IOS Content Filtering - Is No More ?

Cisco very quickly End of Lifed the IOS Content Filtering offering last year
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
Cisco are pushing Scansafe as their current offering, which has probably led toa  falling out with Trend who provided the underlying service for
IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal i.e SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions form other suppliers"
So we are left with a router platform which is fine and  content filtering which was fine but are now unable to re-licence the URL filtering service and will stop working in about 30 days and there is apparently nothing we can do about it
Does anyone know if Trend still operate the URL filtering subscription service and whether theire is a way of geting a subscription renewal direct ?
(i'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
Or of any alternative simple and cost effective solution we can configure the router to use
(please tell me we're not back to SurfControl/Websense solutions again..)
thanks
Sez

Approached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. its not our fault (but strangely the problem is the customers)
Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
Also scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer form Cisco is basically - yep spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisoc.com for scansafe - i.e. covering SKU/ordering models etc... It always just ays 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Ciscos valued customers
Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
I have found we are not alone in this, most customers are only finding out about this mess when existing IOS URL Filtering licence's expire and go for renewal only to find the 3 month EOL process has stealthily boatanchored their implementation.
Sez

Similar Messages

  • IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?

    I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription.
    Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
    Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
    I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
    Thanks!
    Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

    Hmm... no thoughts over the weekend. Anyone?

  • [Trend Micro Ios content filtering] parameter-type command under policy map not available

    Hi, all:
    I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
    On this particular testbed, I have a 2900 running:
    System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
    And the following licensing:
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot 
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    uc            uck9          Permanent      uck9
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    CUBE_GOLD_MEX#show ip trm subscription status
           Package Name:  Security & Productivity (Trial)
                 Status:  Active
    Status Update Time:  18:02:51 CST Mon Jul 23 2012
        Expiration-Date:  Mon Aug 20 02:00:00 2012
        Last Req Status:  Processed response successfully
    Last Req Sent Time:  18:02:51 CST Mon Jul 23 2012
    CUBE_GOLD_MEX#
    Also, I have the following config lines on it:
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 4.2.2.2
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend tm-pmap
    allow-mode on
    [snip]
    parameter-map type trend-global trend-glob-map
    class-map type inspect match-all http-imap
    match protocol http
    class-map type urlfilter trend match-any drop-category
    match url category Abortion
    match url category Activist-Groups
    match url category Adult-Mature-Content
    match url reputation ADWARE
    match url reputation DIALER
    match url reputation DISEASE-VECTOR
    match url reputation HACKING
    match url reputation PASSWORD-CRACKING-APPLICATIONS
    match url reputation PHISHING
    match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match url reputation SPYWARE
    match url reputation VIRUS-ACCOMPLICE
    policy-map type inspect urlfilter trend-policy
    class type urlfilter trend drop-category
    I have not been able to get to the good part of configuring the ZBF.
    I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
    XXXXXX(config)#policy-map type inspect urlfilter trend-policy
    XXXXXX(config-pmap)#?
    Policy-map configuration commands:
      class        policy criteria
      description  Policy-Map description
      exit         Exit from policy-map configuration mode
      no           Negate or set default values of a command
    XXXXXX(config-pmap)#
    I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
    Can anyone provide some assistance?
    TIA.
    c.

    Hi Carlos,
    I am having the same problem.  I have seen a few diffenent configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the the IOS documentation for 15.2.  Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • Time pattern to allow user breakthrough URLFilter over IOS content filtering

    hi
    i have a client did request me to create such thing for them over IOS content filtering + Trend Micro based subscrition (till this level i'm pretty not sure it is feasible or what)
    scenario would be:
    like group 1 of users are the martketing subnet, then setting the time from 0800 hour to 1700 hour are prohibited to access any of the block blackilist site (either from local and/or trend micro reputation / category blacklist URL)
    is there any way round i can enable the router to recognize the time then let user to gain access after 1700 hour?
    Can TCL do this? any other way round for this
    thank you
    Noel

