
Ask the Expert: Best Practices for Configuring the Cisco Web Security Appliance (WSA)

Nov 26th, 2012

With Juan Ramos

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to configure, troubleshoot, and optimize the Cisco Web Security Appliance (WSA) with Cisco technical support expert Juan Daniel Ramos. The Web Security Appliance easily extends web security to include Anti-Virus, Web Reputation, and Blacklists to reveal hidden security threats on the Internet.

Juan Ramos is a senior engineer for the Cisco Web Content Security Team in Research Triangle Park, North Carolina. He has worked as a network security expert both as a customer support engineer and as a liaison between the Cisco Technical Assistance Center and the entities responsible for creating the products used in customer networks. His recent achievements include leading training sessions for new hires and covering web content security on a 24-hour basis during the 2012 London Olympics.

Remember to use the rating system to let Juan know if you have received an adequate response to your technical support question.

Juan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through December 7, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

Juan Ramos Tue, 11/27/2012 - 08:11

Uncategorized URLs

Many service requests are submitted to my team for web sites that do not fall into any predefined category on the Web Security Appliance (WSA).

If you need to add your web site to our database, please consider the submission page found at:

https://securityhub.cisco.com/web/submited_urls

Select the tab entitled 'Lookup or Submit URLs'

Enter the URL or URLs in separate lines in the text box

Select the radio button entitled 'ASync OS versions 7.5 and newer, including mixed environments'

Press the LOOKUP button

If the site does not fall into any particular URL category, select the domain using the checkbox, and select the best category for it under the 'Choose V2 Category' pulldown menu.

Hit the Submit key and this creates a request to my Web Categories team to integrate this request to our database.

You can also use this page to check the status of your submission after 24 hours.

NOTE: The WSA no longer supports the feature entitled 'IronPort URL Filter'; we have since transitioned to the Web Usage Controls feature.

jorgegmrs Fri, 11/30/2012 - 14:57

Hello Juan,

I am trying to copy an XML file from one appliance to another properly, and I can't find the proper way to do it.

Can you describe how to do this?

Thanks,

Jorge

tdhb..hiq Sun, 12/02/2012 - 11:09


Hi Jorge

When I first imported an IronPort export, I created 2 identical IronPorts, name and IP included. So the 2nd time I ran the export, I opened it up in a txt editor, and changed any information specific to the proxy. E.g. server name, IP address.

Hope that helps until Juan can help.

Cheers

Patrick

Juan Ramos Sun, 12/02/2012 - 19:49

Thanks for your question Jorge,

My first thought would be how the configuration was backed up.

If you save the configuration with the standard settings, it will save a configuration with the passwords masked which makes it unable to transfer to a replacement appliance.

Instead, I prefer to navigate to:

GUI ->

System Administration ->

  Configuration File ->

   Download file to local computer to view or save

Be sure to unmask passwords by unselecting the checkbox to make sure the saved file can be imported without error.

If you mask passwords, it will replace the password and certificate sections with

*****

and the import will fail with this message

------------------------------------------

Error — Configuration File was not loaded. File did not contain passwords.

------------------------------------------

The filename will look something like

S660-Serial-Number-Date-Time.xml

when complete

===========VERSIONS MUST MATCH===============================

Like Patrick noted earlier, the XML file is really plain text so you can open and read the file contents.

In my sample file, the contents include this section

------------------------------------------

  Product: IronPort S660 Web Security Appliance

  Model Number: S660

  Version: 6.3.3-015

------------------------------------------

The version of the backup file must match the version of the appliance you are importing this file to.

In this example, if my first WSA is running 6.3.3-015, the second WSA must also run 6.3.3-015.

Otherwise, some key configuration elements may be lost and/or an error may occur.

=====HARDWARE DIFFERENCES MAY REQUIRE SOME TWEAKING=====

The Sx50 and Sx60 appliances were made with an additional port called M2 which was not used.

The M2 interface is still referenced in the port_interface and ethernet_interface sections of the file.

With this in mind, the Sx70 appliances [which do not have this interface] will produce import errors.

One can simply remove the XML sections pertaining to the M2 interface (in those two sections) and the file should import without error.

=====HARDWARE REPLACEMENT vs. COPY CONFIG=====

If you are replacing one WSA for another or cloning the configuration to another network, the file should import without any modifications.

If you are, however, adding another WSA to your existing network and want to copy the configuration then there are some tweaks needed.

Step 1 - import the file and it should state that the import was successful

Step 2 - DO NOT COMMIT THE CHANGES -

Step 3 - Navigate to the Network --> Interfaces page and change the Layer 3 information and Fully Qualified Domain Name

Step 4 - Navigate to the Network --> Transparent Redirection page and confirm that no adjustments are necessary

Step 5 - Navigate to the Network --> Routes page and confirm that no adjustments are necessary

Step 6 - Navigate to the Network --> Authentication page and change the Redirect Hostname

Step 7 - Navigate to the Network --> DNS page and confirm that no adjustments are necessary

Step 8 - Navigate to the Security Services --> HTTPS Proxy page and confirm that no adjustments are necessary for the certificate section

Step 9 - Check the rest of the configuration to confirm all is well

Step 10 - Commit Changes

Step 11 - Save the file as this will be your new master configuration for this appliance

=====WORST CASE SCENARIO=====

There are rare cases when the configuration file errors with a message similar to:

------------------------------------------

Parse Error on element "euq_db_total_size" line number 1111 column 26 with value "153600": ISQ database size must be an integer from 0 to 143360 MB.

------------------------------------------

Errors like this may occur on customized configurations where the saved value exceeds the acceptable range defined by the import engine.

If you open the file and navigate to line number 1111, you can try saving a copy of the configuration file with that line of configuration removed at your own risk.

If the WSA does not find an entry in the configuration file you are importing, it will retain the previous (or default) setting for that configuration.

=====FINAL THOUGHTS=====

TAC engineers typically do not troubleshoot configuration files for customers because there are so many variables that can lead to a corrupt file.

The M-Series appliances are specifically designed to push configuration changes to multiple WSA proxies so we trust these devices a lot more to make sure it is done right.

I hope this helps,

Juan
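An added preflight check for the export-and-import procedure Juan describes above (not code from the thread or from Cisco): it reads the version stamped in the file header, flags the `*****` values a password-masked save leaves behind, and strips the entries for an interface such as M2 from the two interface sections. The sample export, its header-comment layout and the element names are constructed assumptions, not the real WSA schema.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample export: header-comment layout and element names are assumptions.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!--
  Product: IronPort S660 Web Security Appliance
  Model Number: S660
  Version: 6.3.3-015
-->
<config>
  <ethernet_interface>
    <interface><name>Management</name><phys_interface>M1</phys_interface></interface>
    <interface><name>Unused</name><phys_interface>M2</phys_interface></interface>
  </ethernet_interface>
  <port_interface>
    <port><phys_interface>M1</phys_interface><media>autoselect</media></port>
    <port><phys_interface>M2</phys_interface><media>autoselect</media></port>
  </port_interface>
  <admin_password>*****</admin_password>
</config>
"""

VERSION_RE = re.compile(r"^\s*Version:\s*(\S+)", re.MULTILINE)

def file_version(xml_text):
    """AsyncOS version stamped in the export's header comment, or None."""
    m = VERSION_RE.search(xml_text)
    return m.group(1) if m else None

def strip_interface(root, phys_name):
    """Remove entries in the two interface sections that reference a port (e.g. M2) the target lacks."""
    for section in ("ethernet_interface", "port_interface"):
        for parent in list(root.iter(section)):
            for child in list(parent):
                if child.findtext("phys_interface") == phys_name:
                    parent.remove(child)

def preflight(xml_text, target_version, drop_interfaces=()):
    """Flag masked passwords and a version mismatch; return the cleaned XML text."""
    problems = []
    ver = file_version(xml_text)
    if ver != target_version:
        problems.append(f"version {ver} != target {target_version}")
    root = ET.fromstring(xml_text)
    # A masked save replaces password/certificate values with ***** and the import fails.
    if masked := [el.tag for el in root.iter() if (el.text or "").strip() == "*****"]:
        problems.append("masked passwords in: " + ", ".join(masked))
    for name in drop_interfaces:
        strip_interface(root, name)
    return problems, ET.tostring(root, encoding="unicode")
```

Run `preflight(open("export.xml").read(), "6.3.3-015", drop_interfaces=("M2",))` against a real export and import only when the returned problem list is empty; note that ElementTree drops the header comment from the cleaned output.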

whitlelisa Wed, 11/28/2012 - 19:06

Hi Juan,

What tips do you have for creating packet captures? I am interested in knowing how to do this.

Thanks a lot,

- Lisa
Juan Ramos Thu, 11/29/2012 - 05:55

Thanks for your question Lisa,

If you are logged into the WSA Graphical User Interface, in the upper right hand corner you will see the menu for

Support and Help

mouse over that section and there will be an option for

Packet Capture

You will need to select the

Edit Settings

button to customize the type of capture you will take.

I typically select the radio button to run the capture until we reach the 200 MB max file size.

I select the M1 interface and [if applicable] the P1/P2 interfaces for capture.

T1/T2 interfaces are only selected when I want to troubleshoot Cisco Layer 4 Traffic Monitor issues.

I then select the Custom Filter option and define my capture settings.

If you are familiar with tcpdump on UNIX then you will feel comfortable with the parameters needed to isolate traffic.

I usually set up capture filters in this format

host EnterClientIP or host EnterDestinationIP or udp port 53

Here is an example of a real capture filter:

------------------------------------------

host 10.1.1.1 or host 192.168.2.1 or host 172.16.4.4 or udp port 53

------------------------------------------

In the above filter, I am isolating any traffic to or from three IP addresses and including any UDP traffic on port 53 (typically reserved for DNS).

Submit and commit changes before starting the capture.

The capture is saved in .pcap format and is easily read with free programs such as WireShark (www.wireshark.org).

Packet captures help me all the time to isolate issues between the client-proxy and proxy-Internet sockets. 

With this information, I can then determine the source of customer symptoms such as

Gateway Timeouts

HTML Redirects failing

Partially loading web pages

DNS failures on the proxy

I always run a simultaneous capture with Wireshark running on the client machine I am testing from to add more depth to my network troubleshooting.

Thanks,

Juan

whitlelisa Mon, 12/03/2012 - 10:59

Thanks for your prompt response, Juan. I appreciate it. I wonder how I can optimize the proxy performance. Do you have any tips or documentation for this?

- Lisa

Juan Ramos Mon, 12/03/2012 - 18:10

No worries Lisa,

Every deployment is different so I can only offer some things to consider. Not every tip here will apply to your configuration.

---------From the GUI------------------

Network

--> DNS

consider adding another DNS server address like 8.8.8.8 (GOOGLE) as a priority 2. If you have any sites that fail to resolve using your local DNS servers, the GOOGLE server may resolve the site's new IP address and proceed with the connection. This typically helps for sites that frequently change their IP addresses like those that are Akamai load-balanced.

Network

--> Authentication

  --> Edit Global Settings

   --> confirm redirect hostname is not a Fully Qualified domain name

This is an often overlooked setting as the authentication redirection HTTP 401 or 407 response will include a link similar to

http://ironport-hostname/BD00001blah/www.cisco.com

It is imperative to your performance that the redirect hostname is just the hostname of the interface handling authentication and that your clients can resolve this hostname.

---------From the command line------------------

rangerequestdownload

this command will enable support for client browsers that request a web resource like a video or file in sections (ex. first 900 bytes, then another 900 bytes, etc.).  Specifically, the HTML GET request will include a header called

Ranges:

and will specify ranges such as

0-900

The WSA produces a warning for this command because the scanning engine expects to scan a file in its entirety before confirming that it is clean.  If the file is split into different requests, there is the rare potential that a threat can be let through.

Consider this if you believe your Host based anti-virus is up to date and ready to block any infected attachments.

etherconfig

--> media

  confirm that the interfaces are set to <1000baseTX full-duplex>. The M1 and P1/P2 interfaces are set to Autoselect by default but if the output shows FastEthernet or half-duplex, then we need to inspect the switchport or network cable. I believe autonegotiation is a requirement for using 1000BASE-T to use all four twisted wire pairs.

etherconfig

--> mtu

  consider lowering the MTU size under the default 1500 bytes (possibly between 1460-1480). If you have transparent redirection enabled with WCCP, there is some additional overhead added to create frames that are about 1514 bytes. In my experience, there are some non-Cisco network devices that have trouble with these jumbo frames due to the Do Not Fragment bit set. End-users experience latency and the interfaces may record discarded frames.

advancedproxyconfig

--> MISCELLANEOUS

  --> look for the option "Would you like proxy to perform dynamic adjustment of TCP receive window size?"

   and set the option to N

In some rare cases, the WSA-Internet socket has a much faster data rate than the client-WSA socket. This can sometimes lead to poor performance due to TCP retransmissions and lost frames inside the packet capture. This setting change will shift the responsibility of managing the TCP sliding window to the client thereby forcing a more stable connection.

---------Baseline Now...Baseline Often------------------

As your network grows and users shift from text based web browsing to video, you will need to test data rates across each LAN segment or functional organization within your company.

These baseline packet captures and speed tests can help you forecast networking budgets needs in the future to keep your end-users happy.

I really do not recommend speed test web sites because they use non-standard methods like opening up 20 requests for the same non-object.

Instead, please consider these file download links:

http://tools.cisco.com/squish/3BC54 - downloads a 32 MB QuickTime installer file

and

http://tools.cisco.com/squish/F77B4 - downloads a 266 MB Microsoft installer file

I use the QuickTime most often since both Microsoft and Apple have good bandwidth and if your network is slow then these files will definitely show it.

The WSA does introduce a negligible delay, but typically the root cause of latency is seen from the addition or configuration change of a network device within the topology.

Thanks,

Juan

Juan Ramos Tue, 12/04/2012 - 04:23

System administration

--> Log Subscriptions

  --> accesslogs

under the Custom Fields section add

%u

to include the user agent string from now on. It will come in handy when you see GET requests to odd sites NOT coming from the end-user from their web browser. Applications such as Adobe Acrobat Updater, Trend Micro Antivirus, Java, and Microsoft Network Connectivity Status Indicator (NCSI) will make web requests but do not know how to authenticate and fail.

The user agent string will help identify these issues.
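An added example (not from the thread or from Cisco) of putting the `%u` user-agent field to use: it parses a few constructed access log lines and lists the user agents that were challenged with 407 but never appear on an authenticated request, which is the pattern of the updaters and connectivity checks Juan mentions. The line layout is a simplified Squid-style format assumed for illustration, not the exact WSA access log format, and the hosts and addresses are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in a simplified Squid-style layout with the %u user-agent
# custom field appended in quotes; not the exact WSA access log format.
SAMPLE_ACCESSLOG = """\
1354000001.101 120 10.1.1.5 TCP_DENIED/407 1800 GET http://www.cisco.com/ - NONE/- - "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
1354000001.205 300 10.1.1.5 TCP_MISS/200 5432 GET http://www.cisco.com/ jdoe@DOMAIN DIRECT/203.0.113.10 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
1354000002.010 15 10.1.1.5 TCP_DENIED/407 1800 GET http://ncsi.example.net/ncsi.txt - NONE/- - "Microsoft NCSI"
1354000002.020 14 10.1.1.5 TCP_DENIED/407 1800 GET http://ncsi.example.net/ncsi.txt - NONE/- - "Microsoft NCSI"
1354000003.500 18 10.1.1.9 TCP_DENIED/407 1800 GET http://updates.example.org/java/ - NONE/- - "Java/1.6.0_37"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) '
    r'(?P<size>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>\S+) (?P<peer>\S+) (?P<mime>\S+) '
    r'"(?P<ua>[^"]*)"$'
)

def parse_accesslog(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def auth_failures_by_agent(rows):
    """407 (proxy auth required) responses grouped by user agent, with clients and hosts."""
    summary = {}
    for r in rows:
        if r["status"] != "407":
            continue
        e = summary.setdefault(r["ua"], {"count": 0, "clients": set(), "hosts": set()})
        e["count"] += 1
        e["clients"].add(r["client"])
        e["hosts"].add(urlsplit(r["url"]).hostname)
    return summary

def agents_never_authenticating(rows):
    """User agents challenged with 407 that never appear on an authenticated request:
    typically updaters and connectivity checks that cannot answer the challenge."""
    challenged, authenticated = set(), set()
    for r in rows:
        if r["status"] == "407":
            challenged.add(r["ua"])
        elif r["user"] != "-":
            authenticated.add(r["ua"])
    return sorted(challenged - authenticated)
```

A browser shows up in the 407 list too (that is the normal challenge before it authenticates), so the second function is the one that separates the non-browser applications from ordinary users.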

john.ventura73 Fri, 12/07/2012 - 08:09

Hello Juan,

I am trying to troubleshoot a TCP packet issue. I would like to see the TCP handshake messages in the WSA, but I can't. Why doesn't my WSA packet capture show the full TCP handshake and other client sourced packets?

Thank you.

- John

Juan Ramos Fri, 12/07/2012 - 09:59

Thanks for your question John,

I assume that your packet capture has a filter applied and that your deployment is Transparent (most likely via WCCP on an ASA firewall).

If this is the case, then your packet capture would only show

SYN+ACK

instead of the full three-way handshake.

This is per design because the traffic sourcing from the client is technically not coming from the M1/P1/P2 interfaces.

When you have WCCP transparent redirection, the proxy creates a Service ID which must also be configured on the ASA firewall (for example) for WCCP.

My best analogy would be like walkie-talkies needing to be on the same frequency/channel to communicate with your peer.

With this in mind, a secure tunnel is created between the two and traffic coming out of the tunnel is encrypted.

This encryption prevents the proxy from including this in a filtered capture because a tunnel interface is created and it is not selectable in the Packet Capture page.

---------Workaround---------

If you are able to capture within a few seconds to reproduce this issue, you may wish to consider applying NO FILTER to the capture and saving/running it.

This will include the tunnel interface which will then show the full TCP handshake.

The only problem this creates is that you will then have to filter the capture to isolate the traffic created just by your test machine and save the trimmed capture in a new file.

With Wireshark, you can find instructional videos online or the Wireshark user guide to best filter traffic.

Hope this helps,

Juan
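The capture filter from Juan's packet-capture answer (`host ... or host ... or udp port 53`) and the trimming step in the WCCP workaround above, as an added example that is not from the thread or from Cisco: a small pcap reader/writer that keeps only the frames matching the same host/UDP-port selection and writes the trimmed file, standing in for the Wireshark step. It constructs its own sample frames with made-up addresses and handles IPv4 over Ethernet only.

```python
import socket
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def build_packet(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame carrying a bare TCP (6) or UDP (17) header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

def write_pcap(packets):
    """Serialize frames into a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1354000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Return the list of frames in a classic pcap file written by write_pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off, packets = 24, []
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        packets.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return packets

def matches(pkt, hosts, udp_port):
    """Same selection as the filter 'host A or host B ... or udp port N', IPv4 only."""
    if pkt[12:14] != b"\x08\x00":
        return False
    ihl = (pkt[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    if src in hosts or dst in hosts:
        return True
    if pkt[23] == 17:  # UDP: match if either port is the one asked for
        return udp_port in struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
    return False

def trim_capture(data, hosts, udp_port=53):
    """Keep only frames matching the filter and return (new pcap bytes, kept count)."""
    kept = [p for p in read_pcap(data) if matches(p, set(hosts), udp_port)]
    return write_pcap(kept), len(kept)
```

For an unfiltered capture taken with the workaround, `trim_capture(open("capture.pcap", "rb").read(), ["10.1.1.1"])` yields the bytes to write to the new, smaller file.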

Posted November 26, 2012 at 9:33 AM