ASA: Send Network Traffic from the ASA to theCSC−SSM Configuration Example

Document ID: 99141

Contents

IntroductionPrerequisites Requirements Components Used ConventionsBackground InformationConfigure ASA − CSC SSM Flow Diagram CSC Initial Setup How to Configure ASA to Divert Traffic to CSC−SSM Network Diagram ASA ConfigurationCSC Home Page CSC SetupSMTP Configuration Trend Micro SMTP ConfigurationHTTP Configuration Scanning File Blocking URL Blocking URL FilteringFTP Configuration Trend Micro FTP ConfigurationVerifyTroubleshoot Internet Access Spam Not Being Detected License violation errors Performance Issue Email Issue Traffic Issue Grayware Pattern Update Issue HTTPS Traffic Issue Unable to bypass traffic from CSC Inspection Unable to log all the HTTP traffic that passes through CSC−SSM Error while upgrading CSC Error while CSC automatically updating signatures CSC module fails to show syslogs CSC Log server runs into infinite loop and stops abruptly Troubleshooting CommandsRelated Information

Introduction

This document provides a sample configuration for how to send network traffic from the Cisco ASA 5500Series Adaptive Security Appliance (ASA) to the Content Security and Control Security Services Module(CSC−SSM).

The CSC−SSM provides protection against viruses, spyware, spam, and other unwanted traffic. Itaccomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that is diverted to it by the adaptivesecurity appliance. In order to force the ASA to divert the traffic to the CSC−SSM, you need to use ModularPolicy Framework.

Refer to ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example in order to sendnetwork traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to theAdvanced Inspection and Prevention Security Services Module (AIP−SSM) (IPS) module.

Note: The CSC−SSM can scan FTP, HTTP, POP3, and SMTP traffic only when the destination port of thepacket that requests the connection is the well−known port for the specified protocol. The CSC−SSM can scanonly these connections:

FTP connections opened to TCP port 21• HTTP connections opened to TCP port 80• POP3 connections opened to TCP port 110• SMTP connections opened to TCP port 25•

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

A basic understanding of how to configure Cisco ASA 5500 Series runs software version 7.1 andlater.

•

The CSC−SSM has been installed.•

Components Used

The information in this document is based on these software and hardware versions:

ASA 5520 with software version 7.1 and later• CSC−SSM−10 with software version 6.1•

The information in this document was created from the devices in a specific lab environment. All of thedevices used in this document started with a cleared (default) configuration. If your network is live, make surethat you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

The CSC−SSM maintains a file that contains signature profiles of suspicious content, updated regularly froman update server at Trend Micro. The CSC−SSM scans traffic it receives from the adaptive security applianceand compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on tothe adaptive security appliance for routing, or blocks and reports content that is suspicious.

By default, CSC−SSM comes with a base license that provides these features:

Detects and takes action on viruses and malware in the network traffic• Blocks compressed or very large files that exceed specified parameters• Scans for and remove spyware, adware, and other types of grayware•

Additionally, if it is equipped with a Plus License, it also performs these tasks:

Reduces spam and protect against phishing fraud in your SMTP and POP3 traffic• Sets up content filters that enable you to allow or prohibit email traffic that contain key words orphrases

•

Filters/Blocks URLs that you do not want users to access, or URLs that are known to have hidden ormalicious purposes

•

Note: The CSC−SSM can scan FTP file transfers only when FTP inspection is enabled on the ASA. Bydefault, FTP inspection is enabled.

Note: The CSC−SSM cannot support Stateful Failover because the CSC−SSM does not maintain connectioninformation, and therefore cannot provide the failover unit with the required information for Stateful Failover.The connections that a CSC−SSM is scanning are dropped when the security appliance in which theCSC−SSM is installed fails. When the standby adaptive security appliance becomes active, it forwards thescanned traffic to the CSC−SSM and the connections are reset.

Configure

In a network in which the adaptive security appliance is deployed with the CSC−SSM, you configure theadaptive security appliance to send to the CSC−SSM only the types of traffic that you want to be scanned.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on thecommands used in this section.

ASA − CSC SSM Flow Diagram

This diagram shows the flow of traffic within ASA and CSC−SSM:

In this example, clients can be network users who access a web site, download files from an FTP server, orretrieve mail from a POP3 server.

In this configuration, this is how the traffic flows:

The client initiates a request.1. The adaptive security appliance receives the request and forwards it to the Internet.2. When the requested content is retrieved, the adaptive security appliance determines whether itsservice policies define this content type as one that should be diverted to the CSC−SSM for scanning,and does so if appropriate.

3.

The CSC−SSM receives the content from the adaptive security appliance, scans it and compares it toits latest update of the Trend Micro content filters.

4.

If the content is suspicious, the CSC−SSM blocks the content and reports the event. If the content isnot suspicious, the CSC−SSM forwards the requested content back to the adaptive security appliancefor routing.

5.

CSC Initial Setup

In the initial setup, several parameters need to be configured. Make sure you have gathered the informationrequired for these parameters before you begin.

