Content Analysis System Guide

Content Analysis System Administration Guide

Third Party Copyright Notices

2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Blue Coat Systems, Inc., 420 N. Mary Ave., Sunnyvale, CA
Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland

Contents

Initial Configuration 6
    About the Content Analysis System Solution 8
    Content Analysis System Hardware and Software Requirements 10
    Set Up the Appliance with the Command Line Interface 11
    Log In or Log Out of the CAS 12
    Install the Appliance License 13
    Activate Licensed Components 14
    The CAS Home Page 15
    Route Traffic to Alternate Networks 16
    Proxy the CAS Through a Gateway Device 17
    Identify the CAS Appliance 18
    Set the Date/Time Manually 19
    Synchronize the System Clock 20
    Set the Timezone 21
Prepare the Appliance to Scan Data 22
    Change the Default ICAP Server Ports 24
    Define File Type Policy 25
    Set AV Scanning Options 27
    Establish ICAP Connections Between the ProxySG and the CAS 30
    Configure ICAP Exception Policies 31
    Troubleshoot ICAP Errors 34
    Enable Secure ICAP Connections 36
    Allow Trusted File Execution (Whitelisting) 39
    About Whitelisting 40
    Isolate and Analyze Suspicious Files 41
    Drop Slow Download Connections 43
Establish ICAP Connections Between the ProxySG and the CAS 44
    Manually Configure an ICAP Service on the ProxySG 45
    Automatically Configure an ICAP Service on the ProxySG 47
    Configure ICAP Policy 50
    Configure ICAP Exception Policies 51
Monitoring and Alerts 54
    View the CPU Usage Report 56
    View the Memory Usage Report 57
    View ICAP Connections Data 58
    View Ethernet Adapter Statistics 59
    View Historical Connection Data 60
    Scan Results 61
    Cache Hits 63
    View the Sandboxing Objects Report 64
    View the ICAP Bytes Report 65
    View ICAP Object Scan History 66
    View Current Connections 67
    Manage the CAS System Logs 68
    Set Up Alert Delivery Methods 71
Administrative Tasks 75
    Control Access to the Management Console 76
    Manage Administrator Access to the CAS 77
    Define an Administrative Login Message 82
    Manually Scan Files for Threats 83
    Update Anti-Virus Pattern Files 84
    Install a new CAS System Image 86
    Set Log Parameters 87
    Review System Activities 88
    Archive or Restore the System Configuration 89
    Perform Administrative Tasks from the Command Line Interface 90
Troubleshooting and Support Utilities 93
    Archive or Restore the System Configuration 94
    Onboard Diagnostics 95
    Inspect Traffic 96
    Test Network Connectivity 98
    Restart System Services 99
    Review System Activities 100
    View and Export the System Information File 101
    Manually Scan Files for Threats 102
    Send Diagnostic Information to Blue Coat Support 103
    Review the Web Logs 104

Initial Configuration

This chapter introduces you to the Content Analysis System appliance and the Management Console, and helps you prepare the appliance for deployment.

    About the Content Analysis System Solution 8
    Content Analysis System Hardware and Software Requirements 10
    Set Up the Appliance with the Command Line Interface 11
    Log In or Log Out of the CAS 12
    Install the Appliance License 13
    Activate Licensed Components 14
    The CAS Home Page 15
    Route Traffic to Alternate Networks 16
    Proxy the CAS Through a Gateway Device 17
    Identify the CAS Appliance 18
    Set the Date/Time Manually 19
    Synchronize the System Clock 20
    Set the Timezone 21

About the Content Analysis System Solution

The Content Analysis System (CAS) is Blue Coat's next-generation anti-virus, malware, and spyware management system. As with the ProxyAV appliance, CAS provides Blue Coat's world-class virus scanning and integration with your ProxySG appliance infrastructure. CAS also provides new functionality:

- Anti-virus, malware, and spyware scanning with one or multiple simultaneous anti-virus vendors. (Malware and spyware scanning functions depend on the licensed AV vendor.)
- The File Whitelisting feature uses a classification system to identify files that appear to be suspicious but are known to be good. File Whitelisting also provides an option for identifying specific files, hosts, and destination addresses to prevent delays with known-good (yet suspicious) elements.
- Sandbox integration with Blue Coat's Malware Analysis or FireEye. When a suspicious file is found not to be a virus and is not in the whitelist database, the CAS sends the file to an external appliance that runs it in a virtualized workstation environment. The actions of the suspicious file (registry edits, requests to malicious web sources) are identified and included in a detailed report sent to the CAS administrator, who takes appropriate action.
- In busy network environments, anti-virus scan result caching improves the performance of live scanning.
- WebPulse reporting of malware on ProxySG appliances deployed with a CAS appliance.

The scanning flow is as follows:

1. A user in the protected network requests a file from the Internet.
2. The ProxySG appliance compares the file against the Blue Coat Web Filtering database and the local WebPulse database on the appliance. If the domain hosting the file has been categorized as a malware source, the file download is denied and the user is notified. If the domain is not recognized, the ProxySG forwards the file to the CAS for analysis.
3. The CAS compares the file details against the whitelist. If the file is in the whitelist, scanning is suspended and the file is sent to the user.
4. If no match is found, the file is compared against the virus scan cache.
5. If the file has not been scanned before, the available anti-virus engines scan the file.
6. If the file is of a type defined in the Sandboxing list, it is forwarded to a sandbox appliance (if configured).
7. If another user requests the same file, the cached scan result identifies it as bad and the file is blocked.

Content Analysis System Hardware and Software Requirements

The Content Analysis System hardware and software requirements listed below are valid as of the publishing of this guide. For the most current list, refer to the release notes for the Content Analysis System release operating on your appliances.

Supported Hardware Platforms

CAS is supported on the following platforms:
    S400-A1
    S400-A2
    S400-A3
    S400-A4

Supported SGOS Software Versions

The Blue Coat CAS supports only the Blue Coat ProxySG appliance as an Internet Content Adaptation Protocol (ICAP) client. While the Content Analysis System can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS or higher, and arbitrary ICAP header parsing requires SGOS. Because of this, the ProxySG appliance that communicates with the CAS appliance should run SGOS or higher.

Supported Browsers

The Content Analysis System Management Console supports the following web browsers:
    Microsoft Internet Explorer, version 9.x, 10.x
    Mozilla Firefox, version 2.x, 3.x
    Google Chrome

Other browsers might be compatible, but have not been tested.

Set Up the Appliance with the Command Line Interface

Use the Content Analysis System Command Line Interface (CLI) to initially configure the appliance, upload support information, and view the appliance status and configuration. The appliance accepts CLI commands through the serial console connection located on the back of the appliance, or through Secure Shell (SSH v2). SSH access to the appliance is enabled by default.

1. Connect to the appliance through the serial console connection at the rear of the appliance.
2. Launch a terminal application, such as HyperTerminal, and enter the following connection settings:
    BPS: 9600
    Data bits: 8
    Parity: none
    Stop bits: 1
    Flow control: none
3. To start the initial configuration wizard, select Initial Setup. This wizard prompts you to define the following settings:
    IP Address
    Subnet Mask
    Default Gateway
    DNS Server
    Alternate DNS Server
    Administrator Password

Beyond the initial setup wizard provided in the CLI, you can also perform several administrative tasks. For more information, see "Perform Administrative Tasks from the Command Line Interface".

Log In or Log Out of the CAS

The Logout link displays when you click the down arrow next to the admin login name on the Management Console banner. To log out, click Logout. You are logged out and a message confirming the logout displays. If you have disabled authentication, the Logout link does not display in the Management Console banner.

Log In to the Content Analysis System

By default, the Content Analysis System appliance challenges both administrative users and read-only users for their login credentials before permitting access to the Management Console. As a best practice, Blue Coat recommends that you log out of the appliance after completing your tasks in the Management Console. To log in to the appliance again, click the link on the window that displays, or enter the following URL into a browser: cas_ip_address:

Install the Appliance License

The Content Analysis System appliance requires a license to operate. The license activates the default components, plus any additional features that you purchased from Blue Coat.

First time access

When you log in to the appliance for the first time, the interface displays the Invalid or Missing License dialog. Perform the steps below to install the license as appropriate for your deployment method.

The CAS is connected to the Internet

If the CAS appliance is connected to the Internet, retrieve the license directly from Blue Coat and install it.

1. In the CAS appliance interface, select System > Licensing.
2. Click Download License from Blue Coat. The appliance confirms the download and installation.
3. Proceed to "Activate Licensed Components" on page 14.

The CAS is in a closed network

If the CAS appliance cannot connect directly to the Internet, you must download the license file and install it manually. This task requires your BlueTouch Online (BTO) account credentials.

1. From a system/client that has Internet access, proceed to
    a. Enter your BTO credentials.
    b. Navigate to your CAS appliance entitlement and download the license file.
2. In the License Management section of System > Licensing, click Upload License File. The appliance confirms the upload and installation.

Activate Licensed Components

Licensed components can be managed in System > Licensing. All software components used by the Content Analysis System appliance require a license to operate. After completing the license retrieval task (see "Install the Appliance License" on page 13), review the default and entitled components and enable them as required.

1. Select System > Licensing. The Licensing Activation section of this page contains the following columns:
    Active: The activation status of a given component.
    Component: The name and version number of the anti-virus application.
    Status: The status of the anti-virus application (Active or Available) and the date and time the license expires.
2. To activate the anti-virus component, select it in the Active column.
3. Click Save Changes.

The CAS Home Page

Access the Content Analysis System appliance home page by browsing to (replace with the IP address of your CAS appliance). This page displays the current Blue Coat Content Analysis System content scanning and network statistics.

System Health: Displays the current health of the system, specifically the amount of time the service and system have been up, the system's current activity, the AV vendor used on the system, the term of the license, and the date of the patterns installed on the system.

Scanned Statistics: Displays the number of files scanned and malware caught for plain and Secure ICAP.

Traffic Statistics: Displays the network traffic statistics and appliance MAC addresses. Information is segregated by Terabytes (TB), Gigabytes (GB), Megabytes (MB), Kilobytes (KB), and Bytes. Also provides the volume of traffic processed per second. To reset the traffic statistics, click Reset All Historical Stats or Reset Interface Stats. This resets the data counter to 0.

If you are planning to remove power from the Content Analysis System, it is important that you issue the #shutdown command before you do. Failing to do so may corrupt your configuration. See "Perform Administrative Tasks from the Command Line Interface" on page 90.

Route Traffic to Alternate Networks

Network route configuration is available in Settings > Network Routes. For deployments where the default gateway configured on the Content Analysis System does not route traffic to all segments of the network, you can define additional routes. A typical use for the route table is when the SMTP or DNS servers to be used by the CAS appliance are located on an internal network. Routes added here do not affect traffic that is scanned by the appliance; they are only used for connections where the CAS appliance is the client. Examples of this include updates of pattern and engine files, checking for updates to the CAS firmware, and sending alerts.

To add a route to the table:

1. Identify the network interface that will be used to route traffic to the alternate subnet.
2. Select Settings > Network Routes.
3. Click Add. The Add Network Route dialog displays.
4. Destination: Enter the network address for the alternate network.
5. Mask: Enter the subnet mask for the alternate network.
6. Gateway: Enter the IP address for the gateway that will route traffic to the alternate network.
7. Click Add.
8. Click Save Changes.

Use the Edit button if you need to change the settings of a route you added. Use the Delete button to delete an added route you no longer need.

Proxy the CAS Through a Gateway Device

If your network requires all users and servers to connect through a proxy to access Internet resources, you must configure the CAS appliance proxy server settings so that Internet-bound traffic is sent to the ProxySG appliance or other proxy server.

1. Select Settings > Proxy.
2. Enter the Server IP address or hostname and Port for your ProxySG appliance.
3. Enter the proxy authentication Username and Password, if required.
4. Select Enabled.
5. Click Save Changes.

Identify the CAS Appliance

The Content Analysis System appliance name is given when alerts are sent out to recipients, plus in other elements such as the CLI prompt and SNMP logs.

1. Select System > Identification.
2. Enter a unique Appliance Name, which is crucial for easier multi-device management. Consider using a geographic or other location-based name.
3. The Administrator identifies the main communication recipient for this CAS appliance. For example, if an alert is sent that mentions contacting the CAS appliance administrator, this address is given.
4. Click Save Changes.

Set the Date/Time Manually

Date and time configuration is available in Settings > Date Time. The Content Analysis System uses the date and time settings to record events on the appliance and to track engine file updates. Some AV engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining the most current version of the pattern file. By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you prefer to manually set the date and time on the appliance, do the following:

1. In Date Settings, select the date.
2. In Time Settings, set the hour, minutes, and seconds.
3. Click Save Changes.

Synchronize the System Clock

NTP configuration is available in Settings > NTP. The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver or modem. The Content Analysis System ships with a predefined list of Blue Coat NTP servers, and attempts to connect to them in the order they appear in the NTP server list. If the Blue Coat NTP servers aren't accessible to your CAS appliance, if you want to use an internal server, or if your organization has standardized on a particular NTP server for all network equipment, you can define other NTP servers. In addition, you can reorder the servers to give a specific NTP server higher priority over others. Use the options on this page to have your CAS synchronize with Network Time Protocol (NTP) servers.

To configure NTP:

1. Select Settings > NTP.
2. Make sure Enable usage of NTP on device is enabled.
3. Add an NTP server by clicking Add NTP Server. The Add NTP Server dialog displays.
4. Define your preferred NTP server by IP address or hostname and click Add. Blue Coat's NTP server addresses are ntp1.bluecoat.com and ntp2.bluecoat.com.
5. (Optional) Repeat the process if your organization has multiple NTP servers.
6. Click Save Changes.
7. Click Acquire Time Now (at the top of the page) to force the appliance to synchronize the system time with the configured NTP server.

The CAS appliance uses the servers in the order they appear on the NTP server list. To change the order, drag and drop the servers to the desired priority position in the list.

Set the Timezone

Use Timezone to use local time instead of UTC time in recording events. The Content Analysis System uses the date and time settings to record events on the appliance and to track engine file updates. Some AV engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining the most current version of the pattern file. By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you prefer to use the local time instead, configure the appliance to use local time:

1. Select Settings > Timezone.
2. Select your time zone region from the Time Zone Region drop-down list.
3. Select your local time zone from the Time Zone drop-down list.
4. Click Save Changes.

Prepare the Appliance to Scan Data

Before the CAS appliance can scan traffic from a ProxySG appliance, it must be configured to accept traffic. The topics in this chapter will help you ready the CAS to receive traffic to be scanned.

    Change the Default ICAP Server Ports 24
    Define File Type Policy 25
    Set AV Scanning Options 27
    Establish ICAP Connections Between the ProxySG and the CAS 30
    Configure ICAP Exception Policies 31
    Troubleshoot ICAP Errors 34
    Enable Secure ICAP Connections 36
    Allow Trusted File Execution (Whitelisting) 39
    About Whitelisting 40
    Isolate and Analyze Suspicious Files 41
    Drop Slow Download Connections 43

Change the Default ICAP Server Ports

ICAP server ports can be configured from Settings > ICAP. By default, the Content Analysis System appliance receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection. All CAS appliance models support up to 250 simultaneous ICAP connections. The CAS listens for plain ICAP on port 1344 by default (Secure ICAP uses its own port; see "Enable Secure ICAP Connections"). You can change the port, but be advised that this change must occur on both ends of the transaction: the CAS and the ProxySG appliance ICAP service.

Define File Type Policy

You can configure how the Content Analysis System appliance reacts when specific file extensions or file types are received over ICAP from a ProxySG appliance. File Extensions policy applies to all anti-virus vendors. If you employ Kaspersky or Sophos, you can configure additional Ignore, Scan, and Block policy for types of data.

File Extensions

The Content Analysis System scans original files and files within an archive. You can specify file types that are blocked (neither scanned nor served to the client) or served to the client unscanned (allowed). Checks are performed on the original file and on files inside an archive. To reduce overhead on the Content Analysis System, you can create policy on the ProxySG appliance to restrict specified file extensions from being sent to the Content Analysis System for scanning. For more information, see Malicious Content Scanning Services in the Blue Coat ProxySG Configuration and Management Guide.

To specify blocked or passed-through file types:

1. Select Services > AV File Types. The interface displays the Scanning Behavior.
2. Under File Extensions, enter file types as appropriate:
    a. List file extensions to block: Any file types with these extensions are blocked and not served to the client.
    b. List file extensions that do not need to be scanned: Any file types with these extensions are passed to the user, unscanned. If you enable this option, consider the Blue Coat advisory that viruses and other malicious code can be embedded in many file types, including image formats.
   Use a comma or semicolon as a delimiter to separate file types. For example: .gif;.tif
3. Click Save Changes.

Known File Type Management (Kaspersky or Sophos)

In addition to the manual file extension lists, the CAS appliance can, depending on the anti-virus vendor, apply specific rules (Ignore, Scan, Block) to specific types of data. This feature is only available if your appliance is licensed to use either the Kaspersky or Sophos AV engine. Instead of simply examining the file extension associated with each file, the appliance examines the apparent data type to determine the correct type of file. Apparent Data Types allow the CAS appliance to identify data content using the actual file signature and information in the HTTP header rather than by file extension. For example, it can identify graphics (such as JPG and GIF files), documents, archives, executables, encodings, media, and macros. The appliance also recognizes all files within an archived or compound Microsoft file. If an individual file in a compound file is specified to be blocked, the entire compound file is blocked. For example, if a zip file contains Word files and JPG files and by policy Word files are allowed while JPG files are blocked, the entire zip file would be blocked.

To specify apparent data types and actions for each type:

1. In the Global Options field, select Apply Global Options before Sending to Antivirus Engines. This option applies your selected actions against the most common file types.
2. Click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on.
    Ignore: The file is served back to the ProxySG without being scanned by the Content Analysis System appliance.
    Block: No scanning occurs and the Content Analysis System appliance returns a response to the ProxySG appliance that the file was blocked (code type: file_type_blocked).
    Scan: The appliance scans the object for malicious content and returns the content or a modified response to the ProxySG appliance.
3. For each configured vendor, determine whether to apply Global Options or to use vendor-specific options. To use vendor-specific options, click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on. If you choose to use the unique file options for a specific anti-virus vendor, check the appropriate box or the actions will be ignored.
4. (Optional, Sophos only) Select Detection of weak types to enable recognition of file types that otherwise might be difficult for the Content Analysis System appliance to identify with 100 percent confidence.
5. Click Save Changes.
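The apparent-data-type rule above (classify by the file's signature, not its extension, and let one blocked member block a whole archive) is easy to get wrong in a home-grown gateway, so here is an added example that models it. This is not the appliance's code: the magic-byte table, the policy dictionary and the sample files are constructed for the illustration, and the CAS's own signature database is not reproduced.

```python
import io
import zipfile

# Constructed signature table for the example only. Classification is done on
# the leading bytes of the object; the client-supplied name is never consulted.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "document"),
    (b"MZ", "executable"),
    (b"PK\x03\x04", "archive"),
]


def apparent_type(data):
    """Return the apparent data type of an object from its file signature."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def decide(data, policy, default="scan"):
    """Return 'ignore', 'scan' or 'block' for an object under an
    apparent-data-type policy (a dict of type -> action).

    Archives are walked member by member; one blocked member blocks the whole
    archive, which is the compound-file rule the guide describes. Unknown types
    fall back to the default action."""
    kind = apparent_type(data)
    action = policy.get(kind, default)
    if action == "block":
        return "block"
    if kind == "archive":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if decide(zf.read(name), policy, default) == "block":
                        return "block"
        except zipfile.BadZipFile:
            # A damaged archive is handed to the AV engine, which raises a
            # decode error under the scanning-exception policy.
            return "scan"
    return action


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed policy: GIF is ignored, JPEG is blocked, everything else scanned.
POLICY = {"gif": "ignore", "jpeg": "block", "document": "scan",
          "archive": "scan", "executable": "scan"}

# Constructed sample objects (only the signatures matter here).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
GIF = b"GIF89a" + b"\x00" * 16
DOC = b"%PDF-1.4\n%constructed sample\n"


def demo():
    """Run the policy over the samples; keys name the scenario."""
    return {
        "jpeg_any_name": decide(JPEG, POLICY),                    # block
        "gif": decide(GIF, POLICY),                               # ignore
        "zip_docs_only": decide(make_zip({"a.pdf": DOC}), POLICY),      # scan
        "zip_with_jpeg": decide(make_zip({"a.pdf": DOC, "b.jpg": JPEG}), POLICY),  # block
        "nested_zip": decide(make_zip({"inner.zip": make_zip({"x.jpg": JPEG})}), POLICY),  # block
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>15}: {verdict}")
```

Note that the JPEG is blocked whatever name it carries, and that the archive containing one JPEG among allowed documents is blocked as a whole, matching the zip-of-Word-and-JPG example in the text.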

Set AV Scanning Options

AV Scanning Option configuration is available in Services > AV Scanning Behavior.

Step 1: Configure the CAS to return cached responses.

Selecting Enabled configures the CAS to return cached responses to the ProxySG appliance when applicable. If the hash of the data matches a file that the CAS has already determined to be clean or to contain a virus, it returns the cached response. This option allows the appliance to learn about traffic patterns on your network and adjust accordingly.

Step 2: Set the maximum file size.

An individual file size cannot exceed the specified size, 5120 MB. This limitation also applies to each file within an archive.

Step 3: Configure policies for anti-virus exceptions.

These options define how the CAS behaves when a scanning timeout or a scanning error occurs. The behavior is as follows:
    Block: If selected for an error type, the file is dropped.
    Serve: If selected, the file is passed to the client, unscanned.
The default for all options is Block. The supported scanning errors for different AV vendors are described in the following table.

File scanning timeout
    Description: The time required to scan the file exceeds the specified or appliance limit.
    Vendors: Kaspersky, McAfee, Sophos

Maximum individual file size exceeded
    Description: A file size exceeds the specified or maximum appliance limit.
    Vendors: Kaspersky, McAfee, Sophos

Maximum total uncompressed size exceeded
    Description: An uncompressed file size exceeds the specified or maximum appliance limit.
    Vendors: Kaspersky, McAfee, Sophos

Maximum total number of files in archive exceeded
    Description: An archive contains more files than the specified or maximum appliance limit.
    Vendors: Kaspersky, McAfee, Sophos

Maximum number of archive layers exceeded
    Description: An archive contains more archive layers than the specified or maximum appliance limit. This option is only supported by Kaspersky and McAfee. Sophos generates an anti-virus engine error, which is categorized by the Other errors policy option.
    Vendors: Kaspersky, McAfee

Decode/decompress error
    Description: An error occurred during decoding or during decompression of a compressed file. For example, the file is corrupted, or the method used to decompress the file is unsupported.
    Vendors: Kaspersky, McAfee, Sophos

Password protected archive
    Description: An archive file that requires a password to access.
    Vendors: Kaspersky, McAfee, Sophos

Out of temporary storage space
    Description: The CAS buffer capacity for files to be scanned is full.
    Vendors: Kaspersky, McAfee, Sophos

Other errors
    Description: Any miscellaneous error that causes irregular behavior.
    Vendors: Kaspersky, McAfee, Sophos

Step 4: Specify vendor-specific options.

Set the following vendor-specific options:
    Engine Settings
    File Scanning Timeout
    File Size/Count Limitations

Engine Settings

The following table describes the vendor-specific engine settings.

Detect Spyware
    Vendors / Default: Kaspersky (Disabled), McAfee (Enabled), Sophos (Disabled)

Detect Adware
    Vendors / Default: Kaspersky (Disabled)
    Notes: Detect Adware is disabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware.

Enable Antivirus engine heuristic
    Vendors / Default: Kaspersky (Disabled)
    Notes: This option enables the appliance to catch potential viruses for which pattern signatures might be unavailable. Because the Kaspersky anti-virus engine heuristics option requires additional system resources, Blue Coat recommends that you verify that CPU usage is within the normal operating range for the appliance before enabling heuristics. Note: Do not enable Kaspersky heuristics if the current CPU utilization is in a Warning or Critical state.

Detect Potentially Unwanted Applications (adware)
    Vendors / Default: Sophos (Enabled)
    Notes: This option detects adware.

Use Sophos Weak Types
    Vendors / Default: Sophos (Disabled)

File Scanning Timeout

File scanning timeout is the maximum length of time the file is scanned by the CAS appliance. When the timeout value is reached, the scan is abandoned. Some files, though not viruses themselves, are designed to disable a virus scanner. Although these files cannot disable a CAS appliance, they could use up system resources and slow down overall throughput. Defining a timeout value allows the appliance to reclaim system resources. The default is 800 seconds; a value between 10 and 3600 seconds (60 minutes) is valid.

File Size/Count Limitations

Maximum Total Uncompressed Size: This option is included in the vendor-specific settings. An uncompressed file or archive cannot exceed the specified size (MB). The maximum is

Maximum Total Number of Files in Archive: This option is included in the vendor-specific settings. An archive cannot contain more than the specified number of files.

Maximum Archive Layers: This option is included in the vendor-specific settings. An archive is a file containing multiple files and a folder structure. It cannot contain more than the specified number of layers (directories). The maximum is:
    McAfee: 300
    Sophos: 100
    Kaspersky: 40

If any of these options are exceeded, the object is not scanned.

After completing these steps, click Save Changes. Click Default Settings to restore all configurations to a default state.
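The scanning-exception policy (Step 3) and the file size/count limitations (Step 4) together decide what happens to an archive the engine refuses to open. The following is an added example, not the appliance's code, that walks a zip in the way such a limit check has to: it stops at the first violated limit and reports it under the error names from the table above, then applies a Block/Serve policy keyed on that name. The limit values and sample archives are constructed; "archive layers" is taken here to mean nested archives, which is an assumption (the text says layers are directories), and the password check only reads the zip's encryption flag rather than attempting decryption.

```python
import io
import zipfile

# Constructed limits for the example; these are not the appliance defaults.
LIMITS = {
    "max_files": 10,                 # Maximum Total Number of Files in Archive
    "max_total_bytes": 1024 * 1024,  # Maximum Total Uncompressed Size
    "max_file_bytes": 512 * 1024,    # maximum individual file size
    "max_layers": 2,                 # Maximum Archive Layers (nesting depth)
}

# Scanning-exception policy; the guide's default is Block for every error.
POLICY = {
    "Password protected archive": "block",
    "Maximum number of archive layers exceeded": "block",
    "Maximum total uncompressed size exceeded": "block",
    "Maximum individual file size exceeded": "block",
    "Maximum total number of files in archive exceeded": "block",
    "Decode/decompress error": "block",
}


def inspect_archive(data, limits):
    """Return the name of the first limit an archive violates, or None.

    Sizes come from the central-directory headers, so no member is inflated
    before its declared size has been checked against the limits. Nested zips
    are recursed into, counting towards the same running totals."""
    totals = {"files": 0, "bytes": 0}

    def walk(blob, layer):
        if layer > limits["max_layers"]:
            return "Maximum number of archive layers exceeded"
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return "Decode/decompress error"
        with zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                    return "Password protected archive"
                totals["files"] += 1
                totals["bytes"] += info.file_size
                if totals["files"] > limits["max_files"]:
                    return "Maximum total number of files in archive exceeded"
                if info.file_size > limits["max_file_bytes"]:
                    return "Maximum individual file size exceeded"
                if totals["bytes"] > limits["max_total_bytes"]:
                    return "Maximum total uncompressed size exceeded"
                if info.filename.lower().endswith(".zip"):
                    err = walk(zf.read(info), layer + 1)
                    if err:
                        return err
        return None

    return walk(data, 1)


def decide(data, limits=LIMITS, policy=POLICY):
    """Return (action, error): ('scan', None) when no limit is hit, otherwise
    the policy's Block/Serve action for the error that was hit."""
    err = inspect_archive(data, limits)
    if err is None:
        return ("scan", None)
    return (policy.get(err, "block"), err)


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encrypted bit in the first central-directory entry so the sample
    looks password protected without any real encryption (test fixture only)."""
    buf = bytearray(zip_bytes)
    idx = buf.find(b"PK\x01\x02")      # central directory file header signature
    buf[idx + 8] |= 0x01              # general-purpose flag, low byte, bit 0
    return bytes(buf)


def demo():
    """Constructed archives, one per scenario, run through decide()."""
    samples = {
        "small": make_zip({"a.txt": b"hello", "b.txt": b"world"}),
        "nested3": make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"deep.txt": b"x"})})}),
        "big": make_zip({f"f{i}.bin": b"\x00" * (400 * 1024) for i in range(3)}),
        "locked": mark_encrypted(make_zip({"secret.txt": b"secret"})),
        "truncated": b"PK\x03\x04" + b"\x00" * 20,
    }
    return {name: decide(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (action, err) in demo().items():
        print(f"{name:>10}: {action:<5} {err or ''}")
```

Switching "Password protected archive" to "serve" in POLICY is the Serve case from Step 3: the archive then reaches the client unscanned, which is why the guide defaults every error to Block.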

Establish ICAP Connections Between the ProxySG and the CAS

Before your Content Analysis System appliance (CAS) can handle traffic, you must configure your ProxySG appliance to send traffic to it. Traffic is sent using the Internet Content Adaptation Protocol (ICAP). When a user requests content from the Internet, it is forwarded to the CAS appliance for processing. The data is first compared against the file whitelist, then scanned for viruses with the vendors you have configured on the appliance. If the file does not match any known viral signatures, but appears to be a suspicious executable file, the CAS appliance forwards that file to a sandbox, where it is executed and monitored to determine what type of threat (if any) the file poses to the user and the network.

While the Content Analysis System can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS or higher, and arbitrary ICAP header parsing requires SGOS. Because of this, the ProxySG appliance that communicates with the CAS appliance should run SGOS or higher.

To send data to the Content Analysis System appliance, you must configure the ProxySG appliance to send data to the CAS appliance with ICAP. The ProxySG appliance has two methods to achieve this: manual and automatic. The manual configuration requires that you create policy to trigger the ICAP connection for destination URLs, categories and file types. The automatic configuration relies on the Malware Scanning option, which provides a threshold configuration to determine how strict ICAP scanning will be.
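The ICAP exchange the ProxySG and the CAS perform on port 1344 (see "Change the Default ICAP Server Ports" and the section above) is defined by RFC 3507, and a practitioner debugging a broken ICAP service usually ends up reading it on the wire. The following added example, which is not Blue Coat's code, builds a RESPMOD request the way a proxy would hand a downloaded HTTP response to the scanner, and parses the two shapes of reply the scanner can give back: 204 (content unmodified, serve it) or 200 with a replacement HTTP response (for instance a block page). The service path /avscan, the hostname, the ISTag value and the HTTP messages are all constructed for the example; the CAS's real service name and any vendor-specific ICAP headers are not on this page and are not used.

```python
from urllib.parse import urlparse

# Assumed ICAP service URL (hostname and service path are not from the guide).
ICAP_SERVICE = "icap://cas.example.internal:1344/avscan"

# Constructed HTTP request and origin response the proxy wants scanned.
REQ_HDR = b"GET /files/report.pdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: 9\r\n\r\n"
RES_BODY = b"%PDF-1.4\n"


def encapsulated_header(sections):
    """Build the Encapsulated header value (RFC 3507 4.4.1) from an ordered
    list of (name, bytes): each offset is the cumulative length so far."""
    parts, offset = [], 0
    for name, blob in sections:
        parts.append(f"{name}={offset}")
        offset += len(blob)
    return ", ".join(parts)


def build_respmod(service_url, req_hdr, res_hdr, body):
    """Serialize a RESPMOD request: ICAP headers, then the encapsulated HTTP
    request header, response header and chunked response body."""
    host = urlparse(service_url).hostname
    sections = [("req-hdr", req_hdr), ("res-hdr", res_hdr), ("res-body", b"")]
    icap_head = (
        f"RESPMOD {service_url} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Allow: 204\r\n"                       # we accept '204 unmodified'
        f"Encapsulated: {encapsulated_header(sections)}\r\n\r\n"
    ).encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return icap_head + req_hdr + res_hdr + chunked


def parse_icap_response(raw):
    """Split an ICAP response into status, headers, Encapsulated offsets and
    the raw encapsulated payload that follows the ICAP header block."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    encapsulated = {}
    for item in headers.get("encapsulated", "").split(","):
        if "=" in item:
            name, _, off = item.partition("=")
            encapsulated[name.strip()] = int(off)
    return {"version": version, "status": int(code), "headers": headers,
            "encapsulated": encapsulated, "payload": payload}


def scan_verdict(raw):
    """Interpret the scanner's reply for the proxy: ('unmodified', None) on 204,
    ('modified', http_status) when a replacement response was returned, or
    ('error', icap_status) for anything else."""
    resp = parse_icap_response(raw)
    if resp["status"] == 204:
        return ("unmodified", None)
    enc = resp["encapsulated"]
    if resp["status"] == 200 and "res-hdr" in enc:
        start = enc["res-hdr"]
        end = enc.get("res-body", enc.get("null-body", len(resp["payload"])))
        http_status = resp["payload"][start:end].split(b" ", 2)[1]
        return ("modified", int(http_status))
    return ("error", resp["status"])


# Constructed scanner replies: a clean verdict and a block page.
SAMPLE_CLEAN = (b'ICAP/1.0 204 No Content\r\nISTag: "constructed-tag"\r\n'
                b"Encapsulated: null-body=0\r\n\r\n")
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
BLOCK_BODY = b"<html>Download blocked by content scanner</html>"
SAMPLE_BLOCKED = (
    b'ICAP/1.0 200 OK\r\nISTag: "constructed-tag"\r\nEncapsulated: '
    + encapsulated_header([("res-hdr", BLOCK_HDR), ("res-body", b"")]).encode()
    + b"\r\n\r\n" + BLOCK_HDR
    + f"{len(BLOCK_BODY):x}\r\n".encode() + BLOCK_BODY + b"\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(build_respmod(ICAP_SERVICE, REQ_HDR, RES_HDR, RES_BODY).decode("latin-1"))
    print(scan_verdict(SAMPLE_CLEAN), scan_verdict(SAMPLE_BLOCKED))
```

The Encapsulated offsets are the part that most often breaks hand-rolled ICAP clients; computing them from the actual byte lengths, as encapsulated_header does, is what keeps the proxy and scanner agreeing on where the HTTP headers end and the body begins.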

Configure ICAP Exception Policies

Whether you've used an automatic ICAP configuration with Malware Scanning or a manual configuration with an ICAP request modification rule in the VPM, you may find that your organization needs to exempt specific destinations from ICAP scanning. If a destination URL, category or file type is trusted, you may decide not to have that traffic scanned. The examples provided in this topic detail the steps to configure the most common types of ICAP exemptions.

Exempt a domain from ICAP scanning

If you are using the Malware Scanning configuration, add a new Web Content layer from the Policy menu, label it ICAP Scan and proceed with the steps below. If you have configured a manual ICAP scan policy instead, the following policies must be positioned above your existing ICAP scan rule.

1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section.
2. Right-click the action field in this rule. Click New > Set ICAP Response Service.
3. Name the new object DoNotScan and select Do not use any ICAP response service.
4. Click OK, and OK.
5. Right-click the destination field in this new rule. Click Set > New > Request URL.
6. Enter (replace with a domain you would like to exempt from ICAP scanning). Click Add, Close, OK and Install Policy.

Exempt a category from ICAP scanning

Because some media streams have no end, sending those streams to an ICAP appliance for scanning can lead to delays in processing other traffic. As a best practice, follow these steps to exempt the streaming media category from ICAP scanning.

1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section.
2. Right-click the destination field in this new rule, click Set > New > Request URL Category. Expand the Blue Coat categories list and select TV/Video Streams. Name the object TV/Video Stream Category.
3. Click OK, OK, and Install Policy.

Use policy to react to specific ICAP scan results

SGOS introduced the option to define policy to take action based on the results of ICAP scanning. See the Troubleshoot ICAP Errors topic for the available policy triggers. In this example, we want to allow users to download archive files such as zip, rar or gz if they are password protected and from a trusted domain. To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must have the Continue without ICAP/Malware Scanning option enabled; otherwise no action can be taken on a given request.

1. Add a new Web Access Layer and name it ICAP Error Actions.
2. In the Edit menu, select Reorder Layers. Position the ICAP Error Actions layer below your ICAP Scan layer.
3. Right-click the destination field, click Set > New > Request URL.
4. Enter the domain name of the URL in question (in this case, the trusted domain from this example). Click Add, Close, and OK.
5. Right-click the Service field in the new rule, click Set > New > ICAP Error Code.
6. Select Password Protected Archive, click Add, OK, and OK.
7. Right-click the Action field, select Allow, and click Install Policy.

Troubleshoot ICAP Errors

ICAP error codes are available as objects in policy for the Content Analysis System ICAP server only, and are useful for creating policy that is flexible and granular. SGOS introduced policy actions that react to the results of an ICAP scan. See the Configure ICAP Exception Policies topic for an example of working with the response codes below in policy. To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must have the Continue without ICAP/Malware Scanning option enabled.

When reading the table, keep two families of codes apart. Codes about the ICAP channel or the engine (Connection Failure, ICAP Connection Unavailable, ICAP Security Error, ICAP Connection Mode Not Supported, Anti-virus Engine Failure, Anti-virus License Expired) mean the object was never scanned and are the cases a fail-open setting silently lets through. Codes about the object itself (Password Protected Archive, File Type Blocked, the size and archive-depth limits) describe a property of the file and are the ones a narrow Allow rule for a trusted source might reasonably target.

The following table lists common ICAP errors generated by the Content Analysis System. The VPM object name is the same as the error code except where noted.

ICAP Error Codes Available in Policy

Anti-virus Engine Failure
    The ICAP appliance was unable to load the configured anti-virus scanning engine.
Anti-virus License Expired
    The anti-virus license on the ICAP device has expired.
Anti-virus Load Failure
    The ICAP device responded to the ICAP request, but was unable to begin the file scan because the service was unavailable.
Connection Failure
    A connection to the ICAP device could not be established.
Decode error (VPM object: Decode Error)
    An error was detected during file decompression or decoding.
File Extension Blocked
    The ICAP device has the requested file extension set to Block.
File Type Blocked
    The ICAP device identified the file type from the file's header and found that the detected file type is set to Block.
ICAP Connection Mode Not Supported
    A configuration mismatch has occurred between the plain and secure ICAP settings. Verify that your ICAP appliance and the ProxySG appliance ICAP service and policy objects all support the same set of secure and insecure connection methods.
ICAP Connection Unavailable
    A connection with the ICAP device could not be established.
ICAP Security Error
    A connection was established with the ICAP device, but the security settings between the ProxySG appliance and the ICAP device could not be negotiated.
Internal Error
    The ICAP device reported an unspecified error that prevented the file from being scanned.
Password Protected (VPM object: Password Protected Archive)
    The archive file could not be scanned because it is password protected.
Insufficient Space
    Indicates that the disk is full.
Maximum Archive Layers Exceeded
    The ICAP device reported that the configured maximum number of layers permitted in an archive file has been exceeded.
Max file size exceeded (VPM object: Maximum File Size Exceeded)
    The individual file size to be scanned exceeds the configured maximum. The maximum individual file size that can be scanned depends on the RAM and disk size of the ProxyAV model.
Maximum Total Files Exceeded
    The requested file exceeds the configured maximum number of files permitted in a single archive file.
Maximum Total Size Exceeded
    The total uncompressed file size exceeds the configured maximum. The maximum limit varies by ProxyAV model.
Request Timeout
    The requested file failed to load because the connection with the origin content server timed out.
Scan timeout (VPM object: Scan Timeout)
    The scan operation was abandoned because the file scanning timeout was reached. The default is 800 seconds.
Server Error
    The origin content server responded to the user's request to serve a file with an error.
Server Unavailable
    The origin content server hosting the requested file is unavailable.

Enable Secure ICAP Connections

By default, the Content Analysis System appliance receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection on port 1344, the Plain ICAP port. Plain ICAP carries the scanned objects in the clear, so content that the ProxySG has decrypted from HTTPS sessions would cross the network unencrypted between the two appliances. For heightened security, you can enable a secure (TLS) connection between the CAS appliance and the ProxySG appliance; using secure ICAP ensures that no unencrypted HTTPS data passes between the CAS and the ProxySG. If the ProxySG appliance supports only Plain ICAP connections, you cannot enable secure ICAP.

After your appliance is configured initially, you must create a new certificate. The default certificate does not contain information, such as the common name field, that the ProxySG appliance can validate. Such information must be resolvable to the CAS appliance hostname or IP address: the name in the certificate must match the hostname or IP address that the ProxySG uses in the ICAP service URL.

Configure the CAS to receive secure ICAP connections.

1. Select Settings > ICAP.
2. Secure the connection.
   a. Select secure.
   b. Note the default secure port. You can change the port, but the change must be made on both ends of the transaction: the Content Analysis System and the ProxySG appliance secure ICAP service.
   c. Select plain if you want to allow a non-secure backup connection over the plain port should the ProxySG appliance be unable to establish a secure connection. This might occur if there is a certificate mismatch or another issue on the ProxySG side of the transaction. Be aware that this fallback means a certificate problem silently downgrades scanning traffic to cleartext; if you leave plain disabled, the same problem shows up as an ICAP service error on the ProxySG, where you will notice it.
3. Generate the secure connection certificate.
   a. On the Settings > ICAP page, click Certificate Management. The interface displays the Certificate Management dialog.
   b. The Current Information tab displays what is in the current appliance certificate. If any of that information is incorrect, click Create Certificate.
   c. Select Custom Parameters.
   d. Enter the entity information.
   e. Enter a recipient email address, which is notified if there are problems with the certificate.
   f. Select a Date Valid until value. On this date, the CAS appliance deems the certificate invalid and the ProxySG appliance registers an ICAP service error, so record the date and renew the certificate (and re-import it on the ProxySG) before it arrives.
   g. Set the key Size value.
   h. Click Save Changes to generate the certificate. The certificate file downloads to your default download folder.
   i. Click Current Information and Download Public Key to save the certificate file to your local system.

Import the CAS certificate and enable secure ICAP connections between the ProxySG and CAS appliances.

1. Log in to the ProxySG appliance Management Console.
2. Navigate to Configuration > SSL > CA Certificates.
3. Import the CAS certificate.
   a. Click Import. The Management Console displays the Import External Certificate dialog.
   b. Name the CA certificate.
   c. Open the CAS appliance certificate in a text editor on your system and copy all text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive.
   d. Click Paste From Clipboard to add the certificate to the CA Certificate PEM field.
   e. Click OK to close the dialog; click Apply.
4. Add the certificate to the approval list.
   a. Select SSL > CA Certificates > Certificate Lists.
   b. Select the AV_Approval CA Certificate list and click Edit.
   c. Select your new certificate from the list on the left and click Add>> to add it to this CA certificate list.
   d. Click OK; click Apply.
5. Navigate to External Services > ICAP.
6. Select your CAS ICAP service object in the list and click Edit.
7. Select This service supports secure ICAP connections.
8. Select AV_SSL from the SSL Device Profile drop-down menu. Click OK and Apply.
9. Edit the ICAP service object again and click Sense Settings to verify your configuration.
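A check for the certificate requirements above, as an added example in Python (not CAS or ProxySG code): it applies the same tests the ProxySG applies when it validates the CAS certificate, a subject name that matches the hostname or IP address in the ICAP service URL and a validity window that has not expired, and builds the TLS client settings a secure ICAP client should use. The sample certificates, the hostname cas.example.com and the address 10.0.0.20 are constructed for the example.

```python
"""Checks that a CAS secure-ICAP certificate is one the ProxySG can validate:
a subject name matching the CAS hostname or IP used in the ICAP service URL,
and a validity window that has not run out.

Added example, not CAS or ProxySG code. It works on the dict shape returned
by Python's ssl.SSLSocket.getpeercert(). The two sample certificates, the
hostname cas.example.com and the address 10.0.0.20 are constructed here.
"""
import ssl
import time


def cert_time(text):
    """Validity timestamp as getpeercert() renders it -> UTC epoch seconds."""
    return ssl.cert_time_to_seconds(text)


def subject_names(cert):
    """Names the peer may be addressed by: SANs if present, otherwise the CN.
    A certificate with neither (like a factory default cert) yields []."""
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, host):
    """Exact match, or single-label wildcard (*.example.com) for DNS names."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_cas_certificate(cert, expected_host, now=None, warn_days=30):
    """Return the list of reasons the ProxySG would (or soon will) reject the
    certificate; an empty list means it is usable for secure ICAP."""
    now = time.time() if now is None else now
    problems = []
    names = subject_names(cert)
    if not names:
        problems.append("certificate has no common name or subject alternative name")
    elif not any(name_matches(n, expected_host) for n in names):
        problems.append(f"no subject name matches {expected_host!r} (certificate has {names})")
    if "notBefore" in cert and cert_time(cert["notBefore"]) > now:
        problems.append(f"certificate is not valid until {cert['notBefore']}")
    if "notAfter" not in cert:
        problems.append("certificate has no expiry date")
    else:
        remaining = cert_time(cert["notAfter"]) - now
        if remaining <= 0:
            problems.append(f"certificate expired on {cert['notAfter']}")
        elif remaining < warn_days * 86400:
            problems.append(f"certificate expires within {warn_days} days ({cert['notAfter']})")
    return problems


def secure_icap_context(cafile=None):
    """TLS client settings for the secure ICAP port: the CAS certificate (or
    its CA) must be in cafile, the hostname must match, and TLS < 1.2 is off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed samples in getpeercert() shape (not real CAS certificates)
DEFAULT_CERT = {   # the kind of factory certificate the guide says to replace
    "subject": ((("organizationName", "Content Analysis System"),),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
CUSTOM_CERT = {    # generated with Custom Parameters for the CAS name and address
    "subject": ((("commonName", "cas.example.com"),),),
    "subjectAltName": (("DNS", "cas.example.com"), ("IP Address", "10.0.0.20")),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}
```

In a live check, pass the dict from `ssl.SSLSocket.getpeercert()` obtained by connecting to the CAS secure port with `secure_icap_context(cafile)`, where cafile holds the certificate downloaded in step 3i; an empty result from check_cas_certificate() corresponds to the ProxySG accepting the service, and the "expires within" warning is the renewal reminder the guide's validity date implies.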

Allow Trusted File Execution (Whitelisting)

Whitelisting configuration is available in Services > Whitelisting.

By default, the Content Analysis System scans all files and executables to protect computers and networks from harmful content. You might determine that some of those files are acceptable and perhaps necessary for your enterprise. After one initial scan, a hash for each known-good file is added to the file whitelist, which exempts it from CAS scanning. The CAS appliance refers to the list of known-good hashes, which comprise the location and name of the file. If a file matches a hash in the whitelist, the appliance informs the ProxySG appliance that the file is good and the user is permitted to download it. If the file is not on the whitelist and scanning is enabled, the Content Analysis System (CAS) scans it with the available anti-virus vendors. If the file fails to match any known virus signature, the appliance sends it to the configured sandbox vendor for final inspection (if sandboxing is configured).

To use whitelisting, you must first activate it in System > Licensing.

About Trust Scores

A Trust Score is a number that represents the file's level of trust, based on whether it comes from a known and trusted source. The higher the number, the greater the trust. For example:

Trust Score   Meaning
0             File is likely malicious
2-3           Gray file (unknown whether the file is malicious)
7 or above    File comes from a known trusted source

Seven is the default minimum trusted score and is the best-practice value for most deployments. You can adjust the minimum if your situation dictates it, but a lower minimum means files with less evidence of a trusted origin skip anti-virus scanning entirely, so treat any change below the default as widening the scanning exemption.

1. Select Services > Whitelisting.
2. Enter a number in the Trusted whitelisting score value box. 7 is the default and best-practice value for most deployments.
3. Click Save Changes.

About Whitelisting

The file whitelist service is a Blue Coat-hosted database of SHA1 file hashes. The hash comprises file names and the URLs on which they are found. When a user requests a file from a Web site, the ProxySG appliance sends it to the CAS via ICAP for scanning. Before the CAS scans the file for viruses, the file's name, URL and other information are evaluated as a hash, and that hash is compared against the whitelist database. If the file is in the whitelist database, the service returns a trust score. If the trust score meets the threshold defined in the Trusted whitelisting score value option (Services > Whitelisting), the appliance does not scan the file; it sends an ICAP 200 OK response to the ProxySG appliance and the user is permitted to retrieve the file.

If a file does not match the whitelist, it is scanned by the active anti-virus engines. If the file does not match any virus signature but still appears to be suspicious (that is, the file is executable and from an untrusted source), it is sent to a sandboxing service. The sandboxing service executes the file in a protected virtual instance of Windows XP or Windows 7 to determine what threats it poses. The Blue Coat Malware Analysis Appliance (MAA) returns a threat level score, while the FireEye sandbox appliance simply returns a yes or no response. The MAA score is then reported to the file whitelist service on the appliance, which in turn updates the local database with the file hash and the score.

All known hashes have an indefinite lifecycle. All unknown hashes are continually sent to the service for checking.

Isolate and Analyze Suspicious Files

Sandbox configuration is available in Services > Sandboxing.

When the Content Analysis System appliance detects a suspicious file that is not on the whitelist and does not match any known virus signature, the appliance can forward the file to a sandbox appliance for analysis. The analysis uses one or more Windows 7 or Windows XP virtual systems to safely execute the suspicious file while the sandbox server monitors the resource changes it makes (such as to the Windows registry, configuration files and services) and the Internet resources it requests. Depending on the results, the file is either quarantined or released, and the appliance sends the system administrator a notification with the results of the test.

Before using sandboxing, you must first activate it in System > Licensing.

Supported Sandboxing Vendors

The CAS supports two sandboxing vendors: the Blue Coat Malware Analysis Appliance and FireEye. You must have already installed the sandboxing server before you can use the sandboxing feature on the CAS. Refer to the server's documentation for installation instructions.

These two sandboxing vendors use different methods to evaluate threats:

The Malware Analysis Appliance analyzes the file and returns a number that represents the level of threat. The higher the number, the greater the threat. After you assign a threat threshold in the sandboxing settings, the appliance sends an alert every time a file returns a number greater than or equal to the defined threshold.

The FireEye appliance does not use a threat threshold to determine whether a file is malware. Instead, it returns a Yes or No response ("Yes", this file is malware). The CAS sends an alert on each Yes response.

Configure Sandboxing

1. Select Services > Sandboxing.
2. In the Vendors section, select the Enabled check box next to one or both sandboxing vendors.
3. (Optional) To modify a setting (such as the threat threshold), select a vendor and click Edit. The Threat Threshold is only available for the Malware Analysis Appliance. The comparison is greater than or equal to: a file scoring exactly the threshold triggers an alert. The Malware Analysis Appliance returns numbers associated with the threat; the higher the number, the higher the likelihood that the file is malware. Anything above 6 is typically malware.
4. In the File Types section, select the types of files you want to send to the sandboxing server. The file types listed are the ones that most likely need to be sandboxed. Any executable file that does not match a known virus signature or whitelist hash is a candidate for sandboxing.
5. Under Reporting, in the Time Window tab, type the number of minutes before and after a sandboxing event that are to be captured in the report. An "event" occurs when the sandbox indicates that a file being sandboxed is likely malicious. This setting applies to both Security Analytics Platform (Solera) and Blue Coat Reporter reports.
6. To enable Blue Coat reporting, do the following. Blue Coat reporting, using Reporter, helps you begin research on items that are believed to be malicious. If an item is malicious, you are notified immediately.
   a. Select the Blue Coat Reporter tab.
   b. Select the Enabled check box to enable Blue Coat Reporting.
   c. Enter the following data to enable communication with your installation of Blue Coat Reporter: Server IP address, Username, Password, Database Name, User Role, and Label. The label appears on the Blue Coat reporting system and will be the name of the report when it is retrieved from the link.
7. If you have a Blue Coat Security Analytics Platform appliance and want to enable sandbox reporting, do the following. You must have the Security Analytics Platform installed and configured before you can integrate it with sandboxing. The alert mechanism you have chosen for sandboxing alerts will contain a link to the report. Because of the dynamic nature of this report and the time taken to collect data, you may need to visit the report several times to get the full report.
   a. Click the Security Analytics Platform Reporting tab.
   b. Select the Enable Report check box.
   c. Enter the following: Server (the IP address or hostname of the Blue Coat Security Analytics Platform device), Minutes Before Event, and Minutes After Event.
8. Under Settings, select Enable sending threat information to WebPulse for further analysis to send threat information to WebPulse, the collaborative defense that powers Blue Coat's Web Security portfolio. When you select this option, the threat information is sent to Blue Coat Threat Labs for further analysis.
9. Click Save Changes.
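The verdict order described in About Whitelisting and in this topic (whitelist, then anti-virus signatures, then sandbox), as an added example in Python rather than CAS code. It shows why the whitelist threshold is a minimum (a gray score of 3 still gets scanned), why a file's hash is tied to its name and URL (the same bytes from another site are not whitelisted), and how the two vendors' results are read (an MAA score compared with a greater-than-or-equal threshold, FireEye yes/no). The hash layout, the file contents, the signature and sandbox results, and the MAA threshold of 6 are constructed assumptions, not values from this guide.

```python
"""Models the CAS verdict order: whitelist lookup first, then anti-virus
signature match, then (executables only) the sandbox, whose result is read
according to the vendor: a Malware Analysis Appliance score compared with a
greater-than-or-equal threat threshold, or FireEye's yes/no.

Added example, not CAS code. The whitelist, signature set, sandbox results
and file contents are constructed; the trusted-score minimum of 7 is the
guide's default, the MAA threshold of 6 is assumed. A real whitelist hash
also includes the file name and URL, which this model folds into its key.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

TRUSTED_SCORE_MIN = 7       # Services > Whitelisting default (a minimum, so >=)
MAA_THREAT_THRESHOLD = 6    # Services > Sandboxing, MAA only (>= relationship); assumed
PE_MAGIC = b"MZ"            # Windows executables start with 'MZ'


def whitelist_key(name, url, data):
    """SHA1 over file name, URL and content (assumed layout of the real hash)."""
    digest = hashlib.sha1()
    for part in (name.encode(), url.encode(), data):
        digest.update(part)
        digest.update(b"\0")
    return digest.hexdigest()


def content_hash(data):
    return hashlib.sha1(data).hexdigest()


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    stage: str           # "whitelist", "antivirus", "sandbox" or "default"
    detail: str = ""


@dataclass
class Pipeline:
    whitelist: Dict[str, int] = field(default_factory=dict)          # whitelist_key -> trust score
    signatures: Dict[str, str] = field(default_factory=dict)         # content_hash -> detection name
    sandbox_results: Dict[str, object] = field(default_factory=dict) # content_hash -> score or bool
    sandbox_vendor: str = "maa"                                      # "maa" or "fireeye"
    sandbox_enabled: bool = True

    def set_sandbox_result(self, data, result):
        self.sandbox_results[content_hash(data)] = result

    def scan(self, name, url, data):
        # 1. Whitelist: only a score at or above the minimum skips scanning;
        #    a gray-file score (2-3) falls through to the scanners.
        score = self.whitelist.get(whitelist_key(name, url, data))
        if score is not None and score >= TRUSTED_SCORE_MIN:
            return Verdict("allow", "whitelist", f"trust score {score}")
        # 2. Anti-virus signature match
        digest = content_hash(data)
        if digest in self.signatures:
            return Verdict("block", "antivirus", self.signatures[digest])
        # 3. Sandbox, for executables the engines could not classify
        if self.sandbox_enabled and data.startswith(PE_MAGIC):
            sandbox = self._sandbox_verdict(digest)
            if sandbox is not None:
                return sandbox
        return Verdict("allow", "default", "no signature match")

    def _sandbox_verdict(self, digest) -> Optional[Verdict]:
        result = self.sandbox_results.get(digest)
        if result is None:
            return None                           # sandbox has nothing on this file
        if self.sandbox_vendor == "fireeye":      # plain yes/no
            return Verdict("block" if result else "allow", "sandbox",
                           "FireEye: " + ("yes" if result else "no"))
        malicious = result >= MAA_THREAT_THRESHOLD
        return Verdict("block" if malicious else "allow", "sandbox",
                       f"MAA threat score {result} (threshold {MAA_THREAT_THRESHOLD})")


def demo_pipeline():
    """Constructed sample files and a pipeline that knows about them."""
    files = {
        "clean": b"MZ\x90\x00 constructed vendor installer",
        "gray": b"MZ\x90\x00 constructed tool with a gray trust score",
        "bad": b"MZ\x90\x00 constructed signature-matched sample",
        "unknown": b"MZ\x90\x00 constructed unknown dropper",
        "doc": b"%PDF-1.4 constructed document",
    }
    pipeline = Pipeline(
        whitelist={
            whitelist_key("setup.exe", "https://vendor.example/setup.exe", files["clean"]): 9,
            whitelist_key("tool.exe", "https://tools.example/tool.exe", files["gray"]): 3,
        },
        signatures={content_hash(files["bad"]): "Constructed.Test.Signature"},
    )
    pipeline.set_sandbox_result(files["unknown"], 8)   # MAA score, assumed value
    return pipeline, files
```

The stage in each Verdict is what you would expect to see attributed in the CAS reports; note that a non-executable (the PDF) with no signature match is allowed without ever reaching the sandbox, which is why the File Types selection in step 4 matters.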

Drop Slow Download Connections

ICTM configuration is available in Settings > ICTM.

Intelligent Connection Traffic Monitoring (ICTM) monitors ICAP connections between your ProxySG appliance and the Content Analysis System. If connections take longer to complete than expected (as with infinite stream data, such as stock tickers or Internet radio), ICTM drops the connection to keep resources available for scanning other objects. A dropped connection surfaces on the ProxySG as a failed scan, so what the user sees is governed by the failure setting (deny the request, or continue without scanning) of your ICAP rule or Malware Scanning configuration; the longer-term fix is to exempt such URLs from scanning with policy rather than to rely on ICTM alone.

When ICTM is enabled, the CAS appliance checks for slow downloads and compares the number of concurrent slow ICAP connections to the warning and critical thresholds. If the warning threshold is reached, the appliance notifies the administrator of the URLs involved (through an email or SNMP trap, if the option is selected). The administrator can then create policy on the ProxySG appliance to exempt these URLs or URL categories from ICAP scanning in the future (see Configure ICAP Exception Policies). If the critical threshold is reached, the CAS appliance terminates the oldest, slowest connections so that the count stays below the threshold.

1. Select Enable Intelligent Connection Traffic Monitoring (ICTM).
2. Specify how many seconds a connection lasts before it is determined to be a slow download. The minimum is 30 seconds. Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted on suspected infinite-stream URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination before the download is complete.
3. Specify the warning threshold:
   a. Specify how many concurrent connections must exceed the duration specified in Step 2 before a warning message is sent. The allowed maximum is the maximum number of ICAP connections allowed by the CAS appliance; the value varies by hardware model. By default, an email warning is sent if this threshold is reached, to the recipients specified on the Alerts > Alert Settings page. If you disable this option, no warning is sent and nothing is logged in the CAS log file.
   b. Specify the time interval, in minutes, at which the CAS appliance repeats the warning message while the appliance remains in a warning state.
4. Specify the critical threshold. If the number of concurrent slow connections reaches this threshold, the CAS appliance drops enough of these connections, beginning with the oldest, to bring the count back below the critical threshold.
5. Click Save Changes.

Default Threshold Values

Warning threshold: 70% of the recommended maximum ICAP connections
Critical threshold: 90% of the recommended maximum ICAP connections
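ICTM's threshold logic as an added example in Python (not CAS code): connections older than the slow-download threshold are counted, a warning is raised at the warning threshold and repeated on an interval while the condition persists, and at the critical threshold the oldest slow connections are dropped until the count is back below it. The thresholds follow the guide's defaults (60 seconds, 70% and 90% of the connection limit); the connection limit of 10, the five-minute repeat interval and the sample streams are constructed.

```python
"""Simulates Intelligent Connection Traffic Monitoring (ICTM): count ICAP
connections open longer than the slow-download threshold, warn when their
number reaches the warning threshold (repeating at a set interval while the
condition persists), and at the critical threshold drop the oldest slow
connections until the count is back below it.

Added example, not CAS code. Thresholds follow the guide's defaults (60 s,
70 % and 90 % of the connection limit); the limit of 10 connections, the
5-minute repeat interval and the sample connections are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Connection:
    conn_id: int
    url: str
    started: float  # seconds


@dataclass
class ICTM:
    max_connections: int             # hardware-model ICAP connection limit
    slow_after: int = 60             # seconds before a download counts as slow (min 30)
    warn_fraction: float = 0.70
    critical_fraction: float = 0.90
    repeat_interval: float = 300.0   # seconds between repeated warnings (assumed)
    connections: Dict[int, Connection] = field(default_factory=dict)
    alerts: List[Tuple[str, float, List[str]]] = field(default_factory=list)
    last_warning: Optional[float] = None

    def __post_init__(self):
        if self.slow_after < 30:
            raise ValueError("slow download threshold must be at least 30 seconds")
        self.warn_threshold = int(self.max_connections * self.warn_fraction)
        self.critical_threshold = int(self.max_connections * self.critical_fraction)

    def open(self, conn_id, url, now):
        self.connections[conn_id] = Connection(conn_id, url, now)

    def close(self, conn_id):
        self.connections.pop(conn_id, None)

    def slow_connections(self, now):
        """Slow connections, oldest first (the order they are dropped in)."""
        slow = [c for c in self.connections.values() if now - c.started >= self.slow_after]
        return sorted(slow, key=lambda c: c.started)

    def check(self, now):
        """One monitoring pass. Returns the connections dropped this pass."""
        slow = self.slow_connections(now)
        dropped = []
        # Critical: shed the oldest slow connections until below the threshold
        while len(slow) >= self.critical_threshold:
            victim = slow.pop(0)
            self.close(victim.conn_id)
            dropped.append(victim)
        if dropped:
            self.alerts.append(("critical", now, [c.url for c in dropped]))
        # Warning: report the slow URLs so policy can exempt them; repeat on an interval
        if len(slow) + len(dropped) >= self.warn_threshold:
            if self.last_warning is None or now - self.last_warning >= self.repeat_interval:
                self.alerts.append(("warning", now, [c.url for c in slow + dropped]))
                self.last_warning = now
        else:
            self.last_warning = None   # left the warning state
        return dropped


def demo():
    """Constructed scenario: ten streams opened one second apart, checked
    after the slow threshold has elapsed for all of them."""
    ictm = ICTM(max_connections=10)            # warn at 7, critical at 9
    for i in range(10):
        ictm.open(i, f"http://stream{i}.example/live", now=float(i))
    dropped = ictm.check(now=70.0)              # all ten are >= 60 s old
    return ictm, dropped
```

The URLs in the warning alert are the input for the category or domain exemption described in Configure ICAP Exception Policies; the alert list is what an email or SNMP trap would carry.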

Establish ICAP Connections Between the ProxySG and the CAS

The introduction to this topic appears earlier in this guide. The procedures that follow are:

Manually Configure an ICAP Service on the ProxySG
Automatically Configure an ICAP Service on the ProxySG
Configure ICAP Policy

For exemptions from scanning, see the earlier topic Configure ICAP Exception Policies.

Manually Configure an ICAP Service on the ProxySG

The ProxySG appliance requires an ICAP service object to communicate with the Content Analysis System appliance. If you are enabling Secure ICAP between the CAS appliance and the ProxySG appliance, this topic assumes that you have completed the steps in "Enable Secure ICAP Connections".

1. Log in to the ProxySG appliance Management Console.
2. Add a new ICAP service.
   a. Select Configuration > External Services > ICAP.
   b. Click Add. The Management Console displays the Add List Item dialog.
   c.  Enter a name for the CAS appliance and click OK.
   d. Click Apply.
3. Select the new entry in the list and click Edit. The Management Console displays the Edit ICAP Service dialog.
   a. Enter the Service URL, which is the CAS appliance ICAP address. The format is icap://IP_address/avscan, where IP_address is the CAS IP address or hostname. When secure ICAP is in use, this must be the hostname or address that the CAS certificate was issued for.
   b. Select the ICAP Service Ports per your deployment. The default is a Plain ICAP connection. If you enabled (or plan to enable) a Secure ICAP connection between the ProxySG appliance and the CAS appliance, select that option and, from the SSL Device Profile drop-down list, select the profile (AV_SSL in the Enable Secure ICAP Connections topic) that trusts the CAS certificate you created.
   If you enable secure connections, you can select both options so that in the event of a certificate mismatch or another error, the AV scan occurs over the plain connection. If you select only the Secure option, the ProxySG appliance does not forward the scan request in the event of a secure connection error. Selecting both trades the confidentiality that secure ICAP provides for availability: a certificate error silently downgrades scanning to cleartext.
   c. Select the Send options Client Address, Server Address, Authenticated User and Authenticated Groups to forward this information with each file sent to the CAS appliance. This ensures that all threat reporting generated by the CAS appliance bears the appropriate information.
   d. Click Sense Settings to prompt the ProxySG appliance to query the CAS appliance for the optimal ICAP settings.
   e. Click OK to close the dialog.
4. Click Apply.
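The ICAP exchange that the service object above sets up, as an added example in Python (not ProxySG or CAS code): it builds the OPTIONS probe that a Sense Settings query relies on and a RESPMOD request carrying the client address, server address and authenticated user as ICAP extension headers, then parses the scanner's reply. The hostname cas.example.com, the X-Client-IP, X-Server-IP, X-Authenticated-User, X-Authenticated-Groups and X-Virus-ID header names, and the sample responses are assumptions made for this example, not values taken from this guide.

```python
"""Minimal ICAP 1.0 (RFC 3507) client helpers aimed at a CAS scanning service
such as icap://cas.example.com:1344/avscan.

Added example, not CAS or ProxySG code. Assumed, not from the guide: the
hostname cas.example.com; the X-Client-IP / X-Server-IP /
X-Authenticated-User / X-Authenticated-Groups header names used here to
carry the "Send options" data; the X-Virus-ID response header; and the
sample responses at the bottom, which are constructed for this example.
"""
import socket
import ssl

CRLF = b"\r\n"


def _request_lines(method, host, port, service, extra_headers):
    """Request line plus Host and any extension headers whose value is set."""
    lines = [f"{method} icap://{host}:{port}/{service} ICAP/1.0", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in extra_headers if value is not None]
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF + CRLF


def build_options_request(host, port=1344, service="avscan"):
    """OPTIONS asks the service what it supports (methods, limits, preview)."""
    return _request_lines("OPTIONS", host, port, service, [("Encapsulated", "null-body=0")])


def build_respmod_request(host, http_req_head, http_res_head, body, port=1344,
                          service="avscan", client_ip=None, server_ip=None,
                          user=None, groups=None):
    """RESPMOD hands the origin server's response (headers + body) to the
    scanner. Encapsulated lists the byte offset of each part within the
    payload; the body travels HTTP/1.1-chunked."""
    req_hdr = http_req_head.rstrip(CRLF) + CRLF + CRLF
    res_hdr = http_res_head.rstrip(CRLF) + CRLF + CRLF
    chunked = (f"{len(body):x}".encode() + CRLF + body + CRLF if body else b"") + b"0" + CRLF + CRLF
    encapsulated = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    head = _request_lines("RESPMOD", host, port, service, [
        ("X-Client-IP", client_ip), ("X-Server-IP", server_ip),
        ("X-Authenticated-User", user), ("X-Authenticated-Groups", groups),
        ("Allow", "204"),             # let the server answer "unchanged" cheaply
        ("Encapsulated", encapsulated)])
    return head + req_hdr + res_hdr + chunked


def parse_icap_response(raw):
    """Split an ICAP response into (status code, reason, headers, remainder)."""
    head, _, remainder = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), headers, remainder


def sense_settings(options_response):
    """What a Sense Settings style probe learns from the OPTIONS reply."""
    code, reason, h, _ = parse_icap_response(options_response)
    if code != 200:
        raise RuntimeError(f"OPTIONS failed: {code} {reason}")

    def as_int(key):
        return int(h[key]) if key in h else None

    return {
        "methods": [m.strip() for m in h.get("methods", "").split(",") if m.strip()],
        "max_connections": as_int("max-connections"),
        "options_ttl": as_int("options-ttl"),
        "preview": as_int("preview"),
        "allow_204": "204" in h.get("allow", ""),
    }


def scan_verdict(respmod_response):
    """204 = content unchanged (clean); 200 = replacement content returned,
    which for a scanner normally means a block page, with the detection named
    in X-Virus-ID (assumed header); anything else is an ICAP-level error."""
    code, reason, h, _ = parse_icap_response(respmod_response)
    if code == 204:
        return "clean"
    if code == 200:
        return ("infected:" + h["x-virus-id"]) if "x-virus-id" in h else "modified"
    return f"error:{code} {reason}"


def send_icap(host, port, payload, secure=False, cafile=None, timeout=10):
    """Send one request over plain ICAP, or over TLS for the secure ICAP port
    (chain and hostname verification on). Reads until the server closes the
    connection; this function is not exercised offline."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if secure:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(payload)
        chunks = []
        while (data := sock.recv(65536)):
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample replies (not captured from a real CAS)
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\nISTag: \"sample-1\"\r\n"
    b"Max-Connections: 200\r\nOptions-TTL: 3600\r\nAllow: 204\r\nPreview: 1024\r\n"
    b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_CLEAN_RESPONSE = b"ICAP/1.0 204 No Content\r\nISTag: \"sample-1\"\r\n\r\n"
SAMPLE_INFECTED_RESPONSE = (
    b"ICAP/1.0 200 OK\r\nISTag: \"sample-1\"\r\nX-Virus-ID: Constructed.Test.Sig\r\n"
    b"Encapsulated: res-hdr=0, res-body=71\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: 7\r\n\r\n"
    b"7\r\nblocked\r\n0\r\n\r\n")
SAMPLE_ERROR_RESPONSE = b"ICAP/1.0 500 Server Error\r\n\r\n"
```

sense_settings() is the offline counterpart of clicking Sense Settings; in a live run, feed it the bytes returned by send_icap(host, 1344, build_options_request(host)), or use secure=True with the secure port and the downloaded CAS certificate as cafile. The status code is the first thing to branch on: 204 means the object is unchanged, 200 means the scanner substituted content, and a 4xx or 5xx maps to one of the conditions in the Troubleshoot ICAP Errors table.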

Automatically Configure an ICAP Service on the ProxySG

Malware Scanning uses a set of predefined ICAP scanning policies to protect your network and users from malicious content. Once Malware Scanning is enabled, the ProxySG appliance sends traffic to your ICAP device (either a ProxyAV or a Content Analysis System) to be scanned for viruses and threats.

Configure Malware Scanning

1. Log in to the ProxySG appliance Management Console.
2. Select Configuration > Threat Protection > Malware Scanning.
3. Add the CAS appliance.
   a. Click New. The Management Console displays the Add ProxyAV ICAP Server dialog.
   b. Enter the IP address or hostname for the CAS appliance.
   c. Select the ProxyAV Ports per your deployment (this setting applies to CAS appliances too). The default is Plain ICAP connections. If you enabled (or plan to enable) Secure ICAP connections between the ProxySG appliance and the CAS appliance, select that option. If you enable secure connections, you can select both options so that in the event of a certificate mismatch or another error, the AV scan occurs over the plain connection. If you select only Secure, the ProxySG appliance does not forward the scan request in the event of a secure connection error.
   d. Click OK.
4. The Malware options at the bottom of the page are now selectable.
   a. (Optional) Change the protection level from the default of High Performance to Maximum Protection to scan all files rather than only those that are typically vectors for viral attacks. This can cause the CAS appliance to use more resources than necessary, because it has to scan all data users request from the Internet. If your organization does not have a policy that requires all data to be scanned, use the High Performance protection level.
   b. The Connection Security options apply if you have enabled secure ICAP. You can instruct the ProxySG appliance when to use secure connections and when not to.
   c. For the best security, Blue Coat recommends leaving the default Actions on Unsuccessful Scan option set to Deny the client request. The alternative lets a download through unscanned whenever the CAS is unreachable, overloaded, or unable to scan the object.
5. Select the Enable Malware Scanning box and click Apply.

Optimize the ICAP Configuration

With Malware Scanning enabled, the next step is to optimize the ICAP service object.

1. In the ProxySG Management Console, browse to Configuration > External Services > ICAP.
2. Notice that there is a service called proxyav1. This object was created when you created the Malware Scanning object. Select proxyav1 and click Edit. The Edit ICAP Service proxyav1 dialog displays.
3. Click Sense Settings. A confirmation dialog appears; click OK. The ProxySG appliance queries the CAS appliance to determine the optimal settings for ICAP connections and timeout values and sets them in the ICAP service object.
4. Click OK and Apply to save the optimized ICAP service settings.

Configure ICAP Policy

Once you have defined an ICAP service object, you can use policy on the ProxySG appliance to send traffic to the CAS appliance.

Create a default rule to send traffic to the CAS appliance with ICAP

This step is only required for manual ICAP configurations. If you use the automatic configuration with Malware Scanning, skip this step and proceed to the other policy examples.

1. Log in to the ProxySG appliance Management Console.
2. Launch the Visual Policy Manager from Configuration > Policy > Visual Policy Manager.
3. Click Policy > Add Web Content Layer.
4. Name the new layer ICAP Scan.
5. Right-click the Action field in the rule. Click New > Set ICAP Response Service.
6. Select the ICAP service you created in the Management Console and click Add to move it to the box on the right.
7. Choose a failure method: either Deny the client request (fail closed) or Continue without further ICAP processing (fail open). Fail closed is the safer choice and matches what Blue Coat recommends for the Malware Scanning equivalent (Actions on Unsuccessful Scan): with fail open, an outage of the CAS or an expired anti-virus license means every download reaches users unscanned. Choose fail open only if you also add policy that reacts to ICAP error codes (see Configure ICAP Exception Policies).
8. Click OK, OK and Install Policy to commit this change to the appliance.


Monitoring and Alerts

As the CAS appliance scans data, statistics for virtually every activity are tracked and either graphed or added to a report. Using the various statistical reports, you can plan policy changes or determine the effectiveness of features such as cached responses and sandboxing.

View the CPU Usage Report 56
View the Memory Usage Report 57
View ICAP Connections Data 58
View Ethernet Adapter Statistics 59
View Historical Connection Data 60
Scan Results 61
Cache Hits 63
View the Sandboxing Objects Report 64
View the ICAP Bytes Report 65
View ICAP Object Scan History 66
View Current Connections 67
Manage the CAS System Logs 68
Set Up Alert Delivery Methods 71


View the CPU Usage Report

CPU historical statistics are available in Statistics > CPU Usage.

The CPU Usage report shows CPU utilization, represented as a percentage of available cycles at a given point in time, for your CAS appliance. The CAS appliance displays information for the past hour, the past day, and the past month. If you find that the CPU consistently uses over 90% of the available cycles, you can reduce load on the appliance by applying policy on the associated ProxySG appliances to restrict the types of files sent to the CAS. If this behavior persists, your CAS appliance may be undersized for the amount of traffic your users generate.

View the Memory Usage Report

Memory usage statistics are available in Statistics > Memory Usage. The CAS appliance displays memory usage information for the past hour, day, and month. It is normal to see occasional spikes in memory usage during periods of high load, but if your appliance sustains memory utilization above 90% for more than a day, consult technical support for assistance.

View ICAP Connections Data

ICAP connection historical statistics are available in Statistics > Connections. This report tracks the number of connections on the CAS appliance over the past hour, day, or month.

View Ethernet Adapter Statistics

Ethernet adapter statistics are available in Statistics > Ethernet. The Ethernet report lists the statistics for each network interface on the appliance.

Ethernet Adapter Media Type

Auto-neg: Displays the result of link auto-negotiation (true or false).
Current Duplex: Displays the duplex value of the established connection (FULL, HALF, DISCONNECTED, or UNAVAILABLE).
Current Speed: Displays the current adapter speed in megabits per second (10, 100, or 1000).

The Received table displays the following information for each network interface:

packets: The number of data packets that were received on the interface.
error: The number of Ethernet errors detected on the interface.
dropped: The number of packets dropped at the interface based on ICTM monitoring.
fifo: First in, first out errors detected on the interface when packets are received in incorrect order.
frame: Frame errors detected.
compressed: The number of compressed packets received by the interface.
multicast: The number of multicast packets received by the interface.

The Transmitted table displays the following information for each network interface:

packets: The number of data packets that were sent on the interface.
error: The number of Ethernet errors detected on the interface.
dropped: The number of packets dropped at the interface based on ICTM monitoring.
fifo: First in, first out errors detected on the interface when packets are sent in incorrect order.
collision: The number of Ethernet collision errors detected.
carrier: Displays the International Carrier Code, if applicable.
compressed: The number of compressed packets transmitted by the interface.

View Historical Connection Data

Connection data historical statistics are available in Statistics > Historical Connections. Here you can track ICAP scan history details such as the filename, the URL on which it was found, and the client IP address.

To view request history:

1. Set the number of requests to display by entering the number in the Collect last requests field and click Save Changes.
2. Click Refresh to display the request history list.

This report contains the following columns:

Date: The date the ICAP scan finished.
URL: The URL from which the file was retrieved.
Client IP: The IP address of the client requesting the file. Note: To display IP addresses, the ProxySG appliance that sends traffic to this CAS appliance must have Send Client Address enabled in the ICAP service object.
Size: The size of the file that was scanned.
Result: The result of the scan. See Scan Results for more information.
Time take, ms: The amount of time taken to scan the file, measured in milliseconds.
Mode: Whether the file was sent to the CAS through the Secure or the Plain ICAP service.

Scan Results

Refer to the following table to understand the results of past ICAP scans listed in Historical Connections.

Clean: The file contained no threats.
Parameter Error: Incorrect scan parameter defined.
Password Protected: The file could not be scanned because it is protected by a password.
Unsupported Compression: The file uses an unsupported compression method.
Corrupt Archive: The archive file (zip, rar, gz) could not be opened because it is corrupted.
Too Many Layers: The archive file exceeds the maximum number of archive layers supported.
Unsupported: The file is not a supported type for analysis.
Too Large: The file exceeds the maximum file size limitation.
Uncompressed Size Too Large: The archive file exceeds the maximum file size limitation.
Too Many Files in Archive: The archive file (zip, rar, gz) exceeds the limit on the number of files in an archive.
Blocked Extension: The file was blocked based on the AV File Type configuration.
Ignored Extension: The file was not scanned, based on the AV File Type configuration.
Ignored Type: The file was not scanned, based on the apparent data type of the file.
Timeout: The scan process failed while waiting for the end of the file. Enable ICTM in Settings > ICTM if this message appears frequently.
No Patterns: The anti-virus pattern was not available for the active anti-virus vendor.
Update Error: An error occurred during the anti-virus pattern update. The file was not scanned.
Invalid Option: A required scan option is not defined. The file was not scanned.
License Expired: The license for the component required for scanning has expired. The file was not scanned.
Internal Error: An internal error occurred. The file was not scanned.
Unknown Error: The file was not scanned due to an unexpected error.
Exception:
Virus: A virus was found during the scan.
Blocked Type: The file was blocked based on the apparent data type of the file.
Insufficient Resources (Kaspersky or Sophos only): The appliance has exceeded the available resources (CPU, disk, memory). The file was not scanned. To determine the cause of resource issues, review the appliance statistics pages.
Internal AV Error: The anti-virus engine experienced an issue while scanning the file.
AV Load Error: The anti-virus engine failed to load.
Out of Memory: The appliance ran out of available memory while the file was being scanned.
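An added Python example, not from the guide, that turns the Scan Results table above into a triage of Historical Connections rows (constructed, tab-separated sample data in the column order the report uses): it separates threats, policy blocks and files that passed unscanned, and flags the Timeout and resource results that the table says should prompt enabling ICTM or reviewing the statistics pages.

```python
"""Triage rows from the CAS Historical Connections report using the Scan Results table.
Constructed sample data; columns are tab-separated in the order the report lists them."""
from collections import Counter

# Result strings grouped by what the Scan Results table says happened to the file.
THREAT = {"Virus"}
BLOCKED_BY_POLICY = {"Blocked Extension", "Blocked Type"}
NOT_SCANNED = {
    "Parameter Error", "Password Protected", "Unsupported Compression", "Corrupt Archive",
    "Too Many Layers", "Unsupported", "Too Large", "Uncompressed Size Too Large",
    "Too Many Files in Archive", "Ignored Extension", "Ignored Type", "Timeout", "No Patterns",
    "Update Error", "Invalid Option", "License Expired", "Internal Error", "Unknown Error",
    "Exception", "Insufficient Resources", "Internal AV Error", "AV Load Error", "Out of Memory",
}
# Results the guide ties to appliance load (Timeout -> enable ICTM; resources -> check statistics).
RESOURCE_PRESSURE = {"Timeout", "Insufficient Resources", "Out of Memory"}
# Results that mean the AV engine itself is unhealthy rather than the file being unusual.
ENGINE_HEALTH = {"No Patterns", "Update Error", "License Expired", "AV Load Error", "Internal AV Error"}

COLUMNS = ["date", "url", "client_ip", "size", "result", "time_ms", "mode"]

# Constructed sample rows (Date, URL, Client IP, Size, Result, Time take ms, Mode).
SAMPLE_REPORT = """\
2014-06-02 09:14:05\thttp://files.example.test/q2-report.pdf\t10.20.1.15\t204800\tClean\t12\tPlain
2014-06-02 09:14:09\thttp://dl.example.test/setup.exe\t10.20.1.15\t1048576\tVirus\t340\tSecure
2014-06-02 09:15:31\thttp://share.example.test/archive.zip\t10.20.2.7\t52428800\tPassword Protected\t3\tPlain
2014-06-02 09:16:02\thttp://cdn.example.test/big.iso\t10.20.2.7\t734003200\tTimeout\t60000\tPlain
2014-06-02 09:16:40\thttp://cdn.example.test/big2.iso\t10.20.3.9\t734003200\tTimeout\t60000\tPlain
2014-06-02 09:17:12\thttp://dl.example.test/tool.scr\t10.20.3.9\t65536\tBlocked Type\t5\tSecure
2014-06-02 09:18:55\thttp://share.example.test/huge.tar\t10.20.4.2\t2147483648\tOut of Memory\t2100\tPlain
2014-06-02 09:19:30\thttp://files.example.test/memo.docx\t10.20.4.2\t30720\tLicense Expired\t1\tPlain
2014-06-02 09:20:01\thttp://files.example.test/notes.txt\t\t1024\tClean\t1\tPlain
"""


def parse_report(text: str) -> list:
    """Parse tab-separated report rows into dicts; malformed rows are skipped, not guessed."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, fields))
        row["size"] = int(row["size"])
        row["time_ms"] = int(row["time_ms"])
        rows.append(row)
    return rows


def classify(result: str) -> str:
    """Map a Result string to an outcome class derived from the Scan Results table."""
    if result == "Clean":
        return "clean"
    if result in THREAT:
        return "threat"
    if result in BLOCKED_BY_POLICY:
        return "blocked_by_policy"
    if result in NOT_SCANNED:
        return "not_scanned"
    return "unknown_result"  # a result string the table does not list


def triage(rows: list, resource_threshold: int = 2) -> dict:
    """Summarise the rows into the items an operator should act on."""
    counts = Counter(classify(r["result"]) for r in rows)
    resource_hits = [r for r in rows if r["result"] in RESOURCE_PRESSURE]
    engine_hits = [r for r in rows if r["result"] in ENGINE_HEALTH]
    return {
        "counts": dict(counts),
        "threat_urls": [r["url"] for r in rows if classify(r["result"]) == "threat"],
        "unscanned_urls": [r["url"] for r in rows if classify(r["result"]) == "not_scanned"],
        # Guide: enable ICTM / review the statistics pages when these appear frequently.
        "resource_pressure": len(resource_hits),
        "suggest_ictm_review": len(resource_hits) >= resource_threshold,
        "engine_health_issues": sorted({r["result"] for r in engine_hits}),
        # A blank Client IP means the ProxySG ICAP service lacks Send Client Address.
        "rows_without_client_ip": sum(1 for r in rows if not r["client_ip"]),
    }
```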

Cache Hits

Cache hit historical statistics are available in Statistics > Cache Hits. The Cache Hits report shows how many files have been served to users without scanning because they matched the hash of an earlier successful scan. Information is shown for the past hour in the minutes graph, the past day in the hours graph, and the past month in the days graph. See "Set AV Scanning Options" on page 27 to enable Cached Responses.

View the Sandboxing Objects Report

Sandboxing statistics are available in Statistics > Sandboxing Objects. The Sandboxing Objects report shows the number of files sent to the external sandboxing server over the last 60 minutes, 24 hours, or 30 days.

View the ICAP Bytes Report

ICAP traffic byte statistics are available in Statistics > ICAP Bytes. The ICAP Bytes report allows you to monitor how much ICAP traffic, in bytes, the Content Analysis System has processed in the past hour, day, or month.

View ICAP Object Scan History

ICAP object statistics are available in Statistics > ICAP Objects. The ICAP Objects report shows how many objects (files) the Content Analysis System has scanned in the past hour, day, or month.

View Current Connections

Current connection statistics are available in Statistics > Current Connections. Here you can review all connections established by the CAS appliance in real time. This report has the following columns:

Date: The date the ICAP scan was started.
URL: The URL from which the file was retrieved.
Client IP: The IP address of the client requesting the file.
Size: The size of the file being scanned.
State: The state of the scanning process. Available states are Reading, Queued, and Scanning.
Time take, ms: The amount of time taken to scan the file, measured in milliseconds.
Mode: The service module currently being used to scan the file (AV, caching, whitelisting, or sandboxing).

Click the Refresh button to update the statistics in this report. For the Client IP column to display IP addresses, the ProxySG appliance that sends traffic to this CAS appliance must have Send Client Address enabled in the ICAP service object.

Manage the CAS System Logs

Every action performed by the Content Analysis System appliance is logged to either a file or a remote server (such as an SNMP or syslog server). Follow the steps in this section to configure CAS appliance reporting for your environment.

Configure SNMP

SNMP configuration is available in Settings > SNMP. To integrate with network management tools, you can specify the SNMP password (community string) and download Management Information Base (MIB) files. The Content Analysis System supports SNMPv2 and SNMPv3.

1. Type a password in Read Community.
2. Retype the password in Verify Read Community.
3. Click Save Changes.

Download MIBs

A MIB is a document (written in the ASN.1 data description language) that contains descriptions of managed objects. SNMP uses a specified set of commands and queries, and the MIBs contain information on these commands and the target objects. MIBs are typically read using MIB browsers.

1. Click Download MIBs on the SNMP settings page.
2. Save the downloaded mib.zip file to your local workstation.
3. Install the MIB file into your preferred SNMP analysis tool and follow the directions supplied by the tool's vendor to connect to the CAS appliance.

If your CAS replaces a ProxyAV appliance, note that the iso.org.dod.internet.mgmt.mib-2 Object IDs are not supported on the CAS.

Set Log Parameters

Log parameter configuration is available in Settings > Logging. Use these settings to set logging options for the various modules. Each module is a section of code that serves a certain purpose (such as Audit, ICAP, INTERNAL, and SNMP). Logging by module allows a more fine-grained understanding of what is occurring in the product. Use the File column to define how much detail is included in the log file that is saved on the appliance, and the Syslog column to specify the detail level of events sent to your syslog server.

1. In the File and Syslog columns, click the row corresponding to the module you want to edit. The interface displays a drop-down list, as shown below.

2. Do one of the following:
   a. In the drop-down list, select a severity level for the module: None, Critical, Error, Warning, Info, or Debugging. The severity setting controls how verbose the log is, from most verbose (DEBUGGING) to least verbose (CRITICAL). Select NONE to disable log reporting for that output option. The previous setting remains highlighted for reference.
   b. Enter your own descriptive severity level text:
      i. Note the flashing cursor.
      ii. Backspace to delete the message text.
      iii. Enter new text, as shown in the example below. In this case, we entered "Network."
3. Click Save Changes.

Review System Activities

The CAS system logs can be viewed in Utilities > System Logs. Use this page to review the CAS subsystem activity logs. The appliance logs the actions of all of the functions performed by the Content Analysis System appliance (CAS). Typically, this information is only useful when troubleshooting an issue with the assistance of a Blue Coat technical support engineer or support partner. The logs in this list, along with web logs and the system configuration, can be sent to Blue Coat support via the Troubleshooting utility page.

Available System Logs

boot.log: The log created as the appliance boots.
cas: The internal ICAP service logs.
cas-audit: Administrative actions performed on the web interface.
cas-connection: ICAP connection logs.
clp_alerts.log: Captures everything system wide that has been flagged as an alert.
clp_services.log: Internal appliance log for system services.
cron: Scheduled jobs log.
dmesg: Internal service log, for Blue Coat engineering use.
dmesg.old: Internal service log, for Blue Coat engineering use.
dracut.log: Internal service log, for Blue Coat engineering use.
lastlog: Internal service log, for Blue Coat engineering use.
tomcat6-initd.log: Internal service log, for Blue Coat engineering use.
wtmp: Internal service log, for Blue Coat engineering use.

Click the view button to view the selected log file, or the download button to download it. The delete button deletes all data in the specified log.

Set Up Alert Delivery Methods

Alert delivery configuration is available in Settings > Alert Locations. When significant events occur (such as the CAS finding a virus or blocking a file), you can have the Content Analysis System appliance notify you by sending an email, an alert log entry, a syslog entry, or an SNMP trap. For each type of event that you want to be notified about, select the desired alert delivery method.

Alert Delivery Methods

For each event, choose one or more of the following alert delivery methods:

Email: Sends an email to the administrator. To configure email alerts, see "Configure Email Alerts" on page 72.
Logging: Creates an entry in the CAS system log. See Review System Activities.
Syslog: Creates an entry on the syslog server. See "Configure Syslog" on page 73.
SNMP Trap: Sends a trap to the SNMP manager. See "Configure SNMP" on page 73.

Event Types

You can send alerts for the following types of events:

Virus is found: A virus was found in an ICAP session. If you have configured email alerts, the URL of the web page where the virus was found is included in the email. So that you do not accidentally launch the page, the URL is reformatted to make it unclickable. For example, http://virus.com is rewritten as hxxp://virus.com.
File was passed through without being scanned: Several settings on the Anti-virus page enable the administrator to allow files to pass through the Content Analysis System appliance unscanned. For example, there is an anti-virus file scanning timeout.
File was blocked (excluding the virus case): A file is blocked for any reason other than a virus infection. For example, the administrator decides to block password-protected compressed files.
Anti-virus update failed: The anti-virus update failed due to an error in retrieving or installing the latest image.
Anti-virus update succeeded: A new version of the Content Analysis System anti-virus pattern file has been installed.
Intelligent Connection Traffic Monitoring (ICTM): If the specified maximum concurrent slow connection warning or critical thresholds are reached, an alert is sent.
Reboot: A reboot has occurred.
Sandboxing Threat: A sandboxing threat has been identified.

Test Alerts

Click one of the buttons to send a test alert via each of the available methods.

Configure Email Alerts

Email alert configuration is available in Settings > Alerts > Email. When you enable email alerts in "Set Up Alert Delivery Methods" on page 71, you must define an SMTP (Simple Mail Transfer Protocol) server and specify the email addresses to which notifications will be sent.

Email settings

Sender address: The sender's name will appear in the From line of any message that the Content Analysis System sends out. For example:
Recipient address: The email addresses to which alerts will be sent when alerts occur. Use a comma to separate addresses, for example: user1@company.com,user2@company.com. At least one recipient address is required. If you don't set a recipient address, the appliance will not attempt to send alert emails.

Server settings

Server address: Your SMTP server hostname or IP address. This is the server that will send alert email to your administrators.
Server port: The port used by your SMTP server. Typically, the port used for SMTP is 25.

SMTP authentication settings

If your SMTP server requires users to authenticate before sending mail, define your SMTP username and password. When you're done entering your SMTP server settings, click Save Changes.

Configure SNMP

SNMP trap configuration is available in Settings > Alerts > SNMP Trap. The Simple Network Management Protocol (SNMP) is a widely used method of monitoring computer networks. You can configure the Content Analysis System to automatically send event notifications to any SNMP server, called a trap listener.

To configure the CAS for SNMP support, specify one or more trap destinations, that is, the server(s) to which SNMP trap alerts will be sent:

Server(s): The IP address or hostname of the SNMP monitoring server. Separate each address with a comma.
Security Name: Your SNMP server's community string.

When you're done entering your SNMP server settings, click Save Changes.

Configure Syslog

Syslog server configuration is available in Settings > Alerts > Syslog. The system logging (syslog) feature gives administrators a way to centrally log and analyze events. If you "Set Up Alert Delivery Methods" on page 71 to use syslog for any events, you must also define the syslog server settings.

Server: The IP address or hostname of your syslog server.
Port: The port used by your syslog server to listen for incoming data.
Protocol: The transport protocol used by your syslog server. Available options are UDP, TCP, and TLS.

Click Save Changes.

Customize Alert Messages

Alert message configuration is available in Settings > Alerts > Messages. When significant events occur, the Content Analysis System sends alerts through the configured alert delivery methods (email, SNMP, local log, and/or syslog). These messages are in HTML, which can be customized with variable keywords to provide context for each alert event. By including variables in the message, you can see, for example, the URL from which an infected file was downloaded, who downloaded the file, and the name of the virus.

1. Select Settings > Alerts.
2. Click Messages.
3. Click one of the icons to modify the alert message: one displays the alert message text, including variable keywords; the other displays the HTML code for the alert message. The following keywords can be used:
   %CLIENT: The client IP address
   %ACTION: The action that was performed (file passed/dropped)
   %URL: The URL from which the file was downloaded
   %VIRUS: The virus or potentially unwanted software (PUS) name
   %REASON: Why the event occurred. For example, why was the file scanned?
   %MACHINENAME: The name of the Content Analysis System appliance
   %MACHINEIP: The Content Analysis System appliance IP address
   %HWSERIALNUMBER: The Content Analysis System appliance serial number
   %PROTOCOL: The scanned protocol
   %APPNAME: The application name (Content Analysis System)
   %APPWEB: The application vendor web address
   %APPVERSION: The application version
   %AVVENDOR: The AV vendor
   %AVENGINEVERS: The AV engine version
   %AVPATTERNVERS: The AV pattern version
   %AVPATTERNDATE: The AV pattern date
   %TIMESTAMP: The time the event occurred
   %ADMINMAIL: The administrator email address
   The % character always precedes the variable name. Capitalization is also important; do not use lowercase variable names.
4. Click Save Changes.
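An added Python example, not the appliance's own code, that renders an alert template using the %KEYWORD variables listed above: case-sensitive substitution that leaves lowercase or unknown names untouched, the http to hxxp rewrite described under Event Types, and HTML escaping of every substituted value (my addition, because the message body is HTML and the URL and virus name come from untrusted content). The template and event values are constructed.

```python
"""Render a CAS-style HTML alert message from %KEYWORD variables (constructed example)."""
import html
import re

# Keywords listed on the Customize Alert Messages page; matching is case-sensitive.
ALERT_KEYWORDS = {
    "CLIENT", "ACTION", "URL", "VIRUS", "REASON", "MACHINENAME", "MACHINEIP", "HWSERIALNUMBER",
    "PROTOCOL", "APPNAME", "APPWEB", "APPVERSION", "AVVENDOR", "AVENGINEVERS", "AVPATTERNVERS",
    "AVPATTERNDATE", "TIMESTAMP", "ADMINMAIL",
}
KEYWORD_RE = re.compile(r"%([A-Z]+)")  # lowercase names deliberately never match


def defang_url(url: str) -> str:
    """Rewrite the scheme so the link is not clickable, as the guide describes (http -> hxxp)."""
    lowered = url.lower()
    if lowered.startswith("http://"):
        return "hxxp://" + url[7:]
    if lowered.startswith("https://"):
        return "hxxps://" + url[8:]
    return url


def render_alert(template: str, event: dict) -> str:
    """Substitute known %KEYWORDS; values are HTML-escaped because the message body is HTML."""
    def substitute(match):
        name = match.group(1)
        if name not in ALERT_KEYWORDS:
            return match.group(0)  # unknown or misspelled keyword stays as literal text
        value = str(event.get(name, ""))
        if name == "URL":
            value = defang_url(value)
        return html.escape(value)
    return KEYWORD_RE.sub(substitute, template)


# Constructed event: the kind of values the appliance fills in for a "Virus is found" event.
SAMPLE_EVENT = {
    "CLIENT": "10.20.1.15",
    "ACTION": "dropped",
    "URL": "http://virus.com/setup.exe",
    "VIRUS": "EICAR-Test-File",
    "MACHINENAME": "cas-01",
    "TIMESTAMP": "2014-06-02 09:14:09",
}
# Constructed template; "%url" at the end shows that lowercase names are left alone.
SAMPLE_TEMPLATE = "<p>%TIMESTAMP %MACHINENAME: %VIRUS in %URL from %CLIENT was %ACTION (%url)</p>"
```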

Administrative Tasks

Control Access to the Management Console 76
Manage Administrator Access to the CAS 77
Define an Administrative Login Message 82
Manually Scan Files for Threats 83
Update Anti-Virus Pattern Files 84
Install a new CAS System Image 86
Set Log Parameters 87
Review System Activities 88
Archive or Restore the System Configuration 89
Perform Administrative Tasks from the Command Line Interface 90

Control Access to the Management Console

Management Console configuration is available in Settings > Web Management. By default, the CAS web-based management console is accessible via HTTPS on port . On this page, you can enable an HTTP management port (8081 by default), configure alternate ports, and set administrative session login timeouts.

1. Perform one of the following:
   a. Click Enable HTTP Administration to let the administrator access the Management Console without a secure connection. (Optional) Specify a different port number.
   b. Click Enable HTTPS Administration to encrypt the connection to the Management Console. (Optional) Specify a different port number. When HTTPS is enabled, you must enter the following URL format to access the Content Analysis System appliance Management Console: For example:
2. Enter a session timeout in minutes. When the specified number of minutes has passed without activity in the Management Console, the session terminates.
3. Click Save Changes.

To modify the certificate used for HTTPS administration, click Certificate Management. For details on Certificate Management, see Enable Secure ICAP Connections.

Manage Administrator Access to the CAS

In addition to the default local administrator account, you can configure other local accounts or leverage existing LDAP and RADIUS authentication services in your infrastructure to authorize administrative and read-only users.

Authenticate Administrators with Local Credentials

Local administrator configuration is available in Settings > Users > Local Users. The main Content Analysis System administrator can create user accounts for other users. A user account specifies the privileges that are granted to a user. With local CAS authentication, you can create two types of user accounts:

Administrator: An administrative account with rights to perform all functions on the appliance. In its default state, the CAS appliance is configured with a single administrator account. The username for this account is admin and the password is what you entered during the initial setup of the appliance. As a security best practice, change the default password.
Readonly: A read-only account that permits the user to log in to the appliance but not make any changes.

Create a Read-Only User Account

1. Select Users > Add User.
2. Define a new Username.
3. Assign the user a Password. The password can contain a maximum of sixteen characters.
4. From the Role drop-down list, select Readonly.
5. Select Enabled.
6. Click Add.

Create an Administrative User Account

1. Select Users > Add User.
2. Define a new Username.
3. Assign the user a Password. The password can contain a maximum of sixteen characters.
4. From the Role drop-down list, select Administrator.
5. Select Enabled.
6. Click Add.

Change a User's Password

1. Select Settings > Users.
2. Select the user account whose password you want to change and click Edit User.
3. Assign an updated Password. The password can contain a maximum of 16 characters.
4. Click Add.

Delete Administrator Accounts

1. Log in as an administrative user.
2. Click Settings > Users.
3. Select the Username.
4. Click Delete User. The user account is deleted and the user is no longer allowed to access the CAS appliance interface.

Authenticate Administrators with LDAP

LDAP administrator configuration is available in Settings > Users > LDAP Settings. You can configure the Content Analysis System to authenticate administrators based on their LDAP credentials. The appliance requires the following details to establish a connection with the LDAP server:

The IP address or hostname of the LDAP server.
User search criteria based on the Username attribute and the associated BaseDN.
Role search criteria based on the Username attribute, Base, and Result Role attribute.

You can add LDAP user or group to local role mappings.

1. Select Settings > Users > LDAP Settings.
2. (Optional) To populate all server fields on this page with the standard values for an Active Directory LDAP environment, click Insert Active Directory example. As appropriate, adjust the values to be specific to your LDAP configuration.
3. Enter the LDAP server URL.
4. (Optional) Manager's Credentials: If your LDAP server supports anonymous searching, do not complete this section. If anonymous search is not supported, enter the User Distinguished Name and Password.
5. User Search Criteria: Enter the User Attribute and Base to define from what level of the LDAP directory searches are performed.
6. Role Search Criteria: Enter the Username Attribute, Base, and Result Role Attribute to define the search details for role authorization.
7. Enter an LDAP user or group to local role mapping. Click Add User Mapping or Add Group Mapping. This is required, as it binds LDAP users and groups to permission roles on the CAS appliance. Enter a username or group name, select a role, and click Add.
8. Select Enabled.
9. Click Save Changes.

Authenticate Administrators with RADIUS

RADIUS administrator configuration is available in Settings > Users > Radius Settings. You can configure the Content Analysis System to be a RADIUS client that accesses the RADIUS server database to authenticate and authorize users. To set up communication between the CAS appliance and the RADIUS server, you must perform configuration on both servers. As a best practice measure, maintain a local administrator account so that administrators can always log in to the appliance, even when your RADIUS server is unavailable.

About RADIUS authentication on the CAS appliance

When a user attempts to access the CAS appliance, the appliance challenges the user for access credentials. It then forwards the credentials in an Access-Request message to the configured RADIUS server. The RADIUS server authenticates the user and sends an Access-Accept or Access-Reject response back, along with the value of the Blue-Coat-Authorization attribute defined for the user. The CAS appliance parses the response to check whether the user is authenticated and then uses the custom attribute to determine the user's access privileges; the user is then granted the appropriate level of access to the CAS appliance or denied access. If your CAS deployment does not already make use of a RADIUS server, you can use FreeRADIUS. For information on deploying FreeRADIUS, see "Example: FreeRADIUS Configuration Procedure" on page 80.

RADIUS prerequisites

If you are using FreeRADIUS, select the Download Blue Coat's dictionary file for FreeRADIUS Server here link to view the dictionary file for Blue Coat-specific RADIUS attributes. To configure the CAS appliance as a RADIUS client, provide the following details for your RADIUS server:

IP address and port number of the primary RADIUS server.
(Optional, but recommended) IP address and port number of the secondary RADIUS server.
Pre-shared key (or shared secret) that is configured on the RADIUS server. Because RADIUS uses a client-server architecture for managing user account information, before a device can become a RADIUS client it must be configured with the same pre-shared key that is configured on the RADIUS server. This allows it to pass user credentials on to the RADIUS server for verification.
The RADIUS server must have the Blue-Coat-Authorization attribute defined and associated with the users or groups on the server who require administrative access to the CAS appliance.

About the Blue-Coat-Authorization RADIUS attribute

After you enable communication between the CAS appliance and the RADIUS server, the RADIUS server must authenticate users and authorize access to the CAS appliance. For authentication, the RADIUS server uses its database to validate user credentials. To enable authorization, you must define the Blue-Coat-Authorization (vendor-specific) attribute in the RADIUS user profile for users who require administrative or read-only access to the CAS appliance. The Blue-Coat-Authorization values that you can assign are as follows:

No access: This is the default when neither read-only access (1) nor administrative access (2) is specified.
1: Read-only access
2: Read-write access (administrative access or full access user)

Enable RADIUS Authentication

1. Select Settings > Users > RADIUS Settings.
2. Click the Enabled check box.
3. Enter the IP address and port number of the primary RADIUS server.

4. Enter the shared secret that you have configured on the RADIUS server. This shared secret allows the CAS appliance to forward user credentials to the RADIUS server for verification.
5. (Optional, but recommended) Enter the IP address, port, and shared secret for the Alternate RADIUS server.
6. Enter a RADIUS user or group to local role mapping. Click Add User Mapping or Add Group Mapping. Enter a username or group name, select a role, and click Add.
7. Click Save Changes.

Example: FreeRADIUS Configuration Procedure

The following example shows the RADIUS configuration steps required to support authentication and authorization of Content Analysis System users on FreeRADIUS server v . The main tasks in this workflow are as follows:

Configure the CAS IP address on the FreeRADIUS server.
Set up the attributes so that the CAS can receive authentication and authorization attributes from the RADIUS server. The CAS provides a dictionary file that contains all the authorization attributes supported on the CAS. You must first obtain this dictionary.bluecoat file from the Settings > Users > RADIUS Settings page in the CAS Management Console. Then you need to manually define the attribute (using the attribute name or number, type, value, and vendor code) for all users that are permitted access to the CAS.

To enable communication between the FreeRADIUS server and the CAS appliance:

1. Add the IP address of the CAS to the FreeRADIUS server client configuration file, /etc/freeradius/clients.conf.
2. Add a shared secret to enable communication between the CAS and the FreeRADIUS server. For example:

   client /24 {
       secret = testing123
       shortname = CASNetwork
   }

   You can define a single machine ( ) or a subnet ( /24).
3. Download and save the dictionary.bluecoat file to the /usr/share/freeradius/ directory. This file is available from the Download Blue Coat's dictionary file for FreeRADIUS Server here link (Settings > Users > RADIUS Settings).
4. Add Blue Coat's vendor-specific attributes defined in the dictionary.bluecoat file to the /usr/share/freeradius/dictionary file. For example, entries in /usr/share/freeradius/dictionary might be as follows:

   $INCLUDE dictionary.xylan
   $INCLUDE dictionary.bluecoat
   $INCLUDE dictionary.freeradius.internal

5. Add the Blue-Coat-Authorization attribute to the users file in the /etc/freeradius/ directory. Specifying the attribute for users or groups allows you to enforce permissions and regulate access to the CAS. The syntax used is:

   <User Name> Cleartext-Password := "<password>"
       Blue-Coat-Authorization = <RADIUS_VALUE or INTEGER_VALUE_CORRESPONDING_TO_PRIVILEGE>

   For example, for an admin user you would specify the following details:

   ratnesh Cleartext-Password := "oldredken123"
       Reply-Message = "Hello",
       Blue-Coat-Authorization = Read-Write-Access

6. Save your configuration and restart the FreeRADIUS server.
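The Access-Request/Access-Accept exchange described under "About RADIUS authentication on the CAS appliance", together with the Blue-Coat-Authorization mapping the FreeRADIUS procedure above configures, as an added Python simulation that is not part of the guide or the product: both the client and the server side run in-process with RFC 2865 framing and PAP password hiding. The vendor ID and the sub-attribute number are labelled placeholders (the real values live in dictionary.bluecoat), and the user database is constructed.

```python
"""Simulated RADIUS exchange: CAS-style client, RADIUS server, Blue-Coat-Authorization VSA."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
# Placeholders: the real vendor ID and sub-attribute number for Blue-Coat-Authorization
# come from the dictionary.bluecoat file downloaded from the CAS, not from the guide.
VENDOR_ID_PLACEHOLDER = 99999
BLUE_COAT_AUTHORIZATION_TYPE = 1
# Attribute values documented in the guide: 1 = read-only, 2 = read-write; else no access.
ROLE_BY_VALUE = {1: "readonly", 2: "administrator"}
# Constructed user database for the simulated server: (password, authorization value).
USER_DB = {"ratnesh": ("oldredken123", 2), "auditor": ("viewonly", 1), "guest": ("guest", None)}


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def _password_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous hidden
    block); the first key uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _password_xor(padded, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _password_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def parse_attributes(data: bytes) -> list:
    """Walk Type-Length-Value attributes, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """What the CAS sends after challenging the user for credentials."""
    authenticator = os.urandom(16)  # Request Authenticator: a fresh random nonce
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Simulated RADIUS server: check the password, reply with the authorization VSA."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attributes(request[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    entry, reply = USER_DB.get(username), b""
    if entry and hmac.compare_digest(entry[0].encode(), password):
        code = ACCESS_ACCEPT
        if entry[1] is not None:  # users without the attribute get no CAS privileges
            vsa = struct.pack("!IBBI", VENDOR_ID_PLACEHOLDER, BLUE_COAT_AUTHORIZATION_TYPE, 6, entry[1])
            reply = _attr(ATTR_VENDOR_SPECIFIC, vsa)
    else:
        code = ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    # The Response Authenticator binds the reply to the request and to the shared secret.
    return header + hashlib.md5(header + req_auth + reply + secret).digest() + reply


def client_parse_response(response: bytes, request: bytes, secret: bytes) -> str:
    """What the CAS does with the reply: verify it, then map the VSA to a local role."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    req_auth, attrs_raw = request[4:20], response[20:length]
    expected = hashlib.md5(response[:4] + req_auth + attrs_raw + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("response authenticator mismatch: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return "denied"
    role = "noaccess"  # Access-Accept without the attribute still grants nothing on the CAS
    for atype, value in parse_attributes(attrs_raw):
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4 \
                and struct.unpack("!I", value[:4])[0] == VENDOR_ID_PLACEHOLDER:
            for vtype, vvalue in parse_attributes(value[4:]):
                if vtype == BLUE_COAT_AUTHORIZATION_TYPE and len(vvalue) == 4:
                    role = ROLE_BY_VALUE.get(struct.unpack("!I", vvalue)[0], "noaccess")
    return role


def login(username: str, password: str, secret: bytes = b"testing123") -> str:
    request = build_access_request(7, username, password, secret)
    return client_parse_response(server_handle(request, secret), request, secret)
```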

Define an Administrative Login Message

Administrative login messages are configured in Settings > Consent Banner. The consent banner is the message that displays when you log in to the Content Analysis System appliance. Enable this banner if your organization requires users to comply with an acceptable use policy or to inform users of the consequences of unauthorized use. When enabled, users must accept the terms defined in the banner before they can access the CAS Management Console. By default, the login banner is disabled.

To enable and configure the login banner:

1. Select the Show Consent Banner check box to enable the display of the banner text on the login page.
2. In the Banner Text field, enter the text that you would like users to view and accept when they log in to the CAS appliance. Up to 2000 characters are supported in this field.
3. (Optional) Select the Show Consent Banner Logo check box to display your company logo.
4. To select the logo image, click Upload New Banner Logo. Browse to the location of the image, select the file, and click Open.
5. Click Save Changes.
6. To view the current banner as configured, click Display Current Consent Banner.

The supported image formats are JPG, JPEG, BMP, GIF, and PNG. The recommended image size is 500 pixels by 80 pixels. The CAS automatically scales larger images to 500 pixels by 100 pixels to conform to the dimensions of the consent banner.

Manually Scan Files for Threats

The Test utility can be found in Utilities > Test. Use the Test utility to upload a file that you suspect is infected with a virus or other type of malware to the appliance for an immediate scan result. The Content Analysis System scans the file with the same configuration options as if it had been transmitted through ICAP from a ProxySG appliance. The scan is performed with all active AV and sandboxing engines, and uses the whitelist, if active. This utility is also useful to Blue Coat Support, to verify that the appliance is functioning as expected. The eicar.org site provides a benign test pattern that you can use to exercise the scanner.

Click Select and Scan Test File to select a file on your local system that you suspect may be malicious. The results of the scan are displayed on the screen. If a virus is found, the name appears next to Virus Name.

Update Anti-Virus Pattern Files

Anti-virus pattern file configuration is available in Services > AV Patterns. Use the settings on this page to view anti-virus information and update pattern files. The table displays the following information.

Column                 Description
Vendor                 Displays the anti-virus vendor.
Version                Displays the version of the anti-virus engine that is in use.
Pattern Version        Displays the version of the pattern file used by the anti-virus engine. It also lists the number of virus definitions included in the pattern file and the time of the most recent pattern file update.
Virus Definitions      Displays the virus unique identification string.
Last Pattern Update    Displays the date and time of the most recent pattern update.
Remaining Update       Displays the number of days before your current license is set to expire. If the license has expired, that date displays, as well as the date on which the grace period expires.

The Content Analysis System appliance checks for new engines and pattern files once every 30 minutes.

Update Now: Click Update Now to download and install the virus pattern files for the specified vendor. Clicking Update Now tells the CAS to check whether a virus pattern file is available that is newer than the one currently on the CAS. The update is either a differential update or a full update, based on the update mechanism that your chosen anti-virus vendor supports.

Force Update Now: Click Force Update Now to force the Content Analysis System to download and install the latest virus pattern files for the specified vendor. Even if you have the latest version installed, this option overwrites the file versions currently residing on the appliance.

Update All Now: Use the Update All Now option when you are using pattern files from multiple AV vendors. This option instructs the CAS to check whether newer virus pattern files are available than those currently installed on the appliance. The update is either a differential update or a full update, based on the update mechanism of the specific anti-virus vendor.

Force Update All Now: Use the Force Update All Now option when you are using pattern files from multiple AV vendors. This option forces the CAS appliance to download and install the latest virus pattern files for all configured vendors. Even if you have the latest version installed, this option overwrites the file versions currently residing on the appliance.

Downloads: Use the Downloads list to monitor the status of AV pattern and engine downloads.

Install a New CAS System Image

CAS system image management is available in System > Firmware. When new features and improvements are made to the CAS system, you can download a system image from Blue Coat's support portal, Blue Touch Online, and install it here.

Manage System Images

The CAS stores up to five images on the system. The image that is marked as the default image will be loaded the next time the appliance is rebooted. If the maximum number of images is already stored on your system and you download a sixth image, CAS deletes the oldest unlocked image to make room for the new image. Use this option to save images, make them the default, and delete images. Select the following options as necessary:

Default: The default image will be loaded the next time CAS is rebooted.
Locked: Protects the image from being deleted. If you don't want CAS to automatically replace an image when you retrieve new images, lock the existing image.
Booted: Indicates whether the image has been booted at least once in the past.
Delete: Click the Delete button to remove an image you no longer need. Note that you cannot delete locked images.

Update CAS Software from BTO.Bluecoat.com

1. In System Image Retrieval, enter the HTTP or HTTPS URL from which the image is to be retrieved. The CAS image download process works with any HTTP server, and with HTTPS servers configured with trusted certificates. If your HTTPS server does not have a trusted certificate, use an internal HTTP server for image and license downloads.
2. Click Retrieve Image. The CAS Management Console provides an alert when new software is available. The alert appears in the lower left-hand corner of the page. If you click the alert, you are redirected to the Software Download pages on BTO. After you log in, copy the download URL into the System Image Retrieval - URL field.
3. Select the new system image as the default and click Save Changes.
4. Reboot the appliance from Utilities > Services to complete the installation of the new image.

Most Recent Download

This section provides information about the most recent image that was downloaded to the appliance, including whether the download was successful.
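The image-slot rules above (five slots, oldest unlocked image evicted on the sixth retrieval, locked images immune to deletion, one default image booted next) decide whether a known-good image survives an upgrade, so it helps to see them played through. The model below is an added example, not Blue Coat's code; the image names are constructed, and two situations the guide does not describe (all five images locked, and eviction of the current default image) are handled by stated assumption.

```python
"""Model of the CAS system-image store described above.

Added example (not Blue Coat's code). It reproduces the rules the guide
states: at most five images are stored, retrieving a sixth evicts the oldest
unlocked image, locked images cannot be deleted, and the image marked as
default is the one loaded at the next reboot. Two cases the guide does not
cover are handled by assumption: when every stored image is locked the
retrieval is refused, and an evicted default image simply leaves no default
until an administrator selects one.
"""
from dataclasses import dataclass
from typing import List

MAX_IMAGES = 5  # "The CAS stores up to five images on the system."


@dataclass
class Image:
    name: str
    retrieved_at: int        # retrieval order; lower means older
    locked: bool = False
    default: bool = False
    booted: bool = False


class ImageStore:
    def __init__(self) -> None:
        self.images: List[Image] = []
        self._clock = 0

    def retrieve(self, name: str) -> Image:
        """Download a new image, evicting the oldest unlocked one when full."""
        if len(self.images) >= MAX_IMAGES:
            candidates = [i for i in self.images if not i.locked]
            if not candidates:
                # Assumption: the guide does not say what happens here.
                raise RuntimeError("all stored images are locked; unlock one first")
            self.images.remove(min(candidates, key=lambda i: i.retrieved_at))
        self._clock += 1
        image = Image(name, self._clock)
        self.images.append(image)
        return image

    def set_default(self, name: str) -> None:
        """Mark exactly one image as the one loaded at the next reboot."""
        target = self._find(name)
        for image in self.images:
            image.default = image is target

    def lock(self, name: str, locked: bool = True) -> None:
        """Locking protects an image from deletion and from automatic eviction."""
        self._find(name).locked = locked

    def delete(self, name: str) -> None:
        """Remove an image; locked images cannot be deleted."""
        image = self._find(name)
        if image.locked:
            raise PermissionError(f"{name} is locked")
        self.images.remove(image)

    def reboot(self) -> Image:
        """Boot the default image and record that it has been booted."""
        defaults = [i for i in self.images if i.default]
        if len(defaults) != 1:
            raise RuntimeError("select a default image before rebooting")
        defaults[0].booted = True
        return defaults[0]

    def names(self) -> List[str]:
        return [i.name for i in self.images]

    def _find(self, name: str) -> Image:
        for image in self.images:
            if image.name == name:
                return image
        raise KeyError(name)


def upgrade_walkthrough() -> ImageStore:
    """Steps 1-4 of the update procedure above, on a store that is already full."""
    store = ImageStore()
    for n in range(1, 6):
        store.retrieve(f"cas-image-{n}")          # constructed image names
    store.lock("cas-image-1")                      # keep a known-good fallback
    store.set_default("cas-image-5")
    store.retrieve("cas-image-6")                  # sixth image evicts cas-image-2
    store.set_default("cas-image-6")               # step 3
    store.reboot()                                 # step 4
    return store


if __name__ == "__main__":
    s = upgrade_walkthrough()
    for img in s.images:
        print(f"{img.name:12} default={img.default} locked={img.locked} booted={img.booted}")
```

The walkthrough shows why the guide recommends locking: without the lock on cas-image-1, the sixth retrieval would have evicted that image rather than cas-image-2, and the fallback would be gone before the new image had ever been booted.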

Set Log Parameters

Log parameter configuration is available in Settings > Logging. Use these settings to set logging options for various modules. Each module is a section of code that serves a certain purpose (such as Audit, ICAP, INTERNAL, and SNMP). Logging by module allows a more fine-grained understanding of what is occurring in the product. Use the File column to define how much detail is included in the log file that is saved to the appliance, and the Syslog column to specify the detail level of events sent to your syslog server.

1. In the File and Syslog columns, click the row corresponding to the module you want to edit. The interface displays a drop-down list.
2. Do one of the following:
   a. In the drop-down list, select a severity level for the module: None, Critical, Error, Warning, Info, or Debugging. The severity level controls how verbose the log output is, from most verbose (DEBUGGING) to least verbose (CRITICAL). Select NONE to disable log reporting for that output option. The previous setting remains highlighted for reference.
   b. Enter your own descriptive severity level text:
      i. Note the flashing cursor.
      ii. Backspace to delete the message text.
      iii. Enter new text. In this example, we entered "Network."
3. Click Save Changes.

Review System Activities

The CAS system logs can be viewed in Utilities > System Logs. Use this page to review the CAS subsystem activity logs. The appliance logs the actions of all of the functions performed by the Content Analysis System appliance (CAS). Typically, this information is only useful when troubleshooting an issue with the assistance of a Blue Coat technical support engineer or support partner. The logs in this list, along with the web logs and the system configuration, can be sent to Blue Coat support via the Troubleshooting utility page.

Available System Logs

boot.log: The log created as the appliance boots.
cas: The internal ICAP service logs.
cas-audit: Administrative actions performed on the web interface.
cas-connection: ICAP connection logs.
clp_alerts.log: Captures everything system-wide that has been flagged as an alert.
clp_services.log: Internal appliance log for system services.
cron: Scheduled jobs log.
dmesg: Internal service log, for Blue Coat engineering use.
dmesg.old: Internal service log, for Blue Coat engineering use.
dracut.log: Internal service log, for Blue Coat engineering use.
lastlog: Internal service log, for Blue Coat engineering use.
tomcat6-initd.log: Internal service log, for Blue Coat engineering use.
wtmp: Internal service log, for Blue Coat engineering use.

Click the View button to view the selected log file or the Download button to download the selected log file. The Delete button deletes all data in the specified log.

Archive or Restore the System Configuration

Manage system configuration files in Utilities > Configuration. Back up and restore the Content Analysis System configuration as an XML file. As a best practice, back up your appliance configuration before making changes.

Available Options

Download Entire Configuration: The Get Configuration option prompts you to choose a save location for the configuration archive, config.xml.
Upload Entire Configuration: The Choose File option prompts you to find the location of a previously saved config.xml file on your workstation.

Perform Administrative Tasks from the Command Line Interface

After the Content Analysis System appliance has been configured for your network, you can use either the web-based management console or the CLI to perform additional testing and administrative tasks. Press the TAB key after entering at least one letter to see the available commands that begin with that text. Use a ? at any point in a command to see the syntax options available for a given command.

Standard Mode Commands

Some administrators prefer to use a command line for quick tasks such as sending ICMP (ping) packets to test connectivity or viewing the appliance's status. The following standard mode commands can be run without elevated access.

enable: Enter the elevated privilege mode, known as enable mode. If configured, a password may be required.

exit: End the CLI session.

help: Display the list of commands. Also available by typing ?.

ping: Send a series of four ICMP packets to a destination you define to test network connectivity.

    CAS> ping bto.bluecoat.com
    PING bto.bluecoat.com ( ) 56(84) bytes of data.
    64 bytes from : icmp_seq=1 ttl=55 time=24.5 ms
    64 bytes from : icmp_seq=2 ttl=55 time=25.7 ms
    64 bytes from : icmp_seq=3 ttl=55 time=27.5 ms
    64 bytes from : icmp_seq=4 ttl=55 time=23.9 ms
    --- bto.bluecoat.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 4489ms
    rtt min/avg/max/mdev = /25.438/27.530/1.382 ms

show licenses: Display the current licensing status. Activated licenses are preceded by an asterisk.

    CAS> show licenses
    * Base license (48 days remaining)
    * Kaspersky Labs (48 days remaining)
    * McAfee, Inc. (48 days remaining)
      Sophos, Plc. (48 days remaining)
      Sandboxing (48 days remaining)
      Whitelisting (48 days remaining)

show setupinfo: Display the networking and access settings for the appliance.

    CAS> show setupinfo
    Network settings:
      Interface 0:
        IP address:
        Subnet mask:
        NIC media setting: <unknown>
      IP gateway:
      DNS server:
    Access settings:
      Command Line Interface and Web Interface:
        HTTP port: <disabled>
        HTTPS port: 8082
        Credentials required: <yes>
        User name: admin
        Password: <set>
        Enable password: <empty>
      Allowed ICAP clients: <any>

show status: Display the current status of the appliance, including physical resources and software versions.

    CAS> show status
    Configuration:
      Memory installed: megabytes
      Memory free: megabytes
      CPUs installed: 8
      Software version: (125617)
      Interface 0 MAC: 00:d0:83:09:64:17
      Interface 1 MAC: 00:d0:83:09:64:18
    General status:
      System started: :02:49UTC
      CPU utilization: 12

upload-sr: Prompt the appliance to gather all system logs, configuration files, and other troubleshooting data and upload them to a Blue Coat support service request. The following format is expected: 2-xxxxxxxxx.

Enable Mode Commands

Use the elevated commands available in the CAS CLI to make system changes such as configuring the enable mode password, restoring the appliance to a default configuration, or shutting down the appliance.

acquire-factory-certificate: Download the factory certificate from Blue Coat. This is already done during the initial configuration of the appliance, so only run this command at the direction of Blue Coat support.

disable: Return to the standard mode CLI.

exit: End the CLI session.

help (or ?): Display this help.

ping: Send a series of four ICMP packets to a destination you define to test network connectivity. The output of CAS# ping is the same as for the standard mode command shown above.

restart reboot: Power cycle the appliance.
restart icap: Stop and start the ICAP service.
restart licensing: Stop and restart the licensing and subscription services.
restart web: Stop and start the web management console service.
restart snmp: Stop and start the SNMP service.

restore-defaults factory-defaults: Restore the appliance configuration to a default state.
restore-defaults factory-defaults-halt: Restore the appliance configuration to a default state and stop the CAS operating system. This is appropriate when you plan to manually remove and restore power to the appliance at a later time.
restore-defaults factory-defaults-shutdown: Restore the appliance configuration to a default state and power down the appliance.
restore-defaults reset-passwd: Reset the appliance password for the primary local admin account.
restore-defaults reset-web: Reset the configuration for the web management interface. By default, the inactivity timeout is 10 minutes and HTTP (port 8080) administration is disabled.

security enable-password: Enable and define the password required to reach the elevated privilege mode of the CLI.
security unset-password: Disable the need to enter a password when switching from the standard mode to the enable mode of the CLI.

show licenses: Display the current licensing status. Activated licenses are preceded by an asterisk. The output of CAS# show licenses is the same as for the standard mode command shown above.

show setupinfo: Display the networking and access settings for the appliance. The output of CAS# show setupinfo is the same as for the standard mode command shown above.

show status: Display the current status of the appliance, including physical resources and software versions. The output of CAS# show status is the same as for the standard mode command shown above.

shutdown: Turn off the appliance.

upload-sr: Prompt the appliance to gather all system logs, configuration files, and other troubleshooting data and upload them to a Blue Coat support service request. The following format is expected: x-xxxxxxxxx.

Troubleshooting and Support Utilities

Archive or Restore the System Configuration 94
Onboard Diagnostics 95
Inspect Traffic 96
Test Network Connectivity 98
Restart System Services 99
Review System Activities 100
View and Export the System Information File 101
Manually Scan Files for Threats 102
Send Diagnostic Information to Blue Coat Support 103
Review the Web Logs 104


Onboard Diagnostics

The Onboard Diagnostics utility can be found in Utilities > Onboard Diagnostics. View the output from the Content Analysis System appliance hardware monitoring sensors. If the values on this page display with a Critical status, contact a Blue Coat support engineer for assistance.

Available Sensors

Voltages: Reports the voltage, status, and state of components for which the appliance has a voltage sensor, such as CPU cores, the power supply, and others.
Rotation Per Minute: Reports the speed at which the fans on the appliance spin.
Temperatures: The results of temperature monitoring for the chassis, CPU, and other components that produce heat in the appliance.
Power Supplies: The state of the appliance's power supplies.

Inspect Traffic

The Packet Capture utility can be found in Utilities > Packet Capture. The Packet Capture utility examines data sent to and from the Content Analysis System appliance. Packet captures are saved as PCAP files, compatible with Wireshark and other packet analysis tools that support the same format.

Available Options

Filter: Define a filter for your packet capture, using the standard Berkeley packet filter (BPF) syntax.
Duration: Set the amount of time (in seconds) to capture traffic.
Start: Begin capturing data.
Stop: Stop the capture and write it to disk.
Refresh: As data is being captured, click Refresh to see the file and its size in the table.

After clicking Stop, the appliance saves the capture and displays it in the list at the bottom of the page.

Manage PCAP Files

Once a packet capture has been stopped, the table displays a filename (based on the time and date of the capture), the file size, and the date it was saved. The first column provides two buttons:

Download: Download the PCAP file to your local system.
Delete: Delete the PCAP file. For the initial release of CAS, no alert or confirmation message appears when you click the delete button on this screen.

Filter Packet Captures

Because unfiltered packet capture files can grow very large in a short amount of time in a busy environment, it is often prudent to filter your captures so that they contain only the traffic you are interested in. The following PCAP filter expression examples will help you define your own filters. For a more comprehensive look at Berkeley packet filtering, see biot.com/capstats/bpf.html.

Example 1: Capture all traffic requested by a single user at the IP address :

    host

Example 2: Capture all traffic between a single user and a specific URL:

    host and host

Example 3: Capture all HTTP traffic for a specific user:

    host and port 80

Example 4: Capture only TCP traffic:

    tcp

Example 5: Capture traffic for either one user or another:

    host or host

Test Network Connectivity

The Utilities > Ping utility tests the network path between the appliance and another host.

Available Options

Address: Enter the hostname or IP address of the site or host you wish to ping.
Ping: Sends four ICMP packets to the host defined in the Address field. The system displays the results below the Ping option.

Example

    PING bto.bluecoat.com ( ) 56(84) bytes of data.
    64 bytes from : icmp_seq=1 ttl=55 time=24.4 ms
    64 bytes from : icmp_seq=2 ttl=55 time=24.2 ms
    64 bytes from : icmp_seq=3 ttl=55 time=24.4 ms
    64 bytes from : icmp_seq=4 ttl=55 time=24.4 ms
    --- bto.bluecoat.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3029ms
    rtt min/avg/max/mdev = /24.420/24.498/0.179 ms

Restart System Services

The restart utility can be found in Utilities > Services. Under the direction of a Blue Coat support engineer or support partner, use the options on this page to restart the appliance or to restart the Content Analysis System services.

Available Options

Reboot Appliance: Force the appliance to reboot.
Refresh Antivirus Engine and Signatures: Stop and start the antivirus subsystem.
Restart ICAP Service: Stop and start the service responsible for accepting incoming ICAP connections.
Restart Web Management: Stop and start the web server responsible for hosting the management console on the appliance.
Restart Licensing and Subscription Services: Stop and start the appliance's licensing services.
Restart SNMP Service: Stop and start the appliance service responsible for sending SNMP alerts.


View and Export the System Information File

The System Information utility can be found in Utilities > System Information. When working with a Blue Coat Support engineer, one crucial piece of information in determining the cause of and solution to an issue is the System Information file. The System Information file is an XML file that contains your appliance configuration as well as the results of all current diagnostic reports for the appliance. When prompted by Blue Coat support to provide this information, click into the text box, highlight all of the text (there will be several pages of information), and copy it. You can then paste the text into an email, your support request, or a text file.


Send Diagnostic Information to Blue Coat Support

The Diagnostic Upload utility can be found in Utilities > Troubleshooting. In the event that your CAS appliance fails or restarts unexpectedly, it produces a zip file containing system logs and the contents of memory at the time of the failure (known as a core file, or a core dump). When troubleshooting issues of this nature, Blue Coat support personnel will request the relevant files on this page. They can examine the data contained in each zip package to identify the cause of the issue. To send log files to Blue Coat Customer Support, you must have an open Service Request (SR) number. For information on opening an SR, see

Upload Log Files to Blue Coat Support

To upload log files to the Blue Coat Support server:

1. Under Troubleshooting Logs, put a check next to the file you're interested in. Files are listed based on the time and date they were created.
2. Click Upload Selected Logs To Service Request. The Service Request Upload dialog displays.
3. Enter your service request number into the field in the dialog and click Upload.
4. Click Delete Selected Logs to ensure that the file is removed from the appliance.

Delete Core Files

System core image files are very large and should be deleted as soon as they are no longer necessary. Follow these steps to delete core images.

1. Select the core image file you wish to delete.
2. Click Delete Selected Cores.

Troubleshooting Tips

If you have trouble uploading files to the Blue Coat Support server, check for the following issues.

- If your CAS appliance doesn't have direct access to the Internet, you can configure it to use your ProxySG appliance. To add the IP address for the ProxySG on the Content Analysis System appliance, go to Network > Proxy Server for Updates.
- If your traffic is being sent from your CAS to your ProxySG appliance, verify that SSL intercept for is not enabled on your ProxySG appliance.
- Verify that the SR number is valid and has not previously been resolved.

Review the Web Logs

Web server logs can be found in Utilities > Web Logs. Used for troubleshooting research by Blue Coat Support, the Web Logs page displays a list of the logs generated by the CAS web server subsystem. On the instruction of a Blue Coat support engineer, click the View button to view the selected log file or the Download button to download the selected log file.

View Web Logs

Clicking the View icon opens the log in another window. Drag the corners or sides of the log viewing window to resize it.

Download Web Logs

When you click the Download icon, you are prompted to view or save the file.


More information

Integrating the ProxySG and ProxyAV Appliances. For SGOS 6.5 and later and AVOS 3.5 and later

Integrating the ProxySG and ProxyAV Appliances. For SGOS 6.5 and later and AVOS 3.5 and later Integrating the ProxySG and ProxyAV Appliances For SGOS 6.5 and later and AVOS 3.5 and later i Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the

More information

Integrated SSL Scanning

Integrated SSL Scanning Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Configuration Guide. Websense Web Security Solutions Version 7.8.1 Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution

More information

Blue Coat ProxySG Authentication Guide. SGOS 6.5.x

Blue Coat ProxySG Authentication Guide. SGOS 6.5.x Blue Coat ProxySG Authentication Guide SGOS 6.5.x 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9,

More information

SevOne NMS Download Installation and Implementation Guide

SevOne NMS Download Installation and Implementation Guide SevOne NMS Download Installation and Implementation Guide 5.3.X 530 V0002 Contents 1. Get Started... 3 2. SevOne Download Installation... 6 3. Appliance Network Configuration... 9 4. Install License and

More information

Initial Configuration Guide

Initial Configuration Guide Initial Configuration Guide For Virtual Appliances Management Center 1.3.2.1 Version 1.3.2.1 Third Party Copyright Notices Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER,

More information

Quadro Configuration Console User's Guide. Table of Contents. Table of Contents

Quadro Configuration Console User's Guide. Table of Contents. Table of Contents Epygi Technologies Table of Contents Table of Contents About This User s Guide... 3 Introducing the Quadro Configuration Console... 4 Technical Specification... 6 Requirements... 6 System Requirements...

More information

Policy Guide. Version 6.8.2/Doc Revision: 10/23/15

Policy Guide. Version 6.8.2/Doc Revision: 10/23/15 Policy Guide Version 6.8.2/Doc Revision: 10/23/15 Blue Coat Web Security Service Copyrights 2015 Blue Coat Systems, Inc.All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Virtual Managment Appliance Setup Guide

Virtual Managment Appliance Setup Guide Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

More information

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance 1 0 0 0 1 1 QUICK START GUIDE Web Security Appliance Web Security Appliance Cisco S170 303417 Cisco S170 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

ESET Mobile Security Business Edition for Windows Mobile

ESET Mobile Security Business Edition for Windows Mobile ESET Mobile Security Business Edition for Windows Mobile Installation Manual and User Guide Click here to download the most recent version of this document Contents 1. Installation...3 of ESET Mobile Security

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

ez Agent Administrator s Guide

ez Agent Administrator s Guide ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,

More information

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES WHITEPAPER In today s complex network architectures it seems there are limitless ways to deploy networking equipment. This may be the case for some networking gear, but for web gateways there are only

More information

GFI Product Manual. Administration and Configuration Manual

GFI Product Manual. Administration and Configuration Manual GFI Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is"

More information

User Guide Online Backup

User Guide Online Backup User Guide Online Backup Table of contents Table of contents... 1 Introduction... 2 Adding the Online Backup Service to your Account... 2 Getting Started with the Online Backup Software... 4 Downloading

More information

Product Manual. Administration and Configuration Manual

Product Manual. Administration and Configuration Manual Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with

More information

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide GFI Product Manual Web security, monitoring and Internet access control Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Blue Coat Systems. Client Manager Redundancy for ProxyClient Deployments

Blue Coat Systems. Client Manager Redundancy for ProxyClient Deployments Blue Coat Systems Client Manager Redundancy for ProxyClient Deployments Copyright 1999-2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means

More information

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government

More information

FortKnox Personal Firewall

FortKnox Personal Firewall FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Symantec Endpoint Protection Shared Insight Cache User Guide

Symantec Endpoint Protection Shared Insight Cache User Guide Symantec Endpoint Protection Shared Insight Cache User Guide Symantec Endpoint Protection Shared Insight Cache User Guide The software described in this book is furnished under a license agreement and

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

ProxySG ICAP Integration

ProxySG ICAP Integration ProxySG ICAP Integration Blue Coat s proxies can utilize the Internet Content Adaptation Protocol (ICAP) to hand off HTTP requests and/or responses to an external server for configured processing and transformation.

More information

SECURE ICAP Gateway. Blue Coat Implementation Guide. Technical note. Version 1.0 23/12/13. Product Information. Version & Platform SGOS 6.

SECURE ICAP Gateway. Blue Coat Implementation Guide. Technical note. Version 1.0 23/12/13. Product Information. Version & Platform SGOS 6. Technical note Version 1.0 23/12/13 Product Information Partner Name Web Site Product Name Blue Coat Systems, Inc. www.bluecoat.com ProxySG Version & Platform SGOS 6.5 Product Description Blue Coat ProxySG

More information

Installing GFI MailSecurity

Installing GFI MailSecurity Installing GFI MailSecurity Introduction This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Secure Web Gateway Virtual Appliance Initial Configuration Guide Platform: VMware vsphere Hypervisor

Secure Web Gateway Virtual Appliance Initial Configuration Guide Platform: VMware vsphere Hypervisor Secure Web Gateway Virtual Appliance Initial Configuration Guide Platform: VMware vsphere Hypervisor SGOS 6.5.x and later i Secure Web Gateway Virtual Appliance Contact Information Americas: Blue Coat

More information

CYAN SECURE WEB APPLIANCE. User interface manual

CYAN SECURE WEB APPLIANCE. User interface manual CYAN SECURE WEB APPLIANCE User interface manual Jun. 13, 2008 Applies to: CYAN Secure Web 1.4 and above Contents 1 Log in...3 2 Status...3 2.1 Status / System...3 2.2 Status / Network...4 Status / Network

More information

Configuration Information

Configuration Information Configuration Information Email Security Gateway Version 7.7 This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard.

More information

QUICK START GUIDE. Cisco C170 Email Security Appliance

QUICK START GUIDE. Cisco C170 Email Security Appliance 1 0 0 1 QUICK START GUIDE Email Security Appliance Cisco C170 303357 Cisco C170 Email Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance

More information

Sophos Anti-Virus for NetApp Storage Systems startup guide

Sophos Anti-Virus for NetApp Storage Systems startup guide Sophos Anti-Virus for NetApp Storage Systems startup guide Runs on Windows 2000 and later Product version: 1 Document date: April 2012 Contents 1 About this guide...3 2 About Sophos Anti-Virus for NetApp

More information

An Oracle Technical White Paper May 2015. How to Configure Kaspersky Anti-Virus Software for the Oracle ZFS Storage Appliance

An Oracle Technical White Paper May 2015. How to Configure Kaspersky Anti-Virus Software for the Oracle ZFS Storage Appliance An Oracle Technical White Paper May 2015 How to Configure Kaspersky Anti-Virus Software for the Oracle ZFS Storage Appliance Table of Contents Introduction... 2 How VSCAN Works... 3 Installing Kaspersky

More information

Installing, Uninstalling, and Upgrading Service Monitor

Installing, Uninstalling, and Upgrading Service Monitor CHAPTER 2 Installing, Uninstalling, and Upgrading Service Monitor This section contains the following topics: Preparing to Install Service Monitor, page 2-1 Installing Cisco Unified Service Monitor, page

More information

Sophos for Microsoft SharePoint Help

Sophos for Microsoft SharePoint Help Sophos for Microsoft SharePoint Help Product version: 2.0 Document date: March 2011 Contents 1 About Sophos for Microsoft SharePoint...3 2 Dashboard...4 3 Configuration...5 4 Reports...27 5 Search...28

More information

Cisco S380 and Cisco S680 Web Security Appliance

Cisco S380 and Cisco S680 Web Security Appliance QUICK START GUIDE Cisco S380 and Cisco S680 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance in a Rack 6 Plug In the Appliance

More information

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Email Security

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Email Security Email Security SonicWALL Email Security 7.0 for Microsoft Small Business Server System Compatibility SonicWALL Email Security 7.0 Software is supported on systems with the following: Operating Systems

More information

Sophos Enterprise Console Help

Sophos Enterprise Console Help Sophos Enterprise Console Help Product version: 5.2.1, 5.2.2 Document date: September 2014 Contents 1 About Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

XMS Quick Start Guide

XMS Quick Start Guide 812-0055-002D XMS Quick Start Guide Overview of Quick Start Steps This guide will quickly get you up and running with the Xirrus Management System (XMS). It includes instructions for setting up the XMS

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Sophos Anti-Virus for Mac OS X Help

Sophos Anti-Virus for Mac OS X Help Sophos Anti-Virus for Mac OS X Help For networked and standalone Macs running Mac OS X Product version: 9 Document date: June 2013 Sophos TOC 3 Contents About Sophos Anti-Virus...5 About the Scans window...5

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

Quick Install Guide. Lumension Endpoint Management and Security Suite 7.1

Quick Install Guide. Lumension Endpoint Management and Security Suite 7.1 Quick Install Guide Lumension Endpoint Management and Security Suite 7.1 Lumension Endpoint Management and Security Suite - 2 - Notices Version Information Lumension Endpoint Management and Security Suite

More information

AVG File Server 2012. User Manual. Document revision 2012.03 (8/19/2011)

AVG File Server 2012. User Manual. Document revision 2012.03 (8/19/2011) AVG File Server 2012 User Manual Document revision 2012.03 (8/19/2011) Copyright AVG Technologies CZ, s.r.o. All rights reserved. All other trademarks are the property of their respective owners. This

More information

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later Sophos Anti-Virus for NetApp Storage Systems startup guide Runs on Windows 2000 and later Document date: July 2007 Contents About this guide...4 About Sophos Anti-Virus for NetApp Storage Systems...5

More information

Sophos Anti-Virus for Windows, version 7 user manual. For Windows 2000 and later

Sophos Anti-Virus for Windows, version 7 user manual. For Windows 2000 and later Sophos Anti-Virus for Windows, version 7 user manual For Windows 2000 and later Document date: August 2008 Contents 1 About Sophos Anti-Virus...3 2 Introduction to Sophos Anti-Virus...5 3 Checking the

More information

Sophos for Microsoft SharePoint Help. Product version: 2.0

Sophos for Microsoft SharePoint Help. Product version: 2.0 Sophos for Microsoft SharePoint Help Product version: 2.0 Document date: September 2015 Contents 1 About Sophos for Microsoft SharePoint...3 2 Dashboard...4 3 Configuration...5 3.1 On-access scan...5 3.2

More information

Analyzer 7.1 Administrator s Guide

Analyzer 7.1 Administrator s Guide Analyzer 7.1 Administrator s Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential damage

More information

Configuring Symantec AntiVirus for NetApp Storage system

Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system Configuring Symantec AntiVirus for NetApp Storage system The software described in this book is furnished under a license agreement and may be used

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Server Installation Guide ZENworks Patch Management 6.4 SP2

Server Installation Guide ZENworks Patch Management 6.4 SP2 Server Installation Guide ZENworks Patch Management 6.4 SP2 02_016N 6.4SP2 Server Installation Guide - 2 - Notices Version Information ZENworks Patch Management Server Installation Guide - ZENworks Patch

More information

efolder BDR for Veeam Cloud Connection Guide

efolder BDR for Veeam Cloud Connection Guide efolder BDR for Veeam Cloud Connection Guide Setup Connect Preload Data uh6 efolder BDR Guide for Veeam Page 1 of 36 INTRODUCTION Thank you for choosing the efolder Cloud for Veeam. Using the efolder Cloud

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES TECHNICAL BRIEF INTRODUCTION The purpose of this document is to explain how Integrated Windows Authentication (IWA) works with the ProxySG appliance,

More information

Virtual Appliance for VMware Server. Getting Started Guide. Revision 2.0.2. Warning and Disclaimer

Virtual Appliance for VMware Server. Getting Started Guide. Revision 2.0.2. Warning and Disclaimer Virtual Appliance for VMware Server Getting Started Guide Revision 2.0.2 Warning and Disclaimer This document is designed to provide information about the configuration and installation of the CensorNet

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

NETWRIX ACCOUNT LOCKOUT EXAMINER

NETWRIX ACCOUNT LOCKOUT EXAMINER NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

WatchGuard XCSv Setup Guide

WatchGuard XCSv Setup Guide WatchGuard XCSv Setup Guide All XCSv Editions Copyright and Patent Information Copyright 2010 2013 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, LiveSecurity, and

More information

Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved.

Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved. Kerio Control VMware Virtual Appliance Quick Setup Guide 2011 Kerio Technologies s.r.o. All rights reserved. This document provides detailed description on installation and basic configuration of the Kerio

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

AVG File Server. User Manual. Document revision 2015.08 (23.3.2015)

AVG File Server. User Manual. Document revision 2015.08 (23.3.2015) AVG File Server User Manual Document revision 2015.08 (23.3.2015) C opyright AVG Technologies C Z, s.r.o. All rights reserved. All other trademarks are the property of their respective owners. Contents

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

F-Secure Client Security. Administrator's Guide

F-Secure Client Security. Administrator's Guide F-Secure Client Security Administrator's Guide F-Secure Client Security TOC 3 Contents Chapter 1: Introduction...9 System requirements...10 Policy Manager Server...10 Policy Manager Console...10 Main

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

CentreWare Internet Services Setup and User Guide. Version 2.0

CentreWare Internet Services Setup and User Guide. Version 2.0 CentreWare Internet Services Setup and User Guide Version 2.0 Xerox Corporation Copyright 1999 by Xerox Corporation. All rights reserved. XEROX, The Document Company, the digital X logo, CentreWare, and

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.0 July 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing Disaster Recovery Version 7.0 July

More information

Sophos Anti-Virus for Mac OS X: Home Edition Help

Sophos Anti-Virus for Mac OS X: Home Edition Help Sophos Anti-Virus for Mac OS X: Home Edition Help For standalone Macs running Mac OS X Product version: 9C Document date: June 2013 Sophos TOC 3 Contents About Sophos Anti-Virus...5 About the Scans window...5

More information

SNMP Critical Resource Monitoring

SNMP Critical Resource Monitoring SNMP Critical Resource Monitoring SGOS 6.5.x and later i SNMP Critical Resource Monitoring Contact Information Americas: Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World:

More information

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION Publication: 81-9059-0703-0, Rev. C www.pesa.com Phone: 256.726.9200 Thank You for Choosing PESA!! We appreciate your confidence in our products. PESA produces

More information