    Hi Carlos,
    I am having the same problem.  I have seen a few diffenent configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the the IOS documentation for 15.2.  Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • IOS content filtering on trend micro subscription

    hi
    i just finish setup the IOS content filtering on C1841. basically it's combo of local filtering and Trend micro subscrition based. all the parameter-map, class-map, policy-map and zone firewall setting is up and ready to go.
    Some question to ask
    1. how do i examine trend micro content filtering on it REPUTATION and CATEGORIES is really working?
    as usual, after setup these command :
    paramater-map type trend-global MY-GLOBAL-PARAM
    server trps.trendmicro.com
    pamater-map type urlfpolicy trend MY-PARAM   
    allow-mode on
    block-pass message "bla-bla-bla"
    class-map type urlfilter trend match-any trend-block-categories
    match url catergory Adult-Mature-Content
    class-map type urlfilter trend match-any trend-block-reputation
    match url reputation ADWARE
    policy-map type inspect urlfilter MY-ACTION
      parameter type urlfpolicy trend MY-PARAM
      class type urlfilter trend trend-block-categories
      reset
      class type urlfilter trendtrend-block-reputation
      reset
    so for my zone firewall policy:
    policy-map type inspect out->in
    class type inspect trafic
    inspect
    service-policy urlfilter MY-ACTION
    then i do apply zone-pair to the outside and inside interface,everything set to go.
    so far what i can block is only using URL-blacklist to block the whole domain. anyway how can totally left to trend micro subscription license to do with it all?
    noel

    Hmm... no thoughts over the weekend. Anyone?

  • Expiring ios content filtering

    hello
    now that IOS Content Filtering using Trend Micro is EOL and replaced by ScanSafe, can someone tell if ScanSafe is a subscription based and what are the new SKUs for ScanSafe
    thanks

    Yeah, Scansafe won't work until you purchase the subscription, and get that activated within the cloud since it is Web Security on the cloud solution.
    Try to contact [email protected], and let them know your country and ask them if they can refer you to a local Sales Rep for ScanSafe.

  • How can I achieve IOS content filtering using a Cisco router

    Good day Everybody.
    I would like to set up content filtering using IOS on my Cisco router. I already know how to do URL filtering but I want to restrict access to sites based on categories.
    Is this possible without having to introduce an external device?

    Natively in IOS this is not possible. However you can configure CWS (Cisco Web Security). The router will forward web requests to a cloud based web security service.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/data_sheet_c78-729637.html

  • IOS content filtering on 29xx

    IOS content fitlering through trend micro has been discontinued on 2800's (now) and 2900's (December 2012).
    1. Is there a replacement solution for cloud based URL filtering on 2800's?
    2. Looking at ScanSafe ISR Web Security on 2900's which I believe will work similar to TRM. I can't seem to find any SKUs for this solution through. Anyone knows anything about this?

    Hmm... no thoughts over the weekend. Anyone?

  • IOS Content Filtering

    Hello, I have just purchased content filtering for an SR520 and an 881.
    I find guides on Cisco.com relating to confiuration of filtering, but nothing with regards to reporting. I'm looking to log every time a page is denied, and what user (or IP) requested the blocked page.

    Yes there is acache you can configure under the parameter-map.
    You can also view it using command shown below
    IOSrouter# sh
    policy-map type inspect zone-pair urlfilter cache detail
    policy exists on zp zp
    Zone-pair: zp
    Service-policy inspect : trend-global-policy
    Class-map: www (match-all)
    Match: protocol http
    Inspect
    Maximum number of bytes in cache: 262144
    Time to live for each cache entry (in hrs): 24
    Total number of bytes used by cache: 453
    Number of bytes used by domain type cache: 353
    Number of bytes used by directory type cache: 100
            URL                                       Age         Idle time/        Cat::Rep
            (Directory cache
    end with /)  (day:h:m:s)
    access #
            yahoo.com                             0:16:47:30           2           56::1                                                                               
    ad.doubleclick.net                
    0:00:00:10           1           72::1                                                                                                                       
    static.eharmony.com/static../
    0:00:00:06  0:00:00:04     12::1
    Unfortunately you can't see who accessed them.
    I hope it helps.
    PK

  • IOS web content filtering cannot get trend micro filter

    hi, i just wondering how really i can get my router's content filtering connect to trps.trendmicro.com server again. previously it was success to get connect to the server, after i doing some changes on my zone-pair firewall then it cannot connect to the trend micro server anymore.
    sh ip trm subscription status showing that i successfully connected and registerd
    all the installation guide is doing accordingly,then i turn on my debug crypto pli validation and debug ip trm detail, all showing success connection to trendmicro site.
    parameter-map type trend-global <param> are pointing to the trps.trendmicro.com, my class-map and policy-map didn't have any changes since last success connection.
    zone-pair setting also attach with the right policy-map that serve for service-policy urlfilter <name>
    overall, after my zone-pair firewall is UP again, then my web content filtering is gone, while registeration is made..
    anyone have any idea what really happen?
    thanks
    Noel

    Hi Yongkhang,
    I think in order to figure out what is happening, we need to troubleshoot and see the config, data and other show commands.  I'm not sure if you would feel comfortable posting that here.  Therefore, i think its best to open up a case with tac on it so that it can be troubleshot to see why you cant access the trend micro server.
    can you let me know what you mean by when you turn on your ZBF, your web content filtering is gone.  Are you saying, when you turn on zbf, the web content filtering is no longer blocking or allowing sites?
    have you ran the following debugs?
    debug ip urlfilter detail
    debug ip urlfilter event
    debug ip url filter function-trace
    also, what does this show:
    show policy-map type inspect zone-pair urlfilter
    Are you sure you have the class maps in the proper order since its processed sequentially..
    regards,
    scott

  • Does anyone know how the cutout filter works and is there a way of achieving the same effect without using filters to get more control over final look?

    does anyone know how the cutout filter works and is there a way of achieving the same effect without using filters to get more control over final look?

    Several ways to get similar results.  Image > Adjustments > Posturize with low values similar to what you'd use n Cutout.  This is the most flexible way I can think of as you keep the image in RGB mode with layers intact.  A more radical approach would be to reduce bit depth using Indexed Colour.  You'll need to experiment with settings, try changing Forced to Primaries, and Matte to Foreground Color.  There's no going back from this route, although you can change the mode back to RGB to re-enable layers, adjustment layers etc.
    A nice thing about the Filter gallery filters is that you can change the layer to a Smart object with all the control that gives you.
    Now if only this forum could filter out bizarre content.

  • Exchange 2013 SP1 EDGE role content filtering ?

    Hello,
    Have Exchange 2013 SP1 with CU5 with antispam enabled on mailbox role server. And i wonder if i deploy 2013  Edge role, will i get more granular content filter control, like there is in Office 365? For example: i want to treat empty messages as not
    spam.
    I have read that control of Edge server is done ONLY by powershell. So if edge role is deployed, still there is no content filter control in ECP (like in office365) ??

    Hi,
    The Content Filter agent assigns a spam confidence level (SCL) rating to each message. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam.
    Based on my knowledge, I'm afraid we can't filter the empty messages and treat them as not spam.
    Here is an article about content filtering in Exchange 2013 for your reference.
    Content Filtering
    http://technet.microsoft.com/en-us/library/bb124739(v=exchg.150).aspx
    Best regards,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Belinda Ma
    TechNet Community Support

  • Content Filtering - exe file

    Hi
    we are using SJES 6.2 for our Mailing system and i have following doubts.
    1) In which file & where we are specifying content filtering ??
    2) content filtering means
    if any user sends an exe file or any other specified file to our mail
    server it should be rejected or bounced back to same user .
    3) Plz let me know if anybody knows how to configure content
    filtering ???
    Thanks in Advance

    The only way for Messaging Server itself to do content filtering, such as you request is through the Conversion Channel. This is pretty inefficient.
    What most user do, is use external products, such as SpamAssassin, ClamAV, and such, which do a better job, more efficiently. These two products are free.

