09-26-2024 08:54 AM - last edited on 09-26-2024 09:48 AM by rupeshah
Hi crew ...!
I have just received a Secure Web Appliance S196 to configure and install to turn up new proxy servers. I do not have experience with proxy servers, but I am a network guy. I am trying to place the device between our border 5525-X ASA router/firewall and edge switch. I am simply trying to configure it to call home in order to run the setup wizard and bring the license down. I have added a DNS record for the device and configured DNS on the device, and configured the management port, so I do have web and remote CLI access to the device. However, I am not sure what information goes in the P1 or P2 ports. I do know that I want to configure it for duplex tap to monitor traffic on the same T1 for in/out. I can send config settings if needed.
Any help is much appreciated ...!
09-26-2024 10:12 AM
09-26-2024 10:27 AM
wow ...! thank you soooo much, I really appreciate all the info.
09-26-2024 11:17 AM
09-26-2024 11:50 AM
That link seems to be broken, but thank you very much for all the info ...!
09-26-2024 12:29 PM
Fixed: https://www.cisco.com/c/m/en_us/products/security/web-security/setup-guide.html
And the doc I used back in the day...
09-27-2024 03:28 AM
Hi @Ced W
As Ken mentioned, it is very important to see what your proxy deployment will be (Transparent or Explicit).
Usually, P1 is used for inside and P2 for outside, but it is not a MUST. And Management is for the management.
On the other hand, I would suggest checking the version you are planning to use to make sure you have a complete overview of the changes and limitations.
The Sx96 (S196) will ship with AsyncOS 15.2; here are the release notes: Release Notes for AsyncOS 15.2 for Cisco Secure Web Appliance - Cisco
The Secure Web Appliance S196, S396, S696, and S696F support Cisco AsyncOS version 15.2 and later.
So you need to have a Smart License account and an active Smart License.
If you have GUI access, you will be able to license the device and run the System Setup Wizard.
In order to separate management traffic from data traffic (P1, P2), you can navigate to GUI > Network > Interfaces > Edit Settings and choose: Restrict M1 port to appliance management services only.
And if you need to separate the P1 and P2 interface traffic, you can do it by defining different routes in the Data Routing Table,
like 0.0.0.0/0 for your Internet gateway and 10.0.0.0/8 to your inside router.
And you mentioned: "...install to turn up new proxy servers"
If there is more than one new WSA, or you already have some WSAs in your network, you need to consider load balancing or failover scenarios.
We have a Failover option in the SWA; you can review "Configuring Failover Groups for High Availability" in the user guide.
Regarding load balancing, you can do it with any load balancer or with WCCP (if you are using transparent redirection).
About the TAP interface, you just need one interface (let's say T1) which is connected to the same broadcast domain as your other network security device.
Regards,
Amirhossein Mojarrad
09-27-2024 08:26 AM - edited 09-30-2024 10:29 AM
We would like to use the appliance in transparent mode. The current version is AsyncOS 15.2.0 for Web, build 116. I do have 2 WSAs to bring online, but right now I am just focusing on the one and will possibly use the other as a cold standby until I have the real estate to rack it.
However, I am still poring over the info @Ken Stieers sent and looking over the info you, @amojarra, sent in order to have the WSA reach out and pull a license so I can run the wizard. I have P1 going to the ASA; see the attached screenshots...
09-28-2024 11:00 AM
Thanks for the info.
Since you just have P1 in your design, if you choose to restrict the M1 port, then you will see 2 routing tables.
You need to define 2 default gateways there, one for Management and the other for Data.
Since it is just P1, you can redirect all the traffic to your Inside Router (IR1); then it will forward the Internet traffic to the outside router and the clients' traffic to the clients.
And for the management interface, again, since it is in a separate subnet with a separate router, you can define a separate default gateway.
In a transparent deployment, depending on how you are configuring it (WCCP or Policy Based Routing - PBR), the logic will be:
1) If any traffic comes from the "client interface" and is going to the Internet on port 80 or 443 (or whatever port your company uses, like 8080, 8443 ...), redirect it to the WSA.
2) If any traffic comes from the "WSA interface" and is going to the Internet on port 80 or 443 (or whatever port your company uses, like 8080, 8443 ...), it does not need to be redirected; send it to the Internet router.
3) Return path: this depends on whether you are using IP spoofing or not. In general, you redirect all the return traffic sourced from the Internet with source port 80 or 443 to the WSA;
then the WSA will send the traffic to the client IP as the destination IP.
So you need to define the source interface and traffic pattern (Src-port or Dst-port) and how to route them.
There are some other destinations for which you can create manual route entries, for example:
[1] you need access to Active Directory via Management,
[2] you need access to the DLP server via the Management interface,
[3] you need access to DNS via the Management interface.
...
You can define the routes for them, and for some of them, like Active Directory, you can choose the interface from the GUI.
The same goes for Smart License: you can choose the "test interface", which is the interface the WSA should use to access Smart License.
Regards,
Amirhossein Mojarrad
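As an added illustration of the three-rule redirection logic in the post above (example config written for this thread, not the poster's own configuration and not a Cisco reference config), here is how it could be expressed as PBR on an IOS inside router IR1. Interface names, subnets and the WSA address are hypothetical; it assumes the WSA is using IP spoofing, which is why return traffic must also be steered back through it.

```cisco
! Hypothetical layout: clients behind Gi0/1 (10.10.0.0/16), WSA P1 on Gi0/2
! at 10.20.0.10, Gi0/3 faces the outside router / ASA.

! Rule 1: client web traffic (80, 443, 8080, 8443) bound for the Internet goes
! to the WSA; traffic to internal 10/8 space is excluded so it routes normally.
ip access-list extended CLIENT-WEB
 deny   tcp any 10.0.0.0 0.255.255.255
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 permit tcp 10.10.0.0 0.0.255.255 any eq 8080
 permit tcp 10.10.0.0 0.0.255.255 any eq 8443

! Rule 3: replies from the Internet with source port 80/443/8080/8443 carry the
! spoofed client address as destination, so they must pass back through the WSA.
ip access-list extended RETURN-WEB
 permit tcp any eq 80   10.10.0.0 0.0.255.255
 permit tcp any eq 443  10.10.0.0 0.0.255.255
 permit tcp any eq 8080 10.10.0.0 0.0.255.255
 permit tcp any eq 8443 10.10.0.0 0.0.255.255

route-map TO-WSA permit 10
 match ip address CLIENT-WEB
 set ip next-hop 10.20.0.10
! Packets that do not match fall through to the normal routing table.

route-map FROM-INTERNET permit 10
 match ip address RETURN-WEB
 set ip next-hop 10.20.0.10

interface GigabitEthernet0/1
 description Client-facing interface (rule 1 applies here)
 ip policy route-map TO-WSA

interface GigabitEthernet0/3
 description Toward outside router / ASA (rule 3 applies here)
 ip policy route-map FROM-INTERNET

! Rule 2: Gi0/2 (WSA-facing) carries no policy, so the WSA's own upstream
! requests simply follow the default route to the outside router.
! Verification: show route-map TO-WSA / show ip policy, and debug ip policy
! on a lab device before applying this in production.
```

If the WSA goes down, a plain `set ip next-hop` blackholes matched traffic; `set ip next-hop verify-availability` tied to an IP SLA track object lets PBR fall back to normal routing, which is the failover behaviour you would want alongside the WSA failover groups mentioned earlier in the thread.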