01-16-2022 05:06 AM
Hey guys,
I have been going through Cisco WSA and had a few questions, and would love to get your insight on these.
I do understand these questions are a bit detailed, but would really appreciate your insight on these.
01-16-2022 06:35 AM
BB - Logs are stored in the WSA; for now you can view them via the Log Subscriptions, or at command level `grep` option 1 will give you real-time logs.
BB - follow the guide below to add WSA to SMA:
BB - the configuration guide will help you:
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_12-0/user_guide/b_WSA_UserGuide_12_0.html
BB - not sure we understand your question here.
BB - for many reasons, you may use SGT
01-18-2022 03:08 AM
Hello Balaji,
Thank you for the response. This helped a lot
01-16-2022 09:18 AM
1. Logs are available via the GUI under System Administration/Log Subscriptions. You have to enable FTP on the WSA so that you can get to them from there. You can also see the logs in the CLI; I usually use grep…
2. Integration with SMA: on the SMA, under Centralized Services/Security Appliance you add your devices. Under Centralized Services/Centralized Configuration Manager, you enable centralized configuration. On the Web tab, under Utilities/Security Services Display, you enable the services you're actually using on the WSA for each version you may have (it's picky). On Utilities/Configuration Masters, you initialize the various config masters you need. Once that's lined up, the Configuration Master <version> pages have the policy configurations. Set your policies as normal, then push them to the WSAs using Utilities/Publish to Web Appliances.
3. L4 monitoring requires you to span a switch port so the WSA's L4TM port sees all traffic headed to/from the internet. It's sort of like an IPS… stuff it doesn't like, it will reset the connection.
4. When you have users that connect to your network via AnyConnect, and their traffic back out to the internet gets put through the WSA, the WSA doesn't get their login the same way (see next question). With AnyConnect Secure Mobility, the firewall is sending the login info to your WSA so the WSA can tie username to IP.
5. The link to Cisco ISE, or ISE-PIC, is for passive identification of users. When a user logs into the network via ISE/802.1x, or into Windows, with ISE pxGrid/Passive Identity, ISE will grab the user/IP info and feed it to the WSA. This is useful specifically when you think of Windows users and you require authenticated connections through the WSA. Users log in to their machine, they open a cloud-based app that doesn't do authentication in its web requests, and it will fail. We see this with some of our engineering apps where the license is cloud based, but the connection can't handle an authentication request. We also saw this with content in email that used web pieces; it wouldn't fill in until the user had opened a browser and gone to an internet site so the WSA could authenticate them. With ISE/ISE-PIC, ISE grabs the login event from the domain controllers and tells the WSA "userx logged in from 10.10.10.10", so now that user is considered authenticated by the WSA and things work as expected... (in the past WSA used to do this with the CDA VM, but that is EOL or very close to EOL).
01-18-2022 03:11 AM
Hello Ken,
Thank you for your response, this has helped a lot.
I had one more question regarding WCCPv2 mode: I wanted to know where I need to configure WCCP redirection, on my core switch or on my internet firewall?
01-18-2022 03:50 AM
01-18-2022 04:02 AM
Thanks Ken.
I do have one more question and would love your insight on that too: which mode should one opt for?
I have seen quite a few banks opting for explicit mode, but going through the documents WCCP seems a bit more convenient an option.
I need to implement WSA in a bank and around 150-200 users will be allowed to access/use the internet (not all users), so which option should I opt for?
Can you lay out some pros and cons for both?
TIA
01-18-2022 06:53 AM
WCCP was not a great experience for me (personally); I would use explicit mode or any L4 traffic redirector.
S195 should be able to help you:
https://www.cisco.com/c/en_uk/products/security/web-security-appliance/index.html#~models
If that is a small user base, I would consider a VM as an option to start off; if there is any issue you can still migrate to an appliance.
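Explicit mode means every client has to be told where the proxy is, normally through a proxy auto-config (PAC) script that the browser evaluates for each URL. The script below is an added example, not code from this thread or from Cisco: a minimal PAC for an explicit-mode WSA, with stand-ins for the helper functions a browser's PAC engine normally provides so it can be exercised under Node. The proxy name wsa.corp.example, the port 3128 and the internal domain corp.example are assumptions.

```javascript
"use strict";
// Added example: a PAC script for an explicit-mode web proxy deployment.
// wsa.corp.example, port 3128 and corp.example are assumed values, not from the thread.

// Minimal stand-ins for the PAC helper functions a browser supplies. They exist only so
// this file runs under Node; a browser ignores them and uses its own implementations.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null if it is not one.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

// isInNet without DNS: only address literals can match, so a hostname never
// accidentally falls into the bypass list.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

const PROXY = "PROXY wsa.corp.example:3128"; // assumed WSA address and proxy port

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet traffic bypasses the proxy: bare hostnames, the internal domain,
  // and RFC 1918 address literals.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the WSA. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable the browser fails closed rather than silently
  // bypassing the web policy.
  return PROXY;
}

// Exercise the script with constructed requests.
for (const [url, host] of [
  ["http://intranet/", "intranet"],
  ["http://wiki.corp.example/page", "wiki.corp.example"],
  ["http://10.20.30.40/app", "10.20.30.40"],
  ["https://www.example.com/", "www.example.com"],
]) {
  console.log(host, "=>", FindProxyForURL(url, host));
}
```

The trade-off the thread is circling: a PAC only governs clients that honour proxy settings, so anything that ignores them (or a user who removes the setting) is exactly what an L4 traffic monitor or transparent redirection such as WCCP is there to catch. Keeping the bypass list to address literals and your own domain, and omitting the DIRECT fallback, keeps the explicit design from quietly widening over time.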
01-31-2022 09:37 PM
Hello Balaji,
Your last response cleared things up for me.
Right now the appliance is configured but still in the testing phase, so I came across the HTTPS proxy and I wanted to know how it is better, or what it does that is different than the access policy in explicit mode. (Right now I am using WSA in explicit mode.)
01-31-2022 11:54 PM
Here is the packet flow explained well:
02-01-2022 02:19 AM - edited 02-01-2022 02:24 AM
The Access Policy cannot process HTTP headers, body content or the full URL if the traffic is TLS encrypted (i.e. HTTPS); that info is simply not available. It will have to base its decisions only on the domain name (from the certificate or SNI) and the reputation for that. Also, no anti-malware scanning will take place.
If you enable the HTTPS proxy you have the option to decrypt TLS-based traffic, and the Decryption Policy will be used for HTTPS traffic instead. Traffic that is decrypted in the Decryption Policy will be sent into the Access Policy for further processing. The other options (instead of decrypting) are to drop the traffic or to allow it without decryption; in both of these cases the traffic will not be processed by the Access Policy.
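To make the point above concrete, here is an added example (not code from the thread or from the WSA) of what a proxy can actually read from an HTTPS connection before any decryption: it builds a constructed TLS ClientHello, pulls the server name out of the SNI extension, and applies the three Decryption Policy outcomes the post names (decrypt, pass through undecrypted, drop) using only that name. The rule set, the host names and the use of SNI alone (a real decryption policy can also consult the server certificate) are assumptions for illustration.

```javascript
"use strict";
// Added example: what a proxy sees in HTTPS traffic before decryption.
// All records here are constructed in code, not captured from a WSA.

// Big-endian 16- and 24-bit length fields used throughout the TLS encoding.
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { return Buffer.from([(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]); }

// Build a TLS ClientHello (record layer + handshake) whose server_name extension
// names `host`. Random, cipher suites and the supported_versions extension are filler.
function buildClientHello(host) {
  const hostBytes = Buffer.from(host, "ascii");
  const sniEntry = Buffer.concat([Buffer.from([0x00]), u16(hostBytes.length), hostBytes]); // name_type = host_name
  const sniExt = Buffer.concat([u16(0x0000), u16(sniEntry.length + 2), u16(sniEntry.length), sniEntry]);
  const versionsExt = Buffer.concat([u16(0x002b), u16(3), Buffer.from([0x02, 0x03, 0x04])]); // supported_versions
  const extensions = Buffer.concat([versionsExt, sniExt]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                      // legacy_version = TLS 1.2
    Buffer.alloc(32, 0x42),                         // 32-byte random (constructed)
    Buffer.from([0x00]),                            // session_id length 0
    u16(4), Buffer.from([0x13, 0x01, 0x13, 0x02]),  // two cipher suites
    Buffer.from([0x01, 0x00]),                      // compression_methods: null only
    u16(extensions.length), extensions,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);       // client_hello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]); // handshake record
}

// Return the host_name carried in the SNI extension of a ClientHello, or null when the
// bytes are not a TLS handshake record with one. Every length is bounds-checked so a
// truncated record or a plaintext HTTP request returns null instead of throwing.
function extractSni(buf) {
  if (buf.length < 9 || buf[0] !== 0x16 || buf[5] !== 0x01) return null;
  const end = Math.min(buf.length, 5 + buf.readUInt16BE(3));
  let p = 9 + 2 + 32;                                  // record hdr, handshake hdr, version, random
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                     // session_id
  if (p + 2 > end) return null;
  p += 2 + buf.readUInt16BE(p);                        // cipher_suites
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                     // compression_methods
  if (p + 2 > end) return null;
  const extEnd = Math.min(end, p + 2 + buf.readUInt16BE(p));
  p += 2;
  while (p + 4 <= extEnd) {
    const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
    p += 4;
    if (type === 0x0000) {                             // server_name: list_len(2) name_type(1) name_len(2) name
      if (p + 5 > extEnd || buf[p + 2] !== 0x00) return null;
      const nameLen = buf.readUInt16BE(p + 3);
      if (p + 5 + nameLen > extEnd) return null;
      return buf.toString("ascii", p + 5, p + 5 + nameLen);
    }
    p += len;
  }
  return null;
}

// Model of the three Decryption Policy outcomes from the post. The only input available
// at this stage is the server name; URL path, headers and body are inside the TLS session.
function decryptionDecision(record, rules) {
  const sni = extractSni(record);
  if (sni === null) return { serverName: null, action: "no-sni" }; // not TLS or no SNI: nothing to match on
  for (const [domain, action] of Object.entries(rules)) {
    if (sni === domain || sni.endsWith("." + domain)) return { serverName: sni, action };
  }
  return { serverName: sni, action: "decrypt" };       // default: decrypt and hand to the Access Policy
}

// Constructed rules: leave banking sessions undecrypted, drop a placeholder bad domain.
const RULES = { "bank.example": "pass-through", "malware.test": "drop" };

for (const host of ["www.example.com", "login.bank.example", "cdn.malware.test"]) {
  console.log(host, decryptionDecision(buildClientHello(host), RULES));
}
console.log("plaintext HTTP:", decryptionDecision(Buffer.from("GET /index.html HTTP/1.1\r\n"), RULES));
```

Note what is absent from the parsed input: the record has no path, no headers and no body to inspect, which is why a domain-only decision and no anti-malware scanning is all that is possible until the Decryption Policy chooses "decrypt" and the cleartext reaches the Access Policy.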
01-18-2022 07:46 AM
01-27-2022 12:36 AM - edited 02-02-2022 10:22 PM
Cisco WSA is an all-in-one highly secure web gateway that brings you strong protection, complete control, and investment value. It also offers an array of competitive web security deployment options, each of which includes Cisco's market-leading global threat intelligence infrastructure.