Content Analysis Licensing

book

Article ID: 168994

calendar_today

Updated On:

Products

Content Analysis Software - CA CAS-VA CAS-S200 CAS-S400 CAS-S500

Issue/Introduction

Antivirus scanning services cannot begin without a valid base license as well as a license from a supported AV vendor downloaded to the Content Analysis System.

Resolution

To associate an antivirus or other add-on license:
1. In a Web browser, enter the following URL: https://support.broadcom.com/user/user_redirect?dest=entitlement
2. Enter your Broadcom credentials, and click Login.
3. Locate the device serial number
4. Click on the ribbon icon under the "License" column

A new tab is generated with the device information

On the bottom half of the screen, you will see three options: Download License, Software Add-ons, and Swap. Go to the Software Add-ons tab.

5. Click on Add On

This menu now displays all available add-ons that you can associate to this device.

6. Navigate by highlighting and pressing the > button to move, or the >> button to move all.

Note: Exercise diligence in this location, if you create a conflict with add-ons you may experience inoperable downloads. 

7. After you select the desired licensing to be applied, proceed by indicating you have read the EULA and agree by ticking the box, then press the Link/De-Link button.

8. Once the device can download the information, you will notice that the status changes from unavailable to available. To place the licenses into use, tick the appropriate boxes, and press save changes.
 

Content Analysis Licensing Troubleshooting:
 
There are two options to apply the licenses for Content Analysis

  1. Download License from Blue Coat
  2. Upload License File

First step is association of the subscriptions. If you have not associated the subscriptions via the portal then the subscriptions will fail to associate with the device, and will not be available to download or activation.  In order for Content Analysis to properly function, the device will need internet communication that does not involve TLS/SSL inspection for subscription destinations. This is due to the fact that Content Analysis platform utilizes mutual authentication in the transaction to gain access to entitlements.

The URLs in use during the normal transactions and operations can be located under the Content Analysis heading in the following document: Required Ports and URLs Guide

Uploading the License File will still require an internet connection to download the Engines and Signatures for the Anti-Virus as well as Static Analysis Engine and pattern components. Manual installation of the Content Analysis base license only includes the necessary elements to operate and if one is configured, send data to a sandboxing service. Antivirus products are managed with a subscription-based license that requires that your Content Analysis appliance is connected to the Internet to retrieve and use.

Content Analysis systems check the cloud for AV updates several times a minute. During that probe, the license, engine, and pattern files for each AV product you have purchased is checked and verified.  Part of that check is verification in Broadcom's back-end database that the base license attached to a serial number, is correctly linked to the purchased AV subscriptions. That includes File Reputation, which is also a subscription, similar to AV products.

For Downloading
If the Content Analysis is behind a ProxySG, explicitly, the following CPL policy will allow proper communication. This is normally recommended to be placed in the local policy file. The local policy file will be located on the ProxySG under Configuration > Policy > Policy Files > Local Policy File.

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.168.21.10 detect_protocol.ssl(no) ALLOW
For explicit communication through a ProxySG, be sure to check the configuration of the settings on Content Analysis Web UI; under Settings > Proxy. In order for these settings to be functional, ensure that you tick the “Enable” checkbox and place the authentication credentials for Proxy Authentication. (These steps will still require the above policy in place on the ProxySG).
If you do not have a set of Proxy Authentication credentials for Content Analysis to use, the policy on the ProxySG will need to be adjusted to include an authentication disable:

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.168.21.10 authenticate(no) detect_protocol.ssl(no) ALLOW

For transparent communication from Content Analysis through a ProxySG, there are two options the ProxySG has to allow the communication to occur:

  1. Create a TCP Tunnel service for the source IP of the Content Analysis
  2. Create a Static Bypass entry for the source IP of the Content Analysis
    (There is no option with transparent to disable protocol detection on the SSL Proxy listener)

If the decision to use TCP Tunnel service is determined, you will still need to include the following policy:

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.168.21.10 authenticate(no) ALLOW

If the download is still failing after all of the previous steps have been taken, we will want to verify that the birth certificate is valid. This can be verified in two ways:
1. Running a packet capture from the Content Analysis to verify the birth certificate is properly provided.
The certificate will be within a response to the server with the certificate from the Content Analysis with the Serial Number of the device as the Common Name. In addition, it will be signed by abrca.bluecoat.com.


2. Go to Utilities > System Information, and look for the following line:
"birthCertificateValid": true

If for any reason, this is not the case, please run the following command from enabled mode in CLI (Hardware Only):
request-appliance-certificate

Subscription Updates:
If you have recently updated or renewed the subscriptions, and the Content Analysis has not reflected the update over the course of 30 minutes to one hour, you can address via refresh of the antivirus and engine signatures. This option is found under Utilities > Services. This action will request the update without the etag. This will only work if the backend has propagated the update.
 

Some common error codes that have been seen with the restriction of access upstream or upstream modification of access usually include (but not limited to) the following (clp_services log will record):

Peer Not Authenticated
Invalid Server Certificate
Read Timed Out
Request Timed Out
Connect to URL Timed Out
Connection to URL Refused
Proxy Authentication Required

Attachments