Cisco Web Security Appliance S170 User Guide
Cisco AsyncOS 8.0.6 for Web User Guide
Appendix A Troubleshooting
Logging Problems
Step 2
Create a Decryption Policy that uses the custom URL category created in
as part of its
membership, and set the action for the custom URL category to Pass Through.
Alert: Problem with Security Certificate
Typically, the root certificate information you generate or upload in the appliance is not listed as a trusted
root certificate authority in client applications. By default in most web browsers, when users send
HTTPS requests, they will see a warning message from the client application informing them that there
is a problem with the website’s security certificate. Usually, the error message says that the website’s
security certificate was not issued by a trusted certificate authority or the website was certified by an
unknown authority. Some other client applications do not show this warning message to users nor allow
users to accept the unrecognized certificate.
Note
Mozilla Firefox browsers: The certificate you upload must contain
“basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows
Firefox to recognize the root certificate as a trusted root authority.
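A pre-upload check for the Firefox requirement in the note above, as an added example (not from the Cisco guide). It assumes the OpenSSL command-line tool is installed and the certificate is PEM-encoded; the function names and the throwaway sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a root certificate asserts basicConstraints CA:TRUE
# before uploading it to the appliance. Assumes the openssl CLI is available.

# Return 0 if the PEM certificate in $1 has CA:TRUE in its X509v3 Basic
# Constraints extension; return non-zero otherwise (also for unreadable files).
has_ca_true() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Basic Constraints' \
    | grep -q 'CA:TRUE'
}

# Constructed sample input: write a throwaway self-signed certificate to $1
# using the basicConstraints value in $2 (for example "critical,CA:TRUE").
make_sample_cert() {
  msc_out="$1"
  msc_bc="$2"
  msc_dir="$(mktemp -d)"
  cat > "$msc_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = Constructed Test Root
[ext]
basicConstraints = $msc_bc
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$msc_dir/req.cnf" \
    -keyout "$msc_dir/key.pem" -out "$msc_out" 2>/dev/null
  rm -rf "$msc_dir"
}

# Stand-alone use: pass the certificate you intend to upload as the argument.
if [ "$#" -eq 1 ]; then
  if has_ca_true "$1"; then
    echo "OK: $1 contains basicConstraints CA:TRUE"
  else
    echo "FAIL: $1 does not contain basicConstraints CA:TRUE"
    exit 1
  fi
fi
```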
Logging Problems
Custom URL Categories Not Appearing in Access Log Entries
When a web access policy group has a custom URL category set to Monitor and some other component,
such as the Web Reputation Filters or the DVS engine, makes the final decision to allow or block a
request for a URL in the custom URL category, then the access log entry for the request shows the
predefined URL category instead of the custom URL category.
Logging HTTPS Transactions
HTTPS transactions in the access logs appear similar to HTTP transactions, but with slightly different
characteristics. What gets logged depends on whether the transaction was explicitly sent or transparently
redirected to the HTTPS Proxy:
• TUNNEL. This gets written to the access log when the HTTPS request was transparently redirected
to the HTTPS Proxy.
• CONNECT. This gets written to the access log when the HTTPS request was explicitly sent to the
HTTPS Proxy.
When HTTPS traffic is decrypted, the access logs contain two entries for a transaction:
• TUNNEL or CONNECT depending on the type of request processed.