LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Secure Web Gateway » General

Usage of external CA certificates

Charles Creegan — Wed, 01 Apr 2020 00:00:00 GMT

This article applies to:

WebMarshal

Question:

How can I use external CA certificate with WebMarshal?

Information:

Use of publicly trusted CA certificates in proxying end-user communications with internet systems is prohibited by some browser manufacturer rules and regulations. LevelBlue recommends the use of a self signed or enterprise CA for proxying use. If you intend to use a publicly trusted or cross signed CA certificate with this product, consult with the issuing CA to ensure your use is compliant with all current and anticipated regulations.

To import a CA certificate, you can use the Certificate Converter Tool available from the WebMarshal Download page.

Version 11.5 End of Maintenance

Shawn Cook — Thu, 10 Nov 2016 11:17:36 GMT

This article applies to:

SWG 11.5

Information:

The purpose of this notice is to inform you that the End of Maintenance period for Secure Web Gateway version 11.5 will be on October 19, 2016.

To assist you in making the transition to a later, supported SWG version, we will extend the support period for an additional 6 months, until April 19, 2017 (SWG version 11.5’s End of Life). During that time, you will still receive database downloads and security patches. Once the End of Life occurs, Trustwave will stop supporting SWG Version 11.5.

To keep your Trustwave SWG Appliances up-to-date and supported, please upgrade to version 11.6, 11.7 or later. Doing so will ensure your Trustwave SWG Appliances are updated and supported. We recommend that you upgrade to our latest available version in order to enjoy our latest enhancements.

More information on the policy including definitions of key terms can be found in the Secure Web Gateway Life Cycle Support Policy.

The latest SWG versions and documentation can be found on the Secure Web Gateway product pages.

Please contact Customer Support if you need guidance and information on the upgrade process.

Adding SWG HTTPS certificates to Mac/OSX

Shawn Cook — Thu, 09 Jun 2016 16:53:14 GMT

Summary:

This article describes the process of manually adding an SWG HTTPS certificate to an OSX keystore for use with HTTPS inspection.

Export the HTTPS certificate from the SWG by navigating to Administration -> System Settings -> SWG Devices, and expand the left-hand Tree to reveal the Scanning Server HTTPS section

Take the exported certificate, and copy it onto the Mac.
Import the certificate into the OSX Keychain using the Keychain Access program

Once imported, double-click the certificate in the Keychain Access window

Set 'When using this certificate' to 'Always Trust'

After the certificate has been loaded and trusted, navigate to System Preferences -> Network -> Proxies and ensure that the proxy for both HTTP and HTTPS is set.

Close the web browser and reopen it. You should now be able to browse to HTTPS sites through the SWG as expected.

Why the Status Page is not displayed in Chrome browser when using FTP over HTTP?

Mariusz Cieślak — Wed, 16 Sep 2015 09:06:27 GMT

This article applies to:

All SWG versions

Question:

Why the Status Page is not displayed in Chrome browser when using FTP over HTTP protocol? (when setting port 8080 in the proxy settings for FTP transactions on the browser side)

Reply:

The header in the GET request coming from the browser which is mandatory for activating the Status Page is the User-Agent header.

This is visible in the "Administration > System Settings > Scanning > Scanning Options" section of the SWG GUI (part of the configuration) - see the screenshot below:

Chrome browser doesn't include User-Agent header in the GET request when FTP over HTTP protocol is being used.
Please see below the comparison of the GET requests that are sent by the browsers for retrieving the same file when using Chrome and Firefox:

1) Chrome browser - no User-Agent header is included in the GET request:

2) Firefox browser - User-Agent header is included in the GET request:

Notes:

This article is applicable only when FTP over HTTP protocol is used (port 8080 for FTP transactions is set on the browser side in the proxy settings). For other protocols (e.g. HTTP etc.), the behavior is different.

Is it possible to enable Caching Kit on the Cloud scanner?

Mariusz Cieślak — Tue, 01 Sep 2015 09:04:28 GMT

This article applies to:

All SWG versions

Question:

Is it possible to enable Caching Kit using the "config_hardware" command on the Cloud scanner?

Reply:

No, this is not possible (as per the design). On the Cloud Scanner / "SWG Remote Device" type, "config_hardware" command is disabled - see the example below:

The reason for disabling the "config_hardware" command for the Cloud scanner devices is that writing to additional volume (sdb) in the Cloud infrastructure would have to be done over the network, thus causing higher delays in processing requests on the SWG than writing to a physical drive. Drives in Cloud instances are connected over the network and the performance is lower than the performance of physical volumes. Enabling Caching Kit in such scenario doesn't provide expected performance benefits.

End of Maintenance for Secure Web Gateway version 10.2

Charles — Mon, 20 Apr 2015 14:57:44 GMT

This article applies to:

Secure Web Gateway (SWG) 10.2

Secure Web Gateway 10.2 End of Life

Dear valued SWG customer,

According to the Trustwave Product Support Policy, we are announcing that the End-of-Maintenance period for Secure Web Gateway version 10.2 will close on October 1, 2014.

To assist you in making the transition to a later, supported version, we will extend the support period for an additional 6 months. During that time, until the version's End-of-Life, you will receive database downloads and security patches.

We will officially stop supporting SWG version 10.2 when this timeframe expires, on April 1, 2015. To keep your Trustwave SWG Appliances up-to-date and supported, please use the remaining period to upgrade to version 11.0, 11.5 or later. (To determine which supported versions can be installed on your existing hardware, see the Supported Versions matrix.)

The latest SWG versions and documentation can be found on the Secure Web Gateway support pages.

Please contact the Technical Assistance Center if you need guidance and information on the upgrade process.

In some scenarios SWG does not recognize LDAP users

ofer Kalef — Wed, 05 Feb 2014 01:20:06 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

In some scenarios SWG does not recognize LDAP users, even if they are in an imported group.

Information:

If a customer adds a user/users after importing user/users group, the user/users won't be in the SWG database.

Use scheduled updating of LDAP/AD users or manually import users after any changes that you make to the LDAP tree structure (for example, adding/removing groups, changing their order), or the changes will not be applied.

How to setup and gather debug logs

ofer Kalef — Sun, 24 Nov 2013 03:51:08 GMT

This article applies to:

SWG 11.x
SWG 10.x

Question:

How do I setup an SWG into debug mode?

Procedure:

When trouble shooting an issue, there might be a need to gather extended logs from the SWG. By default these “debug” logs are not turned on. Follow the instructions below to turn on Debug logs and then reproduce the issue that you are seeing.

Log into the Management console and go to Administration -> System Settings -> Debug log.
Set the debug log level to 1 (full trace). Save and commit.

Now you will want to reproduce the issue by surfing to the site that is exhibiting the issue while going through the SWG proxy.

Once the issue is reproduced, go back into the GUI and set the debug log level back to 6 (fatal errors only), then you will need to immediately save the support logs by going to the limited shell and type the command save_support_logs. To collect the support logs, please see the following KB article.

Note:

*It’s very important that the logs are saved directly after the issue is reproduced. While in debug mode the logging profile is greatly increased so that they will record all data that goes through the system. Since this is the case, the logs on the system will rotate out very fast, if too much time is given between the issue and when the logs are gathered, the log containing the issue could rotate out and the data that is needed will be lost

502 Bad Gateway error – Squid is not running

ofer Kalef — Sun, 24 Nov 2013 01:48:51 GMT

INFO:502 Bad Gateway – Squid is not running.

This article applies to:

SWG: 11.x

· Description
In some scenarios Squid won’t start and in the GUI you may see a communication such as:

"This cache server is not active."

· Symptoms

You will see a 502 Bad Gateway error.

· Cause
It is a known bug in Squid that it does not accept some special chars like "_" or "-".

· Solution
Change the hostname to a name without special, reserved characters.

Notes:

Changes like this will cause certain processes to restart on the SWG and may interrupt scanning in a production environment.

It is recommended to do this during a maintenance window where it’s appropriate for the system to go down.

Check or Change Trustwave Filter List Categorization

ofer Kalef — Thu, 14 Nov 2013 04:36:11 GMT

This article applies to:

SWG 10.1
SWG 10.2
SWG 11.x

Question:

How can you check the classification of a URL in the Trustwave Filter List database?

Information:

It may happen that a given link is wrongly categorized. In addition, a URL can sometimes change owner and website content.

You can check a site category in the Trustwave Filter List database, or submit a site to Trustwave if it needs to be added to the database or reviewed for a possible mistake in categorization.

Go to:

https://support.levelblue.com/m86filtercheck.asp

You can also view a list of categories and their definitions.

Upgrade SWG version 10.2 to version 11.0

ofer Kalef — Tue, 24 Sep 2013 08:28:14 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

How do I upgrade my SWG from 10.2 to 11.0?

Procedure:

A new system has been introduced into SWG 10.2 and 11.0 to enable the download and upgrade to a new version from the Policy Server Management GUI. Follow the steps below to complete the upgrade process:

1. Log into your SWG Policy Server.

2. Navigate to Administration > Updates > Update Management.

3. Click Install on the version 11 upgrade item. If this item is not present, click Retrieve Updates.

4. The rest of the install process is automatic.

To install the upgrade on scanners:

1. Go to Administration > System Settings > Trustwave Devices.

2. Right-click each relevant device and select Upgrade Scanners to PS Version.

Notes:

The install process can take as long as 1 hour or more. During the upgrade process, GUI access can be limited or inaccessible. Allow extra time after notification that the install process is finished - back-end and other processes not visible may still be coming online and upgrading.

Important: The Upgrade will stop production scanning.

Allow (bypass) Audio Streaming through SWG

ofer Kalef — Tue, 24 Sep 2013 08:21:13 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Audio streams (e.g. Web Radio) do not work through the SWG, and there are no log entries.
I have an "Allow Streaming" rule, but audio streaming does not work and the logs don't show anything being Blocked.

Procedure:

Audio streaming formats are not included in "Allow streaming" rule by default.

In order to allow (actually, to bypass) these formats, modify the rule conditions by selecting 'Audio File' as shown below:

Malware Entrapment Profile levels as shown in the weblogs

ofer Kalef — Sun, 15 Sep 2013 01:17:30 GMT

This article applies to:

SWG v10.1 and above

Question:

Malware Entrapment Profile level is set to Strict, however, transaction shows Basic, Medium and Strict levels. Why?
Malware Entrapment Profile is blocking too much/little content. Can I adjust it?

Information:

As of SWG 10.1, the User Interface allows adjustment of Malware Entrapment Profile (MEP) security level. To do this, highlight the Malware Entrapment Profile condition in the "Block Malicious Content (Malware Entrapment Engine)" Rule and set its level as desired in the right pane, as shown below:

Web content will be blocked by MEP up to and including the specified threshold, e.g. if set to Medium, content is blocked if it breaks Basic or Medium. The transaction log will show what MEP level was reached, so if MEP is set to Strict the transaction logs will show Basic, Medium and Strict entries.

Note that if the Logging Policy is set to log more than Blocked/Corrective actions (e.g. "Log everything except images"), then the logs will show MEP levels for traffic that was not blocked, indicating that the Entrapper engine was called but allowed the traffic, as shown in green below:

Notes:

None.

Windows 7 SWG USB Drive Bootable creator

ofer Kalef — Sun, 08 Sep 2013 07:13:26 GMT

This article applies to:

SWG 10.x
SWG 11.x (for clean installation)

The following information will help guide you in creating a USB key that can be used to upgrade a SWG physical appliance.

Installation tool:

This tool allows creation of a USB bootable drive for version upgrading/fresh install for the Trustwave Security SWG.

To create a USB key:

Download and run the M86USB.EXE (see below for download location/s)
Format the USB flash drive as FAT32
Run the M86USB.EXE tool, choose the drive letter for the USB flash drive and click OK
Download and copy the version ISO file to the USB flash drive
Download and extract the VSI (VS Installer) to the USB flash drive - make sure you are extracting the files and not a TGZ/TAR/ZIP file (if TGZ/TAR/ZIP extract it's contents to the USB flash drive)

M86USB Version 2.1 January 2011 - FTP download location:
ftp://Outgoing:Mr8om21r@swgftp.trustwave.com/support/M86USB/M86USB.EXE

Usage video – download location:
ftp://Outgoing:Mr8om21r@swgftp.trustwave.com/support/M86USB/M86USBTOOL.avi

For proper VSI and ISO please visit:

https://support.levelblue.com/Secure-Web-Gateway/Upgrade.asp

Note: this method can be used for upgrades from 9.x to 10.2.

Where can I find SWG downloads and documentation?

ofer Kalef — Sun, 08 Sep 2013 07:04:20 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

Where can I find the latest SWG downloads and documentation?

Reply:

All information can be found on the Trustwave Web site in the Secure Web Gateway section. Go to:

https://support.levelblue.com/downloads-and-documentation.asp

Note:

You will need to sign up for a customer login ID and password to view these files.

SWG Support Policy Aug 2013

ofer Kalef — Mon, 26 Aug 2013 03:18:54 GMT

This article applies to:

Question:

What is the Trustwave SWG support policy

Information:

See attached File

What is the longest URL that could be added to the URL list?

ofer Kalef — Fri, 19 Jul 2013 01:31:38 GMT

This article applies to:

SWG 10.x

Question:

URL list entry - what is the limit on the URL length ?

