Manuals, External Links
Reports
The following table lists the Reports provided with release 10.0, designed to provide ease of use and flexibility.
Report | Description
Anti-Virus
Top Viruses | A summary report, displaying the most frequent viruses found by the Sophos/McAfee/Kaspersky anti-virus engine, sorted by the number of viruses found.
Compliance
Security Policy Violations | This report displays all security policy violations. It counts the number of violations per policy rule. Use this report to review your company's compliance with the defined security policy.
Transaction Usage by Hour | This report displays the specific hours at which users are surfing the Internet, thereby showing productivity by time, traffic peaks, etc. The information in the Report is dependent on the Logging Policy.
User Transactions with Legal Liability by Users (Websense/IBM Proventia) | This report displays blocked websites that might have exposed the company to legal liability issues. The information in the Report is dependent on the Logging Policy.
Potential Disclosure of Confidential Information | This report displays all blocked upload attempts of Microsoft Office documents.
IT Operation
Infected Users Machines | This report displays the IP addresses of computers detected trying to send malicious code, hence showing which computers need treating. The information in the Report is dependent on the Logging Policy.
Top URLs by Volume | This report displays the top URLs visited according to bandwidth consumed. The information in the Report is dependent on the Logging Policy.
Top Users by Volume | This report displays the most active users, sorted by total bandwidth consumed. The information in the Report is dependent on the Logging Policy.
Traffic Analysis by Content Type | This report displays traffic analysis details by content type, e.g. how many images were sent, how many exes were downloaded, etc. The information in the Report is dependent on the Logging Policy.
Traffic Analysis by Hour | This report displays the traffic analysis according to the specific hour of the day, thereby showing when the highest load occurs. The information in the Report is dependent on the Logging Policy.
Traffic Analysis by User | This report displays the traffic analysis details according to the most active users. The information in the Report is dependent on the Logging Policy.
Client Computers With Trojans | This report displays the IP addresses of computers with Trojans installed on them, detected trying to communicate over the Internet. The information in the Report is dependent on the Logging Policy.
Instant Messaging and P2P
Instant Messaging Activity | This report provides in-depth details as to how many users are Instant Messaging and what specific applications and operations they are using. The information in the Report is dependent on the Logging Policy.
Use of Instant Messaging by User | This report displays Instant Messaging Activity per user name. The information in the Report is dependent on the Logging Policy.
Productivity
Most Visited Website Domains | This report displays the most visited URLs by users.
Risk Assessment - Business usage (Websense / IBM Proventia) | This report allows you to assess Web usage for business reasons by users. The information in the Report is dependent on the Logging Policy.
Most Visited Website Categories (Websense / IBM Proventia) | This report displays the most visited website categories by users, thereby showing the type of content users are looking at. The information in the Report is dependent on the Logging Policy.
Risk Assessment - Employment (Websense / IBM Proventia) | This report allows you to assess the employment risk based on the number and frequency of employment websites visited by users. The information in the Report is dependent on the Logging Policy.
Risk Assessment - Legal Liability (Websense / IBM Proventia) | This report allows you to assess the legal risks based on the type and frequency of websites visited by users. The information in the Report is dependent on the Logging Policy.
Risk Assessment - Productivity Loss (Websense / IBM Proventia) | This report allows you to assess the productivity risk based on the type and frequency of websites visited by users. The information in the Report is dependent on the Logging Policy.
Top URLs by Hits | This report displays the most visited URLs. The information in the Report is dependent on the Logging Policy.
Top Users by Hits | This report displays the most active users, sorted by number of web requests (hits). The information in the Report is dependent on the Logging Policy.
Website Categories Violating Policy (Websense / IBM Proventia) | This report displays website categories that violated the security policy, indicating potentially malicious site categories that users requested to visit. The information in the Report is dependent on the Logging Policy.
Web Security
Adware Sites Accessed by User | This report displays the number of adware sites accessed by the user.
Anti-Virus (Sophos / Kaspersky / McAfee) | This report displays the name and amount of viruses detected and blocked by Kaspersky/Sophos/McAfee, with their original URL.
Blocked Active Content | This is a summary report, displaying blocked active content types and the number of times that each type was requested.
Known Threats - Signature Based | This report displays the malicious code detected by the SWG's third-party engines and lists.
Policy Rules Violations | This report displays the number of violations for each Security rule.
Potentially Malicious Websites (Websense / IBM Proventia) | This report displays the websites, according to URL categories, that were blocked for being potentially malicious.
Security Policy Violations - (Script Behavior) | This report displays the URLs that were blocked due to script behavior policy violations.
Security Policy Violations - (Binary Behavior Profile) | This report displays the URLs that were blocked due to binary behavior policy violations.
Repaired Pages with Suspicious Code | This report displays the list of URLs that were repaired by the HTML Repair feature. (Note that the HTML Repair feature must be enabled for this report to display the relevant information.)
Security Policy Violations by URL | This report shows and counts all URLs that were blocked per Security rule.
Spyware Sites Accessed by User | This report shows and counts the number of spyware sites accessed by the user.
Top Domain Names by Security Rule | This report displays the top domain names blocked for every security rule. The security rules are sorted by the total number of blocks and sorted further by the number of transactions for each domain.
Unknown Threats - Behavior Based | This report displays all threats that were detected by the SWG's behavior based proprietary technology.
End User Messages
The following Message Texts are used in the Page Blocked End User Messages sent when a URL is blocked (or coached).
