Transcript
Content Analysis System Guide
Version 1.2
Blue Coat Systems, Inc. Content Analysis System 1.2
Third Party Copyright Notices © 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALAYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. Americas:
Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland
2
Blue Coat Systems, Inc. Content Analysis System 1.2
Contents
Chapter 1: Initial Configuration
1
About Content Analysis
3
Content Analysis System Hardware and Software Requirements
5
Supported Hardware Platforms
5
Supported SGOS Software Versioins
5
Supported Browsers
5
Set Up the Appliance with the Command Line Interface
6
Log In or Log Out of the Content Analysis Web UI
7
Log In to Content Analysis
7
Manage the Appliance Licenses and Subscriptions
8
About Content Analysis Licensing
8
The Content Analysis Home PageTab
10
System Health
10
Scanned StatisticsObjects Processed
10
Traffic Statistics
10
Route Traffic to Alternate Networks
11
Activate Licensed Components
12
Proxy Connections Through a Gateway Device
13
Identify Content Analysis
14
Set the Date/Time Manually
15
Synchronize the System Clock
16
Configure NTP
16
Set the Timezone
17
Chapter 2: Prepare the Appliance to Scan Data
18
Change the Default ICAP Server Ports
20
3
Blue Coat Systems, Inc. Content Analysis System 1.2
Define File Type Policy
21
Set AV Scanning Options
23
Bypass Analysis for Known-Good Files (Whitelisting)
27
About Trust Scores
27
Sandbox Suspicious Files
28
Supported Sandboxing Vendors
28
Configure Malware Analysis Appliance Sandboxes
28
Configure a FireEye Sandbox
30
Set File Types to be Sandboxed
30
Configure Sandbox Reporting
30
Report Malware to Blue Coat WebPulse
32
Enable Web Pulse Threat Collaboration
32
Drop Slow Download Connections
33
Default Threshold Values
33
Chapter 3: Scan Proxied Traffic
34
Enable Secure ICAP Connections
36
Manually Configure an ICAP Service on the ProxySG
39
Automatically Configure an ICAP Service on the ProxySG
41
Configure Malware Scanning
41
Optimize the ICAP Configuration
42
Configure ICAP Policy
44
Create a default rule to send traffic to the Content Analysis with ICAP Configure Scanning Exemption Policies
44 46
Exempt a domain from scanning
46
Exempt a category from Scanning
47
Use policy to react to specific ICAP scan results
47
4
Blue Coat Systems, Inc. Content Analysis System 1.2
Troubleshoot ICAP Errors
49
Chapter 4: Monitoring and Alerts
51
View the CPU Usage Report
53
View the Memory Usage Report
54
View ICAP Connections Data
55
View Ethernet Adapter Statistics
56
View Historical Connection Data
57
View Request History
57
Scan Results
58
Cache Hits
60
View the Sandboxing Report
61
View the ICAP Bytes Report
62
View ICAP Object Scan History
63
View Current Connection
64
Connection Request Columns
64
Manage the System Logs
65
Configure SNMP
65
Download MIBs
65
Set Log Parameters
65
Review System Activities
66
Available System Logs
67
Set Up Alert Delivery Methods
68
Alert Delivery Methods
68
Event Types
68
Test Alerts
68
Configure E-Mail Alerts
69
5
Blue Coat Systems, Inc. Content Analysis System 1.2
E-mail Addresses
69
Server settings
69
Authentication settings
69
Configure SNMP
69
Enable SNMP Trap Support
70
Configure Syslog
70
Customize Alert Messages
70
Chapter 5: Administrative Tasks
72
Control Access to the Management Console
74
Manage Administrator Access
75
Authenticate Administrators with Local Credentials
75
Create a Read-Only User Account
75
Create an Administrative User Account
75
Change a User's Password
76
Delete Administrator Accounts
76
Authenticate Administrators with LDAP
76
Authenticate Administrators with RADIUS
77
About RADIUS authentication
77
RADIUS prerequisites
77
About the Blue-Coat-Authorization RADIUS attribute
78
Enable RADIUS Authentication
78
Example: FreeRADIUS Configuration Procedure Define an Administrative Login Message
78 81
Enable and configure the Login Banner
81
Update Anti-Virus Pattern Files
82
Update All Now
83
6
Blue Coat Systems, Inc. Content Analysis System 1.2
Force Update All Now
83
Downloads
83
Install a new System Image
84
Manage System Images
84
Update the System Software From bto.bluecoat.com
84
Most Recent Download
84
Archive or Restore the System Configuration
85
Available Options
85
Perform Administrative Tasks from the Command Line Interface
86
Standard Mode Commands
86
Enable Mode Commands
88
Chapter 6: Troubleshooting and Support Utilities
92
Onboard Diagnostics
94
Available Sensors
94
Inspect Traffic
95
Available Options
95
Manage PCAP Files
95
Filter Packet Captures
95
Test Network Connectivity
97
Ping Utility Fields
97
Example
97
Restart System Services
98
Available Options
98
Review System Activities
99
Available System Logs
99
View and Export the System Information File
100
7
Blue Coat Systems, Inc. Content Analysis System 1.2
Manually Scan Files for Threats
101
Send Diagnostic Information to Blue Coat Support
102
Upload Log Files to Blue Coat Support
102
Delete Core Files
102
Troubleshooting Tips
102
Clear File Caches
103
Clear Caches
103
Review the Web Logs
104
View Web Logs
104
Download Web Logs
105
8
Blue Coat Systems, Inc. Content Analysis System 1.2
Chapter 1: Initial Configuration This chapter introduces you to the Content Analysis System appliance, the Management Console and helps you to prepare the appliance for deployment.
About Content Analysis
3
Content Analysis System Hardware and Software Requirements
5
Set Up the Appliance with the Command Line Interface
6
Log In or Log Out of the Content Analysis Web UI
7
Manage the Appliance Licenses and Subscriptions
8
The Content Analysis Home PageTab
10
Route Traffic to Alternate Networks
11
Activate Licensed Components
12
Proxy Connections Through a Gateway Device
13
Identify Content Analysis
14
Set the Date/Time Manually
15
Synchronize the System Clock
16
Set the Timezone
17
1
Blue Coat Systems, Inc. Content Analysis System 1.2
2
Blue Coat Systems, Inc. Content Analysis System 1.2
About Content Analysis Blue Coat Content Analysis a next-generation anti-virus, malware, and spyware detection system. Content Analysis includes the following features: l
l
l
l
l
Anti-virus, malware, and spyware scanning with multiple simultaneous anti-virus vendors. (Malware and spyware scanning functions are dependent on the licensed AV vendor.) File Whitelisting uses a classification system to identify files that appear to be suspicious, but are known to be good. File Whitelisting also provides an option to manually whitelist specific files, hosts, and destination addresses to prevent delays with known-good (yet suspicious) files. Sandbox integration with Blue Coat's Malware Analysis or FireEye execute suspicious files in a controlled virtual machine environment. When a suspicious file is found to not be a virus and is not in the file whitelist, Content Analysis sends the file to an external appliance to run the file in a virtualized workstation environment. The actions of the suspicious file, (registry edits, requests to malicious web sources) are identified and included in a detailed report sent to the Content Analysis administrator to take appropriate action. Content Analysis version 1.2 includes support for multiple MAAs and multiple profiles for Windows system emulation. Cached Responses can be used to speed up processing for files that have been scanned previously. The Blue Coat WebPulse service is an integral part of Content Analysis protection. Users are protected by the BCWF database on the proxy, and when viruses and malware are discovered through scanning, those results can be shared with Blue Coat to classify bad URLs for the benefit of all WebPulse users worldwide.
Content Analysis Scanning Workflow
3
Blue Coat Systems, Inc. Content Analysis System 1.2 1. A user in the protected network requests a file from the Internet. 2. The Proxy compares the file against the Blue Coat Web Filtering database and the local WebPulse database. If the domain hosting the file has been categorized as a malware source, the file download is denied and the user is notified. If the domain is not recognized, the Proxy forwards it to for analysis. 3. compares the file details against the File Whitelist. If the file is in the Whitelist, scanning is suspended and the file is sent to the user. If no match is found, the file is compared against the virus scan cache. If not present, the file is forwarded to the enabled anti-virus scanners. 4. If the file contains malware, the the file is blocked and the user receives a deny page with a description of the virus or malware. 5. If the file is clean, but is of a suspicious type (executable or a type defined in the Sandboxing configuration), it is forwarded to a sandbox appliance, (if configured) for dynamic analysis. 6. The results of the Sandbox analysis are reported to the administrator. shared with Blue Coat WebPulse, and if the file is malicious, the Content Analysis administrator is notified via email.
4
Blue Coat Systems, Inc. Content Analysis System 1.2
Content Analysis System Hardware and Software Requirements The Content Analysis System hardware and software requirements listed below are valid as of the publishing of this guide. For the most current list, refer to the release notes for the Content Analysis release you are using. Supported Hardware Platforms
CAS is supported on the following platforms: l
S400-A1
l
S400-A2
l
S400-A3
l
S400-A4
l
S500
Supported SGOS Software Versioins
The Blue Coat CAS supports only the Blue Coat ProxySG appliance as an Internet Content Adaptation Protocol (ICAP) client. While the Content Analysis System can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS 6.5.1 or higher, and arbitrary ICAP header parsing requires SGOS 6.5.2.1. Because of this, the ProxySG appliance that communicates with the CAS appliance should run SGOS 6.5.2 or higher. Supported Browsers
The Content Analysis System Management Console supports the following web browsers: l
Microsoft Internet Explorer, version 9.x, 10.x
l
Mozilla Firefox, version 2.x,3.x
l
Google Chrome
Other browsers might be compatible, but have not been tested.
5
Blue Coat Systems, Inc. Content Analysis System 1.2
Set Up the Appliance with the Command Line Interface Use the Content Analysis Command Line Interface (CLI) to initially configure the appliance, upload support information, and to view the appliance status and configuration. The appliance accepts CLI commands through a serial console connection (Secure Shell (SSH v2), which is located on the back of the appliance. SSH access to the appliance is enabled by default.
1. Connect to the appliance through the Serial Console connection at the rear of the appliance. 2. Launch a terminal application, such as hyperterm. Enter the following connection settings: BPS: 9600 Data bits: 8 Parity: none Stop bits: 1 Flow control: none 3. To start the initial configuration wizard, select Initial Setup. This wizard prompts you to define the following settings: IP Address Subnet Mask Default Gateway DNS Server Alternate DNS Server Administrator Password Beyond the initial setup wizard provided in the CLI, you can also perform several administrative tasks. For more information, see See "Perform Administrative Tasks from the Command Line Interface" on page 86.
6
Blue Coat Systems, Inc. Content Analysis System 1.2
Log In or Log Out of the Content Analysis Web UI The Logout link displays when you click the down arrow next to the admin login name on the Management Console banner, as shown below.
To log out, click Logout. You are logged out and a message confirming the logout displays. If you have disabled authentication, the logout link does not display in the Management Console banner. Log In to Content Analysis
By default, Content Analysis challenges administrative users for their log-in credentials before permitting access to the Management Console. As a best practice, Blue Coat recommends that you log out of the appliance after completing your tasks in the Management Console. To log in to the appliance again, click the link on the window that displays or the following URL into a browser:
https://content_analysis_IP_address:8082
7
Blue Coat Systems, Inc. Content Analysis System 1.2
Manage the Appliance Licenses and Subscriptions Content Analysis requires a license to operate. The license activates the default components, plus any additional features that you purchased from Blue Coat.
First time access When you log in to the appliance for the first time, the interface displays the Invalid or Missing License dialog.
Perform the steps below to install the license as appropriate for your deployment method. About Content Analysis Licensing
The licensed components on your Content Analysis appliance vary in how they are managed. The licensed components include the appliance's base license and Sandboxing, while Malware vendors and Whitelisting services are subscription-based. While the licensed components can be installed in an offline appliance via file, subscription-based components can only be retrieved by the appliance directly. Because of this, complete the initial task of installing the base license and subscriptions while your appliance has access to the the following URLs: l
contentanalysis.bluecoat.com
l
subscription.es.bluecoat.com
l
services.es.bluecoat.com
l
device-services.es.bluecoat.com
l
bto-services.es.bluecoat.com
A single rule on your outbound firewall and/or ProxySG appliance to allow the Content Analysis appliance IP to access bluecoat.com without authentication will suffice. If your proxy is explicit, or authentication is required, see Configure Proxy Settings.
8
Blue Coat Systems, Inc. Content Analysis System 1.2 Before you proceed, visit the Blue Coat Licensing Portal at https://services.bluecoat.com/eservice_enu/licensing/register.cgi to associate the activation code provided in your e-fulfillment letter with your Content Analysis appliance serial number. If you fail to do this, subscription elements of your license will not be available.
Content Analysis is connected to the Internet If Content Analysis is connected to the Internet, retrieve the base license directly from Blue Coat and install it.
