Channel: Forcepoint Community
Viewing all 2011 articles

Testing websense on same vlan


Hi, I'm currently testing the newest version of Websense (7.8.4) and its ipv6 filtering. Because of the environment I'm in, I can test ipv4 by blocking sites on the internet, but there is no internet connectivity on the ipv6 network. Because of this, I had to stand up an ipv6 web server inside our network, and because of network issues it is on a machine on the same ipv6 subnet as the client I'm using to access the web server.

My question is, will the response time of the webserver packets cause a conflict with the websense packets, in that the rst packets are not sent quickly enough and the web server "wins out"? When I go to access the page (and it's blocked via policy), I see in RTM that the page is marked as blocked but it still appears on the client. I see through Wireshark that when I access a blocked ipv4 page, I get the SYN, SYN ACK, and ACK packets as expected, and then the GET and the 302 packets. I then see the RST packets, along with an ACK. When I try to access the ipv6 server, however, I see SYN, SYN ACK, and ACK packets in the beginning, then a GET, but then I see a FIN PSH ACK packet from the spoofed IP instead of the 302. I don't see the 302 until much later, along with some out-of-order and reassembled PDU packets. I see a bunch of RST packets, but they don't seem to do anything since I'm still connected to the web server (I get the page).

 

I'm confused, I believe it may be due to the fact that the client, network agent, and webserver are all on the same vlan.  I should also note that I'm using the software stand-alone version of Websense Web Security.  Any help would be greatly appreciated, thanks!


Distinguish confirmed and unconfirmed block actions in incidents


Steps to reproduce:
Create a simple rule (PCI, no word boundaries) with Endpoint channels.
Set the action plan to "Confirm" on all endpoint channels.

When a violation occurs on the endpoint, do nothing and the "confirmation" box will disappear after a few seconds with no action from the user.
The incident is registered as "Blocked (confirmed)"
even though there was no confirmation.

Actual result:
The incident is registered as "Blocked (confirmed)"
even though there was no confirmation.

Expected result:
Incident should report "Blocked (Un-confirmed)"

All the customer needs is to have a way to distinguish, in incident reports, what was actively confirmed by the customer and what wasn't confirmed within the 10 second time frame.

Site Lookup Tool


Is there an issue with the Site Lookup Tool this morning? Several attempts to research URLs have returned the error 'The Site Lookup service is having a problem, or one or more URL's entered is invalid. Please try again later.'. We utilize this tool extensively during the day and for it to be down for too long will cause issues.

Download Product Page Doesn't Work


I have been trying all morning via different browsers to get the ISO image for the protector. The form to select the product, OS, version, etc. is completely dysfunctional.

Websense Log server - We need user name and ip address (public)


Dear Team,

 

We have a Websense remote filtering server for broadband users.

We pull the report of our users on a daily basis for both inbound and outbound users. In the broadband location, the dtf agent is installed on their laptops. So when we pull the report we only get the username or the emp ID. As per the client request, we require the username and IP address to be shown in the report.

 

Kindly refer to the case ID which was logged for reference: 01853532

 

Kindly update us on this case asap.

Run a Presentation report on a subnet access for a specific URL


Customer is requesting the ability to run a Presentation Report on a subnet for access to a specific URL. And return the User names. They were able to run on a subnet by IP address and category but the report showed only IP addresses.

 The initial request was to run against two subnets for user access to Netflix.

WS 7.8.4 & Squid Version 3


Is WS 7.8.4 compatible with Squid Proxy Version 3 ?

Decreasing effectiveness of Email Security 7.3


My company has been using Email Security (now at version 7.3, the last) since the early days of it being Surf Control.  Lately though, it seems that the amount of spam leaking through the cracks is increasing a significant amount, despite the server's update schedule running regularly.

I understand that this product is no longer getting version upgrades, but my question is: Is there any reason that it should be becoming less effective as time wears on, despite definition updates?  What can I point to to try and figure out how to get a better detection rate without cranking up the false positives?

Is there any reason that the Email Security Gateway or other Websense products would do a better job of filtering our corporate mail compared to our Email Security 7.3 with all the latest definitions, and if so, how significant would you say that change would be?


