Cisco Web Security Appliance S680 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 26 System Administration
Support Commands
When enabling the “Secure Tunnel,” the appliance creates an SSH tunnel over the specified port to the
server upgrades.ironport.com. By default this connection is over port 443, which will work in most
environments. Once a connection is made to upgrades.ironport.com, Cisco IronPort Customer Support
is able to use the SSH tunnel to obtain access to the appliance. As long as the connection over port 443
is allowed, this will bypass most firewall restrictions. You can also use the
techsupport tunnel command in the CLI.
In both the “Remote Access” and “Tunnel” modes, a password is required. It is important to understand
that this is not the password that will be used to access the system. Once that password and the system
serial number are provided to your Customer Support representative, a password used to access the
appliance is generated.
Once the techsupport tunnel is enabled, it will remain connected to upgrades.ironport.com for 7 days.
After 7 days, no new connections can be made using the techsupport tunnel. If there are any existing
connections using the tunnel after 7 days, those connections will continue to exist and work. However,
once those connections are closed, they will not be able to open again because the techsupport tunnel
will have closed after 7 days. The timeout set on the SSH tunnel connection does not apply to the Remote
Access account; it will remain active until specifically deactivated.
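A defender-side check for the tunnel described above, as an added example that is not part of the Cisco guide: it flags outbound port-443 flows whose first bytes are an SSH identification string rather than a TLS handshake, and treats them as expected only when they go to upgrades.ironport.com within 7 days of a recorded enablement. The flow-record fields, the enablement record, the assumption that the SSH identification string is visible at the start of the stream, and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta

SUPPORT_HOST = "upgrades.ironport.com"   # tunnel endpoint named in the guide
TUNNEL_LIFETIME = timedelta(days=7)      # tunnel lifetime stated in the guide

def classify_payload(first_bytes: bytes) -> str:
    """Identify the protocol from the first bytes the client sends."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"        # SSH identification string (RFC 4253)
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"        # TLS handshake record header
    return "other"

def review_flow(flow: dict, enabled_at: dict) -> str:
    """Return 'ignore', 'expected-support-tunnel' or 'review'.

    enabled_at maps appliance IP -> time the tunnel was enabled
    (hypothetical change record kept by the administrator).
    """
    if flow["dst_port"] != 443 or classify_payload(flow["first_bytes"]) != "ssh":
        return "ignore"
    start = enabled_at.get(flow["src"])
    in_window = start is not None and start <= flow["ts"] <= start + TUNNEL_LIFETIME
    if flow["dst_host"] == SUPPORT_HOST and in_window:
        return "expected-support-tunnel"
    return "review"         # SSH on 443 outside a known support window

# Constructed sample data (not real traffic); addresses are documentation ranges.
ENABLED = {"192.0.2.10": datetime(2024, 3, 1, 9, 0)}
FLOWS = [
    {"ts": datetime(2024, 3, 1, 9, 1), "src": "192.0.2.10", "dst_host": SUPPORT_HOST,
     "dst_port": 443, "first_bytes": b"SSH-2.0-example\r\n"},
    {"ts": datetime(2024, 3, 2, 8, 0), "src": "192.0.2.10", "dst_host": "www.example.com",
     "dst_port": 443, "first_bytes": b"\x16\x03\x01\x02\x00\x01"},
    {"ts": datetime(2024, 3, 12, 9, 0), "src": "192.0.2.10", "dst_host": SUPPORT_HOST,
     "dst_port": 443, "first_bytes": b"SSH-2.0-example\r\n"},
    {"ts": datetime(2024, 3, 3, 9, 0), "src": "192.0.2.77", "dst_host": "host.example.net",
     "dst_port": 443, "first_bytes": b"SSH-2.0-example\r\n"},
]

def run() -> list:
    """Classify every constructed flow against the enablement record."""
    return [review_flow(f, ENABLED) for f in FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, run()):
        print(flow["ts"], flow["src"], "->", flow["dst_host"], verdict)
```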
Packet Capture
Sometimes when you contact Cisco IronPort Customer Support with an issue, you may be asked to
provide insight into the network activity going into and out of the Web Security appliance. The appliance
provides the ability to intercept and display TCP/IP and other packets being transmitted or received over
the network to which the appliance is attached.
You might want to run a packet capture to debug the network setup and to discover what network traffic
is reaching the appliance or leaving the appliance.
The appliance saves the captured packet activity to a file and stores the file locally. You can configure
the maximum packet capture file size, how long to run the packet capture, and on which network
interface to run the capture. You can also use a filter to limit the number of packets seen by the packet
capture, which can make the output more usable on networks with a high volume of traffic. You can send
any stored packet capture file using FTP to Cisco IronPort Customer Support for debugging and
troubleshooting purposes.
The Support and Help > Packet Capture page displays the list of complete packet capture files stored on
the hard drive. When a packet capture is running, the web interface shows the status of the capture in
progress by showing the current statistics, such as file size and time elapsed.