WSA Setup

In this blog post I'm going to go through the setup of a virtual Web Security Appliance from scratch and a couple of different options you can take. This is a basic setup for the purposes of using later using it to configure pxGrid and TrustSec settings.

After loading the OVA on the ESXi host, boot the VM and launch the console. You should be able to login to the WSA using the default username/password of admin/ironport

Type in interfaceconfig and edit the default management interface to assign a static IP of your choosing so you can access the WSA management from your browser. I usually enable FTP and SSH on this interface at the same time. 

After you have finished with this, exit to the regular CLI and issue the commit command to apply any changes. 

Issue the setgateway command to configure the default gateway if you are not located on the same subnet as the WSA. 

You may also want to configure NTP using the ntpconfig command and DNS using the dnsconfig command. 

FTP to your WSA and place the license XML file in the configuration direction. After you have done so, issue the loadlicense command in the CLI to load the license. After the license has been applied, issue the saveconfig command and navigate to the WSA from your browser using the following URL: https://ip-address:8443 and log in with the default credentials again. 

In the WSA console, navigate to System Administration> System Setup>System Setup Wizard and start the wizard. Be sure to do this AFTER you have loaded the license or it won't let you run the wizard. 

Name the appliance and click next.

I'm going to leave everything at the defaults on the three screens and click next unless you want to change the IP address or add an IP address to a different interface or configure simplex for L4TM:

On the next screen, you can configure static routes if you wish. If you do not wish to configure them, click next:

On the next screen, you can configure the WSA for WCCP if you wish:

Create an administrator password on the next screen, enter a email to send alerts to or a email list, the SMTP relay information, and if you would like to participate in SensorBase which helps increase Cisco's Security Intelligence:

On the next screen, configure the default action for the global policy, the action for suspect malware addresses, enable/disable acceptable use controls, reputation filtering, and data security filtering:

On the last screen, review the configuration and click Install this Configuration:


You will be logged out of the WSA and have to log back in with your new credentials. 

Note: If you would like to configure WCCP with the WSA, navigate to Network>Transparent Redirection and click on Edit Device. Choose WCCP v2 Router from the drop-down and click Submit:

On the next page, click Add Services and add the following: 

Click Submit and then commit the changes. On the router, ASA or Layer 3 switch, configure WCCP. A sample configure would look like this:

ip wccp version 2

ip access-list extended wccp-redirect
permit tcp any eq www
permit tcp any eq 443
permit tcp any eq www
permit tcp any eq 443

deny ip any
deny ip any

ip wccp 90 redirect-list wccp-redirect

interface vlan 50
ip wccp 90 redirect in

interface vlan 70
ip wccp 90 redirect in

You can test the configuration by navigating to a webpage from one of the subnets, trying to get blocked, and then navigating to Reporting>Users in ISE to view the users, blocked traffic, etc: