Cisco IronPort Web Security Appliance – CLI commands

Clearing authentication cache in IronPort

1. Use PuTTY or your preferred telnet client to log into the CLI of the IronPort with the local admin account or a domain account, depending on your environment's configuration.
2. Type “authcache” at the command prompt and hit enter.
3. You have three choices. Type “List” and hit enter, then enter again to confirm. This prints a list of all authenticated users currently in the cache.
4. Now you can choose “FLUSHALL” to clear the entire cache (every cached user will have to re-authenticate), or “FLUSHUSER” to clear a single user.
5. Type “FLUSHUSER” and hit enter.
6. Enter “1” for the realm name unless it is a guest user.
7. Enter the username from the list and hit enter.
8. The user you chose has been cleared from the authentication cache and will be prompted to authenticate the next time they use a web browser to reach an external web site.

Troubleshooting via the Grep command

Type “grep” at the command prompt. The appliance responds with the list of configured logs and then a series of prompts:

Currently configured logs:
1. “accesslogs” Type: “Access Logs” Retrieval: FTP Poll
2. “authlogs” Type: “Authentication Framework Logs” Retrieval: FTP Poll
3. “avc_logs” Type: “AVC Engine Logs” Retrieval: FTP Poll
4. “bypasslogs” Type: “Proxy Bypass Logs” Retrieval: FTP Poll
5. “cli_logs” Type: “CLI Audit Logs” Retrieval: FTP Poll
6. “configdefragd_logs” Type: “Configuration Logs” Retrieval: FTP Poll
7. “dca_logs” Type: “DCA Engine Logs” Retrieval: FTP Poll
8. “external_auth_logs” Type: “External Authentication Logs” Retrieval: FTP Poll
9. “feedback_logs” Type: “Feedback Logs” Retrieval: FTP Poll
10. “ftpd_logs” Type: “FTP Server Logs” Retrieval: FTP Poll
11. “gui_logs” Type: “GUI Logs” Retrieval: FTP Poll
12. “haystackd_logs” Type: “Haystack Logs” Retrieval: FTP Poll
13. “idsdataloss_logs” Type: “Data Security Logs” Retrieval: FTP Poll
14. “logderrorlogs” Type: “Logging Logs” Retrieval: FTP Poll
15. “mcafee_logs” Type: “McAfee Logs” Retrieval: FTP Poll
16. “musd_logs” Type: “AnyConnect Secure Mobility Daemon Logs” Retrieval: FTP Poll
17. “pacd_logs” Type: “PAC File Hosting Daemon Logs” Retrieval: FTP Poll
18. “proxylogs” Type: “Default Proxy Logs” Retrieval: FTP Poll
19. “reportd_logs” Type: “Reporting Logs” Retrieval: FTP Poll
20. “reportqueryd_logs” Type: “Reporting Query Logs” Retrieval: FTP Poll
21. “saas_auth_log” Type: “SaaS Auth Logs” Retrieval: FTP Poll
22. “shd_logs” Type: “SHD Logs” Retrieval: FTP Poll
23. “snmp_logs” Type: “SNMP Logs” Retrieval: FTP Poll
24. “sntpd_logs” Type: “NTP Logs” Retrieval: FTP Poll
25. “sophos_logs” Type: “Sophos Logs” Retrieval: FTP Poll
26. “status” Type: “Status Logs” Retrieval: FTP Poll
27. “system_logs” Type: “System Logs” Retrieval: FTP Poll
28. “trafmon_errlogs” Type: “Traffic Monitor Error Logs” Retrieval: FTP Poll
29. “trafmonlogs” Type: “Traffic Monitor Logs” Retrieval: FTP Poll
30. “uds_logs” Type: “UDS Logs” Retrieval: FTP Poll
31. “updater_logs” Type: “Updater Logs” Retrieval: FTP Poll
32. “wbnp_logs” Type: “WBNP Logs” Retrieval: FTP Poll
33. “webcat_logs” Type: “Web Categorization Logs” Retrieval: FTP Poll
34. “webrootlogs” Type: “Webroot Logs” Retrieval: FTP Poll
35. “welcomeack_logs” Type: “Welcome Page Acknowledgement Logs” Retrieval: FTP Poll

Enter the number of the log you wish to grep.
[> 1
Enter the regular expression to grep.
]> (Enter IP address of workstations)
Do you want this search to be case insensitive? [Y]>
Do you want to search for non-matching lines? [N]>
Do you want to tail the logs? [N]> y
Do you want to paginate the output? [N]>
Press Ctrl-C to stop.

Using grep to check why a website is blocked
1. Log into the CLI of the IronPort web filter. IP address is 192.168.x.x.
2. At the command prompt, type “grep” and hit enter.
3. You will see the list of configured logs. Type “1” (accesslogs) and hit enter.
4. It will ask “Enter the regular expression to grep”. Enter the IP address of the user's PC.
5. At the next prompt (case insensitive) hit enter to accept the default.
6. At the next prompt (non-matching lines) hit enter to accept the default.
7. At the next prompt (tail the logs) enter “Y” for yes.
8. At the next prompt (paginate) hit enter to accept the default.
9. Now have the user try to navigate to the web page.
10. The two most common outputs are explained below. The first is a successful request for a web page and the second is a blocked request.
11. In the output, TCP_MISS/200 (the number after the slash is the HTTP status code) is a successful request.

TCP_DENIED/403 is a blocked request.

The output shows the client IP address, the result code, the website, the user name, why it was blocked (the decision tag, e.g. BLOCK_WEBCAT) and the access policy. These items appear in the blocked-request line below.

1371242356.784 2 192.168.1.10 TCP_DENIED/403 0 GET http://nudegirls.com/ "Domaintest@realm name" NONE/- - BLOCK_WEBCAT_11-HIM-AD_Users-NONE-NONE-NONE-NONE <IW_porn,0.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_porn,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
12. When you are finished, press Ctrl+C to leave grep mode.

Type “quit” and hit enter to exit the CLI.
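As an added example (not from the original post or from Cisco), here is a small Python parser that does offline what the grep walkthrough above does interactively: filter access-log lines by workstation IP and pull out the fields the post highlights (client IP, result code and status, URL, user, decision tag with access policy, URL category). The sample lines are constructed in the same layout as the line shown above; splitting the decision tag into decision, access policy and identity follows that example and is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the layout of the access-log line shown on this page;
# the addresses, URLs, user, policy names and URL category are made up.
SAMPLE_LINES = [
    '1371242356.784 2 192.168.1.10 TCP_DENIED/403 0 GET http://blocked.example/ '
    '"Domain\\jdoe@realm" NONE/- - BLOCK_WEBCAT_11-HIM-AD_Users-NONE-NONE-NONE-NONE '
    '<IW_xyz,0.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_xyz,-> -',
    '1371242360.102 312 192.168.1.10 TCP_MISS/200 5120 GET http://allowed.example/ '
    '"Domain\\jdoe@realm" DIRECT/203.0.113.7 text/html DEFAULT_CASE_12-HIM-AD_Users-NONE-NONE-NONE-NONE '
    '<IW_abc,0.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_abc,-> -',
]

# Field order: timestamp elapsed client result/status bytes method URL "user" hierarchy mime tag <verdicts>
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) "(?P<user>[^"]*)" (?P<hier>\S+) (?P<mime>\S+) '
    r'(?P<tag>\S+) <(?P<scan>[^>]*)>'
)

@dataclass
class AccessEntry:
    client: str
    result: str         # TCP_DENIED, TCP_MISS, ...
    status: int         # HTTP status code after the slash
    method: str
    url: str
    user: str
    decision: str       # first element of the ACL decision tag, e.g. BLOCK_WEBCAT_11
    access_policy: str  # assumed to be the second element, as in the page's example
    identity: str       # assumed to be the third element
    category: str       # URL category, first element of the <...> verdict field

    @property
    def blocked(self) -> bool:
        return self.result == "TCP_DENIED" or self.decision.startswith("BLOCK_")

def parse_line(line: str) -> AccessEntry:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an access-log line: {line[:60]!r}")
    tag = m["tag"].split("-")
    return AccessEntry(m["client"], m["result"], int(m["status"]), m["method"], m["url"],
                       m["user"], tag[0], tag[1], tag[2], m["scan"].split(",")[0])

def grep_client(lines, client_ip: str) -> list:
    """Offline equivalent of the CLI grep on accesslogs for one workstation IP."""
    return [e for e in map(parse_line, lines) if e.client == client_ip]
```

Run it against a file pulled from the accesslogs FTP poll to get the same blocked/allowed answer without tailing the appliance live.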
