DATA SHEET

McAfee Web Gateway

Security. Connected Intelligence. Performance.

Organizations can do more over the web today than ever before. Today’s web offers a McAfee Web Gateway
dynamic, real-time user experience. However, the web has also become a more dangerous
Available in multiple hardware
place, with increasingly sophisticated attacks released every day. McAfee® Web Gateway
■■

models and as a virtual machine

is a critical defense for any organization to protect against emerging malware threats. It supporting VMware and Microsoft
Hyper-V
empowers organizations with secure internet access while greatly reducing risk through an ■■
Integrated with complementary
advanced security approach that combines powerful, local intent analysis with cloud-based McAfee solutions including
protection powered by McAfee Labs. McAfee Endpoint Security, McAfee
Advanced Threat Defense, and
McAfee Threat Intelligence
As internet use and sophistication increases, so does Comprehensive Inbound and Outbound Exchange
the need for advanced web security. Even seemingly Protection ■■
Common criteria EAL2+ and FIPS
“safe” sites can be targeted for malware distribution. 140-2 Level 2 certified
McAfee Web Gateway delivers comprehensive security
In today’s world, simply blocking known viruses or ■■
Support for multiple cryptographic
for all aspects of web traffic in one high-performance
key storage options, including
restricting access to known bad websites is not enough. appliance software architecture. For user-initiated Gemalto SafeNet Hardware
Reactive techniques, such as signature-based antivirus web requests, McAfee Web Gateway first enforces an Security Module (HSM), Thales
and category-only URL filtering—while necessary—are organization’s internet use policy. For all allowed traffic, nShield HSM, and Thales PCIe
insufficient to protect access to cloud applications or it then uses local and global techniques to analyze the cards
combat today’s exploits. nature and intent of all content and active code entering ■■
Rated number one anti-malware in
the network via the requested web pages, providing a secure web gateway (AV-TEST)
Since these solutions focus on known content and
malicious objects or executables, they can’t prevent immediate protection against malware and other hidden
today’s attacks that hide malicious code within threats. And, unlike basic packet inspection techniques,
seemingly trustworthy HTTP or HTTPS traffic or provide McAfee Web Gateway can examine secure sockets
protection against unknown or emerging threats. layer (SSL) traffic to provide in-depth protection against
malicious code or control applications that have been Connect With Us
The ability to enable secure, granular access to cloud
applications while proactively blocking unknown as well hidden through encryption.
as known threats is crucial.

1 McAfee Web Gateway

 DATA SHEET

Inbound protection also mitigates risks for organizations We combine this analysis with McAfee antivirus and
hosting websites that accept data or document uploads global reputation technologies from McAfee Labs to
from external sources. In reverse-proxy mode, McAfee quickly block known malware and malicious sites. Use
Web Gateway scans all content before it is uploaded, of multiple technologies enables McAfee Web Gateway
securing both the server and the content. to provide greater protection while optimizing security
on a single platform with different, yet complementary,
To secure outbound traffic, McAfee Web Gateway
technologies—something many organizations demand
uses industry-leading McAfee Data Loss Prevention
for their layered defense security approaches.
technology to scan user-generated content on all key
web protocols, including HTTP, HTTPS, and FTP. It ■■ McAfee antivirus with real-time McAfee Global
also protects against loss of confidential, sensitive, or Threat Intelligence (McAfee GTI) file reputation:
regulated information leaking from the organization Cloud-based McAfee GTI file reputation look-up closes
through social networking sites, blogs, wikis, or online the gap between virus discovery and system update/
productivity tools such as web-based mail, organizers, protection.
and calendars. McAfee Web Gateway further safeguards ■■ McAfee GTI web reputation and web
against unauthorized data leaving the organization categorization: McAfee Web Gateway delivers
through bot-infected machines attempting to phone web filtering functionality and protection through
home or transmit sensitive data. the powerful combination of both reputation and
McAfee Web Gateway Delivers the Industry’s category-based filtering. McAfee GTI creates a
Best Protection profile of all internet entities—websites, email, and
IP addresses—based on hundreds of different
As the number one-rated1 web security solution in
attributes gathered from the massive, global data
malware protection, McAfee Web Gateway uses a
collection capabilities of McAfee Labs. It then assigns
patented approach to signatureless intent analysis with
a reputation score based on the security risk posed,
the McAfee Gateway Anti-Malware Engine. Proactive
enabling administrators to apply very granular rules
intent analysis filters out previously unknown, or zero-
about what to permit or deny.
day malicious content from web traffic in real time. By
scanning a web page’s active content, emulating and
■■ Geolocation: McAfee Web Gateway features
understanding its behavior, and predicting its intent, geolocation, enabling geographic visibility and policy
McAfee Web Gateway prevents the delivery of zero-day management based on the web traffic and user’s
malware to endpoints, dramatically reducing the costs originating country.
associated with system cleanup and remediation.

