
Skyhigh Security Secure Web Gateway

Log collector

Skyhigh Security Secure Web Gateway (formerly McAfee Web Gateway) is a high-performance gateway with threat protection in one appliance.

You can integrate it with Sophos Central so that it sends data about web access requests to Sophos.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure Secure Web Gateway to send data to the log collector.

Note

A VM can host integrations for multiple products, but can't host more than one integration of the same product.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.
  3. Click Skyhigh Security Secure Web Gateway.

    If you've already set up connections to Secure Web Gateway, you see them here.

  4. In Integrations, click Add integration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps, you configure your VM to receive data from Secure Web Gateway. You can use an existing VM or create a new one.

To configure the VM, do as follows:

  1. Enter an integration name and description.
  2. Enter Virtual appliance name and Virtual appliance description.
  3. Select the virtual platform. Currently, we only support VMware.
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure Secure Web Gateway to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It might take a few minutes for the OVA file to be ready.

Deploy the VM

Restriction

The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Secure Web Gateway

You now configure Secure Web Gateway to send data from its access log to us, using syslog forwarding.

To configure Secure Web Gateway, do as follows:

  1. In Secure Web Gateway, add a rule that makes access log data available to the syslog daemon.
  2. Adapt the rsyslog.conf system file to let the daemon send data to a syslog server.

You must do this on every Secure Web Gateway that you want to send access log data from. You can also send other log data.

The data includes the date and time of a web access request, the user who sent the request, the requested URL, and other information.

You must send the data over TCP and in CEF format.

See About Sending access log data to a syslog server.
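
A pre-flight check for the two requirements above (TCP transport and CEF format), given as an added example that is not part of the Sophos or Skyhigh documentation. It parses legacy-syntax rsyslog forwarding actions, where `@host` means UDP and `@@host` means TCP, and tests a message for a CEF header. The configuration text, selector, addresses, port and log lines are constructed for illustration.

```python
import re

# Legacy rsyslog forwarding action: "selector @host:port" is UDP, "@@host:port" is TCP.
# An optional "(options)" group may follow the @ signs. IPv6 literals are not handled.
FORWARD = re.compile(r"^\s*(\S+)\s+(@@?)(?:\([^)]*\))?([^\s:@]+)(?::(\d+))?\s*$")

def forwarding_rules(conf_text):
    """Return (selector, protocol, host, port) for each forwarding action."""
    rules = []
    for line in conf_text.splitlines():
        m = FORWARD.match(line.split("#", 1)[0])  # ignore comments
        if m:
            selector, at, host, port = m.groups()
            proto = "tcp" if at == "@@" else "udp"
            rules.append((selector, proto, host, int(port or 514)))
    return rules

def check_collector(conf_text, collector):
    """List problems with forwarding to the log collector; empty means OK."""
    mine = [r for r in forwarding_rules(conf_text) if r[2] == collector]
    if not mine:
        return [f"no forwarding rule for {collector}"]
    return [f"{sel} -> {collector}:{port} uses UDP, TCP required"
            for sel, proto, _, port in mine if proto == "udp"]

def is_cef(message):
    """True if the message carries a CEF header: CEF:version plus 7 '|' fields."""
    start = message.find("CEF:")
    if start < 0:
        return False
    parts = re.split(r"(?<!\\)\|", message[start + 4:], maxsplit=7)
    return len(parts) == 8 and parts[0].isdigit()

# Constructed sample configuration: selector, addresses and port are assumptions.
SAMPLE_CONF = """\
*.info;mail.none /var/log/messages
daemon.info @192.0.2.10:514
daemon.info @@192.0.2.20:514
"""
# Constructed sample messages: one in CEF, one in a plain access-log layout.
SAMPLE_LINES = [
    "<30>Jan 10 12:00:00 swg01 accesslog: CEF:0|ExampleVendor|ExampleGateway|1.0"
    "|200|Proxy-Request|2|src=198.51.100.7 suser=alice request=http://example.com/",
    "<30>Jan 10 12:00:01 swg01 accesslog: 198.51.100.7 alice GET http://example.com/",
]

if __name__ == "__main__":
    print(check_collector(SAMPLE_CONF, "192.0.2.10"))
    print([is_cef(line) for line in SAMPLE_LINES])
```

Run it against a copy of the appliance's rsyslog.conf and a captured log line, passing the log collector address you noted when you configured the VM.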