Saturday, November 21, 2015

Configuring and Generating IME Reports

You can customize your report by configuring the number of items you want to have in your report and what the time interval should be. You can also use Domain Name System (DNS) to resolve the IP addresses and use filters to further refine the type of information you want the report to contain.

To configure and generate a sample report, follow these steps:

Step 1: In the Report tree, click New, and then in the New Report dialog box, enter the name of the new report, choose the type of report from the drop-down list, and then click OK. The new report will show up under My Reports in the Report tree.


Step 2: Select your report, and on the General tab, configure the settings for your report:

* In the Report Description field, enter a description for this report.

* In the Top field, enter how many top events you want to see in this report.

* Select the Resolve Addresses Using DNS check box, if you want to use the DNS address resolution.

* Configure the time interval for this report. Either enter the duration or a custom time.


Step 3: On the Filter tab, from the Filter Name drop-down menu, choose the filter name. Or, to add a filter, click the Note icon.



Step 4: Click Generate Report. Your report shows up in the bottom half of the Report Settings pane, displaying the statistics in graph and table form.

Step 5: To customize the display, choose Bar or Pie Chart in the Display Type drop-down menu.

Step 6: Click Print to print the report, or click Save to save the report in PDF or RTF format.

Step 7: To see events for a single IP address, choose the IP address from the Events for drop-down list.


Saturday, November 14, 2015

Customizing Cisco IME Dashboards

The dashboards contain various gadgets that provide information on sensors, including sensor health, sensor status, security alerts, and event statistics.

The Dashboard view features two default dashboards:

* Health Dashboard: Contains gadgets with information about selected sensor health, status, licenses, and utilization.

* Events Dashboard: Contains gadgets with graphs and statistics about attackers, victims, and signatures.



You can add and customize your own dashboard and add gadgets based on the items you would like to track within the sensor.

To add a dashboard, choose Home > Dashboards and click Add Dashboards. A blank untitled dashboard appears and is named CCNP Security in this example.


Based on your security standards and requirements, you can customize the metrics that are used to determine the health of the IPS in the Sensor Health pane. This can be done by choosing Configuration Sensor Name > Sensor Management > Sensor Health.


A metric must be selected, or it will not show up in the health status results. You can accept the default configuration or edit the values.

The IPS produces a health and security event when the overall health status of the IPS changes.


Adding Gadgets

With the CCNP Security dashboard successfully added, the next step is to add gadgets to the dashboard. To know which gadgets are available and which to choose, navigate to Home > Dashboards and click Add Gadgets. Double-click a gadget icon or drag and drop a gadget to add it to the dashboard. After the gadgets are added, click Add Gadgets again to hide them.


Cisco IME provides 14 built-in gadgets:

* Sensor Information: Displays the most important sensor information, such as device type, IPS version, analysis engine status, host name, and IP address.

* Sensor Health: Displays two meters: the Sensor Health meter and the Network Security Health meter. They indicate the overall system health and overall network security health, respectively. The meters have three color scales - green, yellow, and red - to depict Normal, Needs Attention, and Critical.

* Licensing: Displays the license status and signature and engine versions of the sensor.

* Interface Status: Displays the status of the interfaces: whether they are enabled, whether they are up or down, their mode, and the packets transmitted and received.

* Global Correlation Reports: Displays the alerts and denied packets resulting from reputation data and traditional detection techniques.

* Global Correlation Health: Displays the status of global correlation and the network participation status, counters, and connection history.

* Network Security: Displays graphs of the event count and the average threat rating and risk rating values, including the maximum threat rating and risk rating values over a configured time period. The sensor aggregates these values and puts them in one of three categories: green, yellow, or red.

* Top Applications: Displays the top ten services ports that the sensor has observed over the past 10 seconds.

* CPU, Memory and Load: Displays the current sensor CPU, memory, and disk usage. If the sensor has multiple CPUs, multiple meters are presented.

* RSS Feed: A generic RSS feed gadget. By default, the data is fed from Cisco security advisories. You can customize and add more RSS feeds.

* Top Attackers: Displays the top attacker IP addresses that occurred in the last configured time interval. You can configure the number of top attacker IP addresses to 10, 20, or 30. You can configure the time interval to cover the last hour, last 8 hours, or last 24 hours. You can also filter this information.

* Top Victims: Displays the top victim IP addresses that occurred in the last configured time interval.

* Top Signatures: Displays the top signatures that occurred in the last configured time interval. You can also filter this information.

* Attacks Over Time: Displays the attack counts in the last configured interval. Each data point in the graph is the total alert count that IME received during that minute. You can configure the time interval to cover the last hour, last 8 hours, or last 24 hours. You can also filter this information.

Saturday, November 7, 2015

Configuring Remote IPS Blocking Using ACLs on a Router

The Cisco IPS uses the blocking feature to prevent packets from reaching their destination by using another Cisco device as the initiator at the request of the sensor. The blocking device must be reachable and accessible by the sensor for management purposes.

The sensor must be able to communicate with the blocking device and should have Telnet or Secure Shell (SSH) access configured. The sensor will connect to the blocking device through either of these protocols.


Using ACLs on a Router

On a blocking device, you can have only one active access control list (ACL) for each interface and direction combination. To accommodate other ACL entries apart from the ones that are generated by the sensor, you should configure the additional ACL in the form of pre-block and post-block ACLs. These ACLs allow an administrator to include access rules that must be processed before and after the blocking rules are added by the sensor:

* Pre-block ACLs: These are used for permitting what you do not want the sensor to block and thus override the deny lines resulting from blocks. For example, when a packet is checked against an ACL, the first line that is matched determines the action. Therefore, if the first line matched is a permit line from the pre-block ACL, the packet is permitted, even though there could be a deny line from an automatic block that is listed later in the ACL.

* Post-block ACLs: These are used for additional blocking or permitting of traffic on an interface when there is an existing ACL that must be there after the block action. The sensor creates an ACL with the following entries and applies it to the specified interface and direction as required:

* A permit line for the sensor IP address if it is currently blocked

* A copy of all the configuration lines in the pre-block ACL

* A deny line for each address being blocked by the sensor

* A copy of all the configuration lines of the post-block ACL
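The following added example (not Cisco code) models how the sensor assembles that ACL and evaluates it with IOS first-match semantics, showing why a pre-block permit wins over an automatic deny listed later; the sensor address, ACL lines and blocked hosts are constructed sample data.

```python
import ipaddress


def build_sensor_acl(sensor_ip, pre_block, blocked, post_block):
    """Compose the ACL the sensor applies, in the order described above:
    a permit for the sensor itself (only if the sensor is in the block
    list), a copy of the pre-block ACL, one deny per blocked address, and
    a copy of the post-block ACL. Entries use IOS extended-ACL wording."""
    acl = []
    if sensor_ip in blocked:
        acl.append(f"permit ip host {sensor_ip} any")
    acl.extend(pre_block)
    acl.extend(f"deny ip host {addr} any" for addr in blocked)
    acl.extend(post_block)
    return acl


def _source_matches(entry, src):
    """Match the source field of a '<permit|deny> ip <src> any' entry.
    Supports 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD' source forms."""
    spec = entry.split()[2:]
    if spec[0] == "any":
        return True
    addr = int(ipaddress.IPv4Address(src))
    if spec[0] == "host":
        return addr == int(ipaddress.IPv4Address(spec[1]))
    net = int(ipaddress.IPv4Address(spec[0]))
    wildcard = int(ipaddress.IPv4Address(spec[1]))  # set bits are "don't care"
    return (addr | wildcard) == (net | wildcard)


def first_match(acl, src):
    """IOS semantics: evaluate top-down, the first matching line decides,
    and an implicit deny follows the last line."""
    for entry in acl:
        if _source_matches(entry, src):
            return entry.split()[0]
    return "deny"


# Constructed sample: the sensor at 10.0.0.50 manages the router, the
# pre-block ACL protects a critical server (192.0.2.10), the sensor has
# issued blocks for that server (a false positive) and for 198.51.100.7,
# and the post-block ACL restores the interface's normal permit-all.
SENSOR_IP = "10.0.0.50"
PRE_BLOCK = ["permit ip host 192.0.2.10 any"]
BLOCKED = ["192.0.2.10", "198.51.100.7"]
POST_BLOCK = ["permit ip any any"]


def demo():
    """Decisions for three sources against the composed ACL."""
    acl = build_sensor_acl(SENSOR_IP, PRE_BLOCK, BLOCKED, POST_BLOCK)
    return {src: first_match(acl, src)
            for src in ("192.0.2.10", "198.51.100.7", "203.0.113.9")}


if __name__ == "__main__":
    for line in build_sensor_acl(SENSOR_IP, PRE_BLOCK, BLOCKED, POST_BLOCK):
        print(line)
    print(demo())
```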


Configuration Tasks

A number of steps need to be performed to complete the configuration process for blocking. They are grouped here into tasks to make them easy to follow:

Task 1: Add the blocking device to the sensor known host list. This involves importing an authentic copy of the public key of the blocking device to later reliably authenticate it in SSH connections. This is only required if you use SSH to communicate with the blocking devices, and it is optional.

Task 2: Configure the sensor global blocking properties. This involves enabling blocking and defining blocking parameters, such as the maximum number of blocking entries, IP addresses to be blocked, and IP addresses that cannot be blocked.

Task 3: Create blocking device login profiles. This task involves defining the username, password, and enable password for communication between the sensor and the blocking device for blocking.

Task 4: Define the blocking device properties. This task involves defining the properties of the blocking device, such as device type, IP address, login profile, and communication method.

Task 5: Configure properties of managed interfaces. This involves selecting the blocking interfaces or VLAN, specifying the direction in which to apply the ACL, and defining pre-block and post-block ACLs. This task is optional and is not required for Cisco ASA devices.

Task 6: Assign a block action to a signature. This task involves configuring a signature action to request blocking from an external device.

For Task 1, if you select SSH-DES or 3DES as the secure communication method, the sensor uses SSH password authentication to log in to the managed device. To configure the sensor to communicate with a blocking device using SSH, you must manually retrieve the SSH public key of the blocking device to the sensor. Follow these steps to add the blocking device to the sensor known host list:

Step 1: Navigate to Configuration > Sensor Management > SSH > Known Host Keys.

Step 2: Click Add. The Add Known Host Key window opens.


Step 3: Enter the IP address of the managed (blocking) device, and click Retrieve Host Key.

Step 4: The sensor will retrieve the host key of the device. Verify the authenticity of this key by comparing it with a known authentic copy, and click OK to confirm that it is authentic.

Follow these steps to configure the sensor blocking properties:

Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Properties to display the Blocking Properties panel.


Step 2: Verify that the Enable Blocking check box is selected. Blocking is enabled by default, so it should be selected.

Step 3: There is an Allow Sensor IP Address to Be Blocked check box as well, which should remain deselected. Selecting this box can allow the sensor to block itself and lose the ability to communicate with the devices it is managing.

Step 4: There is a Maximum Block Entries field that accepts values from 1 to 65,535. The default is 250 and is the recommended number of entries to be blocked. After the sensor reaches its maximum, newer blocks will not occur.

Step 5: Click the Add button to add a host or network to the list of addresses never to be blocked, which will appear under the Never Block Addresses section.

Step 6: Enter the IP address of the host or network in the IP Address field.

Step 7: Choose the network mask that corresponds to the IP address from the Mask drop-down menu.

Step 8: Click OK. The new host or network appears in the Never Block Addresses list on the Blocking Properties panel.

Step 9: Click Apply to apply your changes and save the updated configuration.

In Task 3, you will specify the username and password that the sensor will use when logging in to the blocking devices. These are created under a login profile, and one login profile can be used for multiple devices. One example is creating a login profile for routers that share the same username and password.

Follow these steps to create a device login profile:

Step 1: Navigate to Configuration > Sensor Management > Blocking > Device Login Profiles. This displays the Device Login Profiles window.

Step 2: Click Add to add a profile, and the Add Device Login Profile window opens.


Step 3: Enter a name for your profile in the Profile Name field.

Step 4: Enter the username that will be used to log in to the blocking device in the Username field.

This step is optional if a username is not required by the blocking device.

Step 5: Enter the password that is used to log in to the blocking device in the New Password field. Enter the same password in the Confirm New Password field.

Step 6: Enter the enable password that is used on the blocking device under the Enable Password section in the New Password field. This is optional if an enable password is not used. If this is entered, it will have to be confirmed by entering the same password in the Confirm New Password field.

Step 7: Click OK and the new device login profile appears in the list in the Device Login Profiles window.

Step 8: Click Apply to apply your changes and save the revised configuration.

In Task 4, you will define the properties of the blocking device by following these steps:

Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Devices to display the Blocking Devices panel.

Step 2: Click Add and the Add Blocking Device window opens. You might receive an error message if you have not configured the device login profile.


Step 3: Enter the IP address of the blocking device in the IP Address field.

Step 4: Enter the sensor's Network Address Translation (NAT) address in the Sensor's NAT Address field. This is an optional field and should only be used if there is a NAT device between the management interface of the sensor and the management interface of the blocking device.

Step 5: Choose the device login profile from the Device Login Profile drop-down list. The login profile was created in Task 3 and is a prerequisite to this step.

Step 6: Choose the device type from the Device Type drop-down list. The options in the list are Cisco Router, PIX/ASA, and Cat 6K.

Step 7: Observe the Block and Rate Limit check boxes in the Response Capabilities section. The Block check box is selected, as the response action by the blocking device is to block.

Step 8: From the Communication drop-down list, choose the connection method that will be used for management access. It is recommended that you use the SSH 3DES method.

Step 9: Click OK.

Step 10: Click Apply to apply your changes and save the updated configuration.

In Task 5, you will configure the properties of the managed interface by following these steps:

Step 1: Navigate to Configuration > Blocking > Router Blocking Device Interfaces. Because a router was selected in Task 3, it only follows that the interfaces will be router interfaces. If the blocking device is not created in Task 3, an error message will be produced when attempting the next step.

Step 2: Click Add and the Add Router Blocking Device Interface window opens.


Step 3: Choose the IP address of the blocking device from the Router Blocking Device drop-down list.

Step 4: Type in the blocking interface name in the Blocking Interface field.

Step 5: Select the direction in which you want to apply the blocking ACL, which can be in or out.

Step 6: Enter the name of the pre-block ACL in the Pre-Block ACL field. This is optional.

Step 7: Enter the name of the post-block ACL in the Post-Block ACL field. This is also an optional field.

Step 8: Click OK and the new interface appears in the Router Blocking Device interface list. If the exact same information already exists, you will receive an error message.

Step 9: Click Apply to apply your changes and save the revised configuration.

Task 6 is the last set of steps when configuring remote blocking. The key here is selecting a signature and modifying it so that the alert response is to block the malicious host. Follow these steps to modify the signature so that a block is performed when it is triggered:

Step 1: Navigate to Configuration > Policies > Signature Definition > sig0 to reveal the Signature window.

Step 2: From the Sig0 window, select a signature or a group of signatures and click Edit Actions. The Edit Action window opens.


Step 3: Select the Request Block Host, Request Rate Limit, or Request Block Connection action from the Other Actions section.

Step 4: Click OK.

Step 5: Click Apply to apply your changes and save the revised configuration.

Sunday, November 1, 2015

Configuring Websense URL Filtering and Botnet feature in Cisco ASA

I was asked to migrate a customer that's using Websense URL filtering and the Botnet feature to an ASA context. I installed a Botnet license (1-year license) on our ASA firewalls, and I'm glad to know this feature works. I believe Cisco is now moving towards a new approach with Advanced Malware Protection (AMP) on their next-gen ASA firewalls (5500-X series) and next-gen IPS (FirePower).


Botnet config:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        168 days
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH18087ABC
Running Permanent Activation Key: 0xc22ecd45 0x78ac555a 0xa9637128 0xfe9838f8 0x0e15edef
Running Timebased Activation Key: 0x9c1876cf 0x49ca6c5e 0xc949bb03 0xdbf386df 0x847c2123
Configuration register is 0x1

ciscoasa/CUST(config)# dynamic-filter ?

configure mode commands/options:
  ambiguous-is-black  Handle (ambiguous) greylist matched traffic as blacklist
                      for Dynamic Filter drop
  blacklist           Configure Dynamic Filter blacklist
  drop                Enable traffic drop based on Dynamic Filter traffic
                      classification
  enable              Enable Dynamic Filter classification
  use-database        Use Dynamic Filter data downloaded from updater-server
  whitelist           Configure Dynamic Filter whitelist

exec mode commands/options:
  database  Dynamic Filter data commands
ciscoasa/CUST(config)# dynamic-filter use-database ?

configure mode commands/options:
  <cr>
ciscoasa/CUST(config)# dynamic-filter use-database

ciscoasa/CUST(config)# access-list DYNAMIC-FILTER-ACL extended permit ip any any

ciscoasa/CUST(config)# dynamic-filter enable ?    

configure mode commands/options:
  classify-list  Set the access-list for classification
  interface      Enable classification on an interface
  <cr>
ciscoasa/CUST(config)# dynamic-filter enable interface ?

configure mode commands/options:
Current available interface(s):
  inside    Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter enable interface outside ?

configure mode commands/options:
  classify-list  Set the access-list for classification
  <cr>
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list ?                       

configure mode commands/options:
  WORD  Specify the name of an access-list
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list DYNAMIC-FILTER-ACL
ciscoasa/CUST(config)# dynamic-filter drop ?

configure mode commands/options:
  blacklist  Drop traffic matching blacklist
ciscoasa/CUST(config)# dynamic-filter drop blacklist ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  interface             Enable drop on an interface
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface ?

configure mode commands/options:
Current available interface(s):
  inside    Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa/CUST(config)# $st interface outside threat-level ?                

configure mode commands/options:
  eq     Threat-level equal to operator
  range  Threat-level range operator
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range range high very-high     

ciscoasa/CUST(config)# dynamic-filter whitelist
ciscoasa/CUST(config-llist)# ?

Dynamic Filter list configuration
  address  Add IP address to local list
  name     Add domain name to local list
  no       Negate a command
ciscoasa/CUST(config-llist)# address ?

dynamic-filter-list mode commands/options:
  Hostname or A.B.C.D  Add IP address or network to local list
ciscoasa/CUST(config-llist)# address 208.67.220.220 ?

dynamic-filter-list mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ciscoasa/CUST(config-llist)# address 208.67.220.220 255.255.255.255   // OPEN DNS IP

class-map DYNAMIC-FILTER-DNS-CMAP
 match port udp eq domain

policy-map DYNAMIC-FILTER-DNS-PMAP
 class DYNAMIC-FILTER-DNS-CMAP
  inspect dns dynamic-filter-snoop

ciscoasa/CUST(config)# service-policy ?

configure mode commands/options:
Available policy-maps:
  global_policy
  DYNAMIC-FILTER-DNS-PMAP
service-policy DYNAMIC-FILTER-DNS-PMAP interface outside


Here are some useful show commands to verify the Botnet feature:

ciscoasa/CUST# show dynamic-filter data      
Dynamic Filter is using downloaded database version '1446144909'   // UPDATE FROM CISCO SIO
Fetched at 15:17:36 UTC Oct 29 2015, size: 2097145
Sample contents from downloaded database:
  loubouscoc.narod.ru  alkhair.org  mfqr.cn.com  azpros.com
  tubez11.cu.cc  72.66.16.146  monitor4eg.ru  wildroute.biz
Sample meta data from downloaded database:
  threat-level: very-high,      category: Malware,
  description: "These are sources that use various exploits to deliver adware, spyware and other malware to victim computers.  Some of these are associated with rogue online vendors and distributors of dialers which deceptively call premium-rate phone numbers."
  threat-level: high,   category: Bot and Threat Networks,
  description: "These are rogue systems that control infected computers.  They are either systems hosted on threat networks or systems that are part of the botnet itself."
  threat-level: moderate,       category: Malware,
  description: "These are sources that deliver deceptive or malicious anti-spyware, anti-malware, registry cleaning, and system cleaning software."
  threat-level: low,    category: Ads,
  description: "These are advertising networks that deliver banner ads, interstitials, rich media ads, pop-ups, and pop-unders for websites, spyware and adware.  Some of these networks send ad-oriented HTML emails and email verification services."
Total entries in Dynamic Filter database:
  Dynamic data: 79504 domain names , 2942 IPv4 addresses
  Local data: 0 domain names , 2 IPv4 addresses
Active rules in Dynamic Filter asp table:
  Dynamic data: 0 domain names , 2942 IPv4 addresses
  Local data: 0 domain names , 2 IPv4 addresses

ciscoasa/CUST# show dynamic-filter reports infected-hosts all
Total 149 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
172.27.199.123 (inside)         13:52:06 UTC Oct 29 2015, dropped                14109  14109
Malware-sites connected to (not ordered)
Site                                            Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)                  80, 13:52:06 UTC Oct 29 2015, dropped             6      6   very-high  Malware
54.149.242.159 (neutral-sky.info)                80, 13:21:05 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.23.40 (neutral-sky.info)                  80, 13:20:23 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.128.72 (neutral-sky.info)                 80, 13:21:26 UTC Oct 29 2015, dropped             6      6   very-high  Malware
52.25.206.149 (neutral-sky.info)                 80, 13:20:44 UTC Oct 29 2015, dropped             6      6   very-high  Malware
=======================================================================================================
172.27.181.179 (inside)         11:23:38 UTC Oct 29 2015, dropped                  229    229

Last clearing of the infected-hosts report: Never


ciscoasa/CUST# show dynamic-filter reports top infected-hosts
Infected Hosts (since last clear)
Host                                            Connections Logged
----------------------------------------------------------------------
172.27.199.121 (inside)                      49660
172.27.199.123 (inside)                      14109

Last clearing of the top infected-hosts report: Never


ciscoasa/CUST# show dynamic-filter reports top malware-ports
Malware Ports (since last clear)
Port                                            Connections Logged
----------------------------------------------------------------------
tcp 80                                           78693
tcp 443                                            273
udp >8192                                           37
udp 4682                                             1

Last clearing of the top ports report: Never


ciscoasa/CUST# show dynamic-filter reports top malware-sites
Malware Sites (since last clear)
Site                            Connections Logged Dropped Threat-level Category
---------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)            13649    13649    very-high  Malware
173.193.251.201 (x.rafomedia.com)          12643    12643    very-high  Malware
94.75.230.226 (a.adquantix.com)             9338     9338    very-high  Malware
94.75.230.225 (a.adquantix.com)             8519     8519    very-high  Malware
211.100.56.174 (analytics3.dopool.com)      3627     3627    very-high  Malware
104.28.9.72 (zigad.winnerical.org)           906      906    very-high  Malware
104.28.8.72 (zigad.winnerical.org)           906      906    very-high  Malware
52.74.115.82 (in1.apusapps.com)              831      831    very-high  Malware
54.255.128.61 (in1.apusapps.com)             828      828    very-high  Malware
212.113.89.75 (abs.proxistore.com)           636      636    very-high  Malware

Last clearing of the top sites report: Never
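As an added example (not from the original post or from Cisco), this parser turns the two "top" reports above into records a responder can act on: it orders infected inside hosts by logged connections and flags sites that were logged but never dropped, which is what a moderate or low entry looks like under the drop policy configured above (threat-level range high very-high). The sample output is constructed in the same layout, with documentation addresses and made-up names.

```python
import re

# Constructed sample output in the layout of the two show commands above;
# hosts, sites and counts are made up.
SAMPLE_INFECTED_HOSTS = """\
ciscoasa/CUST# show dynamic-filter reports top infected-hosts
Infected Hosts (since last clear)
Host                                            Connections Logged
----------------------------------------------------------------------
10.10.1.21 (inside)                      49660
10.10.1.23 (inside)                      14109

Last clearing of the top infected-hosts report: Never
"""

SAMPLE_MALWARE_SITES = """\
ciscoasa/CUST# show dynamic-filter reports top malware-sites
Malware Sites (since last clear)
Site                            Connections Logged Dropped Threat-level Category
---------------------------------------------------------------------------------
198.51.100.5 (cdn.example.invalid)          13649    13649    very-high  Malware
203.0.113.77 (ads.example.invalid)            636        0    moderate   Ads
192.0.2.9 (c2.example.invalid)                 44       44    high       Bot and Threat Networks

Last clearing of the top sites report: Never
"""

# "<ip> (<interface>)   <logged>"
HOST_RE = re.compile(r"^(\S+) \(([^)]+)\)\s+(\d+)\s*$")
# "<ip> (<name>)   <logged>  <dropped>  <threat-level>  <category...>"
SITE_RE = re.compile(r"^(\S+) \(([^)]+)\)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_top_infected_hosts(text):
    """Rows of 'show dynamic-filter reports top infected-hosts'."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"host": m.group(1), "interface": m.group(2),
                          "logged": int(m.group(3))})
    return hosts


def parse_top_malware_sites(text):
    """Rows of 'show dynamic-filter reports top malware-sites'."""
    sites = []
    for line in text.splitlines():
        m = SITE_RE.match(line)
        if m:
            sites.append({"site": m.group(1), "name": m.group(2),
                          "logged": int(m.group(3)), "dropped": int(m.group(4)),
                          "threat_level": m.group(5), "category": m.group(6)})
    return sites


def logged_but_not_dropped(sites):
    """Sites the filter only logged: their threat level fell outside the
    configured drop range, so the connections were allowed through."""
    return [s for s in sites if s["logged"] > s["dropped"]]


def triage_order(hosts):
    """Inside hosts to examine first, most logged malicious connections first."""
    return [h["host"] for h in sorted(hosts, key=lambda h: h["logged"], reverse=True)]


if __name__ == "__main__":
    print("triage order:", triage_order(parse_top_infected_hosts(SAMPLE_INFECTED_HOSTS)))
    for s in logged_but_not_dropped(parse_top_malware_sites(SAMPLE_MALWARE_SITES)):
        print("logged only:", s["site"], s["name"], s["threat_level"], s["category"])
```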


Websense URL filtering config:

ciscoasa/CUST(config)# url-server ?

configure mode commands/options:
  (  Open parenthesis for the network interface where the URL filtering server
     resides
ciscoasa/CUST(config)# url-server (inside) ?

configure mode commands/options:
  host    Configure the IP address of the URL filtering server after this
          keyword
  vendor  The URL server vendor, default is Websense
ciscoasa/CUST(config)# url-server (inside) vendor ?

configure mode commands/options:
  smartfilter  Secure Computing SmartFilter (N2H2) URL server
  websense     Websense URL server
ciscoasa/CUST(config)# url-server inside) vendor websense ?

configure mode commands/options:
  host  Configure the IP address of the URL filtering server after this keyword
ciscoasa/CUST(config)# url-server (inside) vendor websense host ?

configure mode commands/options:
  Hostname or A.B.C.D  IP address of the URL filtering server
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 ?

configure mode commands/options:
  protocol  Protocol to be used for communicating to the URL server, TCP
            protocol will be used by default
  timeout   The maximum idle time permitted before the system switches to the
            next server specified, default is 30 seconds
  version   Optional version number for the Websense server, the version can be
            1 or 4, default is 1. UDP protocol is available only in version 4
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol ?               

configure mode commands/options:
  tcp  TCP to be used as transport protocol
  udp  UDP to be used as transport protocol
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp ?

configure mode commands/options:
  connections  Optional simultaneous TCP connection count
  version      Optional version number for the Websense server, the version can
               be 1 or 4, default is 1. UDP protocol is available only in
               version 4
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version ?

configure mode commands/options:
  1  Websense version 1
  4  Websense version 4
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 ?

configure mode commands/options:
  connections  Optional simultaneous TCP connection count
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections ?               

configure mode commands/options:
  <1-100>  Specify number of TCP connections to this URL server, default is 5
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections 10
ciscoasa/CUST(config)# url-block ?

configure mode commands/options:
  block        Configure number of blocks that will be buffered
  url-mempool  Configure memory resource to be allocated for long URL buffer
  url-size     Configure maximum allowed URL size
ciscoasa/CUST(config)# url-block url-mempool ?

configure mode commands/options:
  <2-10240>  Memory resource allocated for long URL buffer in KB
ciscoasa/CUST(config)# url-block url-mempool 512
ciscoasa/CUST(config)# url-block url-size ? 

configure mode commands/options:
  <2-4>  Maximum allowed URL size in KB
ciscoasa/CUST(config)# url-block url-size  4
ciscoasa/CUST(config)# url-block block ?

configure mode commands/options:
  <1-16>  Number of blocks that will be buffered
ciscoasa/CUST(config)# url-block block 16

ciscoasa/CUST(config)# filter ?

configure mode commands/options:
  activex  ActiveX filtering
  ftp      FTP filtering
  https    HTTPS filtering
  java     Java filtering
  url      HTTP filtering
ciscoasa/CUST(config)# filter https ?

configure mode commands/options:
  except             Create an exception to previously specified set of IP
Enter the port or port range <start>[-<end>]
  aol               
  bgp               
  biff              
  bootpc            
  bootps            
  chargen           
  cifs              
  citrix-ica        
  cmd               
  ctiqbe            
  daytime           
  discard           
  dnsix             
  domain            
  echo              
  exec              
  finger            
  ftp               
  ftp-data          
  gopher            
  h323              
ciscoasa/CUST(config)# filter https 443 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of local/internal host which is source for
                       connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 ?

configure mode commands/options:
  A.B.C.D  Network mask to be applied to local IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of foreign/external host which is
                       destination for connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 ?

configure mode commands/options:
  A.B.C.D  Network mask to be applied to foreign IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 ?

configure mode commands/options:
  allow  When url-server is down, allow outbound <service> traffic
  <cr>

ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter url http 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter ftp 21 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow

ciscoasa/CUST# ping 10.160.6.77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.160.6.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/130 ms

ciscoasa/CUST# ping 10.15.16.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.16.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 320/326/330 ms


Here are some useful show commands for Websense redirection:

ciscoasa/CUST# show run url-server
url-server (inside) vendor websense host 10.15.16.45 timeout 30 protocol TCP version 1 connections 10
url-server (inside) vendor websense host 10.160.6.77 timeout 30 protocol TCP version 4 connections 10
url-server (inside) vendor websense host 10.13.16.45 timeout 30 protocol TCP version 4 connections 10

ciscoasa/CUST# show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied         137923/135998/1925
URLs allowed by cache/server      0/135998
URLs denied by cache/server       0/1925
HTTPSs total/allowed/denied       76109/55125/20984
HTTPSs allowed by cache/server    0/55125
HTTPSs denied by cache/server     0/20984
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  64884
Server timeouts/retries           6/80
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------
10.160.6.77                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   214036/191121/22909
  Server timeouts/retries         6/80
  Responses received              214030
  Response time average 60s/300s  0/0
10.15.16.45                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          194372  191704
LOOKUP_REQUEST          217845  217759
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0

ciscoasa/CUST# show url-block block statistics

URL Pending Packet Buffer Stats with max block  16
-----------------------------------------------------
Cumulative number of packets held:              2091333
Maximum number of packets held (per URL):       8
Current number of packets held (global):                0
Packets dropped due to
       exceeding url-block buffer limit:        510456
       HTTP server retransmission:              39723
Number of packets released back to client:      2072781
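These counters are worth watching continuously rather than reading once. Every filter line above carries the allow keyword, which (per the CLI help for allow) lets the matching HTTPS, HTTP and FTP traffic out unfiltered whenever the url-server is down, so users never notice an outage and the statistics are the only signal that filtering has stopped. The Python script below is an added example, not part of the original post and not a Cisco or Websense tool: it parses the text of the two show commands (the sample text embedded in it is copied from this transcript, trimmed) and returns findings for a server that is not UP, a server that is configured but has never been queried, server timeouts, a high ratio of dropped requests, and url-block buffer drops while url-block block is already at its CLI maximum of 16. The 5% drop-ratio threshold is an assumption made for the example, not an ASA default.

```python
"""Added example: health check over ASA 'show url-server statistics' / 'show url-block block statistics' text."""
import re

ASA_MAX_URL_BLOCK = 16        # upper bound of 'url-block block <1-16>' per the CLI help
DROP_RATIO_THRESHOLD = 0.05   # assumption made for this example, not an ASA value

# Sample output copied (trimmed) from the transcript on this page.
URL_SERVER_STATS = """\
Global Statistics:
URLs total/allowed/denied         137923/135998/1925
HTTPSs total/allowed/denied       76109/55125/20984
FTPs total/allowed/denied         0/0/0
Requests dropped                  64884

Server Statistics:
10.160.6.77                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   214036/191121/22909
  Server timeouts/retries         6/80
  Responses received              214030
10.15.16.45                       UP
  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0
"""

URL_BLOCK_STATS = """\
URL Pending Packet Buffer Stats with max block  16
Cumulative number of packets held:              2091333
Packets dropped due to
       exceeding url-block buffer limit:        510456
       HTTP server retransmission:              39723
Number of packets released back to client:      2072781
"""

_TRIPLE = re.compile(r"^(URLs|HTTPSs|FTPs) total/allowed/denied\s+(\d+)/(\d+)/(\d+)", re.M)
_DROPPED = re.compile(r"^Requests dropped\s+(\d+)", re.M)
_SERVER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

def parse_url_server(text):
    """Return ({'counts': {proto: {...}}, 'dropped': n}, [per-server dicts])."""
    counts = {name: {"total": int(t), "allowed": int(a), "denied": int(d)}
              for name, t, a, d in _TRIPLE.findall(text)}
    m = _DROPPED.search(text)
    glob = {"counts": counts, "dropped": int(m.group(1)) if m else 0}
    servers, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue                  # blank line inside a server block (ASA prints one)
        head = _SERVER.match(line)
        if head:
            cur = {"ip": head.group(1), "state": head.group(2)}
            servers.append(cur)
        elif not line.startswith("  "):
            cur = None                # unindented header: we left the server block
        elif cur is not None:
            key, _, val = line.strip().partition("  ")
            val = val.strip()
            if key == "Requests total/allowed/denied":
                cur["requests"] = tuple(int(x) for x in val.split("/"))
            elif key == "Server timeouts/retries":
                cur["timeouts"], cur["retries"] = (int(x) for x in val.split("/"))
            elif key == "Responses received":
                cur["responses"] = int(val)
            elif key == "Port":
                cur["port"] = int(val)
    return glob, servers

def parse_url_block(text):
    def grab(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0
    return {"max_block": grab(r"max block\s+(\d+)"),
            "held": grab(r"Cumulative number of packets held:\s+(\d+)"),
            "dropped_buffer": grab(r"exceeding url-block buffer limit:\s+(\d+)")}

def assess(glob, servers, block, drop_ratio=DROP_RATIO_THRESHOLD):
    """Return (code, detail) findings; an empty list means healthy."""
    findings = []
    lookups = sum(c["total"] for c in glob["counts"].values())
    if lookups and glob["dropped"] / lookups > drop_ratio:
        findings.append(("high_drop_rate", f"{glob['dropped']}/{lookups} lookups dropped"))
    for s in servers:
        if s["state"] != "UP":
            findings.append(("server_down", s["ip"]))
        elif s.get("requests", (0,))[0] == 0:
            findings.append(("server_idle", f"{s['ip']} is UP but has never been queried"))
        elif s.get("timeouts"):
            findings.append(("server_timeouts", f"{s['ip']}: {s['timeouts']} timeouts, {s['retries']} retries"))
    if block["dropped_buffer"] and block["max_block"] >= ASA_MAX_URL_BLOCK:
        pct = 100.0 * block["dropped_buffer"] / max(block["held"], 1)
        findings.append(("url_block_at_max", f"{pct:.1f}% of held packets dropped with url-block block already at {block['max_block']}"))
    return findings

if __name__ == "__main__":
    g, s = parse_url_server(URL_SERVER_STATS)
    for code, detail in assess(g, s, parse_url_block(URL_BLOCK_STATS)):
        print(f"{code}: {detail}")
```

Paste the output of the two show commands into the two strings (or read them from a file) to run it against a live box. On the transcript above it raises all four findings: roughly 30% of lookups dropped, 6 timeouts and 80 retries against 10.160.6.77, 10.15.16.45 configured but never queried, and about a quarter of buffered packets dropped because the 16-block buffer cannot be raised any further.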