I am a new learner of the ASA firewall. Recently we purchased an ASA 5520 with the following version:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
ASA 5520 Adaptive Security Appliance
ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9
I have configured the ASA with a basic configuration. Now I want to implement web filtering using Websense on the ASA firewall. I don't have any idea about the requirements for this configuration.
I found the configuration lines on Google, but they do not seem to be working.
My ASA is configured with:
I came across one solution where Websense is configured in the DMZ, and I tried it in the same manner, but when I checked the Websense server statistics, it shows "DOWN".
I used the following lines:
url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter url 443 192.168.1.0 255.255.255.0 220.127.116.11 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
url-cache dst 100
url-block url-mempool 2
url-block url-size 2
url-block block 10
Basically I want to completely block social websites. I can use the CSC content filtering, but when users use a proxy utility, the blocked websites open.
Please help me out.
Can you reach (ping) the Websense server from your ASA?
If so, have you added the ASA as an integrated device on the Websense console? (Reference)
@ Marvin Rhoads & jumora:
Thanks for the response. Since I am new to Websense, I have a few questions:
1. Do we need a separate PC to configure as the Websense server? If yes, then how?
2. Will this Websense server filter websites completely? The network users are pretty smart, as they use third-party PROXY utilities to bypass blocked websites.
3. Will it affect the performance of the ASA after configuring Websense?
Websense is a third-party product that works in conjunction with the ASA, so you need to purchase it.
2. The ASA has an option in the Websense (URL filtering) configuration to block proxies, but nowadays people use all types of proxies, so you might need to monitor your network connections or block any unknown port from going out through the firewall.
In the ASA URL filtering document, you will find the proxy-block option:
Each function has some sort of impact, whether positive or negative. I've seen a lot of ASAs configured with Websense without any problems, if that is what you are asking.
What do you mean by that question:
Do I need to prepare a separate machine as a Websense server?
The question is related to Websense requirements. I believe that there are several options: you get a server or you buy the appliance.
For further details, please ask the Websense vendor.
I am referring to this line:
url-server (if_name) vendor websense host <IP of Websense server > protocol tcp version
Where it says <IP Address of Websense server>, what IP address shall I give here? If it is talking about the Websense server, then I mean to ask: is it required to have a server or computer configured as the Websense server?
no filter url 443 192.168.1.0 255.255.255.0 18.104.22.168 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
Please get the complete TCP/IP configuration from the server, and remove and re-add all Websense-related configuration.
FYI this article is pretty nice:
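Added example (not part of any post in this thread, and not the article mentioned above): a small offline review of the `url-server` and `filter` lines discussed here. It applies a reply's `no ...` lines to the question's config, then flags a `filter url` rule that covers port 443 (the reply uses `filter https` there) and a Websense host with no `filter url except` rule. The function names and the sample address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the thread; 203.0.113.10 is a documentation address.
QUESTION = """\
url-server (DMZ) vendor websense host 192.168.1.251 timeout 30 protocol TCP version 4 connections 30
filter url 443 192.168.1.0 255.255.255.0 203.0.113.10 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter url except 192.168.1.251 255.255.255.255 0.0.0.0 0.0.0.0 allow
"""
REPLY = """\
no filter url 443 192.168.1.0 255.255.255.0 203.0.113.10 255.255.255.255 allow proxy-block longurl-truncate cgi-truncate
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""

URL_SERVER = re.compile(r"url-server \(\S+\) vendor websense host (\S+)", re.I)
FILTER = re.compile(r"filter (url|https) (except|\d+(?:-\d+)?) (\S+) (\S+)", re.I)


def running_config(*snippets):
    """Apply snippets in order; a 'no <line>' entry removes that exact line."""
    active = []
    for line in "\n".join(snippets).splitlines():
        line = " ".join(line.split())  # normalise whitespace before comparing
        if line.lower().startswith("no "):
            active = [l for l in active if l.lower() != line[3:].lower()]
        elif line:
            active.append(line)
    return active


def findings(lines):
    """Return review findings for the Websense-related lines."""
    hosts, exempt, out = [], [], []
    for line in lines:
        if m := URL_SERVER.match(line):
            hosts.append(ipaddress.ip_address(m.group(1)))
        elif m := FILTER.match(line):
            kind, port, ip, mask = m.groups()
            if port == "except":  # local address/mask exempted from filtering
                exempt.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
            elif kind.lower() == "url":
                lo, _, hi = port.partition("-")
                if int(lo) <= 443 <= int(hi or lo):
                    out.append(f"'filter url {port}' covers port 443; the reply uses 'filter https' there")
    if not hosts:
        out.append("no 'url-server ... vendor websense' line")
    for h in hosts:
        if not any(h in net for net in exempt):
            out.append(f"Websense host {h} has no 'filter url except' rule")
    return out
```

Call `findings(running_config(QUESTION, REPLY))` with the lines pasted from `show running-config` in place of the constructed samples.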