Information:

The following error message could show up when adding a very long URL:

When adding a URL from the logs section, the error message would be different:

Every URL list entry is a name stored in the DB being the same as the URL itself
This name field in the DB is limited to 192 chars.

If needed there are ways to extend this field manually, however, these changes are not recommended.

Our recommendation for such URLs is to use a RegEx entry with a wildcard: domain_name*file_name .

Customized messages for user response action are not retained with Version 11.0 upgrade

ofer Kalef — Mon, 08 Jul 2013 02:24:33 GMT

This article applies to:

SWG 11.x

Question:

Why do Block page messages look different after the system is upgraded to Version 11.0?

Information:

This is a known issue with the V11.0 upgrade - Rule Action messages are reset to default.

To restore these messages, we recommend saving them before upgrading the system:

1. Navigate to Policies > End User Messages > Message Template, and select the relevant message template from the Rule Action drop down list.

2. Click the Switch to HTML View button. The message is displayed in HTML, similar to that shown below:

3. Select the HTML code presented in this view, copy it and to paste it into a text file using the text editor of your choice.

4. Save the file and click the Cancel button in the SWG UI.

5. Repeat these steps for the next Rule Action message details.

Once the SWG system is upgraded and running V11.0, follow the steps above to restore the HTML code for the custom messages used by SWG before the upgrade.

SWG will not synchronize

ofer Kalef — Sun, 07 Jul 2013 05:39:54 GMT

This article applies to:

SWG 9.x
SWG 10.x
SWG 11.x

Question:

What initial steps can I take if my Policy server and scanners remain unsynchronized?

Procedure:

In the event that your Policy server is not synchronized with a scanner, there are 2 commands that you can run that may help bring synchronization back up. Both of these commands can be run from the limited shell via a ssh connection.

reset_config This command will send the most recent configuration to the device. This does not restart any primary processes and will not interrupt production scanning.

restart_role This command will bring down most main processes and bring them back up in a clean running state. Even though this is not a hardware restart, it will stop scanning in a production environment. It is only suggested to use this command when it’s appropriate to take scanning down for a few minutes.

Notes:

If either of the commands do not bring back synchronization between the Policy server and scanners, please open a case via Trustwave support for further assistance.

Block page displays an unfamiliar category

ofer Kalef — Mon, 17 Jun 2013 01:33:14 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

The User gets a Block page with a block reason that contains an unfamiliar category. The User is using the Websense/IBM filter but the category in the block reason is not a Websense/IBM category.
In the Web Log Transaction Entry Details > Request > Websense (or IBM), the categories seem correct. Why is there an inconsistency?

Reply:

If the block page came from a cloud scanner, the reason is an inconsistency between the category in the block reason and the filter engine categories, which correctly shows in the Web Log Transaction Entry Details > Request > Websense (or IBM).

No updates for Virtual SWG system

ofer Kalef — Mon, 17 Jun 2013 01:29:20 GMT

This article applies to:

Virtual SWG 10.x
Virtual SWG 11.x

Symptoms:

Updates not installed, and no new updates are available when retrieving updates manually.
System log shows an error on connecting with the Update server.

Causes:

This may happen due to the default date/time settings used for a Virtual installation - Check the current time/date set on SWG to verify.

Resolution:

Update the date/time settings using the config_time limited shell command. The best update method is to specify an NTP server, public or local:

How to use Health Check options with SWG Proxy - Best Practice

ofer Kalef — Mon, 17 Jun 2013 01:10:44 GMT

This article applies to:

SWG 10.x
SWG 11.x

Question:

What is the best way to health-check an SWG Proxy?

Information:

The Health Check mechanism is usually required to ensure that a device is up and available to process User/Server sessions/requests.

There are multiple ways to achieve that with an SWG proxy; For example, it could be an external URL, assuming that the Web Server hosting it is itself available.

In this case, the source device expects to get a predefined response code from the SWG proxy, which is usually HTTP 403 Forbidden code or HTTP 200 OK code.

SWG health-check functionality provides URL(s) that could be used for that purpose, making it easier for administration:

http://Vital.Security.Health.Check - responding with HTTP 403 Forbidden code

http://Vital.Security.Loadbalancer.Check - responding with HTTP 200 OK code

Both health-check resources operate equally well for the purpose of actual system monitoring.

