Cisco Cisco Web Security Appliance S170 사용자 가이드
A-5
AsyncOS 8.6 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
HTTPS/Decryption/Certificate Problems
URL Categories Do Not Block Some FTP Sites
When a native FTP request is transparently redirected to the FTP Proxy, it contains no hostname
information for the FTP server, only its IP address. Because of this, some predefined URL categories
and Web Reputation Filters that have only hostname information will not match native FTP requests,
even if the requests are destined for those servers. If you wish to block access to these sites, you must
create custom URL categories for them using their IP addresses.
information for the FTP server, only its IP address. Because of this, some predefined URL categories
and Web Reputation Filters that have only hostname information will not match native FTP requests,
even if the requests are destined for those servers. If you wish to block access to these sites, you must
create custom URL categories for them using their IP addresses.
Large FTP Transfers Disconnect
If the connection between the FTP Proxy and the FTP server is slow, uploading a large file may take a long
time, particularly when Cisco Data Security Filters are enabled. This can cause the FTP client to time out
before the FTP Proxy uploads the entire file and you may get a failed transaction notice. The transaction
does not fail, however, but continues in the background and will be completed by the FTP Proxy.
time, particularly when Cisco Data Security Filters are enabled. This can cause the FTP client to time out
before the FTP Proxy uploads the entire file and you may get a failed transaction notice. The transaction
does not fail, however, but continues in the background and will be completed by the FTP Proxy.
You can workaround this issue by increasing the appropriate idle timeout value on the FTP client.
Zero Byte File Appears On FTP Servers After File Upload
FTP clients create a zero byte file on FTP servers when the FTP Proxy blocks an upload due to outbound
anti-malware scanning.
anti-malware scanning.
HTTPS/Decryption/Certificate Problems
•
•
•
•
•
Also see:
–
–
–
Accessing HTTPS Sites Using Routing Policies with URL Category Criteria
For transparently redirected HTTPS requests, the Web Proxy must contact the destination server to
determine the server name and therefore the URL category in which it belongs. Due to this, when the
Web Proxy evaluates Routing Policy Group membership, it cannot yet know the URL category of an
HTTPS request because it has not yet contacted the destination server. If the Web Proxy does not know
the URL category, it cannot match the transparent HTTPS request to a Routing Policy that uses a URL
category as membership criteria.
determine the server name and therefore the URL category in which it belongs. Due to this, when the
Web Proxy evaluates Routing Policy Group membership, it cannot yet know the URL category of an
HTTPS request because it has not yet contacted the destination server. If the Web Proxy does not know
the URL category, it cannot match the transparent HTTPS request to a Routing Policy that uses a URL
category as membership criteria.