Nice ! If you get time can you please add a basic list/table of contents using time markers simiar to our existing videos? You can look at some of the existing videos to get an idea. Let me know if you have any questions! It is slightly blurry but I can make it out , if this is a major issue for others we can see about fixing it using the conversion process.
... View more
This Video demonstrates the ability to reply to secured messages and including attachments.
Total Runing time 2:12
00:00 - 00:22 Intro
00:23 --00:57 How to reply
00:58 --01:50 Adding an attachment
01:51 --02:12 Closing
Orginal Author: Jacob Sales
... View more
This video describes common third party errors.
Total Run time 2:00 Minutes
00:00 - 00:29 -- Intro
00:30 - 00:46 -- Normal message example
00:47 - 01:09 -- Winmail.dat error
01:10 - 01:31 -- Can not create file error
01:32 - 01:50 -- Support Contact info
01:51 --2:00 -- Closing
Original Author: Jacob Sales
Copyright Cisco System LLC
... View more
Greetings Steven, I am sorry to hear you are having difficulty. This can be a very frustrating experience for not only the sender but the recipient as well. If you own one of our Email Security appliances I would recommend you open a ticket with us so that we can have our Case Operations Group further investigate the IP address in question. This would likely allow us to determine a root cause as to why the IP address is being scored as it is. Because of the nature of our reputation filtering we do not currently utlize any specific global blacklist. While on occasion specifc black lists will mirror a the results found via reputation scoring that is not common. If you do not own an Email Security Appliance but are having issues sending email to someone who does, then we recommend you contact the recipient that owns the Email Security Appliance so that they can proceed in opening a ticket with us. Again this will allow us to escalate the issue to the COG team for further analysis. On the surface it appears this is a somewhat New IP address , the first reported traffic we saw from this IP was on 2013-01-02 while it is rated as poor the volume has been somewhat low. SBRS is a rating of magnitude so if an IP has a poor score for any reason , the more "clean" or "positive" traffic that is allowed to flow from that IP the faster the score will move out of negative territory. The COG team would be able to assess this in greater detail and provide a more detailed explination of how reputation scoring works and how it applies to this specific address. Additionally if there is an error related to this score they can assist with this process as well. Christopher C Smith CSE CSCM PM
... View more
With Juan Ramos Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to configure, troubleshoot, and optimize the Cisco Web Security Appliance (WSA) with Cisco technical support expert Juan Daniel Ramos. The Web Security Appliance easily extends web security to include Anti-Virus, Web Reputation, and Blacklists to reveal hidden security threats on the Internet. Juan Ramos is a senior engineer for the Cisco Web Content Security Team in Research Triangle Park, North Carolina. He has worked as a network security expert both as a customer support engineer and as a liaison between the Cisco Technical Assistance Center and the entities responsible for creating the products used in customer networks. His recent achievements include leading training sessions for new hires and covering web content security on a 24-hour basis during the 2012 London Olympics. Remember to use the rating system to let Juan know if you have received an adequate response to your technical support question. Juan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through December 7, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members. Uncategorized URLs Many service requests are submitted to my team for web sites that do not fall into any predefined category on the Web Security Appliance (WSA). If you need to add your web site to our database, please consider the submission page found at: https://securityhub.cisco.com/web/submited_urls Select the tab entitled 'Lookup or Submit URLs' Enter the URL or URLs in separate lines in the text box Select the radio button entitlted 'ASync OS versions 7.5 and newer, including mixed environments' Press the LOOKUP button If the site does not fall into any particular URL category, select the domain using the checkbox, and select the best category for it under the 'Choose V2 Category' pulldown menu. Hit the Submit key and this creates a request to my Web Categories team to integrate this request to our database. You can also use this page to check the status of your submission after 24 hours. NOTE: The WSA no longer supports the feature entitled 'IronPort URL Filter'; we have since transitioned to the Web Usage Controls feature. Hi Juan, What tips do you have for creating packet captures? I am interesting in knowing how to do this. Thanks a lot, - Lisa Thanks for your question Lisa, If you are logged into the WSA Graphical User Interface, in the upper right hand corner you will see the menu for Support and Help mouse over that section and there will be an option for Packet Capture You will need to select the Edit Settings button to customize the type of capture you will take. I typically select the radio button to run the capture until we reach the 200 MB max file size. I select the M1 interface and [if applicable] the P1/P2 interfaces for capture. T1/T2 interfaces