IOS URL Filtering (FW Feature Set - Websense)

We are considering enabling this feature at our remote sites, with Websense server at corporate location. Has anyone enabled this feature at their remotes? If so, what was the user experience considering the additional latency of WAN? Any feedback would be appreciated.

I've seen WebSense on a LAN only, but I've used SurfControl with local databases and integrated into non-Cisco products. Integrated filtering uses an Internet server for URL filter, so it is similar to using a WAN or VPN.
Websense on the LAN didn't slow things down any more than just using 'http inspect' or 'appfw'. Integrated filtering noticeably slows down browsing for non-cached results. Extreme cases like cnn.com or msn.com could take up to 10-12 seconds longer for the first page load. Local caching evens performance out a bit, so it's not that bad.
It really kind of depends on the WAN connection that you are using, the number of users and the response time of the Websense filter server. If latency to the central site is under 100ms and there are fewer than 20 or so users remotely, your scenario should be fine. Your suggestion is still likely to offer better performance than routing all internet traffic through the central site in a typical setup.

Similar Messages

  • IOS URL filtering - CPU spike

    Hi All,
    Whenever I set up URL filtering in 1841 router with policy-map type http and zone-pair command, I experience 100% CPU spike. Is there any workaround?
    thanks for any suggestion
    Alex

    Deep packet inspection for URL filtering is pretty much CPU intensive, I am afraid that without HW upgrade, there is nothing you can do about that.
    Do you monitor CPU utilization with correlation to traffic load on device?
    Best Regards
    Please rate all helpful posts and close solved questions

  • IOS Content Filtering - Is No More ?

    Cisco very quickly End of Lifed the IOS Content Filtering offering last year
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
    For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
    Cisco are pushing Scansafe as their current offering, which has probably led to a falling out with Trend who provided the underlying service for IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal, i.e. SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions from other suppliers"
    So we are left with a router platform which is fine and content filtering which was fine but are now unable to re-licence the URL filtering service and will stop working in about 30 days and there is apparently nothing we can do about it
    Does anyone know if Trend still operate the URL filtering subscription service and whether there is a way of getting a subscription renewal direct?
    (I'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
    Or of any alternative simple and cost effective solution we can configure the router to use
    (please tell me we're not back to SurfControl/Websense solutions again..)
    thanks
    Sez

    Approached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. it's not our fault (but strangely the problem is the customers)
    Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
    Also scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer from Cisco is basically - yep spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisco.com for scansafe - i.e. covering SKU/ordering models etc... It always just says 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
    If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Cisco's valued customers
    Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
    I have found we are not alone in this, most customers are only finding out about this mess when existing IOS URL Filtering licences expire and go for renewal only to find the 3 month EOL process has stealthily boatanchored their implementation.
    Sez

  • IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?

    I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription.
    Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
    Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
    I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
    Thanks!
    Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

    Hmm... no thoughts over the weekend. Anyone?

  • Websense URL Filtering is not working in transparent proxy mode

    The "sh ip wccp web-cach detail" shows that the redirection to the CE cluster (5 of them) is working but the URL filtering doesn't work at all. The Websense server is on the same VLAN as all the 5 CE. This thing happened when we reconfigured the wccp router list in all the 5 CE to point to the msfc vlan ip from the loopback ip address of the msfc. But the strange thing is the filtering works well when we manually configured the proxy server in the internet explorer to point to the CE. Any advice?
    Thanks.
    William

    Problem is due to absence of Host header field. Most of the browsers will send host header field. But in HTTP/1.0 Host header is not a must, though most of the browsers send it.
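
An added sketch (not part of the thread, and not Cisco or Websense code) of why the same request can be filtered through an explicit proxy yet missed after transparent redirection: the filter has to rebuild the URL, and without a Host header only the destination IP is left. The category table, hostname and IP address are constructed, and the hostname-keyed lookup and the `block_unresolved` option are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed category table keyed by hostname (assumption, not real filter data).
CATEGORY_DB = {"blocked.example": "Adult-Mature-Content"}

# Constructed sample requests.
EXPLICIT = b"GET http://blocked.example/index.html HTTP/1.0\r\n\r\n"
TRANSPARENT_11 = b"GET /index.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
TRANSPARENT_10 = b"GET /index.html HTTP/1.0\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def url_for_filter(raw: bytes, orig_dst_ip: str):
    """Return (url, source): the URL a filter can rebuild and where it came from."""
    _, target, _, headers = parse_request(raw)
    if target.lower().startswith("http://"):
        # Explicit proxy: the browser sends absolute-form, hostname is in the request line.
        return target, "absolute-uri"
    host = headers.get("host")
    if host:
        # Transparent redirect: origin-form target, hostname only in the Host header.
        return f"http://{host}{target}", "host-header"
    # No Host header: only the redirected packet's destination IP remains.
    return f"http://{orig_dst_ip}{target}", "dst-ip"


def verdict(raw: bytes, orig_dst_ip: str, block_unresolved: bool = False):
    """Return (action, reason) for a request under the constructed policy."""
    url, source = url_for_filter(raw, orig_dst_ip)
    if source == "dst-ip" and block_unresolved:
        # Hypothetical hardening: refuse requests whose hostname cannot be recovered.
        return "block", "no-hostname"
    category = CATEGORY_DB.get(urlsplit(url).hostname)
    return ("block", category) if category else ("allow", None)


if __name__ == "__main__":
    for name, req in [("explicit proxy", EXPLICIT),
                      ("transparent, Host present", TRANSPARENT_11),
                      ("transparent, no Host", TRANSPARENT_10)]:
        print(name, url_for_filter(req, "192.0.2.10"), verdict(req, "192.0.2.10"))
```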

  • Asking for IOS Feature Set

    Hi!
    I'm planning to upgrade the IOS of our Cisco 7206 router. Just would like to clarify what feature set C7200-IS-M is. Actual output from "sh ver": (C7200-IS-M) 12.0(6)W5(14).
    Thanks in advance!
    udimpas

    Hello,
    Thanks for the reply. One more clarification, I have checked with the software advisor but IP Plus has a code of IS-MZ for newer versions. Or maybe because early versions (12.0) of IP Plus have a different code?
    Thanks again.
    Regards,
    udimpas

  • Deploying IOS firewall feature set

    Hi All,
    We are trying to deploy firewall feature in the 2811 router by using the SDM 2.5. We chose option for basic firewall setup. It required us to choose trusted and non-trusted interfaces and we did the same. It added access-list inbound on the trusted interface and ip inspect command on the un-trusted interface.
    Also, initially we want to allow all traffic from untrusted-interface to the trusted interface, so we manually allowed permit ip any to inside network block? Is that right?
    We have another question, we would be having another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or non-trusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the non-trusted interface?
    Any help would be really appreciated
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Hello Anantha,
    "Also, initially we want to allow all traffic from untrusted-interface " That would entirely break the idea of deploying the IOS Firewall. Nature of stateful firewall that comes with IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.
    "We have another question, we would be having another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or non-trusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the non-trusted interface?"
    If the inspection rule is applied to outbound direction of untrusted interface, feel free to unset other interfaces as trusted.
    Regards

  • Filtering packets w/ IDS feature set based on TTL?

    Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.
    Mike
    CCNA

    The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:
    Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)
    Drop the packet
    Reset the TCP connection

  • Do I need IOS firewall feature set on Catalyst 6500 for FW blade?

    Hi all,
    If I install a FW blade in Cat6500, should I need to have the IOS firewall feature set on Cat6500 itself?
    Thanks and Regards,
    mak

    Nope.
    The FWSM uses its own OS based on PIX OS. While it uses SVIs configured in the MSFC, it otherwise runs autonomously from the Sup and MSFC, even in Native mode.
    Let me know if this helps by rating the post.
    Michael

  • IOS feature set

    Guys I'm sure this is a goofy question but I can't seem to find the answer.
    I am wanting to know where I can find the difference between the different feature sets?
    Example: Enterprise plus, ip, ip plus, remote access server, etc etc
    Is there a feature break down of sorts that I can look to know whether I want the ip or ip plus feature set etc etc
    Thanks
    Jimmy

    Hi
    There are various types of packages which are defined for specific functions, e.g. IP routing, Advanced routing, VPN encryption, voice etc.
    Cisco has made different types of packages for different requirements. E.g. if a customer is a simple SMB, then he can go for a simple IP feature IOS set. If it's a corporate, he needs advanced functionalities such as BGP etc. So he can have IP/PLUS IOS feature set, and so on...
    Please view the IOS packaging guide at the following link
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html
    The following is the link for router's IOS
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html
    And the following is the link for switches
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin0900aecd80281b17.html
    Hope that will help.
    Pls rate helpful posts.
    Regards
    JD

  • [Trend Micro Ios content filtering] parameter-type command under policy map not available

    Hi, all:
    I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
    On this particular testbed, I have a 2900 running:
    System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
    And the following licensing:
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot 
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    uc            uck9          Permanent      uck9
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    CUBE_GOLD_MEX#show ip trm subscription status
           Package Name:  Security & Productivity (Trial)
                 Status:  Active
    Status Update Time:  18:02:51 CST Mon Jul 23 2012
        Expiration-Date:  Mon Aug 20 02:00:00 2012
        Last Req Status:  Processed response successfully
    Last Req Sent Time:  18:02:51 CST Mon Jul 23 2012
    CUBE_GOLD_MEX#
    Also, I have the following config lines on it:
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 4.2.2.2
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend tm-pmap
    allow-mode on
    [snip]
    parameter-map type trend-global trend-glob-map
    class-map type inspect match-all http-imap
    match protocol http
    class-map type urlfilter trend match-any drop-category
    match url category Abortion
    match url category Activist-Groups
    match url category Adult-Mature-Content
    match url reputation ADWARE
    match url reputation DIALER
    match url reputation DISEASE-VECTOR
    match url reputation HACKING
    match url reputation PASSWORD-CRACKING-APPLICATIONS
    match url reputation PHISHING
    match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match url reputation SPYWARE
    match url reputation VIRUS-ACCOMPLICE
    policy-map type inspect urlfilter trend-policy
    class type urlfilter trend drop-category
    I have not been able to get to the good part of configuring the ZBF.
    I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
    XXXXXX(config)#policy-map type inspect urlfilter trend-policy
    XXXXXX(config-pmap)#?
    Policy-map configuration commands:
      class        policy criteria
      description  Policy-Map description
      exit         Exit from policy-map configuration mode
      no           Negate or set default values of a command
    XXXXXX(config-pmap)#
    I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
    Can anyone provide some assistance?
    TIA.
    c.

    Hi Carlos,
    I am having the same problem. I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the IOS documentation for 15.2. Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • How can I achieve IOS content filtering using a Cisco router

    Good day Everybody.
    I would like to set up content filtering using IOS on my Cisco router. I already know how to do URL filtering but I want to restrict access to sites based on categories.
    Is this possible without having to introduce an external device?

    Natively in IOS this is not possible. However you can configure CWS (Cisco Web Security). The router will forward web requests to a cloud based web security service.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/data_sheet_c78-729637.html

  • Time pattern to allow user breakthrough URLFilter over IOS content filtering

    hi
    I have a client who did request me to create such a thing for them over IOS content filtering + Trend Micro based subscription (till this level I'm not sure whether it is feasible)
    The scenario would be:
    Group 1 of users is the marketing subnet; from 0800 hours to 1700 hours they are prohibited from accessing any of the blocked blacklist sites (either from local and/or Trend Micro reputation / category blacklist URL)
    Is there any way I can enable the router to recognize the time and then let users gain access after 1700 hours?
    Can TCL do this? Any other workaround for this?
    thank you
    Noel

  • IOS content filtering on trend micro subscription

    hi
    I just finished setting up the IOS content filtering on C1841. Basically it's a combo of local filtering and Trend Micro subscription based. All the parameter-map, class-map, policy-map and zone firewall settings are up and ready to go.
    Some questions to ask
    1. How do I examine whether Trend Micro content filtering on its REPUTATION and CATEGORIES is really working?
    As usual, after setting up these commands:
    parameter-map type trend-global MY-GLOBAL-PARAM
    server trps.trendmicro.com
    parameter-map type urlfpolicy trend MY-PARAM
    allow-mode on
    block-page message "bla-bla-bla"
    class-map type urlfilter trend match-any trend-block-categories
    match url category Adult-Mature-Content
    class-map type urlfilter trend match-any trend-block-reputation
    match url reputation ADWARE
    policy-map type inspect urlfilter MY-ACTION
      parameter type urlfpolicy trend MY-PARAM
      class type urlfilter trend trend-block-categories
      reset
      class type urlfilter trend trend-block-reputation
      reset
    So for my zone firewall policy:
    policy-map type inspect out->in
    class type inspect trafic
    inspect
    service-policy urlfilter MY-ACTION
    Then I apply the zone-pair to the outside and inside interface, everything set to go.
    So far what I can block is only using URL-blacklist to block the whole domain. Anyway, how can I leave it totally to the Trend Micro subscription license to do it all?
    noel

  • Basic URL filtering

    Hi,
    I need to buy a firewall with some basic URL filtering. I only need to deny access to some URL and not using a service like Websense or something like that.
    I would like to do this with an ISR, like 2800 family, because I don't need anti-x features but only basic firewalling, VPN, and Voice features.
    The other option is to use ASA 5520, but I would like to make the simple URL filtering without the need to use CSC module.
    Is there any way to do this?
    Mario.

    There is no need to go for an ASA. A 2800 ISR will do.
    Refer to the following URLs for more details,
    http://cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html
    http://cisco.com/en/US/products/ps6643/products_white_paper0900aecd804abb11.shtml
