Cisco WSA

Asfandyar70754
Level 1

Hey guys,

I have been going through Cisco WSA and have a few questions; I would love to get your insight on these:

  • Where can I find the logs for the transactions made by clients?
  • Can you please guide me on how to integrate/register my WSA with my Cisco Web Security Management Appliance?
  • L4 monitoring: how does it work, and where can I check it live?
  • Cisco AnyConnect: why do I need it in my WSA?
  • Why do I need to integrate my WSA with Cisco ISE?

I do understand these questions are a bit detailed, but I would really appreciate your insight on them.

12 Replies

balaji.bandi
Hall of Fame
  • Where can I find the logs for the transactions made by clients?

BB - Logs are stored in the WSA; for now you can view them under Log Subscriptions, or at command level use grep, where option 1 will give you real-time logs.

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010111.html
  • Can you please guide me on how to integrate/register my WSA with my Cisco Web Security Management Appliance?

BB - follow the guide below to add the WSA to the SMA:

https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma12-0/user_guide/b_SMA_Admin_Guide_12_0/b_SMA_Admin_Guide_12_0_chapter_010111.html
  • L4 monitoring: how does it work, and where can I check it live?

BB - the configuration guide will help you:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_12-0/user_guide/b_WSA_UserGuide_12_0.html

  • Cisco AnyConnect: why do I need it in my WSA?

BB - not sure we understand your question here.
  • Why do I need to integrate my WSA with Cisco ISE?

BB - for many reasons; you may use SGT.

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-741637.html
BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

Thank you for the response. This helped a lot.

1. Logs are available via the GUI under System Administration/Log Subscriptions. You have to enable FTP on the WSA so that you can get to them from there. You can also see the logs in the CLI; I usually use grep…

2. Integration with SMA: on the SMA, under Centralized Services/Security Appliances you add your devices. Under Centralized Services/Centralized Configuration Manager, you enable centralized configuration. On the Web tab, under Utilities/Security Services Display, you enable the services you're actually using on the WSA for each version you may have (it's picky). On Utilities/Configuration Masters, you initialize the various config masters you need. Once that's lined up, the Configuration Master <version> pages have the policy configurations. Set your policies as normal, then push them to the WSAs using Utilities/Publish to Web Appliances.

3. L4 monitoring requires you to SPAN a switch port so the WSA's L4TM port sees all traffic headed to/from the internet. It's sort of like an IPS… stuff it doesn't like, it will reset the connection.

4. When you have users that connect to your network via AnyConnect, and their traffic back out to the internet gets put through the WSA, the WSA doesn't get their login the same way (see next question). With AnyConnect Secure Mobility, the firewall is sending the login info to your WSA so the WSA can tie username to IP.

5. The link to Cisco ISE, or ISE-PIC, is for passive identification of users. When a user logs into the network via ISE/802.1x, or into Windows, with ISE pxGrid/Passive Identity, ISE will grab the user/IP info and feed it to the WSA. This is useful specifically when you think of Windows users when you require authenticated connections through the WSA. Users log in to their machine, they open a cloud-based app that doesn't do authentication in its web requests, and it will fail. We see this with some of our engineering apps where the license is cloud based, but the connection can't handle an authentication request. We also saw this with content in email that used web pieces; it wouldn't fill in until the user had opened a browser and gone to an internet site so the WSA could authenticate them. With ISE/ISE-PIC, ISE grabs the login event from the domain controllers and tells the WSA "userx logged in from 10.10.10.10", so now that user is considered authenticated by the WSA and things work as expected... (in the past the WSA used to do this with the CDA VM, but that is EOL or very close to EOL).
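Items 1 and 5 above are about reading the accesslog and spotting clients the proxy never identified. The Python below is an added example, not part of this thread and not a Cisco tool: it parses four constructed lines in the WSA default (squid-style) accesslog layout, summarises transactions per client IP, and flags blocked requests, decrypted HTTPS connections, transactions with no authenticated user, and 407 proxy-authentication challenges (the symptom item 5 describes when an application cannot answer the auth prompt). The field order, policy names, client addresses and verdict contents are assumptions made for illustration.

```python
import re
from collections import defaultdict
from typing import List

# Four constructed lines in the WSA default (squid-style) accesslog layout.  They are
# made up for this example, not copied from an appliance.  Field order is assumed as:
# timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user,
# hierarchy/upstream, MIME type, ACL decision tag, <scan verdicts>, suspect user agent.
SAMPLE_ACCESSLOG = r"""
1617269001.120 97 10.10.10.10 TCP_MISS/200 8187 GET http://intranet.example.com/ "CORP\userx" DIRECT/intranet.example.com text/html DEFAULT_CASE_11-AllowPolicy-AuthUsers-NONE-NONE-NONE-DefaultGroup <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -
1617269002.301 12 10.10.10.10 TCP_DENIED/403 0 GET http://gambling.example.net/ "CORP\userx" NONE/- - BLOCK_WEBCAT_11-BlockPolicy-AuthUsers-NONE-NONE-NONE-DefaultGroup <IW_gamb,3.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_gamb,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -
1617269003.477 210 10.10.10.11 TCP_MISS/200 0 CONNECT tcp://license.example.org:443/ - DIRECT/license.example.org - DECRYPT_WEBCAT_11-DecryptPolicy-Unauthenticated-NONE-NONE-NONE-DefaultGroup <IW_swup,5.2,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_swup,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -
1617269004.009 5 10.10.10.12 TCP_DENIED/407 0 GET http://cloudapp.example.com/api - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d+) "
    r"(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>\S+) (?P<hier>\S+) "
    r"(?P<mime>\S+) (?P<tag>\S+) <(?P<verdict>[^>]*)> (?P<ua>\S+)$"
)


def parse_accesslog(text: str) -> List[dict]:
    """Split each accesslog line into named fields; raise on a line that does not fit
    the assumed layout rather than silently skipping it."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: does not match the accesslog layout")
        r = m.groupdict()
        r["elapsed"], r["status"], r["bytes"] = int(r["elapsed"]), int(r["status"]), int(r["bytes"])
        r["user"] = None if r["user"] == "-" else r["user"].strip('"')   # '-' = no identity
        # The ACL decision tag begins with the verdict: ALLOW, BLOCK, DECRYPT, PASSTHRU, MONITOR, DROP, ...
        r["action"] = re.split(r"[_-]", r["tag"], maxsplit=1)[0]
        rows.append(r)
    return rows


def summarize_by_client(rows: List[dict]) -> dict:
    """Per-client counts: volume, blocks, decrypted HTTPS sessions, transactions with no
    user identity, and 407 proxy-auth challenges (the failure mode item 5 describes)."""
    summary = defaultdict(lambda: dict(transactions=0, bytes=0, blocked=0, decrypted=0,
                                       unauthenticated=0, auth_challenges=0, users=set()))
    for r in rows:
        s = summary[r["client"]]
        s["transactions"] += 1
        s["bytes"] += r["bytes"]
        if r["action"] == "BLOCK" or (r["result"] == "TCP_DENIED" and r["status"] == 403):
            s["blocked"] += 1
        if r["action"] == "DECRYPT":
            s["decrypted"] += 1
        if r["user"] is None:
            s["unauthenticated"] += 1
        else:
            s["users"].add(r["user"])
        if r["status"] == 407:
            s["auth_challenges"] += 1
    return {ip: dict(s, users=sorted(s["users"])) for ip, s in summary.items()}


def transactions_for(rows: List[dict], client: str, only_denied: bool = False) -> List[tuple]:
    """The per-client transaction list the original question asked for: the same data
    'grep <client IP>' gives on the CLI, with the fields already split."""
    return [(r["ts"], r["method"], r["url"], r["result"], r["status"], r["tag"].split("-", 1)[0])
            for r in rows
            if r["client"] == client and (not only_denied or r["result"] == "TCP_DENIED")]


if __name__ == "__main__":
    parsed = parse_accesslog(SAMPLE_ACCESSLOG)
    for ip, stats in summarize_by_client(parsed).items():
        print(ip, stats)
    for t in transactions_for(parsed, "10.10.10.10", only_denied=True):
        print("denied:", t)
```

The 407 for 10.10.10.12 with user "-" is exactly the case the reply describes: a non-browser application that cannot answer the proxy's authentication challenge. With ISE/ISE-PIC feeding the user-to-IP mapping, the same request would carry a username and be matched by the authenticated policy instead.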

Hello Ken,

Thank you for your response, this has helped a lot.

I had one more question regarding WCCPv2 mode: I wanted to know where I need to configure WCCP redirection, on my core switch or on my internet firewall.

You can configure WCCP on either one. I do it on the firewall.



Thanks Ken.

I do have one more question and would love your insight on that too: which mode should one opt for?

I have seen quite a few banks opting for explicit mode, but going through the documents WCCP seems a more convenient option.

I need to implement WSA in a bank, and around 150-200 users will be allowed to access/use the internet (not all users), so which option should I opt for?

Can you lay out some pros and cons of both?

TIA

WCCP was not a great experience for me (personally); I would use explicit mode or any L4 traffic redirector.

The S195 should be able to help you:

https://www.cisco.com/c/en_uk/products/security/web-security-appliance/index.html#~models

If that is a small user base I would consider a VM as an option to start off; if there is any issue you can still migrate to an appliance.

 

BB


Hello Balaji,

Your last response cleared things up for me.

Right now the appliance is configured but still in the testing phase, so I came across the HTTPS proxy and I wanted to know how it is better, or what it does that is different from the Access Policy in explicit mode (right now I am using the WSA in explicit mode).

 

The Access Policy cannot process HTTP headers, body content or the full URL if the traffic is TLS encrypted (i.e. HTTPS); that info is simply not available. It will have to base its decisions only on the domain name (from the certificate or SNI) and the reputation for that. Also, no anti-malware scanning will take place.

If you enable the HTTPS proxy you have the option to decrypt TLS-based traffic, and the Decryption Policy will be used for HTTPS traffic instead. Traffic that is decrypted in the Decryption Policy will be sent into the Access Policy for further processing. The other options (instead of decrypting) are to drop or to allow the traffic without decryption; in both of these cases the traffic will not be processed by the Access Policy.

It's a balancing act. How do you configure all of your workstations/servers/apps/etc. to know to use the proxy, vs. the network doing it, and now dealing with stuff that JUST DOESN'T WORK with the proxy? The other tweak there with explicit is how you deal with authentication... With WCCP you'll want some way to do passive auth (CDA, or ISE-PIC); with explicit, it can be in the config at the workstation or app level.
I've been very successful with WCCP; we run it on the inside interface of our ASAs. I've done load-balanced configs, I've done different subnets getting different WSAs. Mostly without issue once the ASA code got fixed in the mid 8.x era... I haven't done it on FTD.

alirafaleiro
Level 1

Cisco WSA is an all-in-one highly secure web gateway that brings you strong protection, complete control, and investment value. It also offers an array of competitive web security deployment options, each of which includes Cisco's market-leading global threat intelligence infrastructure.