McAfee Web Gateway
High-performance on-premises web security.
Web Gateway Support
Licensing
To ensure a smooth deployment of McAfee Web Gateway, it is important to have your license ready. Some of the McAfee Web Gateway features and configuration options will not be available without the license. In case you have not yet received a file with a license key from McAfee, you can use a temporary key to activate a McAfee Web Gateway appliance. Learn more.
Where can I download my license file?
To download a license file, log in to the Content & Cloud Security Portal and click the Licenses tab to see all your available licenses. If you do not have a login, call or email McAfee Customer Service and they can create one for you.
What happens when my license expires?
The answer depends on what type of license you have. There are two different types:
- Purchased: After your license expires, you will not be able to download any new updates for the filtering engines, but you will still be able to use the rule engine and filter traffic. McAfee Web Gateway will still serve requests.
- Evaluation: After your license expires, your updates will not download and filtering will not work. You cannot use the engines within McAfee Web Gateway and it will not serve requests.
How do I renew my license?
Contact your sales representative. If you do not know who your sales representative is, call or email customer service.
Install & Upgrade
To accommodate the needs of different user groups, McAfee has implemented a two-branch release approach for McAfee Web Gateway:
- Main release branch
- Default version on all new McAfee Web Gateway appliances
- Provides feature releases once yearly
- Maintenance releases are provided throughout the year (every two months)
- Controlled release branch
- Provides three feature releases per year (once every four months)
- Geared toward early adopters
- Patch releases are made available between feature releases or rolled into the next feature release
- Customers must actively decide to switch to this branch
Review the Overview and FAQ for more information about the Main and Controlled releases implementation.
Download the McAfee Web Gateway Appliance ISO images from the Content & Cloud Security Portal.
Clean Install
McAfee defines a clean installation as a deployment where there are no elements of McAfee software pre-existing on the system. See “Upgrade” if there is pre-existing software. Review the supported environments documentation to ensure that the environment is compatible before deploying McAfee Web Gateway. This article covers requirements for McAfee Web Gateway Appliance, McAfee Web Gateway Virtual Appliance, and McAfee Web Gateway on blade server.
Review the release notes for new features and resolved issues with McAfee Web Gateway 8.0.x.
Review the two guides below for information about how to install McAfee Web Gateway Appliance and for additional details regarding system requirements:
- Web Gateway 8.0.x Installation Guide: System Requirements
- Install Web Gateway virtual appliance with Hyper-V
For McAfee Web Gateway appliance models WBG-4500-D, WBG-5000-D, WBG-5500-D with McAfee BIOS version 37 or greater, McAfee Technical Support recommends you use the McAfee Web Gateway software releases as mentioned in this article.
Upgrade McAfee Web Gateway Hardware
To determine if you need to upgrade your hardware, verify the appliance model you have. The model number is located on a label on top of the hardware chassis. If you have an older model (A, B, or E in the model short code), you must upgrade the memory to meet McAfee recommendations or install a PCI card which provides fiber connectivity and use of Hardware Security Module (HSM). Refer to this guide for more information.
If there is an issue when upgrading the hardware, install the getlogs package to collect hardware logs. The getlogs script can run while your McAfee Web Gateway appliance is in production, as there is no technical need to take it offline. Learn how to submit a hardware issue to the McAfee Web Gateway Technical Support team.
Upgrade Web Gateway Software
Refer to the End-of-Life (EOL) page for more information about hardware and software EOL dates. Plan your current McAfee Web Gateway software upgrade with these dates in mind.
When upgrading to a new version of the McAfee Web Gateway appliance software, the workflow is different for Main and Controlled releases. Other factors include the version you upgrade from and if you use the McAfee Web Gateway interface or a system console. Review the workflow to understand the McAfee Web Gateway upgrade path.
Review best practices prior to your upgrade. These resources provide a step-by-step approach and outline disaster recovery scenarios:
- Best practices for updating McAfee Web Gateway 7.x
- Upgrading to a new version provided as a Main release
If you have an issue during an upgrade, refer to the following documentation:
Policy & Rule Configuration
McAfee Web Gateway enforces web security policies, which protect the network against threats arising from the web. A web security policy is made up of rules grouped in rule sets with certain actions applied to the rule. For more information about policy configuration and working with rule sets, refer to these McAfee Web Gateway product guides:
Common Rule Use Cases
- Global whitelisting: Excludes objects from web filtering
- SSL scanning: Ensures that SSL-secured web traffic can be processed and made available to other filtering functions on McAfee Web Gateway
- Application filtering: Ensures that the users of your network cannot access unwanted applications, such as Facebook, Xing, and others
- URL filtering: Ensures that your network users can’t access web objects that are considered risky or that contain inappropriate subject matter
- Streaming media filtering: Blocks web objects if the probability that they are streaming media reaches or exceeds a configured level
If a policy or rule configuration issue occurs, use the following tools available on the McAfee Web Gateway GUI:
- Rule tracing: Used to debug issues with rule processing. Rule tracing covers all activities in processing cycles that were performed for a request, including the request, response, and embedded object cycles. Tracing results can be viewed separately for different cycles.
- Connection tracing: Review the article below if you want to troubleshoot connection issues. You can use connection traces to record the activities of connections between an appliance and other network components. This allows the analysis of flows and logins and shows the decrypted SSL connection if the SSL Scanner rule set was executed.
McAfee Client Proxy
McAfee Client Proxy software allows redirection of web traffic to a proxy, protecting the endpoint from security threats that arise when accessing the web from inside or outside the network. Review the key features of McAfee Client Proxy.
To get acquainted with the software, review the documentation below:
- Supported platforms, environments, and operating systems for McAfee Client Proxy
- McAfee Client Proxy Technical FAQ
Common Use Cases
- Proxy server list: Configures proxy server list and rules to redirect web traffic to a proxy server
- Client settings: Determines the location of the endpoint and when to redirect web traffic
- Bypass list: Allows traffic to bypass the proxy server and go directly to the internet
- Block list: Configures the list of processes that McAfee Client Proxy software blocks from accessing the internet
If you install McAfee Client Proxy on a client with a third-party endpoint protection product, refer to this article for required exclusions.
If there is an issue with McAfee Client Proxy and you need to collect additional logs for troubleshooting, refer to this article for steps on how to enable debug logs.
Logging & Reporting
Logging helps record web filtering and other processes on the McAfee Web Gateway appliance. Review the log files with recordings to find reasons for failures and troubleshoot issues. Learn more. Data on McAfee Web Gateway syslog log files can also be sent to McAfee Enterprise Security Manager. Learn more.
Review best practices to monitor file system usage in the “/opt” partition on McAfee Web Gateway. This partition is used for storing system files, and the appliance software is also installed on it. As a result, a full /opt partition impacts the performance of the appliance.
Review the best practices guides below for syslog server configuration and implementation:
- Best practices: Sending access log data to a syslog server
- Best practices: Implementing TLS-secured usage of syslog data
If you use McAfee Content Security Reporter, which uses the default data format for logging, review these resources:
Root Certificate Expiration
The McAfee product line uses TLS for secure communication. Two certificates validate McAfee TLS chains, including a primary expiring in 2038 and a secondary expiring on May 30, 2020. If either certificate, or both, are present in your environment, TLS will function correctly prior to May 30, 2020. After May 30, 2020, only the primary certificate will be valid. Out of an abundance of caution McAfee is informing customers of this impending event.
Generally, certificates are auto-updated through operating systems and customers will not be impacted. However, in environments where automatic management of root certificates is disabled and the primary certificate has not been manually deployed, customers will potentially be impacted. KB92937 provides information on how to verify and install the primary certificate.
Failure to have a valid certificate will cause product issues including reduced detection efficacy.
The primary certificate that must be validated in a customer's environment is as follows:
Subject : CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
Thumbprint : 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Expiration : 2038-01-18
Subscribe to KB92937 to receive updates.
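A standard-library check for the thumbprint quoted above, added here as an example; it is not McAfee tooling and not the procedure from KB92937. It assumes the thumbprint is the SHA-1 digest of the certificate's DER encoding (the value Windows displays as "Thumbprint"), and the function names are hypothetical.

```python
import hashlib
import re
import ssl
import sys

# Thumbprint of the primary root certificate, as quoted on this page.
PRIMARY_THUMBPRINT = "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def normalize(thumbprint: str) -> str:
    """Drop separators (spaces, colons) and upper-case a hex thumbprint."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes (assumption: matches the 'Thumbprint' field)."""
    return hashlib.sha1(der).hexdigest().upper()


def bundle_thumbprints(pem_text: str) -> set[str]:
    """Thumbprints of every certificate found in a PEM CA bundle."""
    return {
        thumbprint(ssl.PEM_cert_to_DER_cert(block))
        for block in PEM_BLOCK.findall(pem_text)
    }


def default_store_thumbprints() -> set[str]:
    """Thumbprints of the roots Python loads from the OS default trust store.

    Roots that exist only in an OpenSSL hashed directory (capath) are loaded
    lazily and do not appear here; pass the bundle file on the command line.
    """
    ctx = ssl.create_default_context()
    return {thumbprint(der) for der in ctx.get_ca_certs(binary_form=True)}


def has_primary(thumbprints: set[str], wanted: str = PRIMARY_THUMBPRINT) -> bool:
    """True if the wanted thumbprint (any common formatting) is in the set."""
    return normalize(wanted) in thumbprints


if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional argument: path to a PEM CA bundle
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = bundle_thumbprints(fh.read())
    else:
        found = default_store_thumbprints()
    ok = has_primary(found)
    print("primary root present" if ok else "primary root MISSING")
    sys.exit(0 if ok else 1)
```

The non-zero exit status on a missing root lets the script run from a scheduled compliance check on hosts where automatic root certificate management is disabled.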