Skip to main content

McAfee Web Gateway

Download With Dependencies

Blacklist/Whitelist handling

Mcafee Web Gateway

This pack includes Cortex XSIAM content.

Skyhigh Secure Web Gateway (SWG) is a cloud-native web security solution that provides an advanced layered protection from threats and data loss with integrated RBI, CASB, and DLP capabilities in the web and cloud. It enables organizations to implement a simplified SSE architecture that delivers security, scalability, and availability for a distributed and remote workforce.

This Skyhigh Secure Web Gateway content pack contains the Skyhigh Secure Web Gateway integration that manages block and allow lists within Skyhigh SWG.

What does this pack do?

Manages the block and allow lists within Skyhigh SWG.

Mcafee Web Gateway

This pack includes Cortex XSIAM content.

Skyhigh Secure Web Gateway (SWG) is a cloud-native web security solution that provides an advanced layered protection from threats and data loss with integrated RBI, CASB, and DLP capabilities in the web and cloud. It enables organizations to implement a simplified SSE architecture that delivers security, scalability, and availability for a distributed and remote workforce.

Configuration on Server Side

You need to configure Web Gateway to forward Syslog messages.

Add a rule for sending access log data


  1. Select PolicyRule Sets.

  2. Click Log Handler, expand the Default rule set, and select the nested Access Log rule set.

  3. Add the following rule to make access log data available to the daemon that sends it to the syslog server.

    Criteria Action Event
    Always Continue Syslog (6, UserDefined.logLine)
  4. Click Save Changes.

Adapt the rsyslog.conf system file for sending access log data

  1. Select ConfigurationFile Editor.
  2. On the files tree, select rsyslog.conf.
  3. Edit the file to adapt it for sending access log data.
    1. Look for the following line:
      ``` text
      *.info;mail.none;authpriv.none;cron.none /var/log/messages
   2. Replace **mail** with **daemon** in this line and insert a **-** (dash) before the path information.
    ``` text
   *.info;daemon.none;authpriv.none;cron.none -/var/log/messages

This modification prevents the syslog daemon from sending data to the var/log/messages partition on the disk of the Web
Gateway appliance system.

  1. You can now direct the data to the intended destination:
    • To send data to a syslog server under TCP, insert - daemon.info @<IP>:<Port>
    • To send data to a syslog server under the UDP protocol, insert - daemon.info @<IP>:514
  • Pay Attention: Timestamp ingestion is currently available for the time_stamp field in %d/%h/%Y %H:%M:%S %z (e.g. 11/Oct/2023:04:50:18 -0500) format.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Go to the Apps column under the Brokers tab and add the Syslog Collector app for the relevant broker instance. If the app already exists, hover over it and click Configure.
  3. Click Add New for adding a new syslog data source.
  4. When configuring the new syslog data source, set the following values:
    | Parameter | Value
    | :--- | :---
    | Vendor | Enter mcafee.
    | Product | Enter webgateway.

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedNovember 9, 2020
Last ReleaseFebruary 6, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.