How to generate and analyze connection traces in McAfee Web Gateway
Technical Articles ID:   KB89213
Last Modified:  12/20/2018

Environment

McAfee Web Gateway (MWG) 7.x

Summary

McAfee recommends that when you troubleshoot connection issues, you use connection traces to record the activities of connections between an appliance and other network components.

This allows you to analyze, for example, traffic flows and logins, and it also shows the decrypted content of SSL connections if the SSL Scanner rule set was executed for them.

Problem

How do I create connection traces to troubleshoot MWG?

How do I trace an HTTPS connection through MWG so that I can see the requests and responses in the encrypted part?

Solution

Enable the creation of trace files to record the activities occurring on connections between an appliance and other network components.
 
IMPORTANT: Disable connection tracing as soon as you have finished troubleshooting. Every connection is written to disk while tracing is enabled, so leaving it on fills the appliance's disk. The trace files also contain the decrypted content of every HTTPS connection that the SSL Scanner rule set handled, which can include session cookies and login credentials, so restrict access to the files and delete them when the case is closed.

Enable the connection tracing files:
  1. Select Configuration > Appliances.
  2. On the appliances tree, select the appliance you want to record connection activities on and click Troubleshooting.
     
  3. In the Troubleshooting section, select Enable connection tracing.
    Optional: To trace only the connections of one client, select Restrict tracing to only one IP and enter the client's IP address in the Client IP field. On a busy appliance this keeps the trace volume manageable and avoids recording other users' decrypted traffic.
     
  4. Click Save Changes.
    Connection trace files are now created.
     
  5. Perform your troubleshooting/reproduce your issue.
    IMPORTANT: McAfee strongly recommends you note all hosts and domains used in the troubleshooting process, including clients and target servers.
     
  6. To view the connection tracing files:
    1. Under the Troubleshooting top-level menu, select the relevant appliance.
    2. Click Connection Tracing.
      You see the trace files listed.
       
    3. Using the items on the toolbar, you can perform several file-related activities, such as view or download a file.

      IMPORTANT: To download all files at once, McAfee recommends that you pack them into one archive from the command-line interface (CLI):
      1. Open a command-line session on the appliance.
      2. Type cd /opt/mwg/log/debug/ and press ENTER.
      3. Type zip -r filename.zip connection_tracing/ and press ENTER.
         The -r option is required; without it zip stores only the directory entry and none of the trace files inside it.
         
  7. Disable the trace file collection.
    1. Return to the Troubleshooting section of the appliance configuration and deselect the Enable connection tracing check box.
      Optional: Remove the IP address entered in the Client IP field for Restrict tracing to only one IP.
       
    2. Click Save Changes.

Solution

Viewing and troubleshooting the files

The available files depend on the protocol that you trace; for most protocols you will find several files for one connection ID, one per side (client or server) and, for FTP, one per control and data connection.

For HTTP/HTTPS you should see two files:
  • HTTP-xxxxxx-C.txt is the client side connection
  • HTTP-xxxxxx-S.txt is the server side connection

For FTP you should see four files:
  • FTP-xxxxxx-CC.txt is the client side control connection
  • FTP-xxxxxx-CL.txt is the client side data connection
  • FTP-xxxxxx-SC.txt is the server side control connection
  • FTP-xxxxxx-SD.txt is the server side data connection

(Figure: FTP and HTTP connection traces)

For ICAP you will see one of the following files:
  • ICAP-xxxxxx-C.txt if Web Gateway is the ICAP server, or
  • ICAP-xxxxxx-S.txt if Web Gateway is the ICAP client


Reviewing encrypted and decrypted information

When you check a connection trace, data that Web Gateway did not decrypt appears between >>> and <<<.
Data that was sent encrypted and was decrypted by the SSL Scanner rule set is shown in clear text between [[[ and ]]].

For example: (figure not included)

Compare a client side and server side connection: (figure not included)
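The following Python script is added here as an illustration; it is not part of the article and not Web Gateway code. It sorts the file names described under "Viewing and troubleshooting the files" by protocol and connection ID, reports connections whose client or server side file is missing, and splits a trace into its >>> ... <<< and [[[ ... ]]] sections so that the decrypted request lines and any credential-bearing headers can be pulled out. The trace text in the script is constructed for the example and assumes each delimiter stands on a line of its own; the set of headers treated as sensitive is also the example's own choice.

```python
"""Sort McAfee Web Gateway connection trace files by connection ID and split
a trace into what was not decrypted (>>> ... <<<) and what the SSL Scanner
decrypted ([[[ ... ]]]).  Added example, not MWG code: the trace text is
constructed and assumes each delimiter stands on a line of its own."""
import re
from collections import defaultdict

# HTTP-000123-C.txt, FTP-000200-CC.txt, ICAP-000300-S.txt
NAME_RE = re.compile(r"^(HTTP|FTP|ICAP)-([^-]+)-([CS][CDL]?)\.txt$")

# Files the article says to expect per protocol (ICAP has only one file).
EXPECTED_SIDES = {"HTTP": {"C", "S"}, "FTP": {"CC", "CL", "SC", "SD"}}

# Header names whose decrypted values are secrets; list chosen for this example.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def parse_trace_name(name):
    """Return (protocol, connection_id, side) for a trace file name, else None."""
    m = NAME_RE.match(name)
    return m.groups() if m else None


def group_traces(names):
    """Map (protocol, connection_id) -> {side: file name}."""
    groups = defaultdict(dict)
    for name in names:
        parsed = parse_trace_name(name)
        if parsed:
            proto, conn_id, side = parsed
            groups[(proto, conn_id)][side] = name
    return dict(groups)


def missing_sides(groups):
    """Connections whose expected set of files is incomplete, e.g. HTTP C without S."""
    incomplete = {}
    for (proto, conn_id), sides in groups.items():
        want, have = EXPECTED_SIDES.get(proto, set()), set(sides)
        if not want <= have:
            incomplete[(proto, conn_id)] = sorted(want - have)
    return incomplete


def split_sections(text):
    """Yield ('encrypted' | 'decrypted', body) for each delimited block in order."""
    openers = {">>>": ("encrypted", "<<<"), "[[[": ("decrypted", "]]]")}
    kind = closer = None
    body = []
    for line in text.splitlines():
        marker = line.strip()
        if kind is None:
            if marker in openers:          # start of a block
                kind, closer = openers[marker]
                body = []
        elif marker == closer:             # end of the current block
            yield kind, "\n".join(body)
            kind = closer = None
        else:
            body.append(line)


def decrypted_start_lines(text):
    """Request and status lines that are only readable because of SSL decryption."""
    return [body.splitlines()[0] for kind, body in split_sections(text)
            if kind == "decrypted" and body.strip()]


def sensitive_headers(text):
    """Header names found in clear text inside the decrypted sections."""
    found = []
    for kind, body in split_sections(text):
        if kind != "decrypted":
            continue
        for line in body.splitlines():
            name, sep, _ = line.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                found.append(name.strip())
    return found


# Constructed client-side trace of one HTTPS login (not a real MWG capture).
SAMPLE_TRACE = """\
>>>
CONNECT www.example.com:443 HTTP/1.1
Host: www.example.com:443
<<<
>>>
HTTP/1.1 200 Connection established
<<<
[[[
GET /login HTTP/1.1
Host: www.example.com
Cookie: session=9f1c2b
Authorization: Basic dXNlcjpwYXNz
]]]
[[[
HTTP/1.1 302 Found
Set-Cookie: session=77ab00; Secure; HttpOnly
]]]
"""

if __name__ == "__main__":
    names = ["HTTP-000123-C.txt", "HTTP-000123-S.txt", "HTTP-000124-C.txt",
             "FTP-000200-CC.txt", "FTP-000200-SC.txt", "ICAP-000300-S.txt"]
    print("incomplete connections:", missing_sides(group_traces(names)))
    print("decrypted request/status lines:", decrypted_start_lines(SAMPLE_TRACE))
    print("secrets in clear text:", sensitive_headers(SAMPLE_TRACE))
```

To use it on real files, feed the names from a listing of /opt/mwg/log/debug/connection_tracing/ to group_traces and the contents of each file to split_sections. The sensitive_headers output is a quick way to see why the archive must be treated as confidential before it is attached to a support case.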
