Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 21 L4 Traffic Monitor
Configuring the L4 Traffic Monitor
– Any IP address that is listed in the Additional Suspected Malware Addresses property and not
listed in the Allow List and not determined to be ambiguous.
Note
You can define the Allow List and the Additional Suspected Malware Addresses properties on the Web
Security Manager > L4 Traffic Monitor Policies page.
The L4 Traffic Monitor listens to and monitors network ports for rogue activity. It performs one of the
following actions on all traffic on your network:
• Allow. It always allows traffic to and from known allowed and unlisted addresses.
• Monitor. It monitors traffic under the following circumstances:
  – When the Action for Suspected Malware Addresses option is set to Monitor, it always monitors
    all traffic that is not to or from a known allowed address.
  – When the Action for Suspected Malware Addresses option is set to Block, it monitors traffic to
    and from ambiguous addresses.
• Block. When the Action for Suspected Malware Addresses option is set to Block, it blocks traffic to
  and from known malware addresses.
The L4 Traffic Monitor Database
The L4 Traffic Monitor uses and maintains its own internal database. This database is continuously
updated with matched results for IP addresses and domain names. Additionally, the database table
receives periodic updates from the Cisco IronPort update server at the following location:
https://update-manifests.ironport.com
For information about update intervals and the Cisco IronPort update server, see
.
Configuring the L4 Traffic Monitor
The L4 Traffic Monitor can be enabled as part of an initial system setup using the System Setup Wizard.
By default, the L4 Traffic Monitor is enabled and set to monitor traffic on all ports. This includes DNS
and other services.
Note
To monitor true client IP addresses, the L4 Traffic Monitor should always be configured inside the
firewall and before network address translation (NAT). For more information about deploying the L4
Traffic Monitor, see
.
You can configure the following settings:
• Global L4 Traffic Monitor settings. You can enable or disable the L4 Traffic Monitor after an
  initial configuration and configure which TCP ports to monitor. Use the Security Services > L4
  Traffic Monitor page. For more information see
  .
• L4 Traffic Monitor policies. When the L4 Traffic Monitor is enabled, you configure specific
  policies for managing traffic. Use the Web Security Manager > L4 Traffic Monitor Policies page.
  For more information see