As the first step to configure the CSC−SSM, launch the Cisco ASDM. By default, you can access theCSC−SSM through the management IP address of the ASA at https://192.168.1.1/. You need to ensure thatyour PC and the management interface of ASA are in the same network. Alternatively, you can download theASDM Launcher for subsequent accesses.

Configure these parameters with the ASDM:

Once in main ASDM window, choose Configuration > Trend Micro Content Security > WizardSetup and click Launch Setup Wizard.

1.

Activation key:

The first step to obtain the activation key is to identify the Product Authorization Key (PAK) shippedalong with the product. It contains a barcode and 11 hexadecimal characters. For example, a samplePAK can be 120106C7D4A.

Use the PAK to register the CSC−SSM at Product License Registration (registered customers only)webpage. After you register, you receive activation keys by e−mail.

2.

Management port IP parameters:

Specify IP address, netmask and gateway IP address for the CSC Management interface.

DNS Servers�IP address for the Primary DNS server.

3.

Host and Domain Names�Specify a host name as well as the domain name of the CSC−SSM.

Incoming domain�Domain name used by the local mail server as the incoming e−mail domain.

Note: Anti−SPAM policies are applied only to e−mail traffic that come into this domain.

Notification settings�Administrator e−mail address and the e−mail server IP address and port to beused for notifications.

4.

Management host access parameters:

Enter the IP address and mask for each subnet and host that should have management access to theCSC−SSM.

Note: By default, all networks have management access to the CSC−SSM. For security purposes,Cisco recommends that you restrict access to specific subnets or management hosts.

5.

New password for CSC−SSM:

Change the default password, cisco, to a new password for management access.

6.

In step 6 of the CSC Setup Wizard, specify the type of traffic to be scanned.7.

The adaptive security appliance diverts packets to the CSC−SSM after firewall policies are appliedbut before the packets exit the egress interface. For example, packets that are blocked by an access listare not forwarded to the CSC−SSM.

Configure service policies to specify which traffic the adaptive security appliance should divert to theCSC−SSM. The CSC−SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well−knownports for those protocols.

In order to simplify the initial configuration process, this procedure creates a global service policy thatdiverts all traffic for the supported protocols to the CSC−SSM, both inbound and outbound. Becausescanning all traffic that comes through the adaptive security appliance can reduce the performance ofthe adaptive security appliance and the CSC−SSM, you want to revise this security policy later. Forexample, it is not usually necessary to scan all traffic that comes from your inside network because itcomes from a trusted source. If you refine the service policies so that the CSC−SSM scans only trafficfrom untrusted sources, you can achieve your security goals and maximize the performance of theadaptive security appliance and the CSC−SSM.

Complete these steps in order to create a global service policy that identifies traffic to be scanned:

Click Add in order to add a new type of traffic.a. Choose Global from the Interface drop−down list.b. Leave the Source and Destination fields set to Any.c. In the Service are, click the ellipsis (...) radio button. In this dialog box, choose a predefinedservice or click Add in order to define a new service.

d.

In the If CSC card fails, then area, choose whether the adaptive security appliance shouldpermit or deny selected traffic if the CSC−SSM is unavailable.

e.

Click OK in order to return to the Traffic Selection for CSC Scan window.f. Click Next.g.

In step 7 of the CSC Setup Wizard, review configuration settings you entered for the CSC−SSM.8.

If you are satisfied with these settings, click Finish.

The ASDM shows a message that indicates that the CSC device is now active.

By default, the CSC−SSM is configured to perform content security scans enabled by the license youpurchased, which can include anti−virus, anti−spam, anti−phishing, and content filtering. It is alsoconfigured to get periodic updates from the Trend Micro update server.

If included in the license you purchased, you can create custom settings for URL blocking and URLfiltering, as well as e−mail and FTP parameters. See the Cisco Content Security and Control SSMAdministrator Guide for more information.

How to Configure ASA to Divert Traffic to CSC−SSM

In order to force the ASA to divert the traffic to the CSC−SSM, you need to use Modular Policy Framework.Complete these steps in order to accomplish the identification and diversion of the traffic to CSC−SSM:

Create an access list that matches the traffic you want scanned by the CSC−SSM, in order to divertthe traffic to CSC−SSM, with the access−list extended command:

hostname(config)#access−list acl−name extended {deny | permit} protocol src_ip mask dest_ip mask operator port

1.

Create a class map in order to identify the traffic that should be diverted to the CSC−SSM with theclass−map command:

hostname(config)#class−map class_map_name

2.

Once in class map configuration mode, use the match access−list command in order to identify thetraffic with the use of the access−list previously specified:

3.

hostname(config−cmap)#match access−list acl−name

hostname(config−cmap)#exit

Create a policy map in order to send traffic to the CSC−SSM with the policy−map command:

hostname(config)#policy−map policy_map_name

4.

Once in the policy map configuration mode, use the class command in order to specify the class map,previously created, that identifies the traffic to be scanned:

hostname(config−pmap)#class class_map_name

5.