1. In the Content Analysis appliance interface, select System > Licensing. 2. Click Download License from Blue Coat. The appliance confirms the download and installation.
3. Proceed to Activate Licensed Components on page 12. Content Analysis is in a closed network If Content Analysis cannot consistently connect directly to the Internet after the initial setup, you can download the base license file from the Blue Coat Licensing Portal and install it manually. This task requires your BlueTouch Online (BTO) account credentials.
1.
From a system/client that has Internet access, proceed to https://bto.bluecoat.com/licensing. a. Enter your BTO credentials.
b. Navigate to your Content Analysis entitlement and download the license file. 2.
In the License Management section of System > Licensing, click Upload License File. The appliance confirms the upload and installation.
9
Blue Coat Systems, Inc. Content Analysis System 1.2
The Content Analysis Home PageTab Access the Content Analysis System appliance home page by browsing to https://1.2.3.4:8082 (replace 1.2.3.4 with the IP address of Content Anlaysis).
This page displays the current Content Analysis System scanning health and and network statistics. System Health
Displays the current health of the system, specifically the amount of time the service and system have been up, the system's current activity, the AV vendor(s) used on the system, the term of the license, and the date of the patterns installed on the system. Scanned StatisticsObjects Processed
Displays the number of files scanned and malware caught for plain and Secure ICAP. Traffic Statistics
Displays the network traffic statistics and appliance MAC addresses. Information is segregated by Terabytes (TB), Gigabytes (GB), Megabytes (MB), Kilobytes (KB), and Bytes. Graphs here also provide the volume of traffic processed per second. To reset the traffic statistics click Reset All Historical Stats or Reset Interface Stats . This resets the data counter to 0. If you are planning to remove power to the appliance, it is important that you issue the #shutdowncommand to do so. Failing to do so may corrupt your configuration. See "Perform Administrative Tasks from the Command Line Interface" on page 86
10
Blue Coat Systems, Inc. Content Analysis System 1.2
Route Traffic to Alternate Networks Network Route configuration is available in Settings > Network Routes . For deployments where the default gateway does not route traffic to all segments of the network, you can define additional routes . A typical use for the route table is when the SMTP or DNS servers located on an internal network. Routes added here do not affect traffic that is scanned by the appliance; they are only used for connections where Content Analysis is the client. Examples of this include updates of pattern and engine files, checking for updates to the firmware, and sending alerts. To add a route to the table:
1. Identify the network interface that will be used to route traffic to the alternate subnet. 2. 3. 4. 5. 6. 7. 8.
Select Settings > Network Routes . Click Add.The Add Network Route dialog displays.
Destination: Enter the network address for the alternate network. Mask : Enter the subnet mask for the alternate network. Gateway : Enter the IP address for the gateway that will route traffic to the alternate network. Click Add. Click Save Changes . Use the Edit button if you need to change the settings of a route you added. Use the Delete button to delete an added route you no longer need.
11
Blue Coat Systems, Inc. Content Analysis System 1.2
Activate Licensed Components Licensed Components can be managed in System > Licensing. All components used by Content Analysis require a license to operate. After completing the license retrieval task (see Manage the Appliance Licenses and Subscriptions on page 8), review the default and entitled components and enable as required.
1.
Select System > Licensing. The Licensing Activation section of this page contains the following columns: l l l
Active: This column informs you of the activation status of a given component. Component: The name and version number of the anti-virus application. Status: The status of the anti-virus application (Active or Available) and the date and time the license expires.
2. To activate the anti-virus component, select it in the Active column. 3. Click Save Changes .
12
Blue Coat Systems, Inc. Content Analysis System 1.2
Proxy Connections Through a Gateway Device Use this configuration page to define a proxy in networks where your network requires all servers to connect through a proxy to access Internet resources..
1. 2. 3. 4. 5.
Select Settings > Proxy . Enter the Server IP address or hostname and Port for your ProxySG appliance. Enter the proxy authentication Username and Password, if required. Select Enabled. Click Save Changes .
13
Blue Coat Systems, Inc. Content Analysis System 1.2
Identify Content Analysis The Content Analysis name is used when alerts are sent out to recipients, plus in other elements such as the CLI prompt and SNMP logs.
1. Select System > Identification. 2. Enter a unique Appliance Name, which is crucial for easier multi-device management. Consider using a geographic or other location-based name. 3. The Administrator Email identifies the main recipient for this Content Analysis system. For example, if an alert is sent that mentions contacting the Content Analysis administrator, this address is given. 4. Click Save Changes .
14
Blue Coat Systems, Inc. Content Analysis System 1.2
Set the Date/Time Manually Date and Time configuration is available in Settings > Date Time. Content Analysis uses the date and time settings to record events and to track engine file updates. Some AV engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining the most current version of the pattern file. By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you prefer to manually set the date and time on the appliance, do the following:
1. In Date Settings , select the date. 2. In Time Settings , set the hour, minutes, and seconds. 2. Click Save Changes .
15
Blue Coat Systems, Inc. Content Analysis System 1.2
Synchronize the System Clock NTP configuration is available in Settings > NTP. The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver or modem. Content Analysis Includes a predefined list of Blue Coat NTP servers, and attempts to connect to them in the order they appear in the NTP server list. If the Blue Coat NTP servers aren't accessible, or if you want to use a particular NTP server, you can define other NTP servers. In addition, you can reorder the servers to give a specific NTP server higher priority over others. Use the options on this page to have Content Analysis synchronize with Network Time Protocol (NTP) servers.. Configure NTP
1. 2. 3. 4.
Select Settings > NTP. Make sure Enable usage of NTP on device is enabled. Add an NTP server by clicking Add NTP Server. The Add NTP Server dialog displays Define your preferred NTP server by IP address or hostname and click Add. Blue Coat's NTP server addresses are ntp1.bluecoat.com and ntp2.bluecoat.com .
5. (optional) Repeat the process if your organization has multiple NTP servers. 6. Click Save Changes . 7. Click Acquire Time Now (at the top of the page) to force the appliance to synchronize the system time with the configured NTP server. Content Analysis uses the servers in the order they appear on the NTP server list. To change the order, drag and drop the servers to the desired priority position in the list.
16
Blue Coat Systems, Inc. Content Analysis System 1.2
Set the Timezone Use Timezone to use local time instead of UTC time in recording events.Content Analysis uses the date and time settings to record events on the appliance and to track engine file updates. Some AV engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining the most current version of the pattern file. By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you prefer to use the local time instead, configure the appliance to use local time:
1. 2. 2. 3.
Select Settings > Timezone. Select your time zone region from the Time Zone Region drop-down list. Select your local time zone from the Time Zone drop-down list. Click Save Changes .
17
Blue Coat Systems, Inc. Content Analysis System 1.2
Chapter 2: Prepare the Appliance to Scan Data Before the Content Analysis can scan traffic from a ProxySG appliance, it must be configured to accept traffic. The topics in this chapter will help you to ready Content Analysis to receive traffic to be scanned.
Change the Default ICAP Server Ports
20
Define File Type Policy
21
Set AV Scanning Options
23
Bypass Analysis for Known-Good Files (Whitelisting)
27
Sandbox Suspicious Files
28
Report Malware to Blue Coat WebPulse
32
Drop Slow Download Connections
33
18
Blue Coat Systems, Inc. Content Analysis System 1.2
19
Blue Coat Systems, Inc. Content Analysis System 1.2
Change the Default ICAP Server Ports ICAP Server Ports can be configured from Settings > ICAP. Content Analysis receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection. All CAS appliance models support up to 250 simultaneous ICAP connections. Content Analysis supports both Plain ICAP (default), and Secure ICAP. You can change the port, but be advised that this change must occur on both ends of the transaction: Content Analysis the ProxySG appliance ICAP service.
20
Blue Coat Systems, Inc. Content Analysis System 1.2
Define File Type Policy You can configure how Content Analysis reacts when specific file extensions or file types are sent received over ICAP from a ProxySG appliance. File Extensions policy applies to all anti-virus vendors. If you employ Kaspersky or Sophos, you can configure additional Ignore, Scan, and Block policy for types of data.
File Extensions Content Analysis scans files and files within an archive. You can specify file types that are blocked—neither scanned, nor served to the client —or served to the client unscanned (allow). Checks are performed on the original file and files inside an archive. To reduce Content Analysis resource overhead, you can create policy on the ProxySG appliance to restrict specified file extensions from being sent to it for scanning. For more information, see Malware Scanning in the Blue Coat ProxySG Configuration and Management Guide. To specify blocked or passed-through file types:
1. Select Services > AV File Types . The interface displays the Scanning Behavior . 2. Under File Extensions , enter file types as appropriate: a. List files extensions to block —Any file types with these extensions are blocked and not served to the client. b.
List file extensions that do not need to be scanned—Any file types with these extensions are passed to the user, unscanned. If you enable this option, consider the Blue Coat advisory that viruses and other malicious code can be embedded in many file types, including image formats. Use a comma or semicolon as a delimiter to separate file types. For example: .gif; .tif.
3. Click Save Changes . Known File Type Management (Kaspersky or Sophos) In addition to the manual file extensions lists, Content Analysis can, depending on the anti-virus vendor, apply specific rules, (Ignore, Scan, Block ) to specific types of data. This feature is only available if your appliance is licensed to use either the Kaspersky or Sophos AV engine. Instead of simply examining the file extension associated with each file, the appliance examines the apparent data type to determine the correct type of file. Apparent Data Types allow Content Analysis to identify data using the actual file signature and information in the HTTP header rather than by file extensions. For example, it can identify graphics (such as JPG and GIF files), documents, archives, executables, encodings, media, macros, and even recognizes all files within an archived or compound Microsoft file. If an individual file in a compound file is specified to be blocked, the entire compound file is blocked. For example, if a zip file contains Word files and JPG files and by policy Word files are allowed while JPG files are blocked, the entire zip file is blocked.
To specify apparent data types and actions for each type:
21
Blue Coat Systems, Inc. Content Analysis System 1.2 1. In the Global Options field, select Apply Global Options before Sending to Antivirus Engines . This option applies your selected actions against the most common file types. 2.
Click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on. n
Ignore—The file is served back to the ProxySG without being scanned by the Content Analysis System appliance.
n
Block —No scanning occurs and the Content Analysis System appliance returns a response to the ProxySG appliance that the file was blocked (code type: file_type_blocked).
n
Scan—The appliance scans the object for malicious content and returns the content or modified response to the ProxySG appliance
3. For each configured vendor, determine whether to apply Global Options or to use vendor-specific options. To use vendor-specific options, click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on. If you choose to use the unique file options for a specific anti-virus vendor, check the appropriate box or the actions will be ignored. 4.
(Optional) Sophos only—Select Detection of weak types to enable recognition of file types that otherwise might be difficult for the Content Analysis System appliance to identify with 100 percent confidence.
5. Click Save Changes .
22
Blue Coat Systems, Inc. Content Analysis System 1.2
Set AV Scanning Options AV Scanning Option configuration is available in Services > AV Scanning Behavior.
Step 1: Configure Content Analysis to return cached responses. Selecting Enabled configures Content Analysis to return cached responses to the ProxySG appliance when applicable. If the hash of the data matches a file that Content Analysis has already determined to be clean or contain a virus, it returns the cached response. This option allows the appliance to learn about traffic patterns on your network and adjust accordingly.
Step 2: Set the maximum file size. An individual file size cannot exceed the specified size, 5120 MB. This limitation also applies to each file within an archive.
Step 3: Configure policies for anti-virus exceptions. These options define how Content Analysis behaves when a scanning timeout or a scanning error occurs.The behavior is as follows: n n
Block —If selected for an error type, the file is dropped Serve—If selected, the file is passed to the client, unscanned.
The default for all options is Block . The supported scanning errors for different AV vendors are described in the following table.
Error File scanning timeout
Description
Vendors
The time required to scan the file exceeds the specified or appliance limit.
Kaspersky McAfee Sophos
Maximum individual A file size exceeds the specified or maximum appliance limit. file size exceeded
Kaspersky McAfee Sophos
An uncompressed file size exceeds the specified or maximum appliance limit.
Kaspersky McAfee Sophos
Maximum total num- An archive contains more files than the specified or maximum ber of files in appliance limit. archive exceeded
Kaspersky McAfee Sophos
Maximum total uncompressed size exceeded
Maximum number of archive layers exceeded
An archive contains more archive layers than the specified or maximum appliance limit. This option is only supported by Kaspersky and McAfee. Sophos generates an anti-virus engine error, which is categorized by the Other errors policy option
Decode/decompress An error occurred during decoding or during decompression of error a compressed file. For example, a corrupted file or a method used to decompress the file is unsupported.
23
Kaspersky McAfee Kaspersky McAfee Sophos
Blue Coat Systems, Inc. Content Analysis System 1.2 Error
Description
Vendors
Password protected archive
A archive file that requires a password to access.
Kaspersky McAfee Sophos
Out of temporary storage space
The buffer capacity for files to be scanned is full.
