jebeling (Employee)
Message 1 of 2

How Can I Scope UCE Policy Based on MCP Supplied Context?


UCE currently only allows rule branch scoping based on Location, User Name, User Group, Service, Service Groups, Client IP, Connection IP, and URL. What if I want to scope rules based on MCP Context like client system name, process name or client OS?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Accepted Solution
jebeling (Employee)
Message 2 of 2

Re: How Can I Scope UCE Policy Based on MCP Supplied Context?


Policy code modification is currently required. To keep the modification to a minimum, I would suggest the following procedure for mapping process name and MCP Policy name directly to group names, and using systemname and hostos matched against a list of regex strings to map to a single group name for each list match. (The concept could be extrapolated to use any value supplied in systeminfo to set User Groups.) At a high level, here are the steps:

1) Create regex lists that will be checked against the system info supplied by MCP to apply specific policies. (This step is not necessary if you just want to use the property value as your added group name. My code below does just that for process name and MCP policy name; I would recommend using a regex list for matching on OS or system name, as described below.)

2) Create a new branch at the top of the policy and insert policy code to set User Groups based on regex list matches, or on system info directly.

3) Use those groups in your scoping for the policy rule branches.

4) (optional) If you want a match to a given branch to terminate the top level branch rather than executing the remaining branches in it, edit the policy code to change the END statements to reference the top level rule branch name.

Here are the details:

1) Create regex lists for use in mapping groups:

From the MVISION Cloud Management Console go to Policy > Web Policy > List Catalog > Regular Expression and select Add New List from the menu (the ... menu to the right of the Regular Expression list type).

Give the list a descriptive name and enter the relevant regular expressions that you want to apply a special policy to (in this example the host OS will be matched for the purpose of setting a group that will be used in policy scoping).


2) Create a new policy branch and modify policy code: 

From the MVISION Cloud Management Console go to Policy > Web Policy > Policy > Getting Started > Advanced Editing in Code View and, in the lower right hand corner of the screen, click on "here".

Edit the code to add an INCLUDE statement to the list of INCLUDEs near the bottom of the code. Place the statement before Global Bypass, with the name of your new branch.


Save and publish, then activate Code View for the newly created branch.

Edit the first line of code to give yourself an activate button, operate on web requests only, and customize the branch name if desired:

ROUTINE Set_Groups_From_MCP ON (Web.Request) [enabled="true"] { // Add Groups From MCP Context

Add the policy code by inserting your modified version of the code after the first line and before the routine end signified by } (replace the list names and group name strings to match your own lists and group names):

-------------------Code to insert----------------------------

// Only run for traffic authenticated through MCP (SWPS)
IF MWG.AuthenticationMethod != "SWPS" THEN {
    END
}

// Initialize variables (list names and group name strings are yours to replace)
VECTOR<STRING> userGroups = MWG.UserGroups
STRING systemName = MWG.ClientSystemInfo.GetAsString("systemname")
VECTOR<STRING> mcpPolicyV = MWG.ClientSystemInfo.GetAsString("policyname")
VECTOR<STRING> mcpProcessV = MWG.ClientProcessName
STRING hostOSName = MWG.ClientSystemInfo.GetAsString("hostosname")
RegExJSi.List systemNameRegex = list_SystemNameRegex1
RegExJSi.List hostOSNameRegex = list_HostOSRegex1
VECTOR<STRING> systemGroupV = "SystemGroup1"
VECTOR<STRING> hostOSGroupV = "HostOSGroup1"

// Only add groups once per request or connection:
// continue on CONNECT (once per HTTPS tunnel) or on plain http requests, otherwise stop
IF MWG.CommandName != "CONNECT" AND MWG.Protocol(MWG.Url) != "http" THEN {
    END
}

// Add group indicating MCP policy name
IF NOT IsEmpty(mcpPolicyV) THEN {
    userGroups = Join(userGroups, mcpPolicyV)
}

// Add group indicating process name
IF NOT IsEmpty(mcpProcessV) THEN {
    userGroups = Join(userGroups, mcpProcessV)
}

// Add group based on system name (one group name per regex list match)
IF systemNameRegex.Matches(systemName) THEN {
    userGroups = Join(userGroups, systemGroupV)
}

// Add group based on host OS (one group name per regex list match)
IF hostOSNameRegex.Matches(hostOSName) THEN {
    userGroups = Join(userGroups, hostOSGroupV)
}

// Write the extended group list back so later branches can scope on it
MWG.SetUserGroups(userGroups)

----------------End Code to Insert-------------

[Screenshot: Code.PNG]

The above code will add groups when MCP is used. The groups added will be the process name, the MCP policy name, SystemGroup1 (if the system name matches the regex list) and HostOSGroup1 (if the host OS name matches the regex list). You could have a regex list that includes *.microsoft?windows*. and then put "Windows" as the group name instead of "HostOSGroup1".

3) Use those groups and/or User Names in your scoping for the policy rule branches.

Now that we have the groups set from MCP supplied context, they can easily be applied for scoping of any policy rules through the standard UI. 

[Screenshot: BrowserList.PNG]

Here is the Global Bypass branch scoped on the process name matching a string list containing approved browser process names.

[Screenshot: WebPol.PNG]

You could obviously do the inverse (not in list) and apply it to a cloned rule branch.

Note that each remaining branch in the same filter will still run if the scoping matches for the respective branch. See step 4 if you don't want this behavior.

4) (Optional) Terminate top level branch (filter)

What if you don't want remaining branches of a filter to execute even if their scoping matches? 

You have to dive back into policy code to do this but it is fairly simple. I will use my Web Filtering branch as an example. First you need to get the name of the top level filter. 

Open code view for the top level filter and note the name:

[Screenshot: Branch.PNG]


Replace the statement END with END(<top level branch name>) in any conditionals that you want to end the top level branch (routine) rather than just the current routine (which is what a simple END with no variable would do).

[Screenshot: End.PNG]


Save and publish.

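The following is an added example, not policy code from the post above and not Web Gateway's own evaluation engine. It models in Python the two mechanisms the answer describes: the group-mapping routine, in which each regex list maps to a single group name, and the difference between a plain END and END(<top level branch name>) when a later branch in the same filter also matches. The Request fields are stand-ins for MWG.AuthenticationMethod, MWG.CommandName, MWG.Protocol(MWG.Url), MWG.UserGroups, MWG.ClientSystemInfo and MWG.ClientProcessName; the regex list contents, the sample requests, the branch names and the approved-browser string list are all constructed for illustration. Since process name, system name and host OS are values reported by the MCP client, the model treats them purely as input data that the gateway maps to group names.

```python
import re
from dataclasses import dataclass, replace
from typing import Callable


@dataclass
class Request:
    """Constructed stand-in for the MWG properties the posted routine reads."""
    auth_method: str             # MWG.AuthenticationMethod ("SWPS" when MCP is in use)
    command: str                 # MWG.CommandName, e.g. "CONNECT" or "GET"
    scheme: str                  # MWG.Protocol(MWG.Url): "http" or "https"
    user_groups: list[str]       # MWG.UserGroups as set by authentication
    system_info: dict[str, str]  # MWG.ClientSystemInfo: systemname, hostosname, policyname
    process_name: str            # MWG.ClientProcessName


# Regex lists as created under List Catalog > Regular Expression, each mapped
# to the systeminfo key it is matched against and to ONE group name, exactly
# as the posted branch does. List contents are hypothetical.
REGEX_LISTS: dict[str, tuple[str, list[str], str]] = {
    "list_SystemNameRegex1": ("systemname", [r"^FIN-\d{4}$"], "SystemGroup1"),
    "list_HostOSRegex1": ("hostosname", [r"(?i)microsoft.?windows.*"], "HostOSGroup1"),
}


def list_matches(list_name: str, value: str) -> bool:
    """RegExJSi.List.Matches: true if any entry of the list matches the value."""
    _, patterns, _ = REGEX_LISTS[list_name]
    return any(re.search(p, value) for p in patterns)


def set_groups_from_mcp(req: Request) -> list[str]:
    """Model of the Set_Groups_From_MCP routine: returns the extended group list."""
    groups = list(req.user_groups)
    if req.auth_method != "SWPS":          # IF MWG.AuthenticationMethod != "SWPS" THEN END
        return groups
    if req.command != "CONNECT" and req.scheme != "http":   # once per tunnel / plain request
        return groups
    policy_name = req.system_info.get("policyname", "")
    if policy_name:                        # MCP policy name becomes a group
        groups.append(policy_name)
    if req.process_name:                   # client process name becomes a group
        groups.append(req.process_name)
    for list_name in ("list_SystemNameRegex1", "list_HostOSRegex1"):
        key, _, group = REGEX_LISTS[list_name]
        if list_matches(list_name, req.system_info.get(key, "")):
            groups.append(group)           # one group per matching list
    return groups


@dataclass
class Branch:
    """A rule branch inside a top-level filter with its scoping condition."""
    name: str
    scope: Callable[[set[str]], bool]
    stop_filter: bool = False   # True models END(<top level branch name>), False a plain END


APPROVED_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # constructed string list

WEB_FILTERING = [
    Branch("Global Bypass", lambda g: bool(g & APPROVED_BROWSERS)),
    Branch("Block non-browser processes", lambda g: not (g & APPROVED_BROWSERS)),
    Branch("Windows baseline", lambda g: "HostOSGroup1" in g),
]


def terminate_filter_on(branches: list[Branch], name: str) -> list[Branch]:
    """Step 4 of the post: make a match on `name` end the whole top-level filter."""
    return [replace(b, stop_filter=(b.name == name)) for b in branches]


def evaluate_filter(branches: list[Branch], groups: list[str]) -> list[str]:
    """Names of branches whose scoping matched, in order; stops after a terminating branch."""
    gs = set(groups)
    fired = []
    for b in branches:
        if b.scope(gs):
            fired.append(b.name)
            if b.stop_filter:
                break
    return fired


# Constructed sample requests
SAMPLE_CONTEXT = {"systemname": "FIN-0042",
                  "hostosname": "Microsoft Windows 10 Enterprise",
                  "policyname": "CorpLaptops"}
SAMPLE_MCP_CONNECT = Request("SWPS", "CONNECT", "https", ["Everyone"], SAMPLE_CONTEXT, "chrome.exe")
SAMPLE_MCP_OUTLOOK = Request("SWPS", "CONNECT", "https", ["Everyone"], SAMPLE_CONTEXT, "outlook.exe")
SAMPLE_NON_MCP = Request("NTLM", "CONNECT", "https", ["Everyone"], {}, "")
SAMPLE_HTTPS_GET = Request("SWPS", "GET", "https", ["Everyone"], SAMPLE_CONTEXT, "chrome.exe")

if __name__ == "__main__":
    for req in (SAMPLE_MCP_CONNECT, SAMPLE_MCP_OUTLOOK, SAMPLE_NON_MCP, SAMPLE_HTTPS_GET):
        groups = set_groups_from_mcp(req)
        print(req.process_name or "(no MCP)", groups)
        print("  plain END:      ", evaluate_filter(WEB_FILTERING, groups))
        print("  END(Web Filtering):", evaluate_filter(terminate_filter_on(WEB_FILTERING, "Global Bypass"), groups))
```

The model keeps the posted ordering (policy name, process name, system name group, host OS group) so the resulting group list reads the same as what the gateway would hand to later branches. The last two sample requests show the two early exits: a non-MCP authentication adds nothing, and an HTTPS GET inside an already-established tunnel adds nothing because the groups were set on the CONNECT.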