Once in policy map class configuration mode, you can configure these:

If you want to enforce a per−client limit for simultaneous connections that the adaptivesecurity appliance diverts to the CSC−SSM, use the set connection command, as follows:

hostname(config−pmap−c)#set connection per−client−max n

where n is the maximum simultaneous connections the adaptive security appliance allows foreach client. This command prevents a single client from abusing the services of theCSC−SSM or any server protected by the SSM, which includes the prevention of attempts atDoS attacks on HTTP, FTP, POP3, or SMTP servers that the CSC−SSM protects.

♦

Use the csc command in order to control how the ASA handles traffic when the CSC−SSM isunavailable:

hostname(config−pmap−c)#csc {fail−close | fail−open}

where fail−close specifies that the ASA should block traffic if the CSC−SSM fails and incontrast, fail−open specifies that the ASA should allow traffic if the CSC−SSM fails.

Note: This applies to the traffic selected by the class map only. Other traffic not sent to theCSC−SSM is not affected by a CSC−SSM failure.

♦

6.

Lastly, apply the policy map globally or to a specific interface with the service−policy command:

hostname(config−pmap−c)#service−policy policy_map_name [global | interface interface_ID]

where interface_ID is the name assigned to the interface with the nameif command.

Note: Only one global policy is allowed. You can override the global policy on an interface with theapplication of a service policy to that interface. You can only apply one policy map to each interface.

7.

Network Diagram

This diagram is an example of an ASA 5500 configured for these parameters:

The summary of the network diagram illustrates these:

HTTP connection to the outside networks• FTP connection from clients inside the security appliance to the servers outside the security appliance• POP3 clients from the clients inside the security appliance to the servers outside the securityappliance.

•

Incoming SMTP connections designated to the inside mail server•

ASA Configuration

ASA5520

ciscoasa(config)#show running−config: Saved:ASA Version 8.0(2) !hostname ciscoasadomain−name Security.lab.comenable password 2kxsYuz/BehvglCF encryptedno namesdns−guard!interface GigabitEthernet0/0 speed 100 duplex full nameif outside security−level 0 ip address 172.30.21.222 255.255.255.0 !interface GigabitEthernet0/1 description INSIDE nameif inside security−level 100 ip address 192.168.5.1 255.255.255.0 !

!−−− Output suppressed

access−list csc−acl remark Exclude CSC module traffic from being scannedaccess−list csc−acl deny ip host 10.89.130.241 any

!−−− In order to improve the performance of the ASA and CSC Module.!−−− Any traffic from CSC Module is excluded from the scanning.

access−list csc−acl remark Scan Web & Mail traffic

access−list csc−acl permit tcp any any eq wwwaccess−list csc−acl permit tcp any any eq smtpaccess−list csc−acl permit tcp any any eq pop3

!

!−−− All Inbound and Outbound traffic for WEB, Mail services is scanning.

access−list csc−acl−ftp permit tcp any any eq ftp

!−−− All Inbound and Outbound traffic for FTP service is scanning.

class−map csc−class match access−list csc−acl !

class−map csc−ftp−class match access−list csc−acl−ftp! policy−map global_policyclass csc−classcsc fail−open

class csc−ftp−classcsc fail−openpolicy−map global_policy class inspection_default

!−−− Inspect FTP traffic for scanning.

inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp inspect http service−policy global_policy global

!−−− Output suppressed

CSC Home Page

CSC Setup

Trend Micro InterScan for Cisco CSC−SSM provides protection for major traffic protocols, such as SMTP,HTTP, and FTP, as well as POP3 traffic, in order to ensure that employees do not accidentally introduceviruses from their personal e−mail accounts.

Choose Configuration > Trend Micro Content Security in order to open the CSC−SSM. From the

Configuration menu, choose from these configuration options:

CSC Setup�Launches the Setup Wizard to install and configure the CSC−SSM• Web�Configures Web scanning, file blocking, URL filtering, and URL blocking• Mail�Configures scanning, content filtering, and spam prevention for incoming and outgoing SMTPand POP3 e−mail

•

File Transfer�Configures file scanning and blocking• Updates�Schedules updates for content security scanning components, for example, virus patternfile, scan engine, and so forth

•

The Web, Mail, File Transfer, and Updates options are described in more detail in these chapters:

Mail�Configuring SMTP and POP3 Mail Traffic• Web and File Transfer�Configuring Web (HTTP) and File Transfer (FTP) Traffic• Updates�Managing Updates and Log Queries•

This example shows how to configure a CSC−SSM to scan the incoming SMTP message to the internalnetwork network.

The incoming SMTP messages are diverted to the CSC−SSM for scanning. In this example, all the trafficfrom outside to access the inside mail server (192.168.5.2/24) for SMTP services are diverted to theCSC−SSM.

access−list csc_inbound extended permit tcp any host 192.168.5.2 eq smtp

These default settings give you some protection for your e−mail traffic after you install Trend MicroInterScan for Cisco CSC−SSM.

