URL Filtering

ivana.bagaric1
Level 1

Hi Support Team,

We would like to set up URL Filtering on ESA-C370. When I tried to enable URL Filtering I got the message:

Cisco Web Security Services connection status: Connection could not be established due to Authentication failure. Please check client cerificate.

We have the ESA Inbound Essentials SW Bundle licenses (AS+AV+OF).

To enable this feature, do we need only OF licenses or a license for Web Security Essentials (with OF)?

Thank you.

Best regards

6 Replies

exMSW4319
Level 3

I'm not an expert on the feature, but it sounds as if your ESA can't get out of your network to query URLs with Cisco. You might want to check the network requirements. A proxy doing SSL interception might require that your ESA trust its certificate. I'm not sure if that's possible, but see what else you already have working under Security Services, Service Updates.

Libin Varghese
Cisco Employee

Hi Ivana,

You could try confirming if you are able to telnet to the cloud server using the below command:

"telnet v2.sds.cisco.com 443"

You could turn off verification of client certification using the command "websecurityadvancedconfig" and ensure the configuration is per recommendation; however, I would suggest enabling and committing changes to check if the error is a temporary network issue.

(Machine Cisco.Lab> websecurityadvancedconfig

Enter URL lookup timeout (includes any DNS lookup time) in seconds:
[15]>

Enter the URL cache size (no. of URLs):
[810000]>

Do you want to disable DNS lookups? [N]>

Enter the maximum number of URLs that should be scanned:
[100]>

Enter the Web security service hostname:
[v2.sds.cisco.com]>

Enter the threshold value for outstanding requests:
[5]>

Do you want to verify server certificate? [Y]>

Enter the default time-to-live value (seconds):
[30]>

Do you want to rewrite all URLs with secure proxy URLs? [Y]>

Do you want to include additional headers? [N]>

Enter the default debug log level for RPC server:
[Info]>

Enter the default debug log level for URL cache:
[Info]>

Enter the default debug log level for HTTP client:
[Info]>

Thank You!

Libin Varghese
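
A staged check that separates the causes raised in the replies above (name resolution, a blocked port 443, or a certificate chain that fails verification, for example behind an SSL-intercepting proxy), as an added example that is not part of the original thread or of Cisco's tooling. It assumes it is run from a host on the same network path as the ESA and uses that host's trust store, not the appliance's; `probe_tls` is a hypothetical helper name.

```python
import socket
import ssl


def probe_tls(host, port=443, timeout=5.0, cafile=None):
    """Return (stage, detail): which step of reaching host:port failed, if any."""
    # Stage 1: name resolution for the service hostname.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failed", str(exc)
    # Stage 2: plain TCP connect, the same thing "telnet host 443" tests.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_failed", str(exc)
    # Stage 3: TLS handshake with chain and hostname verification left on.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return "ok", issuer.get("organizationName") or issuer.get("commonName", "")
    except ssl.SSLCertVerificationError as exc:
        # Typical when a proxy re-signs traffic with a CA this trust store lacks.
        return "cert_verify_failed", exc.verify_message
    except OSError as exc:  # includes ssl.SSLError, resets and timeouts
        return "tls_handshake_failed", str(exc)


if __name__ == "__main__":
    # Hostname taken from the websecurityadvancedconfig output in the thread.
    print(probe_tls("v2.sds.cisco.com"))
```

A `cert_verify_failed` result with a message such as "unable to get local issuer certificate" means the chain presented on this path is not trusted by the probing host, which is what an intercepting proxy with a private CA produces.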

Hello,

Thank you very much for your help. I turned off verification of the server certificate using the command "websecurityadvancedconfig":

Do you want to verify server certificate? [Y]> N

Now, everything works fine.

Best regards,

   Ivana

Sriram Subramanian
Cisco Employee

Hello,

Sometimes when you first enable the URL Filtering service under Security Services, Cisco Web Security Services connection status could fail, but if you refresh the page, the service should auto connect.

You can find the URL Filtering Best Practice Guide here:

URL Defense Guide (cisco.com)


@Sriram Subramanian wrote:

Hello,

Sometimes when you first enable the URL Filtering service under Security Services, Cisco Web Security Services connection status could fail, but if you refresh the page, the service should auto connect.

 


Yup, wow, that's all it was, after I refreshed the page by clicking on a different menu item then coming back to Security Services / URL Filtering, the Cisco Web Security Services connection status: showed Connected

Greg Muszynski
Level 1

After refreshing the page a few times the error goes away and it's all good now, it just took a while. I found the answer on this forum, thank you forum.