The WSA main features are  L4 Traffic Monitor and Web Proxy. Other features are
– URL filtering
– Web usage controls
– Application visibility & control
– Anti-Malware scanning (Sophos, McAfee, Webroot)

Secure web proxy monitors and scans web traffic for malicious  content. When you enable the web proxy, you can configure it to be in transparent or explicit forward  mode

The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own  database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch.

When you enable the web proxy, you can configure it to be in transparent or explicit forward mode.


Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy.

Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network. IP spoofing is disabled by default

ON – IP address of original source is maintained. OFF – Changing IP address to WSA IP address

Automatic: Configure each client application to use a PAC file to detect the appliance Web Proxy  automatically. Then you can edit the PAC file to specify the appliance Web Proxy information. PAC files work with web browsers only.
Manual: Configure each client application to point the appliance Web Proxy by specifying the  appliance hostname or IP address and the port number, such as 3128, used for listening to data  traffic.

Transparent Proxy: Clients applications are unaware of the Web Proxy and do not have to be configured to connect to the proxy. This deployment requires an Layer 4 switch or a WCCP v2  router. When you specify a WCCP router, you need to configure additional settings on  the appliance.When you specify a Layer 4 switch, you only need to specify that the appliance is connected to a Layer 4 switch when you configure the appliance.

Note: When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through  explicit HTTPS connections and it drops transparently redirected HTTPS requests


Device Interface:

Management – M1 and M2: Use for management of the WSA. Can also be used for data traffic in deployments where there is no separate management network.
Data – P1 and P2: Use the Data interfaces for Web Proxy data traffic. Only P1 enabled by default. If P2 is enabled both interfaces should be connected to a different subnet.
L4 Traffic Monitor – T1 and T2: Use for Tap and Span. Can be used in simplex (only T1 for incoming and outgoing traffic) or duplex (T1 and T2 connected. T1 for outgoing and T2 for incoming) communication.


WSA ports Web Security Appliance Ethernet Ports

WSA Initial Configs

Initial interface config can be done via CLI or by going to default IP address and configuring from browser (Wizard or manual). Default setting are:

default username/password: admin/ironport
default ip address/mask:
No default gateway is set
default port: 8080 and 8443 for http and https


Implementing WCCP

To set up the WSA to use WCCP you need to create at least one WCCP service on the appliance and configure the router to work with the Web Security appliance.

A WCCP service is an appliance configuration that defines a service group to a WCCP v2 router. It includes information such as the service ID and ports used. Service groups allow a web proxy to establish  connectivity with a WCCP router and to handle redirected traffic from the router

Example WCCP Service

ip wccp version 2
ip wccp service_group 
interface interface_type_number
ip wccp service_group redirect direction
ip wccp service_group password password 
ip wccp service_group redirect direction

ip wccp service_group redirect direction
Use in when you want the router to redirect packets as they enter  the router
Use out when you want the router to redirect packets right before they leave the router
ASA supports only redirect in

ip wccp service_group.
Web-cache. Enter “web-cache” when the appliance WCCP service uses the standard service
Service ID number. Enter a number from 0 to 255 when the appliance WCCP service uses a  dynamic service ID. The number should match the service ID number used in the appliance.

Example WCCP Service — Standard Service, No Password Required

ip wccp version 2
ip wccp web-cache [redirect-list acl]
interface GigabitEthernet1/0/14
ip wccp web-cache redirect in

Example WCCP Service — Dynamic Service for IP Spoofing, Password required

ip wccp version 2
ip wccp 90
interface GigabitEthernet1/0/14
ip wccp 90 redirect in
ip wccp 90 password Cisco123

show wccp
show wccp 90 service
show wccp 91 detail

There are 2 WCCP redirection methods
– Layer 2: WSA and router are on same layer 2 network.

Note: ASA only supports GRE.


Implementing L4 Traffic Monitor

Configure span session for Vlan where traffic will be monitored.

packetcapture – look at packets destined any interface of the wsa.

monitor session 1 source int g1/0/1
monitor session 1 destination interface g1/0/20
show monitor


Miscellaneous commands:

showconfig –  show running config
resetconfig – reset to factory defaults
interfaceconfig – configure wsa interface
setgateway – configure wsa default gateway
resetconfig – reset to factory default

ping, nslookup, grep, authcache


IP Expert VOD, INE Security Boot Camp