Channel: Forcepoint Community

Allow ESG Audit log to show who released a spam message from quarantine


Using 7.8.4 for a few days and I was hoping this would be there but I can't find it if it is.

We have multiple quarantine administrators and occasionally someone will release a message they clearly should not have. We would like an audit entry to show who released it.


There is no SSL Decryption for Secondary Proxy Server Ports


I’ve just discovered that SSL decryption is not available for users connecting to a secondary proxy server port - update - this was an unannounced 'fix' introduced in 7.8.4 to 'correct' the earlier behaviour where SSL decryption was enabled on all proxy server ports in 7.8.1-7.8.3!

Using secondary proxy server ports is an invaluable option when using Rules-based authentication, but its value is severely compromised if it means SSL decryption is effectively disabled for those users in 7.8.4.

I couldn’t find any reference to this change of behaviour in the release notes or the known and resolved issues list for 7.8.4.

Feature Request: Restore support for SSL decryption on the secondary HTTP proxy server ports in 7.8.4 and later. Currently Content Gateway will only inspect SSL traffic on proxy port 8080. Right now you cannot add additional ports to the HTTPS Proxy Server Port field in CG Manager > Configure > Protocols > HTTPS. This should be extended to allow administrators to add in the secondary proxy server ports, either through the GUI or through records.config (content_line).

I would consider the pre-7.8.4 behaviour where SSL decryption was enabled on all HTTP proxy server ports to be the desired and expected behaviour for a web security gateway. The unannounced change in 7.8.4 introduces a security loophole that could expose Websense customers using secondary proxy ports to risks of malware infection and data theft/leakage without them being aware of the danger.

I can understand the use case for disabling SSL decryption for a secondary proxy port – BYOD and explicit proxy spring to mind, but this change to the product should have been announced and ideally made optional through a records.config setting where the default setting left SSL decryption enabled for all HTTP proxy server ports.

In an ideal world, SSL Decryption would be enabled for all HTTP proxy server ports so that the product can fulfil its mandate as a web security gateway. Customers should then have the option to selectively disable SSL decryption for specific secondary proxy ports.

Example config settings to allow customers to control whether SSL decryption is enabled on all HTTP proxy server ports:

Proxy.config.ssl.all_server_ports_enabled INT 1

Or

Proxy.config.ssl.server_ports STRING 8080 18080 18081

Need to see who is authenticating with what protocol on IWA appliance


The IWA page on the appliance has a very nice feature that shows how many clients are authenticating with Kerberos, NTLM and Basic. We need to figure out who or what is authenticating by methods other than Kerberos so we can get them fixed.

Internal Root CA import not working after 7.8.4

Subject: Internal root CA import doesn't work after upgrade to 7.8.4

Description: I have created a private key and certificate for my new CentOS 8.4 Websense 7.8.4 server. Importing works fine, when I back it up (download) it looks ok.
However, it seems that Websense doesn't re-encrypt the HTTPS stream with the full certificate path after 7.8.4.
On 7.8.2 it works fine, after upgrading to 7.8.4 it still works fine, but after reinstalling the same certificates it stops working and users get an insecure message.

[This is also a (stale) support ticket btw]

Websense Cloud - Creating new Policy Using Existing Policy as Template should handle File Blocking page


Per Websense Global Technical Support - Case Number:01892517

If you Add a new Policy, and specify an existing Policy as a Template, the File Blocking Settings are not created correctly on the new Policy, and you are left with an unusable policy.

I am told that by design if the file type has been applied to any groups/users, then the related file type will not be cloned/copied because the User/Group can only be registered in one Policy. This results in a policy where you can no longer access the file type and there is no way to reset it so policy is unusable.

I would suggest that when copying the policy then the File Blocking section should just drop out the group references and leave you with the default settings in a similar fashion to how the exceptions are handled on the Web Policy and Application Control pages.

No data displayed on threats tab after upgrade to 7.8.4


After upgrading to 7.8.4 there is no current data displayed on the Threats tab in the Dashboard. It seems that everything else is working as it should.  The rest of the tabs contain current data and I am able to view activity through the Investigative Reports area.  OS is 2008 R2.  Is anyone else experiencing this?

Feature Request - Audit logs SIEM integration


Dear Websense!

There should be an option to be able to send Audit Logs to a syslog or SIEM server.

Thank you in advance.

Best Regards,

Erik Molnar

Create Policy Using Existing


It's madness that in the Cloud Websense version you can't create a new policy using another as a base template. Either that or copy settings from one policy to all others.


Change Default Quota Time

The default for this seems to be two hours. Who has a two-hour lunch? I'm lucky to get two minutes LOL! The ability to alter this would be good.

Default Policy is being explicitly enforced


Hello all,

Admittedly, I have been a forum troll for answers, however, find myself not finding solutions to any of my issues,

* My First post (Question) - please help

ENVIRONMENT:

MS Windows 2012 R2 - WSGA 7.8.4 TRITON

Red Hat Enterprise Linux Server release 6.5 (Santiago) - WSGA 7.8.4 WCG (HF01 Multi Fix / HF03 Multi Fix / HF03 - UserService Anonymous Bind Fail / HF 04 Multi Fix)

ISSUE:

TRITON > Policy Management > Clients

We have 5 AD groups (L01 to L05)

L01 - Controlled Internet Access

L02 - Basic Internet Access

L03 - General Internet Access

L04 - General Internet Access plus additional protocols 

L05 - Unrestricted Internet Access

Each AD group is assigned an Internet policy and Protocol Filter.

We also make use of a Limited Access Filter for a list of approved sites (whitelist) clients are allowed to go to which ties to the WCG > Configure > Security > Access Control List and is assigned to the Default Policy.

PROBLEM:

With each group assigned their policy, everything works as designed, restrictions are applied, block pages etc., however, when we activate the default policy and assign it the limited access filter (save and deploy), all groups explicitly enforce the Default Policy and only certain HTTPS sites open (ties to access filter), where opening https://www.google.com is presented with a "page cannot be displayed" message.

ANOMALY:

This is our QA environment and our production environment is set up the exact same way, however using WSGA 7.8.6, and everything is working as designed.

INSTALLATION:

Fresh install, no policy imports

MAIN QUESTION:

Why is the Default Policy being explicitly enforced?

MY POLICY ASSIGNMENT:

L05 - Unrestricted Internet Access

TESTLOG SERVER:

Log Source= Protocol Log 

Client Hostname= 10.217.32.23

SourceIp= 10.217.32.23

DestinationIp= 91.225.248.129

server= 10.217.219.140

time= Mon Dec 01 08:59:22 2014   version= 6

disposition= 1031 - Blocked By Limited Access Filter

URL= https://www.linkedin.com

protocol= 11 - https  port= 443  networkDirection= Outbound

method= CONNECT

contentType = 

category= 1527 - Social Web Controls - LinkedIn

categoryReason= 1 - Master Database: URL

bytes sent= 0  bytes received= 0

file name= 

True File Type= 0 - None

roleId= 8

user= 

duration= 20 ms

scan duration= 14 ms

policyName= Super Administrator**Default

SIEM Results

   protocol version= 0

   server status code= 0

   proxy status code= 403

   client source port=56156

   client destination port= 8080

   proxy source=10.217.219.140

   proxy source port= 0

   user agent= Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25

   X-Forward For=

Feature Request


Hi,

We have deployed the Websense Endpoint client for Cloud Web Security.

This is working well however users have noticed multiple Web Endpoint Diagnostic Tool (WEDT) icons in the systray.

This is because we have a Citrix environment. Laptop users do not use a Citrix desktop but just open one or more published applications. Each open application creates an additional WEDT icon in the systray.

The New Feature Request is that the WEDT icon can be disabled or hidden from the systray.

Thanks,

Martin

Ability To Change The Default Reporting period


It would be so much nicer to have a default of 2 hours or so. Most times, running reporting is for tracking why a site is blocked or not working properly. I only need to see the last few minutes. Either default to one hour, or have the ability to change the default to whatever you prefer would be my suggestion.

API or CLI to check website category


We have a need to check a list of sites against the Websense database in a scripted manner.

There is no easy way to do this.

An api or command line would be great.

Disable Email alerts for a certain user or IP

We have a need for a policy based email alerts. For example we have 1 user that generates a lot of results but we do not need the email alerts for them.

Triton Cloud Security - Endpoint Client


We are using the Websense Triton Cloud Security platform. When running the Websense Endpoint client on a Windows 7 computer with IE 11, Internet browsing has been slow and sometimes shows "Not Responding" and freezes the computer. Google Chrome does not experience the same extreme conditions.

If we uninstall the Endpoint Client and just keep the proxy address in IE, browsing is fast. There seems to be a definite issue with the WS Endpoint Client software and Internet Explorer.

Has anyone experienced these symptoms?


FR - New type of DLP action: Mask Data


Hi,

We need a specific action for PCI compliance. We are a finance institution and end users may send the whole 16-digit credit card number (PAN) within the email body. We do not want to either block or quarantine the email. We want to mask some digits of these 16 digits, like 1234 56** **** 7890, in both inbound and outbound directions.

Of course this feature request is not limited to PAN, it might be needed for other critical strings like SSN, TAX Numbers etc.

Regards,
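
The masking requested in the post above (keep the first six and last four digits, as in 1234 56** **** 7890), as an added example that is not part of the original post and is not Websense code. The regex, the Luhn check used to skip 16-digit strings that are not card numbers, and the function names are assumptions of this example; the sample numbers are constructed.

```python
import re

# Candidate PAN: 16 digits, either contiguous or grouped in fours by one
# consistent separator (space or hyphen). Not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)", re.ASCII)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Mask digits 7-12 of every Luhn-valid 16-digit PAN, keeping layout."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw          # e.g. an order number: leave untouched
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen <= 6 or seen > 12 else "*")
            else:
                out.append(ch)  # preserve the original separators
        return "".join(out)
    return PAN_RE.sub(_mask, text)


# Constructed sample mail body: a well-known test PAN and a non-card number.
SAMPLE = "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456."

if __name__ == "__main__":
    print(mask_pans(SAMPLE))
```

The Luhn check keeps false positives down, but a mail gateway would still need to apply this to every MIME text part and attachment body, not only the plain-text body.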

Backup/Restore Custom Categories


Put in a feature to backup/restore custom categories.  I had an issue today with accidentally deleting a custom category and found that there was no way to restore the custom list.  Something that we put work into to build we should be able to have a backup of it but no luck.  This is for the cloud web solution.

Web Security (no appliance) upgrade from 7.6.7 to 7.8.4


Is this a direct upgrade using the v7.8.4 Windows installer? I can't find anything that says it explicitly.

Thanks

Citrix Integration

Hello all, we are in the process of getting the Citrix Integration set up. Going by the Websense 7.8.x "Configuring user access on Citrix server" documentation (page 306), what/which permissions do we add from the Citrix server Access Management Console - do we add each user that we currently have given Citrix access to, or add the Citrix users group? The steps aren't very clear. We are using Citrix XenApp 6.5 and Websense Web Security 7.8.1. Thanks

Add Referer field to SIEM Multiplexer log


Can the contents of the Referer field please be added to the Websense multiplexer log?

The HTTP referer is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested.

Example line entry when browsing the Websense site:

Referer: http://www.websense.com/content/home.aspx

 

This would be helpful for security investigations to track the referrer.