End User Page Block Message | Message Text | Security Policy Rule it Applies to (if any)
Active Content List | Blacklisted active content: | Block ActiveX, Java
Application Level Vulnerability Detected | This page (or part of it) has been blocked because it attempts to exploit an application level vulnerability. Transaction ID is | Block Application Level Vulnerabilities
Archive Assembly Error | The item you requested contained a forbidden object. Transaction blocked. Transaction ID is | (none)
Binary VAD Violation | Binary content was blocked due to discovered exploit. The violation is | Block Binary VAD Vulnerabilities
Blacklisted URL | Access Denied! Access to this URL: | Block Access to
Blocked Adware URL | Access Denied! The requested URL is an Adware site. Transaction ID is | Block Access to Adware Sites
Blocked Binary Exploit In Textual File | Potential Binary Exploit detected! An attempt was made to download a textual file with binary content. Transaction ID is | Block Binary Exploits in Textual Files
Blocked since AV could not scan | The file you are trying to download could not be scanned by AV. Transaction ID is | Block Unscannable (Sophos/McAfee/Kaspersky)
Blocked Spyware URL | Access Denied! The requested URL is a Spyware site. Transaction ID is | Block Access to Spyware Sites
Blocked URL Category | Forbidden URL. URL Category is | Block Access to High-Risk Site Categories
Certificate Validation Mismatch | The detected certificate validation mismatch is | Block Certificate Validation Errors
Container Type | Forbidden container type: | (none)
Container Violation | Container Violation: | Block Potentially Malicious
Corrupted Container | The file you are trying to download is corrupted. Transaction ID is | (none)
Data Leakage Prevention | Forbidden operation. Content is blocked due to supposed data leakage. Transaction ID is | Data Leakage Prevention
Digital Signature Violation | Active content was blocked due to digital signature violation. The violation is | Block Binary Objects without a Digital Certificate; Block Binary Objects with Invalid Digital Certificate
Emergency Policy Active | Due to an elevated security risk, only access to specified sites is currently allowed. Transaction ID is | (none)
Fatal Error | The service is unavailable, please try again later. If the problem persists, please contact the administrator. | (none)
File Extension | Forbidden file extension: | Block Blacklisted File
File Spoofed as Archive Detected | An attempt was made to spoof an ordinary file as an archive file. Transaction ID is | (none)
Forbidden Content Size | Forbidden content size: | (none)
Forbidden Direction | Forbidden direction: <direction>. Transaction ID is | (none)
Forbidden Header Field | Forbidden header field: | (none)
Hash Scanner | Known malicious content found in list | Block Known Malicious Content
Instant Messenger Detected | Access Denied! Use of | Block IM Tunneling
Internal Error | The service is unavailable, please try again later. If the problem persists, please contact the administrator. | (none)
Malicious Behavior Detected | Malicious Behavior Detected! The page or file you requested contains malicious code. Transaction ID is | Block Malicious Scripts by Behavior; Block Malicious ActiveX, Java Applets and
Mobile Malicious Code: Binary | Active content violation. The violation is | (none)
Mobile Malicious Code: Scripts | Found behavior blocking violation. The violation is | (none)
Multiple Extensions | Forbidden file extension: multiple extensions. Transaction ID is | Block Files with Suspicious Multiple
Old or Unsafe Browser | An old or unsafe browser is used. Transaction ID is | (none)
Outgoing Microsoft Office File Detection | Transmission of Office Documents is blocked. File type: | Block Outgoing Microsoft Office Documents
Partial Download Detected | Access Denied! Partial download detected. Transaction ID is | (none)
Policy Violation | Policy Violation. Transaction ID is | (none)
Potential Shellcode Detected | Potential shellcode exploit detected. Transaction ID is | (none)
Revoked Cloud User | User has been restricted from using the Cloud | (none)
Service Stopped | Service is stopped. Transaction ID is | (none)
Spoofed Content Detected | An attempt was made to download a spoofed file. The spoofing type is: | Block Spoofed Content
Spoofed Executable Detected | Spoofed Executable Detected! An attempt was made to download a disguised executable file. Transaction ID is | (none)
Spyware Behavior Detected | Spyware Behavior Detected! The requested file or page contains Spyware: | Block Known Spyware (CLSID)
Spyware Object Detected | Spyware Detected! An attempt to download a forbidden Spyware program has been blocked. | Block Known Spyware (ACL)
Suspected Trojan Traffic Detected | Suspected Trojan traffic detected. Access to the Internet is blocked. | Detect Known Trojan Network Activity
Suspicious File Type Detected | Forbidden File Type! An attempt was made to download a forbidden file type. Transaction ID is | Block Microsoft Office Documents containing Macros and/or Embedded Files
Temporarily Blocked Cloud User | User is temporarily Blocked from using the Cloud | (none)
Temporary Error | The service is unavailable, please try again later. If the problem persists, please contact the administrator. | (none)
Time Frame | Forbidden time: | (none)
Type Detector | Forbidden data type. The data type is | Block Unscannable Archives
Unscannable Content Detected | Unscannable content detected! The page or file you requested contains unscannable ActiveX, Java Applets or Executables. Transaction ID is | Block Unscannable ActiveX, Java Applets and Executables
URL List | Found item in a forbidden URL list. The URL is | (none)
Virus Detected | Virus Detected! The page or file you requested is infected with the following virus | Block Known Viruses (Sophos/McAfee/Kaspersky)
Wrong Configuration Error | The service is unavailable, please try again later. If the problem persists, please contact the administrator. | (none)