Cisco WSA https inspection capability?

Hello, 
does a Cisco WSA has the capability of inspecting HTTPs traffic like Internet-Proxy servers do

yes.
Here's a doc on how to set up the WSA, it has a section on doing HTTPS:
https://supportforums.cisco.com/sites/default/files/attachments/discussion/sba_mid_bn_websecuritydeploymentguide-h1cy11_1.pdf

Similar Messages

  • HTTP Inspection Cisco PIX 525

    I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
    My regex is:    regex HACKBLOCK "*/admin/.*\.jsp*"
    My class-maps are: 
    class-map type regex match-any HACKBLOCK_METHOD
    match regex GET
    class-map XXXXTWBLOCK
    match access-list HACKBLOCK_HOSTS
    class-map type regex match-any HACKBLOCK_URL
    match regex HACKBLOCK
    class-map type inspect http match-all HACKBLOCK_FILTER
    match request uri regex class HACKBLOCK_URL
    class-map inspection_default
    match default-inspection-traffic
    My policy-maps are:
    policy-map type inspect http HACKBLOCK_HTTP
    parameters
    class HACKBLOCK_FILTER
      log
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect dns
      inspect h323 ras
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    policy-map OUTSIDE
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    class class-default
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 1200
    As you can see, I added the inspection rule to a seperate class name ENPROTWBLOCK.  This matches traffic based on destination of our class C.  I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
    #sh service-pol inspec http
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
        Class-map: XXXXTWBLOCK
          Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
            protocol violations
              packet 34206
            class HACKBLOCK_FILTER
              log, packet 0
    enp-amer-clt-pix525-a#
    I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
    Any idea whats going on here and why I am not macthing the HTTP uri's ????
    Thanks,
    Matthias  CCIE# 28445

    I get hits on the ACL.  The issue is that the HTTP inspection does not seem to function.  Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20

  • Default HTTP inspection map

    Hi guys.
    When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
    Its used here as an example on the documentation;
    From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
    However I cannot actually see anywhere what these Default settings are.
    For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
    I cannot find any reference to these.
    If anyone can help that would be great.
    Thanks.
    Mike

    I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
    (Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module of NGFX CX module with AVC and WSE.)
    See the following screenshot for what I wan talking about in my first paragraph:

  • CSM 3.3.0, FWSM 4.0(6), HTTP Inspection

    Hi,
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    i have a firewall module (FWSM) ,(version  4.0(6)) which is managed with CSM (3.3.0). There is a problem about regular expression configuration with CSM. HTTP Inspection with regular expression is configured with ASDM successfully but this configuration is not deployed with CSM on FWSM. It seems CSM does not support regular expression for FWSM. The following picture shows that CSM support HTTP advanced inspection configuration only for ASA7,2 and PIX7.2. i need to know  does CSM 4.0 has this limitation or is there any solution for this CSM version?

    Here is the guide for Flex configs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
    There is no predefined flex config for the http inspection. But you can create a new Flex config that has the commands
    regex ...class-map type inspect http   match header host regex ...
    The Flex config in CSM will be deploying the commands as if you were doing it with CLI.
    I hope it makes sense.
    PK

  • Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

    Hello !
    I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in client's web browsers) but i don't have a WCCP router. So, is it possible ? 
    If yes, how to do this ? 
    Thank you,
    Stephane Walker

    Hi Stephane
    The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by access list to WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to assure that proxy is listening on the port 80 and that HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well. 
    Sample configuration for Cisco router
    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
    match ip address 110
    set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
    ip policy route-map proxy-redirect
    xxx.xxx.xxx.xxx is the proxy IP in such case and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
    The biggest disadvantage of such solution is lack of failure detection. If the proxy will go down for some reason router will keep redirecting the traffic causing internet access outage.
    Routers other than Cisco equipment should also have an option to configure policy based routing.
    /Artur
    Ps. It's not possible to place the WSA in-line between clients and the internet.

  • Potential Impact of Disabling Default HTTP Inspection Policy

    I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map.  The software for this firewall is recent 8.2(x).
    Some questions:
    1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration.  All such traffic is inspected by the appliance.  Am I correct in this understanding?
    2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
    3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting?  Would I see any noticeable impact to HTTP traffic by doing this?
    Thank you for your responses in advance.
    Jeff

    Hi,
    These are the response to your queries:-
    1) Yes ,HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
    2) Might be yes , As the HTTP connections are the major amount of traffic on the ASA device , too much traffic have to be inspected by the ASA device and re-assembling will also cause the ASA device to do  some extra processing.
    3) No , I think you would reduce the processing for the ASA after disabling this inspection.
    This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
    Also , check this:-
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
    Thanks and Regards,
    Vibhor Amrodia

  • CSW: Filtered Google Images still appearing with HTTPS Inspect configured

    Hi,
    I'm currently testing https Inspect to close a hole in the Google Images search.
    I was under the impression that https inspect would not display any images that are in the a blocked category.
    I have a CSW created certificate installed on the PC I'm testing on which I see as being accepted.  If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
    However, with the cert running on the PC, images are not being filtered within a Google search.  It's not practical for us to change to a "safesearch on" policy and was under the impression that https inspect would indeed filter the images, but it's not.  I've tested on some images that they are blocked as if I click the "visit site" or "view image" links, then I get the blocked page.
    Any help is very appreciated.
    Thanks
    Craig

    Thanks for the answer, but that's crazy, it didn't used to be like that before Google forced https on everyone.
    I can't see how safe search can be enforced?  I know it can be done on at DNS, but that doesn't help our field users who connect to their own/public wifi.  Even when they are VPN'd, we use split tunnelling so that won't work either.
    Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffix's?  Or can you?
    Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere.

