WSA WBRS Scanning

iwearing
Level 1

Hi,

On a WSA with WSA Essentials Licensing (No AV Scanning) I am looking for clarification of what happens with URL WBRS Scores between (-6 +6) with a default scan action when no AV/Anti-Malware Licences are enabled on the WSA.

Documentation states the Request is passed to the DVS engine for further malware scanning.

Thanks

Ian


balaji.bandi
Hall of Fame

It all depends on the Access Policy you configured:

More FAQs can be found here:

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/214699-web-reputation-score-wbrs-and-web-cate.html#anc0

BB


shgrover
Cisco Employee

Hello iwearing,

The WBRS score means the following:

-10 to -5.9 Block

-6 to +6 Neutral

+6 to +10 Allow

The main idea of the access policies or decryption policies is to figure out an ALLOW or BLOCK action.

If we hit the Web reputation engine and we haven't been able to assign an ALLOW or BLOCK action to the URL, and the WBRS score is between -6 and +6, which has a status of NEUTRAL, and as you mentioned there is no other scanning, then the URL will be allowed and the ACL DECISION TAG in the access logs would be DEFAULT_CASE_12.

You can check the reputation of any URL at "www.talosintelligence.com". It will show the reputation as POOR, NEUTRAL and GOOD. The exact WBRS score of a URL can be checked in the access logs, provided your box is updated.

Hope this answers your question.

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question
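To see which destinations were allowed through with the DEFAULT_CASE_12 tag mentioned in the reply above, the access logs can be grouped by host with their WBRS scores. This is an added example, not part of the thread or Cisco code; it assumes the squid-style access log layout (decision tag at the start of the last field before `<`, WBRS score as the second value inside `<...>`, `ns` for no score), and the sample lines, hostnames and the other tags in them are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not from a real appliance). Assumed layout: the
# squid-style access log, where the last field before "<" starts with the ACL
# decision tag and the second value inside "<...>" is the WBRS score.
POLICY = "DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup"
SAMPLE_LOG = f"""\
1700000000.101 45 10.0.0.5 TCP_MISS/200 5120 GET http://neutral.example/a.js - DIRECT/neutral.example text/javascript DEFAULT_CASE_12-{POLICY} <IW_comp,2.1,-,"-",-,-> -
1700000001.202 3 10.0.0.6 TCP_DENIED/403 0 GET http://bad.example/ - NONE/- - BLOCK_WBRS_12-{POLICY} <nc,-8.4,-,"-",-,-> -
1700000002.303 60 10.0.0.5 TCP_MISS/200 900 GET http://neutral.example/b - DIRECT/neutral.example text/html DEFAULT_CASE_12-{POLICY} <IW_comp,-3.0,-,"-",-,-> -
1700000003.404 80 10.0.0.7 TCP_MISS/200 1200 GET http://unrated.example/ - DIRECT/unrated.example text/html DEFAULT_CASE_12-{POLICY} <nc,ns,-,"-",-,-> -
1700000004.505 20 10.0.0.7 TCP_MISS/200 300 GET http://good.example/ - DIRECT/good.example text/html ALLOW_WBRS_12-{POLICY} <IW_comp,7.5,-,"-",-,-> -
"""


def parse_line(line):
    """Return (host, decision_tag, wbrs_score) or None if the line does not fit."""
    head, sep, verdict = line.partition(" <")
    fields = head.split()
    parts = verdict.split(",")
    if not sep or len(fields) < 11 or len(parts) < 2:
        return None
    tag = fields[-1].split("-", 1)[0]   # tag precedes the policy group names
    try:
        score = float(parts[1])
    except ValueError:                  # "ns" (no score) or any non-numeric value
        score = None
    return urlsplit(fields[6]).hostname, tag, score


def unscanned_neutral_allows(log_text, tag="DEFAULT_CASE_12"):
    """Map host -> list of WBRS scores for requests carrying the given tag."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == tag:
            hits[parsed[0]].append(parsed[2])
    return dict(hits)


if __name__ == "__main__":
    for host, scores in unscanned_neutral_allows(SAMPLE_LOG).items():
        print(host, scores)
```

Hosts that appear with low or missing scores are the ones to review when deciding whether the neutral range needs a tighter policy or an added scanning licence.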