SMTP Configuration

Trend Micro SMTP Configuration

Complete these steps in order to configure the CSC−SSM to scan the incoming SMTP message using ASDM:

Choose Configuration > Trend Micro Content Security > Mail in ASDM and click ConfigureIncoming Scan in order to display the SMTP Incoming Message Scan/Target window.

1.

The window takes you to the Trend Micro InterScan for Cisco CSC−SSM Login prompt. Enter theCSC−SSM Password.

2.

The SMTP Incoming Message Scan window has these three views:

Target♦ Action♦ Notification♦

You can switch among views if you click the appropriate tab for the information you want. The activetab name appears in brown text; inactive tab names appear in black text. Use all three tabs in order toconfigure virus scanning of incoming SMTP traffic.

Click Target in order to allow you to define the scope of activity upon which is acted.

The SMTP Incoming message scan is enabled by default.

3.

In the Default Scanning section, All scannable files is selected by default. It scans regardless of thefile name extensions.

4.

Configure the SMTP compressed file handling for incoming mail.5.

Configure to skip scanning of compressed files when one of these is true:

Decompressed file count is greater than 200.♦ Decompressed file size exceeds 20 MB.♦ Number of compression layers exceeds three.♦ Decompressed or compressed file size ratio is greater than 100 to 1.♦ Compressed files exceed specified scanning criteria.♦

Modify the default parameters of the Decompressed file count as 300 and Decompressed file size as30 MB.

In the Scan for Spyware/Grayware section of these windows, which was shown in step 5, choosethe types of grayware you want detected by Trend Micro InterScan for Cisco CSC−SSM. See theonline help for a description of each type of grayware listed.

6.

Click Save in order to enable the new configurationClick the Action tab, which allows you to define the action to be taken when a threat is detected.Examples of actions are clean or delete.

These values are default action taken for the incoming mails.

For Messages with Virus/Malware Detection section�Clean the message or attachment inwhich the malware was detected, and if the message or attachment is uncleanable, delete it.

♦

For Spyware/Grayware Detections�These are the files to be delivered if the SMTPmessages in which spyware or grayware is detected.

Click Save in order to enable the new configuration

♦

7.

Click Notification tab, which allows you to compose a notification message, as well as define who isnotified of the event and the action.

8.

If you are satisfied with the default notification setup, no further action is required. But, you canreview the notification options and decide whether you want to change the defaults. For example, youcan send a notification to the administrator when a security risk has been detected in an e−mailmessage. For SMTP, you can also notify the sender or recipient.

Check the Administrator and Recipient boxes for email notification. You can also tailor the defaulttext in the notification message to something more appropriate for your organization such as in thisscreen shot.

In the Inline Notifications section of the window, choose one of the listed options, neither, or both.9.

In our example, choose Risk free message and type your own message in the field provided.

Click Save in order to enable the new configuration.

HTTP Configuration

Scanning

After installation, by default your HTTP and FTP traffic is scanned for viruses, worms, and Trojans. Malwaresuch as spyware and other grayware require a configuration change before they are detected.

These default settings give you some protection for your Web and FTP traffic after you install Trend Micro

InterScan for Cisco CSC−SSM. You can change these settings. For example, you can prefer to use the Scanby specified file extensions option rather than All Scannable Files for malware detection. Before you makechanges, review the online help for more information about these selections.

After installation, it is possible that you want to update additional configuration settings in order to obtain themaximum protection for your Web and FTP traffic. If you purchased the Plus License, which entitles you toreceive URL blocking, anti−phishing, and URL filtering functionality, you must configure these additionalfeatures.

Complete these steps in order to configure the CSC−SSM to scan the HTTP message with ASDM:

Click the Web (HTTP) in the Trend Micro page, and this Web Message Scan window has four views:

Target♦ Webmail Scanning♦ Action♦ Notification♦

Click the appropriate tab for the information you want in order to switch among views. The active tabname appears in brown text; inactive tab names appear in black text. Use all tabs in order to configurevirus scanning of Web traffic.

Click the Target in order to allow you to define the scope of activity upon which is to be acted.

The HTTP message scan is enabled by default.♦ Enabled with the use of All Scannable Files as the scanning method.♦ Web (HTTP) compressed file handling for downloading from the Web�Configured to skipscanning of compressed files when one of these is true:

Decompressed file count is greater than 200.◊ Decompressed file size exceeds 30 MB.◊ Number of compression layers exceeds three.◊ Decompressed or compressed file size ratio is greater than 100 to 1.◊

♦

For Webmail scanning�Configured to scan Webmail sites for Yahoo, AOL, MSN, and Google.

1.

Large File handling2.

The Target tabs on the HTTP Scanning and FTP Scanning windows allow you to define the size ofthe largest download you want scanned. For example, you can specify that a download under 20 MBis scanned, but a download larger than 20 MB is not scanned.

In addition, you can:

Specify large downloads to be delivered without scanning, which can introduce a securityrisk.

