Websense and switch span/monitor session

I have seen this question numerous times with the same answer, and it seems to be working for the most part...but I am still missing something! I need to get my Websense server filtering all the protocols (not just HTTP). I am using (2) Sonicwall Pro 4060 firewalls in a failover configuration. Briefly, my setup...

Cisco 3750G switch
Backup Sonicwall LAN plugged into port Gi1/0/5
Primary Sonicwall LAN plugged into port Gi1/0/18
Websense server xxx.xxx.xx.44 NIC plugged into Port 6, xxx.xxx.xx.45 NIC plugged into port 21

Switch Config
monitor session 1 source interface Gi1/0/5 , Gi1/0/18
monitor session 1 destination interface Gi1/0/21 ingress untagged vlan 1

CORESW1#show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/5,Gi1/0/18
Destination Ports : Gi1/0/21
    Encapsulation : Native
          Ingress : Enabled, default VLAN = 1
    Ingress encapsulation: Untagged

At this moment the Websense server is seeing all HTTP traffic, and is successfully blocking traffic per the block policy. The biggest issue is it's not seeing any other protocol. Websense support tells me that this means the span is set up incorrectly...I am able to bi-directionally communicate to both NICs on the server; is this part of the problem? I really don't care if only 1 is able to communicate outbound or not, so that can be changed if needed.

I ran a Wireshark capture of the .45 NIC on the Websense server and it seems to only see HTTP information coming from the outside in; this doesn't seem quite right, does it?

mikerunkel Asked:

lrmoore Commented:
You should be seeing all traffic in/out of the firewall, which is 99.9% http traffic.
Try running an FTP session with wireshark running on a separate span session.
monitor sess 2 source interface gi1/0/5, gi1/0/18
monitor sess 2 destination gi1/0/22  <== don't put any other arguments

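As an added example (not from this thread, and not Websense's or Cisco's code), here is a small Python script that parses `show monitor session` output like the one posted in the question and checks a session against what the operator expects: that every firewall port is mirrored in both directions, that the destination is the monitoring NIC's port, and whether the destination has ingress enabled (the `ingress untagged vlan 1` argument is what lets the monitoring NIC also transmit into the network through the SPAN port). The embedded sample is the question's session 1 copied verbatim plus a constructed session 2, modelled on lrmoore's second session but deliberately mirroring only one port RX-only, so the report shows what a misconfigured session looks like. The function names `parse_sessions` and `check_session` are my own.

```python
"""Parse Cisco IOS `show monitor session` output and compare a SPAN session
with the ports the operator expects to be mirrored.

SAMPLE is constructed: session 1 is the output from the question, session 2
is a made-up, deliberately incomplete session for contrast.
"""
import re

SAMPLE = """\
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/5,Gi1/0/18
Destination Ports : Gi1/0/21
    Encapsulation : Native
          Ingress : Enabled, default VLAN = 1
    Ingress encapsulation: Untagged
Session 2
---------
Type              : Local Session
Source Ports      :
    RX Only       : Gi1/0/5
Destination Ports : Gi1/0/22
    Encapsulation : Native
          Ingress : Disabled
"""

INGRESS_NOTE = ("destination port has ingress enabled "
                "(the monitoring NIC can also transmit through it)")


def _ports(field):
    """Split 'Gi1/0/5,Gi1/0/18' into a clean list of port names."""
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_sessions(text):
    """Return {session_number: {"sources": {direction: [ports]},
                                "destinations": [ports],
                                "ingress": True/False/None}}."""
    sessions = {}
    cur = None
    for line in text.splitlines():
        m = re.match(r"^Session (\d+)\s*$", line)
        if m:
            cur = {"sources": {}, "destinations": [], "ingress": None}
            sessions[int(m.group(1))] = cur
            continue
        if cur is None:
            continue
        # Source port lines are indented and labelled Both / RX Only / TX Only
        m = re.match(r"^\s+(Both|RX Only|TX Only)\s*:\s*(.+)$", line)
        if m:
            cur["sources"][m.group(1)] = _ports(m.group(2))
            continue
        m = re.match(r"^Destination Ports\s*:\s*(.+)$", line)
        if m:
            cur["destinations"] = _ports(m.group(1))
            continue
        # Matches '          Ingress : Enabled, ...' but not 'Ingress encapsulation:'
        m = re.match(r"^\s+Ingress\s*:\s*(Enabled|Disabled)", line)
        if m:
            cur["ingress"] = m.group(1) == "Enabled"
    return sessions


def check_session(session, expected_sources, expected_dest):
    """Return a list of findings; an empty list means the session matches."""
    findings = []
    both = set(session["sources"].get("Both", []))
    missing = sorted(set(expected_sources) - both)
    if missing:
        findings.append("not mirrored in both directions: " + ", ".join(missing))
    if session["destinations"] != [expected_dest]:
        findings.append("destination is %s, expected %s"
                        % (session["destinations"], expected_dest))
    if session["ingress"]:
        findings.append(INGRESS_NOTE)
    return findings


if __name__ == "__main__":
    firewall_ports = ["Gi1/0/5", "Gi1/0/18"]   # both Sonicwall LAN links
    for num, sess in sorted(parse_sessions(SAMPLE).items()):
        dest = sess["destinations"][0] if sess["destinations"] else "?"
        print("Session %d ->" % num, check_session(sess, firewall_ports, dest) or "OK")
```

To use it on a live switch, paste the output of `show monitor session all` into `SAMPLE` (or read it from a file) and set `firewall_ports` to the ports your firewalls actually sit on; the ingress finding is informational, since whether the monitoring NIC should be allowed to transmit depends on how the product is meant to block.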
Ehab Salem (IT Manager) Commented:
An important point for Websense and spanning is that the port that will monitor should monitor traffic going from your network to the firewall/proxy.
Your network should be connected at an end to the switch where the firewall is connected.

your network -------->Switch with following ports: firewall, spanning port
mikerunkel (Author) Commented:
Ok so the Websense spanning is on the same switch that the firewall is plugged into, so it sounds like that is good. It is also monitoring the specific ports of the firewalls. I will try the FTP monitor too.
mikerunkel (Author) Commented:
I was able to resolve the issue by installing the "Stand Alone" edition of the Websense product; this allowed it to leave the Sonicwall firewalls out of the loop and just strictly monitor everything that is going across those ports.