Websense and switch span/monitor session

I have seen this question numerous times with the same answer, and it seems to be working for the most part...but I am still missing something! I need to get my Websense server filtering all the protocols(not just HTTP). I am using a (2) Sonicwall pro 4060 firewalls in a fail over configuration. Briefly my setup...

Cisco 3750G switch
Backup Sonicwall LAN plugged into port Gi1/0/5
Primary Sonicwall LAN plugged into port Gi/1/0/18
Websense server xxx.xxx.xx.44 NIC plugged into Port 6, xxx.xxx.xx.45 NIC plugged into port 21

Switch Config
monitor session 1 source interface Gi1/0/5 , Gi1/0/18
monitor session 1 destination interface Gi1/0/21 ingress untagged vlan 1

CORESW1#show monitor session 1
Session 1
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/5,Gi1/0/18
Destination Ports : Gi1/0/21
    Encapsulation : Native
          Ingress : Enabled, default VLAN = 1
    Ingress encapsulation: Untagged

At this moment the Websense server is seeing all HTTP traffic, and is successfully blocking traffic per the block policy. The biggest issue is its not seeing any other protocol. Websense support tells me that this means the span is setup incorrectly...I am able to bi-directionally communicate to both NICs on the server, is this part of the problem? I really don't care if only 1 is able to communicate outbound or not, so that can be changed if needed.

I ran a wireshark capture of the .45 NIC on the websense server and it seems to only see HTTP information coming from the outside in, this doesnt seem quite right does it?

Who is Participating?
lrmooreConnect With a Mentor Commented:
You should be seeing all traffic in/out of the firewall, which is 99.9% http traffic.
Try running an FTP session with wireshark running on a separate span session.
monitor sess 2 source intreface gi1/0/5, gi1/0/18
monitor sess 2 destination gi1/022  <== don't put any other arguments

Ehab SalemConnect With a Mentor IT ManagerCommented:
An im[portant point for Websense and spanning is that the port that will monitor should monitor traffic going from your network to the firewall/proxy.
Your network should be connected at an end to the switch where the firewall is connected.

your network -------->Switch with following ports: firewall, spanning port
mikerunkelAuthor Commented:
Ok so the Websense spanning is on the same switch taht the firewall is plugged into, so it sounds like that is good. It is also monitoring the specific ports of the firewalls.I will try the FTP monitor too.
mikerunkelAuthor Commented:
I was able to resolve the issue by installing the "Stand Alone" edition of the Websense product, this allowed it leave the Sonicwall Firewalls out of the loop and just strictly monitor everything that is going across those ports.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.