2 McAfee Web Gateway

 DATA SHEET

For both web categorization and web reputation, response through efficient correction of compromised
organizations can choose between on-premises and systems. Through McAfee Threat Intelligence Exchange,
cloud lookups, or a combination of both. Cloud lookups McAfee solutions—including McAfee Web Gateway—
eliminate protection gaps between discovery/change share intelligence with each other to bridge these gaps.
and system updates, along with delivering broad McAfee Web Gateway delivers immense value in this
coverage through data on hundreds of millions of unique process by creating and sharing new file reputations
malware samples. for zero-day malware discovered by the Gateway
Anti-Malware engine, allowing, for example, endpoint
Advanced Threat Analysis integration
devices to be protected before a new .DAT is released.
McAfee Web Gateway integrates with McAfee Advanced Additionally, more threats are stopped by McAfee Web
Threat Defense—our advanced malware detection Gateway with expanded threat intelligence delivered
technology that combines customizable sandboxing with from McAfee Threat Intelligence Exchange.
in-depth static code analysis. McAfee Advanced Threat
Defense and the in-line scanning capabilities of the Insight and protection within encrypted traffic
Gateway Anti-Malware Engine in McAfee Web Gateway Sophisticated cybercriminals have turned to SSL
provide the strongest protection available for internet- traffic (HTTPS and HTTP/2) as a backdoor through
delivered threats. Organizations that want a lower cost, the enterprise security barrier. Ironically, a protocol
simplified advanced threat analysis option can integrate designed to provide security must also be assessed for
McAfee Cloud Threat Detection, a cloud-based sandbox risk. McAfee Web Gateway integrates malware detection,
with multiple additional threat analysis layers. SSL inspection, and certificate validation together for a
comprehensive approach to encrypted traffic inspection.
Threat Intelligence sharing
Today, many security tools exist in silos and are not built There’s no need for an additional investment in SSL
to share threat intelligence, despite the fact that key scanning hardware—McAfee Web Gateway performs
intelligence is available at the endpoint, network, security all of this in a single hardware or virtual appliance
information and event management (SIEM) solution, architecture. McAfee Web Gateway directly scans all SSL
gateway, and more. When shared, this intelligence traffic to ensure the complete security, integrity, and
can be utilized for better protection against threats, privacy of encrypted transactions.
detection of existing breaches, and improved incident

3 McAfee Web Gateway

 DATA SHEET

Organizations that want to take the initiative to go Protection for off-network users
deeper into their inspection of SSL traffic can offload As the workforce becomes more distributed and
the entire stream of unencrypted traffic or individual mobile, the need for web filtering and protection while
streams by policy through the SSL tap within McAfee seamlessly transitioning from the office to the road
Web Gateway. This software-enabled feature allows becomes increasingly important. McAfee Client Proxy,
a full or partial mirror of decrypted SSL traffic to be a tamper-resistant client agent, enables roaming users
sent to additional security solutions such as intrusion to seamlessly authenticate and redirect to either
prevention systems (IPS) or network-based data loss an on-premises McAfee Web Gateway located in a
prevention (DLP) solutions. demilitarized zone (DMZ) or the McAfee Web Gateway
Data loss prevention Cloud Service. This enables internet access policy
enforcement and full security scanning to be applied to
McAfee Web Gateway protects organizations from
roaming or remotely located users, even if their internet
outbound threats—such as leakage of confidential
access is via a public portal, such as at a coffee shop,
information—by scanning outbound content over all key
hotel, or other Wi-Fi hotspot.
web protocols, including SSL. This makes it a powerful
tool for preventing intellectual property loss, ensuring McAfee Web Gateway also allows enterprises to extend
and documenting regulatory compliance, and providing and enforce their security policies on mobile devices by
forensic data in the event of a breach. Leveraging the directing web traffic to McAfee Web Gateway. Through
power of the McAfee Data Loss Prevention solution set, our partnerships with mobile device management
McAfee Web Gateway includes built-in, predefined DLP providers AirWatch and MobileIron, McAfee Web
dictionaries and enables custom dictionaries to be created Gateway ensures that Apple iOS and Google Android
through keyword matching and/or regular expressions. mobile devices are secured with advanced anti-malware
protection and corporate web filtering policies.
For organizations that utilize cloud-based storage, built-
in file encryption protects data that is uploaded to file
sharing/collaboration sites against unauthorized access.
Users cannot retrieve and view the data without going
through McAfee Web Gateway.

4 McAfee Web Gateway

 DATA SHEET

Ultimate Flexibility with McAfee Web Gateway McAfee Web Gateway authentication engine allows
McAfee Web Gateway features a powerful, rules-based administrators to implement flexible rules, including
engine for policy flexibility and control. To streamline the use of multiple authentication methods. For
policy creation, McAfee Web Gateway offers an extensive example, McAfee Web Gateway can try to transparently
prebuilt rules library with common policy actions. authenticate a user and, based on the result, prompt the
Organizations can pick and choose various rules, easily user for credentials, use another authentication method,
modify these rules, and share their own rules through apply a restrictive policy, or simply deny access.
our online community. For advanced administration, a McAfee Web Gateway Identity, an optional add-on,
unique combination of context-based rule criteria and includes single sign-on (SSO) connectors for hundreds
shared lists opens the door to unlimited possibilities of popular cloud-based applications. McAfee Web
for problem solving and web security optimization. Gateway Identity provides the ability to improve security
Interactive rules tracing simplifies rules debugging. and reduce password-related help desk calls using an
McAfee Web Gateway extends control to cloud SSO launch pad where users can access authorized
applications, enabling granular, proxy-based control over cloud applications with one click. Support for both
how web applications are used. Organizations can apply HTTP power-on self-test (POST) and security assertion
thousands of controls to cloud applications, enabling markup language (SAML) connectors provide coverage
or disabling specific functionality as needed, controlling for a wide range of applications. Provisioning connectors
who uses a web application and how it is used. Do you enable system administrators to create and terminate
want to enable access to Dropbox but not allow uploads? user accounts on select Software-as-a-Service (SaaS)
No problem. applications.