♦

Specify that downloads greater than the specified limit are deleted.♦ By default, the CSC−SSM software specifies that files smaller than 50 MB are scanned. Modify as 75MB. Files that are 75 MB and larger are delivered without scanning to the requesting client.

Deferred Scanning

The deferred scanning feature is not enabled by default. When enabled, this feature allows you tobegin to download data without scanning the entire download. Deferred scanning allows you to beginto view the data without a prolonged wait while the entire body of information is scanned.

Note: If you do not enable the deferred scanning option, then you can face an unsuccessful updatethrough the CSC module.

Note: When deferred scanning is enabled, the unscanned portion of information can introduce asecurity risk.

Note: Traffic that moves through HTTPS cannot be scanned for viruses and other threats by theCSC−SSM software.

If deferred scanning is not enabled, the entire content of the download must be scanned before it ispresented to you. But, some client software can time out because of the time required to collectsufficient network packets in order to compose complete files for scanning. This table summarizes theadvantages and disadvantages of each method.

MethodAdvantage Disadvantage

Deferredscanningenabled Prevents client

timeoutsMay introduce asecurity risk

Deferredscanningdisabled

Safer. The entire fileis scanned forsecurity risks beforebeing presented toyou.

May result in theclient timing outbefore the downloadis complete

Scan for Spyware and Grayware

Grayware is a category of software that can be legitimate, unwanted, or malicious. Unlike threats suchas viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it can violateyour privacy. Examples of grayware include spyware, adware, and remote access tools.

Spyware or grayware detection is not enabled by default. You must configure this feature in thesewindows in order to detect spyware and other forms of spyware and other grayware in your Web andfile transfer traffic:

Click Save in order to update your configuration.You can switch to the Scanning Webmail tab in order to scan Webmail sites for Yahoo, AOL, MSN,and Google.

3.

Note: If you elect to scan only Webmail, HTTP scanning is restricted to the sites specified on theWebmail Scanning tab of the Web (HTTP) > Scanning > HTTP Scanning window. Other HTTPtraffic is not scanned. Configured sites are scanned until you remove them when you click theTrashcan icon.

In the Name field, enter the exact web site name, a URL keyword, and a string in order to define theWebmail site.

Note: Attachments to messages that are managed on Webmail are scanned.

Click Save in order to update your configuration.You can switch to the Action tab for the configuration of the Virus/Malware Detection andSpyware/Grayware Detections.

Web (HTTP) downloads for files in which virus/malware is detected�Clean the downloadedfile or file in which the malware was detected. If uncleanable, delete the file.

♦

Web (HTTP) downloads and file transfers (FTP) for files in which spyware or grayware isdetected�Files are deleted.

♦

4.

Web (HTTP) downloads when malware is detected�An inline notification is inserted in the browser,which states that Trend Micro InterScan for CSC−SSM has scanned the file that you attempt totransfer, and has detected a security risk.

5.

File Blocking

In the left drop−down menu , click File Blocking.

This feature is enabled by default; however, you must specify the types of files you want blocked. Fileblocking helps you enforce your organization policies for Internet use and other computing resources duringwork time. For example, your company does not allow downloading of music, both because of legal issues aswell as employee productivity issues.

On the Target tab of the File Blocking window, check the Executable check box in order to block.exe.

•

You can specify additional file types by file name extension. Check the Block specified fileextensions check box in order to enable this feature.

•

Then, enter additional file types in the File extensions to block field, and click Add. In the example,.mpg files are blocked.

Click Save when you are finished in order to update the configuration.

•

Check the Administrator Notification box in order to send the default messages in the text box.

Click the Notification tab for the alert message.

URL Blocking

This section describes the URL blocking feature and includes these topics:

Blocking from the Via Local List Tab• Blocking from the Via Pattern File (PhishTrap) Tab•

Note: This feature requires the Plus License.

The URL blocking feature helps you prevent employees from accessing prohibited web sites. For example, itis possible that you want to block some sites because policies in your organization prohibit access to datingservices, online shopping services, or offensive sites.

You can also block sites that are known to perpetrate fraud, such as phishing. Phishing is a technique used bycriminals who send e−mail messages that appear to be from a legitimate organization, which request you toreveal private information such as bank account numbers. This image shows an example of an e−mailmessage used for phishing.

By default, URL blocking is enabled. But, only sites in the TrendMicro PhishTrap pattern file are blockeduntil you specify additional sites for blocking.

Blocking from the Via Local List Tab

Complete these steps in order to configure URL blocking from the Via Local List tab:

Choose Configuration > Trend Micro Content Security > Web in ASDM and click ConfigureURL Blocking in order to display the URL Blocking window.

1.

On the Via Local List tab of the URL Blocking window, type the URLs you want to block in theMatch field. You can specify the exact web site name, a URL keyword, and a string.

2.

Click Block after each entry in order to move the URL to the Block List. Click Do Not Block to addthe entry to Block List Exceptions in order to specify your entry as an exception. Entries remain asblocked or exceptions until you remove them.

Note: You can also import a block and exception list. The imported file must be in a specific format.See the online help for instructions.

3.

Blocking from the Via Pattern File (PhishTrap) Tab

Complete these steps in order to configure URL file blocking from the Via Pattern File (PhishTrap) Tab:

Choose Configuration > Trend Micro Content Security > Web in ASDM and click the ConfigureURL Blocking link in order to display the URL Blocking window.

1.

Then click the Via Pattern File (PhishTrap) tab.2. By default, the Trend Micro PhishTrap pattern file detects and blocks known phishing sites, spywaresites, virus accomplice sites that are sites associated with known exploits, and disease vectors, whichare web sites that exist only for malicious purposes. Use the Submit the Potential Phishing URL toTrendLabs fields in order to submit sites that you think should be added to the PhishTrap pattern file.TrendLabs evaluates the site and can add the site to this file if such action is warranted.

3.

Click the Notification tab in order to review the text of the default message that appears in thebrowser when an attempt is made to access a blocked site. The online help shows an example.Highlight and redefine it in order to customize the default message.

4.

Click Save when you are finished in order to update the configuration.5.

URL Filtering

There are two important section to be discussed here.

Filtering Settings• Filtering Rules

The URLs defined on the URL Blocking windows described previously are either always allowed oralways disallowed. The URL filtering feature, however, allows you to filter URLs in categories,which you can schedule to allow access during certain times, defined as leisure time, and disallowaccess during work time.

Note: This feature requires the Plus License.

These are the six URL filtering categories:

Company−prohibited♦ Not work related♦ Research topics♦ Business function♦ Customer defined♦ Others♦

•

By default, company−prohibited sites are blocked during both work and leisure times.

Filtering Settings

Complete these steps in order to configure the URL filtering feature:

Choose Configuration > Trend Micro Content Security > Web in ASDM and click ConfigureURL Filtering Settings in order to display the URL Filtering Settings window.

1.

On the URL Categories tab, review the subcategories listed and the default classifications assigned toeach category to see whether the assignments are appropriate for your organization. For example,Illegal Drugs is a subcategory of the Company−prohibited category. If your organization is a financialservices company, it is possible that you want to leave this category classified ascompany−prohibited. Check the Illegal Drugs check box in order to enable filtering for sites relatedto illegal drugs. But, if your organization is a law enforcement agency, you should reclassify theIllegal Drugs subcategory to the Business function category. See the online help for more informationabout reclassification.

2.

After you have reviewed and refined the subcategory classifications, check the associated subcategoryin order to enable all the subcategories for which you want filtering performed.

3.

If there are sites within some of the enabled subcategories that you do not want filtered, click theURL Filtering Exceptions tab.

4.

Type the URLs you want to exclude from filtering in the Match field. You can specify the exact website name, a URL keyword, and a string.

5.

Click Add after each entry in order to move the URL to the Do Not Filter the Following Sites list.Entries remain as exceptions until you remove them.

Note: You can also import an exception list. The imported file must be in a specific format. See theonline help for instructions.

6.

Click the Schedule tab in order to define the days of the week and hours of the day that should beconsidered work time. Time not designated as work time is automatically designated as leisure time.

7.

Click Save in order to update the URL filtering configuration.8. Click the Reclassify URL tab in order to submit suspect URLs to TrendLabs for evaluation.9.

Filtering Rules

After you have assigned the URL subcategories to the correct categories for your organization, definedexceptions (if any), and created the work and leisure time schedule, assign the filtering rules that determinewhen a category is filtering.

Complete these steps in order to assign the URL filtering rules:

Choose Configuration > Trend Micro Content Security > Web in ASDM and click the ConfigureURL Filtering Rules link in order to display the URL Filtering Rules window.

1.

For each of the six major categories, specify whether the URLs in that category are blocked, and if so,during work time, leisure time, or both. See the online help for more information.

2.

Click Save in order to update the configuration.

Note: For URL Filtering to work correctly, the CSC−SSM module must be able to send HTTPrequests to the Trend Micro service. If an HTTP proxy is required, choose Update > Proxy Settingsin order to configure the proxy setting. The URL Filtering component does not support the SOCKS4proxy.

3.

FTP Configuration

Trend Micro FTP Configuration

After installation, by default your FTP traffic is scanned for viruses, worms, and Trojans. Malware such asspyware and other grayware require a configuration change before they are detected.

File transfer (FTP) scanning of file transfers�Enabled using All Scannable Files as the scanning method.

Complete the steps given in the File Blocking page for HTTP Traffic.

Complete the steps given in the File Blocking page for HTTP Traffic.

