Cisco Web Security Appliance S160 User Guide
AsyncOS 8.1 for Cisco Web Security User Guide
Chapter 19 Detecting Rogue Traffic on Non-Standard Ports
List of Known Sites
•
Ensure the L4 Traffic Monitor is ‘logically’ connected after the proxy ports and before any device
that performs network address translation (NAT) on client IP addresses.
Configuring L4 Traffic Monitor Global Settings
Step 1  Choose Security Services > L4 Traffic Monitor.
Step 2  Click Edit Global Settings.
Step 3  Choose whether or not to enable the L4 Traffic Monitor.
Step 4  When you enable the L4 Traffic Monitor, choose which ports it should monitor:
•
All ports. Monitors all 65535 TCP ports for rogue activity.
•
All ports except proxy ports. Monitors all TCP ports except the following ports for rogue activity.
Step 1  Configure the Global Settings
See
Step 2  Create L4 Traffic Monitor Policies
See
Address          Description
Known allowed    Any IP address or hostname listed in the Allow List property. These addresses
                 appear in the log files as “whitelist” addresses.
Unlisted         Any IP address that is neither a known malware site nor a known allowed address.
                 It is not listed in the Allow List or Additional Suspected Malware Addresses
                 properties, or in the L4 Traffic Monitor Database. These addresses do not appear
                 in the log files.
Ambiguous        These appear in the log files as “greylist” addresses and include:
                 – Any IP address that is associated with both an unlisted hostname and a
                   known malware hostname.
                 – Any IP address that is associated with both an unlisted hostname and a
                   hostname from the Additional Suspected Malware Addresses property.
Known malware    These appear in the log files as “blacklist” addresses and include:
                 – Any IP address or hostname that the L4 Traffic Monitor Database
                   determines to be a known malware site and that is not listed in the Allow List.
                 – Any IP address that is listed in the Additional Suspected Malware
                   Addresses property, is not listed in the Allow List, and is not ambiguous.
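As an added illustration (not code from the Cisco guide or the appliance), the following Python models the address categories in the table above as a single classification function, so the precedence between the lists can be checked against sample addresses. The list contents, the IP-to-hostname mapping, and the evaluation order (Allow List first, then Ambiguous, then Known malware, else Unlisted) are assumptions made for this example.

```python
# Constructed model of the L4 Traffic Monitor address categories; not Cisco's code.
# List contents and the IP-to-hostname mapping below are sample data for the example.

ALLOW_LIST = {"updates.example.com", "198.51.100.10"}   # Allow List property
SUSPECTED = {"suspect.example.net"}                    # Additional Suspected Malware Addresses
DB_MALWARE = {"bad.example.org", "203.0.113.7"}        # what the L4 Traffic Monitor Database flags

# Constructed reverse mapping: which hostnames resolve to an IP address.
# This drives the "associated with" rules for the Ambiguous category.
IP_TO_HOSTS = {
    "203.0.113.7": {"bad.example.org"},
    "203.0.113.8": {"bad.example.org", "cdn.example.com"},      # malware host + unlisted host
    "203.0.113.9": {"suspect.example.net", "shop.example.com"}, # suspected host + unlisted host
    "203.0.113.10": {"suspect.example.net"},
    "198.51.100.10": {"updates.example.com"},
    "192.0.2.5": {"blog.example.com"},
}


def is_listed(name):
    """True when the name appears on any of the three lists (so it is not 'unlisted')."""
    return name in ALLOW_LIST or name in SUSPECTED or name in DB_MALWARE


def classify(address):
    """Return (category, log label); the label is None when the address is not logged.
    Assumed precedence: Allow List, then Ambiguous, then Known malware, else Unlisted."""
    if address in ALLOW_LIST:
        return ("Known allowed", "whitelist")
    hosts = IP_TO_HOSTS.get(address, set())
    unlisted_host = any(not is_listed(h) for h in hosts)
    malware_host = any(h in DB_MALWARE for h in hosts)
    suspected_host = any(h in SUSPECTED for h in hosts)
    # Ambiguous: the IP is shared by an unlisted hostname and a malware or suspected hostname.
    if unlisted_host and (malware_host or suspected_host):
        return ("Ambiguous", "greylist")
    # Known malware: flagged by the database, or on the suspected list and not ambiguous.
    if address in DB_MALWARE or malware_host:
        return ("Known malware", "blacklist")
    if address in SUSPECTED or suspected_host:
        return ("Known malware", "blacklist")
    return ("Unlisted", None)


if __name__ == "__main__":
    for ip in IP_TO_HOSTS:
        print(ip, classify(ip))
```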