Flexibility and control also extend to user authentication McAfee Web Gateway extends access control to
and access. McAfee Web Gateway supports streaming content through native streaming proxy
numerous authentication methods, including NT LAN support as well, providing bandwidth savings and
manager (NTLM), remote authentication dial in user reduced latency. Additional bandwidth controls can be
service (RADIUS), Active Directory (AD)/lightweight set to enforce minimums, maximums, and prioritization
directory access protocol (LDAP), eDirectory, cookie for defined classes of traffic, allowing organizations to
authentication, Kerberos, or a local user database. The optimize use of their available bandwidth.

5 McAfee Web Gateway

 DATA SHEET

Agile Infrastructure and Performance with With support for numerous integration standards,
McAfee Web Gateway McAfee Web Gateway is designed to work in your unique
McAfee Web Gateway is a high-performance, enterprise- environment. From the web cache communication protocol
grade proxy offered in a scalable family of appliance (WCCP), internet content adaptation protocol (ICAP/ICAPS),
models with integrated high availability, virtualization and WebSocket protocol to the socket secure (SOCKS)
options, and hybrid deployment with McAfee Web protocol, McAfee Web Gateway efficiently communicates
Gateway Cloud Service. McAfee Web Gateway delivers with other network devices and security appliances.
deployment flexibility and performance, along with the Additionally, McAfee Web Gateway offers IPv6 support,
scalability to support hundreds of thousands of users in helping larger organizations and federal institutions
a single environment. comply with regulations. McAfee Web Gateway
You can mix deployment options as well. For example, bridges the gap between internal IPv4 and external
you can route all web traffic to the on-premises appliance IPv6 networks and applies all available security and
for on-network users, and route all off-network users infrastructure features and functions to the traffic.
to the cloud service, dramatically reducing the cost of Unified Platform for the Future
backhauling traffic over multiprotocol label switching
McAfee Web Gateway combines and integrates
(MPLS) lines or virtual private network (VPN). Automated
numerous protections that would otherwise require
policy synchronization and reporting for hybrid on-
multiple standalone products. URL filtering, antivirus,
premises and cloud deployments help streamline
zero-day anti-malware, SSL scanning, data loss
management, ensure consistent policy enforcement, and
prevention, and central management—all are unified
simplify reporting, tracking, and investigation.
in one appliance software architecture. Managing
McAfee Web Gateway offers numerous implementation deployments is unified across all form factors, so one
options—from explicit proxy to transparent bridge and policy can be extended to on-premises appliances,
router modes—to ensure that your network architecture clusters of appliances, virtual appliances, and the cloud
is supported. service all from one single management console.

6 McAfee Web Gateway

 DATA SHEET

Security Risk Management and Reporting Licensing

The popular and respected security management For the ultimate in deployment flexibility and to help
technology, McAfee ePolicy Orchestrator® (McAfee future-proof your investment, McAfee offers all features
ePO™) software, is supported by McAfee Web Gateway of the McAfee Web Gateway and McAfee Web Gateway
as a single source for all security reporting. Cloud Service in a single suite: McAfee Web Protection.
Deploy on premises, in the cloud, or both for added
McAfee ePO software delivers detailed web security
flexibility and high availability—the choice is yours. You’ll
reporting through the McAfee Content Security Reporter
find award-winning McAfee anti-malware protection and
extension. McAfee Content Security Reporter gives you
comprehensive web filtering with either option.
information and forensic tools to understand how your
organization is using the web, comply with regulations, McAfee Web Gateway hardware is sold separately.
identify trends, isolate problems, and tailor your filtering
settings to enforce your web security policies. McAfee
Content Security Reporter offers an external, stand-
alone reporting server designed to offload resource-
intensive data processing and storage from the existing
McAfee ePO server, enabling it to scale to meet the
reporting needs of even the largest global organizations.

1. I n tests conducted by AV-TEST, McAfee Web Gateway detected 94.5% of

zero-day malware, 99.8% of malicious Windows 32 portable executable
(PE) files, and 98.63% of non-PE files. “McAfee Web Gateway Security
Appliance Test,” AV-TEST GmbH.

2821 Mission College Boulevard McAfee and the McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in
Santa Clara, CA 95054 the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC. 4174_1118
888 847 8766 NOVEMBER 2018
www.mcafee.com

7 McAfee Web Gateway