Cisco WSA Policies

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 4th part of the series.
Creating policies is one the major (en most fun) part of the WSA. In this blog I’ll cover the configuration of access policies and identities.
Click  Web Security Manager > Access Policies
access policy default
Only one policy can be applied. This is based on first match (top-down). If no policy matches, the Global Policy will be used.
First, you have to create a identity. An identity doesn’t identify a user, but it identifies a client or transaction that may require authentication. Identity membership is determined before authentication is done. Policy group membership is determined after authentication is performed.
Click  Web Security Manager > Identities > add identity and create the identity, based on IP’s ip ranges or IP subnets. Possible identities are:

  • Kiosk users
  • Update agents
  • Company users

Read more

Cisco WSA Defending Malware

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the last post in the series.
Malware.. we all know that we don’t want it. But how do we block it?
All websites have a Web based reputation number (WBRS). This is a number between -10 and +10. You can define what ranges are used for what action. Think about: -10 to -5 drop, -4 to +5 scan, +6 to +10 do not scan. The WSA receives regulary updates with new reputations.
Note: these features are licensed!
Read more

OTV FHRP filtering on a ASR router

We configured a OTV DCI in my previous post and it was working as expected and by design. But during testing of all the VLANs I discovered a problem with HSRP over OTV, but only for 1 specific VLAN. The test results:

  • A ping from a host in DC1 in VLAN 10 to the HSRP address gives random drops
  • A ping from a host in DC1 in any VLAN to the HSRP address pings without any problems
  • Shutdown the SVI of VLAN 10 in DC2, A ping from a host in DC1 in VLAN 10 to the HSRP address without any problems
  • VLAN 10 is still disabled in DC2, but a host can ping the HSRP address from DC2 to DC1. This should be impossible because of the FHRP filtering
  • Changing the standby group number (they are the same in DC1 and DC2 to keep the same MAC address) partially solved the problem, but some hosts in DC1 got the HSRP MAC of DC2 in the ARP table. This is not what we want.
  • Moving the SVI from a 6500 switch to a 3750 switch in DC1, none of the above problems

I still have no idea why this problem only exists for VLAN 10, all other VLANs work as expected but I’ve found a good workaround for this in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wan/command/wan-cr-book/wan-m1.html#wp3953249580
Read more