  • How to check if Cisco WSA is already blocking the malicious sites?

    How to check if Cisco WSA is already blocking the malicious sites? 

    Depends on what you mean, but in general what you did will not work.
    The usual intent of RMI is to have several processs running and all of them use one process as the repository.
    A static value is only visible in one VM instance thus it will not be visible in another process.
    So in that situation you could check if the the server socket that the RMI using is open. But just catching the exception, presuming that you catch the correct one, is also sufficient.

  • Cisco WSA Versus Proxy

    Hello Experts,
    Can anyone tell me what is difference between Cisco WSA and Proxy-Server ?    and which one ideal to use ?
    Thanks,
    Waheed

    Hi Imran,
    The main difference between the two is the Cisco WSA is an appliance or a hardware while proxy server is a software. Other features are also offered by each security solutions. Best recommendation depends on what features are you looking for. Kindly email me ([email protected]) for more information and so I can also provide you options that you have.
    Hope to hear from you soon.
    Regards,
    Alyza

  • Cisco website HTTP 404 error (broken link)

    Attempting to download your firmware for Linksys WRT54GS hardware Ver 6 generates an HTTP 404 (page not found)
    error.
    Cisco link :
    http://homedownloads.cisco.com/downloads/firmware/FW_WRT54GSv5v6_1.52.8.001_US_20091005,0.bin
    From Cisco page:
    http://homesupport.cisco.com/en-us/wireless/lbc/WRT54GS
    GCN91F5D8994

    May it's not working due to the temporary outage on the website.
    Try to download and upgrade the firmware once again after some time

  • Toying with https inspection. Do access lists now have to be in decryption policies?

    Hello,
    I am toying with https inspection.  I am wondering now with the WCCP redirect from the firewall for https on two of our test IP's (before rolling it in production), if I need to basically duplicate all of my Access Policies on the Decrypt Policies.  Is Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
    Lets say you want facebook blocked.  In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example.  Well facebook has both an http and an https (now increasingly more common) site.  So could they just circumvent this block by typing in https?  They can do that now (since were not inspecting https), but we want to put a stop to that.
    I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

    Ok so its fine to have a global decription policy that has everything set to monitor, and just continue to let the access policy do all the work?
    At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
    When would the "decrypt" option be a good idea?

  • Disable http inspection in global_policy FWSM

    I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
    Looking into the config on the FWSM i see that under the global_policy we are inspecting http
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
    Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
    I don't really understand what the inspection engine does?

    Well,
    I removed the http inspection and it broke all inbound and outbound web services!
    Then I discover this
    url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
    filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
    This web-sense server is down and no longer used.
    But am I correct to assume that the prescense of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?
    I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
    Thanks
    Roger

  • HTTPS Inspection and MAC OS X Clients

    Hi together,
    we want to enable HTTPS Inspection at our TMG Cluster....but the counterpart is, Mac OS X Clients wont be able to connect to SSL Sites after we activate it.
    So i am aware of this blogpost
    http://blogs.technet.com/b/isablog/archive/2012/04/20/mac-os-clients-fail-to-access-ssl-websites-after-you-enable-https-inspection-in-forefront-tmg-2010.aspx
    We had a certificate generated by our own internal CA, generated like described in this blogpost
    http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
    After we faced the problems with os x we didnt do more research and renewed the certificate with the options of the second blogpost but as Windows Server 2008 CA Cert.
    But still, MAC OS X (Safari) cant reach HTTPS Sites, Firefox on MAC OS X works fine.
    I`ve downloaded the certificates to check if it is ASCII or Unicode...here are the results:
    Aussteller:
    CN=TMG HTTPS CNG Inspection
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 40 (40/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="TMG HTTPS CNG Inspection"
    Antragsteller:
    CN=*.facebook.com
    O=Facebook, Inc.
    L=Menlo Park
    S=CA
    C=US
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/2 Zeichen)
    2.5.4.6 Land/Region (C)="US"
    55 53 US
    55 00 53 00 U.S.
    [1,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/128 Zeichen)
    2.5.4.8 Bundesland oder Kanton (S)="CA"
    43 41 CA
    43 00 41 00 C.A.
    [2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 10 (10/128 Zeichen)
    2.5.4.7 Ort (L)="Menlo Park"
    4d 65 6e 6c 6f 20 50 61 72 6b Menlo Park
    4d 00 65 00 6e 00 6c 00 6f 00 20 00 50 00 61 00 M.e.n.l.o. .P.a.
    72 00 6b 00 r.k.
    [3,0]: CERT_RDN_PRINTABLE_STRING, Länge = 14 (14/64 Zeichen)
    2.5.4.10 Organisation (O)="Facebook, Inc."
    46 61 63 65 62 6f 6f 6b 2c 20 49 6e 63 2e Facebook, Inc.
    46 00 61 00 63 00 65 00 62 00 6f 00 6f 00 6b 00 F.a.c.e.b.o.o.k.
    2c 00 20 00 49 00 6e 00 63 00 2e 00 ,. .I.n.c...
    [4,0]: CERT_RDN_UTF8_STRING, Länge = 14 (14/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="*.facebook.com"
    So i think the problem is the last one while this is still as utf8 issued...but why? Shouldn`t this also a printable/ASCII one? How can i fix it?
    The template which generated the TMG Certificate has the following settings:
    General
    Validity: 10 Years
    Renewal period: 2 Years
    Issuance Requirements
    Suspended Templates
    Extensions
    Application Policies: Code Signing (Codesignatur), Private Key Archival (Archivierung des privaten Schlüssels), Server Authentication (Serverauthentifizierung)
    Basic Constraints: everything is checked
    Certificate Template Information: -
    Key Usage: Digital signature, Signature is proof of origina (nonrepudiation), Certificate signing, CRL signing, Make this Extension critical
    Have you any ideas why i still get utf8 subjects?
    Thanks for your help in advance