are only selected when I want to troubleshoot Cisco Layer 4 Traffic Monitor issues. I then select the Custom Filter option and define my capture settings. If you are familiar with tcpdump on UNIX then you will feel comfortable with the parameters needed to isolate traffic. I usually set up capture filters in this format host EnterClientIP or host EnterDestinationIP or udp port 53 Here is an example of a real capture filter: ------------------------------------------ host 10.1.1.1 or host 192.168.2.1 or host 172.16.4.4 or udp port 53 ------------------------------------------ In the above filter, I am isolating any traffic to or from three IP addresses and include any UDP traffic on port 53 (typically reserved for DNS). Submit and commit changes before starting the capture. The capture is saved in .pcap format and is easily read with free programs such as WireShark (www.wireshark.org). Packet captures help me all the time to isolate issues between the client-proxy and proxy-Internet sockets. With this information, I can then determine the source of customer symptoms such as Gateway Timeouts HTML Redirects failing Partially loading web pages DNS failures on the proxy I always run a simulatenous capture with Wireshark running on the client machine I am testing from to add more depth to my network troubleshooting. Thanks, Juan Hello Juan, I am trying to copy an XML file from one appliance to another properly, and I can't find the proper way to do it? can you describe how to do this? Thanks, Jorge Hi Jorge When I first imported an IronPort export, I created 2 identical IronPorts, name and IP included. So the 2nd time I ran the export, I opened it up in a txt editor, and changed any information specific to the proxy. E.g. server name, IP address. Hope that helps until Juan can help. Cheers Patrick Thanks for your question Jorge, My first thought would be how the configuration was backed up. If you save the configuration with the standard settings, it will save a configuration with the passwords masked which makes it unable to transfer to a replacement appliance. Instead, I prefer to navigate to: GUI -> System Administration -> Configuration File -> Download file to local computer to view or save Be sure to unmask passwords by unselecting the checkbox to make sure the saved file can be imported without error. If you mask passwords, it will replace the password and certificate sections with ***** and the import will fail with this message ------------------------------------------ Error — Configuration File was not loaded. File did not contain passwords. ------------------------------------------ The filename will look something like S660-Serial-Number-Date-Time.xml when complete ===========VERSIONS MUST MATCH=============================== Like Patrick noted earlier, the XML file is really plain text so you can open and read the file contents. In my sample file, the contents include this section ------------------------------------------ Product: IronPort S660 Web Security Appliance Model Number: S660 Version: 6.3.3-015 ------------------------------------------ The version of the backup file must match the version of the appliance you are importing this file to. In this example, if my first WSA is running 6.3.3-015, the second WSA must also run 6.3.3-015. Otherwise, some key configuration elmements may be lost and/or an error may occur. =====HARDWARE DIFFERENCES MAY REQUIRE SOME TWEAKING===== The Sx50 and Sx60 appliances were made with an additional port called M2 which was not used. The M2 interface is still referenced in the port_interface and ethernet_interface sections of the file. With this in mind, the Sx70 appliances [which do not have this interface] will produce import errors. One can simply remove the XML sections pertaining to the M2 interface (in those two sections) and the file should import without error. =====HARDWARE REPLACEMENT vs. COPY CONFIG===== If you are replacing one WSA for another or cloning the configuration to another network, the file should import without any modifications. If you are, however, adding another WSA to your existing network and want to copy the configuration then there are some tweaks needed. Step 1 - import the file and it should state that the import was successful Step 2 - DO NOT COMMIT THE CHANGES - Step 3 - Navigate to the Network --> Interfaces page and change the Layer 3 information and Fully Qualified Domain Name Step 4 - Navigate to the Network --> Transparent Redirection page and confirm that no adjustments are necessary Step 5 - Navigate to the Network --> Routes page and confirm that no adjustments are necessary Step 6 - Navigate to the Network --> Authentication page and change the Redirect Hostname Step 7 - Navigate to the Network --> DNS page and confirm that no adjustments are necessary Step 8 - Navigate to the Security Services --> HTTPS Proxy page and confirm that no adjustments are necessary for the certificate section Step 9 - Check the rest of the configuration to confirm all is well Step 10 - Commit Changes Step 11 - Save the file as this will be your new master configuration for this appliance =====WORST CASE SCENARIO===== There are rare cases when the configuration file errors with a message similar to: ------------------------------------------ Parse Error on element "euq_db_total_size" line number 1111 column 26 with value "153600": ISQ database size must be an integer from 0 to 143360 MB. ------------------------------------------ Errors like this