Ironport WSA AV scanning
Hi Everyone.
Is there any information about the maximum file size that is scanned by the antivirus engine on the S170 and S370?
At the moment I am comparing the WSA with other vendors. Some competitors claim that Ironport does not scan all downloaded objects. It only scans objects which were downloaded from sites with poor reputation. Even "good" sites can be infected and such an approach can create a security hole. Some vendors have dedicated hardware where all objects are scanned.
I also found information that the WSA can work in two modes: Maximum Protection and High Performance.
I wonder what the impact on performance is when the WSA works in High Performance mode. Does anyone have any experience in that field (what is the latency, user experience)?
Best Regards,
Piotr
The maximum scannable file size is 32 MB by default.
I have not heard of a Maximum Protection/High Performance mode. But it is true that the WSA only scans objects from neutral/poor rated websites. Your concern about good rated websites containing malware is valid. But this is configurable. Obviously it will increase overhead due to the increased scanning, of course.
Similar Messages
-
End-user notification is not working for one of the uncategorized HTTPS websites on IronPort WSA
When users try to access the URL https://cloud.skytap.com/tools/connectivity they get 'Internet Explorer cannot display the webpage' instead of the regular IronPort WSA end-user notification. This URL is currently uncategorized. Please advise.
Yes, we have set it to drop all the uncategorized URLs. We do get end-user notifications for HTTP websites which are uncategorized.
However, for any of the HTTPS websites which are uncategorized, we won't get an end-user notification.
-
ACE working with IronPort WSA server farm
We have an ACE load balancing a group of IronPort WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not the WSA itself.
We followed the referenced document, but it is not working. When a packet coming from the Internet has the WSA client's address as its destination address, the ACE cannot deliver the packet even with mac-sticky configured.
I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
But we don't have this entry in the ARP table.
When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
Has anyone had this kind of problem on some occasion?
Thank you,
Everaldo
Hi Jorge,
The behavior is that when we have IP Spoofing configured on the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection to the Internet is not established. I captured the packets that arrive at the ACE coming from the Internet and I see SYN packets with a public IP (Google) as source address and the internal client IP address as destination address, with no ACK, just RST.
With no IP Spoofing, meaning that the source IP address is the WSA, the connection is established with no RST.
Following is the output of the commands:
show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 304
service-policy: WSA-VIPS
class: WSA_VIP_TCP_3128
VIP Address: Protocol: Port:
10.10.193.25 tcp eq 3128
loadbalance:
L7 loadbalance policy: WSA-POLICY
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 3 , hit count : 1260
dropped conns : 4
conns per second : 0
client pkt count : 19271 , client byte count: 2326106
server pkt count : 26140 , server byte count: 16572023
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : WSA-POLICY
class/match : class-default
LB action :
primary serverfarm: WSA_FARM
state: UP
backup serverfarm : -
hit count : 1260
dropped conns : 0
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
switch/WSA# show probe WSA_TCP_3128
probe : WSA_TCP_3128
type : TCP
state : ACTIVE
port : 3128 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 10
pass count: 3 fail count: 30 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WSA_FARM
real : WSA-01[0]
real : WSA-02[0]
10.10.193.37 3128 PROBE 15076 72 15004 SUCCESS
real : WSA-03[0]
real : WSA-04[0]
real : WSA-05[0]
real : WSA-06[0]
real : WSA-07[0]
real : WSA-08[0]
real : WSA-09[0]
real : WSA-10[0]
switch/WSA# show probe WSA_TCP_3128 detail
probe : WSA_TCP_3128
type : TCP
state : ACTIVE
description :
port : 3128 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 10
pass count: 3 fail count: 30 recv timeout: 10
conn termination : FORCED
expect offset : 0 , open timeout : 3
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : WSA_FARM
real : WSA-01[0]
real : WSA-02[0]
10.10.193.37 3128 PROBE 15088 72 15016 SUCCESS
Socket state : CLOSED
No. Passed states : 2 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Mon Sep 3 21:06:47 2012
Last fail time : Mon Sep 3 20:45:05 2012
Last active time : Mon Sep 3 20:45:57 2012
real : WSA-03[0]
real : WSA-04[0]
real : WSA-05[0]
real : WSA-06[0]
real : WSA-07[0]
real : WSA-08[0]
real : WSA-09[0]
real : WSA-10[0]
Thank you,
Everaldo
-
IronPort WSA with Authentication unable to access 2 character domain names with 2 character TLDNs
I've discovered an issue when requiring user authentication: some of the short URL sites like e2.ma will not load in Internet Explorer explicitly configured to go through an IronPort WSA. In testing with bogus domains (a.to, aa.to) it seems the issue is if the domain name is 1-2 characters and the top level domain name is also 2 characters long. Longer domains (aaa.to) work and return an IronPort error for DNS_FAIL. Does anyone know of a workaround to not have to allow all these as unauthenticated destinations?
Support pointed me towards that KB article as well, but it is for IE 5 (and fixed in IE 6), but IE 8+ uses a TLD list from Microsoft (visible by using res://urlmon.dll/ietldlist.xml) and I don't control the external website. I'm going to try using an IP address surrogate instead of session cookies for these domains and see if that resolves this.
-
IronPort WSA S650 Failed to acquire the server manifest
Hello,
I have a demo WSA S650 from Cisco and the appliance can't download the definition updates and AsyncOS updates.
IronPort WSA S650
According to:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/eol_c51-716512.html
the WSA's End of SW Maintenance Releases Date is December 31, 2012.
On cisco.com I can't find a new AsyncOS version for the S650 series in the download area (the section for the S650 is gone).
When I try to update the appliance I get the error: Failed to acquire the server manifest
From a browser I go to: http://updates.ironport.com/fetch_manifest.html
and after I insert the serial number and version I get the error:
An error occurred.
(('base', 'get_server_manifest', '851'), 'phone.base.ManifestError', 'Connection unexpectedly closed.', '[local_manifest|web_fetch_manifest|247] [local_manifest|assemble_manifest|299] [base|get_server_manifest|851]')
I believe that this WSA doesn't have the rights to download the web filtering definition updates! It seems that the appliance doesn't care about the update settings.
I have set up updates to be done via the data interface, all routes are checked and are OK, but the updates are not working.
When I set up only one interface for management and data, the updates were done right, so I suppose that the update was done on the management interface even though I set it up to be done on the data interface.
-
QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution
Hi all,
Our customer is a mobile operator. They need an integrated solution for caching, QoS and load balancing in combination. From my understanding of their goals, they need to provide stable and speedy broadband access as well as a good user experience through differentiated service offerings. They need to classify IP traffic and prioritize and control content-based services for a given subscriber, while transparently and dynamically redirecting and load balancing the application-level classified IP traffic to a proxy caching server regardless of protocol, such as http, https, ssl, ftp, flv, mms and rtsp, sip, p2p....
Attached please find the RFP and technical specification for Caching and QoS.
I would appreciate your expertise in advising me whether I can propose to them the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for load balancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable, and where could I find a reference or solution design or technical guidance on this?
Thanks a lot and would like to hear from you at the soonest!
Best regards,
-
Any methods to simulate Cisco IronPort WSA appliance for practice
Similar to GNS3 on which we can simulate ASA/Routers, same way any other methods to simulate Cisco IronPort WSA appliance for practice or testing? Please let me know. Thanks.
You can download the virtual WSA. I have not tried it so I'm not sure how it works without a license.
http://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=7.7.5&relind=AVAILABLE&rellifecycle=GD&reltype=latest
-
Request Sub-CA-Certificate for Ironport WSA
How do I request a Sub-CA certificate for an Ironport WSA? The GUI only offers the import of the public and private certificates to run the Ironport Proxy Appliance as a subordinate CA. The Root CA is a standalone CA from Microsoft.
Thanks for your help.
Here is the solution for this question:
The steps to use the sample inf file are:
run the command: certreq.exe -new certreq.inf cacert.req
submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
install the certificate by running the command: certreq.exe -accept newcacer.cer
export the certificate to a PFX file including the private key
using openssl convert the PFX file to PEM format with the following steps:
* extract the certificate file (the signed public key) from the pfx file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
* extract private key from a pfx file and write it to PEM file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
* remove the password from the private key file:
openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
That's all. Then you can import the Sub-CA cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root CA is trusted on the client).
Sample for the INF-File:
[Version]
Signature="$Windows NT$"
[Strings]
CACN = "Issuing CA"
[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"
[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
-
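The certreq/openssl procedure in the post above ends with a PEM certificate and an unencrypted PEM key ready for import into the WSA. Before importing them it is worth confirming that the pair really is a subordinate CA with the constraints the INF asked for, that the key belongs to the certificate, and that the passphrase really was removed. The POSIX shell script below is an added example; it is not part of the thread and not Cisco or Microsoft tooling. Because no Windows PFX is available here, it first builds a constructed throwaway root CA with openssl (standing in for the Microsoft standalone Root CA), issues a Sub-CA with the same constraints as the sample INF (ca=1, pathlength=0, keyCertSign|digitalSignature|cRLSign) and, as a negative case, a plain end-entity certificate, and then runs the checks. The file names mirror the thread's (SubCA_PubCert.pem, SubCA_PrivKey_unencrypted.pem); on a real export you would skip make_test_pki and point run_checks at the Root CA certificate, the extracted Sub-CA certificate and the decrypted key.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Sub-CA certificate/key pair
# before importing it into the WSA. A constructed throwaway root CA stands in
# for the Microsoft standalone Root CA so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the throwaway PKI: root CA, a Sub-CA issued with the same constraints
# as the sample INF, and a plain end-entity certificate used as the negative case.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Issuing CA" \
        -keyout "$WORK/SubCA_PrivKey_unencrypted.pem" -out "$WORK/cacert.req" 2>/dev/null
    printf '%s\n' \
        'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, digitalSignature, cRLSign' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' > "$WORK/subca.ext"
    openssl x509 -req -in "$WORK/cacert.req" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/subca.ext" \
        -out "$WORK/SubCA_PubCert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.req" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.req" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# 1. The Sub-CA must chain to the root that the clients trust.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 2. Basic Constraints must be CA:TRUE with pathlen:0 (INF: ca=1&pathlength=0).
check_basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

# 3. Key Usage must include Certificate Sign, or the proxy cannot issue certs.
check_key_usage() {
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# 4. The private key must belong to the certificate (identical public key).
check_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 5. The key must be unencrypted, as the thread's final "openssl rsa" step produces.
check_key_unencrypted() { ! grep -q 'ENCRYPTED' "$1"; }

# Run every check on (root cert, candidate cert, candidate key); print one line
# per check and return non-zero if any failed.
run_checks() {
    root="$1"; cert="$2"; key="$3"; rc=0
    for chk in "check_chain $root $cert" \
               "check_basic_constraints $cert" \
               "check_key_usage $cert" \
               "check_key_match $cert $key" \
               "check_key_unencrypted $key"; do
        if $chk; then echo "ok   ${chk%% *}"; else echo "FAIL ${chk%% *}"; rc=1; fi
    done
    return $rc
}

# Stand-alone run: build the PKI, then check the Sub-CA pair and the leaf.
make_test_pki
echo "== Sub-CA pair =="
run_checks "$WORK/root.pem" "$WORK/SubCA_PubCert.pem" "$WORK/SubCA_PrivKey_unencrypted.pem"
echo "== end-entity certificate (must be rejected) =="
run_checks "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/leaf.key" || echo "rejected as expected"
```

The Basic Constraints check looks for pathlen:0 specifically, matching the INF's pathlength=0: a Sub-CA without that limit could itself issue further CAs, which is more authority than the proxy needs to mint the per-site certificates the thread describes, and it is exactly the kind of detail that is easy to lose when a request template is edited.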
Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?
Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
How does the WSA handle complex protocols (such as FTP) through the proxy server?
We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
We have several apps that make use of the MS firewall client.
The MS firewall client enables HTTP tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
These apps use various ports, and there are rules set up on the ISAs specifically for these apps and their ports.
Also we have several uses of RDP, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers, and these have specific ISA rules set up for them too.
I can find HTTP tunneling software, commercial and freeware, but can't find any that I think will work through the IronPort WSA S370 proxy servers.
I would like to find someone who has implemented HTTP tunneling using IronPort WSA 370 proxy servers.
Thanks again for your input.
-
Is Network News Transfer Protocol supported on Cisco Ironport WSA S670?
Hi,
I have an issue with a customer with a Cisco Ironport WSA S670; my question is whether the WSA supports NNTP?
Thanks
Alex Juache
Hi Alejandro,
The WSA does not support NNTP.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
-
IronPort WSA management through Security Management Appliance
Hi,
I have two identically configured (policies) IronPort WSA S670 appliances running 7.5.0-833, both added to an SMA M670 management appliance running 7.9.1-102. Appliance A has its McAfee license expired. Newly installed appliance B has McAfee running for 28 more days. "Sophos" is enabled on both and working well. Config Master 7.5 was built based on the config from appliance A.
Now, when I want to push the Config Master to both associated WSAs, it fails on appliance B as "McAfee" is disabled in the Config Master but enabled on it. The setting "Security Services Display" in the M670 was changed to enable "McAfee", but now appliance A fails, giving a mismatch error on publishing.
How do I work around this? Can the McAfee license/feature key on appliance B be expired/disabled now without waiting 28 days to let it expire?
Thanks,
Rick.
Hello Rick,
You can disable McAfee globally on the SMA by going to:
GUI -> Web -> Utilities -> Security Services Display -> Edit Display Settings -> Under Configuration Master 7.5 ->
Do your Web Appliances have McAfee Anti-Malware enabled? -> Uncheck the box and submit.
Also, disable McAfee on the appliance that has 28 days of the license left. This way McAfee will be disabled on all your boxes.
I hope this helps.
Regards,
-Puja
-
Ironport WSA - Management interface
Hello,
I have installed one Ironport WSA appliance for my customer.
I would like to configure the following interfaces:
-M1 : for the management
-P1 : for the production interface
-T1 : for L4 inspection
I have specified a default route for M1 and P1.
When I tried to ping the Internet or perform an update of the WSA, I saw the request exit via the M1 interface.
It doesn't work because the management network can't reach the Internet (it's the policy of the customer).
-Is it normal that the upgrade of the WSA and the ping exit via the M1 interface?
-If I want to perform authentication in NTLM (with an AD domain), is the exchange with the server and the client performed via P1 or M1?
-Do the antivirus & SensorBase updates use M1 or P1?
-I thought that M1 was only used for the management of the WSA (SSH and HTTPS).
-How can the WSA appliance manage two default routes?
Can you give me more information about M1 and P1 and the role of each one?
Best Regards
Cédric
You can change the route that updates and upgrades use by going to System Administration > Upgrade and Update Settings. Then click on "Edit Update Settings". You can pick the routing table/interface here. By default it's set to the management interface.
I'm fairly sure that the NTLM traffic from the WSA to the domain is via the management interface.
P1 is for the proxy traffic. Whatever way you get internet traffic to the box, it goes through P1, in and out (unless you use P2).
M1 is for all of the other stuff: web management, ssh, updates, ldap/ntauth, etc.
-
IronPort WSA S170 and Context directory agent
Hello people and experts,
I need your consultation regarding IronPort and CDA deployment.
I couldn't find any information in internet...
So my question is - if IronPort is AD domain member and Explicit forward proxy is planned to be used. Do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?
As I understood, CDA is useful when IronPort works as a Transparent Proxy or if IronPort is not a member of the same domain as the users.
Please advise.
The CDA eliminates the need for NTLM authentication. Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X. When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on to this particular IP address. Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.
-
I'm hoping for some help with trying to authenticate Apple iOS devices via an Ironport S650.
I'm authenticating devices to the corporate network successfully with NPS, however I'm frequently encountering authentication failures.
In the authlogs I am seeing a number of messages such as:
Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user []\[[email protected]]@[DN6FXBA4DFJ1] failed due to [No such user]
Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[DN6FXBA4DFJ1] failed due to [Invalid workstation}
I have configured the iPad to use the proxy server on port 80 and entered a valid username (iPad) and password. On launching Safari, I am repeatedly prompted for a username and password still.
Having done a little more reading, I gather that this is just the first of many issues I may encounter. As such, I'm keen to know if anybody has successfully deployed iPads connecting to the web via an Ironport appliance and if so what you would recommend.
Thanks,
Neil
Hi Neil,
How to process Apple QuickTime (MAC/OSX) requests via Cisco Ironport Web Security
Appliance (WSA) if NTLM authentication is required?
Environment:
Cisco Ironport Web Security Appliance (WSA)
NTLM authentication using the schemes "NTLMSSP" or "Basic or NTLMSSP"
Mac OS X 10.5 (Leopard) / Mac OS X 10.6 (Snow Leopard)
Apple QuickTime (verified 7.6.5 / 7.6.6)
Symptoms:
The Mac OS X version of QuickTime fails to pass the NTLM authentication challenge and to fetch streaming
content via WSA if either the NTLM scheme "NTLMSSP" or "Basic or NTLMSSP"
has been selected. Executing QuickTime in embedded (browser) or standalone mode makes no difference.
Solution:
QuickTime for Mac OS X does not support the NTLM authentication schemes "NTLMSSP" and "Basic or NTLMSSP".
QuickTime will establish connections once one of the following workarounds has been applied:
(A) Disable authentication (Not recommended)
(B) Change the global authentication scheme to NTLM "Basic (only)".
(C) Create an authentication exception for the OSX QuickTime player using the
custom user agent "QuickTime" or "QuickTime/VERSION" (QuickTime/7.6.6 for example).
-
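Neil's authlog excerpt above shows two different failures for the same iPad: "No such user" for the bare username, and NT_STATUS_INVALID_WORKSTATION for the domain account, which is the Windows status a domain controller returns when the account is not permitted to log on from the workstation name the client presented. The POSIX shell script below is an added example, not from the thread and not Cisco tooling: it runs over an authlog export and groups the failures so the dominant reason and the affected accounts stand out before anyone changes the proxy configuration. The log lines it contains are constructed to follow the PROX_AUTH format quoted above; DOMAIN, the account names and the workstation names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): summarise WSA proxy-authentication
# failures from an authlog export. The lines below are constructed to match
# the PROX_AUTH format quoted in the thread; names are made up.
set -eu

AUTHLOG="${AUTHLOG:-$(mktemp)}"
cat > "$AUTHLOG" <<'EOF'
Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user []\[ipad@example.local]@[IPAD-WS01] failed due to [No such user]
Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[IPAD-WS01] failed due to [Invalid workstation]
Tue Nov 20 14:28:02 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
Tue Nov 20 14:28:02 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[IPAD-WS01] failed due to [Invalid workstation]
Tue Nov 20 14:29:10 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
Tue Nov 20 14:29:10 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[IPAD-WS01] failed due to [Invalid workstation]
Tue Nov 20 14:30:15 2012 Info: PROX_AUTH : - : Login for user []\[jdoe@example.local]@[LAPTOP-07] failed due to [No such user]
EOF

# Total number of failed logins in the export.
failure_count() {
    grep -c 'PROX_AUTH.*failed due to' "$1"
}

# Failures grouped by the reason the WSA records, most frequent first,
# printed as "<count> <reason>".
failures_by_reason() {
    sed -n 's/.*PROX_AUTH.*failed due to \[\(.*\)].*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Accounts whose NTLM handshake the domain rejected with
# NT_STATUS_INVALID_WORKSTATION, i.e. the account may not log on from the
# workstation name the client presented. Output looks like [DOMAIN]\[user].
invalid_workstation_users() {
    sed -n 's/.*NTLM CRAP authentication for user \(\[[^]]*]\\\[[^]]*]\) returned NT_STATUS_INVALID_WORKSTATION.*/\1/p' "$1" \
        | sort -u
}

# Stand-alone run over the constructed export.
echo "failed logins: $(failure_count "$AUTHLOG")"
failures_by_reason "$AUTHLOG"
echo "accounts hitting NT_STATUS_INVALID_WORKSTATION:"
invalid_workstation_users "$AUTHLOG"
```

On a real export, point AUTHLOG at the file instead of letting the script create one. When the leading reason is "Invalid workstation" for a handful of accounts, the cause is the account's workstation logon restriction in AD rather than the WSA's authentication realm, so the proxy scheme changes suggested for QuickTime would not help that case.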
Hi All,
We are using an Ironport S670 with AsyncOS version 6.3.7-018. We are planning to upgrade AsyncOS to the new version 7.5.0-826. As we are new to this WSA we need the procedure and steps to upgrade.
Kindly someone help us with upgrading.
Guru
If you go to the bottom of the email that you got from Cisco... it's there... (I've copied the relevant section below)
You REALLY need to read the release notes... There's a fair number of changes that you need to know about.
For further information about this release, please refer to the AsyncOS Release Notes. The release notes are available on our Support Portal:
WSA: http://www.cisco.com/en/US/products/ps10164/prod_release_notes_list.html
SMA: http://www.cisco.com/en/US/products/ps10155/prod_release_notes_list.html
If you do not have a Cisco.com User ID use this link to register.
You will need to use your new or existing Cisco.com User ID. Once you have received your Cisco User ID, please link it to your Cisco Service Contract Number.
Instructions for linking your account are located at: http://www.ironport.com/support/vod2.html.
Your Cisco Service Contract Number is xxxxxxx
If you are concerned about an issue not listed there, please contact your authorized support provider to make an inquiry.
How to Upgrade
Prior to upgrading to this release, please read the Release Notes referenced above and save a copy of the configuration file somewhere other than on your appliance.
Once you have read the Release Notes you may log into the command line of your IronPort Appliance as the 'admin' user, and type 'upgrade', or use the WebUI upgrade functionality in the 'System Administration' tab.
You may upgrade directly to the highest version available in the displayed list.
**NOTE** It is important that you follow the upgrade instructions available in the Release Notes. If you do attempt to upgrade and do not see the desired release version available, your appliance is likely not on a version allowed to upgrade directly. See 'Upgrade Paths' below.
Upgrade Paths
Please refer to the Release Notes for qualified upgrade paths.
If your systems are on any other AsyncOS release, you will need to perform multiple upgrades as specified in the release notes. Only the immediate next step in the upgrade path will be shown to you, with the next revision being shown once you are at the approved level.