Verify

Use this section in order to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Although,the OIT can be used to view an analysis of some show command outputs, these show commands currently arenot compatible with this tool.

show module�In order to check the status of an SSM, for example:

ciscoasa#show moduleMod Card Type Model Serial No. −−− −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−−−− −−−−−−−−−−− 0 ASA 5520 Adaptive Security Appliance ASA5520 JMX090000B7 1 ASA 5500 Series Security Services Module−20 ASA−SSM−20 JAF10333331

Mod MAC Address Range Hw Version Fw Version Sw Version −−− −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−− −−−−−−−−−−−− −−−−−−−−−−−−−−− 0 0014.c482.5151 to 0014.c482.5155 1.1 1.0(10)0 8.0(2) 1 000b.fcf8.012c to 000b.fcf8.012c 1.0 1.0(10)0 Trend Micro InterScan Security Module Version 6.0

Mod SSM Application Name Status SSM Application Version−−− −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−−−−−−−−−−−− 1 Trend Micro InterScan Security Up Version 6.0

Mod Status Data Plane Status Compatibility−−− −−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−− 0 Up Sys Not Applicable 1 Up Up

•

show module 1 details�Use the details keyword in order to view additional information for the SSM,for example:

ciscoasa#show module 1 detailsGetting details from the Service Module, please wait...ASA 5500 Series Security Services Module−20Model: ASA−SSM−20Hardware version: 1.0Serial Number: JAF10333331Firmware version: 1.0(10)0Software version: Trend Micro InterScan Security Module Version 6.0App. name: Trend Micro InterScan Security ModuleApp. version: Version 6.0

•

Data plane Status: UpStatus: UpHTTP Service: UpMail Service: UpFTP Service: UpActivated: YesMgmt IP addr: 172.30.21.235Mgmt web port: 8443

show module slot_num recover�Determines if there is a recovery configuration for the SSM. If arecovery configuration exists for the SSM, the ASA displays it. For example:

ciscoasa#show module 1 recoverModule 1 recover parameters. . .Boot Recovery Image: YesImage URL: tftp://10.21.18.1/ids−oldimgPort IP Address: 172.30.21.10Port Mask: 255.255.255.0Gateway IP Address: 172.30.21.254

•

Refer to Verifying Initial Setup for more information on how to verify that Trend Micro InterScan for CiscoCSC−SSM operates correctly.

Troubleshoot

This section provides information you can use to troubleshoot your configuration. Refer to TroubleshootingTrend Micro InterScan for Cisco CSC SSM for more information on how to troubleshoot more on CSC−SSM.

Internet Access

Problem

The CSC is unable to access the Internet through the ASA management interface or the CSC is unable to getupdates from the Trend server through the Internet. .

Solution

The management interface configures with the management−only command and makes it only accept trafficto or from the ASA, not through it. So remove the management−only command and the NAT statement formanagement−to−outside traffic then allows the Internet for CSC to update.

Spam Not Being Detected

Problem

The CSC is unable to detect the SPAM.

Solution

You have to enable the anti−spam option, which is not enabled by default. The Plus License must be installed,and the DNS settings must be correct for the network−based, anti−spam Email Reputation to functioncorrectly. Refer to Enabling SMTP and POP3 Spam Filtering for more information.

License violation errors

Problem

CSC module shows license violation errors and reports more hosts than what is in the network. The Licenseviolation has been detected on the InterScan for CSC SSM error is seen in the CSCmodule. How can this error be resolved?

Solution

Move all interfaces except the Outside−WAN (security level 0) to the higher security levels.

Performance Issue

Problem

The incoming SMTP traffic has become very slow. The inside mail server sometimes gets response from theserver that takes a couple of minutes or two to receive.

Solution

You possibly run into slow traffic due to out−of−order packets. Try this example, which can resolve theissue.

!−−− Creates a new tcp map and allows for 100 out of order packets

tcp−map localmap queue−limit 100

!−−− This is the class that defines traffic to sent to the csc−module. The name you use can be different.Sets the localmap parameters to flow matching the class map.

policy−map global_policy class csc−class set connection advanced−options localmap

Problem

HTTP scanning did not work and displayed this error:

Error: Failed to rate URL, rc=−723

Solution

This error message is generated when the CSC−SSM has trouble in contacting the Trend Micro Servers. Thiscan happen when there is latency in the network or if the CSC−SSM is too busy to handle connectionrequests. The maximum simultaneous connections on the CSC−SSM−10 is about 500. In this case for thespecified period, the number of connections have possibly surpassed the maximum limit. Refer to Table 2 inCisco ASA 5500 Series Content Security and Control Security Services Module for more information onconnection limits.

A possible workaround for this is to limit the simultaneous connections. Refer to Limit Connections Throughthe CSC SSM for more information.

Email Issue

Problem

The Disclaimer in the emails cannot be removed from the mails if needed and also the fonts cannot bechanged in the email disclaimer. Why does this happens?

Solution

It is not possible to remove the disclaimer from some of outgoing emails on CSC−SSM. Also, you cannotchange the font of the disclaimer since it is not supported on CSC−SSM.

Traffic Issue

Problem

You are unable to stop the traffic from being sent from ASA to CSC−SSM. How can this be resolved?

