Websense not logging from Network Agent, only logging from NetScreen integration

March 14, 2013, 8:44 am

≫ Next: TS1.explicit.bing.net - TS2.explicit.bing.net -TS3.explicit.bing.net

≪ Previous: Ability to apply group based and ip based polices in tandem

$

0

0

We have WebSense 7.7.3 running on Windows Server 2008 R2 (64bit), Network Agent on seperate Windows Server 2008 R2 (64bit).

In Real Time Monitor and in reports, only HTTP traffic is logged.

Network Agent running on seperate server, and set to generate debug log, and is seeing all traffic (HTTP, HTTPS, POP3 etc), and able to block https when policy changed to block it.. Have reinstalled Network Agent, and install checks it can connect to services on the main server OK.

Juniper SSG-140 configured to send HTTP/HTTPS requests to websense (but only blocks HTTP as per standard config).

Default policy set so all protocols are logged.

For a few days this was working fine, reports and real time monitor listed POP3, HTTPS and HTTP traffic.. The we had our scheduled microsoft patch updates which included reboots of all servers, and now we only see HTTP traffic in Real Time Monitor and in reports.. All websense services running, have rebooted both servers.. Options in websense web interface for network agent are set correct to log all traffic..

Used the testlogserver, and its only displaying HTTP traffic (with a log source of enhanced log), if I stop the network agent service, then testlogserver displays HTTP and HTTPS traffic (with a log source of integrated)

Any ideas on what we need to check? Seems something is wrong with the filtering service?

Network Agent debug log indicates its logging all traffic.. example of HTTPS:

 

[03/15/2013 02:59:04.633] (4008): LogRequest:

Time: Fri Mar 15 02:58:05 2013

EnhancedLog: 0

Proto ID: 11

Url: HTTPS://74.125.237.18:443

Source: 10.0.0.85

Port: 443

DescriptionCode: 1026

StatusCode: 0

Category: 76

BytesReceived: 0

BytesSent: 60

Duration: 59

Periodic: 0

---

TS1.explicit.bing.net - TS2.explicit.bing.net -TS3.explicit.bing.net

April 15, 2013, 8:24 am

≫ Next: Auto Upload Uncategorized to be categorized

≪ Previous: Websense not logging from Network Agent, only logging from NetScreen integration

$

0

0

Auto Upload Uncategorized to be categorized

March 21, 2013, 8:42 am

≫ Next: Triton 7.7 Web Security upgrade - Log Server did not upgrade

≪ Previous: TS1.explicit.bing.net - TS2.explicit.bing.net -TS3.explicit.bing.net

$

0

0

Auto Upload Uncategorized to be categorized

 

 

shouldnt be hard to create an api or something to allow the uncategorized to be sent directly to websense for categorization

Triton 7.7 Web Security upgrade - Log Server did not upgrade

April 8, 2013, 11:40 am

≫ Next: Moving to new hardware, and upgrading

≪ Previous: Auto Upload Uncategorized to be categorized

$

0

0

Upgrade from 7.6 to 7.7 and the log server did not upgrade with the reset of teh system.  I am getting the IO error in web security.  

Following the troubleshooting in this article:

http://www.websense.com/support/article/kbarticle/Log-Server-not-running-after-upgrading-to-v7-7

I have concluded that Solution II is where my problem resides.  However, Solution II isn't really a solution but more so a reason.  There is no solution for fixing it.  How do i upgrade the database to 7.7.

 

Thank you

Moving to new hardware, and upgrading

April 15, 2013, 1:38 pm

≫ Next: how have a website re-classified

≪ Previous: Triton 7.7 Web Security upgrade - Log Server did not upgrade

$

0

0

We are currently on Email Security v7.2.  We need to upgrade to 7.3, install the Personal Email Manager, as well as move to new hardware.  Any suggestions for which order to complete this in?  Any documentation on how to move to new hardware?

how have a website re-classified

March 18, 2013, 10:32 am

≫ Next: integration with Palo Alto

≪ Previous: Moving to new hardware, and upgrading

$

0

0

Hello, 

I am new to Websense, and we have a website that is being blocked by websense saying it is a marijauana site (second hand info) i have verified that the site address etc goes to a kindle books and tips page.  it has temporarily been added to a bypass list.

what is the appropriate procedure to have websense reclassify it correctly?

integration with Palo Alto

April 16, 2013, 3:16 am

≫ Next: Filter 7.1 intermittently failing to access SSL sites - Error 107 (net::ERR_SSL_PROTOCOL_ERROR):SSL protocol error.

