Cisco Cisco Web Security Appliance S670 Troubleshooting Guide
Web Security Appliance Design Guide
Document ID: 118885
Contributed by Ivo Sabev, Cisco TAC Engineer.
Apr 09, 2015
Apr 09, 2015
Contents
Introduction
Background Information
Design
Network
General Considerations
Load−Balancing
Firewalls
Identities
Access/Decryption/Routing/Outbound Malware Policies
Custom URL Categories
Anti−Malware and Reputation
Background Information
Design
Network
General Considerations
Load−Balancing
Firewalls
Identities
Access/Decryption/Routing/Outbound Malware Policies
Custom URL Categories
Anti−Malware and Reputation
Introduction
This document describes how to design the Cisco Web Security Appliance (WSA) and associated components
for optimal performance.
for optimal performance.
Background Information
When you design a solution for the WSA, it requires careful consideration, not only in regards to the
configuration of the appliance itself, but also the associated network devices and their features. Every network
is a collaboration of multiple devices, and if one of them does not participate correctly in the network, then
user experiences might decline.
configuration of the appliance itself, but also the associated network devices and their features. Every network
is a collaboration of multiple devices, and if one of them does not participate correctly in the network, then
user experiences might decline.
There are two main components that must be considered when you configure the WSA: the hardware and the
software. The hardware comes in two different types. The first is the physical type of hardware, such as the
S170, S380, and S680 Series models, as well as other End of Life (EoL) models, such as the S160, S360,
S660, S370, and S670 Series models. The other hardware type is virtual, such as the S000v, S100v, and
S300v Series models. The Operating System (OS) that runs on this hardware is called AsyncOS for Web,
which is based on FreeBSD at its core.
software. The hardware comes in two different types. The first is the physical type of hardware, such as the
S170, S380, and S680 Series models, as well as other End of Life (EoL) models, such as the S160, S360,
S660, S370, and S670 Series models. The other hardware type is virtual, such as the S000v, S100v, and
S300v Series models. The Operating System (OS) that runs on this hardware is called AsyncOS for Web,
which is based on FreeBSD at its core.
The WSA offers proxy service and also scans, inspects, and categorizes all traffic (HTTP, HTTPS, and File
Transfer Protocol (FTP)). All of these protocols run on top of TCP and heavily rely on Domain Name System
(DNS) for proper operation. For these reasons, the network health is vital for proper operation of the appliance
and its communication with various parts of the network, both inside and outside of the enterprise control.
Transfer Protocol (FTP)). All of these protocols run on top of TCP and heavily rely on Domain Name System
(DNS) for proper operation. For these reasons, the network health is vital for proper operation of the appliance
and its communication with various parts of the network, both inside and outside of the enterprise control.
Design
Use the information that is described in this section in order to design the WSA and related components for
optimal performance.
optimal performance.