Cisco Web Security Appliance S690X User guide

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD

(General Deployment)

First Published: 2020-01-15

Last Modified: 2020-12-10

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,

INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,

EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH

THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,

CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.

CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT

LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS

HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network

topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional

and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:

https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a

partnership relationship between Cisco and any other company. (1721R)

CONTENTS

Introduction to the Product and the Release 1

CHAPTER 1

Introduction to the Web Security Appliance 1

What’s New in AsyncOS 12.5 1

Related Topics 3

Using the Appliance Web Interface 3

Web Interface Browser Requirements 3

Enabling Access to the Web Interface on Virtual Appliances 4

Accessing the Appliance Web Interface 5

Committing Changes in the Web Interface 6

Clearing Changes in the Web Interface 6

Supported Languages 6

The Cisco SensorBase Network 7

SensorBase Benefits and Privacy 7

Enabling Participation in The Cisco SensorBase Network 7

Connect, Install, and Configure 9

CHAPTER 2

Overview of Connect, Install, and Configure 9

Comparison of Modes of Operation 10

Task Overview for Connecting, Installing, and Configuring 13

Connecting the Appliance 13

Gathering Setup Information 15

System Setup Wizard 17

System Setup Wizard Reference Information 18

Network / System Settings 18

Network / Network Context 19

Network / Cloud Connector Settings 20

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

iii

Network / Network Interfaces and Wiring 20

Network / Layer 4 Traffic Monitor Wiring 21

Network / Routes for Management and Data Traffic 21

Network / Transparent Connection Settings 21

Network /Administrative Settings 22

Security / Security Settings 23

Upstream Proxies 23

Upstream Proxies Task Overview 24

Creating Proxy Groups for Upstream Proxies 24

Network Interfaces 25

IP Address Versions 25

Enabling or Changing Network Interfaces 26

Configuring Failover Groups for High Availability 27

Add Failover Group 28

Edit High Availability Global Settings 29

View Status of Failover Groups 29

Using the P2 Data Interface for Web Proxy Data 29

Configuring TCP/IP Traffic Routes 30

Outbound Services Traffic 31

Modifying the Default Route 32

Adding a Route 32

Saving and Loading Routing Tables 32

Deleting a Route 32

Configuring Transparent Redirection 33

Specifying a Transparent Redirection Device 33

Using An L4 Switch 33

Configuring WCCP Services 34

Increasing Interface Capacity Using VLANs 38

Configuring and Managing VLANs 38

Redirect Hostname and System Hostname 41

Changing the Redirect Hostname 41

Changing the System Hostname 41

Configuring SMTP Relay Host Settings 41

Configuring an SMTP Relay Host 42

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

iv

Contents

DNS Settings 42

Split DNS 43

Clearing the DNS Cache 43

Editing DNS Settings 43

Troubleshooting Connect, Install, and Configure 44

Connect the Appliance to a Cisco Cloud Web Security Proxy 45

CHAPTER 3

How to Configure and Use Features in Cloud Connector Mode 45

Deployment in Cloud Connector Mode 45

Configuring the Cloud Connector 46

Controlling Web Access Using Directory Groups in the Cloud 49

Bypassing the Cloud Proxy Server 49

Partial Support for FTP and HTTPS in Cloud Connector Mode 49

Preventing Loss of Secure Data 50

Viewing Group and User Names and IP Addresses 50

Subscribing to Cloud Connector Logs 50

Identification Profiles and Authentication with Cloud Web Security Connector 51

Identifying Machines for Policy Application 51

Guest Access for Unauthenticated Users 52

Intercepting Web Requests 53

CHAPTER 4

Overview of Intercepting Web Requests 53

Tasks for Intercepting Web Requests 53

Best Practices for Intercepting Web Requests 54

Web Proxy Options for Intercepting Web Requests 55

Configuring Web Proxy Settings 55

Web Proxy Cache 57

Clearing the Web Proxy Cache 58

Removing URLs from the Web Proxy Cache 58

Specifying Domains or URLs that the Web Proxy never Caches 58

Choosing The Web Proxy Cache Mode 59

Web Proxy IP Spoofing 60

Creating IP Spoofing Profiles 61

Web Proxy Custom Headers 62

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

v

Contents

Adding Custom Headers To Web Requests 62

Web Proxy Bypassing 63

Web Proxy Bypassing for Web Requests 63

Configuring Web Proxy Bypassing for Web Requests 63

Configuring Web Proxy Bypassing for Applications 64

Web Proxy Usage Agreement 64

Domain Map 64

Domain Map for Specific Applications 64

Client Options for Redirecting Web Requests 66

Using PAC Files with Client Applications 66

Options For Publishing Proxy Auto-Config (PAC) Files 66

Client Options For Finding Proxy Auto-Config (PAC) Files 67

Automatic PAC File Detection 67

Hosting PAC Files on the Web Security Appliance 67

Specifying PAC Files in Client Applications 68

Configuring a PAC File Location Manually in Clients 68

Detecting the PAC File Automatically in Clients 69

FTP Proxy Services 69

Overview of FTP Proxy Services 69

Enabling and Configuring the FTP Proxy 69

SOCKS Proxy Services 71

Overview of SOCKS Proxy Services 71

Enabling Processing of SOCKS Traffic 72

Configuring the SOCKS Proxy 72

Creating SOCKS Policies 72

Troubleshooting Intercepting Requests 73

Acquire End-User Credentials 75

CHAPTER 5

Overview of Acquire End-User Credentials 75

Authentication Task Overview 75

Authentication Best Practices 76

Authentication Planning 76

Active Directory/Kerberos 77

Active Directory/Basic 78

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

vi

Contents

Active Directory/NTLMSSP 79

LDAP/Basic 79

Identifying Users Transparently 80

Understanding Transparent User Identification 80

Rules and Guidelines for Transparent User Identification 82

Configuring Transparent User Identification 83

Using the CLI to Configure Advanced Transparent User Identification Settings 83

Configuring Single-Sign-on 84

Creating a Service Account in Windows Active Directory for Kerberos Authentication in High

Availability Deployments 84

Authentication Realms 86

External Authentication 86

Configuring External Authentication through an LDAP Server 87

Enabling RADIUS External Authentication 87

Creating an Active Directory Realm for Kerberos Authentication Scheme 87

How to Create an Active Directory Authentication Realm (NTLMSSP and Basic) 91

Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic)

91

About Using Multiple NTLM Realms and Domains 91

Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 92

Creating an LDAP Authentication Realm 93

Using Multiple NTLM Realms and Domains 98

About Deleting Authentication Realms 98

Configuring Global Authentication Settings 98

Authentication Sequences 103

About Authentication Sequences 103

Creating Authentication Sequences 104

Editing And Reordering Authentication Sequences 105

Deleting Authentication Sequences 105

Failed Authentication 105

About Failed Authentication 105

Bypassing Authentication with Problematic User Agents 106

Bypassing Authentication 107

Permitting Unauthenticated Traffic While Authentication Service is Unavailable 108

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

vii

Contents

Granting Guest Access After Failed Authentication 108

Define an Identification Profile that Supports Guest Access 108

Use an Identification Profile that Supports Guest Access in a Policy 108

Configure How Guest User Details are Logged 109

Failed Authorization: Allowing Re-Authentication with Different Credentials 109

About Allowing Re-Authentication with Different Credentials 109

Allowing Re-Authentication with Different Credentials 110

Tracking Identified Users 110

Supported Authentication Surrogates for Explicit Requests 110

Supported Authentication Surrogates for Transparent Requests 110

Tracking Re-Authenticated Users 111

Credentials 111

Tracking Credentials for Reuse During a Session 112

Authentication and Authorization Failures 112

Credential Format 112

Credential Encryption for Basic Authentication 113

About Credential Encryption for Basic Authentication 113

Configuring Credential Encryption 113

Troubleshooting Authentication 113

Classify End-Users for Policy Application 115

CHAPTER 6

Overview of Classify Users and Client Software 115

Classify Users and Client Software: Best Practices 116

Identification Profile Criteria 116

Classifying Users and Client Software 117

Enable/Disable an Identity 122

Identification Profiles and Authentication 123

Troubleshooting Identification Profiles 124

SaaS Access Control 125

CHAPTER 7

Overview of SaaS Access Control 125

Configuring the Appliance as an Identity Provider 126

Using SaaS Access Control and Multiple Appliances 127

Creating SaaS Application Authentication Policies 128

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

viii

Contents

Configuring End-user Access to the Single Sign-on URL 130

Integrate the Cisco Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC) 131

CHAPTER 8

Overview of the Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC) Service

131

About pxGrid 133

About the ISE/ISE-PIC Server Deployment and Failover 133

ISE/ISE-PIC Certificates 134

Using Self-signed Certificates 134

Using CA-signed Certificates 134

Fallback Authentication 135

Tasks for Integrating the ISE/ISE-PIC Service 135

Generating Certificate through ISE/ISE-PIC 136

Configuring ISE/ISE-PIC server for Web Security Appliance Access 137

Connect to the ISE/ISE-PIC Services 137

Import the Self-signed Web Security Appliance Client Certificate to ISE/ISE-PIC Standalone

Deployment 139

Import the Self-signed Web Security Appliance Client Certificate to ISE/ISE-PIC Distributed

Deployment 140

Configuring logging for ISE/ISE-PIC 141

Acquiring ISE/ISE-PIC ERS Server Details from ISE/ISE-PIC 142

VDI (Virtual Desktop Infrastructure) User Authentication in ISE/ISE-PIC Integrations 142

Troubleshooting Identity Services Engine Problems 143

Classify URLs for Policy Application 145

CHAPTER 9

Overview of Categorizing URL Transactions 145

Categorization of Failed URL Transactions 146

Enabling the Dynamic Content Analysis Engine 146

Uncategorized URLs 146

Matching URLs to URL Categories 147

Reporting Uncategorized and Misclassified URLs 147

URL Categories Database 147

Configuring the URL Filtering Engine 148

Managing Updates to the Set of URL Categories 148

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

ix

Contents

Understanding the Impacts of URL Category Set Updates 149

Effects of URL Category Set Changes on Policy Group Membership 149

Effects of URL Category Set Updates on Filtering Actions in Policies 149

Merged Categories - Examples 152

Controlling Updates to the URL Category Set 152

Manually Updating the URL Category Set 153

Default Settings for New and Changed Categories 153

Verifying Existing Settings and/or Making Changes 153

Receiving Alerts About Category and Policy Changes 154

Responding to Alerts about URL Category Set Updates 154

Filtering Transactions Using URL Categories 154

Configuring URL Filters for Access Policy Groups 155

Exceptions to Blocking for Embedded and Referred Content 156

Configuring URL Filters for Decryption Policy Groups 158

Configuring URL Filters for Data Security Policy Groups 159

YouTube Categorization 160

Enabling the YouTube Categorization Feature 161

Creating and Editing Custom URL Categories 162

Address Formats and Feed-file Formats for Custom and External URL Categories 166

External Feed-file Formats 167

Filtering Adult Content 168

Enforcing Safe Searches and Site Content Ratings 169

Logging Adult Content Access 170

Redirecting Traffic in the Access Policies 170

Logging and Reporting 171

Warning Users and Allowing Them to Continue 171

Configuring Settings for the End-User Filtering Warning Page 171

Creating Time Based URL Filters 172

Viewing URL Filtering Activity 173

Understanding Unfiltered and Uncategorized Data 173

URL Category Logging in Access Logs 173

Regular Expressions 173

Forming Regular Expressions 174

Guidelines for Avoiding Validation Failures 174

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

x

Contents

Regular Expression Character Table 176

URL Category Descriptions 177

Create Policies to Control Internet Requests 193

CHAPTER 10

Overview of Policies: Control Intercepted Internet Requests 193

Intercepted HTTP/HTTPS Request Processing 194

Managing Web Requests Through Policies Task Overview 195

Managing Web Requests Through Policies Best Practices 195

Policies 195

Policy Types 195

Policy Order 198

Creating a Policy 199

Adding and Editing Secure Group Tags for a Policy 202

Adding Routing Destination and IP Spoofing Profile to Routing Policy 203

Policy Configuration 204

Access Policies: Blocking Objects 205

Archive Inspection Settings 208

Block, Allow, or Redirect Transaction Requests 209

Client Applications 210

About Client Applications 210

Using Client Applications in Policies 211

Defining Policy Membership Using Client Applications 211

Defining Policy Control Settings Using Client Applications 211

Exempting Client Applications from Authentication 212

Time Ranges and Quotas 212

Time Ranges for Policies and Acceptable Use Controls 212

Creating a Time Range 212

Time and Volume Quotas 213

Volume Quota Calculations 214

Time Quota Calculations 214

Defining Time and Volume Quotas 214

Access Control by URL Category 215

Using URL Categories to Identify Web Requests 215

Using URL Categories to Action Web Request 215

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xi

Contents

Remote Users 216

About Remote Users 216

How to Configure Identification of Remote Users 217

Configuring Identification of Remote Users 217

Display Remote User Status and Statistics for ASAs 218

Troubleshooting Policies 219

Create Decryption Policies to Control HTTPS Traffic 221

CHAPTER 11

Overview of Create Decryption Policies to Control HTTPS Traffic 221

Managing HTTPS Traffic through Decryption Policies Task Overview 222

Managing HTTPS Traffic through Decryption Policies Best Practices 222

Decryption Policies 222

Enabling the HTTPS Proxy 224

Controlling HTTPS Traffic 225

Configuring Decryption Options 227

Authentication and HTTPS Connections 228

Root Certificates 228

Managing Certificate Validation and Decryption for HTTPS 229

Valid Certificates 229

Invalid Certificate Handling 230

Uploading a Root Certificate and Key 230

Generating a Certificate and Key for the HTTPS Proxy 231

Configuring Invalid Certificate Handling 231

Options for Certificate Revocation Status Checking 232

Enabling Real-Time Revocation Status Checking 232

Trusted Root Certificates 233

Adding Certificates to the Trusted List 233

Removing Certificates from the Trusted List 234

Routing HTTPS Traffic 234

Troubleshooting Decryption/HTTPS/Certificates 234

Scan Outbound Traffic for Existing Infections 235

CHAPTER 12

Overview of Scanning Outbound Traffic 235

User Experience When Requests Are Blocked by the DVS Engine 235

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xii

Contents

Understanding Upload Requests 236

Criteria for Group Membership 236

Matching Client Requests to Outbound Malware Scanning Policy Groups 236

Creating Outbound Malware Scanning Policies 237

Controlling Upload Requests 238

Logging of DVS Scanning 239

Configuring Security Services 241

CHAPTER 13

Overview of Configuring Security Services 241

Overview of Web Reputation Filters 242

Web Reputation Scores 242

Understanding How Web Reputation Filtering Works 242

Web Reputation in Access Policies 243

Web Reputation in Decryption Policies 243

Web Reputation in Cisco Data Security Policies 244

Overview of Anti-Malware Scanning 244

Understanding How the DVS Engine Works 244

Working with Multiple Malware Verdicts 244

Webroot Scanning 245

McAfee Scanning 245

Matching Virus Signature Patterns 246

Heuristic Analysis 246

McAfee Categories 246

Sophos Scanning 246

Understanding Adaptive Scanning 246

Adaptive Scanning and Access Policies 247

Enabling Anti-Malware and Reputation Filters 247

Clearing the Advanced Malware Protection Services Cache 248

Configuring Anti-Malware and Reputation in Policies 249

Anti-Malware and Reputation Settings in Access Policies 249

Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Enabled 250

Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Disabled 251

Configuring Web Reputation Scores 252

Configuring Web Reputation Score Thresholds for Access Policies 252

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xiii

Contents

Configuring Web Reputation Filter Settings for Decryption Policy Groups 252

Configuring Web Reputation Filter Settings for Data Security Policy Groups 253

Integrating the Appliance with AMP for Endpoints Console 253

Maintaining the Database Tables 255

The Web Reputation Database 255

Logging of Web Reputation Filtering Activity and DVS Scanning 255

Logging Adaptive Scanning 256

Caching 256

Malware Category Descriptions 256

File Reputation Filtering and File Analysis 259

CHAPTER 14

Overview of File Reputation Filtering and File Analysis 259

File Threat Verdict Updates 259

File Processing Overview 260

Supported Files for File Reputation and Analysis Services 261

Archive or Compressed File Processing 262

Privacy of Information Sent to the Cloud 263

Configuring File Reputation and Analysis Features 263

Requirements for Communication with File Reputation and Analysis Services 263

Routing Traffic to File Reputation and File Analysis Servers Through a Data Interface 264

Configuring an On-premises File Reputation Server 265

Configuring an On-Premises File Analysis Server 265

Enabling and Configuring File Reputation and Analysis Services 266

Important! Changes Needed in File Analysis Setting 270

(Public Cloud File Analysis Services Only) Configuring Appliance Groups 270

Which Appliances Are In the Analysis Group? 271

Configuring File Reputation and Analysis Service Action Per Access Policy 271

Ensuring That You Receive Alerts About Advanced Malware Protection Issues 272

Configuring Centralized Reporting for Advanced Malware Protection Features 272

File Reputation and File Analysis Reporting and Tracking 273

Identifying Files by SHA-256 Hash 273

File Reputation and File Analysis Report Pages 273

Viewing File Reputation Filtering Data in Other Reports 274

About Web Tracking and Advanced Malware Protection Features 274

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xiv

Contents

Taking Action When File Threat Verdicts Change 275

Troubleshooting File Reputation and Analysis 276

Log Files 276

Several Alerts About Failure to Connect to File Reputation or File Analysis Servers 276

API Key Error (On-Premises File Analysis) 276

Files are Not Uploaded As Expected 277

File Analysis Details in the Cloud Are Incomplete 277

Alerts about File Types That Can Be Sent for Analysis 277

Managing Access to Web Applications 279

CHAPTER 15

Overview of Managing Access to Web Applications 279

Enabling the AVC Engine 280

AVC Engine Updates and Default Actions 280

User Experience When Requests Are Blocked by the AVC Engine 281

Policy Application Control Settings 281

Range Request Settings 282

Rules and Guidelines for Configuring Application Control 282

Configuring Application Control Settings in an Access Policy Group 283

Controlling Bandwidth 284

Configuring Overall Bandwidth Limits 284

Configuring User Bandwidth Limits 285

Configuring the Default Bandwidth Limit for an Application Type 285

Overriding the Default Bandwidth Limit for an Application Type 285

Configuring Bandwidth Controls for an Application 286

Controlling Instant Messaging Traffic 286

Viewing AVC Activity 287

AVC Information in Access Log File 287

Prevent Loss of Sensitive Data 289

CHAPTER 16

Overview of Prevent Loss of Sensitive Data 289

Bypassing Upload Requests Below a Minimum Size 290

User Experience When Requests Are Blocked As Sensitive Data 290

Managing Upload Requests 291

Managing Upload Requests on an External DLP System 291

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xv

Contents

Evaluating Data Security and External DLP Policy Group Membership 292

Matching Client Requests to Data Security and External DLP Policy Groups 292

Creating Data Security and External DLP Policies 293

Managing Settings for Upload Requests 295

URL Categories 295

Web Reputation 296

Content Blocking 296

Defining External DLP Systems 296

Configuring External DLP Servers 297

Controlling Upload Requests Using External DLP Policies 299

Logging of Data Loss Prevention Scanning 299

Notify End-Users of Proxy Actions 301

CHAPTER 17

End-User Notifications Overview 301

Configuring General Settings for Notification Pages 302

End-User Acknowledgment Page 302

Access HTTPS and FTP Sites with the End-User Acknowledgment Page 303

About the End-user Acknowledgment Page 303

Configuring the End-User Acknowledgment Page 304

End-User Notification Pages 305

Configuring On-Box End-User Notification Pages 306

Off-Box End-User Notification Pages 307

Displaying the Correct Off-Box Page Based on the Reason for Blocking Access 307

URL Criteria for Off-Box Notification Pages 307

Off-Box End-User Notification Page Parameters 308

Redirecting End-User Notification Pages to a Custom URL (Off-Box) 309

Configuring the End-User URL Filtering Warning Page 309

Configuring FTP Notification Messages 310

Custom Messages on Notification Pages 310

Supported HTML Tags in Custom Messages on Notification Pages 310

Caveats for URLs and Logos in Notification Pages 311

Editing Notification Page HTML Files Directly 312

Requirements for Editing Notification HTML Files Directly 312

Editing Notification HTML Files Directly 312

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xvi

Contents

Using Variables in Notification HTML Files 313

Variables for Customizing Notification HTML Files 314

Notification Page Types 316

Generate Reports to Monitor End-user Activity 325

CHAPTER 18

Overview of Reporting 325

Working with Usernames in Reports 325

Report Pages 326

Using the Reporting Pages 326

Changing the Time Range 327

Choosing a Time Range for Reports 327

Searching Data 328

Choosing Which Data to Chart 328

Custom Reports 329

Modules That Cannot Be Added to Custom Reports 329

Creating Your Custom Report Page 329

Subdomains vs. Second-level Domains in Reporting and Tracking 330

Printing and Exporting Reports from Report Pages 330

Exporting Report Data 330

Using the Interactive Report Pages on the New Web Interface 331

Enabling Reporting 332

Scheduling Reports 332

Adding a Scheduled Report 333

Editing Scheduled Reports 333

Deleting Scheduled Reports 334

Generating Reports On Demand 334

Archived Reports 334

Troubleshooting L4 Traffic Monitor Reports 335

Web Security Appliance Reports 337

CHAPTER 19

Overview Page 337

Users Page 339

User Details Page 339

User Count Page 340

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xvii

Contents

Web Sites Page 340

URL Categories Page 340

URL Category Set Updates and Reports 341

Application Visibility Page 341

Anti-Malware Page 342

Malware Category Report Page 342

Malware Threat Report Page 342

Advanced Malware Protection Page 343

File Analysis Page 343

AMP Verdict Updates Page 343

Client Malware Risk Page 343

Client Detail Page for Web Proxy - Clients by Malware Risk 343

Web Reputation Filters Page 344

L4 Traffic Monitor Page 344

SOCKS Proxy Page 345

Reports by User Location Page 345

Web Tracking Page 346

Searching for Transactions Processed by the Web Proxy 346

Searching for Transactions Processed by the L4 Traffic Monitor 348

Searching for Transactions Processed by the SOCKS Proxy 349

System Capacity Page 349

System Status Page 349

Web Security Appliance Reports on the New Web Interface 353

CHAPTER 20

Understanding the Web Reporting Pages on the New Web Interface 353

About Time Spent 355

Overview Page 356

Application Visibility Page 357

Layer 4 Traffic Monitor Page 359

SOCKS Proxy Page 361

URL Categories Page 362

Reducing Uncategorized URLs 363

URL Category Set Updates and Reports 363

Using The URL Categories Page in Conjunction with Other Reporting Pages 363

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xviii

Contents

Reporting Misclassified and Uncategorized URLs 364

HTTPS Reports Page 364

Users Page 365

User Details Page (Web Reporting) 366

Web Sites Page 368

Advanced Malware Protection Page 369

Advanced Malware Protection - AMP Summary Page 370

Advanced Malware Protection - File Analysis Page 370

Anti-Malware Page 371

Malware Category Report Page 372

Malware Threat Report 372

Malware Category Descriptions 372

Client Malware Risks Page 374

Web Reputation Filters Page 374

(Web Reports Only) Choosing Which Data to Chart 376

Web Tracking on the New Web Interface 377

Searching for Transactions Processed by Web Proxy Services 377

Malware Category Descriptions 379

Searching for Transactions Processed by the Layer 4 Traffic Monitor 381

Searching for Transactions Processed by the SOCKS Proxy 381

Working with Web Tracking Search Results 381

Displaying More Web Tracking Search Results 382

Understanding Web Tracking Search Results 382

Viewing Transaction Details for Web Tracking Search Results 382

About Web Tracking and Upgrades 383

Scheduling and Archiving Web Reports on the New Web Interface 383

Scheduling Web Reports on the New Web Interface 383

Adding Scheduled Web Reports on the New Web Interface 383

Editing Scheduled Web Reports on the New Web Interface 384

Deleting Scheduled Web Reports on the New Web Interface 384

Archiving Web Reports on the New Web Interface 384

[New Web Interface] Generating Web Reports on Demand 384

System Status Page on the New Web Interface 385

Status 386

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xix

Contents

Services 387

Detecting Rogue Traffic on Non-Standard Ports 391

CHAPTER 21

Overview of Detecting Rogue Traffic 391

Configuring the L4 Traffic Monitor 391

List of Known Sites 392

Configuring L4 Traffic Monitor Global Settings 392

Updating L4 Traffic Monitor Anti-Malware Rules 393

Creating a Policy to Detect Rogue Traffic 393

Valid Formats 394

Viewing L4 Traffic Monitor Activity 394

Monitoring Activity and Viewing Summary Statistics 394

L4 Traffic Monitor Log File Entries 395

Monitor System Activity Through Logs 397

CHAPTER 22

Overview of Logging 397

Common Tasks for Logging 398

Best Practices for Logging 398

Troubleshooting Web Proxy Issues Using Logs 398

Log File Types 399

Adding and Editing Log Subscriptions 404

Deanonymizing W3C Log Fields 408

Pushing Log Files to Another Server 409

Archiving Log Files 409

Log File Names and Appliance Directory Structure 410

Reading and Interpreting Log Files 410

Viewing Log Files 411

Web Proxy Information in Access Log Files 411

Transaction Result Codes 415

ACL Decision Tags 416

Interpreting Access Log Scanning Verdict Entries 421

W3C Compliant Access Log Files 428

W3C Field Types 428

Interpreting W3C Access Logs 428

User Guide for AsyncOS 12.5 for Cisco Web Security Appliances - GD (General Deployment)

xx

Contents

Page is loading ...

Related papers

Other documents