
WSA Virtual Appliance deployment in monitor mode

mehedimec
Level 1

Hi Team,

 

Our router does not support WCCP and we also do not have an L4 switch. We are planning to deploy the WSA virtual appliance as a tapping device in monitoring mode. For that, we are considering mirroring our network traffic to a specific port (e.g. 37008) and want the WSA to listen on that port. Is it possible to deploy the WSA in such a way? I do not find any option to specify a listening port in the WSA GUI.

For your information, I have only configured it partially from the System Setup Wizard, and for the transparent redirection device option (in the connection settings) I have selected the "Layer 4 switch or no device" option.

4 Replies

balaji.bandi
Hall of Fame

Have you configured the web traffic tap settings?

Check under Network --> Web Traffic Tap.

Enable it and select the interface to tap the traffic.

 

BB


That's not what the tap does.

The tap lets you send traffic that the WSA gets OUT to another device. That traffic is UNENCRYPTED so that the WSA does decryption and can feed something like a DLP appliance.





Taken from the user guide.


Web Traffic Tap feature allows you to tap the HTTP and HTTPS web traffic that passes through the appliance and copy it to a Web Security appliance interface in-line with the real time data traffic. You can select the Web Security appliance interface to which the tapped traffic data is sent. If the tapped traffic includes HTTPS data, the appliance decrypts them based on the decryption policies before sending them to the tap interface. See Decryption Policies, on page 216. The selected tap interface must be directly connected to an external security device for analysis, forensics, and archiving. Alternatively, it may be connected to a L2 switch on a dedicated VLAN.


WCCP, Policy Based Routing or explicit forwarding are your only options to get traffic to the WSA.

What firewall are you using?

What router are you using?




We are using a MikroTik router and are not currently using any firewall device.

We are deploying the WSA (virtual appliance) for research purposes, and our intention is to monitor the inbound and outbound traffic without blocking any malicious or suspicious traffic. Is there not any scope to listen on a specific switch port (port no. 37008) where mirrored traffic is sent? If not, then what will be the option to send traffic through the WSA?