    Hi Vasu,
    isn`t this needed to issue a cng certificate (
    http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx ) ?
    I give it a try and give you a Status update.
    Regards
    edit
    so while it isnt possible to use sha256, i am unable to issue cng certificates after using a 2003 based CA Template. So this cant be a solution.... 

  • Dropbox and HTTPS inspection

    Greetings, community!
    We have a trouble with Dropbox application connection to their servers through our TMG servers array.
    HTTPS-Inspection is enabled.
    So, the error in the logs is:
    Failed Connection Attempt
    Log type: Web Proxy (Forward)
    Status: 0x80090325
    Rule: Allow Web Access for All Users
    Source: Internal (10.0.128.15:53328)
    Destination: External (108.160.165.11:443)
    Request: client60.dropbox.com:443
    Filter information: Req ID: 0ab2df8b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: https-inspect
    User: anonymous
    Additional
    information
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x0
    Processing time: 0 MIME type:
    I try to:
    1. Disable HTTPS-Inspection for *.dropbox.com destination
    2. Enable direct access to *.dropbox.com
    Same trouble.
    Does anyone seen same problem?

    Hi,
    your clients are configured as Webproxy clients (TMG proxy in browser specified)?
    Dropbox may not use the proxy settings from your browser.
    Please try to set the proxy on the client with NETSH WINHTTP SET PROXY
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

  • Cisco WSA S170 AsynOS 7.5.2 LDAP group query debug

    Dear support forum members,
         I have some problems with the Cisco WSA S170 (AsynOS 7.5.2). It looks like a bug. I have two users in my Active Directory(AD), both of them are members of the InternetGrp6 AD group, both of them are in the same organization unit in the AD tree, but WSA could not identify that one of them member of the InternetGrp6.
         I understand that WSA do this over the LDAP query to AD controller, but I could not found the way how do I debug LDAP query. This will give me ability to find out what happened during the user group LDAP query.
    Thanks in advance!
    Best regards,
    Alexander.
    P.S. Sorry for my English.

    Hi,
    First of all I would like to thank you for assistance!
    It is a pity, but I received  "Unknown command: ldapsearch" in the SSH CLI session.
    AsyncOS 7.5.2 for Web build 304 installed.
    Best regards,
    Alexander.

Maybe you are looking for

  • Web camera video quality in Flex

    Hi, I have a flex app which turns on a web camera and shows the video from the camera. The problem is that the video resolution is a bit choppy or pixilated. I know it's not because of the quality of the webcam since the video is very clear on other

  • Database Performance Problem

    Hi, I am running Oracle10g in Windows and i have SGA - 289406976 Fixed Size- 1248576 Variable Size - 96469696 Database Buffer - 184549376 Redo Buffer - 7139328 i am enclosing the init.ora file for better understanding # Cache and I/O db_block_size=81

  • Strange arrow showing on sub-folders after moving from the main one

    I put all my desktop located files into ONE folder. Then I needed quicker access to some of the folders so I moved them back to my desktop. Now they all have a little arrow in the bottom left corner. Why is this? Is it important? When I put them into

  • DataTable question

    Hi, I have three datables and my requirement is I want to show all the dataTables on a single pane and pane should have a scrollbar.For example in the dataTable one I have three records and in the second dataTable I have 2 records and in the third da

  • I can't play any FB games with Adobe 11. Need 10.3. Where is it?

    I cannot play any FB games with Adobe 11. None load. I need 10.3 where is it? ''moderator edited the title of this thread''