Solution

In order to stop traffic from being sent to ASA from CSC−SSM, the Administrator must remove the servicepolicy from the interface with the no service−policy command:

hostname(config−pmap−c)#no service−policy policy_map_name [global | interface interface_ID]

Grayware Pattern Update Issue

Problem

This error message is logged on CSC module.

GraywarePattern : Pattern Update: Unable to get the pattern information.Pattern Update: The download file was unsuccessful for ActiveUpdate wasunable to unzip the downloaded patch packages. The zip file may becorrupted. This can happen due to an unstable network connection. Pleasetry downloading the file again.. The error code is 24.

AntiVirusPattern : Pattern Update: The download file was unsuccessful forActiveUpdate was unable to unzip the downloaded patch packages. The zipfile may be corrupted. This can happen due to an unstable networkconnection. Please try downloading the file again.. The error code is 24.

How can this error message be resolved?

Solution

This issue is related to Cisco bug ID CSCtc37947 (registered customers only) and Cisco bug ID CSCsk10777(registered customers only) . Reseat the CSC−SSM or upgrade the code to 6.2.x in order to resolve this issue.Also the removal of the temporary files created for auto update on the CSC root account can resolve the issue.Restart the services after you reseat CSC−SSM or upgrade the code.

HTTPS Traffic Issue

Problem

You are unable to block the HTTPS traffic through CSC−SSM. How can the HTTPS traffic be blocked?

Solution

The CSC−SSM cannot block the HTTPS traffic because it cannot deep inspect the packet due to the SSLencryption on it.

Unable to bypass traffic from CSC Inspection

Traffic can be bypassed from CSC Inspection if you add deny statements for the network ranges in question tothe ACL used for matching traffic to pass to the module.

Unable to log all the HTTP traffic that passes through CSC−SSM

CSC cannot log all of the traffic but only displays information of block/filtered attempts.

Error while upgrading CSC

The [ERR−PAT−0002] The update system cannot decompress the update file,and cannot continue. This message is for diagnostic purposes only.Customers − please contact Technical Support error message appears when you upgradeCSC. This error message is seen when .bin file is used instead of .pkg file. The issue does not occur when.pkg file is used.

Error while CSC automatically updating signatures

Problem:

When the CSC does the automatic update, it got this message.

Anti−spam pattern 17462 was successfully downloaded and installed. Unableto copy file. You must manually copy file/opt/trend/isvw/temp/AU/piranhacache/* to path/opt/trend/isvw/lib/mail/cache.

Solution:

This is an issue known bug with CSC Trendmicro code. A bug has been filed for this and for complete details.Refer to Cisco bug ID CSCtc37947 (registered customers only) . Upgrade the CSC to 6.3.1172(2) or later inorder to get rid of the problem.

CSC module fails to show syslogs

Problem:

After upgrading to 6.3.1172.4, the LogServer service on the CSC module might fail and the administratorreceives this email notification: LogServer has recently stopped on InterScan for CSCSSM. Please contact Customer Support for assistance.

Solution:

There are two options as a workaround:

Install the engineering build fix.

Contact Cisco TAC (registered customers only) for information on how to install this build.

1.

Re−image the device to an older version.

Refer to Re−imaging the CSC−SSM for complete information about this process.

2.

Refer to Cisco bug ID CSCtl21378 (registered customers only) for more information.

CSC Log server runs into infinite loop and stops abruptly

Problem:

CSC module's Log server runs into one infinite loop and stops abruptly.

Solution:

This issue is due to the Cisco bug ID CSCtl21378. Refer to CSCtl21378 (registered customers only) for moreinformation.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OITin order to view an analysis of show command output.

Refer to Troubleshooting Trend Micro InterScan for Cisco CSC−SSM for more information on how totroubleshoot various issues of the CSC−SSM.

Note: Refer to Important Information on Debug Commands before you use debug commands.

debug module−boot�Shows debug messages about the SSM booting process.• hw−module module 1 shutdown�Shutdown the SSM• hw−module module 1 reset�Reset the SSM•

Note: The %ASA−3−421001: TCP flow from inside:172.22.50.112/1718 tooutside:XX.XX.XX.XX/80 is skipped because Content Security and Controlcard has failed message is a log message that appears when the CSC module become totallyunresponsive.

Note: Use this command in order to reset the module.

ASA#hw−module module 1 reset

The module in slot 1 should be shut down before resetting it or loss of configuration may occur.Reset module in slot 1? [confirm]

(Confirm it at this point by 'return'.)

Refer to the command reference guide for more information about this command.

Related Information

Cisco ASA 5500 Series Adaptive Security Appliances − Product Support• Cisco Content Security and Control SSM Administrator Guide, 6.2• Cisco Content Security and Control SSM Administrator Guide• Cisco Adaptive Security Device Manager − Product Support• Technical Support & Documentation − Cisco Systems•

Contacts & Feedback | Help | Site Map© 2010 − 2011 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks ofCisco Systems, Inc.

Updated: Oct 18, 2007 Document ID: 99141