IronPort AsyncOS™ 6.
COPYRIGHT Copyright © 2009 by IronPort Systems®, Inc. All rights reserved. Part Number: 421-0533(C) Revision Date: September 22, 2009 The IronPort logo, IronPort Systems, SenderBase, and AsyncOS are all trademarks or registered trademarks of IronPort Systems, Inc. All other trademarks, service marks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners.
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE

Table of Contents
1. Getting Started with the Web Security Appliance (p. 1)
  What’s New in This Release (p. 2)
  New Feature: Rich Acceptable Use Controls with URL Filtering (p. 2)
  What’s New in Version 6.0
  Browser Requirements
  Monitor Tab
  Web Security Manager Tab
  Security Services Tab
  Accessing the System Setup Wizard (p. 51)
  Step 1. Start (p. 52)
  Step 2. Network (p. 52)
  Step 3. Security
  IronPort Data Security Policies
  External DLP Policies
  Working with Policy Groups
  Creating Policy Groups
  Blocking Specific Applications and Protocols (p. 162)
  Blocking on Port 80 (p. 162)
  Blocking on Ports Other Than 80 (p. 164)
9. Working with External Proxies
  Matching Client Requests to Data Security and External DLP Policy Groups
  Creating Data Security and External DLP Policies
  Controlling Upload Requests Using IronPort Data Security Policies
  URL Categories
  Creating Time Based URL Filters (p. 288)
  Viewing URL Filtering Activity (p. 289)
  Understanding Unfiltered and Uncategorized Data (p. 289)
  Access Log File (p. 332)
16. Authentication (p. 333)
  Authentication Overview
  Client Application Support
  How the L4 Traffic Monitor Works (p. 387)
  The L4 Traffic Monitor Database (p. 388)
  Configuring the L4 Traffic Monitor (p. 389)
  Configuring L4 Traffic Monitor Global Settings
  Web Proxy Logging
  Working with Log Subscriptions
  Log File Name and Appliance Directory Structure
  Rolling Over Log Subscriptions
  Configuring DNS Server(s)
  Specifying DNS Servers
  Split DNS
  Using the Internet Root Servers
  Updating and Upgrading from the IronPort Update Servers
  Upgrading from a Local Server
  Configuring the Update and Upgrade Settings from the Web Interface
  Configuring the Update and Upgrade Settings from the CLI
List of Figures
Figure 2-1 Web Interface Tabs, Pages, and Categories (p. 19)
Figure 2-2 The Commit Button: Changes Pending (p. 24)
Figure 2-3 The Commit Button: No Changes Pending (p. 24)
Figure 3-1 Web Security Appliance Ethernet Ports
Figure 6-1 Access Policies Table (p. 111)
Figure 6-2 Decryption Policies Table (p. 111)
Figure 6-3 Defining Policy Group Membership by User Agent (p. 119)
Figure 6-4 Policy Trace Feature Advanced Section
Figure 11-7 Creating External DLP Policies (p. 232)
Figure 11-8 Scanning Destinations Settings for External DLP Policies (p. 233)
Figure 12-1 Security Services > End-User Notification Page (p. 238)
Figure 12-2 Editing End-User Acknowledgment Page Settings
Figure 20-3 Configuring Custom Log Fields in the W3C Logs (p. 458)
Figure 21-1 Editing Network Interfaces (p. 467)
Figure 21-2 Editing the Default Route (p. 469)
Figure 21-3 Adding a Route
List of Tables
Table 3-1: WCCP Router Configuration Syntax for Enabling the Router (p. 36)
Table 4-1: System Setup Worksheet (p. 47)
Table 4-2: System Setting Options in System Setup Wizard (p. 53)
Table 4-3: Network Context Options in System Setup Wizard
Table 7-1: Matching HTTPS and FTP over HTTP Requests to Identities (p. 130)
Table 7-2: Identity Group Advanced Options (p. 140)
Table 7-3: Policies Table Example 1 (p. 145)
Table 7-4: Policies Table Example 2
Table 15-3: Anti-Malware Settings (p. 328)
Table 15-4: Anti-Malware Settings for Access Policies (p. 330)
Table 15-5: Anti-Malware Scanning Reports (p. 332)
Table 16-1: Web Security Appliance Authentication Scenarios
Table 18-2: System Status (p. 406)
Table 18-3: Number of Hardware Objects per IronPort Appliance (p. 408)
Table 18-4: Hardware Traps: Temperature and Hardware Conditions (p. 408)
Table 19-1: Viewing Raw Data Entries
CHAPTER 1: Getting Started with the Web Security Appliance

The IronPort AsyncOS for Web User Guide provides instructions for setting up, administering, and monitoring the IronPort Web Security appliance. These instructions are designed for an experienced system administrator with knowledge of networking and web administration. This chapter discusses the following topics:
• “What’s New in This Release” on page 2
• “What’s New in Version 6.
WHAT’S NEW IN THIS RELEASE

This section describes the new features and enhancements in AsyncOS for Web 6.3. For more information about the release, see the product release notes, which are available on the IronPort Customer Support Portal at the following URL:
http://www.ironport.com/support/login.html
Note — You need a Support Portal account to access the site.
WHAT’S NEW IN VERSION 6.0

This section describes new features and enhancements added in the AsyncOS 6.0 for Web release.

New Feature: IronPort Data Security
AsyncOS for Web 6.0 includes the IronPort Data Security Filters to give you visibility and control over data leaving your network via the web and FTP.
New Feature: Native FTP
Prior to AsyncOS for Web 6.0, the Web Security appliance supported FTP over HTTP in addition to HTTP and HTTPS. With AsyncOS for Web 6.0, the Web Security appliance supports traffic sent over native FTP. This allows you to control and secure the native FTP traffic in your organization, in addition to HTTP and HTTPS traffic. For example, you can control which users are allowed to download or upload documents over FTP.
For more information, see “Allowing Users to Re-Authenticate” on page 366.

Guest Access (Failed Authentication)
Sometimes, users do not have an account in an organization's user directory. Examples of such users include visitors, contractors, interns, and students pursuing a short course. AsyncOS for Web 6.0 allows you to define policies for these users who fail authentication due to invalid credentials.
versions, you could group users by group object only. The user object contains all the groups to which a user belongs. For more information, see “LDAP Group Authorization” on page 373.

Enhanced: Logging
AsyncOS 6.0 for Web includes several changes and enhancements to Web Security appliance logging to help you troubleshoot issues more easily.

W3C Standard Extended Log File Format Access Logs
In AsyncOS for Web 6.
For more information, see “Log File Types” on page 422.

Enhanced: Accelerated AsyncOS Upgrades
In AsyncOS 6.0 for Web, the IronPort update servers have a distributed architecture so that customers can quickly download AsyncOS upgrades wherever in the world they are located. When configuring your system for AsyncOS upgrades, you can choose to stream upgrades directly to your IronPort appliances or set up a local server to host upgrades.
HOW TO USE THIS GUIDE

Use this guide as a resource to learn about the features of your IronPort appliance. The topics are organized in a logical order. You might not need to read every chapter in the book. You can also use this guide as a reference book. It contains important information, such as network and firewall configuration settings, that you can refer to throughout the life of the appliance.
Typographic Conventions

Typeface     Meaning                                      Examples
AaBbCc123    The names of commands, files, and            Please choose an IP interface for this Listener.
             directories; on-screen computer output.      The sethostname command sets the name of the IronPort appliance.
AaBbCc123    User input, in contrast to on-screen         mail3.example.
             computer output.
Use one of the following methods to contact Cisco IronPort Technical Training Services:
Training. For questions relating to registration and general training:
• http://training.ironport.com
• training@ironport.com
Certifications. For questions relating to certificates and certification exams:
• http://training.ironport.com/certification.html
• certification@ironport.
http://www.ironport.com/support/login.html

IronPort Customer Support
You can request IronPort product support by phone, email, or online 24 hours a day, 7 days a week. During Customer Support hours — 24 hours a day, Monday through Friday, excluding U.S. holidays — an engineer will contact you within an hour of your request. To report a critical issue that requires urgent assistance outside of Customer Support hours, contact IronPort using one of the following methods:
U.S.
WEB SECURITY APPLIANCE OVERVIEW

The Web Security appliance is a robust, secure, efficient device that protects corporate networks against web-based malware and spyware programs that can compromise corporate security and expose intellectual property. The Web Security appliance extends IronPort’s SMTP security applications to include protection for standard communication protocols, such as HTTP, HTTPS, and FTP.
CHAPTER 2: Using the Web Security Appliance

This chapter contains the following topics:
• “How the Web Security Appliance Works” on page 14
• “Administering the Web Security Appliance” on page 15
• “Navigating the Web Security Appliance Web Interface” on page 18
• “Committing and Clearing Changes” on page 24
HOW THE WEB SECURITY APPLIANCE WORKS

The Web Proxy and the L4 Traffic Monitor are independent services. They are enabled and configured separately to provide the highest level of protection against a broad range of web-based malware threats.
ADMINISTERING THE WEB SECURITY APPLIANCE

You can manage the Web Security appliance using a web-based administration tool. When you first access the appliance, the web interface launches the System Setup Wizard to perform an initial configuration. After running the System Setup Wizard, you can use the web interface or Command Line Interface (CLI) to customize settings and maintain your configuration.
Note — The hostname parameter is assigned during system setup. Before you can connect to the management interface using a hostname, you must add the appliance hostname and IP address to your DNS server database. For information about how to use and navigate the web interface, see “Navigating the Web Security Appliance Web Interface” on page 18.
If you agree to participate in the SenderBase Network, data sent from your IronPort appliance is transferred securely using HTTPS. Sharing data improves IronPort’s ability to react to web-based threats and protect your corporate environment from malicious activity.

Reporting and Logging
The Web Security appliance provides several options for capturing data and monitoring system activity. For detailed information about scheduling reports, see “Reporting Overview” on page 414.
NAVIGATING THE WEB SECURITY APPLIANCE WEB INTERFACE

The Web Security appliance web interface is a web-based administration tool that allows you to configure and monitor the appliance. The web interface allows you to configure the appliance in much the same way as the Command Line Interface (CLI). However, some features available in the web interface are not available in the CLI, and vice versa.
Each tab has a list of menu selections from which you can choose. Each menu selection represents a different page in the web interface that further groups information and activities. Some pages are grouped together into categories. You navigate among sections of the web interface by hovering the cursor over each tab heading and clicking a menu option from the menu that appears.
Logging In
All users accessing the web interface must log in. Type your username and password, and then click Login to access the web interface. You must use a supported web browser (see “Browser Requirements” on page 20). You can log in with the admin account or any other user account created in the appliance. For more information about creating appliance users, see “Administering User Accounts” on page 497. After you log in, the Monitor > Overview page displays.
• URL Categories
• Web Reputation Filters
• System Status
• Report Scheduling
• Archived Reports

Web Security Manager Tab
Use the Web Security Manager tab to create and configure Access Policies that define which groups can access which types of websites.
• IronPort Data Security Filters
• SenderBase

Network Tab
Use the Network tab to describe the network in which the appliance is located and to define the appliance’s network settings.
• System Setup Wizard
• Next Steps
COMMITTING AND CLEARING CHANGES

When you change the configuration of the Web Security appliance, you must commit the changes before they go into effect. Or, you can choose to clear the changes you have made if you do not want to commit them.
Clearing Changes
To clear changes made in the web interface:
1. Click the Commit Changes button. The Uncommitted Changes page appears.
2. Click Abandon Changes.

Committing and Clearing Changes in the CLI
Commit changes using the commit command. Most configuration changes you make in the Command Line Interface (CLI) are not effective until you issue the commit command. You may include comments of up to 255 characters.
CHAPTER 3: Deployment

This chapter contains the following topics:
• “Deployment Overview” on page 28
• “Appliance Interfaces” on page 30
• “Deploying the Web Proxy in Explicit Forward Mode” on page 33
• “Deploying the Web Proxy in Transparent Mode” on page 34
• “Connecting the Appliance to a WCCP Router” on page 35
• “Using the Web Security Appliance in an Existing Proxy Environment” on page 40
• “Deploying the L4 Traffic Monitor” on page 41
• “Physical Dimensions” on page 43
DEPLOYMENT OVERVIEW

The Web Security appliance is typically installed as an additional layer in the network between clients and the Internet. Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance. When you deploy the Web Security appliance, you can enable one or both of the following features:
• Secure web proxy.
2. Does the network have an existing proxy? If yes, it is recommended that you deploy the Web Security appliance downstream from the existing proxy server, meaning closer to the clients. The System Setup Wizard refers to this as an upstream proxy configuration. For more information, see “Using the Web Security Appliance in an Existing Proxy Environment” on page 40.
3. Will you enable the L4 Traffic Monitor? L4 Traffic Monitor deployment is independent of the Web Proxy deployment.
APPLIANCE INTERFACES

The Web Security appliance includes six physical Ethernet ports on the back of the system. Each Ethernet port corresponds to a different network interface. The Ethernet ports are grouped into the following types of network interfaces:
• Management. The Management interfaces include M1 and M2. However, only the M1 interface is enabled on the appliance. For more information, see “Management Interface” on page 30.
• Data.
• P1 only enabled. When only P1 is enabled, connect it to the network for both incoming and outgoing traffic.
• P1 and P2 enabled. When both P1 and P2 are enabled, you must connect P1 to the internal network and P2 toward the Internet.
Note — You can only enable and configure the P1 interface for data traffic in the System Setup Wizard. If you want to enable the P2 interface, you must do so after system setup in the web interface or using the ifconfig command.
DEPLOYING THE WEB PROXY IN EXPLICIT FORWARD MODE

When the appliance is configured as an explicit forward proxy, client applications must be configured to direct their traffic to the appliance.
DEPLOYING THE WEB PROXY IN TRANSPARENT MODE

When the appliance is configured as a transparent proxy, client applications are not aware that their traffic gets redirected to the appliance, and they do not need to be configured to point to the appliance. To deploy the appliance in this mode, you need one of the following types of hardware to transparently redirect web traffic to the appliance:
• WCCP v2 router.
CONNECTING THE APPLIANCE TO A WCCP ROUTER

When you connect the appliance to a WCCP router, you must perform the following tasks:
1. You must create at least one WCCP service on the appliance. For more information, see “Configuring the Web Security Appliance” on page 35.
2. After you create a WCCP service, you must configure the router to work with the Web Security appliance. For more information, see “Configuring the WCCP Router” on page 35.
Table 3-1 describes each part of the WCCP configuration syntax for enabling WCCP on the router.

Table 3-1 WCCP Router Configuration Syntax for Enabling the Router

WCCP Configuration                            Description
ip wccp version 2                             Defines the version of WCCP to use on the router. You must specify version 2 to work with the Web Security appliance. This command is required.
ip wccp service_group password password       Specifies a service group to enable on the router.
Example WCCP Configurations
This section shows some sample WCCP services defined in the appliance and the corresponding WCCP configuration you should use to configure the router that connects to the appliance.

Example 1
Suppose you have the WCCP service shown in Figure 3-3.
Figure 3-3 Example WCCP Service — Standard Service, No Password Required
In this example, the WCCP service defines the standard service group (also known as a well known service group).
Example 2
Figure 3-4 shows a dynamic service you might create when IP spoofing is enabled and the WCCP service shown in Figure 3-3 on page 37 is defined.
Figure 3-4 Example WCCP Service — Dynamic Service for IP Spoofing
In this example, the WCCP service defines a dynamic service group with a service ID of 90. The redirection basis is the source port, so the service can be used for the return path when IP spoofing is enabled.
Example 3
Suppose you have the WCCP service shown in Figure 3-5.
Figure 3-5 Example WCCP Service — Dynamic Service, Password Required
In this example, the WCCP service defines a dynamic service group with a service ID of 120. The redirection basis is the destination port, and a password of “admin99” is enabled for this service group (hidden in the appliance configuration).
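The router side of the three example services, written here as an added configuration fragment that is not taken from the guide. It uses the Table 3-1 syntax and Cisco IOS WCCPv2 commands, shows all three services on one router for brevity (the guide presents them as separate scenarios), and treats the interface names as placeholders: CLIENT_IFACE faces the internal clients, INTERNET_IFACE faces the Internet.

```cisco
! Required for the Web Security appliance (Table 3-1)
ip wccp version 2
!
! Example 1: the standard (well known) service group, no password.
! IOS refers to this service group by the keyword web-cache.
ip wccp web-cache
!
! Example 2: dynamic service 90, used for the return path when
! IP spoofing is enabled. The appliance supplies the service
! definition (ports, source-port redirection basis) when it
! registers with the router, so the router only names the ID.
ip wccp 90
!
! Example 3: dynamic service 120, protected by the password
! "admin99". This value must match the password entered for
! service group 120 on the appliance, or the router rejects the
! appliance's registration.
ip wccp 120 password admin99
!
! Apply redirection on the interface where the traffic arrives.
! Placeholder interface names: replace with the real ones.
interface CLIENT_IFACE
 ip wccp web-cache redirect in
 ip wccp 120 redirect in
!
! Return traffic from the Internet is matched by service 90
! (source-port basis) so it is sent back through the appliance.
interface INTERNET_IFACE
 ip wccp 90 redirect in
```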
USING THE WEB SECURITY APPLIANCE IN AN EXISTING PROXY ENVIRONMENT

The Web Security appliance is a proxy-compatible device, and is easily deployed within an existing proxy environment. However, it is recommended that you place the appliance downstream from existing proxy servers, meaning closer to the clients.
DEPLOYING THE L4 TRAFFIC MONITOR

L4 Traffic Monitor (L4TM) deployment is independent of the Web Proxy deployment. When connecting and deploying the L4 Traffic Monitor, consider the following:
• Physical connection. You can choose how to connect the L4 Traffic Monitor to the network. For more information, see “Connecting the L4 Traffic Monitor” on page 41.
• Network address translation (NAT).
switch use software to move packets. Hardware solutions move packets with better performance than software solutions and are less likely to drop packets in the process.

Configuring an L4 Traffic Monitor Wiring Type
Typically, the L4 Traffic Monitor wiring type is configured during system setup. However, you can configure the wiring type after running the System Setup Wizard on the Network > Interfaces page.
PHYSICAL DIMENSIONS

The following physical dimensions apply to the IronPort S660 and S360 Web Security appliances:
• Height: 8.656 cm (3.40 inches)
• Width: 48.26 cm (19.0 inches) with rails installed (without rails, 17.5 inches)
• Depth: 75.68 cm (29.79 inches)
• Weight: maximum 25.6 kg (56.6 pounds)
The following physical dimensions apply to the IronPort S160 Web Security appliance:
• Height: 4.2 cm (1.68 inches)
• Width: 48.26 cm (19.
CHAPTER 4: Installation and Configuration

This chapter contains the following topics:
• “Before You Begin” on page 46
• “System Setup Wizard” on page 51
BEFORE YOU BEGIN

To use the Web Security appliance, you must run the System Setup Wizard. However, you must first complete some steps to prepare the appliance for the System Setup Wizard. For more information about preparing the appliance for installation, see the Web Security appliance QuickStart Guide. You can find this guide and other useful information about the IronPort Web Security appliance on the Support Portal:
http://www.ironport.com/support/login.
• Web proxy in transparent mode. If you want to use one proxy port for all traffic, connect port P1 to an L4 switch or a WCCP router using an Ethernet cable. If you want to use two proxy ports for traffic, connect port P2 to an L4 switch or a WCCP router using an Ethernet cable, and connect port P1 to the internal network. For more information about deploying the Web Proxy in transparent mode, see “Deploying the Web Proxy in Transparent Mode” on page 34.
Table 4-1 System Setup Worksheet (Continued)
DNS Servers: Internet root DNS servers / organization DNS servers
Organization DNS Servers (maximum 3):
  1.
  2.
  3.
Table 4-1 System Setup Worksheet (Continued)
Routes
Management Traffic
  Default Gateway:
  Static Route Table Name:
  Static Route Table Destination Network:
  Static Route Table Gateway:
Data Traffic
  Default Gateway:
  Static Route Table Name:
  Static Route Table Destination Network:
  Static Route Table Gateway:
Transparent Connection Settings
  Device Type: Layer 4 switch or No Device / WCCP Router
  If WCCP v2 Router, enable standard service: Yes / No
  Standard Service Router Addresse
SYSTEM SETUP WIZARD

The IronPort AsyncOS for Web operating system provides a browser-based wizard to guide you through initial system configuration. This System Setup Wizard prompts you for basic initial configuration, such as network configuration and security settings. The System Setup Wizard is located on the System Administration tab. You must run the System Setup Wizard when you first install the Web Security appliance.
The appliance login screen appears. Enter the username and password to access the appliance. By default, the appliance ships with the following username and password:
• Username: admin
• Password: ironport
Note — Your session will time out if it is idle for over 30 minutes or if you close your browser without logging out. If this happens, you must re-enter the username and password.

Step 1.
Figure 4-2 System Setup Wizard — Network Tab, System Settings
2. Configure the System Setting options. Table 4-2 describes the System Setting options.

Table 4-2 System Setting Options in System Setup Wizard

Option                     Description
Default System Hostname    The fully-qualified hostname for the Web Security appliance. This name should be assigned by your network administrator. This hostname is used to identify the appliance in system alerts.
Table 4-2 System Setting Options in System Setup Wizard (Continued)

Option                                   Description
DNS Server(s): Use these DNS Servers     Specifies local DNS servers for domain name service lookups. You must enter at least one DNS server, and up to three total. You can choose to use the Internet root DNS servers or specify your own DNS servers. For more information about configuring DNS settings, see “Configuring DNS Server(s)” on page 484.
Note — You can configure the Web Security appliance to interact with multiple proxy servers on the network after you run the System Setup Wizard. For more information about configuring external proxy servers, see “Working with External Proxies Overview” on page 168.
5. If there is an external proxy server on the network, configure the proxy settings. Table 4-3 describes the proxy settings.
Figure 4-4 System Setup Wizard — Network Tab, Network Interfaces and Wiring Page
7. Configure the Network Interfaces and Wiring options. The appliance has network interfaces that are associated with the physical ports on the machine. Table 4-4 describes the Network Interfaces and Wiring options.
Table 4-4 Network Interfaces and Wiring Options in System Setup Wizard (Continued)
Option: Data
Description: Enter the IP address, network mask, and hostname to use for data traffic. If you configure the M1 interface for management traffic only, you must configure the P1 interface for data traffic. However, you can configure the P1 interface even when the M1 interface is used for both management and data traffic.
Figure 4-5 System Setup Wizard — Network Tab, Routes for Traffic Page
9. Configure the Routes for Management and Data Traffic options. The number of sections on this page depends on how you configured the “Use M1 port for management only” check box on the previous wizard page:
• Enabled.
Table 4-5 Routes for Management and Data Traffic Options in System Setup Wizard (Continued)
Option: Static Routes Table
Description: Optionally, you can add one or more static routes for management or data traffic. To add a static route, enter a name for the route, its destination network, and gateway IP address, and then click Add Route. A route gateway must reside on the same subnet as the Management or Data interface on which it is configured.
11. Choose one of the following options described in Table 4-6.

Table 4-6 Transparent Connection Options in System Setup Wizard
Option: Layer 4 Switch or No Device
Description: Choose this option when the Web Security appliance is connected to a layer 4 switch or if you will deploy the Web Proxy in explicit forward mode after running the System Setup Wizard.
Step 3. Security

Table 4-7 describes the Administrative Settings.

Table 4-7 Administrative Settings in System Setup Wizard
Option: Administrator Password
Description: Enter a password to access the Web Security appliance. The password must be six characters or more.
Option: Email System Alerts To
Description: Enter an email address for the account to which the appliance sends alerts. For more information about alerts, see “Managing Alerts” on page 505.
Figure 4-8 System Setup Wizard — Security Tab
2. Choose the Security Services options. Table 4-8 describes the Security options.

Table 4-8 Security Options in System Setup Wizard
Option: L4 Traffic Monitor
Description: Choose whether the Layer-4 Traffic Monitor should monitor or block layer 4 traffic. The L4 Traffic Monitor detects rogue traffic across all network ports and stops malware attempts to bypass port 80.
Table 4-8 Security Options in System Setup Wizard (Continued)
Option: Web Reputation Filters
Description: Choose whether or not to enable Web Reputation filtering for the Global Policy Group. When you create custom Access Policy groups, you can choose whether or not to enable Web Reputation filtering. IronPort Web Reputation Filters is a security feature that analyzes web server behavior and assigns a reputation score to a URL to determine the likelihood that it contains URL-based malware.
Figure 4-9 System Setup Wizard — Review Tab
2. Review the configuration information. If you need to change an option, click the Edit button for that section.
3. Click Install This Configuration after you confirm the configuration is correct. The Web Security appliance applies the configuration options you selected.
If you changed the Management interface IP address from the current value, then clicking Install This Configuration will cause the connection to the current URL to be lost. However, your browser will redirect itself to the new IP address. If you did not change the IP address from the current value, the System Administration > System Setup > Next Steps page appears.
CHAPTER 5 Web Proxy Services

This chapter contains the following information:
• “About Web Proxy Services” on page 68
• “Configuring the Web Proxy” on page 70
• “Working with FTP Connections” on page 74
• “Bypassing the Web Proxy” on page 80
• “Proxy Usage Agreement” on page 82
• “Configuring Client Applications to Use the Web Proxy” on page 83
• “Working with PAC Files” on page 84
• “Adding PAC Files to the Web Security Appliance” on page 88
• “Advanced Proxy Configuration” on page 90
About Web Proxy Services

A web proxy is a computer system or software that handles World Wide Web requests of clients by making requests of other servers on the web. The Web Security appliance can act as a web proxy if you enable the Web Proxy feature. The Web Proxy service monitors and controls traffic that originates from clients on the internal network.
Web Proxy Cache

store in the proxy cache. You can include embedded regular expression (regex) characters in the URL you specify to never cache. Each access log file entry includes transaction result codes that describe how the appliance resolved client requests. Transaction result codes indicate whether the transaction was served from the proxy cache or from the destination server. For more information about transaction result codes, see “Transaction Result Codes” on page 438.
Configuring the Web Proxy

Web Proxy settings are configured as part of an initial setup using the System Setup Wizard. To enable Web Proxy services or modify proxy settings after an initial configuration, use the Security Services > Proxy Settings page. This page allows you to configure basic and advanced settings to customize proxy services. The Web Proxy settings apply to all connections that go over HTTP or HTTPS.
4. Configure the basic and advanced Web Proxy settings defined in Table 5-1.

Table 5-1 Web Proxy Settings
Property: HTTP Ports to Proxy
Description: Enter which ports the Web Proxy monitors for HTTP requests. Default is 80 and 3128.
Property: Caching
Description: Choose whether or not the Web Proxy should cache requests and responses. Default is enabled.
Property: Proxy Mode
Description: Choose how to deploy the Web Proxy:
• Transparent mode.
Table 5-1 Web Proxy Settings (Continued)
Property: Persistent Connection Timeout
Description: Enter how long the Web Proxy keeps open a connection to a client or server after a transaction has been completed. Keeping a connection open allows the Web Proxy to use it again for another request. For example, after a client finishes a transaction with google.com, the Web Proxy keeps the connection to the server google.
Table 5-1 Web Proxy Settings (Continued)
Property: Headers
Description:
• X-Forwarded-For. Choose whether or not to forward HTTP “X-Forwarded-For” headers. Default is Do Not Send. Note: If the network contains an explicit forward upstream proxy that manages user authentication or access control using proxy authentication, you must enable the X-Forwarded-For header to send the client host header to the upstream proxy.
• VIA. Choose whether or not to forward HTTP “VIA” headers.
Working with FTP Connections

The Web Security appliance Web Proxy provides proxy services for the File Transfer Protocol (FTP) as well as HTTP. FTP is a protocol used to transfer data between computers over a network. The Web Proxy can handle the following FTP transactions:
• FTP over HTTP. Most web browsers support FTP transactions, but sometimes the transactions are encoded inside an HTTP transaction.
• When the FTP Proxy is configured to cache native FTP transactions, it only caches content accessed by anonymous users.
• You can configure the FTP Proxy to spoof the IP address of the FTP server. You might want to do this when FTP clients do not allow passive data connections when the source IP address of the data connection (FTP server) is different than the source IP address of the control connection (FTP Proxy).
Working with Native FTP in Transparent Mode

When the Web Security appliance is deployed in transparent mode, FTP clients typically are not explicitly configured to use the FTP Proxy. Native FTP connections are transparently redirected to the FTP Proxy and then processed. When a native FTP request is transparently redirected to the FTP Proxy, it contains no hostname information for the FTP server, only its IP address.
Configuring FTP Proxy Settings

Figure 5-2 Configuring FTP Proxy Settings
2. Verify the Enable FTP Proxy field is selected.
3. Configure the basic and advanced FTP Proxy settings defined in Table 5-2.

Table 5-2 FTP Proxy Settings
Property: Proxy Listening Port
Description: Specify the port FTP clients should use to establish a control connection with the FTP Proxy.
Property: Caching
Description: Choose whether or not to cache contents of data connections from anonymous users.
Table 5-2 FTP Proxy Settings (Continued)
Property: Passive Mode Data Port Range
Description: Specify a range of TCP ports FTP clients should use to establish a data connection with the FTP Proxy for passive mode connections. Default is 11000-11009.
Property: Active Mode Data Port Range
Description: Specify a range of TCP ports FTP servers should use to establish a data connection with the FTP Proxy for active mode connections. Default is 12000-12009.
Table 5-2 FTP Proxy Settings (Continued)
Property: Data Connection Timeouts
Description: Enter how long the FTP Proxy waits for more communication in the data connection from an idle FTP client or FTP server when the current transaction has not been completed.
Bypassing the Web Proxy

You can configure the Web Security appliance so client requests to or from particular addresses bypass all processing by the Web Proxy. The proxy bypass list only works for requests that are transparently redirected to the Web Proxy using an L4 switch or a WCCP v2 router. When the appliance is deployed in explicit forward mode, or when a client makes an explicit request to the Web Proxy, the request is processed by the Web Proxy.
How the Proxy Bypass List Works

When the Web Proxy receives an HTTP or HTTPS request, it checks both the source and destination IP address to see if it is in the proxy bypass list. If it is, the packet is sent to the next hop on the network. (In some cases, the packet is sent back to the transparent redirection device that redirected the packet, if the packet arrived on a WCCP service using GRE.
Proxy Usage Agreement

You can configure the Web Security appliance to inform users that it is filtering and monitoring their web activity. The appliance does this by displaying an end-user acknowledgement page when a user first accesses a browser after a certain period of time. When the end-user acknowledgement page appears, users must click a link to access the original site requested or any other website.
Configuring Client Applications to Use the Web Proxy

Web browsers and other user agents sometimes need to know how to connect to the Web Proxy in order to access the World Wide Web. When you deploy the Web Security appliance in explicit forward mode, you must configure client applications so they use the Web Proxy.
Working with PAC Files

A proxy auto-config (PAC) file is a text file that defines how web browsers can automatically choose the appropriate proxy server for fetching a given URL. When you use a PAC file, you only need to configure each browser once with the PAC file information. Then, you can edit the PAC file multiple times to add, delete, or change Web Proxy connection information without editing each browser.
However, you can make PAC files more complex. For example, you can create a PAC file that instructs the browser to connect directly to the website under certain conditions, such as matching on a particular host name or IP address, and to use the proxy server in all other cases. You can create a PAC file that instructs applications to go directly to the website for servers on your intranet.
• Web server. You can place the PAC file on a web server that each client machine can access. For example, you can place the PAC file on an Apache or Microsoft IIS web server. Enter the URL in the browser configuration.
• Web Security appliance. You can place the PAC file on the Web Security appliance. You might want to put the PAC file on the Web Security appliance to verify every client machine can access it within the network.
4. Configure the web server to set up .dat files with the following MIME type:
application/x-ns-proxy-autoconfig
Note — If you place wpad.dat on the Web Security appliance, the appliance does this for you already.
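The PAC pattern described above (direct for single-label and intranet hosts, the Web Security appliance for everything else), written out as an added example that is not part of the guide, with fallbacks for the browser-supplied helpers so the rules can be tested outside a browser before publishing. The appliance address wsa.example.com:3128 and the intranet domain corp.example.internal are assumed for the example.

```javascript
// Added example PAC file; not a file shipped with the appliance.
// Assumed names (not from the guide): the Web Security appliance answers on
// wsa.example.com:3128 (3128 is one of the guide's default HTTP proxy ports)
// and intranet servers live under corp.example.internal.

// Browsers supply isPlainHostName, dnsDomainIs and isInNet to PAC scripts.
// When this file is evaluated outside a browser (for example under node, to
// unit-test the rules before publishing them) those helpers do not exist, so
// each wrapper below prefers the native function and otherwise falls back to
// a local implementation. The fallback isInNet accepts dotted-quad literals
// only; the browser's native version also resolves hostnames over DNS.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function plainHost(host) {
  if (typeof isPlainHostName === "function") return isPlainHostName(host);
  return host.indexOf(".") === -1;
}

function domainIs(host, domain) {
  if (typeof dnsDomainIs === "function") return dnsDomainIs(host, domain);
  var h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}

function inNet(host, net, mask) {
  if (typeof isInNet === "function") return isInNet(host, net, mask);
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  // Bitwise operators work on int32; both sides wrap the same way, so the
  // comparison stays correct for addresses above 127.255.255.255.
  return (h & m) === (n & m);
}

// The browser calls this for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  // Single-label names such as http://intranet/ never leave the LAN.
  if (plainHost(host)) return "DIRECT";

  // Servers in the intranet domain are fetched directly.
  if (domainIs(host, ".corp.example.internal")) return "DIRECT";

  // Private (RFC 1918) and loopback destinations stay direct as well.
  if (inNet(host, "10.0.0.0", "255.0.0.0") ||
      inNet(host, "172.16.0.0", "255.240.0.0") ||
      inNet(host, "192.168.0.0", "255.255.0.0") ||
      inNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Everything else, including ftp:// URLs (which the browser then sends to
  // the appliance as FTP over HTTP), goes through the Web Security appliance.
  // A "; DIRECT" fallback is deliberately omitted: it would let browsers
  // bypass filtering whenever the appliance is unreachable.
  return "PROXY wsa.example.com:3128";
}
```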
Adding PAC Files to the Web Security Appliance

You can configure browsers to explicitly use the Web Proxy by using proxy auto-config (PAC) files. When you use PAC files, you can place them on the Web Security appliance, and then configure the browsers by either entering the URL of a PAC file on the appliance or by configuring the browsers to automatically detect the PAC file using the Web Proxy Autodiscovery Protocol (WPAD).
PAC server port, you must first delete port 80 from the HTTP Ports to Proxy field if configured.
3. Click Browse to upload a PAC file from your local machine to the appliance.
4. Navigate to the PAC file location, select it, and click Open.
5. If you want to add another PAC file, click Add Row, and repeat steps 3 through 4.
6. Submit and commit your changes.
Advanced Proxy Configuration

AsyncOS includes the advancedproxyconfig CLI command so you can configure more advanced Web Proxy configurations, such as authentication and DNS parameters. The advancedproxyconfig command includes the following subcommands:
• Authentication.
Authentication Options

Table 5-3 describes the authentication options for the advancedproxyconfig CLI command.
Table 5-3 advancedproxyconfig CLI Command—Authentication Options (Continued)
Option: Should the Group Membership attribute be used for directory lookups in the Web UI (when it is not used, empty groups and groups with different membership attributes will be displayed)?
Valid values: Yes, No
Default value: No
Must restart Web Proxy? No
Description: Choose whether or not AsyncOS should use the group membership attribute when doing a directory lookup.
Table 5-3 advancedproxyconfig CLI Command—Authentication Options (Continued)
Option: Enter the redirect port for secure authentication.
Valid values: 1 to 65535
Default value: 443
Must restart Web Proxy? Yes/No
Description: Enter the port to use for redirecting requests using HTTPS. IronPort recommends using a port greater than 1023.
Table 5-3 advancedproxyconfig CLI Command—Authentication Options (Continued)
Option: Enter the hostname to redirect clients for authentication.
Valid values: String
Default value: Appliance host name
Must restart Web Proxy? No
Description: Enter the short host name of the network interface on which the Web Proxy listens for incoming connections.
Table 5-3 advancedproxyconfig CLI Command—Authentication Options (Continued)
Option: Enter re-auth on request denied option [disabled / embedlinkinblockpage]?
Valid values: disabled / embedlinkinblockpage
Default value: disabled
Must restart Web Proxy? No
Description: This setting allows users to authenticate again if the user is blocked from a website due to a restrictive URL filtering policy.
Table 5-4 advancedproxyconfig CLI Command—Caching Options (Continued)
Option: Would you like to allow ETAG mismatch on client revalidations?
Valid values: Yes, No
Default value: No
Must restart Web Proxy? No
Description: In some cases, the server might report different ETags for the same version of the same file. This can be seen, for example, with clustered IIS servers.
Table 5-4 advancedproxyconfig CLI Command—Caching Options (Continued)
Option: Enter the Heuristic age to cache errors (HTTP_SERVICE_UNAVAIL, HTTP_GATEWAY_TIMEOUT etc) (in seconds):
Valid values: Time in seconds
Default value: 300
Must restart Web Proxy? No
Description: Heuristic age to cache errors (HTTP_SERVICE_UNAVAIL, HTTP_GATEWAY_TIMEOUT etc).
DNS Options

Table 5-5 describes the DNS options for the advancedproxyconfig CLI command.

Table 5-5 advancedproxyconfig CLI Command—DNS Options
Option: Enter the time to cache successful DNS results if DNS does not provide TTL (in seconds):
Valid values: 0 - 86400
Default value: 300
Must restart Web Proxy? No
Description: Time to cache successful DNS results if DNS does not provide TTL.
NATIVEFTP Options

Table 5-6 describes the NATIVEFTP options for the advancedproxyconfig CLI command.

Table 5-6 advancedproxyconfig CLI Command—NATIVEFTP Options
Option: Would you like to enable FTP proxy?
Valid values: Yes, No
Default value: Yes
Must restart Web Proxy? Yes
Description: Choose whether or not to enable the FTP Proxy.
Option: Enter the ports that FTP proxy listens on.
Table 5-6 advancedproxyconfig CLI Command—NATIVEFTP Options (Continued)
Option: Would you like to enable server IP spoofing?
Valid values: Yes, No
Default value: No
Must restart Web Proxy? Yes
Description: Choose whether or not the FTP Proxy should spoof the FTP server IP address. You might want to do this for FTP clients that do not allow transactions when the IP address is different for the control and data connections.
FTPOVERHTTP Options

Table 5-7 describes the FTPOVERHTTP options for the advancedproxyconfig CLI command.

Table 5-7 advancedproxyconfig CLI Command—FTPOVERHTTP Options
Option: Enter the login name to be used for anonymous FTP access:
Valid values: String
Default value: anonymous
Must restart Web Proxy? No
Description: Anonymous FTP login name.
Option: Enter the password to be used for anonymous FTP access:
Valid values: String
Default value: proxy@
Must restart Web Proxy? No
Description: Anonymous FTP login password.
WCCP Options

Table 5-9 describes the WCCP options for the advancedproxyconfig CLI command.

Table 5-9 advancedproxyconfig CLI Command—WCCP Options
Option: Enter the log level for debugging WCCP:
Valid values: 0 - 10
Default value: 0
Must restart Web Proxy? Yes
Description: WCCP log level

Miscellaneous Options

Table 5-10 describes the miscellaneous options for the advancedproxyconfig CLI command.
Table 5-10 advancedproxyconfig CLI Command—Miscellaneous Options (Continued)
Option: Enter minimum idle timeout for checking unresponsive upstream proxy (in seconds).
Valid values: Time in seconds
Default value: 10
Must restart Web Proxy? No
Description: The minimum amount of time the Web Proxy waits before checking if an upstream proxy is still unavailable.
Option: Enter maximum idle timeout for checking unresponsive upstream proxy (in seconds).
Table 5-10 advancedproxyconfig CLI Command—Miscellaneous Options (Continued)
Option: Do you want to pass HTTP X-Forwarded-For headers?
Valid values: Yes, No
Default value: Yes
Must restart Web Proxy? No
Description: Choose whether or not the Web Proxy retains any “X-Forwarded-For” header included in the requests it receives.
CHAPTER 6 Working with Policies

This chapter contains the following information:
• “Working with Policies Overview” on page 106
• “Policy Types” on page 107
• “Working with Policy Groups” on page 110
• “Policy Group Membership” on page 113
• “Working with Time Based Policies” on page 116
• “Working with User Agent Based Policies” on page 118
• “Tracing Policies” on page 121
Working with Policies Overview

The Web Security appliance allows you to define policies to enforce your organization’s acceptable use policies by controlling access to the Internet. You can create groups of users and apply different levels and types of access control to each group.
Policy Types

The Web Security appliance uses multiple types of policies to enforce organizational policies and requirements.
• Identities. “Who are you?”
• Decryption Policies. “To decrypt or not to decrypt?”
• Routing Policies. “From where to fetch content?”
• Access Policies. “To allow or block the transaction?”
• IronPort Data Security Policies. “To block the upload of data?” IronPort Data Security Policies actions are defined on the Web Security appliance.
Configure Decryption Policy groups on the Web Security Manager > Decryption Policies page. For more information about Decryption Policy groups, see “Decryption Policies” on page 179.

Routing Policies

Routing Policies determine where to pass the client request, either to another proxy or to the destination server.
External DLP Policies

Configure External DLP Policy groups on the Web Security Manager > External DLP Policies page. For more information about External DLP Policy groups, see “Data Security and External DLP Policies” on page 213.
Working with Policy Groups

A policy group is an administrator defined configuration that allows you to apply acceptable use policies to specific categories of users. After you create policy groups, you can define the control settings for each group. You can create as many user defined policy groups as required to enforce the proper access control. The Web Security appliance displays policy groups together in a policies table.
Using the Policies Tables

Figure 6-1 Access Policies Table (callouts: click to edit user defined policy group membership; global policy group (not editable); click to customize policy control settings)
Figure 6-2 shows the Decryption Policies table.
Figure 6-2 Decryption Policies Table (callouts: click to edit user defined policy group membership; global policy group (not editable); click to customize policy control settings)
Any policy group that you create is added as a new row in the policies table.
address, authentication group or user name, or URL category. The properties you can define for a policy depend on the policy type. Click the policy group name to edit the group membership requirements, such as client IP address and authentication requirements. A page is displayed where you can configure membership requirements.
Policy Group Membership

All policy groups define which transactions apply to them. When a client sends a request to a server, the Web Proxy receives the request, evaluates it, and determines to which policy group it belongs. The Web Proxy applies the configured policy control settings to a client request based on the client request’s policy group membership. Transactions belong to a policy group for each type of policy that is enabled.
• Is this user allowed to directly connect to the web server, or must it connect to another proxy server first?
• Is this user allowed to upload this data?
The Web Proxy can only authorize a user to access an Internet resource after it authenticates who the user is. The Web Proxy authenticates users when it evaluates Identity groups, and it authorizes users when it evaluates all other policy group types.
Policy Group Membership Rules and Guidelines

Typically, you use All Identities in a policy while also configuring an advanced option, such as a particular user agent or destination (using a custom URL category). This allows you to create a single rule that makes an exception for a specific case instead of creating multiple rules to make the exception for the specific case.
Working with Time Based Policies

The Web Security appliance provides the means to create time based policies by specifying time ranges, such as business hours, and using those time ranges to define access to the web. You can define policy group membership based on time ranges, and you can specify actions for URL filtering based on time ranges.
Creating Time Ranges

3. In the Time Range Name field, enter a name to use for the time range. Each time range name must be unique.
4. In the Time Zone section, choose whether to use the time zone setting on the Web Security appliance or a different time zone setting you configure.
5. In the Time Values section, define at least one row that specifies the days of the week and time of day to include in this time range.
a. In the Day of the Week section, select at least one day.
b.
Working with User Agent Based Policies

The Web Security appliance provides the means to create policies to define access to the web by the client application (user agent), such as a web browser, making the client request. You can define policy group membership based on user agents, and you can specify control settings based on user agents.
Configuring User Agents for Policy Group Membership

Figure 6-3 Defining Policy Group Membership by User Agent
On this page, you can select as many user agents as desired. The web interface includes some of the more common user agents that you can select using a check box. You can also type a regular expression to define any user agent necessary. For each user agent you select in the Common User Agents section, AsyncOS for Web creates a regular expression to define the user agent.
Exempting User Agents from Authentication

To exempt a user agent from authentication:
1. Create an Identity policy group with membership that is based on the user agent to exempt. For more information about creating Identities, see “Creating Identities” on page 138.
2. Do not require authentication for the Identity policy group.
3. Place the Identity policy group above all other Identity policy groups that require authentication.
4. Submit and commit your changes.
Tracing Policies

The Web Security appliance web interface includes a tool that traces a particular client request and details how the Web Proxy processes the request. The Web Proxy evaluates the request against all committed Access, Decryption, and Routing Policies and calculates other attributes, such as the web reputation score. The policy trace tool allows administrators to troubleshoot when end users ask questions about Web Proxy behavior.
2. In the URL field, enter the URL in the client request to simulate.
3. Optionally, in the Client IP Address field, enter the IP address of the machine to simulate.
Note — If no IP address is specified, AsyncOS uses localhost.
4. Optionally, you can simulate an authentication user by entering the following authentication requirements in the User area:
• User Name. Enter the user name of the authentication user.
• Authentication Realm. Choose an authentication realm.
6. Configure the transaction request information to simulate as desired. Table 6-1 describes the request side advanced settings you can configure.

Table 6-1 Policy Trace Advanced Settings for Requests
Setting: Forward Connection Port
Description: Select a specific proxy port to use for the trace request to test policy group membership based on proxy port.
Setting: User Agent
Description: Specify the user agent to simulate in the request.
CHAPTER 7 Identities

This chapter contains the following information:
• “Identities Overview” on page 126
• “Evaluating Identity Group Membership” on page 127
• “Matching Client Requests to Identity Groups” on page 132
• “Allowing Guest Access to Users Who Fail Authentication” on page 135
• “Creating Identities” on page 138
• “Configuring Identities in Other Policy Groups” on page 142
• “Example Identity Policies Tables” on page 145
Identities Overview

To control web traffic on the network and protect your network from web based threats, the Web Proxy needs to identify who is trying to access the web. Users can be identified by different criteria, such as their machine address or authenticated user name. The Web Proxy can apply different actions to transactions based on who is submitting the request.
Evaluating Identity Group Membership

When a client sends a request to a server, the Web Proxy receives the request, evaluates it, and determines to which Identity group it belongs. To determine the Identity group that a client request matches, the Web Proxy follows a very specific process for matching the Identity group membership criteria. During this process, it considers the following factors for group membership:
• Subnet.
If they do not match, the Web Proxy compares the client request to the next Identity group. It continues this process until it matches the client request to a user defined Identity group, or if it does not match a user defined Identity group, it matches the global Identity policy. When the Web Proxy matches the client request to an Identity group or the global Identity policy, it assigns the Identity group to the transaction.
Consider the following rules and guidelines when creating and ordering Identity groups:
• Identity group order. All Identity groups that do not require authentication must be above Identity groups that require authentication.
• Cookie-based authentication. When the appliance is configured to use cookie-based authentication surrogates, it does not get cookie information from clients for HTTPS and FTP over HTTP requests.
• No information available from a previous HTTP request. When the Web Proxy has no credential information for the client, then it fails the HTTPS request.
• Cookie-based authentication surrogates and transparent requests. When the appliance uses cookie-based authentication, the Web Proxy does not get cookie information from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the cookie.
How Authentication Scheme Affects Identity Groups

You define the authentication scheme for each Identity group, not at each realm or sequence. That means you can use the same NTLM realm or a sequence that contains an NTLM realm and use it in Identity groups that use either the NTLMSSP, Basic, or “Basic or NTLMSSP” authentication schemes. The Web Proxy communicates which scheme(s) it supports to the client application at the beginning of a transaction.
Matching Client Requests to Identity Groups

Figure 7-2 Policy Group Flow Diagram for Identities - No Surrogates and IP-Based Surrogates (diagram steps: receive request from client; compare the client request against the next (or first) Identity group in the policies table)
Figure 7-3 Policy Group Flow Diagram for Identities - Cookie-Based Surrogates (diagram steps: receive request from client; compare the client request against the next (or first) Identity group in the policies table)
Allowing Guest Access to Users Who Fail Authentication

You can grant limited access to users who fail authentication due to invalid credentials. By default, when a client passes invalid authentication credentials, the Web Proxy continually requests valid credentials, essentially blocking access to all Internet resources.
Note — If an Identity allows guest access and there is no user defined policy group that uses that Identity, users who fail authentication match the global policy for that policy type. For example, if MyIdentity allows guest access and there is no user defined Access Policy that uses MyIdentity, users who fail authentication match the global Access Policy.
Guests of this Identity are authorized to access the web.
4. Submit and commit your changes.

Note — You can configure the Web Proxy to request authentication again if an authenticated user is blocked from a website due to restrictive URL filtering. To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category” global authentication setting. For more information, see “Allowing Users to Re-Authenticate” on page 366.
Creating Identities

You can create Identities based on combinations of several criteria, such as client subnet or the URL category of the destination site. You must define at least one criterion for Identity membership. When you define multiple criteria, the client request must meet all criteria to match the Identity.
Note — Each Identity group name must be unique.
4. In the Insert Above field, choose where in the policies table to place the Identity group. When configuring multiple Identity groups, you must specify a logical order for each group. Carefully order your Identity groups to ensure that correct matching occurs, and position groups that do not require authentication above the first policy group that does require authentication.
For more information, see “Allowing Guest Access to Users Who Fail Authentication” on page 135.
10. Optionally, expand the Advanced section to define additional membership requirements.
11. To define Identity group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears. Table 7-2 describes the advanced options you can configure for Identity groups.
Table 7-2 Identity Group Advanced Options (Continued)
Advanced Option | Description
User Agents | Choose whether or not to define policy group membership by the user agent used in the client request. You can select some commonly defined browsers, or define your own using regular expressions. Choose whether this policy group should apply to the selected user agents or to any user agent that is not in the list of selected user agents.
Configuring Identities in Other Policy Groups

Every non-Identity policy group specifies at least one Identity group as part of its policy group membership. You can configure a non-Identity policy group to use multiple Identity groups, and you can specify which users or groups of users are authorized to access the web using the policy group.
Note — If an Identity group becomes disabled, then that Identity group is removed (not disabled) from any non-Identity policy group that used it. If the Identity group becomes enabled again, the non-Identity policy groups that previously used the Identity do not automatically include the enabled Identity. Identity groups become disabled due to a deleted authentication realm or sequence.

To configure Identity group information in a policy group:
1.
Identity. For more information, see “Allowing Guest Access to Users Who Fail Authentication” on page 135.
• All users (authenticated and unauthenticated users). You can configure this policy group to apply to every user in every Identity group. This option only appears when you choose All Identities. When you apply the policy group to all users, you must specify at least one advanced option to distinguish this policy group from the global policy.
6.
Example Identity Policies Tables

This section shows some sample Identity groups defined in an Identity policies table and describes how the Web Proxy evaluates different client requests using each Identity policies table.

Example 1

Table 7-3 shows an Identity policies table with three user defined Identity groups. The first Identity group applies to a particular subnet and does not require authentication.
section. Then it determines that the second Identity group requires authentication, so it tries to authenticate the user against the authentication server(s) defined in RealmA. If the user exists in RealmA, the Web Proxy assigns the second Identity group to the transaction. If the user does not exist in RealmA, AsyncOS terminates the client request because the client failed authentication.
• Any client on a subnet other than 10.1.1.
Example 2

Table 7-4 Policies Table Example 2 (Continued)
Order | Subnet(s) | Authentication Required? | Realm or Sequence | Advanced Options
Global Identity policy | All | Yes | All Realms | N/A (none by default)

In this scenario, when a client sends a request for a URL, the Web Proxy evaluates the first Identity group and determines that the Identity group applies to all subnets and has no advanced options configured.
When you configure the appliance in this way, any client that sends a request for a URL must exist in either realm in the sequence (RealmA or RealmB) in order to pass authentication at the Identity level. Once an Identity has been assigned to the client request, the Web Proxy can compare the client request against the other policy types and determine which policy group, such as an Access Policy group, to match and then apply those control settings.
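The matching rules described in this chapter (first matching group wins, all criteria must match, failed authentication terminates the request unless guest access is allowed, the global Identity policy catches everything else, and no-authentication groups must sit above authenticating ones) as an added simulation. This is example code, not AsyncOS code; the policies table, realms and users below are constructed and only loosely follow Table 7-3.

```python
"""Added example (not AsyncOS code): a simulation of how the Web Proxy walks
the Identity policies table, as described in this chapter. The table, the
realms and the credentials below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed stand-in for authentication realms: realm name -> known users.
REALMS = {"RealmA": {"alice", "bob"}, "RealmB": {"carol"}}


@dataclass
class Identity:
    name: str
    subnets: List[str] = field(default_factory=list)        # empty means "All"
    auth_required: bool = False
    realms: List[str] = field(default_factory=list)         # realm or sequence members
    guest_access: bool = False
    url_categories: Set[str] = field(default_factory=set)   # advanced option; empty means any


@dataclass
class Request:
    client_ip: str
    url_category: str
    user: Optional[str] = None   # credentials the client presented, if any


def check_order(table: List[Identity]) -> List[str]:
    """Ordering rule from this chapter: every Identity group that does not
    require authentication must sit above every group that does. Returns the
    names of no-authentication groups placed below an authenticating group."""
    seen_auth, misplaced = False, []
    for ident in table:
        if ident.auth_required:
            seen_auth = True
        elif seen_auth:
            misplaced.append(ident.name)
    return misplaced


def criteria_match(ident: Identity, req: Request) -> bool:
    """All configured criteria must match (subnet and, if set, URL category)."""
    ip = ipaddress.ip_address(req.client_ip)
    if ident.subnets and not any(ip in ipaddress.ip_network(s) for s in ident.subnets):
        return False
    if ident.url_categories and req.url_category not in ident.url_categories:
        return False
    return True


def authenticate(ident: Identity, req: Request) -> bool:
    """The user passes if it exists in any realm of the group's realm or sequence."""
    return req.user is not None and any(req.user in REALMS[r] for r in ident.realms)


def assign_identity(table: List[Identity], global_policy: Identity,
                    req: Request) -> Tuple[str, str]:
    """Walk the table top to bottom; the first group whose criteria match is
    assigned. If it requires authentication and the user fails (or presented
    no credentials), the request is terminated unless the group allows guest
    access, in which case the user continues as a guest. When no user defined
    group matches, the global Identity policy applies."""
    for ident in table + [global_policy]:
        if not criteria_match(ident, req):
            continue
        if not ident.auth_required or authenticate(ident, req):
            return ident.name, "matched"
        if ident.guest_access:
            return ident.name, "guest"
        return ident.name, "terminated"
    raise AssertionError("unreachable: the global policy has no criteria")


# Constructed policies table: a trusted subnet that needs no authentication,
# a guest-enabled subnet authenticated against RealmB, and a RealmA group
# restricted (advanced option) to one URL category.
TABLE = [
    Identity("Subnet10_NoAuth", subnets=["10.1.1.0/24"]),
    Identity("Guests_RealmB", subnets=["10.2.2.0/24"], auth_required=True,
             realms=["RealmB"], guest_access=True),
    Identity("Business_RealmA", auth_required=True, realms=["RealmA"],
             url_categories={"Business"}),
]
# "All Realms" on the global policy is modelled as every realm defined above.
GLOBAL = Identity("Global Identity policy", auth_required=True, realms=list(REALMS))

if __name__ == "__main__":
    print(check_order([TABLE[2], TABLE[0]]))   # ['Subnet10_NoAuth']: misordered
    print(assign_identity(TABLE, GLOBAL, Request("10.1.1.5", "News")))
    print(assign_identity(TABLE, GLOBAL, Request("10.2.2.9", "News", user="mallory")))
    print(assign_identity(TABLE, GLOBAL, Request("192.168.1.5", "Business", user="eve")))
```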
CHAPTER 8 Access Policies

This chapter contains the following information:
• “Access Policies Overview” on page 150
• “Evaluating Access Policy Group Membership” on page 152
• “Creating Access Policies” on page 154
• “Controlling HTTP and Native FTP Traffic” on page 157
• “Blocking Specific Applications and Protocols” on page 162
Access Policies Overview

AsyncOS for Web uses multiple web security features in conjunction with its Web Proxy and DVS engine to control web traffic, protect networks from web-based threats, and enforce organization acceptable use policies. You can define policies that determine which HTTP connections are allowed and blocked. To configure the appliance to handle HTTP requests, perform the following tasks:
1. Enable the Web Proxy.
Note — The preceding actions are final actions that the Web Proxy takes on a client request. The Monitor action that you can configure for Access Policies is not a final action. For more information, see “Understanding the Monitor Action” on page 151.

After the Web Proxy assigns an Access Policy group to an HTTP or decrypted HTTPS request, it compares the request to the policy group’s configured control settings to determine which action to apply.
Evaluating Access Policy Group Membership

After the Web Proxy assigns an Identity to a client request, the Web Proxy evaluates the request against the other policy types to determine which policy group it belongs to for each type. When HTTPS scanning is enabled, it applies HTTP and decrypted HTTPS requests against the Access Policies.
Matching Client Requests to Access Policy Groups

Figure 8-1 Policy Group Flow Diagram for Access Policies (flow diagram; first steps: receive request from client, then compare the client request against the next (or first) policy group in the policies table)
Creating Access Policies

You can create Access Policy groups based on combinations of several criteria, such as one or more Identities or the URL category of the destination site. You must define at least one criterion for policy group membership. When you define multiple criteria, the client request must meet all criteria to match the policy group. However, the client request needs to match only one of the configured Identities.
7. To define policy group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears. Table 8-1 describes the advanced options you can configure for Access Policy groups.

Table 8-1 Access Policy Group Advanced Options
Advanced Option | Description
Protocols | Choose whether or not to define policy group membership by the protocol used in the client request. Select the protocols to include.
Table 8-1 Access Policy Group Advanced Options (Continued)
Advanced Option | Description
Time Range | Choose whether or not to define policy group membership by a defined time range. Choose the time range from the Time Range field and then choose whether this policy group should apply to the times inside or outside the selected time range. For more information on creating time based policies, see “Working with Time Based Policies” on page 116.
Controlling HTTP and Native FTP Traffic

After the Web Proxy assigns an HTTP, native FTP, or decrypted HTTPS request to an Access Policy group, the request inherits the control settings of that policy group. The control settings of the Access Policy group determine whether the appliance allows, blocks, or redirects the connection. Configure control settings for Access Policy groups on the Web Security Manager > Access Policies page.
Figure 8-3 Applying Access Policy Actions (decision flow diagram; recoverable decision points, in order: receive request from client; is the request on a blocked HTTP CONNECT port?; is the request coming from a blocked custom user agent?; is the request coming from a blocked suspect user agent?; is the request using a blocked protocol?; each check ends in Block or Allow, or continues to monitor)
Figure 8-3 on page 158 shows two different decision points that involve the web reputation score of the destination server. The web reputation score of the server is evaluated only once, but the result is applied at two different points in the decision flow.
category. You can use custom URL categories to create block and allow lists based on destination. For more information about enabling a URL filtering engine and working with URL categories, see “URL Filters” on page 267.

Object Blocking

You can use the settings on the Access Policies > Objects page to configure the proxy to block file downloads based on file characteristics, such as file size and file type.
Web Reputation and Anti-Malware

The Web Reputation and Anti-Malware Filtering policy inherits global settings respective to each component. To customize filtering and scanning for a particular policy group, you can use the Web Reputation and Anti-Malware Settings pull-down menu to customize monitoring or blocking for malware categories based on malware scanning verdicts and to customize web reputation score thresholds.
Blocking Specific Applications and Protocols

AOL Messenger, BitTorrent, Skype: the Web Security appliance can control and block access to these types of applications. You can configure how the appliance manages these kinds of applications based on the port being used:
• Port 80. You can control how the Web Security appliance manages these applications using Access Policies, but only as they are accessed via HTTP tunneling on port 80.
Blocking on Port 80

Once you view the Access Policies: Applications: Policy_Name page, add user agent patterns (also called signatures) to the Block Custom User Agents section of the page.

Figure 8-6 Entering Agent Patterns to Block (screenshot; callouts: enter agent patterns for the applications you want to block; Example Patterns link)

Note — You can click the Example User Agent Patterns link for a list of some example user agent patterns. Table 8-2 provides a list of common patterns.
Table 8-2 Common Application Agent Patterns (Continued)
Application | Search in Setting | HTTP header | Signature
Trillian | Request headers | User-Agent | Trillian/
Windows Messenger | Request headers | User-Agent | MSMSGS
Yahoo Messenger | Request headers | Host | msg.yahoo.com
Yahoo Messenger | Request headers | User-Agent | ymsgr

This is not a comprehensive list, as signatures change occasionally, and new applications are developed.
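How the Table 8-2 signatures apply to request headers, as an added example (not AsyncOS code): the literal signatures come from the table, the regular expressions wrapped around them and the sample requests are constructed for this example.

```python
"""Added example (not AsyncOS code): matching request headers against the
user agent signatures in Table 8-2, the way the Block Custom User Agents
setting applies them to applications tunnelled over HTTP on port 80.
The sample requests at the bottom are constructed."""
import re
from typing import Dict, Optional

# (application, header to search, pattern). The table supplies the literal
# signatures; the regular expressions around them are written for this example.
SIGNATURES = [
    ("Trillian", "User-Agent", re.compile(r"Trillian/")),
    ("Windows Messenger", "User-Agent", re.compile(r"MSMSGS")),
    ("Yahoo Messenger", "Host", re.compile(r"(^|\.)msg\.yahoo\.com$", re.IGNORECASE)),
    ("Yahoo Messenger", "User-Agent", re.compile(r"ymsgr", re.IGNORECASE)),
]


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP request as {lower-case name: value}.
    A port suffix on Host (for example 'msg.yahoo.com:80') is dropped so that a
    host signature matches the name alone."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:        # skip the request line
        if line == "":
            break                              # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                           # malformed header line; ignore it
        headers[name.strip().lower()] = value.strip()
    if "host" in headers:
        headers["host"] = re.sub(r":\d+$", "", headers["host"])
    return headers


def match_blocked_application(raw_request: str) -> Optional[str]:
    """Return the first application whose signature matches the request, or None
    when no signature matches (the request continues through the policy flow)."""
    headers = parse_request_headers(raw_request)
    for app, header, pattern in SIGNATURES:
        value = headers.get(header.lower())
        if value is not None and pattern.search(value):
            return app
    return None


# Constructed sample requests (hostnames use the reserved .invalid TLD).
TRILLIAN_REQUEST = ("GET /status HTTP/1.1\r\nHost: im.example.invalid\r\n"
                    "User-Agent: Trillian/5.1.0.26\r\n\r\n")
YAHOO_REQUEST = ("POST /notify HTTP/1.1\r\nHost: msg.yahoo.com:80\r\n"
                 "User-Agent: Mozilla/4.0 (compatible)\r\n\r\n")
BROWSER_REQUEST = ("GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
                   "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.5\r\n\r\n")

if __name__ == "__main__":
    for req in (TRILLIAN_REQUEST, YAHOO_REQUEST, BROWSER_REQUEST):
        print(match_blocked_application(req))   # Trillian, Yahoo Messenger, None
```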
Blocking on Ports Other Than 80

restrict access on specific ports. However, the restriction is global, so it will apply to all traffic on that port.
CHAPTER 9 Working with External Proxies

This chapter contains the following topics:
• “Working with External Proxies Overview” on page 168
• “Routing Traffic to Upstream Proxies” on page 169
• “Adding External Proxy Information” on page 171
• “Evaluating Routing Policy Group Membership” on page 173
• “Creating Routing Policies” on page 175
Working with External Proxies Overview

The Web Security appliance is a proxy-compatible device, and is easily deployed within an existing proxy environment. However, it is recommended that you place the appliance downstream from existing proxy servers, meaning closer to the clients. You can configure the appliance to work with multiple existing, upstream proxies.
Routing Traffic to Upstream Proxies

When the Web Proxy does not deliver a response from the cache, it can direct client requests directly to the destination server or to an external proxy on the network. You use Routing Policies to create rules that indicate when and where to direct transactions. A Routing Policy determines where to pass the client request, either to another proxy (as defined by the proxy group) or to the destination server.
Note — If your network contains an upstream proxy that does not support FTP connections, then you must create a Routing Policy that applies to all Identities and to just FTP requests. Configure that Routing Policy to directly connect to FTP servers or to connect to a proxy group whose proxies all support FTP connections.
Adding External Proxy Information

To define external proxy information, you create a proxy group. A proxy group is an object that defines a list of proxies and their connection information and the load balancing technique to use when distributing requests to proxies in the group. You can create multiple proxy groups and can define multiple proxies within a group.
5. In the Failure Handling field, choose how the Web Proxy should handle transactions when all proxies in the group fail.
6. Submit and commit your changes.
Evaluating Routing Policy Group Membership

After the Web Proxy assigns an Identity to a client request, it evaluates the request against the other policy types to determine which policy group it belongs to for each type. Any request that does not get terminated due to failed authentication gets evaluated against the Routing Policies to determine from where to fetch the data.
Figure 9-2 Policy Group Flow Diagram for Routing Policies (flow diagram; first steps: receive request from client, then compare the client request against the next (or first) policy group in the policies table)
Creating Routing Policies

You can create Routing Policy groups based on combinations of several criteria, such as Identity or the port used to access the Web Proxy. You must define at least one criterion for policy group membership. When you define multiple criteria, the client request must meet all criteria to match the policy group.
7. To define policy group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears. Table 9-1 describes the advanced options you can configure for policy groups.

Table 9-1 Policy Group Advanced Options
Advanced Option | Description
Protocols | Choose whether or not to define policy group membership by the protocol used in the client request. Select the protocols to include.
Table 9-1 Policy Group Advanced Options (Continued)
Advanced Option | Description
Time Range | Choose whether or not to define policy group membership by a defined time range. Choose the time range from the Time Range field and then choose whether this policy group should apply to the times inside or outside the selected time range. For more information on creating time based policies, see “Working with Time Based Policies” on page 116.
CHAPTER 10 Decryption Policies

This chapter contains the following information:
• “Decryption Policies Overview” on page 180
• “Digital Cryptography Terms” on page 184
• “HTTPS Basics” on page 186
• “Digital Certificates” on page 188
• “Decrypting HTTPS Traffic” on page 191
• “Enabling HTTPS Scanning” on page 197
• “Evaluating Decryption Policy Group Membership” on page 201
• “Creating Decryption Policies” on page 203
• “Controlling HTTPS Traffic” on page 207
• “Importing a Trusted Root Certificate” on pa
Decryption Policies Overview

HTTPS is a web protocol that acts as a secure form of HTTP. HTTPS encrypts HTTP requests and responses before they are sent across the network. Common thinking is that any connection to a site using HTTPS is “safe.” HTTPS connections are secure, not safe, and they do not discriminate against malicious or compromised servers.
the terms and definitions used in this book, see “Digital Cryptography Terms” on page 184. For an overview of the HTTPS protocol, see “HTTPS Basics” on page 186.

Decryption Policy Groups

Decryption Policies define how the appliance should handle HTTPS connection requests for users on the network. You can apply different actions to specified groups of users. You can also specify which ports the appliance should monitor for HTTPS transactions.
For information about creating and using policy groups, see “Working with Policies” on page 105.

Note — The next two sections contain information about digital cryptography and HTTPS for reference only.

Personally Identifiable Information Disclosure

If you choose to decrypt an end-user’s HTTPS session, then the Web Security appliance access logs and reports may contain personally identifiable information.
Note — Figure 8-3 on page 158 shows the order the Web Proxy uses when evaluating control settings for Access Policies.
Digital Cryptography Terms

To understand how encryption and decryption work, you need to understand a little bit about cryptographic encoding techniques. Figure 10-1 describes some terms used in cryptography that are discussed in this chapter.

Table 10-1 Cryptography Terms and Definitions
Term | Definition
Certificate authority | An entity which issues digital certificates for use by other parties.
Table 10-1 Cryptography Terms and Definitions (Continued)
Term | Definition
Public key infrastructure (PKI) | An arrangement that binds public keys with respective user identities by means of a certificate authority. X.509 is a standard that is an example PKI. X.509 specifies standards for public key certificates and an algorithm for validating certification paths.
Private key cryptography | A system that uses the same key for encoding and decoding text.
HTTPS Basics

HTTPS is a web protocol that acts as a secure form of HTTP. HTTPS is secure because the HTTP request and response data is encrypted before it is sent across the network. HTTPS works similarly to HTTP, except that the HTTP layer is sent on top of a security layer using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
SSL Handshake

3. Authenticate the identity of each side. Typically, only the server gets authenticated while the client remains unauthenticated. The client validates the server certificate. For more information about certificates and using them to authenticate servers, see “Digital Certificates” on page 188.
4. Generate temporary symmetric keys to encrypt the channel for this session.
Digital Certificates

A digital certificate is an electronic document that identifies and describes an organization, and that has been verified and signed by a trusted organization. A digital certificate is similar in concept to an identification card, such as a driver’s license or a passport. The trusted organization that signs the certificate is also known as a certificate authority.
Validating Certificate Authorities

Figure 10-2 Certification Path Example (figure)

In Figure 10-2, the certificate for the URL investing.schwab.com was signed by certificate authority “VeriSign Class 3 Extended Validation SSL CA,” which in turn was signed by certificate authority VeriSign. By definition, root certificates are always trusted by applications that follow the X.509 standard. The Web Security appliance uses the X.509 standard. Standard web browsers ship with a set of trusted root certificates.
Validating Digital Certificates

Certificates can be valid or invalid. A certificate may be invalid for different reasons. For example, the current time may be before or after the certificate validity period, the root authority in the certificate may not be recognized, or the Common Name of the certificate may not match the hostname specified in the HTTP “Host” header.
Decrypting HTTPS Traffic

The request and response data is encrypted for HTTPS connections before it is sent across the network. Because the data is encrypted, third parties can view the data, but cannot decrypt it to read its contents without the private key of the HTTPS server. Figure 10-3 shows an HTTPS connection between a client and a HTTPS server.
to perform the SSL handshake with the client, it must send the client its own digital certificate. However, the client expects the certificate of the requested server, so the appliance mimics the requested server’s certificate by specifying a root certificate authority uploaded or configured by an appliance administrator. For more information about how the appliance mimics the server’s certificate, see “Mimicking the Server Digital Certificate” on page 192.
• Basic Constraints
• Subject Alternative Name
• Key Usage
• Subject Key Identifier
• Extended Key Usage
For example, the appliance removes the Authority Key Identifier and the Authority Information Access X509v3 extensions.

Working with Root Certificates

The Web Security appliance mimics the HTTPS server to which a client originally sent a connection request.
certificate along with the mimicked certificate to the client application. That way, as long as the intermediate certificate is signed by a root certificate authority that the client application trusts, the application will trust the mimicked server certificate, too.
Figure 10-6 Certificate Issued by Web Security Appliance (screenshot with callouts: the requested HTTPS server; root certificate information either generated or uploaded in the Web Security appliance; validity period specified in either the generated or uploaded root certificate)

You can choose how to handle the root certificates issued by the Web Security appliance:
• Inform users to accept the root certificate.
Use the following OpenSSL command to convert a DER formatted certificate file to a PEM formatted certificate file:

    openssl x509 -inform DER -in cert_in_DER -outform PEM -out out_file_name

You can also convert key files in DER format into the PEM format by running a similar OpenSSL command.
Enabling HTTPS Scanning

To monitor and decrypt HTTPS traffic, you must enable HTTPS scanning on the Security Services > HTTPS Proxy page. When you enable HTTPS scanning, you must configure what the appliance uses for a root certificate when it sends self-signed server certificates to the client applications on the network.
3. Verify the Enable HTTPS Proxy field is enabled.
4. Enter the ports the appliance should check for HTTPS traffic in the Transparent HTTPS Ports field. Port 443 is entered by default.
Note — This field only appears when the appliance is deployed in transparent mode.
5. Choose which root certificate to use for signing self-signed certificates the appliance sends to clients:
• Generated certificate and key. Go to step 6 on page 198.
• Uploaded certificate and key.
c. In the Generate Certificate and Key dialog box, enter the information to display in the root certificate.
Note — You can enter any ASCII character except the forward slash ( / ) in the Common Name field.
d. Click Generate. The Web Security appliance generates the certificate with the data you entered and generates a key. The generated certificate information is displayed on the Edit HTTPS Proxy Settings page.
Note — After you upload the certificate and key, you can download the certificate to transfer it to the client applications on the network. Do this using the Download Certificate link in the uploaded key area.
8. In the Invalid Certificate Handling section, choose how the appliance handles HTTPS traffic when it encounters invalid server certificates. You can drop, decrypt, or monitor HTTPS traffic for the following types of invalid server certificates:
• Expired.
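The checks listed under “Validating Digital Certificates” (validity period, recognized root authority, Common Name against the HTTP Host header) followed by the per-type action chosen in the Invalid Certificate Handling step, as an added example. This is example code, not the appliance's logic: the certificate records, the trusted root list and the handling table are constructed, and the rule that the most restrictive configured action wins when more than one check fails is an assumption of the example.

```python
"""Added example (not AsyncOS code): server certificate validation reasons from
this chapter, then the Invalid Certificate Handling action for each reason.
Certificate records, trusted roots and the handling table are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class ServerCertificate:
    """Simplified leaf certificate; the chain is collapsed to the root that signed it."""
    common_name: str
    not_before: datetime
    not_after: datetime
    root_ca: str


def hostname_matches(common_name: str, host_header: str) -> bool:
    """Compare the certificate Common Name with the Host header (port removed).
    A leading '*.' matches exactly one DNS label (the usual wildcard rule)."""
    cn = common_name.lower()
    host = re.sub(r":\d+$", "", host_header.lower())
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host


def validate(cert: ServerCertificate, host_header: str,
             trusted_roots: Set[str], now: datetime) -> List[str]:
    """Return the reasons the certificate is invalid (empty list when valid):
    the three reasons named in this chapter, with the validity period split
    into 'not yet valid' and 'expired'. These reason names are the example's own."""
    reasons = []
    if now < cert.not_before:
        reasons.append("not yet valid")
    if now > cert.not_after:
        reasons.append("expired")
    if cert.root_ca not in trusted_roots:
        reasons.append("unrecognized root authority")
    if not hostname_matches(cert.common_name, host_header):
        reasons.append("name mismatch")
    return reasons


# Drop is the most restrictive action, monitor the least (assumption of the example).
SEVERITY = {"drop": 2, "decrypt": 1, "monitor": 0}


def invalid_certificate_action(reasons: List[str], handling: Dict[str, str]) -> str:
    """'valid' means the Decryption Policy's own action applies; otherwise the
    most restrictive action configured for any failing check is returned."""
    if not reasons:
        return "valid"
    return max((handling[r] for r in reasons), key=SEVERITY.__getitem__)


# Constructed configuration and test data.
HANDLING = {"expired": "drop", "not yet valid": "drop",
            "unrecognized root authority": "decrypt", "name mismatch": "monitor"}
TRUSTED_ROOTS = {"Constructed Root CA"}
NOW = datetime(2009, 9, 22, tzinfo=timezone.utc)
GOOD = ServerCertificate("*.example.invalid", datetime(2009, 1, 1, tzinfo=timezone.utc),
                         datetime(2010, 1, 1, tzinfo=timezone.utc), "Constructed Root CA")
EXPIRED = ServerCertificate("www.example.invalid", datetime(2008, 1, 1, tzinfo=timezone.utc),
                            datetime(2009, 6, 30, tzinfo=timezone.utc), "Constructed Root CA")
UNKNOWN = ServerCertificate("example.invalid", datetime(2009, 1, 1, tzinfo=timezone.utc),
                            datetime(2010, 1, 1, tzinfo=timezone.utc), "Unlisted CA")

if __name__ == "__main__":
    for cert in (GOOD, EXPIRED, UNKNOWN):
        reasons = validate(cert, "www.example.invalid:443", TRUSTED_ROOTS, NOW)
        print(cert.common_name, reasons, invalid_certificate_action(reasons, HANDLING))
```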
Evaluating Decryption Policy Group Membership

After the Web Proxy assigns an Identity to a client request, it evaluates the request against the other policy types to determine which policy group it belongs to for each type. When HTTPS scanning is enabled, it applies HTTPS requests against the Decryption Policies. When HTTPS scanning is not enabled, it evaluates HTTP requests against the Access Policies.
Figure 10-7 Policy Group Flow Diagram for Decryption Policies (flow diagram; first steps: receive request from client, then compare the client request against the next (or first) policy group in the policies table)
Creating Decryption Policies

You can create Decryption Policy groups based on combinations of several criteria, such as Identity or the URL category of the destination site. You must define at least one criterion for policy group membership. When you define multiple criteria, the client request must meet all criteria to match the policy group.
7. To define policy group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears. Table 10-2 describes the advanced options you can configure for Decryption Policy groups.

Table 10-2 Decryption Policy Group Advanced Options
Advanced Option | Description
Proxy Ports | Choose whether or not to define policy group membership by the proxy port used to access the Web Proxy.
Table 10-2 Decryption Policy Group Advanced Options (Continued)
Advanced Option | Description
Subnets | Choose whether or not to define policy group membership by subnet or other addresses. You can choose to use the addresses that may be defined with the associated Identity, or you can enter specific addresses here.
10. Submit and commit your changes.
Controlling HTTPS Traffic

After the Web Security appliance assigns an HTTPS connection request to a Decryption Policy group, the connection request inherits the control settings of that policy group. The control settings of the Decryption Policy group determine whether the appliance allows, drops, or passes through the connection. For more information about the actions the appliance can take on an HTTPS request, see “Decryption Policy Groups” on page 181.
• Default action. You can configure the action the appliance should take when none of the other settings apply. Click the link under the Default Action column for the policy group you want to configure.
Note — The configured default action only affects the transaction when no decision is made based on URL category or Web Reputation score.
Figure 10-9 Applying Decryption Policy Actions (decision flow diagram; recoverable decision points: receive HTTPS request from client; is the URL category of the request URL in the Decryption group’s list of custom URL categories?; is the server certificate valid?; the outcomes shown are Drop, Decrypt, Pass-Through, and continue to monitor)
Figure 10-9 shows two different decision points that involve the web reputation score of the destination server. The web reputation score of the server is evaluated only once, but the result is applied at two different points in the decision flow. For example, note that a web reputation score drop action overrides any action defined for predefined URL categories.
Importing a Trusted Root Certificate

When the Web Proxy receives a connection request for an HTTPS server, it validates the trustworthiness of the destination server by verifying the root certificate authority that signed the server certificate. If the Web Proxy does not recognize the root certificate that signed the server certificate, then it does not trust the server certificate.
CHAPTER 11 Data Security and External DLP Policies

This chapter contains the following information:
• “Data Security and External DLP Policies Overview” on page 214
• “Working with Data Security and External DLP Policies” on page 216
• “Evaluating Data Security and External DLP Policy Group Membership” on page 219
• “Creating Data Security and External DLP Policies” on page 221
• “Controlling Upload Requests Using IronPort Data Security Policies” on page 225
• “Defining External DLP Systems” on page 229
•
Data Security and External DLP Policies Overview

In the Information Age, your organization’s data is one of its most prized possessions. Your organization spends a lot of money making data available to your employees, customers, and partners. Data is always on the move by traveling over the web and email.
... consist of relatively small POST requests that are harmless, but can take up many lines in the log files. This creates a lot of “noise” in the logs that can make it difficult to find and troubleshoot the true data security violations, such as users uploading company files using their personal email account.
WORKING WITH DATA SECURITY AND EXTERNAL DLP POLICIES

IronPort Data Security Policies and External DLP Policies define how the Web Proxy handles HTTP requests and decrypted HTTPS connections for transactions that upload data to a server (upload requests). However, IronPort Data Security Policies use logic defined on the Web Security appliance, whereas External DLP Policies use logic defined on the DLP system.
• Allow. The Web Proxy bypasses the rest of the Data Security Policy security service scanning and then evaluates the request against the Access Policies before taking a final action. For IronPort Data Security Policies, Allow bypasses the rest of data security scanning, but does not bypass External DLP or Access Policy scanning.
For more information about configuring External DLP Policy groups, see “Controlling Upload Requests Using External DLP Policies” on page 232.
EVALUATING DATA SECURITY AND EXTERNAL DLP POLICY GROUP MEMBERSHIP

Each client request is assigned to an Identity and then is evaluated against the other policy types to determine which policy group it belongs to for each type. The Web Proxy evaluates upload requests against the Data Security and External DLP Policies.
Figure 11-1 Policy Group Flow Diagram for Data Security and External DLP Policies
[Flow diagram not reproduced in text. It begins by receiving the request from the client and comparing the client request against the next (or first) policy group in the policies table.]
CREATING DATA SECURITY AND EXTERNAL DLP POLICIES

You can create Data Security and External DLP Policy groups based on combinations of several criteria, such as one or more Identities or the URL category of the destination site. You must define at least one criterion for policy group membership. When you define multiple criteria, the upload request must meet all criteria to match the policy group.
7. To define policy group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears. Table 11-1 describes the advanced options you can configure for Data Security and External DLP Policy groups.
Table 11-1 Data Security and External DLP Policy Group Advanced Options (Continued)
• Proxy Ports. Choose whether or not to define policy group membership by the proxy port used to access the Web Proxy. Enter one or more port numbers in the Proxy Ports field. Separate multiple ports with commas. For explicit forward connections, this is the port configured in the browser.
• User Agents. Choose whether or not to define policy group membership by the user agent used in the client request. You can select some commonly defined browsers, or define your own using regular expressions. Choose whether this policy group should apply to the selected user agents or to any user agent that is not in the list of selected user agents.
CONTROLLING UPLOAD REQUESTS USING IRONPORT DATA SECURITY POLICIES

Each upload request is assigned to a Data Security Policy group and inherits the control settings of that policy group. The control settings of the Data Security Policy group determine whether the appliance blocks the connection or evaluates it against the Access Policies.
Figure 11-3 Applying Data Security Policy Actions
[Flow diagram not reproduced in text. Starting from an upload request received from the client, it checks whether the request body size is smaller than the minimum request body size (as determined by datasecurityconfig), whether the request body size is larger than the maximum allowed (as determined by the Content-Length header), and whether the URL category of the request URL is in the policy group's custom URL categories, with each step leading to the Allow or Block action.]
... monitor or block content by category. You can also create custom URL categories and choose to allow, monitor, or block traffic for a website in the custom category. For more information about working with URL categories, see “Configuring URL Filters for Data Security Policy Groups” on page 277.

Web Reputation

The Web Reputation setting inherits the global setting.
Note — Only enter file names with 8-bit ASCII characters. The Web Proxy only matches file names with 8-bit ASCII characters.

Figure 11-4 on page 228 shows the IronPort Data Security Policies > Content page where you configure the content control settings.
DEFINING EXTERNAL DLP SYSTEMS

The Web Security appliance can integrate with multiple external DLP servers from the same vendor by defining multiple DLP servers in the appliance. Define DLP systems and global settings that affect integration with all DLP systems on the Network > External DLP Servers page.

Figure 11-5 Network > External DLP Servers Page

You can define the load balancing technique the Web Proxy uses when contacting the DLP systems.
3. Enter the information in Table 11-2.

Table 11-2 External DLP Server Settings
• External DLP Servers. Enter the following information to access an ICAP compliant DLP system:
  • Server address and port. The host name or IP address and TCP port for accessing the DLP system.
  • Reconnection attempts. The number of times the Web Proxy tries to connect to the DLP system before failing.
  • DLP Service URL.
Table 11-2 External DLP Server Settings (Continued)
• Failure Handling. Choose whether upload requests are blocked or allowed (passed to Access Policies for evaluation) when the DLP server fails to provide a timely response. The default is allow (“Permit all data transfers to proceed without scanning”).

4. Optionally, you can add another DLP server by clicking Add Row and entering the DLP Server information in the new fields provided.
5.
CONTROLLING UPLOAD REQUESTS USING EXTERNAL DLP POLICIES

Each upload request is assigned to an External DLP Policy group and inherits the control settings of that policy group. The control settings of the External DLP Policy group determine whether or not to send the upload request to the external DLP system for scanning.
Figure 11-8 Scanning Destinations Settings for External DLP Policies

4. In the Destination to scan section, choose one of the following options:
• Do not scan any uploads. No upload requests are sent to the configured DLP system(s) for scanning. All upload requests are evaluated against the Access Policies.
• Scan all uploads. All upload requests are sent to the configured DLP system(s) for scanning.
LOGGING

The access logs indicate whether or not an upload request was scanned by either the IronPort Data Security Filters or an external DLP server. The access log entries include a field for the IronPort Data Security scan verdict and another field for the External DLP scan verdict. For more information, see “Understanding Web Reputation and Anti-Malware Information” on page 442.
Table 11-3 Data Security Log Fields (Continued)
• Field value <>: File name, file type, file size for each file uploaded at once. Note: This field does not include text/plain files that are less than the configured minimum request body size, the default of which is 4096 bytes. For more information on configuring the minimum request body size, see “Bypassing Upload Requests Below a Minimum Size” on page 214.
CHAPTER 12 Notifying End Users

This chapter contains the following information:
• “Notifying End Users of Organization Policies” on page 238
• “Configuring General Settings for Notification Pages” on page 240
• “Working With IronPort End-User Notification Pages” on page 242
• “Working with User Defined End-User Notification Pages” on page 249
• “End-User Acknowledgement Page” on page 252
• “Configuring the End-User URL Category Warning Page” on page 256
• “Working with IronPort FTP Notification Messages”
NOTIFYING END USERS OF ORGANIZATION POLICIES

The Web Security appliance helps your organization implement and enforce policies for accessing the web. When a policy blocks a user from a website, you can configure the appliance to notify the user why it blocked the URL request. Web users see a webpage that explains that they were blocked from accessing a website and why they were blocked. These pages are called end-user notification pages.
... end-user acknowledgement page when a user first accesses a browser after a certain period of time. When the end-user acknowledgement page appears, users must click a link to access the original site requested or any other website. Language and logo settings apply to the end-user acknowledgement page as well as the notification pages. For more information about configuring the end-user acknowledgement page, see “End-User Acknowledgement Page” on page 252.
CONFIGURING GENERAL SETTINGS FOR NOTIFICATION PAGES

You can configure the following general settings:
• Language. You can configure a different language for HTTP and FTP end-user notification pages. The HTTP language setting applies to all HTTP notification pages (acknowledgement, IronPort end-user, end-user URL category warning, and user defined end-user), and the FTP language applies to all FTP end-user notification messages.
• Logo.
4. Choose whether or not to use a logo on each notification page. You can specify the IronPort logo or any graphic file referenced at the URL you enter in the Use Custom Logo field.
Note — See “Custom Text and Logos: Authentication, and End-User Acknowledgement Pages” on page 258 for more information about working with custom logos.
5. Submit and commit your changes.
WORKING WITH IRONPORT END-USER NOTIFICATION PAGES

When you choose end-user notification pages defined by IronPort, the Web Proxy displays a different page depending on the reason why it blocked the original page. However, you can still customize each page to make it specific to your organization.
Table 12-1 describes the settings you can configure for IronPort notification pages.

Table 12-1 IronPort Notification Page Settings
• Custom Message. Choose whether or not to include additional text you specify on each notification page. When you enter a custom message, AsyncOS places the message before the last sentence on the notification page, which includes the contact information.
Editing IronPort Notification Pages

Each IronPort notification page is stored on the Web Security appliance as an HTML file. You can edit the content of these HTML pages to include additional text or to edit the overall look and feel of each page. You can use variables in the HTML files to display specific information to the user. You can also turn each variable into a conditional variable to create if-then statements.
Table 12-2 Variables for Customized End-User Notification Pages (Continued)
Variable | Description | Always Evaluates to TRUE if Used as Conditional Variable
%j | URL category warning page custom text | No
%k | Redirection link for the end-user acknowledgement page and end-user URL category warning page | No
%K | Response file type | No
%l | WWW-Authenticate: header line | No
%L | Proxy-Authenticate: header line | No
%M | The Method of the request, such as “GET” or “POST” | Yes
%X | Extended blocking code. This is a 16-byte base64 value that encodes most of the web reputation and anti-malware information logged in the access log, such as the ACL decision tag and WBRS score. |
10. Commit your change, and close the SSH client.

Rules and Guidelines for Editing IronPort Notification Pages

Use the following rules and guidelines when editing IronPort notification pages:
• Each customized IronPort notification page file must be a valid HTML file. For a list of HTML tags you can include, see “Supported HTML Tags in Notification Pages” on page 258.
For example, the following text is some HTML code that uses %R as a conditional variable to check if re-authentication is offered, and uses %r as a regular variable to provide the re-authentication URL.

%?R
WORKING WITH USER DEFINED END-USER NOTIFICATION PAGES

When you choose end-user notification pages defined by someone in your organization, by default, AsyncOS redirects all blocked websites to the URL you specify, regardless of the reason why it blocked the original page.
Table 12-4 End-User Notification Parameters for Redirected URLs (Continued)
• DVS_Verdict. Malware category that the DVS engine assigns to the transaction. For more information about malware categories, see “Malware Scanning Verdict Values” on page 460.
• DVS_ThreatName. The name of the malware found by the DVS engine.
And you have the following access log entry:

1182468145.492 1 172.17.0.8 TCP_DENIED/403 3146 GET http://www.espn.com/index.html HTTP/1.1 - NONE/- - BLOCK_WEBCAT-DefaultGroup-DefaultGroup-NONE-NONE-DefaultRouting -

Then AsyncOS creates the following redirected URL:

http://www.example.com/eun.policy.html?Time=21/Jun/2007:23:22:25%20%2B0000&ID=0000000004&Client_IP=172.17.0.8&User=&Site=www.espn.com&URI=index.
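The mapping from the access log entry to the redirected URL, reconstructed as an added example (not AsyncOS code): it parses the log line quoted above, builds the redirect URL with the Time, ID, Client_IP, User, Site and URI parameters, and shows how the receiving user-defined page should decode and escape them. The field positions are read from the sample line and the ID value, which the log line does not carry, is supplied by the caller; both are assumptions.

```python
"""Rebuild the user-defined end-user notification redirect URL from an
access log entry, following the parameter mapping shown in the text.

Added example, not AsyncOS code. Assumptions: field positions are taken
from the sample line quoted in the text, and the ID value (not derivable
from the log line) is supplied by the caller.
"""
from datetime import datetime, timezone
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# The access log entry quoted in the text, joined onto one line.
SAMPLE_LOG_LINE = (
    "1182468145.492 1 172.17.0.8 TCP_DENIED/403 3146 GET "
    "http://www.espn.com/index.html HTTP/1.1 - NONE/- - "
    "BLOCK_WEBCAT-DefaultGroup-DefaultGroup-NONE-NONE-DefaultRouting -"
)


def parse_access_log_line(line: str) -> dict:
    """Extract the fields the redirect URL needs from one access log line.

    Positions (assumed from the sample): 0 timestamp, 2 client IP,
    3 result code, 5 method, 6 request URL, 8 user name ("-" when no
    authenticated user), 11 ACL decision tag.
    """
    fields = line.split()
    if len(fields) < 12:
        raise ValueError("unexpected access log line: %r" % line)
    url = fields[6]
    parts = urlsplit(url)
    uri = parts.path.lstrip("/")          # URI is the path without "/"
    if parts.query:
        uri += "?" + parts.query
    return {
        "timestamp": float(fields[0]),
        "client_ip": fields[2],
        "result_code": fields[3],
        "method": fields[5],
        "url": url,
        "site": parts.hostname or "",
        "uri": uri,
        "user": "" if fields[8] == "-" else fields[8],
        "decision_tag": fields[11],
    }


def build_eun_redirect_url(base_url: str, entry: dict, transaction_id: int) -> str:
    """Append the Time, ID, Client_IP, User, Site and URI parameters.

    Time is formatted in UTC as in the example; every value is
    percent-encoded (the text shows "%20" and "%2B" inside Time).
    """
    when = datetime.fromtimestamp(entry["timestamp"], tz=timezone.utc)
    params = [
        ("Time", when.strftime("%d/%b/%Y:%H:%M:%S %z")),
        ("ID", "%010d" % transaction_id),   # zero-padded like "0000000004"
        ("Client_IP", entry["client_ip"]),
        ("User", entry["user"]),
        ("Site", entry["site"]),
        ("URI", entry["uri"]),
    ]
    # "/" and ":" stay unencoded, matching the URL shown in the text.
    query = "&".join(name + "=" + quote(value, safe="/:") for name, value in params)
    return base_url + "?" + query


def decode_eun_parameters(redirect_url: str) -> dict:
    """What the user-defined notification page receives.

    Site and URI originate from the client's own request, so the page
    should treat every parameter as untrusted input and HTML-escape it
    before echoing it into its markup.
    """
    raw = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    return {name: escape(values[0]) for name, values in raw.items()}


if __name__ == "__main__":
    entry = parse_access_log_line(SAMPLE_LOG_LINE)
    url = build_eun_redirect_url("http://www.example.com/eun.policy.html", entry, 4)
    print(url)
    print(decode_eun_parameters(url))
```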
END-USER ACKNOWLEDGEMENT PAGE

You can configure the Web Security appliance to inform users that it is filtering and monitoring their web activity. The appliance does this by displaying an end-user acknowledgement page when a user first accesses a browser after a certain period of time. When the end-user acknowledgement page appears, users must click a link to access the original site requested or any other website.
Consider the following rules and guidelines when enabling the end-user acknowledgement page:
• When a user is tracked by IP address, the appliance uses the shortest value for maximum time interval and maximum IP address idle timeout to determine when to display the end-user acknowledgement page again.
• The first transaction from a user must be an HTTP request, and the user must agree to the terms for all transactions to succeed.
Figure 12-2 Editing End-User Acknowledgment Page Settings

3. In the End-User Acknowledgement Page section, enable the “Require end-user to click through acknowledgement page” field. See “Custom Text and Logos: Authentication, and End-User Acknowledgement Pages” on page 258 for information about how this feature works with custom messages.
4.
Please acknowledge the following statements before accessing the Internet.

7. Click the “Preview Acknowledgment Page Customization” link to view the current end-user acknowledgement page in a separate browser window.
8. Submit and commit your changes.
CONFIGURING THE END-USER URL CATEGORY WARNING PAGE

You can configure the end-user acknowledgement page on the Security Services > End-User Notification page. You can include some simple HTML tags in the custom message, such as font color and size.

To configure the end-user acknowledgement page:
1. Navigate to the Security Services > End-User Notification page, and click Edit Settings.
2.
WORKING WITH IRONPORT FTP NOTIFICATION MESSAGES

The FTP Proxy displays a predefined notification message to native FTP clients when there is an error with FTP Proxy authentication. You can customize this FTP notification with a custom message.

To configure IronPort FTP notification messages:
1. Navigate to the Security Services > End-User Notification page, and click Edit Settings.
2. Scroll down to the Native FTP section.
3.
CUSTOM TEXT IN NOTIFICATION PAGES

The following sections apply to custom text entered for IronPort notification and end-user acknowledgement pages.

Supported HTML Tags in Notification Pages

You can format the text in IronPort notification and end-user acknowledgement pages using some HTML tags. Tags must be in lower case and follow standard HTML syntax (closing tags, etc.). You can use the following HTML tags.
http://www.example.com/index.html
http://www.mycompany.com/logo.jpg

Then all of the following URLs will also be treated as exempt from all scanning:

http://www.example.com/index.html
http://www.mycompany.com/logo.jpg
http://www.example.com/logo.jpg
http://www.mycompany.com/index.
NOTIFICATION PAGE TYPES

Users accessing the Internet sometimes cannot access the server they want. By default, the Web Proxy displays a notification page informing users they were blocked and the reason for the block. This section lists and describes all possible notification pages a user might see while accessing the Internet.
Table 12-5 Codes Used in Notification Pages (Continued)
Notification Code | Code Description
| Client IP address.
| File type of the file the client attempted to download.
| The protocol the client requested to use.
| The URL to which the client is redirected.
| Host name of the web server.

Table 12-6 describes the different notification pages users might encounter.
Table 12-6 Notification Page Types (Continued)

Notification Title: Security: Browser
Notification Text: Based on your corporate Access Policies, requests from your computer have been blocked because it has been determined to be a security threat to the corporate network. Your browser may have been compromised by a malware/spyware agent identified as “”.

Notification Title: Filter Failure
Notification Text: The request for page has been denied because an internal server is currently unreachable or overloaded. Please retry the request later.
Notification Codes: (, FILTER_FAILURE, )

Notification Title: Found
Notification Text: The page is being redirected to .
Notification Codes: (, FOUND, , )

Notification Title: FTP Aborted
Notification Text: The request for the file did not succeed.

Notification Title: FTP Service Unavailable
Notification Text: The system cannot communicate with the FTP server . The FTP server may be busy, may be permanently down, or may not provide this service. Please confirm that this is a valid address. If it is correct, try this request later.
Notification Codes: (, FTP_SERVICE_UNAVAIL, )

Notification Title: Only if Cached But Not in Cache
Notification Text: The page has been blocked based on your corporate policies.
Notification Codes: (, ONLY_IF_CACHED_NOT_IN_CACHE, )

Notification Title: Policy: General
Notification Text: Based on your corporate Access Policies, access to this web site has been blocked.

Notification Title: Range Not Satisfiable
Notification Text: The system cannot process this request. A non-standard browser may have generated an invalid HTTP request. If you are using a standard browser, please retry the request.
Notification Codes: (, RANGE_NOT_SATISFIABLE)

Notification Title: Redirect Permanent
Notification Text: The page is being redirected to .
CHAPTER 13 URL Filters

This chapter contains the following information:
• “URL Filters Overview” on page 268
• “Configuring the URL Filtering Engine” on page 271
• “Filtering Transactions Using URL Categories” on page 272
• “Custom URL Categories” on page 281
• “Redirecting Traffic” on page 284
• “Warning Users and Allowing Them to Continue” on page 286
• “Creating Time Based URL Filters” on page 288
• “Viewing URL Filtering Activity” on page 289
• “Regular Expressions” on page 290
• “URL Category Descrip
URL FILTERS OVERVIEW

AsyncOS for Web allows administrators to control user access based on the web server category of a particular HTTP or HTTPS request. For example, you can block all HTTP requests for gambling web sites, or you can decrypt all HTTPS requests for web-based email websites. Using policy groups, you can create secure policies that control access to web sites containing objectionable or questionable content.
Enable the Dynamic Content Analysis engine when you enable Cisco IronPort Web Usage Controls on the Security Services > Acceptable Use Controls page. After the Dynamic Content Analysis engine categorizes a URL, it stores the category verdict and URL in a temporary cache. This allows future transactions to benefit from the earlier response scan and be categorized at request time instead of at response time, and it improves overall performance.
For more information about creating custom URL categories, see “Custom URL Categories” on page 281.

Matching URLs to URL Categories

When the URL filtering engine matches a URL category to the URL in a client request, it first evaluates the URL against the custom URL categories included in the policy group. If the URL in the request does not match an included custom category, the URL filtering engine compares it to the predefined URL categories.
CONFIGURING THE URL FILTERING ENGINE

To apply predefined category settings to policy groups and configure custom settings to manage web transactions, you must first enable and choose a URL filtering engine, either the Cisco IronPort Web Usage Controls URL filtering engine or the IronPort URL Filters. By default, the Cisco IronPort Web Usage Controls URL filtering engine is enabled in the System Setup Wizard.
FILTERING TRANSACTIONS USING URL CATEGORIES

The configured URL filtering engine allows you to filter transactions in Access, Decryption, and Data Security Policies. To configure URL filtering in a policy group, click the link in the policies table under the URL Categories column for the policy group you want to edit. For more information about the policies table, see “Using the Policies Tables” on page 110.
Figure 13-1 Configuring Access Policy URL Categories
3. In the Custom URL Category Filtering section, choose an action for each custom URL category. Table 13-1 describes each action.

Table 13-1 URL Category Filtering for Access Policies
• Include. Choose whether or not the URL filtering engine should compare the client request against the custom URL category. The URL filtering engine compares client requests against included custom URL categories, and ignores excluded custom URL categories.
• Warn. The Web Proxy initially blocks the request and displays a warning page, but allows the user to continue by clicking a hypertext link in the warning page. For more information, see “Warning Users and Allowing Them to Continue” on page 286.
• Block. The Web Proxy denies transactions that match this setting.
Figure 13-2 Configuring Decryption Policy URL Categories

3. Choose an action for each custom and predefined URL category. Table 13-2 describes each action.

Table 13-2 URL Category Filtering for Decryption Policies
• Include. Choose whether or not the URL filtering engine should compare the client request against the custom URL category.
• Use Global Setting. Uses the action for this category in the global Decryption Policy group. This is the default action for user defined policy groups. Applies to user defined policy groups only.
• Pass Through. Passes through the connection between the client and the server without inspecting the traffic content.
2. Click the link in the policies table under the URL Categories column for the policy group you want to edit. The IronPort Data Security Policies: URL Categories: policyname page appears.
3. In the Custom URL Category Filtering section, choose an action for each custom URL category. Table 13-3 describes each action.

Table 13-3 URL Category Filtering for IronPort Data Security Policies
• Include. Choose whether or not the URL filtering engine should compare the client request against the custom URL category.

• Monitor
• Block
See Table 13-3 for details on these actions.
5. In the Uncategorized URLs section, choose the action to take for upload requests to web sites that do not fall into a predefined or custom URL category.
6. Submit and commit your changes.
CUSTOM URL CATEGORIES

The Web Security appliance ships with many predefined URL categories by default, such as Web-based Email and more. However, you can also create user defined custom URL categories that specify particular host names and IP addresses. You might want to create custom URL categories for internal sites or a group of external sites you know you can trust. Create, edit, and delete custom URL categories on the Web Security Manager > Custom URL Categories page.
Figure 13-5 Creating a Custom URL Category

3. Enter the settings in Table 13-4 for the custom URL category.

Table 13-4 Custom URL Category Settings
• Category Name. Enter a name for the URL category. This name appears when you configure URL filtering for policy groups.
• List Order. Choose the order in the list of custom URL categories to place this category. Enter “1” for the topmost URL category.
• Advanced: Regular Expressions. You can use regular expressions to specify multiple web servers that match the pattern you enter. Note: The URL filtering engine compares URLs with addresses entered in the Sites field first. If the URL of a transaction matches an entry in the Sites field, it is not compared to any expression entered here.
REDIRECTING TRAFFIC

In addition to using the Web Security appliance to monitor and block traffic to certain websites, you can also use it to redirect users to a different website. You can configure the appliance to redirect traffic originally destined for a URL in a custom URL category to a location you specify. This allows you to redirect traffic at the appliance instead of at the destination server.

6. Submit and commit your changes.
WARNING USERS AND ALLOWING THEM TO CONTINUE

In addition to using the Web Security appliance to block traffic to certain websites, you can also use it to warn users that a site does not meet the organization’s acceptable use policies and allow them to continue if they choose.

User Experience When Warning Users

When the URL filtering engine warns users for a particular request, it provides a warning page that the Web Proxy sends to the end user. However, not all websites display the warning page to the end user. For example, some Web 2.0 websites display dynamic content using JavaScript instead of a static webpage and are not likely to display the warning page from the Web Proxy.
CREATING TIME BASED URL FILTERS

You can configure the Web Security appliance to handle requests for URLs in particular categories differently based on time and day. For example, you can block access to social networking sites, such as blogs and forums, during business hours. To define URL filtering actions by time you must first define at least one time range.
VIEWING URL FILTERING ACTIVITY

The Monitor > URL Categories page provides a collective display of URL statistics that includes information about top URL categories matched and top URL categories blocked. Additionally, this page displays category-specific data for bandwidth savings and web transactions. For detailed information about monitoring and reporting functionality, see “Monitoring” on page 395.
REGULAR EXPRESSIONS

Regular expressions are pattern matching descriptions that contain normal printable characters and special characters that are used to match patterns in text strings. For example, a text string such as “welcome” matches “welcome” or “welcomemyfriend.” When a match occurs, the function returns true. If no match occurs, the function returns false. Actions are executed only when a pattern-matching expression is true.
/downloads/.*\.(exe|zip|bin)

Avoid using regular expression strings that are redundant because they can cause higher CPU usage on the Web Security appliance. A redundant regular expression is one that starts or ends with “.*”.

Note — You must enclose regular expressions that contain blank spaces or non-alphanumeric characters in ASCII quotation marks.
Table 13-5 Regular Expression Character Descriptions (Continued)
Character | Description
() | Group characters in a regular expression. For example: (abc)* matches abc or abcabcabc
“...” | Literally interprets any characters enclosed within the quotation marks.
\ | Escape character.

Note — To match the literal version of any of the special characters, the character must be preceded by a backslash “\”. For example, to exactly match a period “.
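The matching order described for custom URL categories (Sites field first, then regular expressions, with unanchored matching as in the “welcome” example) together with the redundancy and quoting rules above, as an added example that is not the appliance's own matching code. The category contents are constructed, and the assumptions that Sites entries are exact host names or IP addresses and that expressions are searched against the full request URL are mine.

```python
"""Match request URLs against a custom URL category in the order the
text describes (Sites first, then regular expressions) and lint the
expressions for the redundancy the text warns about.

Added example, not appliance code. Assumptions: Sites entries are exact
host names or IP addresses; expressions are searched, unanchored,
against the full request URL; the category below is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed category using the expression quoted in the text.
EXAMPLE_CATEGORY = {
    "name": "Trusted Downloads",
    "sites": ["www.example.com", "10.1.2.3"],
    "regexes": [r"/downloads/.*\.(exe|zip|bin)"],
}


def unquote_entry(entry: str) -> str:
    """Expressions containing blanks or non-alphanumeric characters must
    be enclosed in ASCII quotation marks; strip them before compiling."""
    if len(entry) >= 2 and entry[0] == '"' and entry[-1] == '"':
        return entry[1:-1]
    return entry


def pattern_matches(pattern: str, text: str) -> bool:
    """Unanchored search: "welcome" matches "welcome" and "welcomemyfriend"."""
    return re.search(unquote_entry(pattern), text) is not None


def is_redundant(pattern: str) -> bool:
    """An expression that starts or ends with ".*" is redundant: the
    search is already unanchored, so the wildcard costs CPU on the
    appliance without matching anything extra."""
    body = unquote_entry(pattern)
    return body.startswith(".*") or body.endswith(".*")


def literal_host_pattern(host: str) -> str:
    """Escape a host name so each "." matches only a literal period."""
    return re.escape(host)


def lint_category(category: dict) -> list:
    """Return warnings for redundant or uncompilable expressions."""
    warnings = []
    for raw in category["regexes"]:
        if is_redundant(raw):
            warnings.append("redundant wildcard at start or end: %s" % raw)
        try:
            re.compile(unquote_entry(raw))
        except re.error as exc:
            warnings.append("invalid expression %s: %s" % (raw, exc))
    return warnings


def match_custom_category(url: str, category: dict) -> tuple:
    """Return (matched, reason). Sites are checked first; expressions
    are consulted only when no Sites entry matches the host."""
    host = (urlsplit(url).hostname or "").lower()
    if host in {site.lower() for site in category["sites"]}:
        return True, "site:" + host
    for raw in category["regexes"]:
        if pattern_matches(raw, url):
            return True, "regex:" + raw
    return False, ""


if __name__ == "__main__":
    for url in ("http://www.example.com/anything.txt",
                "http://files.example.net/downloads/tool.exe",
                "http://files.example.net/downloads/readme.txt"):
        print(url, match_custom_category(url, EXAMPLE_CATEGORY))
    print(lint_category({"name": "bad", "sites": [], "regexes": [r".*\.exe", "(abc"]}))
```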
URL CATEGORY DESCRIPTIONS

This section lists the URL categories for both URL filtering engines. The tables also include the abbreviated URL category names that may appear in the Web Reputation filtering and anti-malware scanning section of an access log file entry.

Note — The URL category abbreviations for Cisco IronPort Web Usage Controls include the prefix “IW_” before each abbreviation so that the “art” category becomes “IW_art.
Table 13-6 URL Category Descriptions for Cisco IronPort Web Usage Controls (Continued)
URL Category | Abbreviation | Code | Description | Example URLs
Business and Industry | busi | 1019 | Sites involved in business-to-business transactions of all kinds. |
Computers and Internet | comp | 1003 | Information about computers and software such as: hardware, software, software support sites; information for software engineers, programming and networking; website design, and the web and Internet in general; computer science; computer graphics and clipart. | wallpapers.com unicode.org redhat.
Filter Avoidance | filt | 1025 | Web pages that promote and aid undetectable and anonymous surfing. | proxyblind.org the-cloak.com proxybuster.net youhide.com zend2.
Government and Law | gov | 1011 | Foreign relations; news and information relating to politics and elections such as: politics, political parties, election news and voting; sites and information relating to the field of law such as: attorneys, law firms, law publications, legal reference material, courts, dockets, legal associations; legisl |
Internet Telephony | voip | 1067 | Sites that provide telephonic services using the Internet. | aussievoip.com.au downloadsquad.com/category/voip/ skypepc.com simplecall.net packet8.
Online Trading | trad | 1028 | Online brokerages; sites which afford the user the ability to trade stocks online. | tdwaterhouse.com tradingdirect.com scottrade.com pricegroup.com orionfutures.com
Paranormal and Occult | nonm | 1029 | Non-mainstream approaches to life. |
Real Estate | rest | 1045 | Information that would support the search for real estate. This includes: office and commercial space; real estate listings: rentals, apartments, homes; house building; roommates, etc. | realtor.com zillow.com/ remax.com joannekizerrealestate.com/ rockfordhomesinc.
Shopping | shop | 1005 | Auctions; bartering; online purchasing; coupons and free offers; yellow pages; classified ads; general office supplies; online catalogs; online malls. | ticketmaster.com radioshack.com pier1.com amazon.com ecco.com
Social Networking | snet | 1069 | Sites that provide social networking. | myspace.com facebook.
Sports and Recreation | sprt | 1008 | All sports, professional and amateur; recreational activities; hunting; fishing; fantasy sports; gun and hunting clubs; public parks; amusement parks; water parks; theme parks; zoos and aquariums. | espn.go.com sports.yahoo.com nfl.com fantasyfootball.com/ hickoryhawks.
Violence | viol | 1032 | Sites related to violence and violent behavior. | realfights.com severe-spanking.com justfights.com facesofdeath.com maafa.
Table 13-7 lists the URL categories for IronPort URL Filters.
Table 13-7 URL Categories for IronPort URL Filters (Continued)
URL Category | Abbreviation | Code
Computing & Internet | Comp | 75
Ringtones/Mobile Phone Downloads | Ring | 9804
Motor Vehicles | Moto | 1101
Politics | Poli | 9806
Suspect/Threat URLs | Susp | 9101
Hacking | Hack | 7504
Sex Education | Sex | 1490
Web-based E-mail | Web- | 7507
Streaming Media | Stre | 7509
Reference | Refe | 7001
Adult/Sexually Explicit | Adul | 90
Criminal Activity | Crim | 91
Intolerance & Hate
CHAPTER 14 Web Reputation Filters
This chapter contains the following information:
• “Web Reputation Filters Overview” on page 310
• “Web Reputation Scores” on page 311
• “How Web Reputation Filtering Works” on page 313
• “Configuring Web Reputation Scores” on page 315
• “Viewing Web Reputation Filtering Activity” on page 318
WEB REPUTATION FILTERS OVERVIEW
IronPort Web Reputation Filters is a security feature that analyzes web server behavior and assigns a reputation score to a URL to determine the likelihood that it contains URL-based malware. It helps protect against URL-based malware that threatens end-user privacy and sensitive corporate information.
WEB REPUTATION SCORES
Web Reputation Filters use statistically significant data to assess the reliability of Internet domains and score the reputation of URLs. Data such as how long a specific domain has been registered, where a web site is hosted, or whether a web server is using a dynamic IP address is used to judge the trustworthiness of a given URL.
ENABLING WEB REPUTATION FILTERS
To use web reputation in policy groups, you must first enable Web Reputation Filters. By default, Web Reputation Filters are enabled in the System Setup Wizard. If they were not enabled in the System Setup Wizard, you can enable them in the web interface.
To enable Web Reputation Filters in the web interface:
1. Navigate to the Security Services > Web Reputation Filters page.
2. Click Enable.
HOW WEB REPUTATION FILTERING WORKS
Web Reputation Scores are associated with an action to take on a URL request. The available actions depend on the policy group type that is assigned to the URL request:
• Access Policies. You can choose to block, scan, or allow.
• Decryption Policies. You can choose to drop, decrypt, or pass through.
You can configure each policy group to correlate an action to a particular Web Reputation Score.
Web Reputation in Decryption Policies
Table 14-2 describes the default Web Reputation Scores for Decryption Policies.
Table 14-2 Default Web Reputation Scores for Decryption Policies
Score | Action | Description
-10 to -9.0 | Drop | Bad site. The request is dropped with no notice sent to the end user. Use this setting with caution.
-8.9 to 5.9 | Decrypt | Undetermined site.
CONFIGURING WEB REPUTATION SCORES
When you install and set up the Web Security appliance, it has default settings for Web Reputation Scores. However, you can modify threshold settings for web reputation scoring to fit your organization’s needs. You configure the web reputation filter settings for each policy group.
Configuring Web Reputation for Access Policies
To edit the web reputation filter settings for an Access Policy group:
1.
4. Verify the Enable Web Reputation Filtering field is enabled.
5. Move the markers to change the range for URL block, scan, and allow actions.
6. Submit and commit your changes.
Configuring Web Reputation for Decryption Policies
To edit the web reputation filter settings for a Decryption Policy group:
1. Navigate to the Web Security Manager > Decryption Policies page.
2.
6. In the Sites with No Score field, choose the action to take on requests for sites that have no assigned Web Reputation Score.
7. Submit and commit your changes.
Configuring Web Reputation for IronPort Data Security Policies
Only negative and zero values can be configured for web reputation threshold settings for IronPort Data Security Policies. By definition, all positive scores are monitored.
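The following is an added example, not code from the appliance or from IronPort, that models how a score is turned into an action under the three policy types described above: ordered, gap-free score bands per policy group, a separate action for sites with no score, and the zero-or-negative threshold rule for IronPort Data Security Policies. The Drop and Decrypt ranges are the defaults Table 14-2 gives; the Pass Through range, the Access Policy ranges, and the action names used for Data Security Policies are assumptions for illustration and should be checked against your own configuration.

```python
"""Web Reputation Score -> policy action, per policy group type.

Added example, not the appliance's own code. Bands are (low, high, action)
and must cover the -10.0..10.0 scale at the 0.1 granularity the guide's
tables use. Only the Drop and Decrypt defaults come from Table 14-2; the
rest are assumed for illustration.
"""
from typing import List, Optional, Tuple

Band = Tuple[float, float, str]

DECRYPTION_DEFAULTS: List[Band] = [
    (-10.0, -9.0, "drop"),          # Table 14-2
    (-8.9, 5.9, "decrypt"),         # Table 14-2
    (6.0, 10.0, "pass_through"),    # assumed
]

ACCESS_DEFAULTS: List[Band] = [   # assumed illustrative block / scan / allow ranges
    (-10.0, -6.0, "block"),
    (-5.9, 5.9, "scan"),
    (6.0, 10.0, "allow"),
]


def validate_bands(bands: List[Band]) -> bool:
    """Reject gaps, overlaps, or bands that do not span -10.0..10.0."""
    expected_low = -10.0
    for low, high, _ in bands:
        if abs(low - expected_low) > 1e-9 or high < low:
            raise ValueError(f"gap or overlap at band starting {low}")
        expected_low = round(high + 0.1, 1)
    if abs(bands[-1][1] - 10.0) > 1e-9:
        raise ValueError("bands must end at 10.0")
    return True


def action_for(score: Optional[float], bands: List[Band], no_score_action: str) -> str:
    """Return the configured action for a score; unscored sites get the
    'Sites with No Score' action rather than falling into a band by accident."""
    if score is None:
        return no_score_action
    if not -10.0 <= score <= 10.0:
        raise ValueError("score out of range")
    s = round(score, 1)
    for low, high, action in bands:
        if low <= s <= high:
            return action
    raise ValueError("bands do not cover the scale")


def data_security_bands(threshold: float) -> List[Band]:
    """IronPort Data Security Policies accept only zero or negative thresholds;
    everything above the threshold is monitored by definition. The action
    names 'block' and 'monitor' are assumed here."""
    if threshold > 0:
        raise ValueError("Data Security threshold must be zero or negative")
    return [(-10.0, threshold, "block"), (round(threshold + 0.1, 1), 10.0, "monitor")]
```

Validating the bands before use catches the configuration mistake the sliders prevent in the web interface but that a scripted or imported configuration can introduce: a score that lands between two ranges would otherwise have no action at all.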
VIEWING WEB REPUTATION FILTERING ACTIVITY
The S-Series appliance supports several options for generating feature-specific reports and displays of summary statistics.
Reports
You can use options on the Monitor > Reports pages of the web interface to select a type of report, capture data, schedule periodic email delivery, and archive reports. For more information about working with reports, see “Reporting Overview” on page 414.
CHAPTER 15 Anti-Malware Services
This chapter contains the following information:
• “Anti-Malware Overview” on page 320
• “IronPort DVS™ (Dynamic Vectoring and Streaming) Engine” on page 322
• “Webroot Scanning” on page 325
• “McAfee Scanning” on page 326
• “Configuring Anti-Malware Scanning” on page 328
• “Viewing Anti-Malware Scanning Activity” on page 332
ANTI-MALWARE OVERVIEW
The Web Security appliance anti-malware feature is a security component that uses the IronPort DVS™ engine in combination with the Webroot™ and McAfee technology to identify and stop a broad range of web-based malware threats. For more information about the DVS engine, see “IronPort DVS™ (Dynamic Vectoring and Streaming) Engine” on page 322.
MALWARE CATEGORY DESCRIPTIONS
Table 15-1 Malware Category Descriptions (Continued)
Malware Type | Description
Phishing URL | A phishing URL is displayed in the browser address bar. In some cases, it uses a domain name that resembles that of a legitimate domain. Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal personal identity data and financial account credentials.
IRONPORT DVS™ (DYNAMIC VECTORING AND STREAMING) ENGINE
The IronPort Dynamic Vectoring and Streaming (DVS) engine inspects web traffic to provide protection against the widest variety of web-based malware, ranging from commercially invasive adware applications to malicious trojans, system monitors, and phishing attacks. To configure the DVS engine, and Webroot and McAfee global settings, see “Configuring Anti-Malware Scanning” on page 328.
WORKING WITH MULTIPLE MALWARE VERDICTS
When the assigned web reputation score indicates that the transaction should be scanned, the DVS engine receives the URL request and the server response content. The DVS engine, in combination with the Webroot and/or McAfee scanning engines, returns a malware scanning verdict. The DVS engine uses information from the malware scanning verdicts and the Access Policy settings to determine whether to block or deliver the content to the client.
• Dialer
• Worm
• Browser Helper Object
• Phishing URL
• Adware
• Encrypted file
• Unscannable
• Other Malware
Suppose the McAfee scanning engine detects both adware and a virus in the scanned object, and that the appliance is configured to block adware and monitor viruses. According to the list above, viruses belong in a higher priority verdict category than adware.
WEBROOT SCANNING
The Webroot scanning engine inspects objects to determine the malware scanning verdict to send to the DVS engine. The Webroot scanning engine inspects the following objects:
• URL request. Webroot evaluates a URL request to determine if the URL is a malware suspect. If Webroot suspects the response from this URL might contain malware, the appliance monitors or blocks the request, depending on how the appliance is configured.
MCAFEE SCANNING
The McAfee scanning engine inspects objects downloaded from a web server in HTTP responses. After inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the request.
McAfee Categories
Table 15-2 lists the McAfee verdicts and how they correspond to malware scanning verdict categories.
CONFIGURING ANTI-MALWARE SCANNING
The DVS engine, Webroot, and McAfee are enabled by default during system setup. Any time after system setup, you can configure the anti-malware settings for the Web Security appliance. You configure the following anti-malware settings:
• Global anti-malware settings. Set object scanning parameters, specify global settings for URL matching, and control when to block the URL or allow processing to continue.
Table 15-3 Anti-Malware Settings (Continued)
Setting | Description
Threat Risk Threshold | The TRT (Threat Risk Threshold) assigns a numerical value to the probability that malware exists. Proprietary algorithms evaluate the result of a URL matching sequence and assign a TRR (Threat Risk Rating). The TRR is compared against the threat risk threshold setting.
Figure 15-1 Access Policy Anti-Malware Settings
8. Configure the anti-malware settings for the policy as necessary. Table 15-4 describes the anti-malware settings you can configure for Access Policies.
Table 15-4 Anti-Malware Settings for Access Policies
Setting | Description
Enable Suspect User Agent Scanning | Choose whether or not to enable the appliance to scan traffic based on the user agent field specified in the HTTP request header.
Table 15-4 Anti-Malware Settings for Access Policies (Continued)
Setting | Description
Enable McAfee | Choose whether or not to enable the appliance to use the McAfee scanning engine when scanning traffic. When you enable McAfee scanning, you can choose to monitor or block some additional categories in the Malware Categories section of this page.
Malware Categories | Choose whether to monitor or block the various malware categories based on a malware scanning verdict.
VIEWING ANTI-MALWARE SCANNING ACTIVITY
The Web Security appliance supports several options for generating feature-specific reports and interactive displays of summary statistics.
Reports
You can use options on the Monitor > Reports pages of the web interface to select a type of report, capture data, schedule periodic email delivery, and archive reports. For more information about working with reports, see “Reporting Overview” on page 414.
CHAPTER 16 Authentication
This chapter contains the following information:
• “Authentication Overview” on page 334
• “How Authentication Works” on page 337
• “Working with Authentication Realms” on page 344
• “Working with Authentication Sequences” on page 346
• “Appliance Behavior with Multiple Authentication Realms” on page 349
• “Testing Authentication Settings” on page 350
• “Configuring Global Authentication Settings” on page 353
• “Allowing Users to Re-Authenticate” on page 366
• “Tracking Authentic
AUTHENTICATION OVERVIEW
Authentication is the act of confirming the identity of a user. By using authentication in the Web Security appliance, you can control access to the Web for each user or a group of users. This allows you to enforce the organization’s policies and comply with regulations. When you enable authentication, the Web Security appliance authenticates clients on the network before allowing them to connect to a destination server.
method for prompting users to provide their user names and passwords. These applications cannot be used when the Web Security appliance is deployed in transparent mode.
MyDomain\jsmith
However, if the Web Proxy uses Basic authentication for an NTLM authentication realm, then entering the Windows domain is optional. If the user does not enter the Windows domain, then the Web Proxy prepends the default Windows domain.
Note — When the Web Proxy uses authentication with an LDAP authentication realm, ensure users do not enter the Windows domain name.
HOW AUTHENTICATION WORKS
To authenticate users who access the web, the Web Security appliance connects to an external authentication server. The authentication server contains a list of users and their corresponding passwords, and it organizes the users into a hierarchy. For users on the network to successfully authenticate, they must provide valid authentication credentials (user name and password as stored in the authentication server).
• Basic. Allows a client application to provide authentication credentials in the form of a user name and password when it makes a request. You can use the Basic authentication scheme with either an LDAP or Active Directory server.
• NTLMSSP. Allows the client application to provide authentication credentials in the form of a challenge and response. It uses a binary message format to authenticate clients that use the NTLM protocol to access network resources.
HOW WEB PROXY DEPLOYMENT AFFECTS AUTHENTICATION
Table 16-2 describes the differences between Basic and NTLMSSP authentication schemes.
Table 16-2 Basic versus NTLMSSP Authentication Schemes
Authentication Scheme | User Experience | Security
Basic | The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember the provided credentials. |
Table 16-3 Methods of Authentication (Continued)
Web Proxy Deployment | Client to Web Security Appliance | Web Security Appliance to Authentication Server
Explicit forward | NTLM | NTLMSSP
Transparent | NTLM | NTLMSSP
The following subsections describe these methods of authentication in more detail.
2. The Web Proxy uses a 307 HTTP response to redirect the client to the Web Proxy, which masquerades as a local web server.
3. The client sends a request to the redirected URL.
4. The Web Proxy sends a 401 HTTP response, “Authorization required.”
5. The user is prompted for credentials and enters them.
6. The client sends the request again, but this time with the credentials in an “Authorization” HTTP header.
7.
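The following is an added example, not code from the appliance or from IronPort, that plays the transparent-mode Basic sequence above as HTTP messages between a client and a small model of the Web Proxy. It shows why the guide offers credential encryption for this scheme (the Authorization header is only base64, and the step-2 redirect decides whether it travels over http or https) and how a cookie surrogate ties later requests to the authenticated user. The redirect hostname, the redirect URL layout, the cookie name and the credential store are assumptions; the guide does not show the real URL format.

```python
"""Transparent-mode Basic authentication, as a message exchange.

Added example, not the appliance's own code. REDIRECT_HOSTNAME, the
/auth?orig= redirect layout, the cookie name and the USERS table are
assumptions standing in for the real settings and the authentication realm.
"""
import base64
import secrets
from dataclasses import dataclass, field

REDIRECT_HOSTNAME = "wsa"          # assumed value of the Redirect Hostname setting
USERS = {"jsmith": "s3cret"}       # constructed credential store
COOKIE = "wsa_auth"                # assumed surrogate cookie name


@dataclass
class Message:
    start_line: str
    headers: dict = field(default_factory=dict)


def decode_basic(header_value: str):
    """Recover user and password from a Basic header. Base64 is encoding, not
    encryption: anyone on the path between client and proxy can do this."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class WebProxy:
    """Model of the transparent Basic flow; credential_encryption selects
    whether the step-2 redirect points at http:// or https://."""

    def __init__(self, credential_encryption: bool):
        self.scheme = "https" if credential_encryption else "http"
        self.surrogates = {}       # cookie value -> user name

    def handle(self, req: Message) -> Message:
        _, target = req.start_line.split()[:2]
        host = req.headers.get("Host", "")
        cookie = req.headers.get("Cookie", "")
        if cookie.startswith(COOKIE + "="):
            user = self.surrogates.get(cookie[len(COOKIE) + 1:])
            if user:                               # cookie surrogate: already authenticated
                return Message("HTTP/1.1 200 OK", {"X-Authenticated-User": user})
        if host != REDIRECT_HOSTNAME:
            # Step 2: 307 to the proxy itself, masquerading as a local web server.
            orig = f"http://{host}{target}"
            return Message("HTTP/1.1 307 Temporary Redirect",
                           {"Location": f"{self.scheme}://{REDIRECT_HOSTNAME}/auth?orig={orig}"})
        creds = decode_basic(req.headers.get("Authorization", ""))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            # Step 4: "Authorization required".
            return Message("HTTP/1.1 401 Unauthorized",
                           {"WWW-Authenticate": 'Basic realm="Web Security Appliance"'})
        # Assumed step 7: issue a cookie surrogate and send the client back to the original URL.
        token = secrets.token_hex(16)
        self.surrogates[token] = creds[0]
        return Message("HTTP/1.1 307 Temporary Redirect",
                       {"Location": target.partition("orig=")[2],
                        "Set-Cookie": f"{COOKIE}={token}; HttpOnly"})


def run_exchange(credential_encryption: bool, user="jsmith", password="s3cret"):
    """Drive one client through the sequence; returns [(request, response), ...]."""
    proxy = WebProxy(credential_encryption)
    log = []
    req = Message("GET /index.html HTTP/1.1", {"Host": "www.example.com"})   # step 1
    resp = proxy.handle(req); log.append((req, resp))                        # step 2
    path = resp.headers["Location"].split(REDIRECT_HOSTNAME, 1)[1]
    req = Message(f"GET {path} HTTP/1.1", {"Host": REDIRECT_HOSTNAME})       # step 3
    resp = proxy.handle(req); log.append((req, resp))                        # step 4
    token = base64.b64encode(f"{user}:{password}".encode()).decode()         # step 5
    req = Message(f"GET {path} HTTP/1.1",
                  {"Host": REDIRECT_HOSTNAME, "Authorization": f"Basic {token}"})  # step 6
    resp = proxy.handle(req); log.append((req, resp))
    if resp.start_line.startswith("HTTP/1.1 307"):
        cookie = resp.headers["Set-Cookie"].split(";")[0]
        req = Message("GET /index.html HTTP/1.1", {"Host": "www.example.com", "Cookie": cookie})
        resp = proxy.handle(req); log.append((req, resp))                    # surrogate in use
    return log
```

Run run_exchange(False) and run_exchange(True) side by side: the only difference is the scheme in the first Location header, which is exactly what the Credential Encryption setting changes, and decode_basic() on the third request shows what an observer of the plaintext variant gets.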
Table 16-6 lists advantages and disadvantages of using transparent Basic authentication and cookie-based credential caching.
Table 16-7 lists advantages and disadvantages of using explicit forward NTLM authentication.
WORKING WITH AUTHENTICATION REALMS
An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration. You can perform any of the following tasks when configuring authentication:
• Include up to three authentication servers in a realm.
• Create zero or more LDAP realms.
• Create zero or one NTLM realm.
• Include an authentication server in multiple realms.
To create an authentication realm:
1. On the Network > Authentication page, click Add Realm. The Add Realm page appears.
2. Enter a name for the authentication realm in the Realm Name field.
Note — All sequence and realm names must be unique. Also, the name must not contain the percent (%) character.
3. If no NTLM realm is defined, choose the authentication protocol and scheme in the Authentication Protocol and Scheme(s) field.
4.
WORKING WITH AUTHENTICATION SEQUENCES
When you create more than one realm, you can group the realms into an authentication sequence. An authentication sequence is a group of authentication realms listed in the order the Web Security appliance uses for authenticating clients. You can perform any of the following tasks when configuring authentication sequences:
• Create multiple authentication sequences.
Creating Authentication Sequences
You can create an authentication sequence after you create multiple authentication realms.
To create an authentication sequence:
1. On the Network > Authentication page, click Add Sequence. The Add Realm Sequence page appears. (Figure callouts: Choose realm. Add a realm to the sequence. Delete the realm.)
2. Enter a name for the sequence in the Name for Realm Sequence field.
Note — All sequence and realm names must be unique.
3.
• Delete a realm by clicking the trash can icon.
• Change the order of the realms by clicking the arrow icon in the Order column for the realm.
3. Submit and commit your changes.
Deleting Authentication Sequences
If you delete an authentication sequence, any Access Policy group that depends on the deleted sequence becomes disabled.
To delete an authentication sequence:
1. On the Network > Authentication page, click the trash can icon for the sequence name.
2.
APPLIANCE BEHAVIOR WITH MULTIPLE AUTHENTICATION REALMS
You can configure the Web Security appliance to attempt authenticating clients against multiple authentication servers, and against authentication servers with different authentication protocols. When you configure the appliance to authenticate against multiple authentication servers, it only requests the credentials from the clients once.
TESTING AUTHENTICATION SETTINGS
When you create or edit an authentication realm, you enter many configuration settings to connect to the authentication server. You can test the settings you enter before submitting the changes to verify that you entered the connection information correctly. You can test authentication settings from either the CLI or the web interface:
• Web interface. Use Start Test when you create or edit an authentication realm.
4. It validates the user credentials by generating a Kerberos ticket.
5. It validates whether the user has the proper privileges to add the Web Security appliance to the Active Directory domain.
6. It validates whether you can fetch the groups within the domain.
Testing Authentication Settings in the Web Interface
You verify the authentication settings in the Test Current Settings section when you create or edit an authentication realm.
Testing Authentication Settings in the CLI
You can use the testauthconfig CLI command to test authentication settings defined for a given realm. The command syntax is:
testauthconfig [-d level] [realm name]
Running the command without any option causes the appliance to list the configured authentication realms from which you can make a selection. The debug flag (-d) controls the level of debug information. The levels range from 0 to 10.
CONFIGURING GLOBAL AUTHENTICATION SETTINGS
Some authentication settings are independent of any realm you define. For example, you can configure whether or not clients send authentication credentials to the Web Security appliance securely, even when using the Basic authentication scheme. For more information, see “Sending Authentication Credentials Securely” on page 363.
Figure 16-7 Global Authentication Settings
2. Edit the settings in the Global Authentication Settings section as defined in Table 16-8.
Table 16-8 Global Authentication Settings
Setting | Description
Action if Authentication Service Unavailable | Choose one of the following values:
• Permit traffic to proceed without authentication. Processing continues as if the user was authenticated.
• Block all traffic if user authentication fails.
Table 16-8 Global Authentication Settings (Continued)
Setting | Description
Basic Authentication Token TTL | Controls the length of time that user credentials are stored in the cache before revalidating them with the authentication server. The default value is the recommended setting.
3. If the Web Proxy is deployed in transparent mode, edit the settings in Table 16-9.
Table 16-9 Transparent Proxy Mode Authentication Settings
Setting | Description
Credential Encryption | This setting specifies whether or not the client sends the login credentials to the Web Proxy through an encrypted HTTPS connection.
Table 16-9 Transparent Proxy Mode Authentication Settings (Continued)
Setting | Description
Redirect Hostname | Enter the short host name of the network interface on which the Web Proxy listens for incoming connections. When you configure authentication on an appliance deployed in transparent mode, the Web Proxy uses this host name in the redirection URL sent to clients for authenticating users. You can enter one of the following values:
• Single word host name.
Table 16-9 Transparent Proxy Mode Authentication Settings (Continued)
Setting | Description
Credential Cache Options: Surrogate Type | This setting specifies the way that transactions are associated with a user (either by IP address or using a cookie) after the user has authenticated successfully. Choose one of the following options:
• IP Address. The appliance authenticates the user at a particular IP address.
Table 16-9 Transparent Proxy Mode Authentication Settings (Continued)
Setting | Description
Advanced (Secure Authentication Certificate) | When Credential Encryption is enabled, you can choose whether the appliance uses the digital certificate and key shipped with the appliance or a digital certificate and key you upload here. To upload a digital certificate and key, click Browse and navigate to the necessary file on your local machine.
4. If the Web Proxy is deployed in explicit forward mode, edit the settings in Table 16-10.
Table 16-10 Explicit Forward Proxy Mode Authentication Settings
Setting | Description
Credential Encryption | This setting specifies whether or not the client sends the login credentials to the Web Proxy through an encrypted HTTPS connection. To enable credential encryption, choose “HTTPS Redirect (Secure)”.
Table 16-10 Explicit Forward Proxy Mode Authentication Settings (Continued)
Setting | Description
Redirect Hostname | Enter the short host name of the network interface on which the Web Proxy listens for incoming connections. When you enable Authentication Mode above, the Web Proxy uses this host name in the redirection URL sent to clients for authenticating users. You can enter one of the following values:
• Single word host name.
Table 16-10 Explicit Forward Proxy Mode Authentication Settings (Continued)
Setting | Description
Credential Cache Options: Surrogate Type | This setting specifies the way that transactions used for authenticating the client are associated with a user (either by IP address or using a cookie) after the user has authenticated successfully. Choose one of the following options:
• IP Address. The Web Proxy authenticates the user at a particular IP address.
Table 16-10 Explicit Forward Proxy Mode Authentication Settings (Continued)
Setting | Description
Credential Cache Options: | Specifies the number of entries that are stored in the authentication cache. Set this value to safely accommodate the number of users that are actually using this device. The default value is the recommended setting.
SENDING AUTHENTICATION CREDENTIALS SECURELY
To configure the appliance to use credential encryption, enable the Credential Encryption setting in the global authentication settings. For more information, see “Configuring Global Authentication Settings” on page 353. You can also use the advancedproxyconfig > authentication CLI command. For more information, see “Advanced Proxy Configuration” on page 90.
Access Policies that do not require authentication. Typically, they match the global Access Policy, which never requires authentication.
ALLOWING USERS TO RE-AUTHENTICATE
AsyncOS for Web can block users from accessing different categories of websites depending on who is trying to access a website. In these cases, users successfully authenticate, but they are not authorized to access certain websites because of the URL filtering configured in the applicable Access Policy. You can allow these authenticated users another opportunity to access the web if they fail authorization.
Using Re-Authentication with Internet Explorer
When you enable re-authentication and clients use Microsoft Internet Explorer, you need to verify certain settings to ensure re-authentication works properly with Internet Explorer. Due to a known issue with Internet Explorer, re-authentication does not work properly under the following circumstances:
• Internet Explorer is configured to use the Web Security appliance as a proxy.
Note — If the Web Security appliance uses cookies for authentication surrogates, IronPort recommends enabling credential encryption. For more information, see “Using Re-Authentication with Internet Explorer” on page 367.
TRACKING AUTHENTICATED USERS
Table 16-11 describes which authentication surrogates are supported with other configurations and different types of requests (explicitly forwarded and transparently redirected).
LDAP AUTHENTICATION
The Lightweight Directory Access Protocol (LDAP) server database is a repository for employee directories. These directories include the names of employees along with various types of personal data such as a phone number, email address, and other information that is exclusive to the individual employee. The LDAP database is composed of objects containing attributes and values.
LDAP AUTHENTICATION SETTINGS
Table 16-12 LDAP Authentication Settings (Continued)
Setting | Description
LDAP Server | Enter the LDAP server IP address or host name and its port number. You can specify up to three servers. The host name must be a fully-qualified domain name, for example, ldap.example.com. An IP address is required only if the DNS servers configured on the appliance cannot resolve the LDAP server host name. The default port number for Standard LDAP is 389.
Table 16-12 LDAP Authentication Settings (Continued)
Setting | Description
User Authentication | Enter values for the following fields:
Base Distinguished Name (Base DN) | The LDAP database is a tree-type directory structure, and the appliance uses the Base DN to navigate to the correct location in the LDAP directory tree to begin a search. A valid Base DN is composed of one or more comma-separated components of the form attribute=value, for example dc=companyname,dc=com.
Table 16-12 LDAP Authentication Settings (Continued)
Setting | Description
Group Authorization | Choose whether or not to enable LDAP group authorization. When you enable LDAP group authorization, you can group users by group object or user object. For more information on configuring this section, see “LDAP Group Authorization” on page 373.
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE • A non-Identity policy group uses the Identity policy group and the primary group is configured as an authorized group in the Active Directory server. Table 16-13 describes the group object settings. Table 16-13 LDAP Group Authorization—Group Object Settings Group Object Setting Description Group Membership Attribute Within Group Object Choose the LDAP attribute which lists all users that belong to this group.
LDAP AUTHENTICATION SETTINGS Table 16-14 LDAP Group Authorization—User Object Settings (Continued) User Object Setting Description Group Membership Attribute is a DN Specify whether the group membership attribute is a distinguished name (DN) which refers to an LDAP object. For Active Directory servers, enable this option. When this is enabled, you must configure the subsequent settings.
NTLM AUTHENTICATION
NT LAN Manager (NTLM) authenticates users with an encrypted challenge-response sequence between the appliance and a Microsoft Windows domain controller; the user's password itself is never sent to the appliance, only a response computed from it. The NTLM challenge-response handshake occurs when a web browser attempts to connect to the appliance and before data is delivered. When you configure an NTLM authentication realm, you do not specify the authentication scheme.
NTLM Authentication Settings
Table 16-15 describes the authentication settings you define when you choose NTLM authentication.
Table 16-15 NTLM Authentication Settings
Setting: Active Directory Server
Description: Enter the Active Directory server IP address or host name. You can specify up to three servers. The host name must be a fully-qualified domain name, for example ntlm.example.com.
Setting: Network Security
Description: Configure whether or not the Active Directory server is configured to require signing. When you enable this check box, the appliance uses Transport Layer Security (TLS) when communicating with the Active Directory server.
JOINING THE ACTIVE DIRECTORY DOMAIN
Figure 16-10 Joining an Active Directory Domain (the Status field shows whether AsyncOS has created the computer account; the Join Domain button starts the join)
When you click Join Domain, you are prompted to enter login credentials for the Active Directory server. The login information is used only to create the Active Directory computer account and is not saved. Enter the login information and click Create Account.
Red text indicates that the domain was not joined and no computer account was created. AsyncOS only creates an Active Directory computer account when you edit the authentication realm Active Directory information or when the appliance reboots.
SUPPORTED AUTHENTICATION CHARACTERS
This section lists the characters the Web Security appliance supports when it communicates with LDAP and Active Directory servers. For authentication to work properly, verify that your authentication servers only use the supported characters listed in this section.
Table 16-18 lists the characters the Web Security appliance supports for the Location field for Active Directory servers. You enter the location string in the Location field when you configure an NTLM authentication realm.
Table 16-18 Supported Active Directory Server Characters — Location Field
Supported characters: A...Z, a...z, 0 1 2 3 4 5 6 7 8 9, ` ~ ! # $ ^ & ( ) _ - { } ' .
Characters not supported: / [ ] space + \ , ; " = < >
LDAP Server Supported Characters
Table 16-20 lists the characters the Web Security appliance supports for the User Name field for LDAP servers.
Table 16-20 Supported LDAP Server Characters — User Name Field
Supported characters: A...Z, a...z, 0 1 2 3 4 5 6 7 8 9, ` ~ ! # $ % ^ & ( ) _ - { } ' .
Characters not supported: / \ [ ] : ; | = , + * ? < > @ "
Note: The appliance only supports the ‘(’ and ‘)’ characters when they are escaped with a backslash ( \ ) character.
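The following Python is an added example, not part of the IronPort guide: it checks directory user names against the User Name field rules of Table 16-20 before they are relied on for authentication, including the rule that ‘(’ and ‘)’ are accepted only when escaped with a backslash. The supported and unsupported character sets are taken from the table; the sample names are constructed for the example.

```python
# Added example (not from the IronPort guide): validate user names against
# the supported-character rules the guide gives for the LDAP User Name
# field (Table 16-20). Sample names below are constructed, not real accounts.
import string

# Characters the guide lists as supported for the LDAP User Name field.
LDAP_USERNAME_SUPPORTED = frozenset(
    string.ascii_letters + string.digits + "`~!#$%^&_-{}'."
)
# Parentheses are accepted only when escaped with a backslash.
LDAP_USERNAME_ESCAPED_ONLY = frozenset("()")


def check_ldap_username(name):
    """Return (ok, problems). problems lists (position, character, reason)
    for every offending character so the directory entry can be fixed."""
    problems = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            # A backslash is only meaningful as an escape for ( or ).
            if i + 1 < len(name) and name[i + 1] in LDAP_USERNAME_ESCAPED_ONLY:
                i += 2
                continue
            problems.append((i, ch, "backslash must escape ( or )"))
        elif ch in LDAP_USERNAME_ESCAPED_ONLY:
            problems.append((i, ch, "must be escaped as \\" + ch))
        elif ch not in LDAP_USERNAME_SUPPORTED:
            problems.append((i, ch, "not supported"))
        i += 1
    return (not problems, problems)


def audit_usernames(names):
    """Run the check over an exported list of user names and return a
    mapping of each failing name to its list of problems."""
    failing = {}
    for name in names:
        ok, problems = check_ldap_username(name)
        if not ok:
            failing[name] = problems
    return failing


if __name__ == "__main__":
    # Constructed sample user names (not real accounts).
    sample = ["jdoe", "j.doe_2", "jane\\(contractor\\)", "jane(contractor)",
              "john@example.com", "dom\\jdoe", "o'neil", "a b"]
    for name, problems in audit_usernames(sample).items():
        print(name, problems)
```

Run the audit over the user names exported from the directory before pointing an authentication realm at it; a name that fails here will not authenticate through the appliance even though it is valid in the directory.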
Table 16-23 lists the characters the Web Security appliance supports for the Custom User Filter Query field for LDAP servers.
Table 16-23 Supported LDAP Server Characters — Custom User Filter Query Field
Supported characters: A...Z, a...z, 0 1 2 3 4 5 6 7 8 9, ` ~ ! # $ % ^ & ( ) _ - { } ' .
CHAPTER 17 L4 Traffic Monitor
This chapter contains the following information:
• “About L4 Traffic Monitor” on page 386
• “How the L4 Traffic Monitor Works” on page 387
• “Configuring the L4 Traffic Monitor” on page 389
• “Viewing L4 Traffic Monitor Activity” on page 393
ABOUT L4 TRAFFIC MONITOR
The Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across all network ports and stops malware that attempts to bypass the web proxy by avoiding port 80. Additionally, when internal clients are infected with malware and attempt to phone home across non-standard ports and protocols, the L4 Traffic Monitor prevents the phone-home activity from leaving the corporate network.
HOW THE L4 TRAFFIC MONITOR WORKS
The L4 Traffic Monitor listens to network traffic that comes in over all ports on the appliance and matches domain names and IP addresses against entries in its own database tables to determine whether to allow incoming and outgoing traffic. All web destinations fall under one of the following categories:
• Known allowed address. Any IP address or host name listed in the Allow List property.
The L4 Traffic Monitor Database
The L4 Traffic Monitor uses and maintains its own internal database. This database is continuously updated with matched results for IP addresses and domain names. Additionally, the database table receives periodic updates from the IronPort update server at the following location: https://update-manifests.ironport.
CONFIGURING THE L4 TRAFFIC MONITOR
The L4 Traffic Monitor can be enabled as part of an initial system setup using the System Setup Wizard. By default, the L4 Traffic Monitor is enabled and set to monitor traffic on all ports. This includes DNS and other services.
Note — To monitor true client IP addresses, the L4 Traffic Monitor should always be configured inside the firewall and before network address translation (NAT).
• All ports except proxy ports. Monitors all TCP ports for rogue activity except the following:
- Ports configured in the “HTTP Ports to Proxy” property on the Security Services > Proxy Settings page (usually port 80).
- Ports configured in the “Transparent HTTPS Ports to Proxy” property on the Security Services > HTTPS Proxy page (usually port 443).
5. Submit and commit the changes.
CONFIGURING L4 TRAFFIC MONITOR POLICIES
3. On the Edit L4 Traffic Monitor Policies page, configure the L4 Traffic Monitor policies described in Table 17-1.
Table 17-1 L4 Traffic Monitor Policies
Allow List: Enter zero or more addresses to which the L4 Traffic Monitor should always allow clients to connect. Separate multiple entries with a space or comma. For a list of valid address formats you can use, see “Valid Formats” on page 392. Note: Entering a domain name such as example.
Additional Suspected Malware Addresses (optional): Enter zero or more known addresses that the L4 Traffic Monitor should treat as possible malware. For a list of valid address formats you can use, see “Valid Formats” on page 392.
VIEWING L4 TRAFFIC MONITOR ACTIVITY
The S-Series appliance supports several options for generating feature-specific reports and interactive displays of summary statistics.
Reports
You can use options on the Monitor > Reports pages of the web interface to select a type of report, capture data, schedule periodic email delivery, and archive reports. For more information about working with reports, see “Reporting Overview” on page 414.
CHAPTER 18 Monitoring
This chapter contains the following information:
• “Monitoring System Activity” on page 396
• “Using the Monitor Tab” on page 397
• “Overview Page” on page 399
• “L4 Traffic Monitor Data Page” on page 400
• “Clients Pages” on page 401
• “Web Site Activity Page” on page 402
• “Anti-Malware Page” on page 403
• “URL Categories Page” on page 404
• “Web Reputation Filters Page” on page 405
• “System Status Page” on page 406
• “SNMP Monitoring” on page 407
MONITORING SYSTEM ACTIVITY
Administrators and executive management require information to better understand evolving corporate threats. While the Web Security appliance controls the malware threat to a corporate environment, comprehensive monitoring and reporting tools provide insight into threats that are monitored or blocked, and display actionable data such as the top infected clients to help you manage the presence of malware.
USING THE MONITOR TAB
The Monitor tab provides several options for viewing system data. This section describes those options and explains the information displayed on each of the following pages: Overview, L4 Traffic Monitor, Client Web Activity, Client Malware Risk, Web Site Activity, Anti-Malware, URL Categories, and Web Reputation Filters. Monitor tab display pages provide a colorful overview of system activity and support multiple options for viewing system data.
Figure 18-2 Searching for Web Sites or Clients
You can search for an exact match of a web site, client IP address or user ID, or you can search for web sites or clients that start with a specific text string.
Note — You need to configure authentication to view client user IDs instead of client IP addresses.
OVERVIEW PAGE
The Monitor > Overview page displays the Overview report. This report contains highlights of the System Status report and provides summary system traffic and security risk data.
L4 TRAFFIC MONITOR DATA PAGE
The Monitor > L4 Traffic Monitor page displays information about malware ports and malware sites that the L4 Traffic Monitor detected during the specified time range. The upper part of the report displays the number of connections for each of the top malware ports and web sites. The lower part of the report displays malware ports and sites detected.
CLIENTS PAGES
You can use the following pages to monitor client activity:
• Monitor > Clients > Web Activity page — This page shows the Client Web Activity report, which includes the following information:
• Top clients by total web transactions
• Top clients by blocked web transactions
The client details table provides additional details including bandwidth usage and the amount of bandwidth saved by blocking.
WEB SITE ACTIVITY PAGE
Use the following pages to monitor high-risk web sites accessed during a specific time range:
• Monitor > Web Site Activity page — This page shows the Web Site Activity report, which includes the following information:
• Top five sites by high-risk transactions detected. A high-risk transaction is any monitored or blocked transaction.
• Top five sites by malware transactions detected.
ANTI-MALWARE PAGE
Use the following pages to monitor malware detected by the Anti-Malware DVS engine:
• Monitor > Anti-Malware page — This page shows the Anti-Malware report, which includes the following information:
• Top malware categories detected (by number of transactions)
• Top malware threats detected (by number of transactions)
The Malware Categories and Malware Threats sections show the same data as the graphs, but in table format.
URL CATEGORIES PAGE
Use the Monitor > URL Categories page to view the URL Categories report. This report shows the top 10 URL categories by completed transactions and the top 10 URL categories by blocked transactions for a specified time range. Completed transactions include both clean transactions and monitored transactions.
WEB REPUTATION FILTERS PAGE
Use the Monitor > Web Reputation Filters page to view the Web Reputation Filters report. This report shows the result of Web Reputation filtering for transactions during a specified time range.
SYSTEM STATUS PAGE
Use the Monitor > System Status page to monitor the System Status. This page displays the current status and configuration of the Web Security appliance. The following table describes each display.
Table 18-2 System Status
Web Security Appliance Status displays:
• System uptime
• System resource utilization — CPU usage, RAM usage, and percentage of disk space used for reporting and logging.
SNMP MONITORING
The IronPort AsyncOS operating system supports system status monitoring via SNMP (Simple Network Management Protocol). This includes IronPort’s Enterprise MIB, asyncoswebsecurityappliance-mib.txt, which helps administrators better monitor system health. In addition, this release implements a read-only subset of MIB-II as defined in RFCs 1213 and 1907. If you enable SNMPv1/v2c requests, keep in mind that those versions carry the community string in cleartext and have no other authentication, so restrict the network from which such requests are accepted and do not use a well-known string such as “public”; SNMPv3 with a passphrase is the safer choice. (For more information about SNMP, see RFCs 1065, 1066, and 1067.
• ASYNCOS-MAIL-MIB.txt — an SNMPv2 compatible description of the Enterprise MIB for IronPort Email Security appliances.
• IRONPORT-SMI.txt — defines the role of the asyncoswebsecurityappliance-mib in IronPort’s SNMP managed products.
These files are available on the documentation CD included with your IronPort appliance. You can also find these files on the IronPort Customer Support portal.
SNMP TRAPS
Status change traps are sent when the status changes. Fan Failure and high temperature traps are sent every 5 seconds. The other traps are failure condition alarm traps; they are sent once when the state changes (healthy to failure). It is a good idea to poll the hardware status tables and identify possible hardware failures before they become critical. Temperatures within 10 percent of the critical value may be a cause for concern.
> 
Please enter the SNMPv3 passphrase again to confirm.
> 
Which port shall the SNMP daemon listen on?
[161]> 
Service SNMP V1/V2c requests?
[N]> y
Enter the SNMP V1/V2c community string.
[]> public
From which network shall SNMP V1/V2c requests be allowed?
[192.168.1.1]> 
Enter the Trap target as a host name, IP address or list of IP addresses separated by commas (IP address preferred). Enter “None” to disable traps.
[None]> 10.1.1.29
Enter the Trap Community string.
What threshold would you like to set for CPU utilization?
[95]> 
What URL would you like to check for connectivity failure?
[http://downloads.ironport.com]> 
Enterprise Trap Status
1. CPUUtilizationExceeded Enabled
2. RAIDStatusChange Enabled
3. connectivityFailure Enabled
4. fanFailure Enabled
5. highTemperature Enabled
6. keyExpiration Enabled
7. linkDown Enabled
8. linkUp Enabled
9. memoryUtilizationExceeded Disabled
10. powerSupplyStatusChange Enabled
11. resourceConservationMode Enabled
12.
CHAPTER 19 Reporting
This chapter contains the following information:
• “Reporting Overview” on page 414
• “Scheduling Reports” on page 415
• “On-Demand Reports” on page 417
• “Archiving Reports” on page 418
• “Exporting Report Data” on page 419
REPORTING OVERVIEW
Reporting functionality aggregates information from individual security features and records data that can be used to monitor your web traffic patterns and security risks. You can run reports in real time to view an interactive display of system activity over a specific period of time, or you can schedule reports to run at regular intervals. Reporting functionality also allows you to export raw data to a file.
SCHEDULING REPORTS
You can schedule reports to run on a daily, weekly, or monthly basis. Scheduled reports can be configured to include data for the previous day, previous seven days, or previous month. Alternatively, you can include data for a custom number of days (from 2 days to 100 days) or a custom number of months (from 2 months to 12 months). Regardless of when you run a report, the data is returned from the previous time interval (hour, day, week, or month).
Editing Scheduled Reports
To edit reports, select the report title from the list on the Monitor > Report Scheduling page, modify settings, then submit and commit your changes.
Deleting Scheduled Reports
To delete reports, go to the Monitor > Report Scheduling page and select the check boxes corresponding to the reports that you want to delete. To remove all scheduled reports, select the All check box, click Delete, and commit your changes.
ON-DEMAND REPORTS
The Generate Report Now option on the Monitor > Archived Reports page allows you to generate on-demand data displays for each report type. To generate a report:
1. Select Generate Report Now.
Figure 19-2 Generating an On-Demand Report
2. Select a report type and edit the title, if necessary. To avoid creating multiple reports with the same name, consider using a descriptive title.
3. Select a time range for the data included in the report.
4.
ARCHIVING REPORTS
The Monitor > Archived Reports page lists available archived reports. Report names in the Report Title column are interactive and link to a view of each report. The Show menu filters the types of reports that are listed. Additionally, interactive column headings can be used to sort the data in each column. The appliance stores up to 12 instances of each scheduled report (up to 1000 reports).
EXPORTING REPORT DATA
Export links on the display pages export raw data to a comma-separated values (CSV) file that you can open and manipulate in spreadsheet or database applications such as Microsoft Excel.
CHAPTER 20 Logging
This chapter contains the following information:
• “Logging Overview” on page 422
• “Working with Log Subscriptions” on page 428
• “Access Log File” on page 436
• “W3C Compliant Access Logs” on page 447
• “Custom Formatting in Access Logs and W3C Logs” on page 450
• “Including HTTP/HTTPS Headers in Log Files” on page 459
• “Malware Scanning Verdict Values” on page 460
• “Traffic Monitor Log” on page 462
LOGGING OVERVIEW
You can use log files to monitor web traffic. To configure the appliance to create log files, you create log subscriptions. A log subscription is an appliance configuration that associates a log file type with a name, logging level, and other parameters, such as size and destination information. You can subscribe to a variety of log file types. For more information about log subscriptions, see “Working with Log Subscriptions” on page 428.
LOG FILE TYPES
Table 20-1 Default Log File Types (Continued)
Configuration Logs: Records messages related to the Web Proxy configuration management system. Enabled by default: No
Connection Management Logs: Records messages related to the Web Proxy connection management system. Enabled by default: No
Data Security Logs: Records client history for upload requests that are evaluated by the IronPort Data Security Filters.
FTP Proxy Logs: Records error and warning messages related to the FTP Proxy. Enabled by default: No
GUI Logs: Records history of page refreshes in the web interface. Enabled by default: Yes
HTTPS Logs: Records Web Proxy messages specific to the HTTPS proxy (when HTTPS scanning is enabled). Enabled by default: No
License Module Logs: Records messages related to the Web Proxy’s license and feature key handling system.
Request Debug Logs: Records very detailed debug information on a specific HTTP transaction from all Web Proxy module log types. You might want to create this log subscription to troubleshoot a proxy issue with a particular transaction without creating all other proxy log subscriptions. Enabled by default: No
Note: You can create this log subscription in the CLI only.
Webroot Integration Framework Logs: Records messages related to communication between the Web Proxy and the Webroot scanning engine. Enabled by default: No
Webroot Logs: Records the status of anti-malware scanning activity from the Webroot scanning engine.
WEB PROXY LOGGING
• Memory Manager Logs
• Miscellaneous Proxy Modules Logs
• Request Debug Logs
• SNMP Module Logs
• WCCP Module Logs
• Webcat Integration Framework Logs
• Webroot Integration Framework Logs
For a description of each log type, see Table 20-1, “Default Log File Types,” on page 422.
WORKING WITH LOG SUBSCRIPTIONS
A log subscription is an appliance configuration that specifies the type of log file to create and other factors, such as the log file name and method of retrieving the log file. Use the System Administration > Log Subscriptions page to configure log file subscriptions. Figure 20-1 shows the Log Subscriptions page where you work with log subscriptions.
LOG FILE NAME AND APPLIANCE DIRECTORY STRUCTURE
• Apache
• Squid
• Squid Details
• Exclude entries based on HTTP status codes. You can configure the access log to omit transactions with particular HTTP status codes. For example, you might want to filter out authentication challenges, which carry status code 407 (Proxy Authentication Required) or 401 (Unauthorized) and otherwise add an entry for every new client session.
Log File Name and Appliance Directory Structure
The appliance creates a directory for each log subscription based on the log subscription name.
• Automatically. AsyncOS rolls over log subscriptions based on the first user-specified limit reached: maximum file size or maximum time.
Log subscriptions based on the FTP poll retrieval method create files and store them in the FTP directory on the appliance until they are retrieved from a remote FTP client, or until the system needs to create more space for log files.
To roll over a log subscription in the web interface:
1.
ADDING AND EDITING LOG SUBSCRIPTIONS
The hostkeyconfig subcommand performs the following functions:
Table 20-2 Managing Host Keys—List of Subcommands
New: Add a new key.
Scan: Automatically download a host key. Because Scan trusts whatever key the remote host presents at that moment, compare the downloaded key's fingerprint with one obtained from the remote host out of band before relying on it.
Host: Display system host keys. This is the value to place in the remote system’s ‘known_hosts’ file.
Fingerprint: Display system host key fingerprints.
User: Display the public key of the system account that pushes the logs to the remote machine.
6. If you are creating a W3C access log, configure the following options:
Access Log Option: Log Fields
Description: Choose the fields you want to include in the W3C access log. Select a field in the Available Fields list, or type a field in the Custom Field box, and click Add. The order in which the fields appear in the Selected Log Fields list determines the order of fields in the W3C access log file.
Table 20-3 describes the levels of detail you can choose in the Log Level field.
Table 20-3 Logging Levels
Critical: This is the least detailed setting. This level only includes errors. Using this setting will not allow you to monitor performance and other important activities. However, the log files will not reach their maximum size as quickly. This log level is equivalent to the syslog level “Alert.
Table 20-4 Log Transfer Protocols (Continued)
FTP on Remote Server: This method periodically pushes log files to an FTP server on a remote computer. FTP transmits the credentials and the log contents unencrypted, so prefer the SSH-based push (configured with hostkeyconfig, above) where the remote host supports it.
DELETING A LOG SUBSCRIPTION
To delete a log subscription:
1. Navigate to the System Administration > Log Subscriptions page.
2. Click the icon under the Delete column for the log subscription you want to delete.
3. Submit and commit your changes.
ACCESS LOG FILE
The access log file provides a descriptive record of all Web Proxy filtering and scanning activity. Access log file entries display a record of how the appliance handled each transaction. You can view the access log file from the System Administration > Log Subscriptions page.
Note — The W3C access log also records all Web Proxy filtering and scanning activity, but in a format that is W3C compliant.
Table 20-5 Access Log File Entry (Continued)
Field value: DIRECT/my.website.com
Description: Code that describes which server was contacted to retrieve the requested content. The most common values are:
• NONE. The Web Proxy had the content, so it did not contact any other server to retrieve the content.
• DIRECT. The Web Proxy went to the server named in the request to get the content.
• DEFAULT_PARENT.
Field value: RoutingPolicyGroup
Description: Routing Policy group name as ProxyGroupName/ProxyServerName. When the transaction matches the global Routing Policy, this value is “DefaultRouting.” When no upstream proxy server is used, this value is “DIRECT.” Any space in the policy group name is replaced with an underscore ( _ ).
ACL DECISION TAGS
Table 20-6 Transaction Result Codes (Continued)
TCP_CLIENT_REFRESH_MISS: The client sent a “don’t fetch response from cache” request by issuing the ‘Pragma: no-cache’ header. Because of this header, the appliance fetched the object from the origin server.
TCP_DENIED: The client request was denied due to Access Policies.
NONE: There was an error in the transaction. For example, a DNS failure or gateway timeout.
Table 20-7 ACL Decision Tag Values (Continued)
BLOCK_ADMIN: The Web Proxy blocked the transaction based on Applications or Objects settings for the Access Policy group.
BLOCK_ADMIN_CONNECT: The Web Proxy blocked the transaction based on the TCP port of the destination as defined in the HTTP CONNECT Ports setting for the Access Policy group.
BLOCK_SUSPECT_USER_AGENT: The Web Proxy blocked the transaction based on the Suspect User Agent setting for the Access Policy group.
BLOCK_WBRS: The Web Proxy blocked the transaction based on the Web Reputation filter settings for the Access Policy group.
BLOCK_WBRS_DLP: The Web Proxy blocked the upload request based on the Web Reputation filter settings for the Data Security Policy group.
OTHER: The Web Proxy did not complete the request due to an error, such as an authorization failure, server disconnect, or an abort from the client.
Understanding Web Reputation and Anti-Malware Information
The access log file entries aggregate and display the results of Web Reputation filtering and anti-malware scanning.
Table 20-8 Access Log File Entry — Web Reputation and Anti-Malware Information (Continued)
Example 1: 13; Example 2: 0; Description: The malware scanning verdict Webroot passed to the DVS engine. Applies to responses detected by Webroot only. For more information, see “Malware Scanning Verdict Values” on page 460.
Example 1: ComedyPlanet; Example 2: -; Description: Name of the spyware that is associated with the object.
Example 1: -; Example 2: 1; Description: A value that McAfee uses as a virus type. IronPort Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only.
Example 1: -; Example 2: Generic Downloader.ab; Description: The name of the virus that McAfee detected.
Example 1: -; Example 2: IW_adv; Description: The URL category verdict determined during response-side scanning, abbreviated. Applies to the Cisco IronPort Web Usage Controls URL filtering engine only.
The “10” value is the malware scanning verdict that Webroot passes to the DVS engine. (“10” corresponds to generic spyware, as explained in Table 20-13 on page 460.) The “BLOCK_AMW_REQ” ACL decision tag shows that Webroot’s request-side checking of the URL produced this verdict. The remainder of the fields show the spyware name (“Malware”), threat risk rating (“100”), threat ID (“-”), and trace ID (“-”) values, which Webroot derived from its evaluation.
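As an added example (not code from the IronPort guide), the following Python reads access log entries of the kind described in Table 20-5, applies the 401/407 exclusion discussed under log subscriptions, and tallies anti-malware and Web Reputation blocks per client from the ACL decision tag and the Webroot verdict. The field order follows the table descriptions on this page; the column positions assumed inside the angle-bracket verdict block, the DEFAULT_CASE tag used for allowed transactions, and the sample log lines are all constructed for this example, not taken from the guide.

```python
# Added example (not from the IronPort guide): parse squid-style access log
# entries, drop the 401/407 authentication challenges the guide suggests
# filtering, and summarise anti-malware and reputation blocks per client.
# Field order follows Table 20-5: timestamp, elapsed ms, client IP,
# result-code/HTTP-status, bytes, method, URL, user, hierarchy/server,
# MIME type, ACL-decision-tag plus policy names, and the <...> verdict block.
# The positions assumed inside the verdict block, the DEFAULT_CASE tag and
# the sample lines are assumptions made for this example.
import csv
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)/(?P<server>\S+)\s+(?P<mime>\S+)\s+"
    r"(?P<policy>\S+)\s+<(?P<verdicts>[^>]*)>"
)

# Assumed column positions inside the <...> verdict block (example only).
V_WBRS_SCORE, V_WEBROOT_VERDICT, V_SPYWARE_NAME, V_THREAT_RISK = 1, 2, 3, 4
# Webroot verdict value documented on this page; Table 20-13 lists the rest.
WEBROOT_VERDICTS = {10: "generic spyware"}

# Constructed sample entries (not real traffic).
SAMPLE_LOG = """\
1253628001.123 45 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/www.example.com text/html DEFAULT_CASE-DefaultGroup-NONE-NONE-NONE-DefaultRouting <IW_comp,6.9,0,"-",-,-,-,-,"-",-,-,-,"-",-> -
1253628002.456 12 10.1.2.3 TCP_DENIED/403 0 GET http://bad.example.net/dl.exe jdoe NONE/- - BLOCK_AMW_REQ-DefaultGroup-Identity1-NONE-NONE-DefaultRouting <IW_adv,-3.5,10,"Malware",100,-,-,-,"-",-,-,-,"-",-> -
1253628003.789 30 10.1.2.9 TCP_DENIED/407 0 GET http://www.example.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-> -
1253628004.000 88 10.1.2.9 TCP_DENIED/403 0 GET http://phish.example.org/ jsmith NONE/- - BLOCK_WBRS-DefaultGroup-Identity1-NONE-NONE-DefaultRouting <IW_adv,-8.1,0,"-",-,-,-,-,"-",-,-,-,"-",-> -
"""


def classify(acl_tag):
    """Map an ACL decision tag (Table 20-7) to a coarse outcome."""
    if acl_tag.startswith("BLOCK_AMW"):
        return "anti-malware"
    if acl_tag.startswith("BLOCK_WBRS"):
        return "web reputation"
    if acl_tag.startswith("BLOCK_"):
        return "policy"
    if acl_tag.startswith("MONITOR_"):
        return "monitored"
    if acl_tag.startswith("DEFAULT_CASE"):  # assumed tag for allowed traffic
        return "allowed"
    return "other"


def parse_access_line(line):
    """Return a dict for one access log entry, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    # "BLOCK_AMW_REQ-DefaultGroup-Identity1-...": the tag is everything before
    # the first "-", since tags contain underscores rather than hyphens.
    rec["acl_tag"] = rec["policy"].split("-", 1)[0]
    # The verdict block is comma separated with quoted free-text fields.
    rec["verdicts"] = next(csv.reader([rec["verdicts"]]))
    return rec


def summarize(lines, exclude_status=(401, 407)):
    """Tally outcomes per client and collect anti-malware hits, skipping
    transactions with the given HTTP status codes (by default the 401/407
    authentication challenges the guide suggests filtering)."""
    by_client = defaultdict(Counter)
    hits = []
    excluded = unparsed = 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] in exclude_status:
            excluded += 1
            continue
        by_client[rec["client"]][classify(rec["acl_tag"])] += 1
        v = rec["verdicts"]
        verdict = v[V_WEBROOT_VERDICT] if len(v) > V_THREAT_RISK else "-"
        if verdict.isdigit() and int(verdict) != 0:
            risk = v[V_THREAT_RISK]
            hits.append({
                "client": rec["client"], "user": rec["user"], "url": rec["url"],
                "acl_tag": rec["acl_tag"],
                "verdict": WEBROOT_VERDICTS.get(int(verdict), "verdict %s" % verdict),
                "name": v[V_SPYWARE_NAME],
                "risk": int(risk) if risk.isdigit() else None,
            })
    return {"by_client": dict(by_client), "malware_hits": hits,
            "excluded": excluded, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for client, counts in sorted(report["by_client"].items()):
        print(client, dict(counts))
    for hit in report["malware_hits"]:
        print(hit)
```

The regular expression anchors on the fixed-width prefix and on the angle brackets rather than splitting on whitespace, because the policy-name field and the quoted spyware name can contain characters that a naive split would mishandle; an entry that does not match is counted as unparsed rather than silently dropped, which is what you want when hunting for a malformed or truncated line.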
W3C COMPLIANT ACCESS LOGS
The Web Security appliance provides two different log types for recording Web Proxy transaction information, the access logs and the W3C access logs. The W3C access logs are W3C compliant, and record transaction history in the W3C Extended Log File (ELF) Format. You can create multiple W3C access log subscriptions and define the data to include in each.
Table 20-9 describes the header fields listed at the beginning of each W3C log file.
Table 20-9 W3C Log File Header Fields
Version: The version of the W3C ELF format used.
Date: The date and time at which the entry was added.
System: The Web Security appliance that generated the log file, in the format “Management_IP - Management_hostname.
WORKING WITH LOG FIELDS IN W3C ACCESS LOGS
of the computers involved in the transaction. Table 20-10 on page 449 describes the W3C log field prefixes.
Table 20-10 W3C Log Field Prefixes
c: Client
s: Server
cs: Client to server
sc: Server to client
x: Application-specific identifier
For example, the W3C log field “cs-method” refers to the method in the request sent by the client to the server, and “c-ip” refers to the client’s IP address.
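As an added example (not code from the IronPort guide), the following Python reads a W3C Extended Log File as the W3C access log produces it: it collects the header directives of Table 20-9, splits each record according to the #Fields directive, and regroups the values by the prefixes of Table 20-10. The sample log is constructed for the example; apart from the field names this page lists (c-ip, cs-username, cs-method, x-resultcode-httpstatus, x-webcat-req-code-abbr), the field names and the #Software line are assumptions.

```python
# Added example (not from the IronPort guide): a reader for the W3C Extended
# Log File (ELF) format used by the W3C access log. It reads the "#"-prefixed
# directives (Version, Date, System, Fields), splits each record according to
# the #Fields line, and groups values by the prefixes in Table 20-10.
# The sample log is constructed; field names not listed on this page and the
# #Software line are assumptions.
import csv
from collections import defaultdict

PREFIX_MEANING = {
    "c": "client",
    "s": "server",
    "cs": "client-to-server",
    "sc": "server-to-client",
    "x": "appliance-specific",
}

# Constructed sample W3C access log (not real traffic).
SAMPLE_W3C = """\
#Version: 1.0
#Date: 2009-09-22 10:15:00
#System: 10.0.0.5 - wsa.example.com
#Software: AsyncOS for Web
#Fields: timestamp c-ip cs-username x-resultcode-httpstatus sc-bytes cs-method cs-url x-webcat-req-code-abbr cs(User-Agent)
1253614500.042 10.1.2.3 - TCP_MISS/200 5120 GET http://www.example.com/ IW_comp "Mozilla/5.0 (X11; Linux)"
1253614501.611 10.1.2.3 "DOMAIN\\jdoe" TCP_DENIED/403 0 GET http://bad.example.net/dl.exe IW_adv "Mozilla/5.0 (X11; Linux)"
"""


def split_field_name(name):
    """Return (prefix, rest) for a W3C field name. Header fields such as
    cs(User-Agent) keep the parenthesised header name as the rest; names
    without a known prefix (timestamp, date, time) return an empty prefix."""
    if "(" in name:
        idx = name.index("(")
        return name[:idx], name[idx:]
    head, sep, rest = name.partition("-")
    if sep and head in PREFIX_MEANING:
        return head, rest
    return "", name


def _split_record(line):
    # ELF values are space separated; values that contain spaces (a user
    # agent, a quoted user name) are double-quoted, which csv handles.
    return next(csv.reader([line], delimiter=" ", quotechar='"',
                           skipinitialspace=True))


def parse_w3c_log(text):
    """Parse ELF text into (directives, records). Each record is a dict keyed
    by field name; "-" (ELF's empty value) becomes None. A #Fields directive
    may appear more than once (for example after the subscription was edited)
    and resets the column layout for the records that follow it."""
    directives, records, fields = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), value.strip()
            directives[key] = value
            if key == "Fields":
                fields = value.split()
            continue
        if fields is None:
            raise ValueError("record appears before any #Fields directive")
        values = _split_record(line)
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %r"
                             % (len(fields), len(values), line))
        records.append({f: (None if v == "-" else v)
                        for f, v in zip(fields, values)})
    return directives, records


def group_by_prefix(record):
    """Regroup one record by what the value describes: client, server,
    request (client-to-server), response (server-to-client), appliance."""
    grouped = defaultdict(dict)
    for name, value in record.items():
        prefix, rest = split_field_name(name)
        grouped[PREFIX_MEANING.get(prefix, "unprefixed")][rest] = value
    return dict(grouped)


if __name__ == "__main__":
    header, rows = parse_w3c_log(SAMPLE_W3C)
    print("generated by", header.get("System"))
    for row in rows:
        print(group_by_prefix(row))
```

Driving the parser from the #Fields directive rather than from hard-coded positions is what makes it survive a subscription whose field list was edited, which is the main practical difference between consuming W3C logs and the fixed-layout access log.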
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE CU S TO M FO R M A T T IN G I N A C CE SS L OG S A N D W 3C L OG S You can customize access logs and W3C access logs to include many different fields to capture comprehensive information about web traffic within the network. Access logs use format specifiers, and the W3C access logs use W3C log fields. Table 20-11 describes the W3C log fields you can include in the W3C access logs and the custom format specifiers (for the access logs) they correspond with.
Table 20-11 Log Fields in W3C Logs and Format Specifiers in Access Logs (Continued)
  W3C Log Field             Format Specifier in Access Logs   Description
  cs-username               %A                                Authenticated user name. This field is written with double-quotes in the access logs.
                            %Xl                               IronPort Data Security Policy scanning verdict. If this field is included, it displays the IDS verdict, "0" if IDS was active but the document scanned clean, or "-" if no IDS policy was active for the request.
  x-result-code             %Xr                               Result code
  x-resultcode-httpstatus   %w/%h                             Result code and the HTTP response code, with a slash (/) in between
  x-suspect-user-agent      %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT?%
  x-webcat-req-code-abbr    %XQ                               The URL category verdict determined during request-side scanning, abbreviated. Applies to both IronPort URL Filters and Cisco IronPort Web Usage Controls URL filtering engines.
  x-webcat-req-code-full    %XR                               The URL category verdict determined during request-side scanning, full name.
  N/A                       %:
  N/A                       %:>r                              Wait-time to receive the verdict from the Web Reputation Filters, including the time required for the Web Proxy to send the request.
  N/A                       %:>s                              Wait-time to receive the verdict from the Web Proxy anti-spyware process, including the time required for the Web Proxy to send the request.
Configuring Custom Formatting in Access Logs

Use the System Administration > Log Subscriptions page to configure custom formatting for access log file entries. Click the access log file name to edit the access log subscription.
Figure 20-3 Configuring Custom Log Fields in the W3C Logs

Enter the custom fields to add in the Custom Fields text box in the Log Fields section. You can enter multiple custom fields in the Custom Fields text box and add them simultaneously, as long as each entry is separated by a new line (press Enter) before clicking Add.

Note — You can create a custom field for any header in a client request or a server response.
Including HTTP/HTTPS Headers in Log Files

If the list of predefined access log and W3C log fields does not include all header information you want to log from HTTP/HTTPS transactions, you can type a user defined log field in the Custom Fields text box when you configure the access and W3C log subscriptions. Custom log fields can be any data from any header sent from the client or the server. Because headers such as Authorization and Cookie carry credentials and session tokens, choose custom header fields carefully and protect the resulting log files accordingly.
Malware Scanning Verdict Values

A malware scanning verdict is a value assigned to a URL request or server response that indicates the probability that it contains malware. The scanning engines return the malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the scanned object.
Table 20-13 Malware Scanning Verdict Values (Continued)
  Malware Category   Malware Scanning Verdict Value
  Virus              27
Traffic Monitor Log

The L4 Traffic Monitor log file provides a detailed record of monitoring activity. You can view L4 Traffic Monitor log file entries and track updates to firewall block lists and firewall allow lists. Consider the following example log entries:

Example 1
  172.xx.xx.xx discovered for blocksite.net (blocksite.net) added to firewall block list.

In this example, a match becomes a block list firewall entry.
CHAPTER 21 Configuring Network Settings

This chapter contains the following information:
• "Changing the System Hostname" on page 464
• "Configuring Network Interfaces" on page 465
• "Configuring TCP/IP Traffic Routes" on page 469
• "Virtual Local Area Networks (VLANs)" on page 471
• "Configuring Transparent Redirection" on page 475
• "Configuring SMTP Relay Hosts" on page 482
• "Configuring DNS Server(s)" on page 484
Changing the System Hostname

The hostname parameter is used to identify the system at the CLI prompt. You must enter a fully-qualified hostname for the system. The hostname parameter is also used in end-user notification pages, end-user acknowledgement pages, and to form the machine NetBIOS name when the Web Security appliance joins an Active Directory domain. It has no direct relationship with the hostname configured for the interface.
Configuring Network Interfaces

You can configure the appliance network interfaces by modifying IP address, subnet, and host name information for the Management, Data, and L4 Traffic Monitor interfaces. Table 21-1 describes the network interface settings you can configure.
• P1 only
• P1 and P2

You can enable the M1 and P1 ports during or after System Setup. However, you can only enable the P2 port after System Setup in the web interface or using the ifconfig CLI command. The Web Proxy listens for client web requests on different network interfaces depending on how you configure the Web Security appliance:
• M1.
Figure 21-1 Editing Network Interfaces

2. Configure interface settings as necessary. Table 21-2 describes the interface settings you can define for each interface.

Table 21-2 Interface Settings
  Interface Setting   Description
  IP Address          Enter the IP address to use to manage the Web Security appliance. Enter an IP address that exists on your management network.
Choose whether to use HTTP, HTTPS, or both to administer AsyncOS through the web interface. You must specify the port to access AsyncOS with each protocol you configure. You can also choose to redirect HTTP requests to HTTPS; when you do this, AsyncOS automatically enables both HTTP and HTTPS. Plain HTTP sends administrator credentials in clear text, so use HTTPS (or the redirect) on any network you do not fully control.

5. Choose the type of wired connections plugged into the "T" network interfaces:
• Duplex TAP. Choose Duplex TAP when the T1 port receives both incoming and outgoing traffic.
Configuring TCP/IP Traffic Routes

You can administer routes for data and management traffic, add static routes, load your IP routing tables, and modify the default gateway using the Network > Routes page or the routeconfig command.
Working With Routing Tables

You can save your current routing table to a file. You can load a previously saved route table. You can add new routes or delete existing ones. To save a route table, click Save Route Table and specify where to save the file. To load a previously saved route table, click Load Route Table, navigate to the file, and then submit and commit your changes.
Virtual Local Area Networks (VLANs)

VLANs are virtual local area networks bound to physical data ports. You can configure one or more VLANs to increase the number of networks the IronPort appliance can connect to beyond the number of physical interfaces included. For example, a Web Security appliance has two data interfaces available for VLANs: P1 and Management. VLANs allow more networks to be defined on separate "ports" on existing interfaces.
VLANs and Physical Ports

A physical port does not need an IP address configured in order to be in a VLAN. The physical port on which a VLAN is created can have an IP that will receive non-VLAN traffic, so you can have both VLAN and non-VLAN traffic on the same interface. VLANs can only be created on the Management and P1 data ports.

Managing VLANs

You can create, edit and delete VLANs via the etherconfig command.
[]> new
VLAN ID for the interface (Ex: "34"):
[]> 31
Enter the name or number of the ethernet interface you wish bind to:
1. Management
2. P1
3. T1
4. T2
[1]> 2
VLAN interfaces:
1. VLAN 31 (P1)
2. VLAN 34 (P1)
Choose the operation you want to perform:
- NEW - Create a new VLAN.
- EDIT - Edit a VLAN.
- DELETE - Delete a VLAN.
[]>

Creating an IP Interface on a VLAN via the interfaceconfig Command

In this example, a new IP interface is created on the VLAN 34 ethernet interface.
3. VLAN 31
4. VLAN 34
[1]> 4
Netmask (Ex: "255.255.255.0" or "0xffffff00"):
[255.255.255.0]>
Hostname:
[]> v.example.com
Currently configured interfaces:
1. Management (10.10.1.10/24 on Management: example.com)
2. P1 (10.10.0.10 on P1: example.com)
3. VLAN 34 (10.10.31.10 on VLAN 34: v.example.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
[]>
example.
Configuring Transparent Redirection

When you configure the Web Security appliance web proxy service in transparent mode, you must connect the appliance to an L4 switch or a WCCP v2 router, and you must configure the appliance so it knows to which device it is connected. You configure the device on the Network > Transparent Redirection page.
The Web Cache Communication Protocol allows 256 different service IDs (0 to 255). AsyncOS allows you to create a dynamic WCCP service for each possible service ID. However, in typical usage, most users create one or two WCCP services, where one is a standard service and the other a dynamic service. When you create a WCCP service of any type, you must also specify the following information:
• Assignment method.
Working with the Forwarding and Return Method

WCCP defines the forwarding method as the method by which redirected packets are transported from the router to the web proxy. Conversely, the return method redirects packets from the web proxy to the router. You configure the forwarding and return methods for a WCCP service in the Forwarding Method and Return Method fields under the Advanced section when you create or edit a WCCP service.
Note — IronPort suggests using a service ID number from 90 to 99 for the WCCP service used for the return path (based on the source port). For more information about creating WCCP services, see "Adding and Editing a WCCP Service" on page 478.

Adding and Editing a WCCP Service

You must create at least one WCCP service when you configure the transparent redirection device as a WCCP router. If IP spoofing is enabled on the appliance, you must create two WCCP services.
4. Configure the WCCP options. Table 21-3 describes the WCCP options.

Table 21-3 WCCP Service Options
  WCCP Service Option    Description
  Service Profile Name   Enter a name for the WCCP service.
  Service                Use this section to describe the service group for the router. Choose to create either a standard ("well known") or dynamic service group. If you create a dynamic service, enter the following information:
                         • Service ID. Enter any number from 0 to 255 in the Dynamic Service ID field.
                         • Port number(s). Enter up to eight port numbers for traffic to redirect in the Port Numbers field.
  Advanced               Configure the following fields:
                         • Load-Balancing Method. This is also known as the assignment method. Choose Mask, Hash, or both. Default is both. For more information about load-balancing, see "Working with the Assignment Method" on page 476.
                         • Forwarding Method. Choose L2, GRE, or both. Default is both.
Configuring SMTP Relay Hosts

AsyncOS periodically sends system-generated email messages, such as notifications, alerts, and IronPort Customer Support requests. By default, AsyncOS uses information listed in the MX record on your domain to send email. However, if the appliance cannot directly reach the mail servers listed in the MX record, you must configure at least one SMTP relay host on the appliance.
2. Enter the information listed in Table 21-4.

Table 21-4 SMTP Relay Host Settings
  Property                       Description
  Relay Hostname or IP Address   Enter the host name or IP address to use for the SMTP relay.
  Port                           Enter the port for connecting to the SMTP relay. If this property is empty, the appliance uses port 25. This property is optional.
Configuring DNS Server(s)

You can configure the DNS settings for your IronPort appliance using the Network > DNS page or using the dnsconfig command. Before you configure DNS, consider the following:
• Whether to use the Internet's DNS servers or your own, and which specific server(s) to use.
• Which routing table to use for DNS traffic. You must use the routing table associated with the interface that faces the DNS server, either Data or Management.
For example, four DNS servers with two configured at priority 0, one at priority 1, and one at priority 2:

Table 21-5 Example of DNS Servers, Priorities, and Timeout Intervals
  Priority   Server(s)          Timeout (seconds)
  0          1.2.3.4, 1.2.3.5   5, 5
  1          1.2.3.6            10
  2          1.2.3.7            45

AsyncOS randomly chooses between the two servers at priority 0. If one of the priority 0 servers is down, the other is used. If both priority 0 servers are down, the priority 1 server (1.2.3.
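To make the priority and timeout rules concrete, here is an added Python model of the server selection described above (example code for this page, not AsyncOS code), using the servers and timeouts from Table 21-5. The query callable standing in for the actual DNS transport is an assumption: it either returns an answer or raises on timeout.

```python
"""
Model of the DNS server priority and timeout behaviour described above
(added example for this page, not AsyncOS code).  The query transport is a
constructed stand-in (assumption): it returns an answer or raises DnsFailure.
"""
import random

# Servers from Table 21-5: (address, priority, timeout in seconds)
SERVERS = [
    ("1.2.3.4", 0, 5),
    ("1.2.3.5", 0, 5),
    ("1.2.3.6", 1, 10),
    ("1.2.3.7", 2, 45),
]


class DnsFailure(Exception):
    """Raised when a server times out or fails, or when every server has failed."""


def order_servers(servers, rng=random):
    """Sort by priority (lowest first) and shuffle servers that share a priority."""
    by_prio = {}
    for addr, prio, timeout in servers:
        by_prio.setdefault(prio, []).append((addr, timeout))
    ordered = []
    for prio in sorted(by_prio):
        group = list(by_prio[prio])
        rng.shuffle(group)
        ordered.extend((addr, prio, timeout) for addr, timeout in group)
    return ordered


def resolve(name, servers, query, rng=random):
    """
    Walk the servers in priority order.  A failure at one priority level
    falls through to the next; only when every server has failed does the
    lookup fail.  Returns (answer, server_used, failed_attempts).
    """
    attempts = []
    for addr, prio, timeout in order_servers(servers, rng):
        try:
            answer = query(addr, name, timeout)
        except DnsFailure as exc:
            attempts.append((addr, prio, str(exc)))
            continue
        return answer, addr, attempts
    raise DnsFailure("all %d servers failed for %s" % (len(attempts), name))


def make_fake_query(down):
    """Constructed transport: servers listed in `down` time out, the others answer."""
    def query(addr, name, timeout):
        if addr in down:
            raise DnsFailure("%s: timeout after %ds" % (addr, timeout))
        return "192.0.2.10"  # constructed answer (TEST-NET address)
    return query


def simulate(down=(), seed=None):
    """Resolve a constructed name against the Table 21-5 servers with `down` unreachable."""
    rng = random.Random(seed)
    return resolve("www.example.com", SERVERS, make_fake_query(set(down)), rng)


if __name__ == "__main__":
    answer, used, failed = simulate(down={"1.2.3.4", "1.2.3.5"}, seed=1)
    print("answer %s from %s after %d failed attempts" % (answer, used, len(failed)))
```

Note what the model makes visible: with both priority 0 servers down, a lookup spends both 5-second timeouts before the priority 1 server is even tried, and a lookup that has to reach the priority 2 server can take 5 + 5 + 10 + 45 seconds to fail. Keep the higher-priority servers reachable from the routing table you selected for DNS traffic, or the proxy will pay that latency on every miss.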
Figure 21-6 Edit DNS Settings

3. Select whether to use the Internet's root DNS servers, your own internal DNS server(s), or the Internet's root DNS servers together with authoritative DNS servers that you specify.
4. If you use your own DNS server(s), or specify authoritative DNS servers, enter the server ID, specify a priority, and use the Add Row key to repeat as necessary for each server.
5.
CHAPTER 22 System Administration

This chapter contains the following information:
• "Managing the S-Series Appliance" on page 488
• "Support Commands" on page 489
• "Working with Feature Keys" on page 495
• "Administering User Accounts" on page 497
• "Configuring Administrator Settings" on page 503
• "Configuring the Return Address for Generated Messages" on page 504
• "Managing Alerts" on page 505
• "Setting System Time" on page 512
• "Installing a Server Digital Certificate" on page 514
• "Upgrading the
Managing the S-Series Appliance

The S-Series appliance provides a variety of tools for managing the system.
Support Commands

The features in this section are useful when you upgrade the appliance or contact your support provider. You can find the following commands under the Technical Support section of the Support and Help menu:
• Open a Support Case. For more information, see "Open a Support Case" on page 489.
• Remote Access. For more information, see "Remote Access" on page 490.
• Packet Capture. For more information, see "Packet Capture" on page 491.
Figure 22-1 Open a Technical Support Case Page

2. In the Other Recipients field, enter other email addresses separated by commas if you want to send this support request to other people. By default, the support request (including the configuration file) is sent to IronPort Customer Support (via the checkbox at the top of the form).
3. Enter your contact information, such as name and email.
4.
Figure 22-2 Remote Access Page

By enabling Remote Access you are activating a special account used by IronPort Customer Support for debugging and general access to the system. This is used by IronPort Customer Support for tasks such as assisting customers in configuring their systems, understanding configurations, and investigating problem reports. Because this account has general access to the system, disable Remote Access again once the support engagement is over. You can also use the techsupport command in the CLI.
The appliance saves the captured packet activity to a file and stores the file locally. You can configure the maximum packet capture file size, how long to run the packet capture, and on which network interface to run the capture. You can also use a filter to limit the number of packets seen by the packet capture, which can make the output more usable on networks with a high volume of traffic.
Editing Packet Capture Settings

To edit the packet capture settings in the CLI, run the packetcapture > setup command. To edit packet capture settings in the web interface, select the Packet Capture option under the Support and Help menu, and then click Edit Settings. Table 22-1 describes the packet capture settings you can configure.

Table 22-1 Packet Capture Configuration Options
  Option                    Description
  Capture file size limit   The maximum file size for all packet capture files.
Figure 22-3 on page 494 shows where you can edit the packet capture settings in the web interface.
Working with Feature Keys

Occasionally, your support team may provide a key to enable specific functionality on your system. Use the System Administration > Feature Keys page in the web interface (or the featurekey command in the CLI) to enter the key and enable the associated functionality. Keys are specific to the serial number of your appliance and specific to the feature being enabled (you cannot re-use a key from one system on another system).
Feature Key Settings Page

The Feature Key Settings page is used to control whether your appliance checks for and downloads new feature keys, and whether or not those keys are automatically activated.

Figure 22-5 The Feature Key Settings Page

To add a new feature key manually, paste or type the key into the Feature Key field and click Submit Key. An error message is displayed if the feature is not added (if the key is incorrect, etc.
Administering User Accounts

The following types of users can log into the Web Security appliance to manage the appliance:
• Local users. You can define users locally on the appliance itself. For more information, see "Managing Local Users" on page 497.
• Users defined in an external system. You can configure the appliance to connect to an external RADIUS server to authenticate users logging into the appliance.
To create a new user account, specify a user name and a full name, and then assign the user to a group. Each group provides a different level of default permissions. Table 22-2 lists the groups you can assign.

Table 22-2 User Groups
  Group           Description
  Administrator   The administrators group allows full access to all system configuration settings. However, the upgradecheck and upgradeinstall commands can be issued only from the system defined "admin" account.
4. Select a user type. See Table 22-2, "User Groups," on page 498 for more information about user types.
5. Enter a password and retype it.
6. Submit and commit your changes.

Deleting Users

To delete a user:
1. On the System Administration > Users page, click the trash can icon corresponding to the listed user name.
2. Confirm the deletion by clicking Delete in the warning dialog that appears.
3. Submit and commit your changes.

Editing Users

To edit a user:
1.
• The who command lists users, the time of login, idle time, and the remote host from which the user is logged in:

example.com> who
Username   Login Time   Idle Time   Remote Host   What
========   ==========   =========   ===========   ====
admin      03:27PM      0s          10.xx.xx.xx   cli

• The whoami command displays the user name and group information:

example.
You can configure the appliance to contact multiple external servers for authentication. You might want to define multiple external servers to allow for failover in case one server is temporarily unavailable. When you define multiple external servers, the appliance connects to the servers in the order defined on the appliance.
7. Optionally, click Add Row to add another RADIUS server. Repeat steps 3-6 for each RADIUS server.

Note — You can add up to ten RADIUS servers.

8. In the "External Authentication Cache Timeout" field, enter the number of seconds AsyncOS stores the external authentication credentials before contacting the RADIUS server again to re-authenticate. Default is zero (0).
Configuring Administrator Settings

You can configure the Web Security appliance to have stricter access requirements for administrators logging into the appliance. You might want to do this to meet certain organization requirements. You configure these settings with the adminaccessconfig CLI command. You can configure the appliance to:
• Display user-defined text at administrator login.
• Restrict administrator access to certain machines.
Configuring the Return Address for Generated Messages

You can configure the return address for mail generated by AsyncOS for reports. You can specify the display, user, and domain names of the return address. You can also choose to use the Virtual Gateway domain for the domain name. Configure the return address on the System Administration > Return Addresses page.
Managing Alerts

Alerts are email notifications containing information about events occurring on the IronPort appliance. These events can be of varying levels of importance (or severity) from minor (Informational) to major (Critical) and pertain generally to a specific component or feature on the appliance. Alerts are generated by the IronPort appliance. You can specify which alert messages are sent to which users and for which severity of event they are sent.
Table 22-3 Alert Classifications and Components (Continued)
  Alert Classification    Alert Component
  Updater                 Updater
  Web Proxy               Proxy
  DVS™ and Anti-Malware   DVS
  L4 Traffic Monitor      TrafMon

Severities

Alerts can be sent for the following severities:
• Critical: Requires immediate attention.
• Warning: Problem or error requiring further monitoring and potentially immediate attention.
• Information: Information generated in the routine functioning of this device.
value to 60 seconds, alerts would be sent at 5 seconds, 15 seconds, 35 seconds, 60 seconds, 120 seconds, etc.

IronPort AutoSupport

To allow IronPort to better support and design future system changes, the IronPort appliance can be configured to send IronPort Systems a copy of all alert messages generated by the system. This feature, called AutoSupport, is a useful way to allow our team to be proactive in supporting your needs.
Example Alert Message

Date: 23 May 2007 21:10:19 +0000
To: joe@example.com
From: IronPort S650 Alert [alert@example.com]
Subject: Critical example.com: Internal SMTP giving up on message to jane@company.com with...

The Critical message is:
Internal SMTP giving up on message to jane@company.com with subject 'IronPort Report: Client Web Activity (example.com)': Unrecoverable error.

Product: IronPort S650 Web Security Appliance
Model: S650
Version: 5.1.
Figure 22-13 The Alerts Page

Note — If you enabled AutoSupport during System Setup, the email address you specified will receive alerts for all severities and classes by default. You can change this configuration at any time.

The Alerts page lists the existing alert recipients and alert settings. From the Alerts page, you can:
• Add, configure, or delete alert recipients
• Modify the alert settings

Adding New Alert Recipients

To add a new alert recipient:
1. Click Add Recipient.
Figure 22-14 Adding a New Alert Recipient

2. Enter the recipient's email address. You can enter multiple addresses, separated by commas.
3. Select which alert severities to receive.
4. Click Submit to add the alert recipient.
5. Click the Commit Changes button, add an optional comment if necessary, then click Commit Changes to save the changes.

Configuring Existing Alert Recipients

To edit an existing alert recipient:
1.
Configuring Alert Settings

Alert settings are global settings, meaning that they affect how all of the alerts behave.

Editing Alert Settings

To edit alert settings:
1. Click Edit Settings... on the Alerts page. The Edit Alert Settings page is displayed:

Figure 22-15 Editing Alert Settings

2. Enter a Header From: address to use when sending alerts, or select Automatically Generated ("alert@").
3.
Setting System Time

To set the system time on your Web Security appliance, set the time zone and then either set the time manually or select an NTP server and the interface used for NTP queries. To set the system time, use the System Administration > Time Zone or Time Settings page or use the ntpconfig, settime, and settz commands.

Selecting a Time Zone

To set the time zone use the System Administration > Time Zone page:

Figure 22-16 The Time Zone Page

Select a time zone in the Time Zone area.
Figure 22-17 The Edit Time Settings Page

Configure NTP (Network Time Protocol)

To edit NTP server settings and use an NTP server to synchronize the system clock with other computers:
1. Enter an NTP server IP address and use the Add Row key to repeat as necessary for each NTP server.
2. Choose the routing table associated with an appliance network interface type, either Management or Data, to use for NTP queries. This is the IP address from which NTP queries should originate.
3.
Installing a Server Digital Certificate

When an administrator logs into the Web Security appliance using HTTPS, the appliance uses a digital certificate to securely establish the connection with the client application. The Web Security appliance uses the "IronPort Appliance Demo Certificate" that comes installed by default. Because the demo certificate is not issued by a certificate authority your browsers trust, they warn on every administrative login; replace it with a certificate issued for the appliance's hostname by uploading your own, as described in the following section.
The certificate you upload to the appliance must meet the following requirements:
• It must use the X.509 standard.
• It must include a matching private key in PEM format. DER format is not supported.
• The private key must be unencrypted.

The Web Security appliance cannot generate Certificate Signing Requests (CSR). Therefore, to have a certificate created for the appliance, you must issue the signing request from another system.
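Because a rejected upload gives little indication of which requirement failed, the following Python script is an added pre-upload check for this page (not AsyncOS code) against the three requirements above: it confirms the bundle is PEM rather than DER, contains a certificate block and a private key block, and that the key is not encrypted (either the PKCS#8 ENCRYPTED PRIVATE KEY form or a traditional key carrying Proc-Type/DEK-Info headers). It uses only the standard library, so it does not prove that the key matches the certificate. The sample bundles and the stand-in DER body are constructed, not real certificates or keys.

```python
"""
Pre-upload check for the certificate requirements listed above (added
example for this page, not AsyncOS code): an X.509 certificate plus its
private key, both PEM encoded, key unencrypted, DER not accepted.  It checks
the PEM framing and that each body decodes to a DER SEQUENCE; it does not
prove the key matches the certificate.  The sample bundles are constructed
and their bodies are a stand-in DER value, not a real certificate or key.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}  # PKCS#8 encrypted form


def pem_blocks(text):
    """Yield (label, headers, der) for every PEM block; raise ValueError on bad base64 or DER."""
    for match in PEM_RE.finditer(text):
        label = match.group("label")
        lines = match.group("body").splitlines()
        headers = {}
        # RFC 1421-style headers (Proc-Type, DEK-Info) on an encrypted
        # traditional key come first, followed by a blank line.
        while lines and ":" in lines[0]:
            key, _, value = lines.pop(0).partition(":")
            headers[key.strip()] = value.strip()
        b64 = "".join(line.strip() for line in lines if line.strip())
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("%s block: invalid base64 (%s)" % (label, exc))
        # An encrypted body is ciphertext, so only check the ASN.1 framing
        # (0x30 = SEQUENCE) when no encryption headers are present.
        if not headers and (not der or der[0] != 0x30):
            raise ValueError("%s block: body is not a DER SEQUENCE" % label)
        yield label, headers, der


def check_upload(text):
    """Return a list of problems; an empty list means the bundle passes these checks."""
    try:
        blocks = list(pem_blocks(text))
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return ["no PEM blocks found (DER-only input is not supported)"]
    problems = []
    certs = keys = encrypted = 0
    for label, headers, _der in blocks:
        if label in CERT_LABELS:
            certs += 1
        elif label in ENCRYPTED_KEY_LABELS:
            encrypted += 1
        elif label in KEY_LABELS:
            if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
                encrypted += 1
            else:
                keys += 1
        else:
            problems.append("unexpected PEM block: %s" % label)
    if encrypted:
        problems.append("private key is encrypted; upload an unencrypted PEM key")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if keys == 0 and encrypted == 0:
        problems.append("no private key block")
    return problems


# Constructed test bundles.  DER_STUB is base64 of the DER SEQUENCE { INTEGER 1 },
# used only so the framing checks have something syntactically valid to decode.
DER_STUB = "MAMCAQE="
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + DER_STUB + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + DER_STUB + "\n-----END PRIVATE KEY-----\n"
)
ENCRYPTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + DER_STUB + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n" + DER_STUB + "\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("encrypted", ENCRYPTED_BUNDLE)):
        print(name, "->", check_upload(bundle) or "OK")
```

On the system where you generate the signing request, `openssl req -new -newkey rsa:2048 -nodes -keyout wsa.key -out wsa.csr` (an OpenSSL command, not from this guide) writes the private key unencrypted in PEM because of the -nodes flag, which is the form the appliance expects; concatenating the issued certificate and that key file gives a bundle this check will accept. An unencrypted key on disk deserves the same handling as any other credential: restrict its permissions and remove the copy on the signing host once the upload is done.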
[]> setup
Management (HTTPS):
paste cert in PEM format (end with '.
Upgrading the System Software

Upgrading AsyncOS for Web uses the following two step process:
1. Configure the update and upgrade settings. You can configure settings that affect how the Web Security appliance downloads the upgrade information. For example, you can choose from where to download the upgrade images and more. For more information, see "Configuring Upgrade and Service Update Settings" on page 519.
2. Upgrade the system software.
3. Select an upgrade from the list of available upgrades, and click Begin Upgrade to start the upgrade process. Answer the questions as they appear.
4. When the upgrade is complete, click Reboot Now to reboot the Web Security appliance.

Upgrading AsyncOS for Web from the CLI

Issue the upgrade command from the CLI to show a list of available upgrades. Select the desired upgrade from the list to install it.
Configuring Upgrade and Service Update Settings

You can configure how the Web Security appliance downloads security services updates, such as Web Reputation Filters, and AsyncOS for Web upgrades. For example, you can choose which network interface to use when downloading the files, configure the update interval, or disable automatic updates.
You can configure upgrade and updates settings in the web interface or the CLI. For more information, see "Configuring the Update and Upgrade Settings from the Web Interface" on page 522 and "Configuring the Update and Upgrade Settings from the CLI" on page 525. Figure 22-20 shows where you configure upgrade and update settings in the web interface.
use this feature, you only download the upgrade image from IronPort one time, and then serve it to all Web Security appliances in your network. Figure 22-21 shows how Web Security appliances download upgrade images from local servers.
Note — IronPort recommends changing the update and upgrade settings to use the IronPort update servers (using dynamic or static addresses) after the upgrade is complete to ensure the security service components continue to update automatically.
Figure 22-22 Edit Update Settings Page
2. Configure the settings in Table 22-4.

Table 22-4 Update and Upgrade Settings
  Setting                   Description
  Update Servers (images)   Choose whether to download upgrade and update images from the IronPort update servers or a local web server. The default is the IronPort update servers.
  Automatic Updates         Choose whether or not to enable automatic updates of the security components. If you choose automatic updates, enter the time interval. The default is enabled and the update interval is 5 minutes.
  Routing Table             Choose which network interface's routing table to use when contacting the update servers. The available proxy data interfaces are shown.
5. Initiate the update using the Update Now function key on the component page located on the Security Services tab. For example, Security Services > Web Reputation Filters page.
6. View a record of update activity in the updater log file. Subscribe to the updater log file on the System Administration > Log Subscriptions page.

Note — Updates that are in-progress cannot be interrupted. All in-progress updates must complete before new changes can be applied.
CHAPTER 23 Command Line Interface

This chapter contains the following information:
• "The Command Line Interface Overview" on page 528
• "Using the Command Line Interface" on page 529
• "General Purpose CLI Commands" on page 532
• "Web Security Appliance CLI Commands" on page 534
The Command Line Interface Overview

The IronPort AsyncOS Command Line Interface (CLI) is an interactive interface designed to allow you to configure and monitor the Web Security appliance. The commands are invoked by entering the command name with or without any arguments. If you enter a command without arguments, the command prompts you for the required information.
USING THE COMMAND LINE INTERFACE

This section describes the rules and conventions of the AsyncOS Command Line Interface.

Accessing the Command Line Interface

Access to the CLI varies depending on the management connection method chosen while setting up the appliance. The factory default username and password are listed next. Initially, only the admin user account has access to the CLI.
When there is a default setting, the setting is displayed within the command-prompt brackets. For example:

example.com> setgateway
Warning: setting an incorrect default gateway may cause the current connection to be interrupted when the changes are committed.
Enter new default gateway: [172.xx.xx.
Currently configured interfaces:
1. Management (172.xxx.xx.xx/xx: example.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
[]>

Within subcommands, typing Enter or Return at an empty prompt returns you to the main command.

Escaping Subcommands

You can use the Ctrl+C keyboard shortcut at any time within a subcommand to immediately exit it and return to the top level of the CLI.
GENERAL PURPOSE CLI COMMANDS

This section describes some basic commands you might use in a typical CLI session, such as committing and clearing changes. For a full list of commands, see “Web Security Appliance CLI Commands” on page 534.

Committing Configuration Changes

Configuration changes made at the CLI are staged, so you can keep changing settings while other operations proceed normally. Nothing takes effect until you run the commit command, and the commit is complete only when you receive confirmation and a timestamp.
Are you sure you wish to exit? [N]> y

Seeking Help on the Command Line Interface

The help command lists all available CLI commands and gives a brief description of each command. The help command can be invoked by typing either help or a single question mark (?) at the command prompt.

example.
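The prompt conventions described above (a default shown in brackets, an empty line to accept it or to leave a subcommand, a yes/no confirmation before the session ends) are exactly what a script driving the CLI over SSH has to recognise. The following Python helper is an added example and is not code from the IronPort guide or the appliance. It assumes only the prompt shapes shown in this chapter's transcripts: a top-level prompt of the form hostname followed by "> ", and interactive questions ending in "[default]> " (empty brackets when there is no default). The hostname, addresses and the commit-output placeholder in its sample transcript are invented.

```python
"""Prompt classification and answer selection for scripting the AsyncOS CLI.

Added example (not from the IronPort guide). Assumptions: the top-level prompt
is "hostname> " and every interactive question ends in "[default]> ", with
empty brackets when no default exists.
"""
import re

# "Enter new default gateway: [172.16.0.1]> "  -> text + default
# "[]> "                                        -> empty text, no default
QUESTION_RE = re.compile(r"^(?P<text>.*?)\s*\[(?P<default>[^\]]*)\]>\s*$")
# "wsa.example.com> " -> the CLI is idle and will accept a command name
TOP_RE = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)>\s*$")


def parse_prompt(line):
    """Classify one chunk of CLI output as 'top', 'question' or 'output'."""
    m = QUESTION_RE.match(line)
    if m:
        return {"kind": "question", "text": m.group("text").strip(),
                "default": m.group("default")}
    m = TOP_RE.match(line)
    if m:
        return {"kind": "top", "host": m.group("host")}
    return {"kind": "output", "text": line.rstrip()}


def choose_answer(question, answers):
    """Return the line to send in reply to a question prompt.

    `answers` maps a fragment of the question text (case-insensitive) to the
    reply. An unmatched question gets an empty line, which accepts the
    bracketed default; at an empty "[]> " prompt inside a subcommand it
    returns to the main command. Confirmations such as
    "Are you sure you wish to exit? [N]>" therefore keep their default unless
    the caller answers them explicitly, so a script never confirms by accident.
    """
    text = question["text"].lower()
    for fragment, reply in answers.items():
        if fragment.lower() in text:
            return reply
    return ""


def drive(transcript, commands, answers):
    """Replay appliance output and record what a script would send back.

    At each top-level prompt the next command is sent; at each question the
    reply comes from choose_answer(). With a live connection (pexpect or
    paramiko) the same two helpers run on every chunk the appliance emits.
    """
    pending = list(commands)
    sent = []
    for chunk in transcript:
        prompt = parse_prompt(chunk)
        if prompt["kind"] == "top":
            sent.append(pending.pop(0) if pending else "quit")
        elif prompt["kind"] == "question":
            sent.append(choose_answer(prompt, answers))
    return sent


# Constructed appliance output modelled on the setgateway and interfaceconfig
# excerpts in this chapter. Hostname and addresses are invented, and the line
# the appliance prints after commit is replaced by a placeholder.
SAMPLE_TRANSCRIPT = [
    "wsa.example.com> ",
    "Warning: setting an incorrect default gateway may cause the current "
    "connection to be interrupted when the changes are committed.",
    "Enter new default gateway: [172.16.0.1]> ",
    "wsa.example.com> ",
    "Currently configured interfaces:",
    "1. Management (172.16.0.5/24: wsa.example.com)",
    "Choose the operation you want to perform:",
    "- NEW - Create a new interface.",
    "- EDIT - Modify an interface.",
    "- DELETE - Remove an interface.",
    "[]> ",
    "wsa.example.com> ",
    "(commit confirmation and timestamp are printed here; not reproduced)",
    "wsa.example.com> ",
    "Are you sure you wish to exit? [N]> ",
]

SAMPLE_COMMANDS = ["setgateway", "interfaceconfig", "commit", "quit"]
SAMPLE_ANSWERS = {"default gateway": "172.16.0.254", "wish to exit": "y"}

if __name__ == "__main__":
    for line in drive(SAMPLE_TRANSCRIPT, SAMPLE_COMMANDS, SAMPLE_ANSWERS):
        print(repr(line))
```

The empty reply at the interfaceconfig menu is deliberate: it is the Enter-at-an-empty-prompt behaviour described above, and it is also why a script must answer the exit confirmation explicitly rather than relying on the default.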
WEB SECURITY APPLIANCE CLI COMMANDS

The Web Security Appliance CLI supports a set of proxy and UNIX commands to access, upgrade, and administer the system. Table 23-1 lists the Web Security appliance Command Line Interface commands.

Table 23-1 Web Security appliance Administrative Commands

advancedproxyconfig
    Configure more advanced Web Proxy configurations, such as authentication and DNS parameters.
featurekey
    Submits valid keys to activate licensed features. For more information, see “Feature Keys Page” on page 495.
featurekeyconfig
    Automatically check for and update feature keys. For more information, see “Feature Key Settings Page” on page 496.
grep
    Searches named input files for lines containing a match to the given pattern.
help
    Returns a list of commands.
pathmtudiscovery
    Enables or disables Path MTU Discovery. You might want to disable Path MTU Discovery if you need to allow packet fragmentation.
ping
    Sends an ICMP ECHO REQUEST to the specified host or gateway.
proxyconfig
    Enables or disables the Web Proxy.
proxystat
    Displays web proxy statistics.
quit, q, exit
    Terminates an active process or session.
shutdown
    Terminates connections and shuts down the system.
snmpconfig
    Configure the local host to listen for SNMP queries and allow SNMP requests.
sshconfig
    Configure hostname and host key options for trusted servers.
status
    Displays system status.
supportrequest
    Send the support request email to IronPort customer care. This includes system information and a copy of the master configuration.
webcache
    Examine or modify the contents of the proxy cache, or configure domains and URLs that the appliance never caches. Allows an administrator to remove a particular URL from the proxy cache or specify which domains or URLs to never store in the proxy cache. For more information, see “Web Proxy Cache” on page 68.
who
    Displays who is logged into the system.
APPENDIX A IronPort End User License Agreement

This appendix contains the following section:
• “Cisco IronPort Systems, LLC Software License Agreement” on page 540
CISCO IRONPORT SYSTEMS, LLC SOFTWARE LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT (“AGREEMENT”) FOR THE LICENSE OF THE SOFTWARE (AS DEFINED BELOW).
1.6 “Upgrade(s)” means revisions to the Software, which add new enhancements to existing functionality, if and when it is released by IronPort or its third party licensors, in their sole discretion. Upgrades are designated by an increase in the Software’s release number, located to the left of the decimal point (e.g., Software 1.x to Software 2.0).
appearing on or in copies of the Software or other materials delivered to Company by IronPort or its reseller.
WARRANT THAT THE SOFTWARE OR SERVICES (1) IS FREE FROM DEFECTS, ERRORS OR BUGS, (2) THAT OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED, OR (3) THAT ANY RESULTS OR INFORMATION THAT IS OR MAY BE DERIVED FROM THE USE OF THE SOFTWARE WILL BE ACCURATE, COMPLETE, RELIABLE AND/OR SECURE.

6. LIMITATION OF LIABILITY.
Software for end use relating to any nuclear, chemical or biological weapons, or missile technology unless authorized by the U.S. Government by regulation or specific license. Company acknowledges it is Company’s ultimate responsibility to comply with any and all import and export restrictions, and other applicable laws, in the U.S.
Index

A
access log file (see also W3C access logs)
  ACL decision tags 439
  anti-malware information 442
  anti-malware request example entry 445
  anti-malware response example entry 446
  custom formatting 450
  no category (nc) 445
  no score (ns) 445
  overview 436
  result codes 438
  URL category abbreviations 293
  Web Reputation Filters example entry 445
  web reputation information 442
access logs
  custom fields 459
Access Policies
  anti-malware 161
  applications 159
  configuring Web Reputation 315
  creating 154
  flow diagram 15
C
CA: see certificate authorities
capturing network packets
  overview 491
case-sensitivity in CLI 530
category filtering database 270
certificate authorities
  validating 188
certificate authority
  defined 184
certificate files (see also root certificates)
  converting formats 195
  supported formats 193
  uploading 199
certificates
  generating and signing your own 515
  installing for credential encryption 364
  installing on appliance 515
  invalid 200
  overview 188
  root 193
  validating 190
  validating certificate authorities 1
  dropping traffic 181
  enabling 197
  flow diagram 201, 209
  guest users 135
  membership 201
  Monitor action 182
  overview 180
  passing through traffic 181
  proxy port of request 204
  root certificates 193
  subnet of request 205
  time of request 205
  URL category of request 205
  user agent of request 205
Decryption Policy groups: see also policy groups
default gateway 469
default route
  configuring 469
deleting
  a URL from the web proxy cache 68
  authentication realms 345
  authentication sequences 348
  log subscriptions 435
  WCC
FTP proxy
  advanced configuration 90
FTP Push 434
self-signed certificate, definition 185
symmetric key cryptography, definition 185
HTTPS requests, authentication 129

G
generating
  root certificates 198
  root certificates for HTTPS 193
global Identity policy
  authentication 129
global policy group
  overview 110
GRE forwarding method 477
greylist address: see ambiguous address
guest access
  overview 135

H
hash assignment
  WCCP assignment method 476
height of appliance 43
heuristic analysis
  McAfee scanning engine 32
M
M1 interface
  overview 30
M1 port
  connecting to a laptop 46
MAIL FROM
  configuring for notifications 504
malware
  configuring scanning 328
  see also anti-malware
malware verdicts
  multiple 323
management interface
  overview 30
managing the appliance
  connecting to a laptop 46
  connecting to the management interface 15
  System Setup Wizard 15
mask assignment
  WCCP assignment method 476
matching client requests
  Access Policies 152
  Decryption Policies 201
  External DLP Policies 219
  Identities 132
  IronPort Data Security
public key cryptography
  defined 184
public key infrastructure
  defined 185

R
realms: see authentication realms
re-authentication
  overview 366
  using with Internet Explorer 367
  using with PAC files 367
Redirect setting
  URL categories 284
redirecting traffic
  overview 284
regular expressions
  overview 290
  using in URL filters 290
remote upgrades 520
reporting misclassified URLs 243
reports
  Anti-Malware 403
  archiving 418
  Client Detail 401
  Client Malware Risk 401
  Client Web Activity 401
  custom date ranges 397
  expor
  Routing Policies 177
TLS used in HTTPS 186
  to upstream proxies 169
tracing policies
  overview 121
traffic
  redirecting 284
transaction result codes 438
transparent mode
  native FTP 76
transparent redirection 475
transparent redirection
  adding a WCCP service 478
  assignment method 476
  forwarding method 477
  GRE forwarding method 477
  hash assignment 476
  L2 forwarding method 477
  mask assignment 476
  overview 475
  WCCP services 475
troubleshooting
  policy groups 121
TRR (Threat Risk Rating) 329
TRT (Threat Risk Thresho
  overview 68
  splash page 82
  usage agreement 82
Web Proxy Autodiscovery Protocol: see WPAD
web proxy cache
  modifying 68
  removing a URL from the cache 68
Web Reputation Filters
  about 310
  access log file 318
  access log information 442
  bypassing 80
  configuring Access Policies 315
  database 310
  how it works 313
  report 405
  scores 311
  viewing activity 318
Web Security appliance
  physical dimensions 43
  user name and password 20
Web Site Activity report 402
Webroot scanning engine
  database 322
  overview 325
weight of app