Questions asked during the Live Expert Webcast on July 22, 2014 with Cisco subject matter expert Kureli Sankar explaining how to integrate Cisco Cloud Web Security (CWS) with the Cisco Integrated Services Router Generation 2 (ISR G2). Additionally, attendees will learn how the ISR G2 works with Cisco CWS and the necessary steps required as well as things to take into consideration when deploying Cisco CWS with Cisco ISR G2.
You would need your own ScanCenter account, and then you can do the exact demo our expert Kureli is doing. Typically SEs get their own account, and the way to get an account is by sending a request as detailed in:
There are also NFR accounts for registered partners. The wiki page talks about how that is done.
Q: Is there any collaboration with Cisco PSIRT and scansafe virus detection?
A: Absolutely, our SIO and PSIRT teams monitor the process. When "Heartbleed" came into action we got the information at an early stage and were able to come up with fixes and patches. Yes, collaboration between both teams enables swift and prompt action.
Q: As soon as I enable content scan internet access becomes slow. How do I troubleshoot it?
A: We have come across a couple of cases describing the above-mentioned issue. Geographical identification of the primary and secondary towers is done by the ISR. Sometimes, while recording the locations, there can be a mismatched entry for the tower location; e.g., the ISR shows the primary tower in "Florida" geographically, but physically it may be connected to a tower somewhere in "California". Such a mismatched configuration results in slow internet access because an extra hop is added. The user needs to get in sync with the CWS team so that such a mismatch can be rectified and avoided.
Q: When I reboot the router the towers do not come back up. It takes a while and I have to remove and re-add the parameter-map.
A: This is a rare issue which occurs due to the Crypto ISN module used in the ISR G2 router. The issue is already resolved and patched in v15.4, which will be available very soon.
Q: I configured CWS but the towers always show down. How can I troubleshoot?
A: This is a very simple issue; it happens when the source interfaces on the ISR that reach the tower are misconfigured. The interface checks the tower's availability by sending an ICMP echo packet on port 80.
Q: Is there a free trial where I can test CWS for a certain number of days, weeks or months?
A: Yes, there is a 45-day evaluation license available for users. The user needs to reach out to the local Cisco account team for it.
Q: Is CWS compatible with ZBF? How about IOS-IPS?
A: Yes, CWS is compatible with ZBF and IOS IPS.
Q: Why do I get some other country’s/region home page when I use the CWS service?
A: If a user is in the US, ideally they should get the US Google or Yahoo page. You get a different page because the country might not support tower allocation, so the user unwillingly has to send traffic through another country. Countries which don't support it are China and the UAE.
Q: I am not able to access the intranet websites when CWS is turned on.
A: For this you need to add your "intranet" websites under "white list".
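One way to express such a whitelist on the ISR G2 itself, as an added example that is not from the webcast. It assumes the whitelist is configured on the router rather than in ScanCenter; the map name, ACL name, hostname and subnet are constructed placeholders.

```cisco-ios
! Added example: names, hostname and subnet below are placeholders.
! Regex map matching the Host header of intranet sites.
! An unescaped "." matches any character, so keep patterns specific.
parameter-map type regex intranet-hosts
 pattern intranet.example.com
!
! ACL matching traffic destined to internal address space.
ip access-list extended intranet-subnets
 permit ip any 10.0.0.0 0.255.255.255
!
! Traffic matching either rule bypasses redirection to the CWS towers.
content-scan whitelisting
 whitelist header host regex intranet-hosts
 whitelist acl name intranet-subnets
```

Keep the whitelist as narrow as possible: anything matched here is never scanned by CWS.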
Q: What’s the maximum number of concurrent sessions we support with the CWS solution?
A: Approximately 32000 concurrent sessions can be achieved.
Q: I have an existing proxy in my setup. Will the CWS solution work on top of it, or do I need any change in my existing network?
A: You would require a change in the setup, because once CWS receives the packets it transfers them towards the towers and changes the destination IP along with the port number (80,443 to 80). If you have a proxy, then the proxy will change the destination IP and will send data on 8080. So changes should be made on the ISR to read traffic coming from 8080 as well, else it will keep denying. The user would require a NAT device inside for the conversation.
Q: Does IPv6 support the CWS solution?
A: Currently IPv6 is not supported. The Product Management team is already working on it.