≪ Previous: how have a website re-classified

$

0

0

Hello! 

I am testing a couple of firewall and proxy and I would like to know if  I can use Websense websecurity with a Palo Alto firewall?

Could you give me that information ? 

If Palo Alto is not able to be integrated with websense websecurity, which firewall is able to do it? 

Thank you.

Filter 7.1 intermittently failing to access SSL sites - Error 107 (net::ERR_SSL_PROTOCOL_ERROR):SSL protocol error.

February 15, 2013, 2:44 am

≫ Next: Easy Method to Block Entire Countries

≪ Previous: integration with Palo Alto

$

0

0

Hi

We are using Web Filter 7.1 on Windows Server 2003 with a Juniper firewall. Our users are finding that access to SSL enabled sites (google sites, microsoft office 365, Gmail email attachments) is intermittently giving an SSL connection error and not presenting content.

If we refresh the page repeatedly we eventually get through, and I can see the details of the site's certificate.  When we get the SSL error, I see only a "identity not verified" error instead of the certificate.

It's happening throughout the site, on a variety of clients.  I have reinstalled network agent and web filtering services, with integrated and universal mode.  I find that if I restart the web filtering service our users get through without errors for about 10/20 minutes but then they start reappearing again.  If I turn off the web filtering service the errors stop and we get 100% connectivity.

Technicians have been unable to find a fix - anyone got any ideas please?  We are a heavy Google Apps using school, but we have had to turn off the filtering service (email, Intranet, docs were unusable) which is a real liability.

---

Easy Method to Block Entire Countries

October 28, 2010, 7:44 am

≫ Next: Not showing page 2 of AD users

≪ Previous: Filter 7.1 intermittently failing to access SSL sites - Error 107 (net::ERR_SSL_PROTOCOL_ERROR):SSL protocol error.

$

0

0

There should be a quick & easy way to block an entire country's domain without having to resort to CPU hogging Regex. This should also include the country's IP ranges.

Not showing page 2 of AD users

April 17, 2013, 11:37 am

≫ Next: False alerts in Triton

≪ Previous: Easy Method to Block Entire Countries

$

0

0

When I try to AD users as clients (we have well over 500) and I try to get to the second page of users, the list of users disappears and only shows domain names and then I can't open up any of them until I log out and back in.

 

I really need to be able to add users who should be on page 2 of users.

 

Eric

False alerts in Triton

April 17, 2013, 5:53 am

≫ Next: Can a run all websense Sevices as AD accounts?

≪ Previous: Not showing page 2 of AD users

$

0

0

I have several false alerts in Triton for filtering services not being started on 4 different filtering servers in my environment. I have verified Triton/Policy server has connectivity both ways to all of them. All services are running normally. 2 are appliances, 2 are Windows servers. One is even on the same subnet as the Triton/Policy server! Sometimes it says they are not sending logs, but they are, and sometimes it says the DC Agents are not available either, when they are.

I'm tired of the security operations center folks bugging me about them.

Has anyone experienced this?

Can a run all websense Sevices as AD accounts?

April 17, 2013, 2:53 am

≫ Next: Integrating Websecurity with third party SIEM product-Event log Analyzer 7

≪ Previous: False alerts in Triton

$

0

0

We have some problem with GPO is blocking local access to websense services, is it possilbe to run a all Websense Sevices as AD accounts?

 

 

Integrating Websecurity with third party SIEM product-Event log Analyzer 7

April 17, 2013, 11:08 pm

≫ Next: Social Web Controls

≪ Previous: Can a run all websense Sevices as AD accounts?

