BlueCoat Proxy Splash Page For FireEye Integration

Hello again. If you are here, you are probably looking for some HowTo help on FireEye Integration With BlueCoat Proxy, or perhaps you have already completed that and are looking for a good splash page to use for FireEye blocks. Either way, I thank you for stopping by, and hope to be of some assistance if possible.

When I started working on the integration it was actually fairly simplistic, in that the proxy is just using the FireEye output as an input for the Central Policy file, which we then use to block URL’s in the comprehensive BlueCoat policy (I am talking the whole policy when combined VPM, Central, Local, Forward). What I also found out is that FireEye is not integrating this as well as they could have when it comes to the “return exception” that BlueCoat uses to provide the user with input on why it was blocked, which is a pain in my rear, as we now have to jump through a few more hoops to get less functionality. Let me explain….

So, the way FireEye provides the input to BlueCoat, it does so using the “define condition” command in CPL vs using “define category” – see below:

FireEye to Proxy Syntax - Define Condition

There are 2 problems with the way this is going.

Problem 1:
The “define condition FireEye_Callbacks” option that FireEye is using here is a variable that is not viewable in the VPM (like “define category FireEye_Callbacks” would be), so you cant use it as a source for any existing malware blocking rules or whatever else you might want to do with it in the VPM.

Problem 2:
The syntax that FireEye has used to have BlueCoat use a specific return exception is forcing the usage of the BlueCoat default of “exception(content_filter_denied)”, which as you can see below, is pretty lackluster (ugly).

BlueCoat Return Exception - content_filter_denied

After finding this, I pleaded with FireEye professional services to change things a bit, and even want as far as to tell them exactly what changes to make to get their BlueCoat integration to be much more friendly, useable, powerful, flexible, . Instead of rewriting it all, here is the email thread:

My question/suggestion/plea to FireEye:

My question/suggestion/plea to FireEye

FireEye’s reply to my question/suggestion/plea:

FireEye's reply to my question/suggestion/plea

So the general consensus was that “We don’t have the ability to change the on box BlueCoat integration.” Alas, it was not to be, yet I will still be pushing for this integration as there are many clients using BlueCoat and other web proxy products that could benefit from a little more flexibility.

OK-OK-OK, enough crying and complaining from me… On to the solution.

The solution is that we need to modify the default “exception(content_filter_deny)” to look like the rest of our “branded” splash pages (compliments of ME…). Now if you remember back to some earlier posts Creating A Splash Page and Splash Page Updates, we know that we need to get into the exceptions file and do some editing. We need to stick our splash page CSS/HTML in “exception.content_filter_denied”, between the pages for “exception.connect_method_denied” and “exception.content_filter_unavailable”.

  (exception.connect_method_denied
     (contact)
     (details "Your request attempted a CONNECT to a port $(quot)$(url.port)$(quot) that is not permitted by default.")
     (format)
     (help "This is typically caused by an HTTPS URL that uses a port other then the default of 443.")
     (summary "Access Denied")
     (http
       (code "403")
       (contact)
       (details)
       (format)
       (help)
       (summary)
     )
   )
 (exception.content_filter_denied
     (contact)
     (details)
     (format)
     (help)
     (summary "Access Denied")
     (http
       (code "403")
       (contact)
       (details)
       (format <

*********OUR HTML CONTENT GOES HERE*********

<-/HTML->
 --2281cba6.a097c--
         )
         (help)
         (summary)
       )
     )
   )
 (exception.content_filter_unavailable
     (contact)
     (details "Your request was denied because an external content filtering service was not available.")
     (format)
     (help "This could be caused by transient network problems, or a configuration error.")
     (summary "Access Denied")
     (http
       (code "403")
       (contact)
       (details)
       (format)
       (help)
       (summary)
     )
   )

As I am modifying splash pages all the time, I thought now would be a good time to add a new feature to them – color gradient. I built this out of necessity, as the corporate communications team wanted any notifications to users to follow a certain flow, and use certain colors, etc. I am sure other companies are doing this too, so wanted to share in case they might help someone in need. Here is what the new splash looks like. This one is specific to the FireEye block, though, because I found that the $cs-categories variable was not able to show anything for FireEye because they use the “define condition” vs “define category” in the syntax they provide to BlueCoat via the Central Policy file. But the way I figure, its not a huge deal if it is hard coded, as there are only 2 things FireEye is blocking on and they are both malicious, so I added them both.

If you want to use this on your site, just view the source code from the page in the link above, and copy/paste/whatever you like – make it your own. Post back to me with a splash page you have created if you dont mind. I am always excited to see what others are doing!

Thanks again all!