Delivery delayed when reporting spam to asa@websense.com email security v7.3


We have been receiving "delivery delayed" messages when trying to report spam to asa@websense.com.

Mail Delivery Subsystem <MAILER-DAEMON@rly60e.srv.mailcontrol.com>

From: <my email address>

Delivery is delayed to these recipients or groups:

 

asa@websense.com

 

Subject:

 

This message hasn't been delivered yet. Delivery will continue to be attempted.

Any suggestions or help is much appreciated.

Thanks.

 

hybrid service is inactive


ESG version 78

Secondary appliance showing alert - hybrid service is inactive

 

Secondary appliance is also configured to receive emails ( this is set as a fallback route in cloud portal)

 

Primary is the main appliance that receives inbound emails.

 

The alert will always appear as the secondary appliance is not the first preference to which the inbound emails should be sent from the cloud.

 

The only way to disable the alert is to stop the service alertd in the backend (ssh) but this would mean that no alerts will then be generated.

 

Requirement is that the alert ( just for the hybrid service) to be disabled through GUI manager for secondary appliance.

 

Please note the alert appears as the secondary has not received any emails as they were received by the primary appliance.

Hope the above is ok.

Block part of website


Can you block part of a website, say www.mydomain.ie/testing/block, but allow access to www.mydomain.ie or www.mydomain.ie/testing?

Have created a custom list and tried blocking part of a website. Within the test feature of websense it says that the category is custom and blocked, however in the logserver it comes up with Category = unknown and I think 1899.

Just to add - Have latest version of Triton working fine apart from this issue.......the custom filter does work for websites, just does not seem to work for webpages.

 

Thanks

Block foreign domains in Cloud Web Security


I've been reading through some of the forum posts available and have yet to see an answer on how to block a foreign domain in Web Security.  This should be a very simple process to block any site that ends with .ru or .cn.

I should also be able to upload this via a csv file.   Does anyone have a workaround for this?   This should not be this complex to do.

 


Decide to Spam by SCL score


Why can't we decide whether mail is spam or not by the Spam Confidence Level score?

Modify endpoint confirmation message


How do I modify the endpoint confirmation message on the endpoint client?

I want to add a custom message with the company name instead of Websense.

SSL Decryption Raw Feed/Tap


One of the key means to investigate cybersecurity threats is to send the raw feed of outbound Internet traffic to a network forensic device. As a greater portion of internet traffic is HTTPS, and the Websense Web Security Gateway is already decrypting the traffic, we are requesting a feature that would allow one to obtain or extract a raw feed of the HTTPS traffic decrypted by the Websense Web Security Gateway so that it can be sent to a storage unit.


Skype IM performance is degraded by "file access" monitoring


We are conducting a PoC of V10K G3 and we've found that Skype functionality is degraded to the point of being useless after deploying the endpoint client. This happens on older systems with IDE drives as well as newer SSD based systems. I have been advised by support that the data monitoring component generates very high IO operations when monitoring for file transfers via Skype, I do not see any notable IO operations that correspond with this. We are also seeing this problem during normal text chat usage too. Skype "locks up" for up to 15sec at a time. 

 

FR201403-6599

Internal Root CA import not working after 7.8.4

Subject: Internal root CA import doesn't work after upgrade to 7.8.4

Description: I have created a private key and certificate for my new CentOS 8.4 Websense 7.8.4 server. Importing works fine, when I backup it (download) it looks ok.
However, it seems that Websense doesn't re-encrypt the HTTPS stream with the full certificate path after 7.8.4.
On 7.8.2 it works fine, after upgrading to 7.8.4 it still works fine, but after reinstalling the same certificates it stops working and users get an insecure message.

 

[This is also a (stale) support ticket btw]

WES 7.3 - PFS - "perfect forward secrecy"


Hi,

I think it was very important that WES 7.3 support PFS - "perfect forward secrecy".

Thanks

rg

Thomas

Monitor List Exceptions & Client IP/Network description fields


A description field for these types of entries would be great.

thx

executable files
