Websense and switch span/monitor session

Posted on 2008-11-07
Last Modified: 2012-05-05
I have seen this question numerous times with the same answer, and it seems to be working for the most part...but I am still missing something! I need to get my Websense server filtering all the protocols (not just HTTP). I am using two Sonicwall Pro 4060 firewalls in a failover configuration. Briefly, my setup...

Cisco 3750G switch
Backup Sonicwall LAN plugged into port Gi1/0/5
Primary Sonicwall LAN plugged into port Gi1/0/18
Websense server NIC plugged into Port 6, NIC plugged into port 21

Switch Config
monitor session 1 source interface Gi1/0/5 , Gi1/0/18
monitor session 1 destination interface Gi1/0/21 ingress untagged vlan 1

CORESW1#show monitor session 1
Session 1
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/5,Gi1/0/18
Destination Ports : Gi1/0/21
    Encapsulation : Native
          Ingress : Enabled, default VLAN = 1
    Ingress encapsulation: Untagged

At this moment the Websense server is seeing all HTTP traffic, and is successfully blocking traffic per the block policy. The biggest issue is it's not seeing any other protocol. Websense support tells me that this means the SPAN is set up incorrectly...I am able to bi-directionally communicate to both NICs on the server, is this part of the problem? I really don't care if only 1 is able to communicate outbound or not, so that can be changed if needed.

I ran a Wireshark capture of the .45 NIC on the Websense server and it seems to only see HTTP information coming from the outside in, this doesn't seem quite right, does it?

Question by:mikerunkel

    Accepted Solution

    You should be seeing all traffic in/out of the firewall, which is 99.9% http traffic.
    Try running an FTP session with wireshark running on a separate span session.
    monitor sess 2 source interface gi1/0/5, gi1/0/18
    monitor sess 2 destination gi1/0/22  <== don't put any other arguments

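    The following is an added check, not code from anyone in this thread: it parses `show monitor session` output in the form pasted in the question and flags a SPAN destination port that has ingress enabled, which I take to be the kind of extra argument the accepted answer says to leave off so the monitoring NIC stays receive-only. Session 2 in the sample is constructed to look like the clean second session the answer suggests; the port number Gi1/0/22 is an assumption.

```python
import re

# Constructed sample: the asker's session 1 (ingress enabled on the destination)
# plus a hypothetical clean session 2 like the one the accepted answer proposes.
SHOW_MONITOR_OUTPUT = """\
Session 1
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/5,Gi1/0/18
Destination Ports : Gi1/0/21
    Encapsulation : Native
          Ingress : Enabled, default VLAN = 1
    Ingress encapsulation: Untagged

Session 2
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/5,Gi1/0/18
Destination Ports : Gi1/0/22
    Encapsulation : Native
          Ingress : Disabled
"""

def parse_monitor_sessions(text):
    """Parse 'show monitor session' output into {session_id: fields}."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Session (\d+)", line):
            cur = sessions.setdefault(int(m.group(1)), {"sources": {}, "dest": [], "ingress": False})
        elif cur is None:
            continue  # ignore anything before the first session block
        elif m := re.match(r"\s+(Both|[RT]X Only)\s*:\s*(.+)", line, re.I):
            cur["sources"][m.group(1)] = m.group(2).replace(" ", "").split(",")
        elif m := re.match(r"Destination Ports\s*:\s*(.+)", line):
            cur["dest"] = m.group(1).replace(" ", "").split(",")
        elif m := re.match(r"\s+Ingress\s*:\s*(Enabled|Disabled)", line):
            cur["ingress"] = m.group(1) == "Enabled"
    return sessions

def audit_session(session):
    """Findings for a session whose destination feeds a passive monitoring NIC."""
    findings = []
    if session["ingress"]:
        findings.append("destination accepts ingress; monitor NIC should be receive-only")
    if "Both" not in session["sources"]:
        findings.append("sources not mirrored in both directions")
    return findings

def audit_all(text):
    """Map each session id to its findings (an empty list means clean)."""
    return {sid: audit_session(s) for sid, s in parse_monitor_sessions(text).items()}
```

    Run it against the real output of `show monitor session all` on the switch; a clean destination should come back with no findings, and the sources should always be mirrored as Both so both directions of each flow reach the server.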

    Assisted Solution

    by:Ehab Salem
    An important point for Websense and spanning is that the port that will monitor should monitor traffic going from your network to the firewall/proxy.
    Your network should be connected at an end to the switch where the firewall is connected.

    your network -------->Switch with following ports: firewall, spanning port

    Author Comment

    Ok, so the Websense spanning is on the same switch that the firewall is plugged into, so it sounds like that is good. It is also monitoring the specific ports of the firewalls. I will try the FTP monitor too.

    Author Closing Comment

    I was able to resolve the issue by installing the "Stand Alone" edition of the Websense product; this allowed it to leave the Sonicwall firewalls out of the loop and just strictly monitor everything that is going across those ports.
