Pix web filtering using Websense

Hello,
I have recently come across the need to troubleshoot why https (port 443) traffic going to facebook.com is not being redirected to the Websense server as http (port 80) traffic is.  I have configured a command to filter https traffic but our testing reveals that https traffic doesn't seem to be redirected by the PIX firewall.  Below are the commands which I have configured.  Can someone take a look and let me know what else is needed or why it is still not working?
url-server (Inside) vendor websense host 172.16.1.10 timeout 30 protocol TCP version 4 connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
Thanks in advance,
Adil Nasser

try
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
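
The gap between the question's `filter url 443` line and the `filter https` line suggested in the reply can be checked mechanically. The Python below is an added example, not part of the original thread or of any Cisco tool; it assumes PIX/ASA semantics in which `filter url` sends only cleartext HTTP on the named port to the url-server and the `allow` keyword lets traffic pass when that server is unreachable, and the names `parse_filters` and `audit` are illustrative.

```python
import re

# Constructed input: the three statements quoted in the question above.
QUESTION_CONFIG = """\
url-server (Inside) vendor websense host 172.16.1.10 timeout 30 protocol TCP version 4 connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
"""

# filter <url|https|ftp> <port spec> <local ip> <local mask> <foreign ip> <foreign mask> [options]
FILTER_RE = re.compile(
    r"^filter\s+(url|https|ftp)\s+(http|except|\d+(?:-\d+)?)"
    r"((?:\s+\d+\.\d+\.\d+\.\d+){4})(.*)$")


def port_range(token):
    """Turn 'http', '443' or '8080-8090' into an inclusive (low, high) pair."""
    if token == "http":
        return 80, 80
    low, _, high = token.partition("-")
    return int(low), int(high or low)


def parse_filters(config_text):
    """Return (url_server_defined, list of filter dicts) from config text."""
    server, filters = False, []
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("url-server "):
            server = True
        m = FILTER_RE.match(line)
        if m and m.group(2) != "except":   # 'except' lines are exemptions, skipped here
            low, high = port_range(m.group(2))
            filters.append({"kind": m.group(1), "low": low, "high": high,
                            "fail_open": "allow" in m.group(4).split(),
                            "line": line})
    return server, filters


def audit(config_text, tls_port=443):
    """Return (code, detail) findings about HTTPS coverage and fail-open filters."""
    server, filters = parse_filters(config_text)
    findings = []
    if filters and not server:
        findings.append(("NO_URL_SERVER", "filter statements but no url-server line"))

    def covers(f):
        return f["low"] <= tls_port <= f["high"]

    # An HTTP filter bound to the TLS port never sees a URL inside the TLS session.
    for f in filters:
        if f["kind"] == "url" and covers(f):
            findings.append(("URL_FILTER_ON_TLS_PORT", f["line"]))
    if not any(f["kind"] == "https" and covers(f) for f in filters):
        findings.append(("NO_HTTPS_FILTER", f"no 'filter https' covers port {tls_port}"))
    # 'allow' means users browse unfiltered whenever the url-server is down.
    for f in filters:
        if f["fail_open"]:
            findings.append(("FAIL_OPEN", f["line"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit(QUESTION_CONFIG):
        print(f"{code}: {detail}")
```

Run against the question's configuration it reports the HTTP filter bound to port 443, the missing HTTPS filter, and both fail-open statements.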

Similar Messages

  • ASA5505 WEB FILTERING

    Hi Experts,
    I am going to implement an ASA5505 in one of my offices. I would like to use the web filtering feature on it.
    Will it cause any performance degradation in the ASA? Will it utilize more memory?
    Thanks
    Vipin

    Hi,
    Web filtering with Websense or blocking certain sites using MPF? In either case, only an excessive amount of traffic will cause the CPU to go high. It is really hard to calculate the amount of CPU or memory that this process may take, but I am assuming only a high amount of traffic could cause a degradation in the performance of the ASA.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    Mike

  • Can Cisco connect be used for small business web filtering?

    I am searching for a web filtering solution for our small church.  The core requirement is to use a hardware-based solution to filter all internet traffic.  Our current wiring looks like this: [ISP router] --> [switch] --> [Open Mesh wireless access points].  Can I connect a Linksys EA2700/3500/4500/6500 between the [ISP router] and the [Switch], disable the Linksys wireless, and use Cisco Connect to filter all the internet traffic?
    More info: We will only have a handful of wired/wireless devices which we have control over.  We expect most of the rest of the traffic to be generally outside our control via personally owned devices connecting thru the public wifi.  Therefore any solution which requires installation of software on individual devices will not work.
    (If there are other threads on this topic I'd be more than happy to read them, I just couldn't find any.)
    Thanks!!

    Hey
    check this article:
    http://www.oracle.com/technology/pub/articles/cunningham-database-xe.html
    Regards

  • How to use Web Filters methodology  with Internal ITS with NW2004s

    ITS 6.2 will no longer be supported going forward with the upcoming NW2004s. Only internal ITS will be supported with 2004s. However, since PAS APIs are not available with Internal ITS, can anyone give some clue on how we can use the Web Filters methodology with Internal ITS with 2004s?

    A long time ago, but yesterday I have had time to try again to set up the MacMini server properly. But no luck.
    sudo changeip -checkhostname
    gives me:
    Primary address          = 192.168.1.** (I don't know if it's safe enough to put this IP complete on the net)
    Current HostName      = server.beeldenstorm.be
    The DNS hostname is not available, please repair DNS and re-run this tool.
    dirserv:success           = "success"
    So there is something wrong. But how to repair the DNS?
    MacMini server is working properly on our local network, but outside not. I have done the port forwarding.
    Another problem is that I have read that for the server to work properly we have to use a fixed IP address.
    So, that's what I am doing. But in that way there is no internet connection at all.
    So, no updates and ... .
    Lookup and Ping test, outside our local network:
    http://beeldenstorm.be/doc/lookup-and-ping.pdf
    Why is this so irritating and are there so many problems on forums?
    I know: because most of us are not network/server specialists.
    But Apple sells this server app like an app for everybody, easy to install?
    Thanks for help.

  • Websense web filtering not working with 2911 with zone based firewall

    Hi,
    Has anyone run into this issue?
    We use Websense for guest wifi but I don't see requests hitting the Websense server.
    Config is below:
    class-map type inspect match-any test-1
     match protocol http
    policy-map type inspect Wifi-test
     class type inspect  test-1
      inspect
      urlfilter websense-parmap
     class class-default
      drop
    parameter-map type urlfilter websense-parmap
     server vendor websense 10.10.1.4
     source-interface GigabitEthernet0/2
     allow-mode on
     cache 100
    zone-pair security Wifi-in-out source Wifi destination outside
     service-policy type inspect Wifi-test
    interface GigabitEthernet0/1
     description Internet
     ip address 192.168.10.1 255.255.255.0
     ip nbar protocol-discovery
     ip nat inside
     ip virtual-reassembly in
     zone-member security Wifi
    interface GigabitEthernet0/2
     description LAN
     ip address 10.10.4.1 255.255.255.0
     zone-member security inside

    Hi Stan,
    You should be able to adapt this config example to your environment.
    Andy-
    class-map type inspect match-any http-cm
     match protocol http
    parameter-map type urlfpolicy websense websense-parm
     server <websense server IP>
     source-interface <lan interface>
     allow-mode on
     truncate hostname
    class-map type urlfilter websense match-any websense-cm
     match server-response any
    policy-map type inspect urlfilter websense-pm
     parameter type urlfpolicy websense websense-parm
     class type urlfilter websense websense-cm
      server-specified-action
    policy-map type inspect Inside->Internet-pm
     description Inside trusted to Internet
     class type inspect http-cm
      inspect
      service-policy urlfilter websense-pm
     class type inspect Inside->Internet-cm
      inspect
     class class-default
      drop
    zone-pair security Inside->Internet source Inside destination Internet
     service-policy type inspect Inside->Internet-pm
    ! to check status & url block counts
    show policy-map type inspect zone-pair Inside->Internet urlfilter

  • Resizing pixs for web page use

    I have resized the photos to use on MS Frontpage but when the thumbnails are clicked on to be enlarged in the web page they are still too large. How do I make photos usable for web page use?

    What version of Elements are you using? How are you now going about creating the thumbnails and larger images? What size are you making the large ones? I suspect all you need to do is change the width and height parameters to something smaller.

  • Global Web Filtering Options

    I am looking for a global web filtering solution for our business but am having trouble finding a solution that will work acceptably for us globally.
    The problem is that our company has hundreds of very small offices (mostly only 2-3 users with the odd larger office) located in remote locations all around the world where WAN links are very expensive and slow.
    We use all small office type cisco routers in our remote offices of various types (such as 800 series) and are rolling out WAAS/WAVE solutions to optimise our slow WAN links as much as possible, and all sites have site-to-site VPNs from the routers to our UK-based data centres.
    Currently we use Websense configured on the local routers at a few of our offices with a regional server in places such as the UK for most of Europe, and Mobile for most of the US for example.
    We could expand this to all locations, including Australasia, Middle East, Far East and Africa etc. but due to the remote locations we would need many local servers in many countries as the infrastructure to have just one regional Websense server isn't good enough in these areas and web performance would be too slow to be useable due to the latency to the Websense server location. It simply isn't financially feasible to put in hundreds of servers at lots of 2-3 man offices in the middle of no-where so I've been looking at other options.
    I was hoping a hosted solution would be the answer, but I've looked at WebSense's hosted service and it doesn't appear to cover all regions (just has server farms in US/Europe which is no good for Africa etc.) I've also looked at Symantec MessageLabs but this has the same problem as there is no coverage in the Middle East/Asia/Africa etc and it proxies all web traffic so performance at these sites would probably be appalling with the limited bandwidth on top of the latency to the closest MessageLabs servers.
    I've now seen that Cisco have a new IOS Content Filter which uses Trend database servers. This sounded promising as it appears to cache the URL checks on the router making the server location less of an issue. But I'd still like to know where in the world they cover (I've seen reference to only 4 data centres globally). My other concern with this solution is whether it integrates into AD, so we can apply policies based on the user accounts like we do currently with the WebSense solution. The last thing is the price of this solution as it appears to be licensed based on the number of routers rather than the number of users. As our users are so spread out with only 2-3 users per router on average this is likely to mean for us this solution will be ridiculously expensive, can anyone advise if this is the case?
    My question therefore is can anyone advise on a solution for this that will work with our Cisco infrastructure in all our offices without having to purchase lots of servers for remote locations? I've seen that other vendors such as the Astaro Security Gateway have web filtering built into their products without the need for external servers, but I'd prefer to stick with Cisco if at all possible.
    Many thanks for any advice/help anyone can give me in this area.
    Paul

    Hi Paul,
    IOS Content filtering is licensed on a per router basis, you are right. So, probably that would not scale for you.
    Cisco has other solutions with Web Filtering and Ironport engines. The challenge in your setup is that each remote site would need to "call" to a central web filtering location that will be making the decision on allowing or no. Or you would need a service that scales well on a per continent basis. There are some new Cisco web filtering options that could scale with servers almost everywhere in the world. But I don't think you can get a concise answer from this forum about your potential choices here.
    Your local Cisco team will be able to provide you with these options. You are welcome to give them my email if they need to talk to me internally.
    I hope it helps a little.
    PK

  • Web filtering/monitoring

    Dear All,
    We have one customer who needs a web filtering and monitoring product. Please advise me what can be the best solution. They have around 300 users. Can we give them iron port or ASA.
    Your consideration in this regard will highly be commendable.
    Thanks & Regards,
    Malik

    Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)
    You can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.
    When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. Better option is to use WPAD (web proxy auto-detect) and have your browsers point-to and/or be explicitly configured to use the proxy.

  • Overly restrictive Web filtering

    During the day, I'm connected to the Internet behind a very restrictive content filtering appliance. I'd like the ability to simply check my .Mac email and my GMail accounts during lunch, but those sites are blocked.
    What I'm envisioning is using a Web browser at my office (MSIE or Firefox) to connect to a server at my home on port 80 or 443. (Obviously, I'd like my home server to require some kind of authentication to prevent abuse, etc.) My home server would fetch content on my behalf from these other services on whatever ports are necessary (probably 80, 443, etc.) and funnel them back to me.
    I think the answer to my question lies in running my own proxy server at home, but I'm not sure of what my options are. Has anybody out there done something similar to his? I'm hoping for some starting points at the very least.... Thanks!


  • [sce8000 web filtering / parental controls]

    Hi, All:
    In a couple of Cisco URLs it says that the SCE8000 integrates with Websense (and AdvancedMobile) to support url filtering and parental controls. See here:
    http://www.cisco.com/en/US/partner/prod/collateral/ps7045/ps6129/ps6257/ps6135/white_paper_c11-606444.html
    http://www.cisco.com/en/US/prod/collateral/ps7045/ps6129/ps6133/ps9591/siminn_cs.pdf
    Can you please confirm this is true and tell me exactly which Websense product is supported? Is it Websense web filter or Websense web security?
    I contacted a Websense rep yesterday and they are not aware of being able to integrate with the sce8000 and don't know the product that integrates with the sce8000. On the web I found mentions of Websense CPA and the sce8000, which Websense tells me is a completely different product than web filter or web security.
    Please advise,
    c.

    Carlos,
    I'm not sure whether websense has declared EoS for CPA, but better contact following Knepher, Jonathan ([email protected])
    further contact your local cisco team, as there were plans of Cisco Business unit to integrate SCE with Cisco WSA for content filtering, further you can also look for bright cloud webroot solution as there were plans to integrate this with SCE8K by end of this quarter.

  • Web Filtering Cisco ASA 5510

    Hello !
    I'm a network administrator, and I have been looking at how to set up web filtering in a network. We are using a Cisco ASA 5510 as a firewall and I have been looking for a way to block URLs such as Facebook and streaming web sites, since users are allowed to access any website and they have been downloading stuff lately and I can't control the bandwidth!!
    What do you guys recommend?
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Expressions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512,5525,5545,5545,5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Web-filtering on ASA5512X

    Hi,
    I want to know how we can achieve web filtering on an ASA5512-X running 9.1(2).
    Can we do web filtering by configuration or with some module?
    Regards,
    Rahul Chhabra
    Network Engineer
    Spooster IT Services

    The right way to do it is by using the FirePOWER sw-module. But limited filtering is also possible with the L7-inspection which is built into the ASA.

  • Web Filtering Proxy Suggestions

    I'm looking into web-filtering & monitoring software to run in a small business (5 -10 users). Either for use on OS X Server or separate mac machine. Only basic requirements are online-updatable web site classifications and time controls. Anybody currently use anything which I can add to my list, in case I miss something?
    Thanks
    -david
    PS. I'm also looking at hardware based solutions for larger businesses (20-50 users) but this is maybe off-topic for an Apple forum... however...

    dfelicia wrote:Surely more than I need, but this is tempting me: http://www.amazon.com/gp/product/B006TO … B006TODPPS
    The price seems a bit high to me. I "only" paid around  $350 for my Core i3-540 system including a Lian Li PC-Q07B Mini-ITX case, 4GB G.Skill DDR3 ECO Ram and a 500GB 2,5" harddrive.

  • ISA570 - SPAM and Web Filtering Only

    I want to use my new ISA570 for SPAM and Web filtering but not as a firewall or VPN endpoint at this time.  I want to continue to use my existing firewall for the other 2 services.  Is it possible to do this and does the ISA570 need an external IP address in order to leverage the other functions?

    Steve,
    I believe you can accomplish what you are wanting by enabling Routing Mode (Networking -> Routing -> Routing Mode).  Routing mode basically turns off NAT on the device but allows the other security functions to still continue working.  So for example, this would be your configuration to add the ISA.
    Placement
    Internet -> Current Firewall -> ISA -> Network Switch(s) -> Workstations/Servers
    Example configs
    Current Firewall
    Outside IP - 1.1.1.1 /24
    Inside IP - 10.0.0.1 /24
    ISA
    WAN1 IP - 10.0.0.2 /24
    WAN Gateway - 10.0.0.1
    LAN IP - 10.1.0.1 /24
    Workstation/Server Gateway - 10.1.0.1
    Additional Configuration
    ISA
    Networking -> Routing -> Routing Mode
    Enable
    Firewall -> Access Control -> ACL Rules
    Add ACL Rule to Permit Any Any and ensure it's at the top of the list
    Security -> Dashboard
    Disable everything except SPAM and Web Filtering
    The ISA doesn't require you to configure an External IP on it.  You just need to ensure it has Internet Access so it can continue to get updates for the services you are utilizing.
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • How to web filtering via two network cards?

    I have installed Server 2008 and two network cards on my PC. One LAN card for clients access and one for internet router. I need to share internet connection to my client computers with web filtering. So how to do that? I need to block some sites to client access.

    Hi,
    According to your description, my understanding is that you want to use the WS 2008 to share Internet connection and provide web filtering function for internal clients.
    Internal clients –(NIC1) WS 2008(NIC2) – Internet router – Internet network
    Manually assign IP address, default gateway, DNS server, etc. on NIC2. Manually assign IP address, DNS server, etc. on NIC1.
    Install Network Policy and Access Services – Routing and Remote Access Services. Detailed steps reference:
    Install and Enable the Routing and Remote Access Service
    https://technet.microsoft.com/en-us/library/cc770798(v=ws.10).aspx
    Then open Routing and Remote Access and start configuration. Enable NAT on NIC2 to transfer IP address. Detailed steps reference:
    Enable and Configure NAT
    https://technet.microsoft.com/en-us/library/dd469812.aspx
    Windows Server itself does not support web-based filter, third-party tools with application-layer firewall might be needed to realize this function. Configure WS as a router, it supports IP packet filtering, which specifies which type of traffic is allowed into and out of the router. Reference:
    https://technet.microsoft.com/en-us/library/cc732746(v=ws.10).aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
