ASA Context Aware Security (CX) vs URL filtering (Websense)

Fellas,
I'm new to ASA and PIX. I have PIX with Websense for URL filtering. We are upgrading to ASA 5585-X with CX context aware module. Will I still be needing Websense, since we have CX? What would be the best solutions? Thanks in advance.
Happy New Year!

This is not a popular thing for a reseller like me to say, but I am not a fan of the CX module.  It does a little bit of a lot of things, but doesn't do particularly well at any of them; that is to say, it is not for example a replacement for a proper e-mail filter or web filter or IPS.
I would stick with Websense versus moving to the CX module.  I have had a lot of clients try - against my suggestion - to use just the CX module and every one of them has come back to their URL filtering boxes.  With that said, I might recommend trying IronPort instead - it may sound a bit biased coming from someone on the Cisco forums, but I really have found it to be a substantially superior platform for most (not all, but most) installations.

Similar Messages

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1)      How is ASA CX different from other UTM solutions ?
    2)      How is dynamic application inspection of CX better than other inspection engines  ?
    3)      What features or functionalities on the CX are available by default ?
    4)      What are the different ways we can run or install CX on the ASA platform ?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.
    Thanks.

  • Allocate-interface to an existing ASA context

    We have an active/active context firewall and would like to add a sub-interface to the existing context. Can someone share the link on how to do this?
    All Cisco documentation is for creating a context and allocating an interface from scratch, but I could not find any document for adding an interface to an existing context.
    -Mohan

    Ah, now I understand your question better.
    Yes, you can just add the "allocate-interface " to the Context configuration while it's in production. All that this command will do at this point is add another interface under the Context.
    After you have added the interface with the "allocate-interface" command under the Context and moved to the Context with the command "changeto context ", you will only see an interface with blank configuration and ALL of the configuration you had there before adding the new interface.
    After this you simply start configuring the interface with "description", "nameif", "security-level", "ip address" and so on and start creating rules for it.
    The situation that the Cisco quote above refers to is the following situation:
    You have a ready-made configuration file for your ASA context
    You load that file to the Flash of the ASA
    You want to apply the configuration on the Flash to the Context you created
    One reason for having a ready configuration might be that your previous ASA has broken down and you are now in the process of recovery with a replacement device and have all the configuration backups and are loading them to the ASA and creating all the Contexts that were on the previous ASA.
    IF you were to create the Context and immediately issue the "config-url" whose configuration refers to certain interfaces, THEN naturally the ASA couldn't insert those old backup configurations into the Context as it didn't have those interfaces attached yet.
    This is why in the above case you would first attach the interfaces to the context and THEN insert the Flash filesystem path where the already ready configuration would be located that the Context could use to fully configure and restore the Context.
    Now consider the more typical situation while configuring Contexts:
    You already have a Context with a "config-url" set where the Context configuration gets saved.
    When you add a new interface to the Context, nothing happens to the current configuration or firewall operation.
    Because the current configuration doesn't refer to the new interface in any way, it naturally won't get any configuration when you attach it to the Context.
    When you move under the Context, you can just start configuring the interface settings and configuration related to that interface.
    AFTER you issue the "write mem" command and save the configuration, it will be saved to the file/path configured in the "config-url" configuration and will after this naturally contain the new interfaces (and all related configurations) in its configuration.
    So in short:
    If you are adding new interfaces to production firewalls you can just use the "allocate-interface" command.
    If you have a ready-made configuration before creating the actual context, THEN you will have to make sure that the context has the interfaces attached BEFORE you attach the "config-url" configuration with the ready-made file, OR IF NOT it will only apply configuration for the interfaces which are attached before this, and naturally the global configurations that don't apply to any specific interface.
    Hopefully I wasn't too complex with the writing. I'm pretty tired at the moment and it's hard to concentrate.
    Please rate if you have found the information helpful, and also ask more if needed.
    - Jouni

  • Urgent requirement : security error accessing url and http error: standalone flex

    Hi,
    I have a requirement to create record from standalone flex. I am using Flex builder 3.
    I used Flex-force toolkit to login  to salesforce. The swf file generated when used internal to salesforce it works great.
    But my requirement is to run it from public sites page / standalone pages. How will I configure it? I am getting error 'security error accessing url', default HTTP
    The requirement is on priority, please help me to resolve this issue.
    The login code is also furnished below. please help.
    Full error details:
    (com.salesforce.events::ApexFaultEvent)#0
      bubbles = false
      cancelable = true
      context = (null)
      currentTarget = (null)
      eventPhase = 2
      fault = (mx.rpc::Fault)#1
        content = (null)
        errorID = 0
        faultCode = "Channel.Security.Error"
        faultDetail = "Destination: DefaultHTTP"
        faultString = "Security error accessing url"
        message = "faultCode:Channel.Security.Error faultString:'Security error accessing url' faultDetail:'Destination: DefaultHTTP'"
        name = "Error"
        rootCause = (flash.events::SecurityErrorEvent)#2
          bubbles = false
          cancelable = false
          currentTarget = (flash.net::URLLoader)#3
            bytesLoaded = 0
            bytesTotal = 0
            data = (null)
            dataFormat = "text"
          eventPhase = 2
          target = (flash.net::URLLoader)#3
          text = "Error #2170: Security sandbox violation: file:///C|/Users/R/DOCUME%7E1/FLEXBU%7E1/TESTLO%7E1/BIN%2DRE%7E1/TESTLO%7E1.SWF cannot send HTTP headers to https://login.salesforce.com/services/Soap/u/14.0?1000.1153011256829."
          type = "securityError"
      headers = (null)
      message = (mx.messaging.messages::ErrorMessage)#4
        body = (null)
        clientId = "DirectHTTPChannel0"
        correlationId = "B8A1B02E-CE17-DCBA-4894-F2E4CBEB7C04"
        destination = ""
        extendedData = (null)
        faultCode = "Channel.Security.Error"
        faultDetail = "Destination: DefaultHTTP"
        faultString = "Security error accessing url"
        headers = (Object)#5
          DSStatusCode = 0
        messageId = "41F6A90D-ECAE-EA2D-7C84-F2E4DABD72F3"
        rootCause = (flash.events::SecurityErrorEvent)#2
        timestamp = 0
        timeToLive = 0
      messageId = "41F6A90D-ECAE-EA2D-7C84-F2E4DABD72F3"
      statusCode = 0
      target = (null)
      token = (mx.rpc::AsyncToken)#6
        message = (mx.messaging.messages::HTTPRequestMessage)#7
          body = "<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/"><se:Header xmlns:sfns="urn:partner.soap.sforce.com"/><se:Body><login xmlns="urn:partner.soap.sforce.com" xmlns:ns1="sobject.partner.soap.sforce.com"><username>uname</username><password>pwdandsec token</password></login></se:Body></se:Envelope>"
          clientId = (null)
          contentType = "text/xml; charset=UTF-8"
          destination = "DefaultHTTP"
          headers = (Object)#8
            DSEndpoint = "direct_http_channel"
          httpHeaders = (Object)#9
            Accept = "text/xml"
            SOAPAction = """"
            X-Salesforce-No-500-SC = "true"
          messageId = "B8A1B02E-CE17-DCBA-4894-F2E4CBEB7C04"
          method = "POST"
          recordHeaders = false
          timestamp = 0
          timeToLive = 0
          url = "https://login.salesforce.com/services/Soap/u/14.0?1000.1153011256829"
        responders = (Array)#10
          [0] (::SalesForceResponder)#11
        result = (null)
      type = "fault"
    Login code:
    [Bindable] public var sfdc:Connection = new Connection();
    private function login():void {
        // Load the cross-domain policy before calling the login endpoint.
        Security.loadPolicyFile("http://salesforce.com/services/crossdomain.xml");
        var lr:LoginRequest = new LoginRequest();
        lr.username = "uname";
        lr.password = "pwdtoken";
        sfdc.protocol = "https";
        sfdc.serverUrl = "https://login.salesforce.com/services/Soap/u/14.0";
        lr.callback = new AsyncResponder(loginSuccess, loginFault);
        sfdc.login(lr);
    }

    This is resolved.
    I have copied the crossdomain.xml file to tomcat Root folder
    and the issue is resolved.

  • Cisco ASA 5510 Content Security bundle

    Hello,
    Please help me to understand: if I buy the Cisco ASA 5510 Content Security bundle for my network, I found there is a 1 yr subscription for the content
    security features. What services are included in it? Is URL blocking and filtering included in this subscription, or is it a separate feature?
    Thanks,
    Saroj Pradhan

    Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
    http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
    The one-year subscription provides you with the ability to upgrade the virus scan engine, spyware pattern file, anti-spam, etc.

  • Flex encounters "Security error accessing url.Unable to load WSDL"

    I have created a Flex application which connects to SAP via a web service.
    When I try to run my Flex application I encounter the following error:
    "Security error accessing url.Unable to load WSDL"
    I went through various posts relating to a BSP application and crossdomain.xml.
    I have created the crossdomain.xml file in the application and
    I tried those options and am still not able to figure out the problem.
    The security error is because of the absence of the crossdomain.xml file, and in which path should I be saving the file?
    Kindly help me solve the problem.
    Thanks in advance.

    Have you seen this blog
    "Crossdomain.xml" in ABAP Web AS Server cache

  • Security error accessing url (Unable to load WSDL)

    Hi folks.
    I have a Flex project that uses a WCF webservice. On my localhost everything is all right, but I want to upload my Flex project to a web host (http://www.dorj.ir) and upload my WCF webservice to a server that has a valid IP...
    After going to http://www.dorj.ir, you can see this error
    Security error accessing url
    Unable to load WSDL. If currently online, please verify the URI and/or format of the WSDL (http://ip/service.svc?wsdl)
    I put the crossdomain.xml file in the root of my server:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
         <allow-access-from domain="http://www.dorj.ir" />
         <allow-http-request-headers-from domain="http://www.dorj.ir" headers="SOAPAction"/>
    </cross-domain-policy>
    But I have the same error, yet...!
    what should I do?!

    Have you seen this blog
    "Crossdomain.xml" in ABAP Web AS Server cache

  • Warning System spameater Unable to connect to Cisco Web Security Service.; URL Filter...

    My C670 ESA's have been throwing these alerts intermittently for the past few days, anyone else seeing them?
    The Warning message is:
    Unable to connect to Cisco Web Security Service.
    URL Filtering will not work correctly.
    Please verify all network, proxy and firewall settings.
    Connection to "v2.sds.cisco.com" failed.
    The last error seen on this connection: "Request failed with code: 28 (Connection time-out)"
    Version: 8.5.6-092
    Looks like it is open on port 443 and currently up.  Hitting it with a browser gives me:
    https://v2.sds.cisco.com/
    After an error or two they go away and appear OK.   
    Checking the logs I don't see a way to verify URL lookups are working, is there a way?
    Also, I set up URL filtering six months ago and had it set to only trigger on (-10)-(-9.5) and saw about an 80% false positive rate.  It has improved drastically over the past six months but is still catching mostly advertising URLs and allowing all phishing URLs right through.  I've yet to see it block a phishing URL.
    Jason

    After lots of trial and error, I was able to eliminate this problem.  What I wound up doing is defining the XE service again in the listener.ora file:
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = XE)
          (ORACLE_HOME = C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server)
        )
      )
    I know that typically you should not have to do this, especially since I already had defined DEFAULT_SERVICE_LISTENER = (XE) at the bottom of the listener.ora file.  Explicitly defining the XE service in the listener.ora file allows the listener to find it while the system is running under the Cisco AnyConnect VPN.  The only hiccup I found by doing this is that the XE service is discovered twice by the listener when the system is NOT running under the Cisco AnyConnect VPN.  It still works OK.  The listener just seems to ignore the repeated definition of the XE service (see output below):
    C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server\bin>lsnrctl service
    LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-JUN-2013 10:03:15
    .......(omitted output).......
    Service "XE" has 2 instance(s).
      Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
      Instance "xe", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0 state:ready
             LOCAL SERVER
    Service "XEXDB" has 1 instance(s).
      Instance "xe", status READY, has 1 handler(s) for this service...
        Handler(s):
          "D000" established:0 refused:0 current:0 max:1022 state:ready
             DISPATCHER <machine: DEV-M-137GF, pid: 5544>
    (ADDRESS=(PROTOCOL=tcp)(HOST=DEV-M-137GF.paychex.com)(PORT=58257))
    The command completed successfully
    If anyone has a cleaner solution for this problem, please let me know.  Otherwise, I am moving forward with what I did.
    Thanks.....Paul

  • How to make transparency context-aware when green screening.

    I have been using After Effects CS6 for about 1 month and face a problem.  I have successfully green screened marionettes so I can place them in a video without showing the string, which is also green.  The string did become transparent within the mask but within the marionette body, it just turned brown and moves like string. Question: Does anyone know how I can alter the string to be context aware?

    That could be a tough one; there isn't any way to make a chroma key contextually aware.  You can animate the beginning and ending points of the Simple Wire Removal effect that comes with AE to see if it does an adequate repair job for you.

  • MSE 7.4 Base Location Services and Context Aware Licences?

    Hi! I have a question for MSE Base Location Services and Context Aware Licences. Do I need to add Base Location Services and Context Aware Licences in L-MSE-PAK or just enough Base Location Services Licences? What is the difference in these licenses?
    I know that the Base Location Services license is determined by the number of access points, and Context Aware license is determined by the number of devices.
    Please help me with this issue.

    OK, for example, a customer bought a Context Aware license. Can he activate it in MSE 7.4 or need to install MSE 7.3 with Context Aware license and then upgrade to MSE 7.4?

  • "Security error accessing url" - Accessing HTTP service   running on another machine

    Flex app is hosted as web service and is trying to access data from HTTP Service running on different machine. It throws following error
    [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
    at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler
    at mx.rpc::Responder/fault()
    at mx.rpc::AsyncRequest/fault()
    at ::DirectHTTPMessageResponder/securityErrorHandler()
    at flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
    at flash.events::EventDispatcher/dispatchEvent()
    But when I run the HTTP Services (data provider) on same machine application works fine.
    Already used crossdomain.xml

    Sorted the cross domain problem by using mx:Webservice rather
    than an httpservice.

  • "Security error accessing url" error in Intranet Flex Development

    Hi,
    I have a simple Flex application with a Tree control that loads data from an XML file on my intranet site using HTTPService. The Tree control pulls in data without any problem if I run the Flex app locally, however I would get "Security error accessing url" if I copied the Flex application to my intranet server and accessed it. The Flex SWF files and the XML file are in the same directory.
    I thought there shouldn't be any cross domain security issue since both files are in the same domain/directory.
    Any idea what is going on?
    Thanks
    xkxTnT

    Thanks Guys for trying..
    I figured out the problem -  I initially created the project without server configuration, so the SWF ran off my local file system. I later set the server to local ColdFusion MX 7 server, the SWF still ran without problem, I then copied them to the production server and got the security error message.
    Yes, I am pretty sure they are the same domain - the SWF files are in http://intranet/Flex and the url for HTTPService is http://intranet/Flex/data.xml.
    I later solved the problem by creating a new project with server set to local ColdFusion server, copied the exact same code and data file, it ran fine on http://localhost/Flex, and again ran without problem after deploying to the intranet server http://intranet/Flex.
    I guess Flash Builder compiled the code a little differently depending on the project configuration (server or no-server)? I don't know the details, or why it even matters..
    xkxTnT

  • Security error accessing url with crossdomain.xml in InDesign FlexUI

    I'm evaluating Flex as a UI component in an InDesign script. Part of what it needs to do involves retrieving some data from a web server to be displayed in a datagrid. I've written a server running on localhost that will provide this data. Everything works fine when I run the component from Flash Builder or from the HTML wrapper page that is generated during the release build, but once I copy the .swf to the InDesign scripts folder and load it as part of a ScriptUI component, I get a fault response ("security error accessing url") when connecting to the server. I'm running this bit of code from my Flex client:
    var h:HTTPService = new HTTPService();
    h.url = "http://localhost:8080/elements";
    h.method = "GET";
    h.addEventListener("result", getElementsResult);
    h.addEventListener("fault", getElementsFault);
    h.send();
    From what I've read, I may need a crossdomain.xml file at the root of my host, so I've added that to the server and can see that it is being accessed whenever the flex component attempts to connect to the service.
    My crossdomain.xml file is:
    <?xml version="1.0" ?>
    <!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
    <cross-domain-policy>
        <allow-access-from domain="*"/>
    </cross-domain-policy>
    which seems to be correct, from what I understand. I've also tried quite a few other variations (setting explicit site-control policies, etc.). I'm quite new to Flex/Flash and I'm basically stuck at this point. Where might I be going wrong?

    I think sleeping on this one helped... I found that if I serve the .swf from my web server then everything works out fine. Loading it from the local filesystem seems to have been the problem.
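
An added example, not part of the original posts: a small checker for Flash cross-domain policy files, run over constructed copies of the two policies quoted in the "Unable to load WSDL" thread and in this thread. The `domain` attribute takes a host name, IP address or wildcard rather than a URL, and `domain="*"` grants every origin access; the function name, rule names and sample constants are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples that mirror the two policies quoted in the threads.
POLICY_WITH_URL = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="http://www.dorj.ir" />
  <allow-http-request-headers-from domain="http://www.dorj.ir" headers="SOAPAction"/>
</cross-domain-policy>"""

POLICY_WILDCARD = """<?xml version="1.0" ?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

GRANT_ELEMENTS = ("allow-access-from", "allow-http-request-headers-from")


def lint_policy(xml_text):
    """Return a list of (element, rule, detail) findings for one policy file."""
    # ElementTree does not fetch the external DTD; for untrusted input a
    # hardened parser (for example defusedxml) is the safer choice.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [(root.tag, "wrong-root", "root element must be cross-domain-policy")]
    findings = []
    for el in root.iter():
        if el.tag not in GRANT_ELEMENTS:
            continue
        domain = el.get("domain", "")
        if not domain:
            findings.append((el.tag, "missing-domain", "no domain attribute"))
        elif "://" in domain or "/" in domain:
            # A URL was supplied where only a host is expected.
            host = urlsplit(domain).hostname or "?"
            findings.append((el.tag, "url-in-domain",
                             f"{domain!r} is a URL; use the bare host {host!r}"))
        elif domain == "*":
            findings.append((el.tag, "wildcard-domain",
                             "any origin is granted access"))
        if el.get("secure", "true").lower() == "false":
            findings.append((el.tag, "secure-false",
                             "HTTPS content is exposed to SWFs loaded over HTTP"))
        if el.tag == "allow-http-request-headers-from" and el.get("headers") == "*":
            findings.append((el.tag, "wildcard-headers",
                             "any request header may be sent"))
    return findings


if __name__ == "__main__":
    for name, text in (("url", POLICY_WITH_URL), ("wildcard", POLICY_WILDCARD)):
        for finding in lint_policy(text):
            print(name, *finding, sep=" | ")
```
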

  • Problem with Context-aware

    Hello,
    I have an MSE 3310, which is connected to WCS.
    The problem is that I cannot see the exact location of the devices on the heatmap.
    They told me that they have already registered the Context-aware.
    Can you help me please with this?
    What do I need to see the locations of the devices?

    Please try to follow the quick start example: http://otn.oracle.com/products/text/x/Samples/Quick_Start/index.html

  • Disappearing context aware tool bar

    Where do I report a bug?
    I've assigned InDesign to a 'Desktop' formerly called 'Space'. Mac Lion 10.7.4 Done via the InDesign icon in the dock. Right click the icon > Options > Assign to: Desktop 2,3, whatever.
    So I've bobbed out of InDesign into Firefox or Mail on a different desktop. When I click the InDesign icon in the Dock to return to InDesign, the screen slides to the space ok, but InDesign appears without the top context aware tool/attributes bar... not sure what it's called but the one immediately below the 'ID' bar in the default 'Essentials' workspace. Blimey, takes some explaining doesn't it. Anyway it's missing - there's a gap across the top of the screen below the 'ID' bar. If I slide (4 finger gesture) to the default desktop, there the missing bar is for the briefest moment!!!! Clearly while the main app is happy to reside in the Desktop/space... the toolbar gets mightily confused.
    If I cmd+tab between applications, it also does it (though I'm not sure it's consistent), but if I use the gesture to move from desktop/space to InDesign Desktop, it seems fine (though I've not tested this rigorously).
    InDesign CS6

    Lots of problems, apparently, with Spaces...
    anyway, you can report a bug at Adobe - Feature Request/Bug Report Form
