Hi Mike,

 

WBRS in the access policy pipeline can override other policy settings.
Check the user guide (7.1) for the flow (Figure 8-3, Applying Access Policy
Actions).

If it's blocked by one engine/policy, then it will not be passed on to the others.
If it's blocked by object blocking, the flow stops there itself and does not
proceed further. You can't have object blocking and WBRS based blocking
applied at the same time.

Certain sites have a very good reputation score, which can skip the malware
scanning and even object blocking/URL filtering. This was an issue in the 6.x
release; however, it was fixed in 7.x.

 

Samarth Chidanand

Sr Instructor / Developer - IPexpert

CCIE #18535 (R&S, Security)

CCSI #34585

 

 

 

From: Mike Rojas [mailto:[email protected]] 
Sent: Sunday, June 2, 2013 9:03 AM
To: Samarth Chidanand; [email protected]
Subject: RE: [OSL | CCIE_Security] WSA Authentication, Policies and Proxy
Bypass

 

Hi Samarth, 

It was based on observation; I have my proctor lab session tomorrow.

It was the same file being pulled. With the object blocking it was
immediately blocked, but I assume it should have also been blocked based on the
malware policy inherited from the global access policy.

Piotr said that the download was allowed and then cancelled the download to
continue with the video. I'm not quite sure whether, if he had let the download
continue, it would have been truncated.

Mike. 

  _____  

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WSA Authentication, Policies and Proxy
Bypass
Date: Sun, 2 Jun 2013 07:19:34 +0530

Hi Mike,

 

Check my previous reply. I have not taken a look at the video. However, there
is a difference between object blocking, i.e. certain file types being
downloaded, and malware downloads or even blocking based on WBRS (DVS based -
malware). If you are doing the same in your practice lab, then share the
access logs.

 

 

Samarth Chidanand

Sr Instructor / Developer - IPexpert

CCIE #18535 (R&S, Security)

CCSI #34585

 

 

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Sunday, June 2, 2013 4:33 AM
To: [email protected]
Subject: [OSL | CCIE_Security] WSA Authentication, Policies and Proxy Bypass

 

Hi, 

I was checking this demo, the last video on the WSA introduction. There are
basically two policies created, one for Vlan100 and another one for Vlan60.

The VLAN100 is able to download the malware.exe file correctly because he is
only monitoring it.
Since the global policy was being inherited, and the per group policy was not
configured the first time, the user was not able to download
based on the malware policy on the global policy.
Once the policy was modified, the user was able to download the file and it
was only being monitored.

For the Vlan60, the user should have been blocked as per the task.
The first thing that is shown is the user being able to download the file
correctly, but the download is stopped (manually).
Then the policy for .exe is changed and the user is immediately blocked from
downloading the file.


My question is, shouldn't the first download of the VLAN 60 user be blocked
based on the inherited policy for malware, as it was on the first attempt on
Vlan100?

Mike. 