Kaspersky McAfee Sophos
Other errors
Any miscellaneous error that causes irregular behavior.
Kaspersky McAfee Sophos
Step 4: Specify vendor-specific options. Set the following vendor-specific options: n
Engine Settings
n
File Scanning Timeout
n
File Size/Count Limitations
Engine Settings The following table describes the vendor-specific engine settings.
Option
Vendors
Detect Spyware
Kaspersky Disabled
Detect Adware
Default
McAfee
Enabled
Sophos
Disabled
Kaspersky Disabled
Notes
Detect Adware is disabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware.
24
Blue Coat Systems, Inc. Content Analysis System 1.2 Option
Vendors
Default
Enable Antivirus engine heuristic
Kaspersky Disabled
Notes This option enables the appliance to catch potential viruses for which pattern signatures might be unavailable.
Because the Kaspersky anti-virus engine heuristics option requires additional system resources, Blue Coat recommends that you verify that CPU usage is within the normal operating range for the appliance before enabling heuristics. Note: Do not enable Kaspersky heuristics if the current CPU utilization is in a Warning or Critical state. Detect Potentially Unwanted Applications (adware)
Sophos
Enabled
Use Sophos Weak Types
Sophos
Disabled
This option detects adware.
File Scanning Timeout File scanning timeout is the maximum length of time the file is scanned by the system. When the timeout value is reached, the scan is abandoned.Some files, though not viruses themselves, are designed to disable a virus scanner. Although these files cannot disable a Content Analysis, they could use up system resources and slow down overall throughput. Defining a timeout value allows the system to reclaim some of its resources. The default is 800 seconds; a value between 10 and 3600 seconds (60 minutes) is valid.
File Size/Count Limitations Maximum Total Uncompressed Size: This option is included in the vendor-specific settings. An uncompressed file or archive cannot exceed the specified size (MB). The maximum is 5120. Maximum Total Number of Files in Archive: This option is included in the vendor-specific settings. An archive cannot contain more than the specified number of files. Maximum Archive Layers : This option is included in the vendor-specific settings. An archive is a file containing multiple files and a folder structure. It cannot contain more than the specified number of layers (directories). The maximum is:
25
Blue Coat Systems, Inc. Content Analysis System 1.2 n
McAfee: 300
n
Sophos: 100
n
Kaspersky: 40
If any of these options are exceeded, the object is not scanned. After completing these steps, click Save Changes .
Click Default Settings to restore all configurations to a default state.
26
Blue Coat Systems, Inc. Content Analysis System 1.2
Bypass Analysis for Known-Good Files (Whitelisting) Whitelisting configuration is available in Services > Whitelisting. Whitelisting is a cloud-based service used by Content Analysis to improve the efficiency of threat analysis. If a user on your network requests a file, Content Analysis sends a hash of that file (containing the filename and the URL from which it was requested) to the Whitelisting service for comparison. If the file is in the Whitelist database, the service returns a trust score for that file. Content Analysis uses the whitelisting score, to determine the next step: l
l
If the file has a trust score that is unknown or lower than the configured threshold, it will subject the file to anti-virus and sandbox analysis. If the file has a trust score above your configured trust threshold, no further scanning will take place and the Proxy will be instructed (via a 200 OK ICAP response) to serve the file to the user who requested it.
As files are scanned by the anti-virus engines, positive results are shared with the whitelisting service. To use whitelisting, ensure that Content Analysis has an active license and that it can access https://contentanalysis.es.bluecoat.com. About Trust Scores
A Trust Score is a number that represents the file's level of trust from a known and trusted source. The higher the number, the greater the trust. For example:
Trust Score
Meaning
0
File is likely malicious
2-3
Gray file (unknown if file is malicious)
7 or above
File comes from known trusted source
Seven is the default value for the minimum trusted score and is the best practice value for most deployments. However, you can adjust the trusted score minimum value if your situation dictates it.
1. Select Services > Whitelisting. 2. Enter a number in the Trusted whitelisting score value box. 7 is the default and best practice value for most deployments. 3. Click Save Changes .
27
Blue Coat Systems, Inc. Content Analysis System 1.2
Sandbox Suspicious Files Sandbox Configuration is available in Services > Sandboxing When Content Analysis Systemdetects a suspicious file that's not on the whitelist and doesn't match any known malware signatures, the appliance can forward the file to a sandbox to analyze it. Sandbox analysis uses virtual machine environments to safely execute suspicious files. As files are executed, the sandbox monitors for malicious URL web requests or changes to Windows system files.
Scanning results vary from vendor to vendor. Supported Sandboxing Vendors
Content Analysis supports two sandboxing vendors: Blue Coat Malware Analysis Appliance (MAA) and FireEye. Both vendors use Windows virtual machines to execute files, but each vendor produces unique results when evaluating threats. l
l
The Blue Coat Malware Analysis Appliance (MAA) evaluates the threat of a given file and provides a threat score as a number between 1 and 10. The higher the number, the greater the threat. Based on the threat threshold you set in the Edit Sandboxing Vendor configuration, Content Analysis sends an alert every time a scan results in a value equal to or greater than the defined threshold. The FireEye (http://www.fireeye.com/) appliance scan results in a simple Yes or No report. Content Analysis sends an alert when a Yes response is received. Sandboxing requires an active license to operate and all sandboxing servers must be configured before you can use the Content Analysis sandboxing feature. Refer to your sandboxing server's documentation for installation and configuration instructions.
Configure Malware Analysis Appliance Sandboxes
Content Analysis supports multiple Malware Analysis Appliances (MAAs). If more than one MAA is configured, traffic is sent to each in round-robin fashion. Analysis traffic is balanced based on the processing queue and system health of each configured and enabled appliance. The MAA service health and queued analysis connections can be identified from the MAA management console. Analysis queues are managed separately for SandBox and IntelliVM profiles waiting to be processed.
1. In the Vendors section, select Blue Coat Malware Analysis Appliance and click Edit. The Edit Sandboxing Vendor Information window displays. 2. Click the Add button under Servers . The Add Sandboxing Server dialog displays. 3. Enter the IP address and administrative credentials used to access the sandbox appliance. 4. Check the Enabled box and click Ok . 5. (optional) Select a server and click Test to validate the configuration. 6. (optional) repeat steps 3-5 to add additional MAAs to your sandbox configuration.
28
Blue Coat Systems, Inc. Content Analysis System 1.2
7. Select the check mark next to one or more available IntelliVM Profiles . If you enable more than one, each enabled MAA will execute suspicious files in each IntelliVM profile as well as in sandbox emulation, if that option is enabled. 8. Click Ok . 9. Click Save Changes . Make sure that the naming for each IntelliVM profile on each MAA is consistent. If one MAA has a Windows 8 profile with the name "Windows8", every enabled MAA must have a Windows 8 IntelliVM profile with that same name. Content Analysis will report an error if an enabled profile does not exist on all enabled Malware Analysis Appliances.
29
Blue Coat Systems, Inc. Content Analysis System 1.2 Configure a FireEye Sandbox
1. In the Vendors section, click the FireEye line to select it, then click Edit. The Edit FireEye Settings window displays. 2. Enter the server IP address and administrative credentials used to access the FireEye appliance.
3. Check the Enabled box and click Ok . Unlike with the MAA server configuration, the FireEye server configuration does not provide a threshold configuration, as scans result in either a positive or negative malware found response. Set File Types to be Sandboxed
The File Types section provides a list of executable file types known to be used to distribute malware. Select the file types you want to send to the sandboxing servers for analysis.
If you know of a file type that may contain malware that is not in this list, add that extension to the File Type Extensions box at the bottom of this section.
Configure Sandbox Reporting
You must have Blue Coat Security Analytics Platform installed and configured before you can integrate it with Content Analysis. The alert mechanism you have selected (email, local log, syslog or SNMP trap) for sandboxing alerts will contain a link to the report on Security Analytics server. Due to the dynamic nature of this report and the time taken to collect data, you may need to examine the Analytics report several times before all activity visible.
1. Click the Enable Report check box. 2. Enter the server IP address or hostname in to the Server field.
30
Blue Coat Systems, Inc. Content Analysis System 1.2 3. The Security Analytics Platform constantly records all network traffic activity. When malware is detected, the report that is generated can include a window of activity; showing the events before and after detection. Set Minutes Before Event and Minutes After Event to define the breadth of this report.
31
Blue Coat Systems, Inc. Content Analysis System 1.2
Report Malware to Blue Coat WebPulse Enable WebPulse notifications in Services > WebPulse. After the Blue Coat Malware Analysis Appliance scans a file that returns a score of 7 or higher, or a FireEye appliance returns a positive malware verdict, the threat information, (a hash of the file, the file name, the URL and other meta data) is sent to the Blue Coat Threat Labs for further analysis. If that analysis determines that the file is not malware, the URL is classified appropriately. If the malware analysis yields a positive result for malware, the Blue Coat Web Filter service is updated for all users worldwide with the URL and file hash classified as malware. The hash of the file is also added to the cache database on the Content Analysis appliance so that it can block future threats at both the file and URL levels. Enable Web Pulse Threat Collaboration
To share this information with Blue Coat's WebPulse service, and confirm that you have the best protection, make sure that the checkbox on this screen is enabled. If it's not, check it and click Save Changes to commit the change. The WebPulse collaborative defense powers Blue Coat’s Web Security portfolio, delivering fast and effective Web 2.0 threat protection for 75 million users worldwide.
This option is enabled by default.
32
Blue Coat Systems, Inc. Content Analysis System 1.2
Drop Slow Download Connections ICTM configuration is available in Settings > ICTM . Intelligent Connection Traffic Monitoring (ICTM) monitors connections between your Proxy and Content Analysis. If connections take longer to complete than expected, (such as with infinite stream data, like stock tickers or Internet radio), ICTM drops the connection to keep resources available for scanning other objects. When ICTM is enabled, the system checks for slow downloads and compares the number of concurrent slow ICAP connections to the warning and critical thresholds. If the warning threshold is reached, the appliance notifies the administrator of the dropped URLs (through an e-mail or SNMP trap, if the option is selected). You can use this information to create policy on the Proxy to ignore these URLs or URL categories in the future. If the critical threshold is reached, Content Analysis terminates the oldest, slowest connections so that the level below the threshold is maintained.
1. Select Enable Intelligent Connection Traffic Monitoring (ICTM) . 2. Specify how many seconds a connection lasts before it is determined to be a slow download. The minimum is 30 seconds. Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted on suspected infinite stream URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination before the download is complete. 3. Specify the warning threshold: a. Specify how many concurrent connections that have exceeded the duration specified in Step 2 before a warning message is sent. The allowed maximum is the maximum number of ICAP connections allowed by Content Analysis; the value varies by hardware model. By default, an e-mail warning is sent if this threshold is reached. The e-mail is sent to recipients specified on the Alerts > Alerts Settings page. If you disable this option, no warning is sent and nothing is logged in the Content Analysis log file.
b. Specify the time interval, in minutes, that Content Analysis repeats the warning messages while the appliance remains in a warning state. c. Specify the critical threshold. If the number of concurrent slow connections reaches this threshold, system drops enough of these connections (beginning with the oldest connections) to maintain a level below the critical threshold. Oldest connections are dropped first. 7. Click Save Changes . Default Threshold Values n n
Warning threshold: 70% of the recommended maximum ICAP connections Critical threshold : 90% of the recommended maximum ICAP connections
33
Blue Coat Systems, Inc. Content Analysis System 1.2
Chapter 3: Scan Proxied Traffic Before Content Analysis can handle traffic, you must configure your ProxySG appliance to send traffic to it.
Traffic is sent from the Proxy to Content Analysis using the Internet Content Adaptation Protocol (ICAP). When a user requests content from the Internet, it is forwarded to Content Analysis for processing. The data is first compared against the file whitelist, then scanned for malware with the vendors you have configured on the appliance. If the file does not match any known signatures, but appears to be a suspicious executable file, Content Analysis forwards that file to a sandbox, where it is executed and monitored to determine what type of threat (if any) the file poses to the user and the network. While Content Analysis can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS 6.5.1 or higher, and arbitrary ICAP header parsing requires SGOS 6.5.2.1. Because of this, the ProxySG appliance that communicates with Content Analysis should run SGOS 6.5.2 or higher.
To have Content Analysis scan the traffic your users request, configure the Proxy to identify the types of data it will scan. The proxy has two methods to achieve this: manual and automatic . The manual configuration requires that you create policy to trigger the ICAP connection for destination URLs, categories and file types. The automatic configuration relies on the Malware Scanning option that provides a threshold configuration to determine how strict content scanning will be, while the manual configuration requires policy to be set that defines the traffic to be scanned.
34
Blue Coat Systems, Inc. Content Analysis System 1.2
Enable Secure ICAP Connections
36
Manually Configure an ICAP Service on the ProxySG
39
Automatically Configure an ICAP Service on the ProxySG
41
Configure ICAP Policy
44
Configure Scanning Exemption Policies
46
Troubleshoot ICAP Errors
49
35
Blue Coat Systems, Inc. Content Analysis System 1.2
Enable Secure ICAP Connections By default, Content Analysis receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection. This occurs on port 1344, which is the Plain ICAP port. For heightened security, you can enable a secure connection between Content Analysis and the ProxySG appliance. n
If the ProxySG appliance supports only Plain ICAP connections, you cannot enable secure ICAP.
n
After your appliance is configured initially, you must create a new certificate. The default certificate does not contain information, such as the common name field, that can be validated by the ProxySG appliance. Such information must resolve to the Content Analysis hostname or IP address.
Configure Content Analysis to receive secure ICAP connections. 1. Select Settings > ICAP. 2. Secure the connection.
a. Select secure. b. The default secure Port is 11344. You can change the port, but be advised that this change must occur on both ends of the transaction: Content Analysis and the ProxySG appliance secure ICAP service. c. Select plain if you want to allow an non-secure, backup connection over the plain port should the ProxySG appliance not be able to send a secure connection. This might occur if there is a certificate mis-match or other issue on the ProxySG side of the transaction. 3.
Generate the secure connection certificate.
a. On the Settings > ICAP page, click Certificate Management. The interface displays the Certificate Management dialog. b. The Current Information tab displays what is in the current appliance certificate. If any of that information is incorrect, click Create Certificate.
36
Blue Coat Systems, Inc. Content Analysis System 1.2
c. Select Custom Parameters . d. Enter the various entity information. e. Enter a recipient Email , who gets notified upon if there are problems with the certificate. f. Select a Date Valid until value. This is the expiry date for the certificate. g. Set the Size value, which is the key length used to encrypt the certificate. Standard sizes are 1024, 2048 and 4096. h. Click Save Changes to generate the certificate. The certificate file downloads to your default download folder. i. Click Current Information and Download Public Key to save the certificate file to your local system. Import the certificate and enable secure ICAP connections between the ProxySG and Content Analysis. 1. Log in to the ProxySG appliance Management Console. 2. Navigate to Configuration > SSL > CA Certificates .
37
Blue Coat Systems, Inc. Content Analysis System 1.2 3.
Import the certificate you created previously.
a. Click Import. The Management Console displays the Import External Certificate dialog. b. Name the CA Cert. c. Open the CAS appliance certificate in a text editor on your system and copy all text including: ----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. d. Click Paste From Clipboard to add the certificate to the CA Certificate PEM field. e. Click OK to close the dialog; click Apply . 4.
Add the certificate to the approval list.
a. Select SSL > CA Certificates > Certificate Lists . b. Select the AV_Approval CA Certificate list and click Edit. c. Select your new certificate from the list on the let and click Add>> to add the certificate to this CA certificate list. 5. 6. 7. 8. 9.
d. Click OK ; click Apply . Navigate to External Services > ICAP. Select your CAS ICAP service object in the list and click Edit. Add a check next to This service supports secure ICAP connections . Select AV_SSL from the SSL Device Profile drop-down menu. Click OK and Apply . Edit the ICAP service object again and click Sense Settings to verify your configuration.
38
Blue Coat Systems, Inc. Content Analysis System 1.2
Manually Configure an ICAP Service on the ProxySG The ProxySG appliance requires an ICAP service object to communicate with Content Analysis. If you are enabling Secure ICAP this topic assumes that you have completed the steps in Enable Secure ICAP Connections on page 36.
1. Log in to the ProxySG appliance Management Console. 2. Add a new ICAP service. a. Select Configuration > External Services > ICAP. b. Click Add. The Management Console displays the Add List Item dialog. c. Enter a name for the CAS appliance and click OK d. Click Apply . 3. Select the new entry in the list and click Edit. The Management Console displays the Edit ICAP Service dialog.
a. Enter the Service URL, which is the Content Analysis ICAP address. The format is as follows: icap://IP_address/avscan, where IP_address is the Content Analysis IP address or hostname. b. Select the ICAP Service Ports per your deployment.
39
Blue Coat Systems, Inc. Content Analysis System 1.2 n
The default service is a Plain ICAP connection.
n
If you enabled (or plan to enable) a Secure ICAP connection between the ProxySG appliance and Content Analysis, select that option and from the SSL Device Profile drop-down list, select the certificate that you created.
n
If you enable secure connections, you can select both options so that in the event there is a certificate match or another error, the AV scan occurs over the plain connection. If you select only the Secure option, the ProxySG appliance does not forward the scan request in the event of a secure connection error.
c. Select Send options—Client Address , Server Address , Authenticated User and Authenticated Groups —to forward this information with each file sent over ICAP. This ensures that all threat reporting bears the appropriate information. d. Click Sense Settings to prompt the ProxySG appliance to query Content Analysis for the optimal ICAP settings. e. Click OK to close the dialog. 4. Click Apply .
40
Blue Coat Systems, Inc. Content Analysis System 1.2
Automatically Configure an ICAP Service on the ProxySG Malware Scanning uses a set of predefined ICAP scanning policies to protect your network and users from malicious content. Once Malware Scanning is enabled, your appliance will send traffic to your ICAP device, (either ProxyAV or Content Analysis System ) to be scanned for malware and threats.
Configure Malware Scanning
1. Log in to the ProxySG appliance Management Console. 2. Select Configuration > Threat Protection > Malware Scanning. 3. Add the CAS appliance.
a. Click New. The management console displays the Add ProxyAV ICAP Server dialog. b. Enter the IP address or hostname for Content Analysis. c. Select the ProxyAV Ports per your deployment (applies to Content Analysis appliances). n The default is Plain ICAP connections . n If you enabled (or plan to enable) a Secure ICAP connections between the ProxySG appliance and Content Analysis, select that option. n If you enable secure connections, you can select both options so that in the event there is a certificate match or another error, the AV scan occurs over the plain connection. If you select only Secure, the ProxySG appliance does not forward the scan request in the event of a secure connection error. d. Click OK.
41
Blue Coat Systems, Inc. Content Analysis System 1.2 4. The Malware options on the bottom of the page are now selectable.
a. (Optional) Change the protection level from the default of High Performance to Maximum Protection, to scan all files, rather than those that are typically vectors for viral attacks. This can unnecessarily cause Content Analysis to use more resources than necessary as it has to scan all data users request from the Internet. If your organization does not have a policy that requires all data to be scanned, use the High Performance Protection Level setting. b. The Connection Security options apply if you have enabled secure ICAP. You can instruct the ProxySG appliance when or when not to use secure connections. c. For the best security, Blue Coat recommends leaving the default Actions on Unsuccessful Scan option to Deny the client request. 5. Select Enable Malware Scanning box and click Apply . Optimize the ICAP Configuration
With Malware Scanning enabled, the next step is to optimize the ICAP service object.
1. In the ProxySG management console, browse to Configuration > External Services > ICAP. 2. Here, you'll notice that there is a service called proxyav1. This object was created when you created a new Malware Scanning object. Select proxyav1 and click Edit. The Edit ICAP Service proxyav1 dialog displays.
42
Blue Coat Systems, Inc. Content Analysis System 1.2
3. Click Sense Settings . A confirmation dialog appears, click OK. The ProxySG appliance queries Content Analysis to determine the optimal settings for ICAP connections and timeout values and sets them in the ICAP service object. 4. Click OK and Apply to save the optimized ICAP service settings.
43
Blue Coat Systems, Inc. Content Analysis System 1.2
Configure ICAP Policy Once you have defined an ICAP request modification object, you can use policy on the ProxySG appliance to send traffic to Content Analysis. Create a default rule to send traffic to the Content Analysis with ICAP
This step is only required for manual ICAP configurations. If you use the Automatic configuration with Malware Scanning, skip this step and proceed to the other policy examples.
1. Log in to the ProxySG appliance Management Console. 2. 3.
Launch the Visual Policy Manager from Configuration > Policy > Visual Policy Manager. Click Policy > Add Web Content layer.
4. Name the new layer ICAP Scan. 5. Right-click the action field in the rule. Click New > Set ICAP Response Service.
6. Select the ICAP service you created in the Management Console and click Add to move it to the box on the right. 7. Choose a failure method. Select either Deny the client request, (fail closed) or Continue without fur-
44
Blue Coat Systems, Inc. Content Analysis System 1.2 ther ICAP processing (fail open). 8. Click OK, OK and Install Policy to commit this change to the appliance.
45
Blue Coat Systems, Inc. Content Analysis System 1.2
Configure Scanning Exemption Policies Whether you've used an automatic ICAP configuration with Malware scanning or a manual configuration with an ICAP request modification rule in the VPM, you may find that your organization needs to exempt specific destinations from ICAP scanning. If a destination URL, category or file type is trusted, you may decide not to have that traffic scanned. The examples provided in this topic detail the steps to configure the most common types of ICAP exemptions. If you are using the Malware Scanning configuration, add a new Web Content layer from the Policy menu, label it ICAP Scan and proceed with the steps below. If you have configured a manual ICAP scan policy instead, the proceeding policies must be positioned above your existing ICAP scan rule. Exempt a domain from scanning
1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section. 2. Right-click the action field in this rule. Click New > Set ICAP Response Service. 3. Name the new object DoNotScan and select Do not Use any ICAP response service.
4. Click OK, and OK.
46
Blue Coat Systems, Inc. Content Analysis System 1.2 5. Right-click the destination field in this new rule. Click Set > New > Request URL. 6. Enter www.bluecoat.com (replace with a domain you would like to exempt from ICAP scanning). Click Add, Close, OK and Install Policy.
Exempt a category from Scanning
Because some media streams come without end, sending those streams to an ICAP appliance for scanning can lead to delays in processing other traffic. As a best practice measure, follow these steps to defer the streaming media category from being ICAP scanned.
1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section. 2. Right-click the destination field in this new rule, click Set > New > Request URL Category . Extend the Blue Coat categories list , select TV/Video Streams . Name the object TV/Video Stream Category .
3. Click OK, OK, and Install Policy. Show Screen
Use policy to react to specific ICAP scan results
SGOS 6.5.2.1 introduced the option to define policy to take action based on the results of ICAP scanning. See the Troubleshoot ICAP Errors topic for the available policy triggers. In this example, we want to allow users to download archive files such as zip, rar or, gz, if they are password protected and from a trusted domain. To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must use the Continue without ICAP/Malware Scanning option enabled to be able to take action on a given request.
1. Add a new Web Access Layer and name it ICAP Error Actions . 2. In the Edit menu, select Reorder Layers . Position the ICAP Error Actions layer below your ICAP Scan layer. 3. Right-click the destination field, click Set > New > Request URL.
47
Blue Coat Systems, Inc. Content Analysis System 1.2 4. Enter the domain name of the URL in question. In this case, we'll use www.example.com . Click Add, Close, and OK. 5. Right-click the Service field in the new rule, click Set > New > ICAP Error Code. 6. Select Password Protected Archive, click Add, OK, and OK.
7. Right-click the Action field and select Allow and click Install Policy.
48
Blue Coat Systems, Inc. Content Analysis System 1.2
Troubleshoot ICAP Errors ICAP error codes are available as objects in policy for the Content Analysis ICAP server only and are useful for creating policy that is flexible and granular. SGOS 6.5.2 introduced policy actions to react to the results of an ICAP scan. See the ICAP Policy Content Analysis Exemption Policy topic for an example on working with the response codes below in policy. To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must use the Continue without ICAP/Malware Scanning option enabled to be able to take action on a given request.
The following table lists common ICAP errors that the Proxy can address in policy: ICAP Error Codes Available in Policy
ICAP Error Code
VPM Object Name Description
Anti-virus Engine Failure
Anti-virus Engine Failure
The ICAP appliance was unable to load the configured antivirus scanning engine.
Anti-virus License Expired
Anti-virus License Expired
The anti-virus license on the ICAP device has expired.
Anti-virus Load Failure
Anti-virus Load Failure
The ICAP device responded to the ICAP request, but was unable to begin the file scan because the service was unavailable.
Connection Fail- Connection Fail- A connection to the ICAP device could not be established. ure ure Decode error
Decode Error
Error detected during file decompression/decoding.
File Extension Blocked
File Extension Blocked
The ICAP device has the requested file extension set to Block.
File Type Blocked
File Type Blocked
The ICAP device identified the file type from the file's header and found that the detected file type is set to Block.
ICAP Connection ICAP Connection A configuration mismatch has occurred with plain and Mode Not SupMode Not Supsecure ICAP settings. Verify that your ICAP appliance and ported ported ProxySG appliance ICAP service and policy objects all support the same set of secure and insecure connection methods. ICAP Connection ICAP Connection A connection with the ICAP device could not be established. Unavailable Unavailable ICAP Security Error
ICAP Security Error
A connection was established with the ICAP device but the security settings between the ProxySG appliance and the ICAP device could not be negotiated.
Internal Error
Internal Error
The ICAP device reported an unspecified error that prevented the file from being scanned.
49
Blue Coat Systems, Inc. Content Analysis System 1.2
ICAP Error Code
VPM Object Name Description
Password Protected
Password Protected Archive
Archive file could not be scanned because it is password protected.
Insufficient Space
Insufficient Space
Indicates that the disk is full.
Maximum Archive Layers Exceeded
Maximum Archive Layers Exceeded
The ICAP device reported that the configured maximum layers permitted in an archive file have been exceeded.
Max file size exceeded
Maximum File Size Exceeded
Maximum individual file size to be scanned exceeds settings in configuration. The maximum individual file size that can be scanned depends on the RAM and disk size of the ProxyAV model.
Maximum Total Files Exceeded
Maximum Total Files Exceeded
The requested file exceeds the configured maximum number of files permitted in a single archive file.
Maximum Total Size Exceeded
Maximum Total Size Maximum total uncompressed file size exceeds settings in Exceeded configuration. The maximum limit varies by ProxyAV model.
Request Timeout
Request Timeout
Scan timeout
Scan Timeout
The requested file failed to load, as the connection with the origin content server timed out. Scan operation was abandoned because the file scanning timeout was reached. The default is 800 seconds.
Server Error
Server Error
The origin content server responded to the user's request to serve a file with an error.
Server Unavailable
Server Unavailable
The origin content server hosting the requested file is unavailable.
50
Blue Coat Systems, Inc. Content Analysis System 1.2
Chapter 4: Monitoring and Alerts As the CAS appliance scans data, statistics for virtually every activity are tracked and either graphed or added to a report. Using the various statistical reports, you can plan policy changes or determine the effectiveness of features such as cached response and sandboxing.
View the CPU Usage Report
53
View the Memory Usage Report
54
View ICAP Connections Data
55
View Ethernet Adapter Statistics
56
View Historical Connection Data
57
Scan Results
58
Cache Hits
60
View the Sandboxing Report
61
View the ICAP Bytes Report
62
View ICAP Object Scan History
63
View Current Connection
64
Manage the System Logs
65
Configure SNMP
65
Set Log Parameters
65
Review System Activities
66
Set Up Alert Delivery Methods
68
Configure E-Mail Alerts
69
Configure SNMP
69
Configure Syslog
70
Customize Alert Messages
70
51
Blue Coat Systems, Inc. Content Analysis System 1.2
52
Blue Coat Systems, Inc. Content Analysis System 1.2
View the CPU Usage Report CPU historical statistics are available in Statistics > CPU Usage. The CPU Usage report shows CPU utilization, as represented as a percentage of available cycles at a given point in time, for Content Analysis. Content Analysis displays information for the past hour, the past day, and month. If you find that the CPU consistently uses over 90% of the available cycles, you can reduce load on the appliance by applying policy to the associated Proxy to restrict the types of files sent to Content Analysis. If this behavior persists, your Content Analysis system may be undersized for the amount of traffic your users generate.
53
Blue Coat Systems, Inc. Content Analysis System 1.2
View the Memory Usage Report Memory usage statistics are available in Statistics > Memory Usage. Content Analysis displays memory usage information for the past hour, day, and month on this page. It is normal to see occasional spikes in memory usage during periods of high load, but if Content Analysis sustains a memory utilization value beyond 90% for more than a day, consult Blue Coat technical support for assistance.
54
Blue Coat Systems, Inc. Content Analysis System 1.2
View ICAP Connections Data ICAP Connection historical statistics are available in Statistics > Connections . This report tracks the number of connections on Content Analysis over the past hour, day, or month.
55
Blue Coat Systems, Inc. Content Analysis System 1.2
View Ethernet Adapter Statistics Ethernet Adapter statistics are available in Statistics > Ethernet. The Ethernet report lists the statistics for each network interface on the appliance.
Ethernet Adapter Media Type Item
Description
Auto-neg
Displays the results of link auto-negotiation (true or false)
Current Duplex
Displays the duplex value of the established connection (FULL, HALF, or DISCONNECTED, UNAVAILABLE)
Current Speed
Displays the current adapter speed In Mega Bits per second, 10, 100, or 1000
The Received table displays the following information for each network interface:
Item
Description
packets
The number of data packets that were received on the interface
error
The number of Ethernet errors detected on the interface
dropped
The number of packets dropped at the interface based on ICTM monitoring
fifo
First in, first out errors detected on the interface when packets are received in incorrect order
frame
Frame errors detected
compressed
The number of compressed packets received by the interface
multicast
The number of multicast packets received by the interface
The Transmitted table displays the following information for each network interface:
Item
Description
packets
The number of data packets that were sent on the interface
error
The number of Ethernet errors detected on the interface
dropped
The number of packets dropped at the interface based on ICTM monitoring
fifo
First in, first out errors detected on the interface when packets are sent in incorrect order
collision
The number of Ethernet collision errors detected
carrier
Displays the International Carrier Code, if applicable
compressed
The number of compressed packets transmitted by the interface
56
Blue Coat Systems, Inc. Content Analysis System 1.2
View Historical Connection Data Connection Data historical statistics are available in Statistics > Historical Connections . You can track the scan history details such as the filename and URL on which it was found here.
View Request History
1. Set the number of requests to display by entering the number in the Collect last __ requests and click Save Changes . 2. Click Refresh to display the request history list. This report contains the following columns.
Column
Description
Date
The date the ICAP scan finished.
URL
The URL from which the file was retrieved.
Client IP
The IP address of the client requesting the file.
Note: To display IP addresses, the ProxySG appliance that sends traffic to this Content Analysis must have Send Client Address enabled in the ICAP service object. Size
The size of the file that was scanned.
Result
The result of the scan. See Scan Results for more information.
Duration (ms)
The amount of time taken to scan the file, measured in milliseconds.
Mode
The file was sent to Content Analysis through either Secure or Plain ICAP service.
57
Blue Coat Systems, Inc. Content Analysis System 1.2
Scan Results Refer to the proceeding table to understand the results of past ICAP scans for Historical Connections.
Result
Description
Clean
The file contained no threats.
Parameter Error
Incorrect scan parameter defined.
Password Protected
The file could not be scanned as it is protected by a password.
Unsupported Compression
The file uses an unsupported compression method.
Corrupt Archive
The archive file, (zip, rar, gz) could not be opened because it is corrupted.
Too Many Layers
The archive file exceeds the maximum number of archive layers supported.
Unsupported
The file is not a supported type for analysis.
Too Large
The file exceeds the maximum file size limitation.
Uncompressed Size Too Large
The archive file exceeds the maximum file size limitation.
Too Many Files in Archive
The archive file (zip, rar, gz) exceeds the limit of files in an archive.
Blocked Extension
The file was blocked based on the AV File Type configuration.
Ignored Extension
The file was not scanned, based on the AV File Type configuration.
Ignored Type
The file was not scanned, based on the apparent data type of the file.
Timeout
The scan process failed, waiting for the end of the file. Enable ICTM in Settings > ICTM if this message appears frequently.
No Patterns
The anti-virus pattern was not available for the active antivirus vendor.
Update Error
An error occurred during the anti-virus pattern update. The file was not scanned.
Invalid Option
A required scan option is not defined. The file was not scanned.
License Expired
The license for the component required for scanning has expired. The file was not scanned.
Internal Error
An internal error occurred. The file was not scanned.
Unknown Error
The file was not scanned due to an unexpected error.
Virus
A virus was found during the scan.
Blocked Type
The file was blocked based on the apparent data type of the file. (Kaspersky or Sophos only).
58
Blue Coat Systems, Inc. Content Analysis System 1.2 Result
Description
Insufficient Resources
The appliance has exceeded the available resources, (CPU, Disk, Memory). The file was not scanned. To determine the cause of resource issues, review the Content Analysis .
Internal AV Error
The anti-virus engine experienced an issue while scanning the file.
AV Load Error
The anti-virus engine failed to load.
Out of Memory
The appliance ran out of available memory while the file was being scanned.
59
Blue Coat Systems, Inc. Content Analysis System 1.2
Cache Hits Cache Hit historical statistics are available in Statistics > Cache Hits . The Cache Hits report shows how many files have been served to users without scanning, because those files were found to match a hash of an earlier successful scan. Information is shown for the past hour in the minutes graph, the past day in the hours graph, and the past month in the days graph. See Set AV Scanning Options on page 23 to enable Cached Responses.
60
Blue Coat Systems, Inc. Content Analysis System 1.2
View the Sandboxing Report Sandboxing statistics are available in Statistics > Sandboxing. The Sandboxing report shows the number of files sent to the configured external sandboxing servers over the last 60 minutes, 24 hours or 30 days.
61
Blue Coat Systems, Inc. Content Analysis System 1.2
View the ICAP Bytes Report ICAP traffic byte statistics are available in Statistics > ICAP Bytes Processed. The ICAP Bytes report allows you to monitor how much ICAP traffic, in bytes, Content Analysis has processed in the past hour, day or month.
62
Blue Coat Systems, Inc. Content Analysis System 1.2
View ICAP Object Scan History ICAP Object available in Statistics > ICAP objectsObjects Processed. The ICAP Objects Processed report shows how many objects (files) Content Analysis has scanned in the past hour, day, or month.
63
Blue Coat Systems, Inc. Content Analysis System 1.2
View Current Connection Current Connection statistics are available in Statistics > Current Connections . You can review all scanning requests in real time here. Connection Request Columns
Column
Description
Date
The date the ICAP scan was started.
URL
The URL from which the file was retrieved.
Client IP
The IP address of the client requesting the file.
Size
The size of the file being scanned.
State
The state of the scanning process. Available states are Reading, Queued and Scanning.
Duration (ms)
The amount of time taken to scan the file, measured in milliseconds.
Mode
The service module currently being used to scan the file (AV, caching, whitelisting or sandboxing).
Click the Refresh button to update the statistics in this report .
In order for the Client IP column to display IP addresses, the ProxySG appliance that sends traffic to this Content Analysis has to have Send Client address enabled in the ICAP service object.
64
Blue Coat Systems, Inc. Content Analysis System 1.2
Manage the System Logs Every action performed by Content Analysis is logged to either a file or a remote server (such as an SNMP or syslog server). Follow the steps detailed in this section to configure reporting for your environment.
Configure SNMP
65
Set Log Parameters
65
Review System Activities
66
Configure SNMP SNMP configuration is available in Settings > SNMP. To integrate with network management tools, you can specify the SNMP password (community string) and download Management Information Base (MIB) files. Content Analysis supports SNMPv2 and SNMPv3.
1. Type a password in Read Community . 2. Retype the password in Verify Read Community . 3. Click Save Changes . Download MIBs
A MIB is a document (written in the ASN.1 data description language) that contains descriptions of managed objects. SNMP uses a specified set of commands and queries, and the MIBs contain information on these commands and the target objects. MIBs are typically read using MIB browsers.
1. Click Download MIBs on the SNMP settings page. 2. Save the downloaded mib.zip file to your local workstation. 3. Install the MIB file into your preferred SNMP analysis tool and follow the directions supplied by the tool's vendor to connect to the CAS appliance .
If you are replacing a ProxyAV appliance, please note that the iso.org.dod.internet.mgmt.mib-2 Object IDs are not supported on Content Analysis.
Set Log Parameters Log parameter configuration is available in Settings > Logging. Use these settings to set logging options for various modules. Each module is a section of code that serves a certain purpose (such as Audit, ICAP, INTERNAL, and SNMP). Logging by module allows a more finite understanding of what is occurring in the product. Use the File column to define how much
65
Blue Coat Systems, Inc. Content Analysis System 1.2 detail is included in the log file that is saved to the appliance, and the Syslog column to specify the detail level of events sent to your Syslog server.
1.
2.
In the File and Syslog columns, click the row corresponding to the module you want to edit.The interface displays a drop-down, as shown below.
Do one of the following:
a.
In the drop-down list, select a file error severity level for the module, None, Critical , Error, Warning, Info, Debugging. Setting the severity alters how verbose each log message is, from most verbose, (DEBUGGING ) to least (CRITICAL). Select NONE to disable log reporting for each of the output options.
The previous setting remains highlighted for reference.
b.
Enter your own descriptive severity level text: i. Note the flashing cursor.
ii. Backspace to delete the message text. iii. Enter new text, as shown by the example below. In this case, we entered "Network."
3. Click Save Changes .
Review System Activities The system logs can be viewed in Utilities > System Logs .
66
Blue Coat Systems, Inc. Content Analysis System 1.2
Use this page to review the Content Analysis subsystem activity logs. All functions performed by Content Analysis appliance are logged. Typically, this information is only useful when troubleshooting an issue with the assistance of a Blue Coat technical support engineer or support partner. The logs in this list, along with web logs and the system configuration can be sent to Blue Coat support via the Utilities > Troubleshooting page. Available System Logs n n n n n n n n n n n n n
boot.log: The log created as the appliance boots. cas : The internal ICAP service logs. cas-audit: Administrative actions performed on the web interface. cas-connection: ICAP connection logs. clp_alerts.log: Captures everything system wide that has been flagged as an “alert” clp_services.log: Internal appliance log for system services. cron: Scheduled jobs log. dmesg: Internal service log, for Blue Coat engineering use. dmesg.old: Internal service log, for Blue Coat engineering use. dracut.log: Internal service log, for Blue Coat engineering use. lastlog: Internal service log, for Blue Coat engineering use. tomcat6-initd.log: Internal service log, for Blue Coat engineering use. wtmp: Internal service log, for Blue Coat engineering use.
Click the
button to view the selected log file or the
button to download the selected log file. The
button deletes all data in the specified log.
67
Blue Coat Systems, Inc. Content Analysis System 1.2
Set Up Alert Delivery Methods Alert delivery configuration is available in Settings > Alert Locations . When significant events occur (such as wehn malware is found or a file is blocked), you can have Content Analysis notify you by sending an email, an alert log entry, or a syslog entry, or an SNMP trap. For each type of event that you want to be notified about, select the desired alert delivery method. Alert Delivery Methods
For each event, choose one or more of the following alert delivery methods: l
l l
l
E-mail : Sends an e-mail to the administrator. To configure e-mail alerts, see Configure E-Mail Alerts on page 69. Logging: Creates an entry in the system log. See Review System Activities. Syslog: Creates an entry in the Syslog server. See Configure Syslog on page 70. Entries will be sent via the Proxy module and the Syslog server configured there. SNMP Trap: Sends a trap to the SNMP manager. See Configure SNMP on page 69. Entries will be sent via the Proxy module and the SNMP server configured there.
Event Types
You can send alerts for the following types of events: l
l
l
l
l l
l l
Virus is found: A virus was found in an ICAP session. If you have configured e-mail alerts, the URL of the web page where the virus was found is included in the e-mail. So that you do not accidentally launch the page, the URL is reformatted to make it unclickable. For example: http://virus.com is rewritten as hxxp://virus.com. File was passed through without being scanned: Several settings on the Anti-virus page enable the administrator to allow files to pass through Content Analysis unscanned. For example, there is an anti-virus file scanning timeout. File was blocked (exclude virus case): A file is blocked for any reason other than a virus infection. For example, the administrator decides to block password-protected compressed files. Anti-virus update failed: The antivirus update failed due to an error in retrieving or installing the latest image. Anti-virus update succeeded: A new version of an anti-virus pattern file has been installed. Intelligent Connection Traffic Monitoring (ICTM): If the maximum specified concurrent slow connection warning or critical thresholds are reached, an alert is sent. Reboot: A reboot has occurred. Sandboxing Threat: A sandboxing threat has been identified.
Test Alerts
Click one of the buttons to send a test alert via each of the available methods.
68
Blue Coat Systems, Inc. Content Analysis System 1.2
Configure E-Mail Alerts E-Mail alert configuration is available in Settings > Alerts > Email . When you enable Set Up Alert Delivery Methods on page 68, you must define an SMTP (Simple Mail Transfer Protocol) server and specify the e-mail addresses to which notifications will be sent. E-mail Addresses
Sender e-mail address : The sender's name will appear in the From line of any e-mail message that Content Analysis sends out. For example:
[email protected] . Recipient e-mail address : The e-mail addresses to which alerts will be sent when alerts occur. Use a comma to separate addresses, for example:
[email protected],
[email protected]. At least one recipient address is required. If you don't set a recipient address, the appliance will not attempt to send alert e-mails. Server settings
Server address Your SMTP server hostname or IP address. This is the server that will send alert e-mail to your administrators. Server port The port used by your SMTP server. Typically, the port used for SMTP is 25. Authentication settings
If your SMTP server requires users to authenticate before sending mail, define your SMTP username and password.
When you're done entering your SMTP server settings, click Save Changes .
Configure SNMP SNMP configuration is available in Settings > Alerts > SNMP Trap. The Simple Network Management Protocol (SNMP) is a widely used method of monitoring computer networks. You can configure Content Analysis to automatically send event notifications to any SNMP server, called a trap listener. Content Analysis supports SNMP v2 only.
69
Blue Coat Systems, Inc. Content Analysis System 1.2 Enable SNMP Trap Support
Specify one or more trap destinations Specify the server(s) to which SNMP trap alerts will be sent:
Server(s): The IP address or hostname of the SNMP monitoring server. Separate each address with a comma. Security Name: Your SNMP server's community string. When you're done entering your SNMP server settings, click Save Changes .
Configure Syslog Syslog server configuration is available in Settings > Alerts > Email . The system logging (syslog) feature gives administrators a way to centrally log and analyze events. If you Set Up Alert Delivery Methods on page 68 for any events, you must also define the syslog server settings.
Server: The IP address or hostname of your syslog server. Port: The port used by your syslog server to listen for incoming data. Protocol : The transport protocol used by your syslog server. Available options are: UDP, TCP, and TLS. Click Save Changes .
Customize Alert Messages Alert message configuration is available in Settings > Alerts > Messages . When significant events occur, Content Analysis sends alerts to the configured alert delivery methods (email, SNMP, local log, and/or syslog). These messages are in HTML, which can be customized with variable keywords to provide context to each alert event. By including variables in the message, you can see, for example, the URL from which an infected file was downloaded, who downloaded the file, and the name of the virus.
1. Select Settings > Alerts . 2. Click Messages . 3. Click one of the icons below to modify the alert message: l
Displays alert message text, including variable keywords
l
Displays the HTML code for the alert message
The following keywords can be used:
70
Blue Coat Systems, Inc. Content Analysis System 1.2 l l l l l l l l l l l l l l l l l l
%CLIENT : The client IP address %ACTION : The action that was performed (file passed/dropped) %URL : The URL from which the file was downloaded %VIRUS : The virus or potentially unwanted software (PUS) name %REASON : Why the event occurred. For example, why was the file scanned? %MACHINENAME : The name of the Content Analysis System appliance. %MACHINEIP : The Content Analysis System appliance IP address %HWSERIALNUMBER : The Content Analysis System appliance serial number %PROTOCOL : The scanned protocol %APPNAME : The application name (Content Analysis System) %APPWEB : The application vendor web address %APPVERSION : The application version %AVVENDOR : The AV vendor %AVENGINEVERS : The AV engine version. %AVPATTERNVERS : The AV pattern version. %AVPATTERNDATE : The AV pattern date. %TIMESTAMP : The time the event occurred %ADMINMAIL : The administrator e-mail address The % character always precedes the variable name. Capitalization is also important; do not use lowercase variable names.
4. Click Save Changes .
71
Blue Coat Systems, Inc. Content Analysis System 1.2
Chapter 5: Administrative Tasks Control Access to the Management Console
74
Manage Administrator Access
75
Authenticate Administrators with Local Credentials
75
Authenticate Administrators with LDAP
76
Authenticate Administrators with RADIUS
77
Example: FreeRADIUS Configuration Procedure
78
Define an Administrative Login Message
81
Update Anti-Virus Pattern Files
82
Install a new System Image
84
Archive or Restore the System Configuration
85
Perform Administrative Tasks from the Command Line Interface
86
72
Blue Coat Systems, Inc. Content Analysis System 1.2
73
Blue Coat Systems, Inc. Content Analysis System 1.2
Control Access to the Management Console Management Console configuration is available in Settings > Web Management. By default, the Web-based management console is accessible via HTTPS on port 8082. On this page, you can enable an HTTP management port, (8081 by default) and configure alternate ports and administrative session login timeouts here.
1. Perform one of the following: a. Click Enable HTTP Administration to let the administrator access the Management Console without a secure connection. (optional) Specify a different port number. b.
Click Enable HTTPS Administration to encrypt the connection to the Management Console. (optional) Specify a different port number. When HTTPS is enabled, you must enter the following URL format to access the Content Analysis System appliance Management Console:
https://IP_address:port For example: https://192.0.2.39:8082.
2. Enter a session timeout in minutes. When the specified number of minutes has passed without activity in the Management Console, the session terminates. 3. Click Save Changes . To modify the certificate used for HTTPS administration, click Certificate Management. Details on Certificate Management, see Enable Secure ICAP Connections.
74
Blue Coat Systems, Inc. Content Analysis System 1.2
Manage Administrator Access In addition to the default local administrator account, you can configure other local accounts or leverage existing LDAP and RADIUS authentication services in your infrastructure to authorize administrative and read-only users.
Authenticate Administrators with Local Credentials
75
Authenticate Administrators with LDAP
76
Authenticate Administrators with RADIUS
77
Example: FreeRADIUS Configuration Procedure
78
Authenticate Administrators with Local Credentials Local Administrator configuration is available in Settings > Users > Local Users .. The primary administrator can create user accounts for other users. A user account specifies the privileges that are granted to a user. With local authentication, you can create two types of user accounts: n
Administrator: An administrative account with rights to perform all functions on the appliance. In a default state, Content Analysis is configured with a single administrator account. The username for this account is admin and the password is what you entered during the initial setup of the appliance. For security best practice, change the default password.
n
Readonly : A read-only access account that permits the user to log in to the appliance but not make any changes.
Create a Read-Only User Account
1. 2. 3. 4. 5. 6.
Select Users > Add User. Define a new Username . Assign the user a Password . The password can contain a maximum of sixteen characters. From the Role drop-down list, select Readonly . Select Enabled. Click Add.
Create an Administrative User Account
1. 2. 3. 4. 5. 6.
Select Users > Add User. Define a new Username . Assign the user a Password . The password can contain a maximum of sixteen characters. From the Role drop-down list, select Administrator. Select Enabled. Click Add.
75
Blue Coat Systems, Inc. Content Analysis System 1.2 Change a User's Password
1. 2. 3. 4.
Select Settings > Users . Select the user account to change the password and click Edit User. Assign an updated Password. The password can contain a maximum of 16 characters. Click Add.
Delete Administrator Accounts
1. Log in as an administrative user. 2. Click Settings > Users . 3. Select the Username. 4. Click Delete User. The user account is deleted and the user is no longer allowed to access the Content Analysis system..
Authenticate Administrators with LDAP LDAP Administrator configuration is available in Settings > Users > LDAP Settings .. You can configure Content Analysis to authenticate administrators based on their LDAP credentials. The appliance requires the following details to establish a connection with the LDAP server: n
The IP address or hostname of the LDAP server
n
User search criteria based on Username attribute and the associated BaseDN.
n
Role search criteria based on Username attribute, Base, and Result Role attribute. You can add LDAP users or groups to local role mapping.
1. Select Settings > Users > LDAP Settings . 2. (Optional) to populate all server fields on this page with the standard values for an Active Directory LDAP environment, click Insert Active Directory example. As appropriate, adjust the values to be specific for your LDAP configuration. 3. Enter the LDAP server URL. 4. (Optional) Manager's Credentials — n If your LDAP server supports anonymous searching, do not complete this section. n
If anonymous search is not supported, enter the User Distinguished Name and Password.
5. User Search Criteria: Enter the User Attribute and Base to define from what level of the LDAP directory searches is performed. 6. Role Search Criteria: Enter the Username Attribute, Base, and Result Role Attribute to define the search details for role authorization. 7.
Enter an LDAP user or group to local role mapping. Click Add User Mapping or Add Group Mapping. This is required, as it binds LDAP users and groups with permissions roles on the CAS appliance.
76
Blue Coat Systems, Inc. Content Analysis System 1.2
Enter a username or group name, select a role, and click Add.
8. Select Enabled. 9. Click Save Changes .
Authenticate Administrators with RADIUS Radius Administrator configuration is available in Settings > Users > Radius Settings .. You can configure Content Analysis to use a RADIUS server database to authenticate and authorize users. This configuration requires some elements on both the Content Analysis user interface and the RADIUS server. As a best practice measure to ensure administrators can always log in to the appliance, even when your RADIUS server is unavailable, maintain a local administrator account.
About RADIUS authentication
When a user logs in to the Content Analysis management center, they are challenged for credentials. Those credentials are forwarded in an Access-Request message to the configured RADIUS server. The RADIUS server authenticates the user and sends an 'access-accept' or 'access-reject' response back along with the value for the Blue-Coat-Authorization attribute defined for the user. Content Analysis parses the response to check if the user is authenticated and then uses the custom attribute to determine the user’s access privileges; the user is then allowed appropriate access or denied access.. If your deployment does not already make use of a RADIUS server, you can use FreeRADIUS. For information on deploying FreeRadius, click Example: FreeRADIUS Configuration Procedure on page 78 If you are using FreeRADIUS, select the Download Blue Coat's dictionary file for FreeRADIUS Server here link to view the dictionary file for Blue Coat-specific RADIUS attributes. RADIUS prerequisites
To configure Content Analysis a RADIUS client, provide the following details for your RADIUS server: l
IP address and port number of the primary RADIUS server.
l
(Optional, but recommended) IP address and port number for the secondary RADIUS server.
l
Pre-shared key (or shared secret) that is configured on the RADIUS server. Because RADIUS uses a client-server architecture for managing user account information, before a device can become a RADIUS client it, must be configured with the same pre-shared key that is configured on the RADIUS server. This allows it to be able to pass user credentials on to the RADIUS server for verification.
77
Blue Coat Systems, Inc. Content Analysis System 1.2 l
The RADIUS server must have the Blue-Coat-Authorization attribute defined and associated with users or groups on the server who require administrative access to Content Analysis.
About the Blue-Coat-Authorization RADIUS attribute
In addition to authenticating administrators, RADIUS also authorizes administrators by way of a special attribute in the user's profile. This information is used to identify specific users who have permission to log in to the Content Analysis management console or CLI. To enable authorization, define the Blue-CoatAuthorization (vendor-specific) attribute in the RADIUS user profile for users who require administrative access or read-only access to the CAS appliance. The Blue-Coat-Authorization values that you can assign are as follows: l
l l
No access: This is the default value used when read-only access (1) or administrative access (2) is not specified. 1: Read-only access 2: Read-write access (administrative access or full access user)
Enable RADIUS Authentication
1. 2. 3. 4.
Select Settings > Users > RADIUS Settings . Click the Enabled check box. Enter the IP address and port number of the primary RADIUS server. Enter the shared secret that you have configured on the RADIUS server. This shared secret allows Content Analysis to forward user credentials on to the RADIUS server for verification.
5. (Optional, but recommended) Enter the IP address, port, and shared secret for the Alternate RADIUS server. 6.
Enter a RADIUS user or group to local role mapping. Click Add User Mapping or Add Group Mapping. Enter a username or group name, select a role, and click Add.
7. Click Save Changes .
Example: FreeRADIUS Configuration Procedure The following example shows the RADIUS configuration steps required to support authentication and authorization of Content Analysis administrators on FreeRADIUS server v2.1.10. The main tasks in this work flow are as follows: n
Configure the Content Analysis IP address on the FreeRADIUS server.
78
Blue Coat Systems, Inc. Content Analysis System 1.2 l
Set up the attributes so that Content Analysis can receive authentication and authorization attributes from the RADIUS server. Content Analysis provides a dictionary file that contains all the authorization attributes supported on the system. You must first obtain the dictionary.bluecoat file from the Settings > Users > RADIUS Settings page in the Management Console. Then you need to manually define the attribute, using the attribute name or number, type, value, and vendor code, for all users that are permitted access to the Content Analysis UI.
To enable communication between the FreeRADIUS server and Content Analysis:
1.
Add the Content Analysis IP address to the freeRADIUS server client configuration file.
/etc/freeradius/clients.conf 2.
Add a shared secret. For example:
client 10.10.10.0/24 { secret = testing123 shortname = CANetwork } You can define a single machine (10.10.10.107) or a subnet (10.10.10.0/24).
3. Download and save the dictionary.bluecoat file to the /usr/share/freeradius/ directory.This file is available from the Download Blue Coat's dictionary file for FreeRADIUS Server here link (Settings > Users > RADIUS Settings ). 4. Add Blue Coat’s vendor-specific attributes defined in the dictionary.bluecoat file to the /usr/share/freeradius/dictionary file. For example, entries in the /usr/share/freeradius/ dictionary might be as follows:
$INCLUDE dictionary.xylan $INCLUDE dictionary.bluecoat $INCLUDE dictionary.freeradius.internal 5.
Add the Blue Coat Authorization attribute to the users file in the /etc/freeradius/ directory. Specifying the attributes for users or groups allows you to enforce permissions and regulate access to Content Analysis. The syntax used is:
Cleartext-Password := "" Blue-Coat-Authorization = For example, for an admin user you would specify the following details:
ratnesh Cleartext-Password := "oldredken123" Reply-Message = "Hello",
79
Blue Coat Systems, Inc. Content Analysis System 1.2
Blue-Coat-Authorization = Read-Write-Access 6.
Save your configuration and restart the FreeRADIUS server.
80
Blue Coat Systems, Inc. Content Analysis System 1.2
Define an Administrative Login Message Administrative Login Messages can be configured in Settings > Consent Banner. The consent banner is the message that displays when administrators log in to Content Analysis management console. Enable this banner if your organization requires users to comply with an acceptable use policy or to inform users of the consequences of unauthorized use. When enabled, users must accept the terms defined in the banner prior to accessing the management console. By default, the login banner is disabled. Enable and configure the Login Banner
1. Click the Show Consent Banner check box to enable the display of the banner text on the login page. 2. In the Banner Text field, enter the text that you would like users to view and accept when they log in. Up to 2000 characters are supported in this field. 3. (Optional) Click the Show Consent Banner Logo check box to display your company logo. 4. To select the logo image, click Upload New Banner Logo. Browse to the location of the image, select the file, and click Open. 5. Click Save Changes . 6. To view the current banner as configured, click Display Current Consent Banner. The supported image formats are JPG, JPEG, BMP, GIF, and PNG. The recommended image size is 500 pixels by 80 pixels. Content Analysis automatically scales larger images to 500 pixels by 100 pixels to conform to the dimensions of the Consent Banner.
81
Blue Coat Systems, Inc. Content Analysis System 1.2
Update Anti-Virus Pattern Files Anti-Virus Pattern File configuration is available in Services > AV Patterns . Use the settings on this page to view anti-virus information and update pattern files. Content Analysis communicates with several URLs that end with *.es.bluecoat.com. To ensure that these updates are retrieved without issue, Blue Coat recommends that you allow Content Analysis to reach that domain on ports 80 and 443 without authentication, SSL interception or firewall interruption.
The table on this page displays the following information. Column
Description
Vendor
Displays the anti-virus vendor.
Version
Displays the version of the anti-virus engine that is in use.
Pattern Version
Displays the version of the pattern file used by the anti-virus engine. It also lists the number of virus definitions included in the pattern file and the time of the most recent pattern file update.
Virus Definitions
Displays the virus unique identification string.
Last Pattern Update
Displays the date and time of the most recent pattern update.
Remaining
Displays the number of days before your current license is set to expire. If the license has expired, that date displays, as well as the date on which the grace period expires. Content Analysis checks for new engines and pattern files once every 5 minutes.
82
Blue Coat Systems, Inc. Content Analysis System 1.2 Update
Click Update Now to download and install the virus pattern files for the specified vendor. Clicking Update Now tells the system to check if there is a virus pattern file available that is newer than the one it already has. The update is either a differential update or a full update, based on the update mechanism that your chosen antivirus vendor supports.
Click Force Update Now to force Content Analysis to download and install the latest virus pattern files for the specified vendor. Even if you have the latest version installed, this option overwrites the file versions currently residing on the appliance. Update All Now
Use the Update All Now option when you are using pattern files from multiple AV vendors. This option instructs Content Analysis to check if there are newer virus pattern files available than those currently installed on the appliance. The update is either a differential update or a full update, based on the update mechanism of the specific antivirus vendor. Force Update All Now
Use the Force Update All Now option when you are using pattern files from multiple AV vendors. This option forces Content Analysis to download and install the latest virus pattern files for all configured vendors. Even if you have the latest version installed, this option overwrites the file versions currently residing on the appliance. Downloads
Use the Downloads list to monitor the status of AV pattern and engine downloads.
83
Blue Coat Systems, Inc. Content Analysis System 1.2
Install a new System Image System image management is available in System > Firmware. When new features and improvements are made to Content Analysis system, you can download a system image from Blue Coat's support portal, Blue Touch Online, (https://bto.bluecoat.com) and installed here. . Manage System Images
Content Analysis stores up to five images on the system. The image that is marked as the default image will be loaded the next time the appliance is rebooted. If the maximum number of images are stored on your system and you download a sixth image, Content Analysis deletes the oldest unlocked image to make room for the new image. Use this option to save images, make them default, and delete images. Select the following options as necessary:
l
Default: The default image will be loaded the next time the system is rebooted. Locked: Protects the image from being deleted. If you don't want Content Analysis to automatically replace an image when you retrieve new images, you should lock the existing image.
l
Booted: Indicates whether the image has been booted at least once in the past.
l
l
Delete: Click (Delete button) to remove an image you no longer need. Note that you cannot delete locked images.
Update the System Software From bto.bluecoat.com
1.
In System Image Retrieval , enter the HTTP or HTTPS URL from where the image is to be retrieved. The image download process works with any HTTP server, and HTTPS servers configured with trusted certificates. If your HTTPS server does not have a trusted certificate, use an internal HTTP server for image and license downloads. The Content Analysis Management Console provides an alert when new software is available. The alert appears in the lower left-hand corner of the page. If you click the alert, you are redirected to the software download page on BTO. After you log in, download the image file and stage it on your a local HTTP server to which Content Analysis has access.
2. Click Retrieve Image. 3. Select the new system image as the default and click Save Changes . 4. Reboot the appliance from Utilities > Services once more to complete the installation of the new image. Most Recent Download
This section provides information about the most recent image that was downloaded to the appliance, including whether the download was successful.
84
Blue Coat Systems, Inc. Content Analysis System 1.2
Archive or Restore the System Configuration Manage System Configuration files in Utilities > Configuration. Back up and restore the Content Analysis configuration as an XML file. As a best practice measure, back up your appliance configuration before making changes. Available Options n
n
Download Entire Configuration: Get Configuration prompts you to find a save location for the configuration archive, config.xml Upload Entire Configuration: Choose File prompts you to find the location of a previously saved config.xml file on your workstation.
85
Blue Coat Systems, Inc. Content Analysis System 1.2
Perform Administrative Tasks from the Command Line Interface After the system has been configured for your network, you can either use the web-based management console or the CLI to perform additional testing and administrative tasks. Press the TAB key after entering at least one letter to see the available commands that begin with that text. Use a ? at any point in a command to see the syntax options available for a given command. Standard Mode Commands
Some administrators prefer to use a command line for quick tasks like sending ICMP (ping) packets to test connectivity or to view the appliance's status. Use the following standard mode commands can be performed without elevated access.
enable: Enter the elevated privilege mode, known as enable mode. If configured, a password may be required. exit: End the CLI session. help: Display this list of commands. Also available by typing ? ping : Send a series of four ICMP packets to a destination you define to test network connectivity. CAS> ping bto.bluecoat.com PING bto.bluecoat.com (199.91.134.151) 56(84) bytes of data. 64 bytes from 199.91.134.151: icmp_seq=1 ttl=55 time=24.5 ms 64 bytes from 199.91.134.151: icmp_seq=2 ttl=55 time=25.7 ms 64 bytes from 199.91.134.151: icmp_seq=3 ttl=55 time=27.5 ms 64 bytes from 199.91.134.151: icmp_seq=4 ttl=55 time=23.9 ms --- bto.bluecoat.com ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 4489ms rtt min/avg/max/mdev = 23.932/25.438/27.530/1.382 ms
show licenses : Display the current licensing status. Activated licenses are preceded by an asterix. CAS> show licenses * Base license (48 days remaining) * Kaspersky Labs (48 days remaining) * McAfee, Inc. (48 days remaining) Sophos, Plc. (48 days remaining)
86
Blue Coat Systems, Inc. Content Analysis System 1.2 Sandboxing (48 days remaining) Whitelisting (48 days remaining)
show setupinfo : Display the networking and access settings for the appliance. CAS> show setupinfo Network settings: Interface 0: IP address: 10.131.17.83 Subnet mask: 255.255.248.0 NIC media setting: IP gateway: 10.131.16.1 DNS server: 10.131.16.5 Access settings: Command Line Interface and Web Interface: HTTP port: HTTPS port: 8082 Credentials required: User name: admin Password: Enable password: Allowed ICAP clients:
show status : Display the current status of the appliance, including physical resources and software versions. CAS> show status Configuration: Memory installed: 15925 megabytes Memory free: 13290 megabytes CPUs installed: 8 Software version: 1.0.0.0(125617)
87
Blue Coat Systems, Inc. Content Analysis System 1.2
Interface 0 MAC: 00:d0:83:09:64:17 Interface 1 MAC: 00:d0:83:09:64:18 General status: System started: 2013-11-12 18:02:49UTC CPU utilization: 12
upload-sr - prompt the appliance to gather all system logs, configuration files and other troubleshooting data and upload to a Blue Coat support service request. The following format is expected: 2xxxxxxxxx. Enable Mode Commands
Use the elevated commands available in the CAS CLI to make system changes such as configuring the enable mode password, restoring the appliance to a default configuration or shutting down the appliance.
acquire-factory-certificate: Download the factory certificate from Blue Coat. This is already done during the intial configuration of the appliance, so only run this command at the direction of Blue Coat support. disable: Return to the standard mode CLI. exit: End the CLI session. help (or ?) Display this help
ping: Send a series of four ICMP packets to a destination you define to test network connectivity. CAS# ping bto.bluecoat.com PING bto.bluecoat.com (199.91.134.151) 56(84) bytes of data. 64 bytes from 199.91.134.151: icmp_seq=1 ttl=55 time=24.5 ms 64 bytes from 199.91.134.151: icmp_seq=2 ttl=55 time=25.7 ms 64 bytes from 199.91.134.151: icmp_seq=3 ttl=55 time=27.5 ms 64 bytes from 199.91.134.151: icmp_seq=4 ttl=55 time=23.9 ms --- bto.bluecoat.com ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 4489ms rtt min/avg/max/mdev = 23.932/25.438/27.530/1.382 ms
restart reboot: Power cycle the appliance. restart icap: Stop and start the ICAP service.
88
Blue Coat Systems, Inc. Content Analysis System 1.2 restart licensing: Stop and restart licensing and subscription services. restart web: Stop and start the web management console service. restart snmp: Stop and start the SNMP service. restore-defaults factory-defaults: Restore the appliance configuration to a default state. restore-defaults factory-defaults-halt: Restore the appliance configuration to a default state and stop the system. This is appropriate when you plan to manually remove and restore power to the appliance at a later time. restore-defaults factory-defaults-shutdown: Restore the appliance configuration to a default state and power down the appliance. restore-defaults reset-passwd: Reset the appliance password for the primary local admin account. restore-defaults reset-web: Reset the configuration for the Web management interface. By default, the inactivity timeout is 10 minutes and HTTP (port 8080) administration is disabled. security enable-password: Enable and define the password required to reach the elevated privilege mode of the CLI. security unset-password: Disable the need to enter a password when switching from the standard mode to the enable mode of the CLI. show licenses: Display the current licensing status. Activated licenses are preceded by an asterix. CAS# show licenses * Base license (48 days remaining) * Kaspersky Labs (48 days remaining) * McAfee, Inc. (48 days remaining) Sophos, Plc. (48 days remaining) Sandboxing (48 days remaining) Whitelisting (48 days remaining)
show setupinfo : Display the networking and access settings for the appliance. CAS# show setupinfo Network settings: Interface 0: IP address: 10.131.17.83
89
Blue Coat Systems, Inc. Content Analysis System 1.2
Subnet mask: 255.255.248.0 NIC media setting: IP gateway: 10.131.16.1 DNS server: 10.131.16.5 Access settings: Command Line Interface and Web Interface: HTTP port: HTTPS port: 8082 Credentials required: User name: admin Password: Enable password: Allowed ICAP clients:
show status: Display the current status of the appliance, including physical resources and software versions. CAS# show status Configuration: Memory installed: 15925 megabytes Memory free: 13290 megabytes CPUs installed: 8 Software version: 1.0.0.0(125617) Interface 0 MAC: 00:d0:83:09:64:17 Interface 1 MAC: 00:d0:83:09:64:18 General status: System started: 2013-11-12 18:02:49UTC CPU utilization: 12
shutdown : Turn off the appliance.
90
Blue Coat Systems, Inc. Content Analysis System 1.2 upload-sr: Prompt the appliance to gather all system logs, configuration files and other troubleshooting data and upload to a Blue Coat support service request. The following format is expected: xxxxxxxxxx.
91
Blue Coat Systems, Inc. Content Analysis System 1.2
Chapter 6: Troubleshooting and Support Utilities Onboard Diagnostics
94
Inspect Traffic
95
Test Network Connectivity
97
Restart System Services
98
Review System Activities
99
View and Export the System Information File
100
Manually Scan Files for Threats
101
Send Diagnostic Information to Blue Coat Support
102
Clear File Caches
103
Review the Web Logs
104
92
Blue Coat Systems, Inc. Content Analysis System 1.2
93
Blue Coat Systems, Inc. Content Analysis System 1.2
Onboard Diagnostics The Onboad Diagnostic utility can be found in Utilities > Onboard Diagnostics . View the output from the Content Analysis hardware monitoring sensors. If the values on this page display with a Critical status, contact a Blue Coat support engineer for assistance. Available Sensors n
Voltages : Reports the Voltage, Status and State of components for which the appliance has a voltage sensor such as CPU cores, Power Supply and others.
n n
Rotation Per Minute: Reports the speed at which the fans on the appliance spin. Temperatures : The results of temperature monitoring for the chassis, CPU and other components that produce heat in the appliance.
n
Power Supplies : The state of the appliance's power supplies.
94
Blue Coat Systems, Inc. Content Analysis System 1.2
Inspect Traffic The Packet Capture utility can be found in Utilities > Packet Capture. The Packet Capture utility examines data sent to and from Content Analysis. Packet captures (PCAPs) are saved as PCAP files, compatible with Wireshark and other packet analysis tools that support the same format. Available Options n
Filter:Define a filter for your packet capture. PCAP filter, using the standard Berkeley PCAP filter syntax.
n
Duration: Set the amount of time (in seconds) to capture traffic. Start: Begin capturing data. Stop: Stop the capture and write it to disk Refresh: As data is being captured, click Refresh to see the file and its size in the table
n n n
After clicking Stop, the appliance saves the capture and displays it in the list at the bottom of the page. Manage PCAP Files
Once a packet capture has been stopped, the table displays a filename, (based on the time and date of the capture) the file size and the date it was saved. The first column provides two buttons: : Download the PCAP file to your local system. : Delete the PCAP file.
No alert or confirmation message appears when you click the delete button on this screen.
Filter Packet Captures
Because unfiltered packet capture files can grow very large in a small amount of time in a busy environment, it's often prudent to filter your captures to look for only the traffic you're interested in. The following PCAP filter expression examples will help define your own filters. For a more comprehensive look at Berkeley packet filtering, see http://biot.com/capstats/bpf.html.
Example 1: I want to capture all traffic requested by a single user at the IP 10.0.0.125: host 10.0.0.125
95
Blue Coat Systems, Inc. Content Analysis System 1.2
Example 2: Capture all traffic between a single user and a specific URL: host www.eicar.org and host 10.0.0.125
Example 3: Capture all HTTP traffic for a specific user: host 10.0.0.125 and port 80
Example 4: Capture only TCP traffic: tcp
Example 5: Capture traffic for either one user or another: host 10.0.0.125 or host 10.0.0.126
96
Blue Coat Systems, Inc. Content Analysis System 1.2
Test Network Connectivity The Utilities > Ping utility tests the network path between the appliance and another host. Ping Utility Fields n n
Address : Enter the hostname or IP address of the site or host you wish to ping. Ping: Sends four ICMP packets to the host defined in the address field.
The system displays the results below the Ping option. Example
PING bto.bluecoat.com (199.91.134.151) 56(84) bytes of data. 64 bytes from 199.91.134.151: icmp_seq=1 ttl=55 time=24.4 ms 64 bytes from 199.91.134.151: icmp_seq=2 ttl=55 time=24.2 ms 64 bytes from 199.91.134.151: icmp_seq=3 ttl=55 time=24.4 ms 64 bytes from 199.91.134.151: icmp_seq=4 ttl=55 time=24.4 ms --- bto.bluecoat.com ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 3029ms rtt min/avg/max/mdev = 24.274/24.420/24.498/0.179 ms
97
Blue Coat Systems, Inc. Content Analysis System 1.2
Restart System Services The restart utilitiy can be found in Utilities > Services . Under the direction of a Blue Coat support engineer or support partner, use the options on this page to restart Content Analysis System or to restart specific Content Analysis services. Available Options n n n
Reboot System : Force the system to reboot. Refresh Antivirus Engines and Signatures : Stop and start the anti-virus subsystem. Restart ICAP Service: Stop and start the service responsible for accepting incoming ICAP connections.
n
Restart Content Analysis Web Management: Stop and start the web server, responsible for hosting the Content Analysis web user interface.
n
Restart SNMP Service: Stop and start the in the appliance service responsible for sending SNMP alerts.
n
Restart Licensing and Subscription Services : Stop and start Content Analysis licensing services.
98
Blue Coat Systems, Inc. Content Analysis System 1.2
Review System Activities The system logs can be viewed in Utilities > System Logs . Use this page to review the Content Analysis subsystem activity logs. All functions performed by Content Analysis appliance are logged. Typically, this information is only useful when troubleshooting an issue with the assistance of a Blue Coat technical support engineer or support partner. The logs in this list, along with web logs and the system configuration can be sent to Blue Coat support via the Utilities > Troubleshooting page. Available System Logs n n n n n n n n n n n n n
boot.log: The log created as the appliance boots. cas : The internal ICAP service logs. cas-audit: Administrative actions performed on the web interface. cas-connection: ICAP connection logs. clp_alerts.log: Captures everything system wide that has been flagged as an “alert” clp_services.log: Internal appliance log for system services. cron: Scheduled jobs log. dmesg: Internal service log, for Blue Coat engineering use. dmesg.old: Internal service log, for Blue Coat engineering use. dracut.log: Internal service log, for Blue Coat engineering use. lastlog: Internal service log, for Blue Coat engineering use. tomcat6-initd.log: Internal service log, for Blue Coat engineering use. wtmp: Internal service log, for Blue Coat engineering use.
Click the
button to view the selected log file or the
button to download the selected log file. The
button deletes all data in the specified log.
99
Blue Coat Systems, Inc. Content Analysis System 1.2
View and Export the System Information File The System Information utility can be found in Utilities > System Information. When working with a Blue Coat Support engineer, one crucial piece of information in determining the cause and solution to an issue is the System Information file. The System Information file is an XML file that contains your appliance configuration as well as the results of all current diagnostic reports for the appliance. When prompted by Blue Coat support to provide this information, click into the text box, highlight all of the text, (there will be several pages of information) and copy it. You can then paste the text into an email, your support request or a text file.
100
Blue Coat Systems, Inc. Content Analysis System 1.2
Manually Scan Files for Threats The Test Utility can be found in Utilities > Test. Use the Test utility to upload a file that you suspect is infected with malware to the appliance for an immediate scan result. Content Analysis scans the file with the same configuration options as if it were transmitted the Proxy. The scan is performed with all active AV and sandboxing engines, and uses the whitelist, if active. This utility is also useful to Blue Coat Support, to verify that the appliance is functioning as expected. The eicar.org site provides a benign malware pattern that you can use to test.
Click Select and Scan Test File to select a file you suspect may be bad on your local system. The results of the scan are displayed on the screen. If a virus is found, the name appears next to Virus Name.
101
Blue Coat Systems, Inc. Content Analysis System 1.2
Send Diagnostic Information to Blue Coat Support The Diagnostic Upload utility can be found in Utilities > Troubleshooting. In the event that Content Analysis fails or restarts unexpectedly, it will produce a file that contains system logs and the contents of memory at the time of the failure. When troubleshooting issues of this nature, Blue Coat support engineers will request the relevant files on this page. They can examine the data contained in each package to identify the cause of the issue.To send log files to Blue Coat Customer Support, you must have an open and active Service Request (SR) number. For information on opening a SR, see https://bto.bluecoat.com/support. Upload Log Files to Blue Coat Support
To upload log files to the Blue Coat Support server.
1. Under Troubleshooting Logs , put a check next to the file you're interested in. Files are listed based on the time and date they were created. 2. Click Upload Selected Logs To Service Request. The Service Request Upload dialog displays. 3. Enter your service request number into the field in the dialog, click Upload. 4. Click Delete Selected Logs to ensure that the file is removed from the appliance. Delete Core Files
System core image files are very large and should be deleted as soon as they are no longer necessary.Follow these steps to delete core images.
1. Select the core image file you wish to delete. 2. Click Delete Selected Cores . Troubleshooting Tips
If you have trouble uploading files to the Blue Coat Support server, check for the following issues. l
l
l
If Content Analysis doesn't have direct access to the Internet, you can configure it to use your ProxySG appliance. Go to Network > Proxy Server for Updates to configure an upstream proxy. If your traffic is being sent from Content Analysis to your ProxySG appliance, verify that SSL intercept for https://upload.bluecoat.com is not enabled on that ProxySG appliance. Verify that the SR number is valid and has not previously been resolved.
102
Blue Coat Systems, Inc. Content Analysis System 1.2
Clear File Caches The file cache utility can be found in Utilities > Cache. At the suggestion of a Blue Coat Support engineer, use the Cache utility to clear the files cached by the appliance during AV scanning, whitelisting, or sandboxing. Clearing these caches is not necessary for normal operation of Content Analysis. Clear Caches
Each of the buttons on this page will clear the cache for the appropriate cache store.
The sandboxing and whitelisting caches persist through a reboot, while the antivirus cache is cleared when Content Analysis is restarted.
103
Blue Coat Systems, Inc. Content Analysis System 1.2
Review the Web Logs Web Server Logs can be found in Utilities > Web Logs . Used for troubleshooting research by Blue Coat Support, the Web Logs page displays a list of the logs generated by the Content Analysis Web server subsystem. At the instruction of a Blue Coat support engineer,click the
button to view the selected log file or the
button to download the selected log file.
View Web Logs
Clicking the View icon opens the log in another window.
Drag the corners or sides of the log viewing window to resize it.
104
Blue Coat Systems, Inc. Content Analysis System 1.2 Download Web Logs
When you click the Download icon, you are prompted to view or save the file.
105