However, one important detail should be mentioned about the response code returned by these health checks:

If SWG is set to use a custom Block Page template using enhanced HTML components (form, logo, labels), it may result in a larger Block Page that is
sent back by SWG to the source device.
As a result, the TCP session established for such health check may not be closed properly on the SWG side, as shown in the network snippet below:

SWG proxy 172.18.180.151 sends HTTP 403 Forbidden response (packet #82).

Client, 172.18.180.152, does close it from its side (FIN packet #86); However, SWG proxy does not close the session.

The network snapshot above was taken from an SWG proxy that is sending a custom Block Page with multiple graphical components in it.

(Multiple customers do modify the Blocking Page to make it look more user-friendly or business-oriented.)

The network snapshot below was taken from an SWG proxy set to send a default Block Page, with no graphical enhancements in it:

Same SWG proxy sends HTTP 403 Forbidden response (packet #34) and immediately after that sends FIN packet #35 to close the TCP session from its side.

Same client as in previous example then sends FIN, ACK packet #39 to close the TCP session from its side.

When the SWG proxy returns HTTP 200 OK code it does not send a Block Message (custom or default), which in turn prevents the situation where network
sessions are not properly closed.

We used http://Vital.Security.Health.Check URL in this example, returning HTTP 403 Forbidden code.

Based on these results our recommendation is to prefer the second health check URL: http://Vital.Security.Loadbalancer.Check responding with
HTTP 200 OK code.

Notes:

These test results do not provide solid evidence that the network sessions are not closed properly.

However, it may result in some unexpected situations due to continuous inefficient operation mode.

Signing CSR request and importing certificate for the scanner

ofer Kalef — Tue, 29 Jan 2013 23:59:01 GMT

This article applies to:

SWG v10.0
SWG v10.1

Question:

This article describes detailed instructions on how to:

Generate CSR request for Scanning Server using Trustwave SWG Web interface
Submit CSR request data using MS PKI Web interface
Import certificate information into Trustwave SWG Scanning Server

Procedure:

1. Navigate to the Devices section in Trustwave SWG GUI, right-click the HTTPS module on the scanner and choose Generate Certificate option:

2. Choose CSR Certificate Type in the right pane and fill in all relevant details:

3. System responds with "Operation Succeeded" message, with the CSR request data in the background. Click OK and copy CSR data as simple text data.

4. Commit the changes. Do not create new CSR requests for other devices managed under same Policy Server.

5. Navigate to the MS-PKI Web GUI and select "Request a certificate" task:

6. Submit advanced certificate request:

7. Choose the option to submit CSR by using a base-64-encoded CMC or PKCS#10 file:

8. Paste CSR data that was copied in step 3 above.

Before submitting a request make sure Certificate Template is set to use Subordinate Certification Authority and "CA:TRUE" is set as Additional Attribute.

9. Select Base 64 encoded option and download certificate:

10. Save the certificate on your system:

11. Open this certificate using text editor and copy the data as simple text data:

12. Navigate to the Devices section in Trustwave SWG GUI, right-click the HTTPS module on the scanner and choose Import Certificate option:

13. Choose CSR Certificate Type in the right pane and paste in certificate data that was copied in step 10 above:

14. Commit changes. Certificate can now be exported from the device.

If required to sign CSR certificate for more than one scanning server, it is important to perform above steps as separate procedure for every device.

SFG data mechanism and the use of 'Bypassed Context Scanning List' in SWG 10.x

Rudolf Kessler — Wed, 29 Aug 2012 01:47:01 GMT

This article applies to:

SWG 10.x

Question:

SWG 10.1 comes with a new Scan Engine (Entrapper). Is the SFG Data Mechanism and the "Bypassed Context Scanning List" still in use?

Reply:

Inserting SFG Data tags to the page code was necessary in order to track and analyze a site in full context. If any problems occured with this, the solution was to add a site to the "Bypassed Context Scanning List".

SFG data is still being used in the product but in less scenarios than before. For example java scripts are no longer marked with SFG since Entrapper (the new scan engine) now does pre-fetching, however, will still add SFG tags to java applets.

Due to the above, the need for this list has dramatically decreased but we still want to keep this functionality for other scenarios in case it creates a problem in the page.

Notes:

Getting XMLHTTP support error message upon logging to SWG UI

Rudolf Kessler — Wed, 18 Jul 2012 06:11:13 GMT

This article applies to:

SWG 10.1 or higher

Symptoms:

User is getting below error message upon logging to SWG UI:

Causes:

This issue was reported for IE browser(s) but may also be relevant for other browsers.

Resolution:

Make sure that the following Advanced Security option is enabled in IE browser: