Cisco Web Security Appliance S670 Troubleshooting Guide

Network
An error-free, fast network is vital for the proper operation of the WSA. If the network is unstable, user experience might decline. Network problems are usually detected when web pages take longer to reach or are unreachable. The initial inclination is to blame the appliance, but it is usually the network that misbehaves. Thus, careful consideration and auditing are needed in order to ensure that the network offers the best service for high-level application protocols such as HTTP, HTTPS, FTP, and DNS.
General Considerations
Here are some general considerations that you can implement in order to ensure the best network behavior:
• Ensure that the Layer 2 (L2) network is stable, that the spanning-tree operation is correct, and that there are not frequent spanning-tree computations and topology changes.
• The routing protocol that is used should also provide fast convergence and stability. Open Shortest Path First (OSPF) with fast timers or the Enhanced Interior Gateway Routing Protocol (EIGRP) are good choices for such a network.
• Always use at least two data interfaces on the WSA: one that faces the end-user computers, and another one for outbound operation (connected to the upstream proxy or Internet). This is done in order to eliminate possible resource constraints, such as when the number of TCP ports is exhausted or when network buffers become full, which is especially likely when a single interface is used for both inside and outside traffic.
• Dedicate the Management Interface to management-only traffic in order to increase security. In order to achieve this via the GUI, navigate to Network > Interfaces and check the Separate routing (M1 port restricted to appliance management services only) check box.
• Use fast DNS servers. Any transaction via the WSA requires at least one DNS lookup (if not in the cache). A DNS server that is slow or misbehaves affects every transaction and is observed as delayed or slow Internet connectivity.
• When separate routing tables are used, these rules apply:
  ♦ All interfaces are included in the default Management routing table (M1, P1, P2).
  ♦ Only Data interfaces are included in the Data routing table.
Note: The separation of routing tables is not per interface, but rather per service. For example, traffic between the WSA and the Microsoft Active Directory (AD) domain controller always obeys the routes that are specified in the Management routing table, and it is possible to configure routes that point out of the P1/P2 interface in this table. It is not possible to include routes in the Data routing table that use the Management interfaces.
Load-Balancing
Here are some load-balancing considerations that you can implement in order to ensure the best network behavior:
• DNS rotation: This is the term used when a single hostname is used as a proxy, but it has multiple A records on the DNS server. Each client resolves this to a different IP address and uses a different proxy. A limitation is that changes of DNS records are reflected on clients only upon reboot (local DNS caching), so it offers a low level of robustness if a change must be made. However, this is transparent to the end-users.
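Because clients cache one A record until reboot, a proxy that goes down behind a DNS-rotation name keeps receiving traffic from the clients that resolved to it. The following check, added here as an example and not part of the Cisco guide, resolves the shared hostname and probes the proxy port on every A record so a dead rotation member is spotted before users report it. The hostname and the proxy port 3128 are assumptions; the addresses in the demo run are constructed.

```python
import socket
from typing import Callable

# A probe takes (address, port) and returns True when the port accepts a TCP connection.
ProxyProbe = Callable[[str, int], bool]


def resolve_a_records(hostname: str) -> list[str]:
    """Return every IPv4 address behind the rotation hostname, deduplicated, in DNS order."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    seen: list[str] = []
    for info in infos:
        addr = info[4][0]
        if addr not in seen:
            seen.append(addr)
    return seen


def tcp_probe(addr: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connection to the proxy port; False on timeout or refusal."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_rotation(addrs: list[str], port: int, probe: ProxyProbe = tcp_probe) -> dict:
    """Probe each rotation member and report the ones that no longer accept connections."""
    results = {addr: probe(addr, port) for addr in addrs}
    dead = [addr for addr, ok in results.items() if not ok]
    return {
        "members": len(addrs),
        "reachable": len(addrs) - len(dead),
        "dead": dead,
        # Any dead member is a problem: clients that cached its record stay broken until reboot.
        "healthy": bool(addrs) and not dead,
    }


if __name__ == "__main__":
    # Offline demo with constructed addresses; 10.0.0.3 plays the failed proxy.
    demo_members = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    print(audit_rotation(demo_members, 3128, probe=lambda a, p: a != "10.0.0.3"))
    # Live use (assumed hostname and the WSA default proxy port 3128):
    # print(audit_rotation(resolve_a_records("proxy.example.internal"), 3128))
```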