may occur on customized configurations where the saved value exceeds the acceptable range defined by the import engine. If you open the file and navigate to line number 1111, you can try saving a copy of the configuration file with that line of configuration removed at your own risk. If the WSA does not find an entry in the configuration file you are importing, it will retain the previous (or default) setting for that configuration. =====FINAL THOUGHTS===== TAC engineers typically do not troubleshoot configuration files for customers because there are so many variables that can lead to a corrupt file. The M-Series appliances are specifically designed to push configuration changes to multiple WSA proxies so we trust these devices a lot more to make sure it is done right. I hope this helps, Juan Thanks for your prompt response, Juan. I appreciate it. I wonder how I can optimize the proxy performance. Do you have any tips or documentation for this? - Lisa No worries Lisa, Every deployment is different so I can only offer some things to consider. Not every tip here will apply to your configuration. ---------From the GUI------------------ Network --> DNS consider adding another DNS server address like 18.104.22.168 (GOOGLE) as a priority 2. If you have any sites that fail to resolve using your local DNS servers, the GOOGLE server may resolve the site's new IP address and proceed with the connection. This typically helps for sites that frequently change their IP addresses like those that are Akamai load-balanced. Network --> Authentication --> Edit Global Settings --> confirm redirect hostname is not a Fully Qualified domain name This is an often overlooked setting as the authentication redirection HTTP 401 or 407 response will include a link similar to http://ironport-hostname/BD00001blah/www.cisco.com It is imperative to your performance that the redirect hostname is just the hostname of the interface handling authentication and that your clients can resolve this hostname. ---------From the command line------------------ rangerequestdownload this command will enable support for client browsers that request a web resource like a video or file in sections (ex. first 900 bytes, then another 900 bytes, etc.). Specifically, the HTML GET request will include a header called Ranges: and will specify ranges such as 0-900 The WSA produces a warning for this command because the scanning engine expects to scan a file in its entirety before confirming that it is clean. If the file is split into different requests, there is the rare potential that a threat can be let through. Consider this if you believe your Host based anti-virus is up to date and ready to block any infected attachments. etherconfig --> media confirm that the interfaces are set to <1000baseTX full-duplex>. The M1 and P1/P2 interfaces are set to Autoselect by default but if the output shows FastEthernet or half-duplex, then we need to inspect the switchport or network cable. I believe autonegotiation is a requirement for using 1000BASE-T to use all four twisted wire pairs. etherconfig --> mtu consider lowering the MTU size under the default 1500 bytes (possibly between 1460-1480). If you have transparent redirection enabled with WCCP, there is some additional overhead added to create frames that are about 1514 bytes. In my experience, there are some non-Cisco network devices that have trouble with these jumbo frames due to the Do Not Fragment bit set. End-users experience latency and the interfaces may records discarded frames. advancedproxyconfig --> MISCELLANEOUS --> look for the option "Would you like proxy to perform dynamic adjustment of TCP receive window size?" and set the option to N In some rare cases, the WSA-Internet socket has a much faster data rate than the client-WSA socket. This can sometimes lead to poor performance due to TCP retransmissions and lost frames inside the packet capture. This setting change will shift the responsibility of managing the TCP sliding window to the client thereby forcing a more stable connection. ---------Baseline Now...Baseline Often------------------ As your network grows and users shift from text based web browsing to video, you will need to test data rates across each LAN segment or functional organization within your company. These baseline packet captures and speed tests can help you forecast networking budgets needs in the future to keep your end-users happy. I really do not recommend speed test web sites because they use non-standard methods like opening up 20 requests for the same non-object. Instead, please consider these file download links: http://tools.cisco.com/squish/3BC54 - downloads a 32 MB QuickTime installer file and http://tools.cisco.com/squish/F77B4 - downloads a 266 MB Microsoft installer file I use the QuickTime most often since both Microsoft and Apple have good bandwidth and if your network is slow then these files will definitely show it. The WSA does introduce a negligible delay, but typically the root cause of latency is seen from the addition or configuration change of a network device within the topology. Thanks, Juan System administration --> Log Subscriptions --> accesslogs under the Custom Fields section add %u to include the user agent string from now on. It will come in handy when you see GET requests to odd sites NOT coming from the end-user from their web browser. Applications such as Adobe Acrobat Updater, Trend Micro Antivirus, Java, and Microsoft Network Connectivity Status Indicator (NCSI) will make web requests but do not know how to authenticate and fail. The user agent string will help identify these issues. Hello Juan, I am tryng to troubleshoot a TCP packet issue. I would like to see the TCP handshake messages in the WSA, but I can't. Why doesn't my WSA packet capture show the full TCP handshake and other client sourced packets? Thank you. - John Thanks for your question John, I assume that your packet capture has a filter applied and that your deployment is Transparent (most likely via WCCP on an ASA firewall). If this is the case, then your packet capture would only show SYN+ACK instead of the full three-way handshake. This is per design because the traffic sourcing from the client is technically not coming from the M1/P1/P2 interfaces. When you have WCCP transparent redirection, the proxy creates a Service ID which must also be configured on the ASA firewall (for example) for WCCP. My best analogy would be like walkie-talkies needing to be on the same frequency/channel to communicate with your peer. With this in mind, a secure tunnel is created between the two and traffic coming out of the tunnel is encrypted. This encryption prevents the proxy from including this in a filtered capture because a tunnel interface is created and it is not selectable in the Packet Capture page. ---------Workaround--------- If you are able to capture within a few seconds to reproduce this issue, you may wish to consider applying NO FILTER to the capture and saving/running it. This will include the tunnel interface which will then show the full TCP handshake. The only problem this creates is that you will then have to filter the capture to isolate the traffic created just by your test machine and saving the trimmed capture in a new file. With Wireshark, you can find instructional videos online or the Wireshark user guide to best filter traffic. Hope this helps, Juan This document was generated from the following discussion: Ask the Expert: Best Practices for Configuring the Cisco Web Security Appliance (WSA)
... View more
Greetings Milen, I wanted to follow up with on this issue to see if it was resolved? You can always open a ticket directly from the forum post which will allow you to export all the information within the post directly into a ticket that will be assigned to a engineer. You can do this by going to the actions menu located in the upper right hand corner of the forums and select "Open Service Request for Thread" Addtiionally if you already have a ticket open related to this issue you can still open a ticket from the forum post and simply reference that ticket number. My hope is that your issue has already been resolved however I did want to post this information so that others are aware of this process. Christopher C Smith CSCM PM
... View more
This video explains the process of replacing a Cisco Email Security appliance that is part of a centralized management cluster. Specifics covered include removing the failed appliance from the existing centralized management cluster. Saving and exporting the configuration file from the failed appliance using the GUI. Importing/loading the configuration file to the new replacement appliance using the GUI. Using the CLI to check the status of connectivity of the new appliance to the existing centralized managment cluster. 00:00--00:20 Intro and description 00:21--00:40 Pre-requisits, Requirements 00:41--00:58 Using the version command to verify version on both appliances 00:59--01:16 Using the "Clusterconfig" command and "removemachine" commands 01:17--01:36 Save and export the configuration file from old appliance/ensure removal 01:37--02:37 Using the GUI to Save the configuration file from the OLD appliance. 02:38--04:11 Loading/Restoring the config file on the replacement appliance. 0412:--05:02 Adding the new replacement appliance to the existing CMS Cluster 05:03--05:50 Using the connstatus command to verify cluster connectivity. 05:51---6:06 Closing Notes: This video assumes that you have connectivity to the replacement applinace so that you may access the GUI. Original Authors: Donny Lee (APAC) Jerry Orona (SB-US)
... View more
Description: Cisco Cloud Web Security Portal Overview.
Run time: 9:17
02:15--04:21 Overview specifics and common settings.
04:22--08:08 Overview of interface and basic use.
08:09--09:09 Working with accounts.
... View more
Description: How to configure passive identity managment (PIM)
00:00--01:57 Overview and Prerequisites
01:58--02:55 Overview of PIM Configuration continued.
02:56--07:34 Example demo of configuring PIM
07:35--08:14 Testing the configuration.
... View more
Description: Cloud Web Security, How to configure a PAC (Proxy Auto Configuration) File.
08:19--08:37 Overview of the "IF" statement.
08:38--14:39 Detailed description of PAC file internals.
... View more
Description: Cisco Cloud Web Security, How to find the NetBIOS domain name.
Run time: 2:34
00:00-01:00 Overview , Explanation of NetBIOS domain names
01:00--01:17 Description of Method 1 to determine NetBIOS domain name.
01:18--01:32 Description of Method 2 to determine NetBIOS domain name.
01:33--02:05 Example of Method 1
02:06--02:30 Example of Method 2
... View more
Description: Cisco Cloud Web Security, How to host a PAC file in the cloud.
00:00--01:51 Overview and Description.
01:52--04:13 Overview, configuration examples
04:14--06:10 Testing, configuration and examples of loading PAC file.
06:11--07:44 Testing uploaded PAC file.
... View more