  • Cisco Content Engine for Content Filtering

    Hi All,
    I am looking for a low end solution for Content Filtering and would like to use Cisco Content Engine.
    1. The documentation said that Websense, Secure Computing SmartFilter (does not require separate SmartFilter) & N2H2 support is there on the CE. I used configurator on CE 510, but it did not give me option for any of those. I would appreciate any input in this regard.
    2. Also, I assume that once I get a Content Engine, I don't need to use Microsoft Proxy any more, please confirm.
    regards,
    Ahmer Ghazi

    You would have to Install the Smartfilter software on the Content engine that would work with the ACNS software running on the CE. SmartFilter software operates inside your network to control user access to external Internet resources and allows you to restrict access to World Wide Web pages, newsgroups, and FTP sites.
    For more details refer:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns41/smrtfltr/sf_chap1.htm
    The Content Engine does the job of storing content locally and serving it to the users, so you would not need to use the Microsoft Proxy.

  • Web Content Filtering / Virus Scanning appliance

    Hello all,
    I'm in the market for a content / url / virus scanning device for our network. We are currently using MXLogic's Web Defense service and while it's very cheap it is not suiting our needs. What I'm looking for is an appliance that will do content filtering but also virus / malware / spyware scanning on web traffic. I'd also need to be able to setup policies / groups for different set's of users. For instance the folks who purchase the products we sell need to be able to see our vendors media (streaming video) content while our sales folks don't. I can't currently do this with MXLogic, it's all or nothing.
    Our firewall is an ASA5510 and I've looked at the Content Security SSM-10 module with the plus license and while the pricing is definitely attractive I have a few questions about it. Does it integrate with MS Active Directory? In other words and it filter based on groups and policies or is it more IP / ACL based? Also does it perform well?
    I've also looked at the IronPort product cisco sell's and have similar questions regarding that mainly what are folks experience with it, is it something you would recommend?

    Hi Allen,
    To answer your questions related to the CSC module:
    1. No, the CSC module does not integrate with Active Directory. This is something that Trend Micro has in the works, but as of now there is no ETA for this functionality.
    2. The CSC module will perform fairly well if used in the environment it was designed for. I would recommend taking a look at the CSC sizing guide to see if the CSC-SSM-10 would be something that is scalable enough for your network:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.html
    I cannot speak to the performance/functionality of IronPort as I have not used it personally, but I have heard good things. Also, external appliances from Websense seem to be a popular choice when you need a product that is a bit more scalable or granular than what the CSC module can provide.
    Hope that helps.
    -Mike

Maybe you are looking for

  • USB 6009 Python Control

     Hello,  I am attempting to use python (with ctypes) to control my USB-6009.  The goal is to write out an analog voltage and then read in the voltage through an analog input with ability to change the number of points averaged and the number of times

  • Is there a way? Some iPhone/iPhoto questions

    to order the photos so that the latest photos in the past 12 mos are displayed? The default seems to be oldest first, making it a chore to see recent photos. I have about 4600 photos on there and it's a lot of trouble to see the recent ones. Also, im

  • Hot to get the deleted Standard Role in ABAP Stack ??

    Hello All, When I was testing a role in PFCG, unfortunately I deleted a standard SAP role. Now I need to bring it back or recreate the same one. Can any one advice me who can I get it back please. And one more thing here that when I am trying to copy

  • Tolerance check

    Dear All, Is it possible to restrict during goods receipt the number times a over or under delivery tolerance can be accepted. We are having a scenario where in the client want to accept over delivery tolerance for a given material only 3 times and n

  • Why does my iPod always break down in July?

    I have had my main iPod for a few years now, and every year it seems to have a problem! (main meaning it started off a couple of years ago as a smaller iPod, then thay changed it for a 40G, then that went wrong in July, and replaced it with a 60G) ev