$

0

0

Hi Team,

I have a MCS customer where they would like to use SIEM integration on Triton UI to forward the log transaction data to third party server.

Cureent setup/settings
----------------------------

Websense version: 7.7.3
MUX service is installed.
Third party (syslog) server: Event Log Analyzer 7
On Triton UI: UDP 514 port is used with SIEM format "syslogCEF (Arcsight)".

Current status:  We have confirmed with the help of packet capture that websense server is sending the transaction data to the third party server (event log analyzer 7), but still the logs are not showing on third party server.

Please suggest if we need to do any more on websense server side (like SIEM format) or on third party server.

Regards,

Harsha

 

Social Web Controls

April 18, 2013, 1:44 pm

≫ Next: Server 2012 Compatible?

≪ Previous: Integrating Websecurity with third party SIEM product-Event log Analyzer 7

$

0

0

We are running Triton 7.5 in Stand-Alone and just received the notice that our database had been updated with the new Social Web Controls.  Even though the categories are there is there a date for when the URLs will be moved to the new categories?  I am wanting to be prepared so that our categories and filters are correct for when Facebook moves from 'Social Networking' to 'Social Web Controls - Facebook'.

 

Thanks

Server 2012 Compatible?

April 18, 2013, 2:46 am

≫ Next: Websense email security gateway and DLP concept

≪ Previous: Social Web Controls

$

0

0

Hi

 

We are running Email Security  7.2.

I am getting a new Server with Server 2012 Standard Edition on. I want to upgrade to Email Security 7.7. Is it compatible on Server 2012?

 

Regards

---

Websense email security gateway and DLP concept

April 19, 2013, 12:17 am

≫ Next: Possible to Review old STEMLogs?

≪ Previous: Server 2012 Compatible?

$

0

0

Dears,

 

I want to ask about Policy Rule concept in email security gateway,

 

the last policy rule is to use the data security feature, however and as per documentation, once a policy match the other policies will be ignored,

 

however if we create a Policy rule and in email security tab, the email is matching that policy, the email is being also scanned by DLP.

 

can someone explain the concept for me.

Possible to Review old STEMLogs?

April 19, 2013, 7:24 am

≫ Next: Maintenance Mode Toggle

≪ Previous: Websense email security gateway and DLP concept

$

0

0

I recently had to create a new STEMLog database as our other was close to the database size limit in SQL Express.  Is there a way to review the old STEMLog using the Email Message Administrator tool?

Maintenance Mode Toggle

April 19, 2013, 8:48 am

≫ Next: URL categories removed

≪ Previous: Possible to Review old STEMLogs?

$

0

0

I have two appliances clustered and using WCCP.  I've noticed when I am rebooting or upgrading the appliance, there is a time where it is still participating in WCCP but not filtering any traffic.

I would like to be able to put an appliance in a maintenance mode to stop it from participating in filtering.

URL categories removed

October 19, 2009, 10:23 pm

≫ Next: Remove traces of Websense detected in System State Backup

≪ Previous: Maintenance Mode Toggle

$

0

0

Hello,

I have a Policy Server working with 2 Filtering servers: one in Squid Integration (working well) and a new one in Stand Alone mode (with also Network Agent installed). During the night I have received a warning mail saying "URL categories removed from master database" from the Filtering Service in Stand Alone mode. The list was full of all categories of Websense (about 100).
From the statistics I see 0 blocked pages from the stand alone server (even if all the traffic is visible to the Network agent)
Any help?

Thank-you, Roberto
I'm using Websense Enterprise 6.1

Remove traces of Websense detected in System State Backup

April 19, 2013, 10:47 am

≫ Next: Tirton remains in "Processing..."

≪ Previous: URL categories removed

$

0

0

I've migrated Websense to another server and uninstalled it.  However, Backup Exec is finding traces of it in the Systems State and sends warning every time a backup is performed.  How can I go about removing those traces?  Can cleaning the registry do this?

 

Thanks for any assistance.