
© 2015, Cisco Systems. Last Modified September 2015. All rights reserved.

Web Security Appliance Administration Lab (Version 8.8)

Table of Contents

Objectives ... 1
Lab Choices and Dependencies ... 2
Lab Topology ... 3
Lab Access, Login and Password Information ... 4
Lab 1 – Basic WSA Configuration and Testing ... 6
Lab 2 – Proxy Authentication ... 10
Lab 3 – Basic Policy Configuration ... 12
Lab 4 – Enforcing Acceptable Use ... 15
Lab 5 – Protecting Against Malware ... 18
Lab 6 – Reporting and Web Tracking ... 25
Lab 7 – Adaptive Scanning ... 27
Lab 8 – Advanced Malware Protection (AMP) ... 29
Lab 9 – Time and Volume Based Quotas ... 31
Lab 10: Custom Headers ... 33
Lab 11: High Availability ... 35
Lab 12: Cisco Advanced Web Reporting (Web Security Appliance and Cloud Web Security) ... 41

Objectives

This hands-on lab will focus on the creation, administration and reporting of policies that control the various aspects of the Cisco IronPort Web Security Appliance. Exercises will simulate the most common configuration, troubleshooting and reporting tasks that are typical in customer installations. Features such as Acceptable Use, Web Security, Application Visibility and On-Box reporting will be covered. At the completion of this lab, you will be able to:

• Use the System Setup Wizard to perform initial WSA configuration
• Utilize Proxy Authentication
• Utilize the WSA policy framework
• Enforce acceptable use
• Protect against malware
• Create meaningful reports
• Utilize web tracking and troubleshoot WSA configuration
• Configure WSA for High Availability
• Create meaningful reports from the WSA Advanced Reporting application


Lab Choices and Dependencies

There are 3 to 4 hours of lab exercises. Which exercises you choose depends upon your background and requirements. Labs 1 and 2 are needed for most subsequent labs. Here are some suggested sequences.

• Students familiar with the WSA who want to learn the new features available in AsyncOS 7.7: Perform Lab 1, Lab 2, Lab 3, Lab 9 and Lab 10
• Students familiar with the WSA who want to learn the new features available in AsyncOS 8.0.5: Perform Lab 1, Lab 2, Lab 3, Lab 5 and Lab 8
• Students familiar with the WSA who want to learn the new features available in AsyncOS 8.8: Perform Lab 9
• Students familiar with the WSA who would like to learn advanced features in AsyncOS 8.8: Perform Lab 11, Lab 12
• Students requiring basic WSA training: Start with Lab 1 and go as far as you can in the allotted time. If you make it to Lab 5, you have done very well. If you make it through Lab 6, you have completed the basic exercises.


Lab Topology


Lab Access, Login and Password Information

Student Portal URL: https://labops-out.cisco.com/labops/ilt
Student Email: <Your email Address> (first-time users need to register)
Class Name: Assigned by Proctor
POD: Assigned by Proctor

Please click on the POD assigned by the Proctor and the lab will be loaded.

Under Topology, click on the endpoint; this will download an RDP profile. (Please download an RDP client if you don’t have one.)

Win7-1 Login: Administrator. Password: cisco123
You will connect to this endpoint using Remote Desktop from your laptop. All of the lab exercises can be run from the desktop of the Win 7 image. The reason TUI (and Single Sign-On) will not work from this endpoint is that it belongs to the wrong (GOLD) domain.

WSA Login: admin. Password: ironport
The WSA can be accessed from the XP desktop:

• SSH access to the CLI using PuTTY
• WSA GUI using Firefox – use the link on the favorites toolbar

Browser access to the lab exercise pages (outside.wsa.train) is available via links in the Firefox browser:


Active Directory Login: Administrator. Password: cisco
You will connect to this server via Remote Desktop from XP – you cannot connect to it directly. The IP address is 172.20.11.210. You will need to connect to this server during Lab 8 when you configure the AD Agent for Transparent User Identification.

In order to complete the lab exercises, you will need to know the following three Active Directory groups:

• engineering
• it
• hr

You also need to know the following five users:

• nina (a member of neither group – remember “nina none”)
• angie (a member of the engineering group – remember “angie engineering”)
• eyetea (a member of the it group – remember “eyetea IT”)
• harry (a member of the hr group – remember “harry HR”)
• operator (a privileged user with the ability to create computer objects on the AD server)

However, just in case you want to create your own experiments and scenarios, there are two additional groups:

• finance
• investment

and four additional users:

• fred (a member of the finance group – remember “fred finance”)
• ira (a member of the investment group – remember “ira investment”)
• beth (a member of both the finance and investment groups – remember “beth both”)
• allen (a member of all 5 groups – remember “allen all”)

All these users have a password of ironport.


Lab 1 – Basic WSA Configuration and Testing

In this lab exercise, you will perform basic WSA configuration, including the following.

• Run the System Setup Wizard
• Configure URL filters to create a simple acceptable use policy
• Verify the WSA proxy functionality
• View the proxy access log and HTTP headers
• View the updater log

Key Note: Browsers will serve two roles in this lab:

• Administer the WSA – for this you will use Mozilla Firefox. You will not configure any proxy settings.
• Act as the test client – for this you will use Firefox. You will configure an explicit proxy setting.

The choice of these roles is arbitrary. However, this will be the convention used throughout this lab guide.

Task A: Run the System Setup Wizard

1. From the Win7 PC, connect to your WSA management GUI as follows.

A. Open Firefox and connect to http://172.20.11.103:8080. Note that this is the home page of the browser.
B. Login with username admin and password ironport.

2. In the WSA GUI, navigate to System Administration > System Setup Wizard. The wizard is divided into four groups (numbered 1 through 4 in the GUI):

1. Start
Accept the license agreement by checking the check box and click Begin Setup>>. You may or may not see this screen, depending on whether this was a fresh install or whether this instance has been recycled for this lab. If you do not see this screen, move on to Step 2.

2. Network
This section consists of six separate pages. (Note: We recommend that you copy and paste IP addresses into the relevant section of the System Setup Wizard to eliminate avenues for introducing errors.)

A. System Settings
Hostname: s100v-alpha.wsa.train
DNS Server 1: 172.20.11.210
NTP Server: 128.107.212.175
Time zone: Set the time zone to America > United States > Pacific Time (Los Angeles)
Appliance Mode: Standard. (Cloud Web Security Connector mode is not covered in this lab.)
Click Next>>

B. Network Context


Look over this page, but leave the settings unchanged. Click Next>>

C. Network Interfaces and Wiring
Look over this page, but leave the settings unchanged. Note: With AsyncOS 8.8, each interface can have an IPv4 and an IPv6 address. Click Next>>

D. Layer 4 Traffic Monitor Wiring
Look over this page, but leave the settings unchanged. Click Next>>

E. Routes for Management and Data Traffic (Interface M1: 172.20.11.103)
Default Gateway: 172.20.11.2
Click Next>>

F. Transparent Connection Setting
Look over this page, but leave the settings unchanged. Click Next>>

G. Administrative Settings
Password: Cisco123$
Email system alerts to: [email protected]
Uncheck AutoSupport (in a production environment, leave this checked)
Uncheck Network Participation (in a production environment, leave this checked)
[Note: You uncheck these to stop the class S-Series from sending information to Cisco.]
Click Next>>

3. Security
A. Under Malware and Spyware Scanning, for Action for Detected Malware, select the Block radio button. Click Next>>

4. Review
Look over your settings, and edit any that look wrong by clicking Edit on the right-hand side. Install your initial configuration by clicking Install This Configuration.

3. At this point the WSA will redirect you to the “System Setup Next Steps” page. If you see this page, the WSA is correctly configured.

4. Confirm that the S-Series web proxy is enabled and note the proxy port numbers, as follows.

A. In the WSA GUI, navigate to Security Services > Web Proxy.
B. Under Basic Settings, you should see:

HTTP Ports to Proxy: 80, 3128
Proxy: Enabled

If for some reason the proxy is disabled, the System Setup Wizard probably did not complete correctly, and will have to be re-run.


Task B: Configure URL filters

5. Enforce reasonable acceptable use.

A. Select Web Security Manager > Access Policies
B. Click on the text Monitor: 79 in the URL Filtering column.
C. Block several categories that you consider inappropriate, by clicking in the Block column.
D. Be sure to block Gambling – this will be used in the lab to test acceptable use.
E. Click the Submit button at the bottom of the page.
[Submitting changes builds an inactive configuration that can later be committed or abandoned.]
F. Click the yellow button in the upper right-hand corner of the WSA GUI.
G. Enter a meaningful comment, and then click Commit Changes

Task C: Verify proxy functionality

6. Configure Firefox on your remote desktop to use your S-Series as a proxy:

A. In FF, navigate to Tools > Options > Advanced > Network > Connection Settings > Manual Proxy Configuration
B. For HTTP Proxy, enter your S-Series name or IP address: 172.20.11.103
C. For Port, enter 3128.
D. Tick Use this proxy server for all protocols.
E. Click OK twice.

Note: For your reference, to configure Firefox to use an explicit forward proxy, choose Tools > Internet Options > Connections tab > LAN Settings > Use a Proxy Server.

7. Using Firefox (FF), access some acceptable web site like http://yahoo.com. You should succeed.

8. Using FF, access some unacceptable web site like http://poker.com. You should be blocked.

9. Using FF, try to download the Eicar test virus. This is an industry-standard test virus that triggers anti-virus software.
A. Using FF, select the Lab Exercise Page link on the Bookmark Toolbar. This will send your browser to http://outside.wsa.train/index-cust-syw.html.
B. Under Files (HTTP), click the link that says Eicar test virus. It should be blocked.

10. On the Lab Exercise page, follow the link Website by Reputation Score and try to access I have a bad reputation. You should be blocked and an End User Notification page should be displayed.

Task D: Reading the proxy access log using the CLI

To troubleshoot policy configurations, the most important log is the proxy access log. You will be viewing the access log throughout the lab. At this point, you will learn how to view this log in real time.

11. Connect to the S-Series via SSH
A. Double click on the desktop icon that says putty.exe.
B. There is a predefined session called s100v-alpha.wsa.train. This will connect you, via SSH, to your WSA.
C. Login to the WSA
Login: admin
Password: Cisco123$

12. There are two ways to view logs with the WSA CLI.
• Type tail accesslogs into the WSA CLI.
• Type tail to show the list of configured logs, and then enter the number of the log you wish.
Using one of these methods, start to tail the access log.

Warning: There will occasionally be a delay of 10 to 30 seconds in the output of the tail accesslogs command, so it may not seem like real time. You will have to be patient.

13. Using FF, visit http://poker.com and look at both the access log and the HTTP headers. You will be blocked, due to the Access Policy you created in the previous lab. Look for the following strings in the access log entry:
• TCP_DENIED – the action or cache result code
• 403 – the HTTP response code
• BLOCK_WEBCAT – the ACL decision tag

14. Using FF, try to download the Eicar test virus again. Look at both the access log and the HTTP headers. Look for the following strings in the access log entry on the WSA:
• TCP_DENIED – the action or cache result code
• 403 – the HTTP response code
• BLOCK_AMW_RESP – the ACL decision tag

15. Using FF, visit http://ihaveabadreputation.com and look at both the access log and the HTTP headers. You will be blocked, due to the Web Reputation Filters. Look for the following strings in the access log entry:
• TCP_DENIED – the action or cache result code
• 403 – the HTTP response code
• BLOCK_WBRS – the ACL decision tag
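To show what steps 13 to 15 ask you to find, here is an added Python example (not part of the Cisco lab guide) that parses constructed access-log lines laid out the way tail accesslogs prints them and reports the result code, HTTP status and ACL decision tag for each; the field order, the policy and identity names and every value in the sample lines are assumptions, not captures from a real appliance.

```python
"""Triage WSA access-log lines for the three block cases of Lab 1, Task D.

Added example; not part of the Cisco lab guide. The sample lines are
constructed to follow the Squid-style layout printed by ``tail accesslogs``
(timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user,
hierarchy, content type, ACL decision tag, <scan verdicts>); every value is
made up and the angle-bracket verdict group is abbreviated to <...>.
"""
import re
from collections import Counter
from typing import Optional

# Constructed sample log (raw string so the backslash in the user name survives).
SAMPLE_ACCESS_LOG = r"""
1442000001.101 97 172.20.11.250 TCP_DENIED/403 1564 GET http://poker.com/ - NONE/- - BLOCK_WEBCAT_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <...> -
1442000002.202 210 172.20.11.250 TCP_DENIED/403 1480 GET http://outside.wsa.train/eicar.com - NONE/- - BLOCK_AMW_RESP_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <...> -
1442000003.303 55 172.20.11.251 TCP_DENIED/403 1390 GET http://ihaveabadreputation.com/ - NONE/- - BLOCK_WBRS_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <...> -
1442000004.404 312 172.20.11.251 TCP_MISS/200 5120 GET http://yahoo.com/ - DIRECT/yahoo.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <...> -
1442000005.505 640 172.20.11.250 TCP_MISS/200 2097152 GET http://outside.wsa.train/files/big.zip "WSA\angie" DIRECT/outside.wsa.train application/zip DEFAULT_CASE_12-DevelopersPolicy-GOLD-NONE-NONE-NONE-DefaultGroup <...> -
""".strip()

# ACL decision tag layout: <decision>_<verdict id>-<access policy>-<identification profile>-...
# Assumes policy and profile names contain no hyphen (true for the names used in this lab).
ACL_TAG_RE = re.compile(
    r"^(?P<decision>[A-Z_]+?)_(?P<verdict>\d+)-(?P<policy>[^-]+)-(?P<identity>[^-]+)"
)

# Decision tags met in Lab 1 and what produced them.
BLOCK_REASONS = {
    "BLOCK_WEBCAT": "URL category blocked by the Access Policy (URL Filtering)",
    "BLOCK_AMW_RESP": "anti-malware scanning blocked the server response",
    "BLOCK_WBRS": "Web Reputation Filters blocked the request",
}


def parse_access_line(line: str) -> Optional[dict]:
    """Split one access-log line into the fields the lab asks you to locate."""
    fields = line.split()
    if len(fields) < 11:
        return None
    result_code, _, status = fields[3].partition("/")
    tag = ACL_TAG_RE.match(fields[10])
    if tag is None or not status.isdigit():
        return None
    return {
        "timestamp": float(fields[0]),
        "client_ip": fields[2],
        "result_code": result_code,      # e.g. TCP_DENIED
        "http_status": int(status),      # e.g. 403
        "method": fields[5],
        "url": fields[6],
        "user": fields[7].strip('"'),    # "-" when the request was not authenticated
        "decision": tag["decision"],     # e.g. BLOCK_WEBCAT
        "policy_group": tag["policy"],   # Access Policy that matched
        "identity": tag["identity"],     # Identification Profile that matched
        "acl_tag": fields[10],
    }


def is_blocked(entry: dict) -> bool:
    """A denied transaction shows both TCP_DENIED and a BLOCK_* decision."""
    return entry["result_code"] == "TCP_DENIED" and entry["decision"].startswith("BLOCK_")


def explain(entry: dict) -> str:
    """One-line reading of an entry in the terms the lab uses."""
    if not is_blocked(entry):
        return "%s allowed by %s (%s)" % (entry["url"], entry["policy_group"], entry["decision"])
    reason = BLOCK_REASONS.get(entry["decision"], "blocked by another policy action")
    return "%s %s -> %s" % (entry["url"], entry["acl_tag"], reason)


def summarize_blocks(log_text: str) -> dict:
    """Count blocked transactions per decision tag, skipping unparsable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry is not None and is_blocked(entry):
            counts[entry["decision"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_ACCESS_LOG.splitlines():
        parsed = parse_access_line(raw)
        print(explain(parsed) if parsed else "unparsed: " + raw[:40])
    print(summarize_blocks(SAMPLE_ACCESS_LOG))
```

Pipe a saved copy of the real tail accesslogs output into summarize_blocks to check that the counts match the blocks you provoked in steps 13 to 15.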


Lab 2 – Proxy Authentication

In this lab exercise, you will configure, troubleshoot and test WSA proxy authentication. If you want to try to do this lab without instructions, you need to know the following facts:

• For the AD server you will authenticate against, use the FQDN pdc.wsa.train. [This is actually an alias for gold-vc.wsa.train, as you will see if you run the WSA authentication troubleshooting tools, but you do not need to know this.]
• For the AD domain, use WSA.TRAIN.
• There is a domain administrator with username operator and password ironport.

Also, see the information about AD users and groups on Page 3 of the lab document.

Task A: Configure proxy authentication

1. In the WSA GUI, navigate to Network > Authentication, and click Add Realm…
1) For Realm Name, enter ADrealm1.
2) For Authentication Protocol and Scheme(s), select Active Directory (Kerberos, NTLMSSP or Basic Authentication).
3) For Active Directory Server, enter pdc.wsa.train.
4) For Active Directory Domain, enter WSA.TRAIN.
5) Click Join Domain and use the Administrator account (password cisco) as credentials.
6) If everything is successful it will show the message “Success – Computer Account s100v-alpha$ successfully created”.
7) If not, fix any issues you come across – if you wish, see the solution at the end of this Lab Document.
8) Under Test Current Settings, click Start Test.
9) Once the test has completed successfully, click the Submit button.
10) If there is any error message, please troubleshoot: check your hostname, AD server, etc.
11) Commit the changes and in the Comments section add “AD Realm created”.

2. Create a new Identity for the WSA Domain
A. In the WSA GUI, navigate to Web Security Manager > Identification Profiles.
B. Click Add Identification Profile...
C. For the Name field, use GOLD. Fill in an appropriate description in the Description text box.
D. Under Define Members by Subnet, add the IP addresses of the XP machine: 172.20.11.250, 172.20.11.251
E. For the Identification and Authentication drop-down, select Authenticate Users.
F. Select a Realm or Sequence will automatically be set to ADrealm1.
G. For Select a Scheme, select Use NTLMSSP or Basic
H. Click Submit.
I. You will see a warning. Ignore the warning and continue to Step 3.


3. Enable Authentication for the Global Identity
A. In the WSA GUI, navigate to Web Security Manager > Identification Profiles. Click Global Identification Profile.
B. Select Authenticate Users from the Identification and Authentication drop-down menu.
C. Select All Realms from the Select a Realm or Sequence drop-down menu.
D. Select Use NTLMSSP or Basic from the Select a Scheme drop-down menu.
E. Click the Submit button in the lower right of the page. Ignore the warning.
F. Click the yellow button in the upper right that says Commit Changes >>
G. Enter a meaningful comment, such as Configured proxy authentication.
H. Click Commit Changes.

Task B: Test your authentication configuration.

4. Test using a few URLs of your choice in the FF browser (if your browser is open, close it and open it again to flush the cache).
A. Browse to www.google.com
B. When prompted for authentication, log in as WSA\nina, WSA\fred, WSA\ira, or WSA\beth (you can use WSA.TRAIN instead of WSA in these logins). The password for all accounts is ironport.
C. Verify that the identity of the authenticated user appears in the accesslogs (tail accesslogs)

Note: Since you are not using surrogates, it is relatively easy to clear authentication information in FF: select Tools > Internet Options > General > Browsing History > Delete > Select all > Delete > Apply > Ok

However, if you use surrogates (for example, when you are using transparent proxy mode), it can be challenging to clear authentication information for a client. If you are using cookie surrogates, you may also have to clear cookies. If you exit the browser, you must be sure to exit all windows. Finally, the WSA caches authentication information. You may have to clear the authentication cache using the CLI command authcache > FLUSHALL. When using IP surrogates, this is required.


Lab 3 – Basic Policy Configuration

You have two tasks in this lab.

Task A: Configure file size and type restrictions
Limit downloads to 1 MB and block the download of executable files. However, members of the IT department and Engineering team must be exempt from these restrictions.

Task B: Configure user-agent authentication exemption
Allow Windows and Adobe Updaters to bypass authentication. You should test this using the Policy Trace tool.

If you want to try to do this lab without detailed instructions, you need to know the following:

Task A: The IT department members belong to the AD group WSA\it. The Engineering team members belong to the AD group WSA\engineering. You can use the following users to verify your configuration.

• WSA\angie is a member of the engineering team.
• WSA\eyetea is a member of the IT department.
• WSA\nina is not a member of either group.

You should verify the policy by attempting to download various files. To find these files:
A. Using Firefox, go to the Lab Exercise Page.
B. Under Files (HTTP), follow the link Files of various size and type.

Task B: You should test this using the Policy Trace tool. In order to use this tool, you must know the exact user-agent string for one of the update agents. You can use the following user-agent string: Windows-Update-Agent

Task A: Configure file size and type restrictions

1. Configure the global policy to limit downloads to 1 MB, and block the download of executable files.
A. In the WSA GUI, navigate to Web Security Manager > Access Policies.
B. Click on the text in the Objects column of the Global Policy group.
C. Under Edit Object Blocking Settings, confirm that Define Custom Object Blocking Settings is selected in the drop-down menu.
D. Under Object Blocking Settings, set the object size to 1 MB for HTTP/HTTPS and FTP.
E. Under Block Object Type, click on Executable Code to expand it.
F. Check all three check boxes for executables.
G. Click the Submit button in the lower right of the page.


2. Create a Policy group for the IT and Engineering teams
A. You should be on the Access Policies GUI page. Click Add Policy...
B. Set Policy Name to Developers Policy
C. Add a short, meaningful description
D. Under Policy Member Definition:
1) Under Identification Profiles and Users, select All Identification Profiles.
2) Select the Selected Groups and Users radio button.
3) Click on the text that says No groups entered.
4) The groups will populate the Directory search result box.
5) Highlight the engineering group (WSA\engineering) and click the Add > button.
6) Highlight the it group (WSA\it) and click the Add > button.
7) Click the Done button in the lower right of the page.
E. Click the Submit button in the lower right of the page.

3. Modify the policy group you created in Step 2 to disable object size or type restrictions for Developers.
A. Click on the text in the Objects column of the Developers Policy group
B. Under Edit Object Blocking Settings, select Disable Object Blocking for this Policy in the drop-down menu.
C. Click the Submit button in the lower right of the page.
D. Click the yellow button in the upper right that says Commit Changes >>.
E. Enter a meaningful comment, such as Disabled object blocking for Developer Policy.
F. Click Commit Changes.

4. In the WSA CLI, type tail system_logs. Confirm that the comment entered in the previous step is logged in the System Log. Therefore, if meaningful comments are entered when changes are committed, the System Log can be used to correlate issues that arise with changes made to the WSA configuration.

5. Use FF to test the Global Policy
A. Clear the authentication setting in FF.
B. Go to the Lab Exercise Page.
C. Under Files (HTTP), follow the link Files of various size and type.
D. Select any file whose footprint is larger than 1 MB – it should be blocked. (When prompted, log into the proxy as WSA\nina or WSA\harry.) (Note: If you right click on the link to save the file, you might think you have downloaded the file successfully, but check its size – it will have been truncated.)
E. In the access log, identify the Policy Group, Identity and ACL Decision Tag.
F. Try to download a small .exe file – it should be blocked.
G. In the access log, identify the Policy Group, Identity and ACL Decision Tag.

6. Use FF to test the Developers Policy.
A. Clear the authentication setting in FF.
B. Go to the Lab Exercise Page.
C. Under Files (HTTP), follow the link Files of various size and type. (When prompted, log into the proxy as WSA\angie or WSA\eyetea.)
D. Try to download a file larger than 1 MB – it should succeed.
E. In the accesslogs (CLI), identify the Policy Group, Identity and ACL Decision Tag.
F. Try to download a small .exe file – it should succeed.
G. In the accesslogs (CLI), identify the Policy Group, Identity and ACL Decision Tag.

Task B: Configure user-agent authentication exemption

The goal is to allow Windows and Adobe Updaters to bypass authentication.

7. Create an identity Update Agents that will be the (new) first Identity on the list
A. In the WSA GUI, navigate to Web Security Manager > Identification Profiles, and click Add Identification Profile.
B. Set the Name to Update Agents.
C. Add a short, meaningful description.
D. Under User Identification Method and Identification and Authentication, confirm that Exempt from Authentication/Identification is selected.
E. Under Membership Definition:
1) Click on Advanced, and then to the right of User Agents, click on the text that says None Selected.
2) Under Common User Agents, click on Others, then check the check boxes for both agents (Microsoft Updates and Adobe Acrobat Updater).
3) Click Done.
F. Click the Submit button in the lower right of the page.
G. Click the yellow button in the upper right that says Commit Changes >>.
H. Enter a meaningful comment such as Configured update agent authentication exemption.
I. Click Commit Changes.

8. Use the Policy Trace Tool to test this transaction
A. In the WSA GUI, navigate to System Administration > Policy Trace.
B. Enter a valid URL – it does not have to be one of the Microsoft or Adobe update sites.
C. Click Find Policy Match – in the Results box you will see that the transaction is blocked, because authentication is required.
D. Click on the word Advanced in the Transaction box.
E. Enter the (exact!) string Windows-Update-Agent into the User Agent text field.
F. Click Find Policy Match – in the Results box you will see the request is allowed, even without authentication. Observe that the transaction matched the Update Agents Identity Policy.
G. Try changing the user-agent string to some random string.
H. Click Find Policy Match – in the Results box you will see the request fails because of a proxy authentication failure (ERR_PROXY_AUTH).


Lab 4 – Enforcing Acceptable Use

You have four tasks in this lab.

Task A: Create a reasonable global acceptable use policy

• Block categories that represent illegal or offensive material.
• Set the categories Filter Avoidance and Peer File Transfer to Warn.
• Block Social Networking during Peak Business Hours (otherwise Monitor).
• Block Shopping during Extended Business Hours (otherwise Warn).

Task B: Blocking IP-based URLs

If you want to try to do this lab without detailed instructions, you need to know the following:

Task A:

• Extended business hours are Monday through Friday 7 am to 6 pm, and Saturday 8 am to noon.
• Peak business hours are Monday through Friday 10 am to 2 pm.
• Because your policies are time based, you will also need to use the Policy Trace tool.
• Use Response Detail Overrides in the Policy Trace tool. Then you will not have to enter URLs that match the categories you wish to test.

Task B: You need to create a custom URL category for URLs where the hostname is an IP address. You can find lengthy discussions on the Internet about the best way to craft a RegEx to match IP addresses. But note that the WSA does not allow the full RegEx syntax when working with custom URL categories. For this exercise, many possible RegExes will work – so keep it simple. You can use any IP address to test your policy. For example, you can try going to http://204.15.80.137.

Task A: Create a reasonable global acceptable use policy

1. Create two time ranges: Extended Business Hours and Peak Business Hours.

A. In the WSA GUI, navigate to Web Security Manager > Custom policy Elements > Define Time Ranges and Quotas.

B. Click Add Time Range.
C. For Time Range Name, enter the name Extended Business Hours.
D. Use Time Zone Setting from Appliance.
E. Under Time Values, check the boxes for the weekdays Monday through Friday.
F. Under Time of Day, enter 07:00 to 18:00.
G. Click Add Row.
H. In the new row, check the Saturday check box.
I. In the new row, enter 08:00 to 12:00.


J. Click the Submit button in the lower right of the page.
K. Click Add Time Range.
L. For Time Range Name, enter the name Peak Business Hours.
M. Use Time Zone Setting from Appliance.
N. Under Time Values, check the boxes for the weekdays Monday through Friday.
O. Under Time of Day, enter 10:00 to 14:00.
P. Click the Submit button in the lower right of the page.
Q. Commit the Changes while giving meaningful comments.

2. Configure the URL filters for the Global Policy (Access Policies group)

A. In the WSA GUI, navigate to Web Security Manager > Access Policies.
B. Click on the text in the URL Filtering column of the Global Policy row.
C. Block categories that represent illegal or offensive material – there are several such categories.
D. Set the categories Filter Avoidance and Peer File Transfer to Warn.
E. Under the Social Networking category, select Time Range.
F. Block Social Networking during Peak Business Hours (otherwise Monitor).
G. Under the Shopping category, select Time Range.
H. Block Shopping during Extended Business Hours (otherwise Warn).
I. Click the Submit button in the lower right of the page.
J. Click the yellow button in the upper right that says Commit Changes >>.
K. Enter a meaningful comment, such as Created Global AUP.
L. Click Commit Changes.
M. Check the results by visiting the following URLs:

a. www.proxify.com (Filter Avoidance)
b. www.facebook.com (Social Networking)
c. www.amazon.com (Shopping)

OR: You can also use our Lab Exercise Page to test the global acceptable use policy.
A. Go to the Lab Exercise Page.
B. Under Links to Websites, follow the link Websites by URL category.
C. Try to identify the URL categories using the access log.

3. Use the Policy Trace tool to test the time based policies regarding Social Networking and Gambling.

A. In the WSA GUI, navigate to System Administration > Policy Trace.
B. For URL, enter any valid URL, say www.cisco.com.
C. For User Name, enter WSA\nina.
D. For Authentication Realm, select the realm you created in Lab 2.
E. Click on the text Advanced to access the advanced settings.
F. Under Request Details, for Time of Request, enter a time inside peak business hours.
G. Under Response Detail Overrides, for URL Category, select Social Networking.
H. Click the Find Policy Match button.
I. Verify that the results match your policy configuration. If not, troubleshoot and fix any errors.

Repeat Steps 4F through 4I for various combinations of request times and URL categories.
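As an added illustration of how the time-based rules of Task A combine (this script is not part of the lab or of the WSA), the following Python models the two time ranges and the category actions configured above and answers the same question the Policy Trace tool answers: for a given request time and URL category, which action applies. Gambling is included as an assumed member of the blocked illegal/offensive categories, and the inclusive-start, exclusive-end treatment of each time-of-day window is also an assumption, since the lab does not say how the appliance treats the boundary minute.

```python
from datetime import datetime, time

# Time ranges as rows of (weekdays, start, end), mirroring the Add Row layout of
# Define Time Ranges and Quotas. Monday is 0 and Sunday is 6 (datetime.weekday()).
# Assumption: the start of a window is inclusive and the end is exclusive.
TIME_RANGES = {
    "Extended Business Hours": [
        ({0, 1, 2, 3, 4}, time(7, 0), time(18, 0)),   # Mon-Fri 07:00-18:00
        ({5}, time(8, 0), time(12, 0)),               # Sat 08:00-12:00 (the Add Row entry)
    ],
    "Peak Business Hours": [
        ({0, 1, 2, 3, 4}, time(10, 0), time(14, 0)),  # Mon-Fri 10:00-14:00
    ],
}

# Per-category rule: (time range that selects the first action, action inside the
# range, action outside it). A rule with no time range applies around the clock.
CATEGORY_RULES = {
    "Social Networking": ("Peak Business Hours", "Block", "Monitor"),
    "Shopping": ("Extended Business Hours", "Block", "Warn"),
    "Filter Avoidance": (None, "Warn", "Warn"),
    "Peer File Transfer": (None, "Warn", "Warn"),
    "Gambling": (None, "Block", "Block"),  # assumed member of the blocked categories
}


def in_time_range(range_name, when):
    """True when the datetime falls inside any row of the named time range."""
    for weekdays, start, end in TIME_RANGES[range_name]:
        if when.weekday() in weekdays and start <= when.time() < end:
            return True
    return False


def action_for(category, when):
    """Action the global policy applies to a category at a given time.

    Categories without a rule get Monitor, the appliance's default for an
    unlisted category in this model (assumption).
    """
    range_name, inside, outside = CATEGORY_RULES.get(category, (None, "Monitor", "Monitor"))
    if range_name is None or in_time_range(range_name, when):
        return inside
    return outside


def trace(category, when_str):
    """Policy-trace style check: returns (time range matched or None, action)."""
    when = datetime.strptime(when_str, "%Y-%m-%d %H:%M")
    range_name = CATEGORY_RULES.get(category, (None,))[0]
    matched = range_name if range_name and in_time_range(range_name, when) else None
    return matched, action_for(category, when)


if __name__ == "__main__":
    # A weekday at peak hours, a weekday afternoon, a Saturday morning and a Sunday.
    for category in ("Social Networking", "Shopping"):
        for stamp in ("2015-09-16 11:00", "2015-09-16 15:00", "2015-09-19 09:00", "2015-09-20 09:00"):
            print(f"{category:<18} {stamp} -> {trace(category, stamp)}")
```

The four request times printed by the script are the same combinations worth entering into the Policy Trace tool in step 3 (together with the Response Detail Override for the category) to confirm that the appliance agrees with the model.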


Task B: Blocking IP-based URLs

4. Confirm that you can get to http://67.20.81.143

5. Create and deploy a Custom URL Category to block URLs that are based on IP addresses.

Note: How one should use regular expressions to match IP addresses is not trivial. The task is complicated by the fact that IP addresses can be encoded in many ways (e.g. hex, octal, a single integer or four dot separated integers). Furthermore, it is possible for a regular expression, because of how it is composed, to cause performance issues on the WSA. For this exercise, you can use the following simple regular expression that does the job pretty well: http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

A. In the WSA GUI, navigate to Web Security Manager > Custom Policy Element > Custom URL Categories.
B. Click Add Custom Category.
C. Type in a Category Name, for example IP based URLs.
D. Click the Advanced arrow, if the Regular Expression textbox is not visible.
E. Type http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in the Regular Expressions box.
F. Click the Submit button in the lower right of the page.

6. Set the Global Policy URL Categories to block the Custom URL Category you just made.

A. In the WSA GUI, navigate to Web Security Manager > Web Policies > Access Policies.
B. Click the text in the URL Filtering box of the Global Policy group.
C. Click the Select Custom Categories button.
D. For the custom category you just created, select Include in policy from the Setting Selection drop-down menu.
E. Click the Apply button in the lower right of the page.
F. Check in the Block column to the right of the custom category (IP Based URL).
G. Submit and commit your changes.

7. Click on the Lab Exercise Website by URL Category www.cisco.com (Based on IP address)

Note: This should be blocked and an End User Notification page will be displayed.

8. Confirm that you CANNOT get to http://67.20.81.143. Try to find the first 4 letters of the custom URL category in the access log. It will look like the following in the accesslogs in the CLI:

1320375494.257 0 172.20.11.250 TCP_DENIED/403 1564 GET http://204.15.80.137/favicon.ico "WSA\allen@ADRealm" NONE/- - BLOCK_CUSTOMCAT_11-Developers_Policy-DefaultGroup-NONE-NONE-NONE-NONE <C_IP_b,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
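The note in step 5 points out that an IP address can also be written in hex, octal or single-integer form, which the simple expression does not cover. The Python script below is an added example, not part of the lab or of AsyncOS: it runs the lab's expression (with re.search, as an emulation) against several spellings of a URL and, beside it, a helper that reads the host the way inet_aton does (dotted decimal, hex, octal and a single 32-bit integer), plus bracketed IPv6 literals. The addresses 204.15.80.137 and 67.20.81.143 come from the lab; the hex, octal and integer spellings are constructed encodings of 204.15.80.137, and 10.0.0.1 is a constructed private address. How the appliance itself applies a custom-category regex (anchoring, scheme handling) is not stated on this page and is not modelled; the point is to see which spellings the simple pattern leaves uncovered.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The lab's custom-category expression, applied here with re.search as an emulation.
LAB_PATTERN = re.compile(r"http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# A host component may only be letters and digits (rejects "+", "_" and whitespace,
# which Python's int() would otherwise tolerate).
_PART = re.compile(r"[0-9A-Za-z]+")


def lab_regex_matches(url: str) -> bool:
    """True when the lab's dotted-decimal expression fires on the URL."""
    return LAB_PATTERN.search(url) is not None


def _parse_part(part: str) -> int:
    """Parse one dot-separated component with inet_aton conventions: 0x = hex,
    leading 0 = octal, otherwise decimal. Raises ValueError for anything else."""
    if not _PART.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)


def ip_literal_host(url: str):
    """Return the canonical address when the URL's host is an IP literal, else None."""
    host = urlsplit(url).hostname  # lower-cased; brackets around IPv6 are removed
    if not host:
        return None
    if ":" in host:  # IPv6 literal
        try:
            return str(ipaddress.IPv6Address(host))
        except ValueError:
            return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:  # a name such as www.cisco.com, or an empty component
        return None
    # inet_aton semantics: each leading part is one byte, the last part fills the rest.
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    last_bits = 8 * (5 - len(parts))
    if not 0 <= values[-1] < (1 << last_bits):
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << last_bits) | values[-1]
    return str(ipaddress.IPv4Address(packed))


def coverage_report(urls):
    """For each URL: (url, lab regex fired?, canonical IP literal or None)."""
    return [(u, lab_regex_matches(u), ip_literal_host(u)) for u in urls]


# Constructed test URLs (see the lead-in for which values come from the lab).
SAMPLE_URLS = [
    "http://204.15.80.137",
    "http://67.20.81.143/index.html",
    "http://www.cisco.com/",
    "http://0xCC0F5089/",             # hex form of 204.15.80.137
    "http://3423555721/",             # single-integer form of 204.15.80.137
    "http://0314.017.0120.0211/",     # octal dotted form of 204.15.80.137
    "https://204.15.80.137/",         # same host, different scheme
    "http://[2001:db8::1]/",          # IPv6 literal
    "http://www.example.com/?next=http://10.0.0.1/",  # IP only in the query string
]

if __name__ == "__main__":
    for url, fired, literal in coverage_report(SAMPLE_URLS):
        print(f"{'regex' if fired else '     '}  {str(literal):<16}  {url}")
```

Reading the output column by column shows the gap the note describes: the hex and single-integer spellings resolve to the same host as the dotted form yet never fire the pattern, the octal spelling fires only because its components happen to be digits, and the last URL fires although its host is a name, because the expression is not anchored to the start of the URL in this emulation.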


Lab 5 – Protecting Against Malware

There are five tasks in this lab. You will work with three technologies:

• Cisco IronPort Web-Based Reputation Filters Scores and Web Reputation scores (WBRS)
• Cisco IronPort DVS Anti-Malware engine
• HTTPS Inspection

Task A: Confirm global setting for Web Reputation Filters and DVS engine

• Confirm that Web Reputation Filters, Webroot, McAfee and Sophos all have valid feature keys.
• Confirm that Web Reputation Filters, Webroot, McAfee and Sophos are all enabled globally.
• Confirm that McAfee Heuristic Scanning is enabled globally.

Task B: Test Web Reputation Filters

• Use the access log and end-user notifications to identify web threat details.
• Use the access log and on-box reporting to identify the WBRS for various sites.
• Confirm that McAfee Heuristic Scanning is enabled globally.

Task C: Block encrypted files for everyone except members of the HR team
Task D: Enable and test outbound malware scanning
Task E: Utilize HTTPS Inspection

If you want to try to do this lab without detailed instructions, you need to know the following:

Task A: To find links to websites with varying reputation:

A. Using Firefox, go to the Lab Exercise Page.
B. Under Links to Websites, follow the link Websites by Web Reputation Score.

Task B: The members of the HR team belong to the AD group WSA\hr.

• WSA\harry is a member of the HR team.
• WSA\nina is not a member of the HR team.

To test your policy, there is a ZIP file called Confidential.zip, which contains three encrypted files. Here is how you can find this file:

A. Using Firefox, go to the Lab Exercise Page.
B. Under Files (HTTP), follow the link Malware files.

Task C: There is a malware file called CP22.exe in the Tools folder on your desktop. We have a tool to test uploads:

A. Using Firefox, go to the Lab Exercise Page.
B. Under Data Security and Outbound Malware Scanning, click on the HTTP link.


Task D: Here is how you can find malware to test HTTPS inspection:

A. Using Firefox, go to the Lab Exercise Page.
B. Under Files (HTTPS), follow the link Malware files.

Task A: Confirm global setting for Web Reputation Filters and DVS engine

1. Confirm licensing.

A. In the WSA GUI, navigate to System Administration > Feature Keys.
B. Confirm that Cisco Web Reputation Filters, Webroot, McAfee and Sophos all have valid feature keys.

2. Verify global settings for Web Reputation Filters and DVS engine.

A. Navigate to Security Services > Anti-Malware and Reputation.
B. Confirm that Web Reputation Filtering is enabled.
C. Confirm that Sophos, McAfee, and Webroot are enabled.
D. Confirm that McAfee Heuristic Scanning is enabled.

Task B: Test Web Reputation Filters

3. Test WBRS using the Module 6 Lab web page links for low, medium and high WBRS sites.

A. Using Firefox, go to the Lab Exercise Page.
B. Under Links to Websites, follow the link Websites by Web Reputation Score.
C. Visit several websites on this page, and look in the accesslogs for the WBRS:

1) Mouse-over the link to see the URL, for example, http://www.cisco.com.
2) Click on the link to load the page.
3) Wait about 30 seconds or so.
4) Search for the URL in the access log with the grep command. For example, you can see that www.cisco.com has a WBRS of 6.5 (may change over time), so malware scanning was bypassed:

s100v-alpha.wsa.train> grep www.cisco.com accesslogs
1320468757.586 169 172.20.11.250 TCP_MISS/200 6249 GET http://www.cisco.com/ - DIRECT/www.cisco.com text/html ALLOW_WBRS_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_comp,6.5,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",295.81,0,-,"-","-"> -
. . .

4. Now focus on the Web Reputation threat details of sites with WBRS from -10 through -6.

<Note: A few websites on the Lab Exercise page may have a revised WBRS score, because of which it may no longer be in the range of -10 to -6. Visit a few more URLs such as http://mjner.com/ or www.ihaveabadreputation.com>

A. Mouse-over the link to see the URL, for example, http://login.tracking101.com/
B. Click on the link to load the page.


C. Wait about 30 seconds or so.
D. Search for the URL in the access log with the grep command. For example, you can see that http://login.tracking101.com/ has a WBRS of -7.6, so the transaction was blocked (ACL tag BLOCK_WBRS). Note also that this was classified as a site serving adware:

s100v-alpha.wsa.train> grep tracking101 accesslogs
1443743884.745 240 172.20.11.250 TCP_DENIED/403 0 GET http://login.tracking101.com/ - NONE/- - BLOCK_WBRS_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <IW_adv,-7.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_adv,-,"-","adware","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -

Task C: Block encrypted files for everyone except members of the HR team

5. Confirm that the Global Access Policy is configured to block encrypted files.

A. In the WSA GUI, navigate to Web Security Manager > Access Policies.
B. Click on the text in the Web Reputation and Anti-Malware Filtering column of the Global Policy row.
C. Confirm that all the categories of malware are set to Block. Note that one malware category is Encrypted File. If they are set to Monitor, you made a mistake when you ran the System Setup Wizard. You can correct this mistake by clicking on the two Select all links in the Block column (there are two such links).

D. Submit any changes you may have made.

6. Create an Access Policy for the HR team.

A. In the WSA GUI, navigate to Web Security Manager > Access Policies.
B. Click Add Policy.
C. Set Policy Name to HR.
D. Add a short, meaningful description.
E. Under Policy Member Definition:

1) Under Identification Profiles and Users, select the Selected Groups and Users radio button.
2) Click on the text that says No groups entered.
3) The groups will populate the Directory search result box – or you can type in the desired r.
4) Highlight the hr group WSA\hr, or type it in, and then click the Add > button.
[Or you can type in the desired group name and then click the Add > button.]
5) Click the Done button in the lower right of the page.

F. Submit your changes.

7. Modify the HR Access Policy you created in the previous step.

A. Click on the text in the Web Reputation and Anti-Malware Filtering column of the HR policy row.

B. Near the top of the page, under Web Reputation and Anti-Malware Settings, select Define Web Reputation and Anti-Malware Custom Settings from the drop-down menu.


C. Near the bottom of the page, change the action for Encrypted File from Block to Monitor.
D. Submit your changes.

8. Commit the changes made in the three previous steps.

A. Click the yellow button in the upper right that says Commit Changes >>.
B. Enter a meaningful comment, such as Configured HR Access Policy.
C. Click Commit Changes.

9. Confirm that Nina cannot download encrypted files.

A. Clear the authentication settings in Firefox.
B. Go to the Lab Exercise Page. Log into the proxy as WSA\nina.
C. Under Files (HTTP), follow the link Malware files.
D. Left click on Confidential.zip. The transaction will be blocked.
E. Click the Back button in Firefox.
F. Right click on Confidential.zip, and select Save Link As. Click Save to save the file to your Desktop.
G. Double click on the file on your desktop to open it. Notice that it has been corrupted. If you check the size of the downloaded file, you will see it has been truncated from about 300 KB to about 1.6 KB, or sometimes even 0 bytes, depending on the version of Firefox you are running.

What you have seen is that, depending on how you attempt to download a file:
• Sometimes the HTTP transaction is blocked in the browser, and a 403 HTTP return code is sent to the browser.
• Sometimes the download agent is interrupted while the download is taking place, truncating the file.

10. Confirm that Harry can download encrypted files.

A. Clear the cache and the authentication sessions in Firefox.
B. Left click on Confidential.zip. You will be asked to authenticate.
C. Log into the proxy as WSA\harry.
D. You should now be able to open the ZIP file.
E. Confirm that the ZIP file contains encrypted files.

There really isn’t any need to open the files, but if you want to confirm that they are not corrupted, note that the password to open them is ironport.

11. Inspect the relevant access log entries. The easiest way to do this is with the grep command.

S100v-alpha.wsa.train> grep Confidential.zip accesslogs
. . .
1320546101.539 55 172.20.11.250 TCP_DENIED/403 1855 GET http://outside.wsa.train/malware/Confidential.zip "WSA\nina@ADRealm" DIRECT/outside.wsa.train application/x-zip BLOCK_AMW_RESP_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_comp,ns,"0","-",0,0,0,"-","-",-,-,-,"-","26",-2147220974,"Confidential.zip","-",-,-,IW_comp,-,"Encrypted File","-","Unknown","Unknown","-","-",269.82,0,-,"-","-"> -
. . .


1320546249.655 7 172.20.11.250 TCP_DENIED/407 439 GET http://outside.wsa.train/malware/Confidential.zip - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",501.71,0,-,"-","-"> -
. . .
1320546249.803 130 172.20.11.250 TCP_MISS/200 310600 GET http://outside.wsa.train/malware/Confidential.zip "WSA\harry@ADRealm" NONE/- application/x-zip MONITOR_AMW_RESP_11-HR-DefaultGroup-NONE-NONE-NONE-NONE <IW_comp,ns,"0","-",0,0,0,"-","-",-,-,-,"-","26",-2147220974,"Confidential.zip","-",-,-,IW_comp,-,"Encrypted File","-","Unknown","Unknown","-","-",19113.85,0,-,"-","-"> -

Task D: Enable and test outbound malware scanning

12. In the WSA GUI, navigate to Web Security Manager > Outbound Malware Scanning.

13. Enable scanning for outbound malware to all destinations.

A. Click on the text that says Scan: None in the Destinations column.
B. For Destinations to Scan, select the Scan all uploads radio button.
C. Submit your changes.

14. Click on the text in the box in the Anti-Malware Filtering column.

A. Confirm that the uploads will be scanned by both Webroot and Sophos. Note that you could choose Webroot and McAfee, but you cannot use all three engines at once. This restriction also applies to the inbound malware scanning you configured in Task C of this lab, unless Adaptive Scanning is enabled (more on that later).

B. Confirm that all categories of malware are being blocked.

15. Commit your changes.

16. Test outbound Malware Scanning.
A. Using Firefox, go to the Lab Exercise Page.
B. Under Data Security and Outbound Malware Scanning, click on the HTTP link.
C. Using the tool on this page, upload the file Desktop/Tools/CP22.exe.

There are three Browse buttons on the upload tool. You will only need one, unless you want to try uploading multiple files.
1) Click Browse.


2) Browse to the Tools folder, select CP22.exe. Click Open.
3) Click Send POST.

D. Notice that the upload is blocked.

17. Inspect the relevant entry in the access log.

S100v-alpha.wsa.train> tail accesslogs
1443746271.021 6 172.20.11.250 TCP_DENIED/403 0 POST http://outside.wsa.train/cgi-bin/itts_wsa_DataSecurity.cgi "WSA\harry@ADRealm1" NONE/- - BLOCK_AMW_REQ_8-DefaultGroup-GOLD-DefaultGroup-NONE-NONE-NONE <IW_comp,ns,13,"Comedy-Planet",0,363786,2116,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"Adware","Comedy-Planet",-,"-",-,-,"-","-"> -

Task E: Utilize HTTPS Inspection

18. Demonstrate the need for HTTPS inspection. Confirm that files downloaded using HTTPS are not being inspected.
A. Using Firefox, go to https://secure.eicar.org/eicar.com.txt
B. This will trigger a successful file download of the EICAR virus test file.

19. Enable and configure the HTTPS proxy.

A. In the WSA GUI, navigate to Security Services > HTTPS Proxy.
B. Click the Enable and Edit Settings button and accept the license agreement.
C. Select the Use Generated Certificate and Key radio button.
D. Click Generate New Certificate and Key. Input values such as:

1) Common name: s100v-alpha.wsa.train
2) Organization: IT
3) Organizational Unit: Security
4) Country: US (or any two-letter country code, in UPPERCASE)
5) Expiration Date: Any value from 1 to 120 months

20. Installing the certificate in your browser will stop the browser from generating warnings when the S-Series is performing HTTPS inspection.
A. Save the certificate by clicking the text Download Certificate in the HTTPS Proxy Settings box. Select the Save option and save it on the desktop.

B. Install this certificate in Firefox as follows:
1) In Firefox, navigate to Tools > Options > Advanced > Certificates > View Certificates > Authorities > Import. Select the certificate you downloaded from the WSA, and click Open.
2) Check Trust this CA to identify websites.
3) Click OK three times.


21. Back in the WSA GUI, under Invalid Certificate Options, set Unrecognized Root Authority to Monitor. This is required, as the CA for the lab exercise page is not yet part of the WSA trusted CA store.

22. Submit your changes. Read the Confirm Enabled dialog box carefully. Click Continue. Then commit your changes.

23. Confirm that files downloaded using HTTPS are now being scanned for malware.

A. Clear your Firefox browser cache. (You may be prompted again to authenticate; use WSA\harry.)

B. Go to https://secure.eicar.org/eicar.com.txt. You will get a block page now.

24. Inspect the relevant access log entries. Note that there are two transactions associated with HTTPS inspection. The first shows the decision to decrypt:

1443747208.073 584 172.20.11.250 TCP_MISS_SSL/200 39 CONNECT tunnel://secure.eicar.org:443/ "WSA\harry@ADRealm1" DIRECT/secure.eicar.org - DECRYPT_WBRS_7-DefaultGroup-GOLD-DefaultGroup-NONE-NONE-DefaultGroup <IW_csec,0.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.53,0,-,"-","-",-,"-",-,-,"-","-"> -

The second shows how the decrypted traffic is handled:

1443747208.421 347 172.20.11.250 TCP_DENIED_SSL/403 0 GET https://secure.eicar.org:443/eicar.com.txt "WSA\harry@ADRealm1" DIRECT/secure.eicar.org application/octet-stream BLOCK_AMW_RESP_12-HR-GOLD-DefaultGroup-NONE-NONE-DefaultGroup <IW_csec,0.8,0,"-",0,0,0,27,"-",0,1,6,"EICAR test file",-,-,"-","-",-,-,IW_csec,-,"Virus","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-"> -
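The access log lines quoted in Lab 4 step 8 and in steps 3, 4, 11, 17 and 24 of this lab all follow one layout: timestamp, elapsed time, client IP, result/status, bytes, method, URL, user, hierarchy/server, content type, the ACL decision tag with its policy-group names, and the scanning verdict block in angle brackets. The following Python script is an added example (not part of the lab or of AsyncOS) that parses constructed copies of those lines into a record holding the fields the exercises ask you to identify: ACL decision, access policy, identification profile, WBRS score and any threat annotations. Two things are assumptions made here rather than statements from the lab: that the six hyphen-separated names after the decision tag are policy groups of which the first two are the access policy and the identification profile, and that quoted verdict strings such as "Encrypted File" or "adware" can be read as threat annotations.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the entries quoted in Labs 4 and 5; a raw
# string keeps the backslash in the "WSA\user@realm" field intact.
SAMPLE_ACCESSLOG = r'''
1320375494.257 0 172.20.11.250 TCP_DENIED/403 1564 GET http://204.15.80.137/favicon.ico "WSA\allen@ADRealm" NONE/- - BLOCK_CUSTOMCAT_11-Developers_Policy-DefaultGroup-NONE-NONE-NONE-NONE <C_IP_b,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
1320468757.586 169 172.20.11.250 TCP_MISS/200 6249 GET http://www.cisco.com/ - DIRECT/www.cisco.com text/html ALLOW_WBRS_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_comp,6.5,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",295.81,0,-,"-","-"> -
1443743884.745 240 172.20.11.250 TCP_DENIED/403 0 GET http://login.tracking101.com/ - NONE/- - BLOCK_WBRS_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <IW_adv,-7.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_adv,-,"-","adware","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -
1320546101.539 55 172.20.11.250 TCP_DENIED/403 1855 GET http://outside.wsa.train/malware/Confidential.zip "WSA\nina@ADRealm" DIRECT/outside.wsa.train application/x-zip BLOCK_AMW_RESP_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_comp,ns,"0","-",0,0,0,"-","-",-,-,-,"-","26",-2147220974,"Confidential.zip","-",-,-,IW_comp,-,"Encrypted File","-","Unknown","Unknown","-","-",269.82,0,-,"-","-"> -
1320546249.803 130 172.20.11.250 TCP_MISS/200 310600 GET http://outside.wsa.train/malware/Confidential.zip "WSA\harry@ADRealm" NONE/- application/x-zip MONITOR_AMW_RESP_11-HR-DefaultGroup-NONE-NONE-NONE-NONE <IW_comp,ns,"0","-",0,0,0,"-","-",-,-,-,"-","26",-2147220974,"Confidential.zip","-",-,-,IW_comp,-,"Encrypted File","-","Unknown","Unknown","-","-",19113.85,0,-,"-","-"> -
1443747208.073 584 172.20.11.250 TCP_MISS_SSL/200 39 CONNECT tunnel://secure.eicar.org:443/ "WSA\harry@ADRealm1" DIRECT/secure.eicar.org - DECRYPT_WBRS_7-DefaultGroup-GOLD-DefaultGroup-NONE-NONE-DefaultGroup <IW_csec,0.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_csec,-,"-","-","Unknown","Unknown","-","-",0.53,0,-,"-","-",-,"-",-,-,"-","-"> -
1443747208.421 347 172.20.11.250 TCP_DENIED_SSL/403 0 GET https://secure.eicar.org:443/eicar.com.txt "WSA\harry@ADRealm1" DIRECT/secure.eicar.org application/octet-stream BLOCK_AMW_RESP_12-HR-GOLD-DefaultGroup-NONE-NONE-DefaultGroup <IW_csec,0.8,0,"-",0,0,0,27,"-",0,1,6,"EICAR test file",-,-,"-","-",-,-,IW_csec,-,"Virus","-","Unknown","Unknown","-","-",0.00,0,-,"Unknown","-",-,"-",-,-,"-","-"> -
'''

# Whitespace-separated tokens, except that <...> verdict blocks and "..." strings
# (which may contain spaces, e.g. "EICAR test file") are kept whole.
TOKEN = re.compile(r'<[^>]*>|"[^"]*"|\S+')


@dataclass
class AccessLogEntry:
    timestamp: float
    client_ip: str
    result: str                # e.g. TCP_DENIED, TCP_MISS_SSL
    status: int                # HTTP status sent to the client, e.g. 403 or 407
    method: str
    url: str
    user: str                  # "-" when the request was not authenticated
    decision: str              # ACL decision without its trailing counter, e.g. BLOCK_WBRS
    access_policy: str         # assumed: first policy-group name after the decision
    identity: str              # assumed: second name, the Identification Profile
    other_policies: List[str]  # remaining policy-group names, kept as-is
    url_category: str          # first verdict field, e.g. IW_comp
    wbrs: Optional[float]      # Web Reputation Score; None for "-" or "ns"
    threat_notes: List[str]    # quoted verdict strings such as "Encrypted File"


def parse_acl_tag(tag: str):
    """Split DECISION_N-<access>-<identity>-... into the decision and its groups.

    The six names are separated from the right, so a decision such as
    BLOCK_AMW_RESP_12 (underscores, no hyphens) stays whole.
    """
    parts = tag.rsplit("-", 6)
    if len(parts) != 7:
        raise ValueError(f"unexpected ACL decision tag: {tag}")
    decision = re.sub(r"_\d+$", "", parts[0])  # drop the trailing counter
    return decision, parts[1], parts[2], parts[3:]


def parse_verdict(block: str):
    """Read URL category, WBRS score and quoted threat annotations from <...>."""
    fields = block.strip("<>").split(",")
    try:
        wbrs: Optional[float] = float(fields[1])
    except ValueError:  # "-" means no score, "ns" means not scored
        wbrs = None
    notes: List[str] = []
    for f in fields[2:]:
        if len(f) >= 2 and f[0] == '"' and f[-1] == '"':
            text = f[1:-1]
            if text in ("-", "Unknown") or text.lstrip("-").isdigit() or text in notes:
                continue  # placeholders and numeric codes carry no threat detail
            notes.append(text)
    return fields[0], wbrs, notes


def parse_line(line: str) -> AccessLogEntry:
    tokens = TOKEN.findall(line)
    if len(tokens) < 12:
        raise ValueError(f"too few fields: {line[:40]}")
    result, status = tokens[3].split("/")
    decision, access_policy, identity, others = parse_acl_tag(tokens[10])
    category, wbrs, notes = parse_verdict(tokens[11])
    return AccessLogEntry(float(tokens[0]), tokens[2], result, int(status), tokens[5],
                          tokens[6], tokens[7].strip('"'), decision, access_policy,
                          identity, others, category, wbrs, notes)


def parse_accesslog(text: str) -> List[AccessLogEntry]:
    """Parse every log line; CLI prompts, ". . ." and blank lines are skipped."""
    return [parse_line(l) for l in text.splitlines() if l[:1].isdigit()]


def grep(entries, needle: str):
    """The parsed equivalent of 'grep <needle> accesslogs' used in the lab."""
    return [e for e in entries if needle in e.url]


def was_blocked(entry: AccessLogEntry) -> bool:
    return entry.decision.startswith("BLOCK")


if __name__ == "__main__":
    for e in parse_accesslog(SAMPLE_ACCESSLOG):
        print(f"{e.decision:<17} policy={e.access_policy:<17} identity={e.identity:<12} "
              f"wbrs={e.wbrs} user={e.user} notes={e.threat_notes}")
```

The printed table reproduces what the exercises had you read by eye: the custom-category block carries the Developers_Policy access policy, the cisco.com entry has WBRS 6.5 and no threat notes, the tracking101 block carries adware at -7.6, Nina's and Harry's Confidential.zip requests differ only in the decision (BLOCK versus MONITOR) and the access policy (DefaultGroup versus HR), and the CONNECT line shows the decrypt decision that precedes the blocked GET.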


Lab 6 – Reporting and Web Tracking

In this lab you will utilize the reporting and web tracking capabilities of the WSA. If you want to try to do this lab without instructions, you don’t need any additional information. Simply apply the reporting and web tracking capabilities of the WSA to extract information about the activities that you have performed in Lab exercises 1 through 5.

Task A: Utilize reporting

1. In the WSA GUI, navigate to Reporting > URL Categories.

A. Identify the top URL category by total transactions.
B. Identify the top URL category by blocked and warned transactions.
C. For the table URL Categories Matched, replace Bandwidth Used with % Bandwidth Used:

1) In the lower right hand column of the table, click on the text that says Columns…
2) Uncheck the box that says Bandwidth Used. Check the box that says % Bandwidth Used.
3) Click Done.

D. Sort the table by % Bandwidth Used, by clicking on the header of the appropriate column.
E. Sort the table by Blocked by URL Category, and click on the category name (probably Gambling) in the left hand column.
F. Note the top site and top user in this category (by total transactions).
G. In the table Web Users, click on the name of the top user. Note the detailed information provided for this user.

2. In the WSA GUI, navigate to Reporting > Application Visibility.
A. Confirm that the table Application Types Matched shows Media.
B. Confirm that the table Applications Matched shows Windows Media.
C. Drill down on Windows Media (or any other application) to see the following:

1) Who viewed this media
2) When the media was viewed
3) What web sites the media was viewed from

3. In the WSA GUI, navigate to Reporting > Malware.

A. Note that EICAR-AV-Test is listed in the Malware Threats table. This is because you tried to download eicar.com.txt.

B. Note that Comedy-Planet is listed in the Malware Threats table. This is because you tried to upload CP22.exe.

C. Drill down to see who attempted to upload Comedy-Planet, and when.

4. Briefly look at some other reports, such as the following.

A. Reporting > Client Malware Threat
B. Reporting > Users
C. Reporting > Web Sites
D. Reporting > Web Reputation Filters

Task B: Utilize web tracking


5. In the WSA GUI, navigate to Reporting > Web Tracking. In the Search box:
A. For Time Range, select Day.
B. Leave User/Client IP blank.
C. For Website, enter outside.wsa.train.
D. For Transaction Type, select All Transactions.
E. Click the Search button.
F. In the Results table, click the text that says Display Details…
G. For at least one transaction, click the text that says RELATED TRANSACTIONS.
H. Note that the HTML components (images, Javascript, etc.) associated with the page are displayed.

6. Modify the web tracking search as follows. In the Search box:
A. Change Website to blank.
B. Change Transaction Type to Blocked.
C. Click the Search button.
D. In the Results table, click the text that says Display Details…
E. Note the reasons that the transaction was blocked, as well as the details about the threat.

7. Modify the web tracking search as follows. In the Search box:

A. Change Transaction Type back to All Transactions.
B. Click Advanced to search transactions using advanced criteria.

1) Under Malware Threat, select the Filter by Malware Category radio button.
2) Select Encrypted File from the drop-down menu.

C. Click the Search button.
D. In the Results table, click the text that says Display Details…
E. In the Results box, you should see:

1) Harry was allowed to download an encrypted file.
2) Nina’s attempt to download an encrypted file was blocked.
If you do not see this, perhaps you did not complete Task C of Lab 5.

8. Modify the web tracking search as follows. In the Search box:
A. Click Advanced to search transactions using advanced criteria.

1) Under Policy, select the Filter by Policy radio button.
2) Enter HR into the Filter by Policy text field.

B. Click the Search button.
C. In the Results table, click the text that says Display Details…
D. In the Results box, you should see:

1) Harry was allowed to download an encrypted file.
2) There should be no information about Nina.


Lab 7 – Adaptive Scanning

The goal of this lab is to compare pre-7.5 malware scanning with the Adaptive Scanning feature available in 7.5. You will emulate pre-7.5 behavior on the 7.5 WSA by disabling Adaptive Scanning. If you want to try to do this lab without instructions, here is the information you need to know:

• There is a website on the internet called ihaveagoodreputation.com, with a Web Reputation Score (WBRS) of 9.5.

• DNS is configured in the lab to redirect traffic to ihaveagoodreputation.com to an internal website that we have malware on.

The idea is to compare what happens when adaptive scanning is enabled (default) and disabled.
• When Adaptive Scanning is enabled, malware from ihaveagoodreputation.com should be blocked.
• When Adaptive Scanning is disabled, malware from ihaveagoodreputation.com should not be blocked.

1. First observe how adaptive scanning affects the configuration of the WSA. Adaptive Scanning is enabled by default.
A. In the WSA GUI, navigate to Web Security Manager > Access Policies.
B. Click on the Web Reputation and Anti-Malware Filtering settings for the Global Policy.
C. Note (see figure below):

1) You can enable or disable Web Reputation Filtering, but cannot change the thresholds. 2) You can enable or disable Anti-Malware Scanning, but cannot choose the engines.

2. Show how adaptive scanning functions when proxy load is low.

A. In Firefox, browse to ihaveagoodreputation.com. This site has a Web Reputation Score (WBRS) of 9.5.

B. Click on the link to Malware files.
C. Click on the eicar.com.txt link. You should be blocked. Since the proxy load is low, the object is scanned, even though the reputation of the website is very high.

Note: You can see the WBRS of 9.5 in the access log:

1337726500.940 122 172.20.11.250 TCP_DENIED/403 0 GET http://ihaveagoodreputation.com/malware/eicar.com.txt "WSA\allen@ADrealm" DIRECT/ihaveagoodreputation.com application/octet-stream BLOCK_AMW_RESP_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <nc,9.5,0,"-",0,0,0,27,"-",0,1,6,"EICAR test file",-,-,"-","-",-,-,nc,-,"Virus","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

3. Disable Adaptive Scanning. This will make the WSA imitate the pre-7.5 versions.

A. In the WSA GUI, navigate to Security Services > Anti-Malware and Reputation.
B. Click Edit Global Settings.
C. Uncheck the Enable Adaptive Scanning checkbox.
D. Submit and commit your changes.

4. Observe how adaptive scanning being disabled affects the configuration of the WSA.
A. In the WSA GUI, navigate to Web Security Manager > Access Policies.
B. Click on the Web Reputation and Anti-Malware Filtering settings for the Global Policy.
C. Note (see figure on next page):

3) You can enable or disable Web Reputation Filtering, and can change the thresholds.
4) You can enable or disable Anti-Malware Scanning, and can choose between Sophos and McAfee (but cannot choose both).

5. In Firefox, go back to ihaveagoodreputation.com, and under Malware Files try downloading the

eicar.com.txt file. You will not be blocked. This is the pre-7.5 WSA behavior. Objects downloaded from websites with WBRS from 6.0 to 10.0 are not scanned.
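As an added example (not part of the lab guide and not the WSA's own code), the following Python parses the access log entry shown above, splits the ACL decision tag into action, reason and policy groups, pulls the WBRS score out of the verdict block, and compares what the legacy (pre-7.5) thresholds would have done with what Adaptive Scanning did at low proxy load. The high-load branch of adaptive_scans_object and the assumption that policy-group names contain no hyphen are this example's own, not statements from the lab.

```python
import csv
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the Lab 7 access log entry reassembled onto one line
# (values as printed in the lab guide; nothing else here is real data).
SAMPLE_LINE = (
    '1337726500.940 122 172.20.11.250 TCP_DENIED/403 0 GET '
    'http://ihaveagoodreputation.com/malware/eicar.com.txt "WSA\\allen@ADrealm" '
    'DIRECT/ihaveagoodreputation.com application/octet-stream '
    'BLOCK_AMW_RESP_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup '
    '<nc,9.5,0,"-",0,0,0,27,"-",0,1,6,"EICAR test file",-,-,"-","-",-,-,nc,-,'
    '"Virus","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -'
)

# Squid-style prefix, then the ACL decision tag, then the <...> scanning verdict block.
ACCESS_LOG_RE = re.compile(
    r'^(?P<timestamp>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client_ip>\S+)\s+'
    r'(?P<result_code>[A-Z_]+)/(?P<http_status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+'
    r'(?P<hierarchy>\S+)\s+(?P<mime>\S+)\s+(?P<decision_tag>\S+)\s+'
    r'<(?P<verdict>.*)>(?:\s+(?P<trailer>\S+))?\s*$'
)

# Policy-group names that follow the decision tag, in the documented order:
# ACTION_REASON_nn-Access-Identity-OutboundMalware-DataSecurity-ExternalDLP-Routing
POLICY_SLOTS = ['access', 'identity', 'outbound_malware', 'data_security',
                'external_dlp', 'routing']


@dataclass
class AccessLogRecord:
    result_code: str
    http_status: int
    url: str
    user: str
    action: str                 # BLOCK, ALLOW, MONITOR, ...
    reason: str                 # e.g. AMW_RESP = anti-malware verdict on the response
    policies: Dict[str, str]
    wbrs: float                 # Web Reputation Score of the site
    verdict_fields: List[str] = field(default_factory=list)


def parse_decision_tag(tag: str):
    """Split 'BLOCK_AMW_RESP_11-DefaultGroup-...' into action, reason and policy names.
    Assumption: policy-group names contain no '-' (true for the lab's DefaultGroup)."""
    head, *groups = tag.split('-')
    parts = head.split('_')
    if parts[-1].isdigit():            # drop the trailing numeric code (_11)
        parts = parts[:-1]
    return parts[0], '_'.join(parts[1:]), dict(zip(POLICY_SLOTS, groups))


def parse_access_log_line(line: str) -> AccessLogRecord:
    m = ACCESS_LOG_RE.match(line.strip())
    if not m:
        raise ValueError('not a WSA access log line')
    # The verdict block is comma separated with quoted strings; csv handles the quotes.
    verdict = next(csv.reader([m.group('verdict')]))
    action, reason, policies = parse_decision_tag(m.group('decision_tag'))
    return AccessLogRecord(
        result_code=m.group('result_code'),
        http_status=int(m.group('http_status')),
        url=m.group('url'),
        user=m.group('user').strip('"'),
        action=action, reason=reason, policies=policies,
        wbrs=float(verdict[1]),        # second verdict field is the WBRS (9.5 here)
        verdict_fields=verdict,
    )


def legacy_scans_object(wbrs: float) -> bool:
    """Pre-7.5 behaviour (Adaptive Scanning disabled) as stated in the lab:
    objects from sites with WBRS 6.0 to 10.0 are not scanned."""
    return not (6.0 <= wbrs <= 10.0)


def adaptive_scans_object(wbrs: float, proxy_load_low: bool) -> bool:
    """Adaptive Scanning as exercised in the lab: at low proxy load every object is
    scanned regardless of reputation. The high-load branch is this example's own
    assumption (fall back to the legacy thresholds), not something the lab states."""
    return True if proxy_load_low else legacy_scans_object(wbrs)


def explain_malware_block(rec: AccessLogRecord) -> str:
    """Say whether a response-side anti-malware block depended on Adaptive Scanning,
    i.e. whether the legacy thresholds would have skipped scanning this object."""
    if rec.action != 'BLOCK' or not rec.reason.startswith('AMW'):
        return 'not an anti-malware block'
    if legacy_scans_object(rec.wbrs):
        return 'blocked; legacy thresholds would also have scanned this object'
    return (f'blocked only because Adaptive Scanning scanned a high-reputation site '
            f'(WBRS {rec.wbrs}); legacy mode would not have scanned it')
```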


Lab 8 – Advanced Malware Protection (AMP)

In this lab you will configure and test Advanced Malware Protection (AMP) on the WSA. Before we begin this tutorial, as an optional exercise, we recommend that you watch a video on the AMP integration on the WSA. This video walks through the configuration steps (similar to what we have in this module) and the basic use-cases addressed by AMP. After watching the video, proceed to Task A.

Video Link (shortened link for YouTube video): http://bit.ly/1FMpzMW
<Note: Play this video on your own machine rather than in the Windows RDP session for a better visual experience.>

Task A: Enable AMP File Reputation and File Analysis
1. In the WSA GUI, navigate to Security Services > Anti-Malware and Reputation.
A. Click Edit Global Settings…
B. Under Advanced Malware Protection Services, check the check box for Enable File Reputation Filtering. Accept the agreement on the next screen.
C. Once again, click Edit Global Settings…
D. Under Advanced Malware Protection Services, check the check box for File Analysis. Accept the agreement on the next screen.
E. Submit and Commit Changes.
F. Click on Update Now.
G. Submit & Commit Changes.

Task B: Configure AMP controls in Access Policies
2. In the WSA GUI, navigate to Web Security Manager > Access Policies.
A. For the Global Policy row at the bottom of the table, click on the text in the Anti-Malware and Reputation column.
B. Under Advanced Malware Protection Settings, check the check box for Enable File Reputation Filtering and File Analysis.
C. For Known Malicious and High-Risk Files, set the check mark to Block.
D. Click Submit at the bottom of the page.
E. Commit the changes all the way through. (Click on Commit Changes on 2 separate pages.)


Task C: Test File Reputation Filtering
3. Clear the Firefox cache, shut down Firefox, open it back up, navigate to the Lab Exercise page and log in as WSA\nina (password: ironport).
4. If you have completed Lab 3, Task A, you will have configured the WSA to block executables as part of the Global Policy. You will need to allow executables to proceed with this lab. To do so, in another tab, go to Web Security Manager > Access Policies, for the Global Policy click on the text under Objects, and uncheck all 3 executable file types. Submit all the way through.
5. If you don't have accesslogs running in a separate PuTTY window, you may do so at this stage. For more information on how to tail accesslogs, please refer to Lab 1, Steps 11 and 12.
6. Open a new tab in the Firefox window.
A. Click on the bookmark for the Lab Exercise Page.
B. Under Files (HTTP), click on the link for Malware Files.
C. Click on the link for Tool.exe. There will be an EUN showing it is blocked by AMP.
D. Go to the following website and try to download the Zombie.pdf file, which is a malicious PDF with a backdoor.
E. Link: http://mysite.science.uottawa.ca/rsmith43/zombies.pdf (alternatively, you can google zombies.pdf and click the first link in the search results).
F. It will be blocked by AMP.

Note: The browser may attempt to load the PDF application, but the WSA will block all content and the PDF will not render in the browser.

G. Check the access logs and AMP reports for more details.

Task D: AMP File Reputation Reports
7. In the WSA GUI, navigate to Reporting > Advanced Malware Protection.
A. Check the 2 transactions which were blocked for tool.exe and zombie.pdf.
B. Check the different reporting widgets for blocked/monitored files. In the table for Malware Threat Files, click on the first SHA in the table.
C. The report for the specific SHA will give all the users that have tried downloading file(s) matching the selected SHA.
D. The Files Matched table at the bottom of the page shows the 2 files that match the selected SHA and were attempted for download. Click on the transactions blocked for either of the files for a detailed web tracking report for each transaction matching the file.


Lab 9 – Time and Volume Based Quotas

1. How to set up Time and Volume based quota Profiles.
2. Apply these Profiles to Access Policies.
3. Apply these Profiles to Decryption Policies.
4. Track usage of users.
5. Set up a warning (EUN) for users approaching the Quota limit.

1: How to set up Time and Volume based quota Profiles.

Create three Quotas: Overall Web Surfing Usage, Social Networking Usage & Streaming Video Usage.
• In the WSA GUI, navigate to Web Security Manager > Define Time Ranges and Quotas.
• Click Add Quota.
• For Quota Name, enter the name Overall Web Surfing Usage.
• Under Reset Time/Time Range, check the box for Reset this Quota Daily at: 12:00 AM.
• Under Quotas, select the checkbox for Time Quota and enter 15 mins.
• Click Submit.
• Click Add Quota.
• For Quota Name, enter the name Social Networking Usage.
• Click on the Select a Pre-defined Time Range button and select Peak Hours (this may not appear as an option if you have NOT completed Lab 2-4. If that's the case, disregard it and continue to the next step).
• Under Quotas, select the checkbox for Time Quota and select 5 mins.
• Click the Submit button in the lower right of the page.
• Click on Add Quota.
• For Quota Name, enter the name Streaming Video Usage.
• Under Reset Time/Time Range, check the box for Reset this Quota Daily at: 12:00 AM.
• Under Quotas, select the Volume Quota and enter 5 MB.
• Click the Submit button in the lower right of the page.
• Click on Commit Changes and in the comments enter "Quota based restriction".

2: Mapping the Time and Volume Quotas to the Access Policies:
• In the WSA GUI, navigate to Web Security Manager > Access Policies.
• Click on URL Filtering in the Developer Policy (you may not have the Developer Policy if you have not completed the previous labs. In that case, use the URL Filtering column of the Global Policy).
• Under Predefined URL Category Filtering, scroll down to Social Networking and select Quota Based.
• Under Social Networking > Pre-defined Quota Profile, select Social Networking Usage.
• Scroll further down to Streaming Video and select Quota Based.
• Under Streaming Video > Pre-defined Quota Profile, select Streaming Video Usage.
• Scroll further down to Overall Web Activities Quota and select Overall Web Surfing Usage.
• Click on the Submit button.
• In the WSA GUI, navigate to Web Security Manager > Access Policies.
• Go to Applications > Edit Application Settings > Define Application Custom Settings (does not apply to the Global Policy).
• Under Media, disable Bandwidth Limit.
• Click on Submit and Commit Changes.

3: Mapping the Time and Volume Quotas to the Decryption Policies:
• In the WSA GUI, navigate to Web Security Manager > Decryption Policies.
• Click on URL Filtering in the Developer Policy.
• Under Predefined URL Category Filtering, decrypt the following categories:
• Under Social Networking, select Decrypt.
• Scroll further down to Streaming Video.
• Under Streaming Video, select Decrypt.
• Scroll further down to Overall Web Activities Quota and select Overall Web Surfing Usage.
• Click on the Submit button and Commit Changes.

4: Set up a warning (EUN) for users approaching the Quota limit.
• In the WSA GUI, navigate to Security Services > End User Notification.
• Click on Edit Settings.
• Scroll down to Time and Volume Quotas Expiry Warning Page.
• Check "The percentage of each volume quota reaches" and set it to 10%.
• Check "The amount of time left on each time quota reaches" and set it to 2 mins.
• Click on Preview Time and Quota Expiry Warning Pages.
• Submit the changes.
• Commit the changes.

5: Verify the Settings
• Close your existing Firefox browser.
• Open the Firefox browser again and log in as WSA\eyetea (member of the IT department), password ironport.
• Now in the browser go to www.google.com, and also browse to www.youtube.com and play any video.
• In parallel, SSH to the WSA and log in using U: admin, password: Cisco123$.
• Run the command quotaquery.
• Search for user eyetea (this will tell you the quota remaining for that specific user).
• Log in to Facebook and browse for more than 5 mins; you will get an EUN page.
• Browse through a couple of other videos on YouTube. You may get the revolving cursor suggesting that the video is loading, but continue clicking on some other videos. As soon as the usage hits the warning limit you will get an EUN stating that you are approaching your quota limit.
• Go to the CLI of the WSA and again run the command quotaquery > resetall (Y).
• Refresh your Facebook page and view any YouTube video. You will be able to do both, as the quotas have been reset.


Lab 10: Custom Headers

In this lab, we will set up the WSA to insert custom headers in outgoing requests for specific domains. To demonstrate insertion of custom headers, we will be using YouTube for Schools. For more information about it, please visit www.youtube.com/schools. Typically a school or school district signs up for a YouTube for Schools account to limit access to only educational content on YouTube.com. YouTube issues a unique key to the school admin. This key needs to be inserted into every web request from the school to YouTube, so that YouTube.com can filter out any inappropriate content. For this lab, you can either sign up for a new YouTube for Schools account and get a new key, or use an existing key, which was issued specifically for this lab. The header:key pair is X-YouTube-Edu-Filter:V2YHohtt7u8nWHdSoT6WFQ

Task 1: Watch a non-educational video
1. In your Firefox browser, go to www.youtube.com
2. Search for a video that would be inappropriate in a school setting. We recommend going with search terms such as 'Gangnam Style' or 'Justin Bieber', which are wildly popular among school kids.
3. Once the video starts streaming, pause it. We will need this video to test the Custom Headers feature.

Task 2: Configure the WSA for Custom Headers
4. In the SSH session to the WSA, issue the command advancedproxyconfig
• If you have closed the previous session, start a new SSH session using PuTTY from the desktop.
5. Configuring the WSA
A. Type in CUSTOMHEADERS. (You can start with CUST and then hit TAB for auto-complete.)
B. Type in NEW.
C. Paste the following string in the custom HTTP header field: X-YouTube-Edu-Filter:V2YHohtt7u8nWHdSoT6WFQ
D. For suffix of domains, type in www.youtube.com, www.ytimg.com
E. Hit Return/Enter twice to return to the main prompt.
F. Commit your changes by typing in commit. Enter a meaningful description for the changes.

Task 3: Watch the video from Task 1 again
6. In your Firefox browser, go to the video you had paused in Task 1. Hit refresh. The video will be blocked by the YouTube Education Filter.
7. Try searching with the same search term you used in Task 1. This time around you will observe that the search results are different, with all of the content being served from sources classified as educational.
8. Click on the YouTube logo in the upper left corner of your browser window. You will be redirected to the YouTube EDU homepage.

Task 4: Packet Capture on the WSA (Optional)
9. From the WSA GUI, go to Support and Help > Packet Capture.
10. Click Start Capture.
11. Quickly navigate to www.youtube.com from your Firefox browser and search for any video (you can reuse the search terms from Task 1). Play any video.
12. Alternatively, go to google.com and search using the same search terms. You can filter the results by selecting the Video tab. Play any of the listed videos.
13. Go back to the WSA GUI and stop the packet capture.
14. Download the pcap to your desktop and open it using Wireshark.
15. In Wireshark, filter with http
16. View the communication from the WSA (172.20.11.103) to the YouTube servers. You should be able to locate the X-YouTube-Edu-Filter header in one of the GET requests (screenshot below).
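As an added example (this is not the lab guide's or the WSA's own code), the following Python models what Tasks 2 and 4 exercise: a custom-header rule keyed on domain suffixes, the outgoing request the proxy would emit with the X-YouTube-Edu-Filter header inserted, and a lookup of that header in the captured request, which is what you confirm in Wireshark. The suffix-matching rule in CustomHeaderRule.matches (host itself plus any sub-domain, case-insensitive) is this example's assumption about the CLI's "suffix of domains" semantics, not a statement from the lab.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CustomHeaderRule:
    """One entry as configured under advancedproxyconfig > CUSTOMHEADERS."""
    name: str
    value: str
    domain_suffixes: Tuple[str, ...]

    def matches(self, host: str) -> bool:
        # Assumption of this example: a configured suffix matches the host itself
        # and any sub-domain of it, compared case-insensitively.
        host = host.lower().rstrip('.')
        return any(host == s or host.endswith('.' + s)
                   for s in map(str.lower, self.domain_suffixes))


# The rule from Lab 10: header:key pair and the two domain suffixes typed into the CLI.
LAB_RULES = [CustomHeaderRule('X-YouTube-Edu-Filter', 'V2YHohtt7u8nWHdSoT6WFQ',
                              ('www.youtube.com', 'www.ytimg.com'))]


def apply_custom_headers(url: str, headers: Dict[str, str],
                         rules: List[CustomHeaderRule]) -> Dict[str, str]:
    """Return the outgoing header set for a request to url, adding every matching rule's header."""
    host = urlsplit(url).hostname or ''
    out = dict(headers)
    for rule in rules:
        if rule.matches(host):
            out[rule.name] = rule.value
    return out


def build_request(method: str, url: str, headers: Dict[str, str]) -> bytes:
    """Serialise the request as the proxy sends it upstream (what the pcap shows)."""
    parts = urlsplit(url)
    target = parts.path or '/'
    if parts.query:
        target += '?' + parts.query
    lines = [f'{method} {target} HTTP/1.1', f'Host: {parts.hostname}']
    lines += [f'{k}: {v}' for k, v in headers.items() if k.lower() != 'host']
    return ('\r\n'.join(lines) + '\r\n\r\n').encode('ascii')


def find_header(raw_request: bytes, name: str) -> Optional[str]:
    """Look up a header in a captured request, as you would with Wireshark's http filter."""
    head = raw_request.split(b'\r\n\r\n', 1)[0].decode('ascii', 'replace')
    for line in head.split('\r\n')[1:]:          # skip the request line
        key, _, value = line.partition(':')
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def proxied_request(method: str, url: str, headers: Dict[str, str],
                    rules: List[CustomHeaderRule] = LAB_RULES) -> bytes:
    """Client request in, upstream request out, with the configured custom headers applied."""
    return build_request(method, url, apply_custom_headers(url, headers, rules))
```

Under this model only hosts that end in one of the configured suffixes get the header, so a request to youtube.com without the www prefix, or to a ytimg.com host other than www.ytimg.com, goes out unchanged; the packet capture in Task 4 is where you confirm which requests actually carried it.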


Lab 11: High Availability

High Availability was introduced on the WSA with the release of AsyncOS 8.5. It provides the option to create multiple failover groups, with one WSA as the master and multiple WSAs as backups, for efficient load balancing and failover.

• How to set up High Availability on a Master and a Backup WSA
• Send traffic to the HA Virtual IP (VIP)
• Disable the Master and see HA in action as the Backup becomes the Master
• Enable the Master and see how the Master reclaims its role
• Troubleshooting/CLI commands

A: Configuring the WSA s100v-alpha.wsa.train as MASTER:
1: Navigate to Network > High Availability
2: Click on Add Failover Group
3: Under Failover Group ID, type in 10
4: Under Description, type "Master"
5: In the Hostname, enter "s000v-alpha.wsa.train"
6: Under Virtual IP Address and Netmask, type "172.20.11.105/24"
7: In the Interface, select "Management"
8: Under Priority, select "Master"
9: Click on Submit
10: Under High Availability Global Settings, click on Edit Settings.
11: Change the Failover Handling to Preemptive and click on Submit.
12: Now click on Commit Changes in order for these settings to take effect.


B: Configuring the WSA s200v-alpha.wsa.train as BACKUP:

From the Win7 PC, connect to the WSA management GUI of s200v-alpha.wsa.train as follows.

a. Open Firefox and connect to http://172.20.11.107:8080, OR click on "WSA Backup" in the bookmark toolbar of the Firefox browser.
b. Log in with username admin and password ironport. ** Please run the setup wizard again for s200v using the WSA GUI **
c. Navigate to System Administration > System Setup Wizard. The wizard is divided into four groups (numbered 1 through 4 in the GUI):

1. Start
Accept the license agreement by checking the check box and click Begin Setup>>. You may or may not see this screen, depending on whether this was a fresh install or whether this instance has been recycled for this lab. If you do not see this screen, move on to Step 2.

2. Network
This section consists of six separate pages. <Note: We recommend that you copy and paste IP addresses into the relevant sections of the System Setup Wizard to eliminate avenues for introducing errors.>

H. System Settings
Hostname: s200v-alpha.wsa.train
DNS Server 1: 172.20.11.210
NTP Server: 128.107.212.175
Time zone: Set the time zone to America > United States > Pacific Time (Los Angeles)
Appliance Mode: Standard. (Cloud Web Security Connector mode is not covered in this lab.)
Click Next>>

I. Network Context
Look over this page, but leave the settings unchanged. Click Next>>

J. Network Interfaces and Wiring
Look over this page, but leave the settings unchanged. Note: With AsyncOS 8.8, each interface can have an IPv4 and an IPv6 address. Click Next>>

K. Layer 4 Traffic Monitor Wiring
Look over this page, but leave the settings unchanged. Click Next>>

L. Routes for Management and Data Traffic (Interface M1: 172.20.11.103)
Default Gateway: 172.20.11.2
Click Next>>

M. Transparent Connection Setting
Look over this page, but leave the settings unchanged.


Click Next>>

N. Administrative Settings
Password: Cisco123$
Email system alerts to: [email protected]
Uncheck AutoSupport (in a production environment, leave this checked)
Uncheck Network Participation (in a production environment, leave this checked)
[Note: You uncheck these to stop the class S-Series from sending information to Cisco.]
Click Next>>

3. Security
B. Under Malware and Spyware Scanning, for Action for Detected Malware, select the Block radio button. Click Next>>

4. Review
Look over your settings, and edit any that look wrong by clicking Edit on the right hand side. Install your initial configuration by clicking Install This Configuration.

16. At this point the WSA will redirect you to the "System Setup Next Steps" page. If you do not see this page, hit the WSA Backup bookmark again.

17. Confirm that the S-Series web proxy is enabled and note the proxy port numbers, as follows.
C. In the WSA GUI, navigate to Security Services > Web Proxy.
D. Under Basic Settings, you should see:
HTTP Ports to Proxy: 80, 3128
Proxy: Enabled

If for some reason the proxy is disabled, the System Setup Wizard probably did not complete correctly, and will have to be re-run.

C: Configuring the WSA s200v-alpha.wsa.train as BACKUP:
1: Navigate to Network > High Availability
2: Click on Add Failover Group
3: Under Failover Group ID, type in 10
4: Under Description, type "Backup"
5: In the Hostname, enter "s000v-alpha.wsa.train"
6: Under Virtual IP Address and Netmask, type "172.20.11.105/24"
7: In the Interface, select "Management"
8: Under Priority, select "Backup" with Priority 10.
9: Click on Submit
10: Under High Availability Global Settings, click on Edit Settings.
11: Change the Failover Handling to Preemptive and click on Submit.
12: Now click on Commit Changes in order for these settings to take effect.
13: Ping the VIP (172.20.11.105) to check that the configuration is correct.


D: Tail the access logs on Master and Backup and change the proxy to the VIP

1: Click on PuTTY on the Desktop
2: Click on S100v-alpha.wsa.train and S200v-alpha.wsa.train
3: Log in to both appliances
4: Type the command "tail accesslogs" on both appliances (s100v and s200v)
5: Go to the Internet browser > Tools > Internet Options > Connections > LAN Settings. Under Proxy Server, change the IP address to 172.20.11.105. Make sure you use the IP address of the VIP and NOT the primary or the backup WSA.
6: Browse a few websites (www.google.com, www.yahoo.com etc.) using the changed proxy settings and check the access logs on both appliances.

E: Testing that failover works by disabling the Failover Group on the Master (replicating the real-world case where the Master WSA goes down)
A: Open the GUI interface of s100v-alpha.wsa.train (172.20.11.103)
B: Go to Network > High Availability
C: Edit Failover Group 10 > uncheck Enable Failover Group > Submit
D: Verify in the Latest Status > Disabled (it should show Disabled)
E: Commit Changes
F: Open the GUI interface of S200v-alpha.wsa.train
G: Go to Network > High Availability
H: Click on "Refresh Status"
I: Under "Latest Status" it will show Master
J: Go to the SSH session of s200v and validate that the traffic is hitting the backup appliance by browsing a couple of websites.
K: Also verify that no traffic is hitting the master (check the SSH window of S100v).

F: When the Master WSA comes back online, how the change of role works
1: Log on to the GUI interface of S100v-alpha.wsa.train
2: Go to Network > High Availability
3: Edit Failover Group 10 > check Enable Failover Group > Submit
Note: As we have set the Failover Handling to Preemptive, when the Master WSA gets back online it will take precedence and become Master again.
4: Commit Changes
5: Click on Refresh Status
6: Within a few seconds the S100v becomes Master again and the S200v becomes Backup


G: Failover debug commands using the CLI

1: SSH to the s100v and s200v appliances
2: Type in the command "failoverconfig"
3: Verify your settings
4: Type in TESTFAILOVERGROUP and enter 10 (the Failover Group ID)

Note: These are the logs you will see, which indicate CARP IN and CARP OUT for Backup and Master.
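To make the Preemptive setting from steps E and F concrete, here is an added example (a small model written for this page, not AsyncOS code) of failover group 10: s100v as the configured Master, s200v as Backup with priority 10, and a refresh_status that recomputes who holds the VIP. The ranking rule (configured Master always preferred, then backups by priority) and the non-preemptive "incumbent keeps the VIP until it fails" behaviour are this model's assumptions; the lab only states the preemptive case.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    hostname: str
    role: str             # configured role: 'Master' or 'Backup'
    priority: int = 0     # backups are ranked by priority; the lab uses 10 for s200v
    enabled: bool = True  # the 'Enable Failover Group' checkbox on this appliance


@dataclass
class FailoverGroup:
    """Model of one WSA failover group (this example's own model, not AsyncOS code)."""
    group_id: int
    vip: str
    members: List[Member]
    preemptive: bool = True
    active: Optional[str] = None    # hostname currently answering on the VIP

    def __post_init__(self):
        self.refresh_status()

    def _candidates(self) -> List[Member]:
        # Assumption: the configured Master is always preferred; among backups a
        # higher priority wins. Members with the group disabled never take the VIP.
        ranked = sorted(self.members, key=lambda m: (m.role != 'Master', -m.priority))
        return [m for m in ranked if m.enabled]

    def refresh_status(self) -> Dict[str, str]:
        """Equivalent of 'Refresh Status' in the GUI: recompute who holds the VIP."""
        candidates = self._candidates()
        incumbent = next((m for m in candidates if m.hostname == self.active), None)
        if not candidates:
            self.active = None                      # nobody left to serve the VIP
        elif self.preemptive or incumbent is None:
            self.active = candidates[0].hostname    # best available member takes over
        else:
            self.active = incumbent.hostname        # non-preemptive: keep the incumbent
        return self.status()

    def status(self) -> Dict[str, str]:
        """What 'Latest Status' would show for each member."""
        out = {}
        for m in self.members:
            if not m.enabled:
                out[m.hostname] = 'Disabled'
            elif m.hostname == self.active:
                out[m.hostname] = 'Master'
            else:
                out[m.hostname] = 'Backup'
        return out

    def set_enabled(self, hostname: str, enabled: bool) -> Dict[str, str]:
        """Tick or untick 'Enable Failover Group' on one appliance and commit."""
        for m in self.members:
            if m.hostname == hostname:
                m.enabled = enabled
                break
        else:
            raise KeyError(hostname)
        return self.refresh_status()


def lab_group(preemptive: bool = True) -> FailoverGroup:
    """Failover group 10 from Lab 11: VIP 172.20.11.105, s100v Master, s200v Backup."""
    return FailoverGroup(10, '172.20.11.105',
                         [Member('s100v-alpha.wsa.train', 'Master'),
                          Member('s200v-alpha.wsa.train', 'Backup', priority=10)],
                         preemptive=preemptive)


def run_lab_sequence(preemptive: bool) -> List[str]:
    """Steps E and F: disable the master, then re-enable it; return who held the VIP."""
    g = lab_group(preemptive)
    history = [g.active]
    g.set_enabled('s100v-alpha.wsa.train', False)   # step E: master goes away
    history.append(g.active)
    g.set_enabled('s100v-alpha.wsa.train', True)    # step F: master comes back
    history.append(g.active)
    return history
```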


Lab 12: Cisco Advanced Web Reporting (Web Security Appliance and Cloud Web Security)

Cisco Advanced Web Reporting polls log data collected from a Cisco Web Security Appliance and Cloud Web Security. It provides reports and dashboards to get insight into large volumes of WSA and CWS logs.

WSA vs CWS in terms of sending logs:
1. WSA – On-Premise. It pushes logs using FTP, Syslog and SCP.
2. CWS – pushes the data to data storage and exposes it through an API.

Note: Video on Cisco Advanced Web Reporting https://www.youtube.com/watch?v=uydUBGNOpN0


Verify the Connection settings for WSA and CWS:

Step 1: Open Firefox on Windows 7 and click on the "WSA Advance Reporting" favorite in the toolbar (http://localhost:8888). Note: You may need to clear your explicit proxy settings in Firefox so that it does NOT go through the WSA. Also, PDF generation will only work with Firefox and NOT with Internet Explorer.

Step 2: Enter the credentials Username: admin and Password: Splunk@dmin.

Step 3: Verify the connection settings of WSA and CWS:
For WSA - Click on Settings (on the top) > Data > Data Inputs > Files & Directories. Check that the following values match: C:\Logs; Set Host: constant value; Host field value: WSA1; Set Source Type: Manual; Source type: wsa_accesslogs; Index: Default. Click Save at the bottom of the page.
For CWS - Click on Settings (on the top) > Data > Data Inputs > Cisco CWS Log. Make sure the following fields match:
CWS Client ID: 2161402506
S3_key: A_W-7XFVEGCUPHPQQR1Y
S3_Secret: 0D9TiZhisdLf13dCAMqvQVkgxVievsnQv4iWiA==

Note: The CWS Client ID, S3_key and S3_secret are provided to a customer once they sign up for either the Hybrid SKU or the CWS Log extraction SKU.

Extracting meaningful Reports from Advanced Web Reporting (WSA and CWS)

A: Overview
Step 1: Under the Overview page, click on the first column (DAY) and then under Presets click on Last 30 days.
Step 2: Wait a couple of seconds for the progress bar to load the different widgets' data completely. If you don't see any data, set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.
Step 3: Browse through the complete page to check the Total Web Proxy Activity, Suspected Transactions Activity, Top URL Categories by Total Transactions, Top Malware Categories and Top Users by Blocked or Warned Transactions. Note: This is a unified report for Cloud and On-Premises Web Security.

WSA Overview Report:
Step 1: Now under the Overview page, select Date Range from 15th September to 30th September 2015 and then click on Apply.
Step 2: Under Data Source select WSA and under Host select All Hosts (all WSA appliances).
Step 3: Export this report to PDF.


CWS Overview Report:
Step 1: Now under the Overview page, select Date Range from 15th September to 3rd October 2015 and then click on Apply. Note: Alternatively, you could also set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.
Step 2: Under Data Source select CWS.
Step 3: Export this report to PDF.

B: Users Menu
Step 1: Click on Users on the top menu and then select the Time Range from 1st September 2015 to 30th September 2015. Note: Alternatively, you could also set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.
Step 2: Scroll down to the Users and sort by the maximum Bandwidth Used.
Step 3: Click on the <Top user> which has consumed the maximum Bandwidth.
Step 4: This will take us to the User Drilldown option for the <TOP USER>.
Step 5: Export this report in PDF format.

C: Websites Menu
Step 1: Click on Websites on the top menu and then select the Time Range from 1st September 2015 to 30th September 2015. Note: Alternatively, you could also set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.
Step 2: Scroll down under Domain Matched and sort by the maximum Time_Spent.
Step 3: Click on the <Top domain>, the domain on which the most time has been spent.
Step 4: This will take us to the Domain Drilldown for the specific domain and give us more information on the Top Users by Total Transactions and also the Trend for those transactions.
Step 5: Export this report in PDF format.

D: URL Category Menu
Step 1: Click on URL Categories on the top menu and then select the Time Range from 1st September 2015 to 30th September 2015. Note: Alternatively, you could also set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.


Step 2: Scroll down under URL Categories Matched and sort by Bandwidth Saved by Blocking.
Step 3: Click on the <Top URL Category> which has saved the maximum Bandwidth.
Step 4: This will take us to the URL Categories Drilldown for the specific domain and specific user.
Step 5: Export this report in PDF format.

E: Application Visibility Menu
Step 1: Click on Application Visibility on the top menu and under Presets select a Week.
Step 2: Scroll down under Application Type Matched and sort by Bandwidth Used.
Step 3: Click on the <Top Application Type> which has used the maximum Bandwidth.
Step 4: This will take us to the Application Type Drilldown for the top application matched and Top User Matched.
Step 5: Export this report in PDF format.

F: Other Dashboards
Security Reports – Anti-Malware
Step 1: Click on Other Dashboards > Security > Anti-Malware. Set the Time Range from 1st September 2015 to 30th September 2015. Note: Alternatively, you could also set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.
Step 2: Scroll down to the Malware Threats and sort by Bandwidth Saved by Blocking.
Step 3: Click on the <Top Malware> and it will take you to the Malware Drilldown page.
Step 4: Export this report to PDF.

Security Reports – Advanced Malware Protection
Step 1: Click on Other Dashboards > Security > Advanced Malware Protection. Set the Time Range from 1st September 2015 to 30th September 2015. Note: Alternatively, you could also set the time picker to Advanced, and set the Earliest field to -1000d. This will force the app to load all events for the last 1000 days.
Step 2: Scroll down to the Malware Threat Files and sort by Transactions Blocked.
Step 3: Click on the <Top Malware Threat File> and it will take you to the Advanced Malware Protection Drilldown page.
Step 4: Export this report to PDF.


Web Tracking (we can track all the data using Web Tracking)
Step 1: Click on Other Dashboards > Web Tracking > Proxy Services, with Preset Week/Day.
Step 2: Select Advanced.
Step 3: Under URL Category, select Computer and Internet.
Step 4: Export this report to PDF.

This concludes our Cisco Advanced Web Reporting capabilities.

