Thursday 15 September 2011

Cisco Ironport WSA

Introduction
The Cisco Web Security Appliance (S Series) is a network perimeter device that protects your internal users from threats on the internet. It can also perform additional tasks such as URL filtering, anti-virus, policy groups and usage quotas. The WSA does not claim to be a replacement for a traditional firewall and should not be used as such. It is more accurate to think of the WSA as a proxy device though it can do much more than a traditional proxy. The WSA runs a proprietary OS based on FreeBSD called AsyncOS. Three models are available:
- IronPort S670 - 10,000+ users ( http://www.cisco.com/en/US/products/ps11285/index.html )
- IronPort S370 - <10,000 users ( http://www.cisco.com/en/US/products/ps11284/index.html )
- IronPort S160 - <1,000 users ( http://www.cisco.com/en/US/products/ps10609/index.html )
In addition to this there are two additional products for centralized management of the WSA:
- Sawmill for Cisco IronPort (third party reporting tool)
- M-Series - Centralized management of multiple S-Series platforms
Management of the device is done via console or the M1 interface. Default IP address of the M1 interface is 192.168.42.42 with a default gateway of 192.168.42.1. You can connect via SSH, http (port 8080) or https (port 8443) with the credentials:
username: admin
password: ironport

Proxy Modes

The WSA can proxy HTTP and FTP traffic and operates in two different modes:
- Transparent Mode (client is unaware that proxying is taking place and traffic is redirected transparently)
- Explicit Mode (client is explicitly configured with the WSA address either manually or via PAC files)

WSA Policies

Policies can be thought of as a set of rules that you wish to apply to a user or group of users and that governs how their traffic is treated. You can test policy configuration with the Policy Trace Tool (System Administration --> Policy Trace). Policies can contain the following:
- Application (port and protocol)
- URL Filtering
- Applications (block specific categories of applications such as WebEx, IM etc.)
- Objects (size and MIME types of objects)
- WBRS and Anti Malware Filtering
If traffic is not matched by a particular policy it will hit the default policy at the bottom of the list which is called the "Global Policy".

Useful CLI Commands

commit - commit the configuration that has been changed
interfaceconfig - configure IP addresses / management port numbers etc.
ntpconfig - configure ntp servers
resetconfig - restore default configuration to the appliance.
settime - set the time
settz - set the time zone
status - show system status
testauthconfig - used to test the LDAP or NTLM authentication configuration

Access Log Explanations

With the CLI command "tail accesslogs" you can see a real-time view of traffic and why it is being processed or dropped. The following is a list of the decision keywords that appear in each log line and their meaning:
ALLOW_CUSTOMCAT - Custom category has been matched and the object is allowed.
ALLOW_WBRS - Web Based Reputation Score high enough to bypass AV scanning
BLOCK_ADMIN_FILE_TYPE - MIME type of object has caused it to be blocked.
BLOCK_ADMIN_IDS - Ironport Data Security has blocked metadata object (DLP) based on file type or size.
BLOCK_ADMIN_SIZE - Access to object blocked because of the object file size.
BLOCK_ADMIN_SIZE_IDS - Ironport Data Security has blocked metadata object (DLP) based on file size.
BLOCK_AMW_REQ - Blocked by outbound malware scanning.
BLOCK_AMW_RESP - DVS scanning has blocked malware.
BLOCK_AVC - Predefined application has been matched and the object is blocked.
BLOCK_CONTINUE_CUSTOMCAT - Custom category has been matched and the user will be warned.
BLOCK_CONTINUE_WEBCAT - Predefined category has been matched and the user will be warned.
BLOCK_CUSTOMCAT - Custom category has been matched and the user will be blocked.
BLOCK_CUSTOMCAT_IDS - Custom category has been matched and the user will be blocked (DLP).
BLOCK_SEARCH_UNSAFE - Unsafe search, access to the object will be blocked.
BLOCK_UNSUPPORTED_SEARCH_APP - Unsupported search engine, action is to block.
BLOCK_WBRS - Web Based Reputation Score low enough to block without AV scanning.
BLOCK_WBRS_IDS - Web Based Reputation Score has blocked object (DLP).
BLOCK_WEBCAT - Predefined or no URL category matched, action is to block.
BLOCK_WEBCAT_IDS - Predefined or no URL category matched, action is to block (DLP).
DECRYPT_ADMIN - Decrypted because of policy default or invalid certificate handling.
DECRYPT_CUSTOMCAT - Decrypted because of custom URL category.
DECRYPT_WBRS - Decrypted because of Web Based Reputation Score.
DECRYPT_WEBCAT - Decrypted because of predefined URL category.
DEFAULT_CASE - Predefined or no URL category matched, action is to monitor.
DROP_ADMIN - Dropped because of policy default or invalid certificate handling.
DROP_WBRS - Dropped because of Web Based Reputation Score.
DROP_WEBCAT - Dropped because of predefined URL category.
MONITOR_AMW_RESP - DVS scanning yielded positive verdict - action is to monitor.
REDIRECT_CUSTOMCAT - Custom category matched, action is to redirect.
PASSTHRU_ADMIN - Passed through because of default policy.
PASSTHRU_CUSTOMCAT - Passed through because of custom URL category.
PASSTHRU_WBRS - Passed through because of Web Based Reputation Score.
PASSTHRU_WEBCAT - Passed through because of predefined URL category.
TCP_DENIED - Access to the web page has been denied
HTTP return codes are categorized as follows:
1xx Informational
2xx Success
3xx Redirection
4xx Client Error
5xx Server Error
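As an added example (not from the original post or from Cisco), the following script parses access log lines, pulls out the decision keyword and HTTP status class described above, and tallies BLOCK/DROP hits for triage. The field order is assumed to be Squid-like, and the sample lines are constructed rather than captured from an appliance.

```python
import re
from collections import Counter

# Meanings of a few decision keywords from the list above (subset).
DECISION_MEANINGS = {
    "BLOCK_WBRS": "reputation score low enough to block without AV scanning",
    "BLOCK_AMW_RESP": "DVS scanning has blocked malware",
    "BLOCK_WEBCAT": "predefined or no URL category matched, blocked",
}
HTTP_CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
                "4": "Client Error", "5": "Server Error"}
# Assumed Squid-like field order; the decision keyword is assumed to carry a
# numeric suffix and dash-joined policy group names (e.g. BLOCK_WBRS_12-Group-...).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s+"
    r"(?P<tag>[A-Z_]+?)(?:_\d+)?-(?P<policy>\S+)")
# Constructed sample lines (not taken from a real appliance).
SAMPLE_LOG = """\
1316077200.150 97 10.1.2.3 TCP_MISS/200 8187 GET http://example.com/ - DIRECT/example.com text/html DEFAULT_CASE_11-DefaultGroup-Identity-NONE-NONE-NONE-DefaultRouting
1316077201.220 12 10.1.2.4 TCP_DENIED/403 1210 GET http://bad.example.net/x.exe jdoe NONE/- - BLOCK_WBRS_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultRouting
1316077202.500 33 10.1.2.5 TCP_DENIED/403 1210 GET http://dl.example.org/a.zip jdoe NONE/- - BLOCK_AMW_RESP_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultRouting
1316077203.010 5 10.1.2.6 TCP_DENIED/403 0 CONNECT https://social.example.com:443 - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultRouting
1316077204.900 44 10.1.2.7 TCP_MISS/302 512 GET http://news.example.com/ - DIRECT/news.example.com text/html ALLOW_WBRS_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultRouting
"""

def parse_line(line):
    # Returns the parsed fields plus verdict family, HTTP class and keyword meaning.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["verdict"] = rec["tag"].split("_", 1)[0]  # ALLOW, BLOCK, DECRYPT, DROP, ...
    rec["status_class"] = HTTP_CLASSES.get(rec["status"][0], "Unknown")
    rec["meaning"] = DECISION_MEANINGS.get(rec["tag"], "see keyword list")
    return rec

def summarize(log_text):
    # Tally decision keywords and HTTP classes; collect BLOCK/DROP hits for triage.
    tags, classes, blocked = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags[rec["tag"]] += 1
        classes[rec["status_class"]] += 1
        if rec["verdict"] in ("BLOCK", "DROP"):
            blocked.append((rec["client"], rec["user"], rec["url"], rec["tag"], rec["meaning"]))
    return tags, classes, blocked
```

Feed it the output of "tail accesslogs" to get a quick count of which keywords are firing and a list of the blocked requests with the user and client that triggered them.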